diff --git a/api/src/backend/api/fixtures/dev/7_dev_compliance.json b/api/src/backend/api/fixtures/dev/7_dev_compliance.json
index 90a4bcd6be..b90ead642b 100644
--- a/api/src/backend/api/fixtures/dev/7_dev_compliance.json
+++ b/api/src/backend/api/fixtures/dev/7_dev_compliance.json
@@ -1 +1 @@
-[{"model": "api.complianceoverview","pk": "07d0c342-abcb-4d91-b865-88f9c96adbfc","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "cisa_aws","framework": "CISA","version": "","description": "Cybersecurity & Infrastructure Security Agency's (CISA) Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.","region": "eu-west-1","requirements": {"your-data-1": {"name": "Your Data-1","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"sagemaker_training_jobs_volume_and_output_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-data-1","Section": "your data","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Learn how your data is protected.","checks_status": {"fail": 4,"pass": 3,"total": 13,"manual": 0}},"your-data-2": {"name": "Your Data-2","checks": {"elb_ssl_listeners": "FAIL","elb_logging_enabled": "FAIL","elbv2_ssl_listeners": "FAIL","vpc_flow_logs_enabled": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","efs_have_backup_enabled": "FAIL","s3_bucket_public_access": null,"s3_bucket_acl_prohibited": "FAIL","ec2_ebs_volume_encryption": "PASS","rds_snapshots_public_access": "PASS","s3_bucket_default_encryption": "PASS","rds_instance_no_public_access": "PASS","efs_encryption_at_rest_enabled": 
"FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": "PASS","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_logging_enabled": "PASS","s3_bucket_policy_public_write_access": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","awslambda_function_not_publicly_accessible": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_training_jobs_volume_and_output_encryption_enabled": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-data-2","Section": "your data","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Learn what is happening on your network, manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.","checks_status": {"fail": 18,"pass": 
11,"total": 49,"manual": 0}},"your-data-3": {"name": "Your Data-3","checks": {"elbv2_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-data-3","Section": "your data","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Domain name system protection.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"your-data-4": {"name": "Your Data-4","checks": {"efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-data-4","Section": "your data","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish regular automated backups and redundancies of key systems.","checks_status": {"fail": 4,"pass": 1,"total": 8,"manual": 0}},"your-data-5": {"name": "Your Data-5","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "your-data-5","Section": "your data","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Leverage protections for backups, including physical security, encryption and offline copies.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"your-systems-1": {"name": "Your Systems-1","checks": {"ec2_elastic_ip_unassigned": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-systems-1","Section": "your systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Learn what is on your network. 
Maintain inventories of hardware and software assets to know what is in play and at-risk from attack.","checks_status": {"fail": 4,"pass": 0,"total": 4,"manual": 0}},"your-systems-2": {"name": "Your Systems-2","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-systems-2","Section": "your systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Leverage automatic updates for all operating systems and third-party software.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"your-systems-3": {"name": "Your Systems-3","checks": {"elb_ssl_listeners": "FAIL","elb_logging_enabled": "FAIL","elbv2_ssl_listeners": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"rds_instance_multi_az": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","efs_have_backup_enabled": "FAIL","s3_bucket_public_access": null,"kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","elbv2_deletion_protection": "FAIL","iam_user_accesskey_unused": null,"ec2_ebs_default_encryption": "PASS","iam_password_policy_number": null,"iam_password_policy_symbol": null,"rds_instance_backup_enabled": "PASS","rds_snapshots_public_access": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"s3_bucket_default_encryption": "PASS","iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"rds_instance_no_public_access": "PASS","efs_encryption_at_rest_enabled": "FAIL","iam_user_console_access_unused": null,"rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": 
"PASS","rds_instance_deletion_protection": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_logging_enabled": "PASS","apigateway_restapi_waf_acl_attached": "FAIL","iam_user_mfa_enabled_console_access": null,"redshift_cluster_automated_snapshot": null,"s3_bucket_policy_public_write_access": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"emr_cluster_master_nodes_no_public_ip": null,"iam_password_policy_minimum_length_14": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","secretsmanager_automatic_rotation_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","vpc_endpoint_connections_trust_boundaries": "FAIL","awslambda_function_not_publicly_accessible": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","codebuild_project_user_controlled_buildspec": "PASS","apigateway_restapi_client_certificate_enabled": "FAIL","iam_inline_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": 
"PASS","sagemaker_training_jobs_volume_and_output_encryption_enabled": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-systems-3","Section": "your systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement security configurations for all hardware and software assets.","checks_status": {"fail": 25,"pass": 16,"total": 84,"manual": 0}},"your-surroundings-1": {"name": "Your Surroundings-1","checks": {"vpc_flow_logs_enabled": "FAIL","ec2_elastic_ip_unassigned": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-surroundings-1","Section": "your surroundings","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"your-surroundings-2": {"name": "Your Surroundings-2","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "your-surroundings-2","Section": "your surroundings","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"your-surroundings-3": {"name": "Your Surroundings-3","checks": {"elbv2_ssl_listeners": "FAIL","iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-surroundings-3","Section": "your surroundings","Service": 
"aws","SubGroup": null,"SubSection": null}],"description": "Grant access and admin permissions based on need-to-know and least privilege.","checks_status": {"fail": 1,"pass": 0,"total": 6,"manual": 0}},"your-surroundings-4": {"name": "Your Surroundings-4","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "your-surroundings-4","Section": "your surroundings","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Leverage unique passwords for all user accounts.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"your-crisis-response-2": {"name": "Your Crisis Response-2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "your-crisis-response-2","Section": "your crisis response","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Lead development of an internal reporting structure to detect, communicate and contain attacks.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"booting-up-thing-to-do-first-1": {"name": "YBooting Up: Things to Do First-1","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "booting-up-thing-to-do-first-1","Section": "booting up thing to do first","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Lead development of an internal reporting structure to detect, communicate and contain attacks.","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"booting-up-thing-to-do-first-2": {"name": "YBooting Up: Things to Do First-2","checks": {"iam_root_mfa_enabled": 
null,"iam_user_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "booting-up-thing-to-do-first-2","Section": "booting up thing to do first","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"booting-up-thing-to-do-first-3": {"name": "YBooting Up: Things to Do First-3","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "booting-up-thing-to-do-first-1","Section": "booting up thing to do first","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}}},"requirements_passed": 4,"requirements_failed": 11,"requirements_manual": 1,"total_requirements": 16,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "089cf697-547a-4a34-a811-e7a19b78b9fd","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_foundational_technical_review_aws","framework": "AWS-Foundational-Technical-Review","version": "","description": "The AWS Foundational Technical Review (FTR) assesses an AWS Partner's solution against a specific set of Amazon Web Services (AWS) best practices around security, performance, and operational processes that are most critical for customer success. 
Passing the FTR is required to qualify AWS Software Partners for AWS Partner Network (APN) programs such as AWS Competency and AWS Service Ready but any AWS Partner who offers a technology solution may request a FTR review through AWS Partner Central.","region": "eu-west-1","requirements": {"S3-001": {"name": "Review all Amazon S3 buckets to determine appropriate access levels","checks": {"s3_bucket_object_lock": "FAIL","s3_bucket_public_access": null,"s3_bucket_acl_prohibited": "FAIL","s3_bucket_kms_encryption": "FAIL","s3_bucket_public_list_acl": null,"s3_bucket_public_write_acl": null,"s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_level_public_access_block": "PASS","s3_bucket_policy_public_write_access": "PASS","s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "You must ensure that buckets that require public access have been reviewed to determine if public read or write access is needed and if appropriate controls are in place to control public access. When assigning access permissions, follow the principle of least privilege, an AWS best practice. For more information, refer to overview of managing access.","checks_status": {"fail": 5,"pass": 3,"total": 11,"manual": 0}},"ARC-001": {"name": "Use root user only by exception","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "The root user has unlimited access to your account and its resources, and using it only by exception helps protect your AWS resources. The AWS root user must not be used for everyday tasks, even administrative ones. 
Instead, adhere to the best practice of using the root user only to create your first AWS Identity and Access Management (IAM) user. Then securely lock away the root user credentials and use them to perform only a few accounts and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User. FTR does not require you to actively monitor root usage.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ARC-003": {"name": "Enable multi-factor authentication (MFA) on the root user for all AWS accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Enabling MFA provides an additional layer of protection against unauthorized access to your account. To configure MFA for the root user, follow the instructions for enabling either a virtual MFA or hardware MFA device. If you are using AWS Organizations to create new accounts, the initial password for the root user is set to a random value that is never exposed to you. If you do not recover the password for the root user of these accounts, you do not need to enable MFA on them. For any accounts where you do have access to the root user’s password, you must enable MFA","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ARC-004": {"name": "Remove access keys for the root user","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Programmatic access to AWS APIs should never use the root user. It is best not to generate static an access key for the root user. 
If one already exists, you should transition any processes using that key to use temporary access keys from an AWS Identity and Access Management (IAM) role, or, if necessary, static access keys from an IAM user.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ARC-005": {"name": "Develop incident management plans","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "An incident management plan is critical to respond, mitigate, and recover from the potential impact of security incidents. An incident management plan is a structured process for identifying, remediating, and responding in a timely matter to security incidents. An effective incident management plan must be continually iterated upon, remaining current with your cloud operations goal. For more information on developing incident management plan please see Develop incident management plans.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"BAR-001": {"name": "Configure automatic data backups","checks": {"backup_plans_exist": "PASS","backup_vaults_exist": null,"backup_vaults_encrypted": "PASS","efs_have_backup_enabled": "FAIL","backup_reportplans_exist": null,"rds_instance_backup_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "You must perform regular backups to a durable storage service. Backups ensure that you have the ability to recover from administrative, logical, or physical error scenarios. Configure backups to be taken automatically based on a periodic schedule, or by changes in the dataset. RDS instances, EBS volumes, DynamoDB tables, and S3 objects can all be configured for automatic backup. 
AWS Backup, AWS Marketplace solutions or third-party solutions can also be used. If objects in S3 bucket are write-once-read-many (WORM), compensating controls such as object lock can be used meet this requirement. If it is customers’ responsibility to backup their data, it must be clearly stated in the documentation and the Partner must provide clear instructions on how to backup the data.","checks_status": {"fail": 1,"pass": 3,"total": 6,"manual": 0}},"BAR-002": {"name": "Periodically recover data to verify the integrity of your backup process","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "To confirm that your backup process meets your recovery time objectives (RTO) and recovery point objectives (RPO), run a recovery test on a regular schedule and after making significant changes to your cloud environment. For more information, refer to Getting Started - Backup and Restore with AWS.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-001": {"name": "Use cross-account roles to access customer AWS accounts","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Cross-account roles reduce the amount of sensitive information AWS Partners need to store for their customers.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-002": {"name": "Use an external ID with cross-account roles to access customer accounts","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "An external ID allows the user that is assuming the role to assert the circumstances in which they are operating. 
It also provides a way for the account owner to permit the role to be assumed only under specific circumstances. The primary function of the external ID is to address and prevent the confused deputy problem.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-003": {"name": "Deprecate any historical use of customer-provided IAM credentials","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "If your application provides legacy support for the use of static IAM credentials for cross-account access, the application's user interface and customer documentation must make it clear that this method is deprecated. Existing customers should be encouraged to switch to cross-account role based-access, and collection of credentials should be disabled for new customers.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-004": {"name": "Use a value you generate (not something provided by the customer) for the external ID","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "When configuring cross-account access using IAM roles, you must use a value you generate for the external ID, instead of one provided by the customer, to ensure the integrity of the cross-account role configuration. A partner-generated external ID ensures that malicious parties cannot impersonate a customer's configuration and enforces uniqueness and format consistency across all customers. 
If you are not generating an external ID today we recommend implementing a process that generates a random unique value (such as a Universally Unique Identifier) for the external ID that a customer uses to set up a cross-account role.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-005": {"name": "Ensure that all external IDs are unique.","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "The external IDs used must be unique across all customers. Re-using external IDs for different customers does not solve the confused deputy problem and runs the risk of customer A being able to view data of customer B by using the role ARN and the external ID of customer B. To resolve this, we recommend implementing a process that ensures a random unique value, such as a Universally Unique Identifier, is generated for the external ID that a customer would use to setup a cross account role.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-006": {"name": "Provide read-only access to external ID to customers","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Customers must not be able to set or influence external IDs. When the external ID is editable, it is possible for one customer to impersonate the configuration of another. For example, when the external ID is editable, customer A can create a cross account role setup using customer B’s role ARN and external ID, granting customer A access to customer B’s data. 
Remediation of this item involves making the external ID a view-only field, ensuring that the external ID cannot be changed to impersonate the setup of another customer.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-007": {"name": "Provide guidance or an automated setup mechanism (for example, an AWS CloudFormation template) for creating cross-account roles with the minimum required privileges","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "The policy created for cross-account access in customer accounts must follow the principle of least privilege. The AWS Partner must provide a role-policy document or an automated setup mechanism (for example, an AWS CloudFormation template) for the customers to use to ensure that the roles are created with minimum required privileges. For more information, refer to the AWS Partner Network (APN) blog posts.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-001": {"name": "Enable multi-factor authentication (MFA) for all Human Identities with AWS access","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_hardware_mfa_enabled": null,"iam_administrator_access_with_mfa": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "You must require any human identities to authenticate using MFA before accessing your AWS accounts. Typically, this means enabling MFA within your corporate identity provider. If you have existing legacy IAM users you must enable MFA for console access for those principals as well. Enabling MFA for IAM users provides an additional layer of security. 
With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone). Please note that machine identities do not require MFA.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"IAM-002": {"name": "Monitor and secure static AWS Identity and Access Management (IAM) credentials","checks": {"guardduty_is_enabled": "PASS","iam_user_accesskey_unused": null,"iam_rotate_access_key_90_days": null,"guardduty_no_high_severity_findings": "FAIL","iam_user_with_temporary_credentials": null},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Use temporary IAM credentials retrieved by assuming a role whenever possible. In cases where it is infeasible to use IAM roles, implement the following controls to reduce the risk these credentials are misused: Rotate IAM access keys regularly (recommended at least every 90 days). Maintain an inventory of all static keys and where they are used and remove unused access keys. Implement monitoring of AWS CloudTrail logs to detect anomalous activity or other potential misuse (e.g. using AWS GuardDuty.) 
Define a runbook or SOP for revoking credentials in the event you detect misuse.","checks_status": {"fail": 1,"pass": 1,"total": 5,"manual": 0}},"IAM-003": {"name": "Use strong password policy","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Enforce a strong password policy, and educate users to avoid common or re-used passwords. For IAM users, you can create a password policy for your account on the Account Settings page of the IAM console. You can use the password policy to define password requirements, such as minimum length and whether it requires non-alphabetic characters, and so on. For more information, see Setting an Account Password Policy for IAM users.","checks_status": {"fail": 0,"pass": 0,"total": 7,"manual": 0}},"IAM-004": {"name": "Create individual identities (no shared credentials) for anyone who needs AWS access","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Create individual entities and give unique security credentials and permissions to each user accessing your account. 
With individual entities and no shared credentials, you can audit the activity of each user.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-005": {"name": "Use IAM roles and its temporary security credentials to provide access to third parties.","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Do not provision IAM users and share those credentials with people outside of your organization. Any external services that need to make AWS API calls against your account (for example, a monitoring solution that accesses your account's AWS CloudWatch metrics) must use a cross-account role. For more information, refer to Providing access to AWS accounts owned by third parties.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-006": {"name": "Grant least privilege access","checks": {"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "You must follow the standard security advice of granting least privilege. Grant only the access that identities require by allowing access to specific actions on specific AWS resources under specific conditions. Rely on groups and identity attributes to dynamically set permissions at scale, rather than defining permissions for individual users. For example, you can allow a group of developers access to manage only resources for their project. 
This way, when a developer is removed from the group, access for the developer is revoked everywhere that group was used for access control, without requiring any changes to the access policies.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"IAM-007": {"name": "Manage access based on life cycle","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Integrate access controls with operator and application lifecycle and your centralized federation provider and IAM. For example, remove a user’s access when they leave the organization or change roles.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-008": {"name": "Audit identities quarterly","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Auditing the identities that are configured in your identity provider and IAM helps ensure that only authorized identities have access to your workload. For example, remove people that leave the organization, and remove cross-account roles that are no longer required. Have a process in place to periodically audit permissions to the services accessed by an IAM entity. This helps you identify the policies you needto modify to remove any unused permissions. 
For more information, see Refining permissions in AWS using last accessed information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-009": {"name": "Do not embed credentials in application code","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Ensure that all credentials used by your applications (for example, IAM access keys and database passwords) are never included in your application's source code or committed to source control in any way.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-001": {"name": "Define a Recovery Point Objective (RPO)","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "To confirm that your backup process meets your recovery time objectives (RTO) and recovery point objectives (RPO), run a recovery test on a regular schedule and after making significant changes to your cloud environment. For more information, refer to Getting Started - Backup and Restore with AWS.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-002": {"name": "Establish a Recovery Time Objective (RTO)","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Define an RTO that meets your organization’s needs and expectations. 
RTO is the maximum acceptable delay your organization will accept between the interruption and restoration of service.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-004": {"name": "Resiliency Testing","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Test resiliency to ensure that RTO and RPO are met, both periodically (minimum every 12 months) and after major updates. The resiliency test must include accidental data loss, instance failures, and Availability Zone (AZ) failures. At least one resilience test that meets RTO and RPO requirements must be completed prior to FTR approval. You can use AWS Resilience Hub to test and verify your workloads to see if it meets its resilience target. AWS Resilience Hub works with AWS Fault Injection Service (AWS FIS) , a chaos engineering service, to provide fault-injection simulations of real-world failures to validate the application recovers within the resilience targets you defined. AWS Resilience Hub also provides API operations for you to integrate its resilience assessment and testing into your CI/CD pipelines for ongoing resilience validation. Including resilience validation in CI/CD pipelines helps make sure that changes to the workload’s underlying infrastructure don't compromise resilience.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-005": {"name": "Communicate customer responsibilities for resilience","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Clearly define your customers’ responsibility for backup, recovery, and availability. 
At a minimum, your product documentation or customer agreements should cover the following: Responsibility the customer has for backing up the data stored in your solution. Instructions for backing up data or configuring optional features in your product for data protection, if applicable. Options customers have for configuring the availability of your product.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-006": {"name": "Architect your product to meet availability targets and uptime service level agreements (SLAs)","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "If you publish or privately agree to availability targets or uptime SLAs, ensure that your architecture and operational processes are designed to support them. Additionally, provide clear guidance to customers on any configuration required to achieve the targets or SLAs.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-007": {"name": "Define a customer communication plan for outages","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Establish a plan for communicating information about system outages to your customers both during and after incidents. 
Your communication should not include any data that was provided by AWS under a non-disclosure agreement (NDA).","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SUP-001": {"name": "Subscribe to the AWS Business Support tier (or higher) for all production AWS accounts or have an action plan to handle issues which require help from AWS Support","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Partner-hosted FTR requirements","Service": null,"SubGroup": null,"SubSection": null}],"description": "It is recommended that you subscribe to the AWS Business Support tier or higher (including AWS Partner-Led Support) for all of your AWS production accounts. For more information, refer to Compare AWS Support Plans. If you don't have premium support, you must have an action plan to handle issues which require help from AWS Support. AWS Support provides a mix of tools and technology, people, and programs designed to proactively help you optimize performance, lower costs, and innovate faster. AWS Business Support provides additional benefits including access to AWS Trusted Advisor and AWS Personal Health Dashboard and faster response times.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ACOM-001": {"name": "Configure AWS account contacts","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "If an account is not managed by AWS Organizations, alternate account contacts help AWS get in contact with the appropriate personnel if needed. Configure the account’s alternate contacts to point to a group rather than an individual. For example, create separate email distribution lists for billing, operations, and security and configure these as Billing, Security, and Operations contacts in each active AWS account. 
This ensures that multiple people will receive AWS notifications and be able to respond, even if someone is on vacation, changes roles, or leaves the company.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ACOM-002": {"name": "Set account contact information including the root user email address to email addresses and phone numbers owned by your company","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Using company owned email addresses and phone numbers for contact information enables you to access them even if the individuals whom they belong to are no longer with your organization","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"HOST-001": {"name": "Confirm your hosting model","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Partner-hosted FTR requirements","Service": null,"SubGroup": null,"SubSection": null}],"description": "To use this FTR checklist you must host all critical application components on AWS. You may use external providers for edge services such as content delivery networks (CDNs) or domain name system (DNS), or corporate identity providers. If you are using any edge services outside AWS, please specify them in the self-assessment.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-0010": {"name": "Store secrets securely.","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Encrypt all secrets in transit and at rest, define fine-grained access controls that only allow access to specific identities, and log access to secrets in an audit log. 
We recommend you use a purpose-built secret management service such as AWS Secrets Manager, AWS Systems Manager Parameter Store, or an AWS Partner solution, but internally developed solutions that meet these requirements are also acceptable.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-0011": {"name": "Encrypt all end user/customer credentials and hash passwords at rest.","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "If you are storing end user/customer credentials in a database that you manage, encrypt credentials at rest and hash passwords. As an alternative, AWS recommends using a user-identity synchronization service, such as Amazon Cognito or an equivalent AWS Partner solution.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-0012": {"name": "Use temporary credentials","checks": {"iam_root_mfa_enabled": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_administrator_access_with_mfa": null,"iam_role_administratoraccess_policy": null,"iam_user_mfa_enabled_console_access": null,"iam_user_with_temporary_credentials": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_role_cross_account_readonlyaccess_policy": null,"iam_role_cross_service_confused_deputy_prevention": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Use temporary security credentials to access AWS resources. For machine identities within AWS (for example, Amazon Elastic Compute Cloud (Amazon EC2) instances or AWS Lambda functions), always use IAM roles to acquire temporary security credentials. 
For machine identities running outside of AWS, use IAM Roles Anywhere or securely store static AWS access keys that are only used to assume an IAM role.For human identities, use AWS IAM Identity Center or other identity federation solutions where possible. If you must use static AWS access keys for human users, require MFA for all access, including the AWS Management Console, and AWS Command Line Interface (AWS CLI).","checks_status": {"fail": 0,"pass": 0,"total": 13,"manual": 0}},"RCVP-001": {"name": "Establish a process to ensure that all required compliance standards are met","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "If you advertise that your product meets specific compliance standards, you must have an internal process for ensuring compliance. Examples of compliance standards include Payment Card Industry Data Security Standard (PCI DSS) PCI DSS, Federal Risk and Authorization Management Program (FedRAMP)FedRAMP, and U.S. Health Insurance Portability and Accountability Act (HIPAA)HIPAA. Applicable compliance standards are determined by various factors, such as what types of data the solution stores or transmits and which geographic regions the solution supports.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SDAT-001": {"name": "Identify sensitive data (for example, Personally Identifiable Information (PII) and Protected Health Information (PHI))","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Data classification enables you to determine which data needs to be protected and how. 
Based on the workload and the data it processes, identify the data that is not common public knowledge.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SDAT-002": {"name": "Encrypt all sensitive data at rest","checks": {"athena_workgroup_encryption": null,"efs_encryption_at_rest_enabled": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Encryption maintains the confidentiality of sensitive data even when it gets stolen or the network through which it is transmitted becomes compromised.","checks_status": {"fail": 3,"pass": 0,"total": 7,"manual": 0}},"SDAT-003": {"name": "Only use protocols with encryption when transmitting sensitive data outside of your VPC","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Encryption maintains data confidentiality even when the network through which it is transmitted becomes compromised.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"WAFR-001": {"name": "Conduct periodic architecture reviews (minimum once every year)","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Partner-hosted FTR requirements","Service": null,"SubGroup": null,"SubSection": null}],"description": "Conduct periodic architecture reviews of your production workload (at least once per year) using a documented architectural standard that includes AWS-specific best practices. 
If you have an internally defined standard for your AWS workloads, we recommend you use it for these reviews. If you do not have an internal standard, we recommend you use the AWS Well-Architected Framework.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"WAFR-002": {"name": "Review the AWS Shared Responsibility Models for Security and Resiliency","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Partner-hosted FTR requirements","Service": null,"SubGroup": null,"SubSection": null}],"description": "Review the AWS Shared Responsibility Model for Security and the AWS Shared Responsibility Model for Resiliency. Ensure that your product’s architecture and operational processes address the customer responsibilities defined in these models. We recommend you to use AWS Resilience Hub to ensure your workload resiliency posture meets your targets and to provide you with operational procedures you may use to address the customer responsibilities.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"NETSEC-001": {"name": "Implement the least permissive rules for all Amazon EC2 security groups","checks": {"ec2_ami_public": null,"ec2_instance_public_ip": "FAIL","ec2_securitygroup_not_used": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "All Amazon EC2 security groups should restrict access to the greatest degree possible. At a minimum, do the following: Ensure that no security groups allow ingress from 0.0.0.0/0 to port 22 or 3389 (CIS 5.2) Ensure that the default security group of every VPC restricts all traffic (CIS 5.3/Security Control EC2.2)","checks_status": {"fail": 3,"pass": 16,"total": 20,"manual": 0}},"NETSEC-002": {"name": "Restrict resources in public subnets","checks": {"vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","vpc_endpoint_connections_trust_boundaries": "FAIL","workspaces_vpc_2private_1public_subnets_nat": null,"vpc_endpoint_services_allowed_principals_trust_boundaries": null},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Do not place resources in public subnets of your VPC unless they must receive network traffic from public sources. 
Public subnets are subnets associated with a route table that has a route to an internet gateway.","checks_status": {"fail": 3,"pass": 0,"total": 5,"manual": 0}},"SECOPS-001": {"name": "Perform vulnerability management","checks": {"inspector2_is_enabled": "FAIL","inspector2_active_findings_exist": "FAIL","guardduty_no_high_severity_findings": "FAIL","accessanalyzer_enabled_without_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Define a mechanism and frequency to scan and patch for vulnerabilities in your dependencies, and in your operating systems to help protect against new threats. Scan and patch your dependencies, and your operating systems on a defined schedule. Software vulnerability management is essential to keeping your system secure from threat actors. Embedding vulnerability assessments early into your continuous integration/continuous delivery (CI/CD) pipeline allows you to prioritize remediation of any security vulnerabilities detected. The solution you need to achieve this varies according to the AWS services that you are consuming. To check for vulnerabilities in software running in Amazon EC2 instances, you can add Amazon Inspector to your pipeline to cause your build to fail if Inspector detects vulnerabilities. 
You can also use open source products such as OWASP Dependency-Check, Snyk, OpenVAS, package managers and AWS Partner tools for vulnerability management.","checks_status": {"fail": 4,"pass": 0,"total": 4,"manual": 0}}},"requirements_passed": 6,"requirements_failed": 7,"requirements_manual": 32,"total_requirements": 45,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "1491ce35-3d2b-4cf6-a56d-b18b391d5623","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "nist_800_171_revision_2_aws","framework": "NIST-800-171-Revision-2","version": "","description": "The cybersecurity controls within NIST 800-171 safeguard CUI in the IT networks of government contractors and subcontractors. It defines the practices and procedures that government contractors must adhere to when their networks process or store CUI. NIST 800-171 only applies to those parts of a contractor’s network where CUI is present.","region": "eu-west-1","requirements": {"3_1_1": {"name": "3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)","checks": {"iam_root_mfa_enabled": null,"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"ec2_instance_profile_attached": "PASS","iam_root_hardware_mfa_enabled": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"eks_cluster_not_publicly_accessible": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": 
"PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_1","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. 
The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.","checks_status": {"fail": 3,"pass": 7,"total": 28,"manual": 0}},"3_1_2": {"name": "3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute","checks": {"iam_root_mfa_enabled": null,"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"ec2_instance_profile_attached": "PASS","iam_root_hardware_mfa_enabled": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"eks_cluster_not_publicly_accessible": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_2","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. 
System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).","checks_status": {"fail": 3,"pass": 7,"total": 28,"manual": 0}},"3_1_3": {"name": "3.1.3 Control the flow of CUI in accordance with approved authorizations","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"eks_cluster_not_publicly_accessible": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_3","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. 
Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. 
Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"3_1_4": {"name": "3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_1_4","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. 
Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"3_1_5": {"name": "3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_1_5","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. 
Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"3_1_6": {"name": "3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions","checks": {"iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_1_6","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"3_1_7": {"name": "3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs","checks": {"iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_1_7","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Privileged functions include establishing system accounts, 
performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"3_3_1": {"name": "3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_3_1","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "An event is any observable occurrence in 
a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. 
Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making.","checks_status": {"fail": 7,"pass": 4,"total": 14,"manual": 0}},"3_3_2": {"name": "3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions","checks": {"guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_3_2","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. 
Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).","checks_status": {"fail": 3,"pass": 3,"total": 9,"manual": 0}},"3_3_3": {"name": "3.3.3 Review and update logged events","checks": {"vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_3_3","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. 
Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient.","checks_status": {"fail": 4,"pass": 2,"total": 9,"manual": 0}},"3_3_4": {"name": "3.3.4 Alert in the event of an audit logging process failure","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_3_4","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"3_3_5": {"name": "3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_3_5","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. 
Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"3_3_8": {"name": "3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion","checks": {"s3_bucket_public_access": null,"s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_policy_public_write_access": "PASS","s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_3_8","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. 
Physical protection of audit information is addressed by media protection and physical and environmental protection requirements.","checks_status": {"fail": 4,"pass": 2,"total": 8,"manual": 0}},"3_4_1": {"name": "3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles","checks": {"ec2_elastic_ip_unassigned": "FAIL","elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","cloudtrail_multi_region_enabled": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_4_1","Section": "3.4 Configuration Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. 
Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location.","checks_status": {"fail": 6,"pass": 1,"total": 7,"manual": 0}},"3_4_2": {"name": "3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_4_2","Section": "3.4 Configuration Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. 
Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"3_4_6": {"name": "3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities","checks": {"iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"ec2_instance_managed_by_ssm": "FAIL","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"redshift_cluster_public_access": null,"ssm_managed_compliant_patching": "FAIL","s3_bucket_policy_public_write_access": "PASS","s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_4_6","Section": "3.4 Configuration Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. 
Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.","checks_status": {"fail": 3,"pass": 3,"total": 15,"manual": 0}},"3_4_7": {"name": "3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_4_7","Section": "3.4 Configuration Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. 
Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"3_4_9": {"name": "3.4.9 Control and monitor user-installed software","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_4_9","Section": "3.4 Configuration Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved 'app stores.' Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"3_5_2": {"name": "3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems","checks": {"iam_root_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_2","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. 
Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"3_5_3": {"name": "3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_3","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). 
Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"3_5_5": {"name": "3.5.5 Prevent reuse of identifiers for a defined period","checks": {"iam_password_policy_reuse_24": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_5","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). 
Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"3_5_6": {"name": "3.5.6 Disable identifiers after a defined period of inactivity","checks": {"iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_user_console_access_unused": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_6","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"3_5_7": {"name": "3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created","checks": {"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_7","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. 
The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.","checks_status": {"fail": 0,"pass": 0,"total": 9,"manual": 0}},"3_5_8": {"name": "3.5.8 Prohibit password reuse for a specified number of generations","checks": {"iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_user_console_access_unused": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_8","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Password lifetime restrictions do not apply to temporary passwords.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"3_6_1": {"name": "3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_6_1","Section": "3.6 Incident Response","Service": "aws","SubGroup": null,"SubSection": null}],"description": 
"Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. 
User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required.","checks_status": {"fail": 6,"pass": 4,"total": 14,"manual": 0}},"3_6_2": {"name": "3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_6_2","Section": "3.6 Incident Response","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. 
Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.","checks_status": {"fail": 6,"pass": 4,"total": 14,"manual": 0}},"3_11_2": {"name": "3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_11_2","Section": "3.11 Risk Assessment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. 
Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"3_11_3": {"name": "3.11.3 Remediate vulnerabilities in accordance with risk assessments","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_11_3","Section": "3.11 Risk Assessment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. 
The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"3_12_4": {"name": "3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_12_4","Section": "3.12 Assessment, Authorization, and Monitoring","Service": "aws","SubGroup": null,"SubSection": null}],"description": "System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. 
Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization.","checks_status": {"fail": 2,"pass": 3,"total": 9,"manual": 0}},"3_13_1": {"name": "3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems","checks": {"elb_ssl_listeners": "FAIL","elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","elbv2_waf_acl_attached": "FAIL","rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": "PASS","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": 
"PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_1","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. 
Such transmission services may represent sources of increased risk despite contract security provisions.","checks_status": {"fail": 10,"pass": 8,"total": 23,"manual": 0}},"3_13_2": {"name": "3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems","checks": {"rds_instance_multi_az": "FAIL","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","efs_have_backup_enabled": "FAIL","s3_bucket_public_access": null,"elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","dynamodb_tables_pitr_enabled": null,"awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": "PASS","acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"rds_instance_integration_cloudwatch_logs": "FAIL","awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_2","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. 
The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.","checks_status": {"fail": 7,"pass": 8,"total": 23,"manual": 0}},"3_13_3": {"name": "3.13.3 Separate user functionality from system management functionality","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_13_3","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. 
Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"3_13_4": {"name": "3.13.4 Prevent unauthorized and unintended information transfer via shared system resources","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_13_4","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. 
This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3_13_5": {"name": "3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks","checks": {"elb_ssl_listeners": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_5","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). 
DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.","checks_status": {"fail": 6,"pass": 6,"total": 20,"manual": 0}},"3_13_6": {"name": "3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_6","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"3_13_8": {"name": "3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards","checks": {"elb_ssl_listeners": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_8","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. 
Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"3_14_1": {"name": "3.14.1 Identify, report, and correct system flaws in a timely manner","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_14_1","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. 
Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"3_14_2": {"name": "3.14.2 Provide protection from malicious code at designated locations within organizational systems","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_14_2","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. 
Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.","checks_status": {"fail": 2,"pass": 2,"total": 5,"manual": 0}},"3_14_3": {"name": "3.14.3 Monitor system security alerts and advisories and take action in response","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_14_3","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. 
Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"3_14_4": {"name": "3.14.4 Update malicious code protection mechanisms when new releases are available","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_14_4","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. 
In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3_14_6": {"name": "3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_14_6","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). 
Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. 
System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.","checks_status": {"fail": 5,"pass": 4,"total": 12,"manual": 0}},"3_14_7": {"name": "3.14.7 Identify unauthorized use of organizational systems","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_14_7","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. 
System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.","checks_status": {"fail": 5,"pass": 4,"total": 12,"manual": 0}},"3_1_12": {"name": "3.1.12 Monitor and control remote access sessions","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_12","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. 
Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).","checks_status": {"fail": 4,"pass": 4,"total": 11,"manual": 0}},"3_1_13": {"name": "3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_13","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"3_1_14": {"name": "3.1.14 Route remote access via managed access control points","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"iam_user_mfa_enabled_console_access": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_14","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems 
resulting in the unauthorized disclosure of CUI.","checks_status": {"fail": 3,"pass": 5,"total": 14,"manual": 0}},"3_1_20": {"name": "3.1.20 Verify and control/limit connections to and use of external systems","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_20","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems. Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. 
In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations. Note that while “external” typically refers to outside of the organization's direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered 'external' to that system.","checks_status": {"fail": 2,"pass": 1,"total": 5,"manual": 0}},"3_5_10": {"name": "3.5.10 Store and transmit only cryptographically-protected passwords","checks": {"ec2_ebs_volume_encryption": "PASS","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_5_10","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords.","checks_status": {"fail": 2,"pass": 3,"total": 6,"manual": 0}},"3_13_11": {"name": "3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI","checks": {"ec2_ebs_volume_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": 
"FAIL","acm_certificates_expiration_check": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_11","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography.","checks_status": {"fail": 6,"pass": 3,"total": 12,"manual": 0}},"3_13_15": {"name": "3.13.15 Protect the authenticity of communications sessions","checks": {"elb_ssl_listeners": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_15","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. 
This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3_13_16": {"name": "3.13.16 Protect the confidentiality of CUI at rest","checks": {"ec2_ebs_volume_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_16","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. 
Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}}},"requirements_passed": 14,"requirements_failed": 35,"requirements_manual": 1,"total_requirements": 50,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "168b9e98-d0d8-47a8-b53a-32097ec095ac","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "nist_800_53_revision_4_aws","framework": "NIST-800-53-Revision-4","version": "","description": "NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. The controls defined in this standard are customizable and address a diverse set of security and privacy requirements.","region": "eu-west-1","requirements": {"ac_2": {"name": "Account Management (AC-2)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_2","Section": 
"Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.","checks_status": {"fail": 3,"pass": 3,"total": 18,"manual": 0}},"ac_3": {"name": "Access Enforcement (AC-3)","checks": {"iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","checks_status": {"fail": 0,"pass": 3,"total": 14,"manual": 0}},"ac_4": {"name": "Information Flow Enforcement (AC-4)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": 
"PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.","checks_status": {"fail": 3,"pass": 7,"total": 17,"manual": 0}},"ac_5": {"name": "Separation Of Duties (AC-5)","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_5","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Separate duties of individuals to prevent malevolent activity. 
automate separation of duties and access authorizations.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_6": {"name": "Least Privilege (AC-6)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_6","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.","checks_status": {"fail": 1,"pass": 5,"total": 18,"manual": 0}},"au_2": {"name": "Event Logging (AU-2)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"au_2","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3": {"name": "Content of Audit Records (AU-3)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_9": {"name": "Protection of Audit Information (AU-9)","checks": {"cloudtrail_kms_encryption_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_9","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects audit information and audit tools from unauthorized access, modification, and deletion.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"ca_7": {"name": "Continuous Monitoring (CA-7)","checks": {"securityhub_enabled": 
"PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_7","Section": "Security Assessment And Authorization (CA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Continuously monitor configuration management processes. Determine security impact, environment and operational risks.","checks_status": {"fail": 2,"pass": 3,"total": 9,"manual": 0}},"cm_2": {"name": "Baseline Configuration (CM-2)","checks": {"elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","cloudtrail_multi_region_enabled": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.","checks_status": {"fail": 5,"pass": 1,"total": 6,"manual": 0}},"cm_7": {"name": "Least Functionality (CM-7)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_7","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.","checks_status": 
{"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cp_9": {"name": "Information System Backup (CP-9)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","dynamodb_tables_pitr_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization conducts backups of user-level information, system-level information and information system documentation including security-related documentation contained in the information system and protects the confidentiality, integrity, and availability of backup information at storage locations.","checks_status": {"fail": 1,"pass": 1,"total": 4,"manual": 0}},"ia_2": {"name": "Identification and Authentication (Organizational users) (IA-2)","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2","Section": "Identification and Authentication (IA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ra_5": {"name": "Vulnerability Scanning (RA-5)","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ra_5","Section": "Risk Assessment (RA)","Service": "guardduty","SubGroup": null,"SubSection": null}],"description": "Scan for system vulnerabilities. 
Share vulnerability information and security controls that eliminate vulnerabilities.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"sa_3": {"name": "System Development Life Cycle (SA-3)","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa_3","Section": "System and Services Acquisition (SA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc_2": {"name": "Application Partitioning (SC-2)","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_2","Section": "System and Communications Protection (SC)","Service": "iam","SubGroup": null,"SubSection": null}],"description": "The information system separates user functionality (including user interface services) from information system management functionality.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"sc_4": {"name": "Information In Shared Resources (SC-4)","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_4","Section": "System and Communications Protection (SC)","Service": "ebs","SubGroup": null,"SubSection": null}],"description": "The information system prevents unauthorized and unintended information transfer via shared system resources.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 
0}},"sc_5": {"name": "Denial Of Service Protection (SC-5)","checks": {"rds_instance_multi_az": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_5","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"sc_7": {"name": "Boundary Protection (SC-7)","checks": {"elb_ssl_listeners": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. 
Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.","checks_status": {"fail": 6,"pass": 6,"total": 20,"manual": 0}},"sc_8": {"name": "Transmission Confidentiality And Integrity (SC-8)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"si_4": {"name": "Information System Monitoring (SI-4)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_waf_acl_attached": "FAIL","ec2_instance_imdsv2_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. 
Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].","checks_status": {"fail": 3,"pass": 3,"total": 10,"manual": 0}},"si_7": {"name": "Software, Firmware, and Information Integrity (SI-7)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ac_21": {"name": "Information Sharing (AC-21)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": 
null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_21","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Facilitate information sharing. Enable authorized users to grant access to partners.","checks_status": {"fail": 1,"pass": 4,"total": 11,"manual": 0}},"au_11": {"name": "Audit Record Retention (AU-11)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_11","Section": "Audit and Accountability (AU)","Service": "cloudwatch","SubGroup": null,"SubSection": null}],"description": "The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_12": {"name": "Audit Generation (AU-12)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": 
null}],"description": "Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"cp_10": {"name": "Information System Recovery And Reconstitution (CP-10)","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_10","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.","checks_status": {"fail": 4,"pass": 1,"total": 7,"manual": 0}},"sa_10": {"name": "Developer Configuration Management (SA-10)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa_10","Section": "System and Services Acquisition (SA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. 
Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].","checks_status": {"fail": 2,"pass": 2,"total": 4,"manual": 0}},"sc_12": {"name": "Cryptographic Key Establishment And Management (SC-12)","checks": {"kms_cmk_rotation_enabled": null,"acm_certificates_expiration_check": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_12","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"sc_13": {"name": "Cryptographic Protection (SC-13)","checks": {"dynamodb_tables_kms_cmk_encryption_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_13","Section": "System and Communications Protection (SC)","Service": "dynamodb","SubGroup": null,"SubSection": null}],"description": "The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"sc_23": {"name": "Session Authenticity (SC-23)","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_23","Section": "System and Communications Protection (SC)","Service": "elb","SubGroup": null,"SubSection": null}],"description": "The information system protects the authenticity of communications sessions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"sc_28": {"name": "Protection Of Information At Rest (SC-28)","checks": 
{"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_28","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].","checks_status": {"fail": 5,"pass": 3,"total": 12,"manual": 0}},"si_12": {"name": "Information Handling and Retention (SI-12)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_12","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.","checks_status": {"fail": 3,"pass": 1,"total": 6,"manual": 0}},"ac_2_1": {"name": "AC-2(1) Automated System Account Management","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null},"status": 
"PASS","attributes": [{"Type": null,"ItemId": "ac_2_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.","checks_status": {"fail": 0,"pass": 2,"total": 6,"manual": 0}},"ac_2_3": {"name": "AC-2(3) Disable Inactive Accounts","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The information system automatically disables inactive accounts after 90 days for user accounts.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ac_2_4": {"name": "AC-2(4) Automated Audit Actions","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": 
null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_2_4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].","checks_status": {"fail": 2,"pass": 3,"total": 11,"manual": 0}},"au_6_1": {"name": "AU-6(1) Process Integration","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Review, Analysis And Reporting (AU-6)"}],"description": "The organization employs automated mechanisms to integrate audit review, analysis,and reporting processes to support organizational processes for investigation and response to suspicious activities.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"au_6_3": {"name": "AU-6(3) Correlate Audit Repositories","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit 
Review, Analysis And Reporting (AU-6)"}],"description": "The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"au_7_1": {"name": "AU-7(1) Automatic Processing","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_7_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"au_9_2": {"name": "AU-9(2) Audit Backup On Separate Physical Systems / Components","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "au_9_2","Section": "Audit and Accountability (AU)","Service": "s3","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cm_8_1": {"name": "CM-8(1) Updates During Installation / Removals","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_1","Section": "Configuration Management (CM)","Service": "ec2","SubGroup": null,"SubSection": "Information System Component Inventory (CM-8)"}],"description": "The organization develops and documents an inventory of information 
system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cm_8_3": {"name": "CM-8(3) Automated Unauthorized Component Detection","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_3","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Information System Component Inventory (CM-8)"}],"description": "The organization employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system and takes actions (disables network access by such components, isolates the components etc) when unauthorized components are detected.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"ia_2_1": {"name": "IA-2(1) Network Access To Privileged Accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_1","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "The information system implements multi-factor authentication for network access to privileged accounts.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_2_2": {"name": "IA-2(2) Network Access To Non-Privileged Accounts","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_2","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": 
null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "The information system implements multifactor authentication for network access to non-privileged accounts.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ia_5_1": {"name": "IA-5(1) Password-Based Authentication","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_1","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_4": {"name": "IA-5(4) Automated Support For Password Strength Determination","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_4","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_7": {"name": "IA-5(7) No Embedded Unencrypted Static Authenticators","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_7","Section": "Identification and Authentication (IA)","Service": "codebuild","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "The organization ensures that unencrypted static authenticators are not embedded 
in applications or access scripts or stored on function keys.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ir_4_1": {"name": "IR-4(1) Automated Incident Handling Processes","checks": {"guardduty_no_high_severity_findings": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir_4_1","Section": "Incident Response (IR)","Service": "aws","SubGroup": null,"SubSection": "Incident Handling (IR-4)"}],"description": "The organization employs automated mechanisms to support the incident handling process.","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"ir_6_1": {"name": "IR-6(1) Automated Reporting","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir_6_1","Section": "Incident Response (IR)","Service": "guardduty","SubGroup": null,"SubSection": "Incident Reporting (IR-6)"}],"description": "The organization employs automated mechanisms to assist in the reporting of security incidents.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ir_7_1": {"name": "IR-7(1) Automation Support For Availability Of Information / Support","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir_7_1","Section": "Incident Response (IR)","Service": "guardduty","SubGroup": null,"SubSection": "Incident Response Assistance (IR-7)"}],"description": "The organization employs automated mechanisms to increase the availability of incident response-related information and support.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc_7_3": {"name": "SC-7(3) Access Points","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": 
"PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_3","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "The organization limits the number of external network connections to the information system.","checks_status": {"fail": 3,"pass": 6,"total": 16,"manual": 0}},"sc_8_1": {"name": "SC-8(1) Cryptographic Or Alternate Physical Protection","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_1","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity (SC-8)"}],"description": "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"si_2_2": {"name": "SI-2(2) Automates Flaw Remediation Status","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": 
"FAIL","attributes": [{"Type": null,"ItemId": "si_2_2","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"si_4_1": {"name": "SI-4(1) System-Wide Intrusion Detection System","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_1","Section": "System and Information Integrity (SI)","Service": "guardduty","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_2": {"name": "SI-4(2) Automated Tools For Real-Time Analysis","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_2","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization employs automated tools to support near real-time analysis of events.","checks_status": {"fail": 1,"pass": 3,"total": 8,"manual": 0}},"si_4_4": {"name": "SI-4(4) Inbound and Outbound Communications Traffic","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": 
"FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_4","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"si_4_5": {"name": "SI-4(5) System-Generated Alerts","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_5","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The information system alerts organization-defined personnel or roles when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"si_7_1": {"name": "SI-7(1) Integrity Checks","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_1","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity 
(SI-7)"}],"description": "The information system performs an integrity check of security relevant events at least monthly.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ac_17_1": {"name": "AC-17(1) Automated Monitoring/Control","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_17_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system monitors and controls remote access methods.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ac_17_2": {"name": "AC-17(2) Protection Of Confidentiality/Integrity Using Encryption","checks": {"elb_ssl_listeners": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_2","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.","checks_status": {"fail": 2,"pass": 1,"total": 3,"manual": 0}},"ac_17_3": {"name": "AC-17(3) Managed Access Control Points","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_17_3","Section": "Access Control (AC)","Service": "vpc","SubGroup": null,"SubSection": null}],"description": "The information system routes all remote accesses through organization-defined managed network access control points.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ac_2_12": {"name": "AC-2(12) Account Monitoring","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_12","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Monitors and reports atypical usage of information 
system accounts to organization-defined personnel or roles.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ac_6_10": {"name": "AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_6_10","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_2_11": {"name": "IA-2(11) Remote Access - Separate Device","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_11","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"si_4_16": {"name": "SI-4(16) Correlate Monitoring Information","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_16","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization correlates information from monitoring tools employed throughout the information system.","checks_status": 
{"fail": 0,"pass": 2,"total": 2,"manual": 0}}},"requirements_passed": 18,"requirements_failed": 41,"requirements_manual": 5,"total_requirements": 64,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "1c8c75df-34ec-48f2-b6e2-5dba27d9b734","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "kisa_isms_p_2023_aws","framework": "KISA-ISMS-P","version": "2023","description": "The ISMS-P certification, established by KISA (Korea Internet & Security Agency), is a system where an independent certification body evaluates whether a company or organization's information security and privacy protection measures comply with certification standards, and grants certification. This helps organizations improve public trust in their services and respond effectively to increasingly complex cyber threats. The ISMS-P framework also provides comprehensive guidelines for systematically establishing, implementing, and managing information security and privacy protection.","region": "eu-west-1","requirements": {"1.1.1": {"name": "Executive Participation","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.1 Executive Participation","Subdomain": "1.1. 
Management System","AuditEvidence": ["Information protection and personal information protection reporting system (e.g., communication plan)","Minutes of the Information Protection and Personal Information Protection Committee","Information protection and personal information protection policies/guidelines (including executive approval records)","Information protection plans and internal management plans (including executive approval records)","Information protection and personal information protection organization chart"],"AuditChecklist": ["Is there documentation outlining the responsibilities and roles of executives to ensure their participation in the establishment and operation of the information protection and personal information protection management system?","Is there a reporting, review, and approval process in place to ensure that executives actively participate in decision-making regarding information protection and personal information protection activities?"],"NonComplianceCases": ["Case 1: Although it is stated in the information protection and personal information protection policy to report the status of information protection and personal information protection to the executives on a quarterly basis, no such reports have been made for an extended period.","Case 2: In performing major information protection activities (e.g., risk assessment, determining risk acceptance levels, reviewing information protection measures and implementation plans, reviewing the results of information protection measures, security audits, etc.), executives or those authorized by the executives did not participate in decision-making or there was no evidence of their involvement."],"RelatedRegulations": []}],"description": "The CEO must establish and operate a reporting and decision-making system to ensure executive participation in the establishment and operation of the information protection and personal information protection management system.","checks_status": 
{"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.2": {"name": "Designation of Chief Officers","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.2 Designation of Chief Officers","Subdomain": "1.1. Management System","AuditEvidence": ["Documents related to the appointment of the CISO and CPO (e.g., personnel orders, personnel records)","Information protection and personal information protection organization chart","Information protection and personal information protection policies/guidelines","Job descriptions (roles and responsibilities of the CISO and CPO)","Records of CISO reports","Internal management plans (regarding the appointment of the CPO)"],"AuditChecklist": ["Has the CEO officially designated a chief officer responsible for overseeing information protection and personal information protection?","Are the CISO and CPO appointed at an executive level with authority to allocate resources such as budget and personnel, and do they meet the qualifications required by relevant laws?"],"NonComplianceCases": ["Case 1: Failure to appoint and report a CISO as required under the Information and Communications Network Act, even though the organization is obligated to do so.","Case 2: Appointing a person without substantial authority and status as the CPO, making it difficult to believe that they are responsible for overseeing personal information processing.","Case 3: Although the organization chart specifies the CISO and CPO, the formal appointment process, such as issuing personnel orders, was not followed.","Case 4: Although the entity is subject to ISMS certification and had over 5 trillion won in assets at the end of the previous year, the CISO also holds the position of CIO, in violation of the ISMS requirements."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures), Article 31 (Designation of a Personal Information 
Protection Officer)","Information and Communications Network Act, Article 45-3 (Designation of a Chief Information Security Officer, etc.)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "The CEO must appoint a Chief Information Security Officer (CISO) responsible for information protection and a Chief Privacy Officer (CPO) responsible for personal information protection, both at an executive level with authority to allocate resources such as budget and personnel.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.3": {"name": "Organization Structure","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.3 Organization Structure","Subdomain": "1.1. Management System","AuditEvidence": ["Information protection and personal information protection committee regulations/minutes","Information protection and personal information protection working group regulations/minutes","Information protection and personal information protection organization chart","Internal management plan","Job descriptions"],"AuditChecklist": ["Has the organization established and operated a working group with expertise to support the work of the CISO and CPO and systematically implement the organization's information protection and personal information protection activities?","Has the organization established and operated a committee that can review, approve, and make decisions on important information protection and personal information protection matters across the organization?","Has the organization established and operated a working group composed of information protection and personal information protection officers and department-level personnel for enterprise-wide information protection and personal information protection activities?"],"NonComplianceCases": ["Case 1: The 
Information Protection and Personal Information Protection Committee was established, but it consists only of department heads without the inclusion of executives, making it difficult to make decisions on the organization's key information and personal information protection matters.","Case 2: Although a working group for information protection and personal information protection was established, including heads of departments that handle important information and personal data, it has not been active for an extended period.","Case 3: Although the Information Protection and Personal Information Protection Committee was convened, major matters such as the annual information protection and personal information protection plan, training plan, budget, and personnel were not reviewed or decided upon.","Case 4: Although an Information Protection Committee was established for deliberation and decision-making on information protection and personal information protection matters, only the operations and IT security departments participated, without the involvement of departments responsible for personal information protection, leaving personal information protection matters undecided."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "The CEO must establish and operate a working group to effectively implement information protection and personal information protection, a committee that can review and approve key matters related to information protection and personal information protection across the organization, and a consultative body consisting of department-level information protection and personal information protection officers for enterprise-wide protection activities.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.4": 
{"name": "Scope Setting","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.4 Scope Setting","Subdomain": "1.1. Management System","AuditEvidence": ["Scope definition document for information protection and personal information protection management system","List of information assets and personal information","Document list","Service flowchart","Personal information flowchart","Organization-wide organizational chart","System and network configuration diagram"],"AuditChecklist": ["Has the organization set the scope of the management system to include key assets that may affect core services and personal information processing?","If there are exceptions within the defined scope, are clear reasons documented, and are consultations with relevant stakeholders and approvals from responsible parties recorded and managed?","Is the organization maintaining documentation that includes the major services, operational status, and systems, allowing for clear verification of the scope of the information protection and personal information protection management system?"],"NonComplianceCases": ["Case 1: The development and test systems, external staff, PCs, and test devices related to the development work for information systems and personal information processing systems were omitted from the management system's scope.","Case 2: Key organizations (personnel) in departments and business units that play critical roles in decision-making for services or businesses within the scope of the information protection and personal information protection management system were not included in the certification scope.","Case 3: The development and test systems, developer PCs, test devices, and development organizations related to the development work for information systems and personal information processing systems were omitted from the management system's scope."],"RelatedRegulations": []}],"description": "The 
organization must set the scope of the management system by considering its core services and the current state of personal information processing, and document the related services, personal information processing tasks, organizations, assets, and physical locations.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.5": {"name": "Policy Establishment","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.5 Policy Establishment","Subdomain": "1.1. Management System","AuditEvidence": ["Information protection and personal information protection policies/guidelines/procedures (including records of new/revised versions)","Meeting minutes of stakeholder reviews of newly established/revised information protection and personal information protection policies/guidelines/procedures","Internal management plans for personal information","Notifications of new/revised information protection and personal information protection policies/guidelines (via groupware, intranet, etc.)","Minutes of the Information Protection and Personal Information Protection Committee"],"AuditChecklist": ["Has the organization established a top-level information protection and personal information protection policy that serves as the foundation for all information protection and personal information protection activities?","Has the organization established detailed guidelines, procedures, and manuals specifying the methods, processes, and frequencies required to implement the information protection and personal information protection policies?","Are the information protection and personal information protection policies and implementation documents approved by the CEO or by someone delegated by the CEO when newly established or revised?","Are the latest versions of the information protection and personal information protection policies and implementation documents provided to relevant employees in an easily 
understandable format?"],"NonComplianceCases": ["Case 1: Although internal regulations stipulate that revisions to the information protection and personal information protection policies must be approved by the Information Protection and Personal Information Protection Committee, recent revisions were made solely based on the approval of the CISO and CPO without presenting the revisions to the committee.","Case 2: The information protection and personal information protection policies and guidelines were recently revised, but these changes were not communicated to relevant departments and employees, leading some departments to continue operating based on outdated guidelines.","Case 3: The information protection and personal information protection policies and guidelines are managed solely by the security department and are not made available for employees to access through bulletin boards or documents."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "The organization must establish and document information protection and personal information protection policies and implementation documents, clearly stating the organization's information protection and personal information protection guidelines and direction. These policies and implementation documents must be approved by the executive management and communicated in an understandable form to employees and relevant parties.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.6": {"name": "Resource Allocation","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.6 Resource Allocation","Subdomain": "1.1. 
Management System","AuditEvidence": ["Annual action plan for information protection and personal information protection activities (including budget and personnel plans)","Reports on the results of information protection and personal information protection activities","Records of investments in information protection and personal information protection","Information protection and personal information protection organization chart"],"AuditChecklist": ["Has the organization secured personnel with expertise in the fields of information protection and personal information protection?","Has the organization evaluated and allocated the necessary resources, including budget and personnel, for the effective implementation and continuous operation of the information protection and personal information protection management system?","Has the organization established and implemented an annual detailed action plan for information protection and personal information protection, and conducted audits, analyses, and evaluations of the results?"],"NonComplianceCases": ["Case 1: The organization assembled an information protection and personal information protection team, but the team consisted only of personnel without expertise in information protection or IT, resulting in inadequate security staffing.","Case 2: The CEO failed to allocate sufficient resources, such as budget and security solutions, for implementing the technical and managerial safeguards required for personal information processing systems.","Case 3: After obtaining certification, the organization significantly reduced personnel and budget support, reassigned existing staff to other departments, and repurposed part of the budget for other uses."],"RelatedRegulations": []}],"description": "The CEO must allocate the necessary resources, including budget and personnel with expertise in the fields of information protection and personal information protection, for the effective implementation and continuous operation 
of the management system.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.1": {"name": "Identification of Information Assets","checks": {"macie_is_enabled": "PASS","resourceexplorer2_indexes_found": "PASS","config_recorder_all_regions_enabled": null,"organizations_account_part_of_organizations": null,"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.2.1 Identification of Information Assets","Subdomain": "1.2. Risk Management","AuditEvidence": ["Information asset and personal information asset classification criteria","Information asset and personal information asset list (from asset management system screen)","Information asset and personal information security levels","Asset audit details","Risk analysis report (including asset identification)"],"AuditChecklist": ["Has the organization established classification criteria for information assets and identified all assets within the scope of the information protection and personal information protection management system, maintaining them in a list?","For the identified information assets, does the organization determine their importance by considering legal requirements and their impact on operations, and assign security levels?","Does the organization regularly review the status of information assets to keep the list up-to-date?"],"NonComplianceCases": ["Case 1: The list of assets within the scope of the information protection and personal information protection management system omits internal information leakage control systems, such as print security, document encryption, and USB media control, which are used to manage PCs handling important information and personal information.","Case 2: Personal information provided by third parties within the scope of the information protection and personal information protection management system has not been identified as an 
asset.","Case 3: The asset classification criteria in the internal guidelines and the classification criteria in the asset management register are inconsistent.","Case 4: Although on-premises assets have been identified, assets related to externally entrusted IT services (web hosting, server hosting, cloud, etc.) have been omitted (only for assets within the certification scope).","Case 5: The backup server storing unique identification information and other personal data has been classified with a low confidentiality rating, raising concerns about the reasonableness and reliability of the importance assessment."],"RelatedRegulations": []}],"description": "Organizations must establish classification criteria for information assets according to the characteristics of their operations, identify and classify all information assets within the scope of the management system, assess their importance, and maintain an up-to-date list.","checks_status": {"fail": 0,"pass": 2,"total": 5,"manual": 0}},"1.2.2": {"name": "Status and Flow Analysis","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.2.2 Status and Flow Analysis","Subdomain": "1.2. 
Risk Management","AuditEvidence": ["Information service status table","Information service workflow charts and process maps","Personal information processing status table (for ISMS-P certification)","Personal information flowcharts (for ISMS-P certification)"],"AuditChecklist": ["Has the organization identified and documented the status and workflows of information services across all areas of the management system?","Has the organization identified and documented the status of personal information processing within the scope of the management system, and mapped out personal information flows in flowcharts?","Does the organization regularly review procedures and workflows in response to changes in services, operations, and information assets, and keep the flowcharts and related documents up-to-date?"],"NonComplianceCases": ["Case 1: There are no documents outlining the workflows and procedures for major services within the scope of the management system.","Case 2: The personal information flowchart contains significant discrepancies from the actual personal information flow, or important personal information flows are missing.","Case 3: After the initial creation of the personal information flowchart, it has not been updated to reflect changes in the personal information flow."],"RelatedRegulations": []}],"description": "Organizations must analyze the status of information services and personal information processing across all areas of the management system, document the procedures and workflows, and review them regularly to maintain their accuracy.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.3": {"name": "Risk Assessment","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.2.3 Risk Assessment","Subdomain": "1.2. 
Risk Management","AuditEvidence": ["Risk management guidelines","Risk management manuals/guides","Risk management plan","Risk assessment report","Minutes of the Information Protection and Personal Information Protection Committee","Minutes of the Information Protection and Personal Information Protection Working Group","Information asset and personal information asset list","Information service and personal information flowcharts"],"AuditChecklist": ["Has the organization defined methods for identifying and assessing risks that could arise from various aspects, depending on the characteristics of the organization or service?","Does the organization annually develop a risk management plan that specifies the personnel, timeline, targets, methods, and budget for risk management activities?","Does the organization conduct regular or ad-hoc risk assessments at least once a year according to the risk management plan?","Has the organization established an acceptable target risk level and identified risks that exceed that level?","Are the results of risk identification and assessment reported to the executives?"],"NonComplianceCases": ["Case 1: The risk management plan specifies the risk assessment period and the targets and methods for risk management, but lacks details on the personnel and budget required for execution.","Case 2: While a risk assessment was conducted in the previous year, no risk assessment was conducted this year due to a lack of changes in assets.","Case 3: The organization conducted risk identification and assessment according to the risk management plan, but failed to assess the risks of important information assets within the scope, or failed to assess compliance with legal requirements related to information protection.","Case 4: The organization identified and assessed risks and set an acceptable target risk level according to the risk management plan, but did not report and seek approval from the executives (e.g., the Chief Information Security 
Officer).","Case 5: The method defined in the internal guidelines for risk assessment differs from the method actually used.","Case 6: The organization failed to identify and assess risks in the administrative and physical areas related to the information protection management system, and used only the results of technical vulnerability assessments as the risk assessment outcome.","Case 7: The organization set the acceptable target risk level (DoA) unreasonably high, designating risks that required action as acceptable risks, even though these risks were significant and required immediate or short-term action."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "Organizations must collect threat information by analyzing internal and external environments, select a risk assessment method suitable for the organization, conduct a risk assessment at least once a year across all areas of the management system, and manage acceptable risks with the approval of the executives.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.4": {"name": "Selection of Protective Measures","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.2.4 Selection of Protective Measures","Subdomain": "1.2. 
Risk Management","AuditEvidence": ["Information protection and personal information protection implementation plans/risk management plans","Information protection and personal information protection measures","Information protection and personal information protection master plan","Records of management reports and approvals for the information protection and personal information protection implementation plan"],"AuditChecklist": ["Has the organization developed risk treatment strategies (e.g., risk reduction, avoidance, transfer, acceptance) and selected protective measures to address the identified risks?","Has the organization established and reported to management an implementation plan that includes priority, schedule, responsible department/personnel, and budget for the protective measures?"],"NonComplianceCases": ["Case 1: Although an implementation plan for the information protection and personal information protection measures was established, it was not reported to the CISO and CPO.","Case 2: Some risk mitigation actions that were required were missing from the implementation plan.","Case 3: Mandatory legal requirements and risks with high security vulnerabilities were accepted without additional protective measures, instead of being addressed by a risk treatment plan.","Case 4: The rationale and validity for risk acceptance were insufficient, and some risks that could have been addressed immediately or in the short term due to urgency or ease of implementation were classified under long-term plans without specific justification."],"RelatedRegulations": []}],"description": "Based on the results of the risk assessment, appropriate protective measures must be selected to address the identified risks, and an implementation plan including the priority, schedule, responsible department/personnel, and budget for the protective measures must be established and approved by management.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.1": 
{"name": "Implementation of Protective Measures","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.3.1 Implementation of Protective Measures","Subdomain": "1.3. Operation of the Management System","AuditEvidence": ["Information protection and personal information protection implementation plans/risk management plans","Information protection and personal information protection measures","Information protection and personal information protection implementation progress reports (including reports to management)","Information protection and personal information protection implementation completion reports (including reports to management)","Information protection and personal information protection operating statements"],"AuditChecklist": ["Are the protective measures effectively implemented according to the implementation plan, and are the implementation results reported to management to verify their accuracy and effectiveness?","Has the organization created and documented detailed operating statements recording the implementation and operation status of protective measures according to the certification standards of the management system?"],"NonComplianceCases": ["Case 1: The results of the completion of the information protection and personal information protection measures were not reported to the CISO and CPO.","Case 2: The risk action implementation result report indicated 'completed,' but related risks still existed, or the accuracy and effectiveness of the implementation results were not verified.","Case 3: Risks classified as medium- to long-term in the previous year's information protection measures implementation plan were not implemented in the current year, or the results were not reviewed and verified by management.","Case 4: The actual operating status described in the operating statements did not match reality, and related documents, approvals, and meeting minutes mentioned 
in the operating statements did not exist.","Case 5: Although the implementation results were reported to the CISO and CPO, some incomplete items were not followed up with reasons and corrective actions."],"RelatedRegulations": []}],"description": "The selected protective measures must be effectively implemented according to the implementation plan, and management must verify the accuracy and effectiveness of the implementation results.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.2": {"name": "Sharing of Protective Measures","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.3.2 Sharing of Protective Measures","Subdomain": "1.3. Operation of the Management System","AuditEvidence": ["List of operating or implementing departments for each protective measure","Evidence of internal sharing of information protection and personal information protection plans (e.g., notices, training materials, shared documents)"],"AuditChecklist": ["Has the organization clearly identified the departments and personnel responsible for the operation or implementation of the protective measures?","Has the organization shared or provided training to the departments and personnel responsible for the operation or implementation of the protective measures?"],"NonComplianceCases": ["Case 1: Although protective measures were developed and implemented, the relevant information was not sufficiently shared or provided through training, so the departments or personnel responsible for the actual operation or implementation were unaware of the details."],"RelatedRegulations": []}],"description": "The departments and personnel responsible for the actual operation or implementation of the protective measures must be identified, and the related information must be shared and provided through training to ensure continuous operation.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.3": 
{"name": "Operation Status Management","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.3.3 Operation Status Management","Subdomain": "1.3. Operation of the Management System","AuditEvidence": ["Annual plan for information protection and personal information protection","Operation status report for information protection and personal information protection","Results of inspections on the implementation of information protection and personal information protection activities"],"AuditChecklist": ["Are information protection and personal information protection activities that need to be performed periodically or continuously for the operation of the management system documented and managed?","Does management periodically review the effectiveness of the operation of the management system and manage it accordingly?"],"NonComplianceCases": ["Case 1: Failure to document activities that are required to be performed periodically or continuously as part of the operation of the information protection and personal information protection management system.","Case 2: Although documentation of the operational status of the information protection and personal information protection management system has been completed, periodic reviews have not been conducted, resulting in the omission of some required monthly and quarterly activities, and some activities have not been verified for implementation."],"RelatedRegulations": ["Personal Information Protection Act, Article 31 (Designation of a Personal Information Protection Officer)","Information and Communications Network Act, Article 45-3 (Designation of a Chief Information Security Officer, etc.)"]}],"description": "According to the management system established by the organization, operational activities that must be performed continuously or periodically must be recorded and managed in a way that allows identification and tracking, and management must 
regularly review the effectiveness of operational activities and manage them accordingly.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.1": {"name": "Review of Legal Requirements Compliance","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.4.1 Review of Legal Requirements Compliance","Subdomain": "1.4. Inspection and Improvement of the Management System","AuditEvidence": ["Records of legal compliance reviews","Records of reviews and revisions of information protection and personal information protection policies and guidelines","Comparison tables of revised policies and guidelines","Internal sharing documents of legal revisions","Proof of personal information liability insurance or equivalent guarantees (e.g., cyber insurance contracts)","Information protection disclosure records"],"AuditChecklist": ["Is the organization regularly identifying and maintaining up-to-date legal requirements related to information protection and personal information protection?","Is the organization conducting regular reviews of compliance with legal requirements at least once a year?"],"NonComplianceCases": ["Case 1: Although the Information and Communications Network Act and Personal Information Protection Act were recently revised, the organization did not review the impact of the changes on the organization, and as a result, the policy documents, implementation documents, and legal compliance checklists were not updated, leading to inconsistencies between the documents and the law.","Case 2: Although legal requirements that the organization must comply with were amended, the organization failed to conduct legal compliance reviews for an extended period.","Case 3: Inadequate legal compliance reviews resulted in numerous violations of the Personal Information Protection Act and other regulations.","Case 4: The organization was subject to the Personal Information Liability 
Compensation Guarantee system under the Personal Information Protection Act but failed to recognize this, resulting in non-compliance with insurance or reserve requirements. In cases where insurance was obtained, the organization failed to meet the minimum coverage requirements based on the number of users and revenue.","Case 5: Although the organization was required by law to disclose information protection status, it failed to do so within the legally mandated timeframe.","Case 6: The organization used a mobile app to receive personal location information from a location-based service provider, but failed to report its location-based service business.","Case 7: A foreign personal information controller without a domestic address or business office, whose personal information of domestic subjects stored and managed in the previous three months averaged over one million persons per day, failed to appoint a domestic representative in writing as required."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "The organization must regularly identify and reflect legal requirements related to information protection and personal information protection and continuously review whether compliance is being maintained.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.2": {"name": "Management System Audit","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.4.2 Management System Audit","Subdomain": "1.4. 
Inspection and Improvement of the Management System","AuditEvidence": ["Management system audit plan (internal audit plan, internal inspection plan)","Management system audit report","Minutes of the Information Protection and Personal Information Protection Committee"],"AuditChecklist": ["Has the organization established a management system audit plan that includes the criteria, scope, frequency, and qualifications for audit personnel to audit the management system's effectiveness in accordance with legal requirements and established policies?","Has the organization conducted audits at least once a year with personnel who have independence, objectivity, and expertise, and reported any identified issues to management?"],"NonComplianceCases": ["Case 1: The audit team included personnel from the IT department, which was also the subject of the audit, compromising the independence of the audit.","Case 2: Although a management system audit was conducted this year, the audit scope was limited to certain areas, failing to cover the full scope of the information protection and personal information protection management system.","Case 3: The management system audit team was composed solely of internal staff and external consultants who participated in the development of the management system, compromising the independence of the audit."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "The organization must audit its management system at least once a year with a team of personnel who possess independence and expertise, to ensure the system is operating effectively in accordance with internal policies and legal requirements, and report any identified issues to management.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.3": 
{"name": "Management System Improvement","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.4.3 Management System Improvement","Subdomain": "1.4. Management System Inspection and Improvement","AuditEvidence": ["Management system inspection result reports","Management system inspection action plans and implementation result reports","Preventive measures","Effectiveness measurement indicators and results (including reports to management)"],"AuditChecklist": ["Are the root causes of the issues identified during legal compliance reviews and management system inspections analyzed, and are preventive and improvement measures established and implemented?","Are there criteria and procedures in place to verify the accuracy and effectiveness of preventive and improvement results?"],"NonComplianceCases": ["Case 1: The same issues in the operation of the information protection and personal information protection management system, identified during internal inspections, are repeated each time.","Case 2: Although internal regulations require the analysis of root causes and the establishment of preventive measures for issues identified during internal inspections, recent internal inspections failed to include root cause analysis and preventive measures.","Case 3: Preventive measures for the issues in the management system were established, and key performance indicators (KPIs) were developed for periodic measurement, but the results were not reported to management for a long period.","Case 4: Action plans were not established or the completion of actions was not confirmed for issues identified during management system inspections."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": 
"The root causes of the issues identified during legal compliance reviews and management system inspections must be analyzed, and preventive measures must be established and implemented. The management must confirm the accuracy and effectiveness of the improvement results.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.1": {"name": "Policy Maintenance","checks": {},"status": "PASS","attributes": [{"Domain": "2. Control Measures Requirements","Section": "2.1.1 Policy Maintenance","Subdomain": "2.1. Policies, Organization, and Asset Management","AuditEvidence": ["Information protection and personal information protection policies and implementation documents (e.g., guidelines, procedures, manuals)","Results of regular and ad hoc validity reviews of policies and guidelines","Meeting minutes and circulation records with relevant departments regarding policies and guidelines","Revision history of policies and guidelines"],"AuditChecklist": ["Has the organization established and implemented a procedure for regularly reviewing the validity of information protection and personal information protection policies and implementation documents?","When there are significant changes in the internal and external environment, are the impacts on information protection and personal information protection policies and implementation documents reviewed and revised as necessary?","Are stakeholders consulted when revising information protection and personal information protection policies and implementation documents?","Is there a system in place to track the revision history of information protection and personal information protection policies and implementation documents?"],"NonComplianceCases": ["Case 1: There is inconsistency between password setting rules in guidelines and procedures.","Case 2: Information protection activities (e.g., training, encryption, backup) have different targets, frequencies, levels, and methods described in internal regulations, 
guidelines, and procedures, leading to inconsistency.","Case 3: A new database access control solution was introduced to effectively record and manage access and operation logs for the database, but internal security guidelines such as those for security systems and database security management have not been updated to reflect these new controls.","Case 4: Although the personal information protection policy was revised, the policy implementation date was not specified, and information such as the author, creation date, and approval date were missing from the relevant policy.","Case 5: Although significant changes occurred in laws and regulations related to personal information protection, these changes were not reviewed or reflected in the personal information protection policy and implementation documents."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "Information protection and personal information protection policies and implementation documents must be periodically reviewed and, if necessary, revised in response to changes in laws and regulations, policies of higher organizations and related agencies, and changes in the internal and external environment. These changes must be documented and tracked.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.2": {"name": "Organization Maintenance","checks": {},"status": "PASS","attributes": [{"Domain": "2. Control Measures Requirements","Section": "2.1.2 Organization Maintenance","Subdomain": "2.1. 
Policies, Organization, and Asset Management","AuditEvidence": ["Information protection and personal information protection organization chart","Job descriptions for the information protection and personal information protection organization","Assignment tables for information protection and personal information protection roles","Information protection and personal information protection policies/guidelines and internal management plans","Information protection and personal information protection communication management plans","Records of communication activities (e.g., monthly/weekly reports, internal notices)","Communication channels (e.g., information protection portal, bulletin boards)"],"AuditChecklist": ["Are the roles and responsibilities of those responsible for and involved in information protection and personal information protection clearly defined?","Has the organization established a system for evaluating the activities of those responsible for and involved in information protection and personal information protection?","Has the organization established and implemented systems and procedures for communication between the information protection and personal information protection organization and its members?"],"NonComplianceCases": ["Case 1: Although the roles and responsibilities of the CISO, CPO, and related personnel are defined in internal guidelines and job descriptions, they do not align with the actual operating status.","Case 2: There are no goals, criteria, or performance indicators in place for the periodic evaluation of the activities of the CISO and related personnel.","Case 3: Although internal guidelines require departments to set KPIs related to information protection for the information protection officers in each department to be reflected in performance evaluations, no information protection-related KPIs were set for any of the departmental information protection officers.","Case 4: Although the CISO and CPO are designated, the 
roles and responsibilities required by law are not specifically defined in internal guidelines or job descriptions."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures), Article 31 (Designation of a Personal Information Protection Officer)","Information and Communications Network Act, Article 45-3 (Designation of a Chief Information Security Officer, etc.)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "Roles and responsibilities related to information protection and personal information protection must be assigned to all members of the organization, and systems must be established for evaluating these activities and for communication between members and departments.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.3": {"name": "Management of Information Assets","checks": {"macie_is_enabled": "PASS","resourceexplorer2_indexes_found": "PASS","config_recorder_all_regions_enabled": null,"account_maintain_current_contact_details": null,"organizations_account_part_of_organizations": null,"organizations_tags_policies_enabled_and_attached": null,"account_security_contact_information_is_registered": null,"account_security_questions_are_registered_in_the_aws_account": null,"account_maintain_different_contact_details_to_security_billing_and_operations": null},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.1.3 Management of Information Assets","Subdomain": "2.1. 
Policy, Organization, Asset Management","AuditEvidence": ["List of information assets (designation of responsible persons and managers)","Handling procedures for information assets (documents, information systems, etc.)","Information asset management system screen","Security classification indicators for information assets"],"AuditChecklist": ["Are handling procedures (creation, introduction, storage, use, disposal) and protection measures defined and implemented according to the security classification of information assets?","Have responsible persons and managers been designated for identified information assets?"],"NonComplianceCases": ["Case 1: Although internal guidelines require security classification to be indicated on documents, this has not been followed.","Case 2: Responsible persons and managers for information assets have not been identified, or the asset list has not been updated, leading to changes in responsible personnel due to resignations, transfers, etc., not being reflected.","Case 3: Although security classifications were assigned to identified information assets after evaluating their importance, handling procedures based on the security classification were not defined."],"RelatedRegulations": []}],"description": "The procedures and protection measures for handling information assets according to their purpose and importance must be established and implemented, and the responsibilities for each asset must be clearly defined and managed.","checks_status": {"fail": 0,"pass": 2,"total": 9,"manual": 0}},"2.2.1": {"name": "Designation and Management of Key Personnel","checks": {"iam_support_role_created": null,"organizations_delegated_administrators": null,"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.2.1 Designation and Management of Key Personnel","Subdomain": "2.2. 
Personnel Security","AuditEvidence": ["Criteria for key duties","List of key personnel","List of personal information handlers","Account and authority management ledger for key information systems and personal information processing systems","Management status of key personnel (e.g., training results, security pledges)"],"AuditChecklist": ["Are the criteria for key duties, such as handling personal information and important information or accessing key systems, clearly defined?","Are employees and external personnel performing key duties designated as key personnel, and is the list kept up-to-date?","Are personnel handling personal information designated as personal information handlers, and is the list kept up-to-date?","Is the designation of key personnel and personal information handlers minimized based on business needs, and are management plans established and implemented?"],"NonComplianceCases": ["Case 1: Although a list of key personnel (e.g., personal information handlers, secret information managers) has been created, some employees who handle large volumes of personal information (e.g., DBAs, DLP managers) were omitted.","Case 2: Although the list of key personnel and personal information handlers is being managed, it has not been updated, including resigned employees and newly hired personnel.","Case 3: Personal information handler privileges were granted collectively to entire departments, leading to personnel without the need to handle personal information being excessively designated as personal information handlers.","Case 4: Although internal guidelines require approval from the security team and the signing of security pledges when granting key personnel privileges, many key personnel were registered without following this process."],"RelatedRegulations": ["Personal Information Protection Act, Article 28 (Supervision of Personal Information Handlers), Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal 
Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "Criteria and management plans for key duties, such as handling personal information and important information or accessing key systems, must be established, and the number of key personnel must be minimized and their list kept up-to-date.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"2.2.2": {"name": "Separation of Duties","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.2.2 Separation of Duties","Subdomain": "2.2. Personnel Security","AuditEvidence": ["Guidelines on the separation of duties (e.g., personnel security guidelines)","Job descriptions (e.g., system operation/management, development/operation)","Status of supplementary controls when duties are not separated"],"AuditChecklist": ["Are criteria for the separation of duties established and applied to prevent potential harm from the misuse or abuse of authority?","If separation of duties is difficult, have supplementary controls such as mutual review between personnel, regular monitoring and approval of changes by senior management, and ensuring accountability been established?"],"NonComplianceCases": ["Case 1: Although the organization has sufficient size and personnel to enable separation of duties, the established internal separation of duties criteria were not followed due to operational convenience.","Case 2: Although the organization received approval from senior management to combine development and operation duties due to the organization's characteristics, supplementary control measures such as mutual review between personnel, regular monitoring and review of changes by senior management, and ensuring accountability were not established."],"RelatedRegulations": []}],"description": "Criteria for the separation of duties must be established and applied to prevent potential harm from the misuse or abuse of authority. 
If separation of duties is unavoidable, supplementary measures must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.3": {"name": "Security Pledge","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.2.3 Security Pledge","Subdomain": "2.2. Human Security","AuditEvidence": ["Security and personal information protection pledge (for employees and external personnel)","Confidentiality agreement (for resigned employees)"],"AuditChecklist": ["When hiring new personnel, is there a signed security and personal information protection agreement that specifies their responsibilities?","If temporary or external personnel are granted access to information assets, is there a signed agreement outlining their responsibilities for information protection and confidentiality?","Upon the resignation of an employee, is a separate confidentiality agreement obtained?","Are security, personal information protection, and confidentiality agreements stored safely and managed in a way that they can be easily retrieved when necessary?"],"NonComplianceCases": ["Case 1: While it is stipulated that new hires must sign a security pledge, some recently hired employees have not completed the pledge.","Case 2: Although employees sign a security pledge, external personnel with direct access to information systems have not signed such an agreement.","Case 3: Submitted security and personal information protection pledges are poorly managed, with documents left accessible on desks where unauthorized personnel can access them.","Case 4: Although personal information handlers have signed security pledges, the content only covers confidentiality and does not include specific responsibilities related to personal information protection."],"RelatedRegulations": []}],"description": "Employees, temporary staff, or external personnel handling information assets or granted access must sign a security and 
confidentiality agreement in accordance with internal policies.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.4": {"name": "Awareness and Training","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.2.4 Awareness and Training","Subdomain": "2.2. Human Security","AuditEvidence": ["Information protection and personal information protection training plan","Training result report","General and job-specific training materials","List of training attendees"],"AuditChecklist": ["Is an annual training plan approved by management, detailing the timing, duration, target audience, content, and method of information protection and personal information protection training?","Are all employees and external personnel within the scope of the management system provided with regular training at least once per year, and are additional training sessions provided when there are significant changes in relevant laws and regulations?","Is information protection and personal information protection training provided to new hires and external personnel before they begin their duties?","Are IT, information protection, and personal information protection staff receiving specialized training to enhance their job-specific expertise?","Are training records maintained, and is the effectiveness of the training evaluated and reflected in future training plans?"],"NonComplianceCases": ["Case 1: Although an annual information protection and personal information protection training plan was established and implemented last year, no such plan was established for the current year without a valid reason.","Case 2: The annual information protection and personal information protection training plan includes the frequency and target audience but lacks details such as schedule, content, and method.","Case 3: Although the annual training plan includes general personal information awareness training for all employees, it does not 
include job-specific training for those responsible for personal information protection, such as the personal information protection officer.","Case 4: Upon reviewing the training plan and result reports, it was found that certain external contractors (e.g., cleaning staff and security guards who have access to critical facilities within the certification scope) were not included in the training.","Case 5: Although information protection and personal information protection training was conducted, some records (e.g., training materials, attendance lists, evaluation surveys, result reports) were not retained.","Case 6: There is no system in place to identify employees who did not complete the required training or to provide make-up sessions for them (e.g., additional training, online courses)."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Limitation on the Processing of Personal Information by Outsourcing), Article 28 (Supervision of Personal Information Handlers), Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "Organizations must establish and operate an annual awareness and training plan to ensure that employees and related external personnel understand the organization's management system and policies and acquire the necessary job-specific expertise. The effectiveness of this plan must be evaluated and reflected in future plans.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.5": {"name": "Management of Resignation and Job Changes","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.2.5 Management of Resignation and Job Changes","Subdomain": "2.2. 
Human Security","AuditEvidence": ["Procedures for resignation and job changes","Asset (account) return management ledger upon resignation","Security checklists and inspection records for resigned employees"],"AuditChecklist": ["Are personnel changes (e.g., resignation, job changes, department transfers, leave of absence) shared among HR, information protection, personal information protection, and IT system operations departments?","Are procedures in place and implemented to promptly return information assets, revoke or adjust access rights, and confirm results when an employee (including temporary staff and external contractors) resigns or changes roles?"],"NonComplianceCases": ["Case 1: Accounts and access rights for personnel no longer handling personal information due to job changes remain active in the personal information processing system.","Case 2: No records of asset returns or access rights revocation procedures were found for recently resigned key personnel and personal information handlers.","Case 3: While asset returns are properly managed for resigned employees, the security check and resignation confirmation forms required by HR regulations are not being completed.","Case 4: Although access rights to personal information processing systems were revoked promptly upon the resignation of personal information handlers, access rights to systems like physical access control and VPN were not revoked in a timely manner."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights)"]}],"description": "Procedures must be established and managed for the return of assets, the revocation or adjustment of accounts and access rights, and confirmation of results when there is a resignation, job change, or leave of absence, involving departments such as HR, information protection, personal information protection, and 
IT.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.6": {"name": "Actions in Case of Security Violations","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.2.6 Actions in Case of Security Violations","Subdomain": "2.2. Human Security","AuditEvidence": ["HR regulations (disciplinary measures for violations of information protection and personal information protection regulations)","Records of disciplinary actions for violations of information protection and personal information protection guidelines","Incident case studies (company-wide notices, training materials)"],"AuditChecklist": ["Has the organization established disciplinary measures for employees and relevant external parties in case of violations of information protection and personal information protection responsibilities and obligations under laws, regulations, and internal policies?","When violations of information protection and personal information protection are detected, are actions taken in accordance with internal procedures?"],"NonComplianceCases": ["Case 1: No disciplinary measures or procedures are included in internal regulations for handling violations of information protection and personal information protection regulations.","Case 2: Although warning messages are sent to those who violate policies detected by security systems (e.g., DLP, database access control system, internal information leakage control system), follow-up actions such as explanations, additional investigations, or disciplinary actions are not carried out in accordance with internal regulations."],"RelatedRegulations": []}],"description": "In the event that employees or relevant external parties violate laws, regulations, or internal policies, the organization must establish and implement procedures to take appropriate actions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.1": {"name": "Management of External Parties","checks": 
{},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.3.1 Management of External Parties","Subdomain": "2.3. External Security","AuditEvidence": ["List of outsourced services and external facilities/services","Outsourcing contracts","Risk analysis reports and protective measures","Outsourcing security management guidelines, checklists, etc."],"AuditChecklist": ["Has the organization identified the status of outsourcing and the use of external facilities and services within the scope of the management system?","Has the organization identified the legal requirements and risks associated with outsourcing and the use of external facilities and services, and established appropriate protective measures?"],"NonComplianceCases": ["Case 1: Although the organization manages a list of outsourced services and external facilities/services as required by internal regulations, the list is outdated and does not reflect changes made to vendors several months ago.","Case 2: The organization has migrated some personal information processing systems to external cloud services within the scope of the management system, but no identification or risk assessment has been performed."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Restrictions on the Processing of Personal Information by Outsourcing)","Information and Communications Network Act, Article 50-3 (Entrustment of the Transmission of Commercial Information for Profit)"]}],"description": "When outsourcing part of the work (e.g., handling personal information, information protection, operating or developing information systems) or using external facilities or services (e.g., data centers, cloud services, application services), the organization must identify the current status, understand the legal requirements and risks arising from external organizations or services, and establish appropriate protective measures.","checks_status": {"fail": 0,"pass": 0,"total": 
0,"manual": 0}},"2.3.2": {"name": "Security in Contracts with External Parties","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.3.2 Security in Contracts with External Parties","Subdomain": "2.3. External Security","AuditEvidence": ["Outsourcing contracts","Information protection and personal information protection agreements (agreements, annexes)","Internal guidelines on outsourcing","RFPs (Requests for Proposals), evaluation forms related to the selection of outsourcing vendors"],"AuditChecklist": ["When selecting external services or outsourcing vendors related to the handling of important information and personal information, does the organization follow procedures to consider the vendors' capabilities in information protection and personal information protection?","Has the organization identified the information protection and personal information protection requirements associated with the use of external services and outsourcing, and specified them in contracts or agreements?","When outsourcing the development of information systems and personal information processing systems, has the organization specified the information protection and personal information protection requirements that must be followed during development in the contract?"],"NonComplianceCases": ["Case 1: No outsourcing contract exists for external vendors performing IT operations, development, or personal information processing tasks.","Case 2: The outsourcing contract with an external vendor handling personal information does not include some items required by the Personal Information Protection Act (e.g., management and supervision provisions).","Case 3: Although infrastructure operation and part of personal information processing tasks are outsourced to external vendors, the contract does not specify security requirements related to the nature of the outsourced work, but only includes general provisions on confidentiality and liability 
for damages."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Restrictions on the Processing of Personal Information by Outsourcing)"]}],"description": "When using external services or outsourcing work to external parties, the organization must identify the information protection and personal information protection requirements and specify them in contracts or agreements.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.3": {"name": "External Party Security Implementation Management","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.3.3 External Party Security Implementation Management","Subdomain": "2.3. External Party Security","AuditEvidence": ["Security inspection results for external parties and contractors","Training details for external parties and contractors (training outcomes, attendee list, training materials, etc.)","Personal information outsourcing contract","Evidence of consent for re-outsourcing of personal information processing tasks"],"AuditChecklist": ["Are periodic inspections or audits conducted to ensure external parties comply with information protection and personal information protection requirements specified in contracts, agreements, and internal policies?","When issues are identified during inspections or audits of external parties, are improvement plans established and implemented?","If a contractor entrusted with personal information processing re-outsources related tasks to a third party, does the contractor obtain the principal's consent?"],"NonComplianceCases": ["Case 1: Failure to regularly conduct security inspections of external contractors who perform IT development and operations tasks on-site.","Case 2: Sending a notification to contractors entrusted with personal information processing to conduct security training, but failing to verify whether the training has been conducted.","Case 3: Allowing contractors to perform their 
own security inspections and report the results, without a verification process to ensure the inspections were properly conducted, thus undermining the reliability of the inspection results.","Case 4: Allowing contractors to re-outsource personal information processing tasks to a third party without the principal's consent.","Case 5: Failure to supervise contractors entrusted with transmitting commercial information for profit."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Restrictions on the Outsourcing of Personal Information Processing)","Information and Communications Network Act, Article 50-3 (Outsourcing of the Transmission of Commercial Information for Profit)"]}],"description": "Security measures specified in contracts, agreements, and internal policies must be regularly inspected or audited to ensure external parties comply with information protection and personal information protection requirements.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.4": {"name": "Security for External Party Contract Changes and Expiry","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.3.4 Security for External Party Contract Changes and Expiry","Subdomain": "2.3. 
External Party Security","AuditEvidence": ["Information protection and personal information protection agreements","Confidentiality agreements","Information and personal information destruction agreements","Internal policies and guidelines related to the termination of external party contracts"],"AuditChecklist": ["Has the organization established and implemented security measures to ensure the return of information assets, deletion of information system access accounts, and the acquisition of confidentiality agreements in accordance with official procedures when an external party contract expires, a task is completed, or there is a personnel change?","When an external party contract expires, has the organization established and implemented procedures to confirm whether the external party holds any sensitive or personal information related to the outsourced task, and to retrieve or destroy such information?"],"NonComplianceCases": ["Case 1: Failure to delete accounts and permissions for external parties after their contract has expired, allowing access to certain information systems.","Case 2: During an outsourcing project, failure to take appropriate measures for some contractors who were replaced or whose contracts expired, including failing to obtain security agreements as required by internal regulations.","Case 3: After terminating a contract with a contractor entrusted with personal information processing, failure to verify whether the contractor destroyed any personal information they held."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Restrictions on the Outsourcing of Personal Information Processing)","Information and Communications Network Act, Article 50-3 (Outsourcing of the Transmission of Commercial Information for Profit)"]}],"description": "When an external party contract expires, the task is completed, or there is a personnel change, security measures such as returning provided information assets, deleting information 
system access accounts, destroying sensitive information, and obtaining confidentiality agreements for acquired information must be implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.1": {"name": "Designation of Protected Zones","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.4.1 Designation of Protected Zones","Subdomain": "2.4. Physical Security","AuditEvidence": ["Physical security guidelines (criteria for designating protected zones)","List of designated protected zones","Protected zone signage","List of protection measures for each zone"],"AuditChecklist": ["Has the organization established criteria for designating physical protection zones such as controlled areas, restricted areas, and reception areas to protect personal and sensitive information, documents, storage media, key facilities, and systems from physical and environmental threats?","Has the organization designated physical protection zones in accordance with the criteria and established and implemented protection measures for each zone?"],"NonComplianceCases": ["Case 1: Although internal physical security guidelines state that areas where personal information is stored and processed must be designated as controlled zones, certain document storage rooms containing membership application forms were omitted from the list of controlled zones.","Case 2: Internal physical security guidelines require that controlled zones be marked with specific signs, but some controlled zones do not have the required signage."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 10 (Physical Safety Measures)"]}],"description": "To protect personal and sensitive information, documents, storage media, key facilities, and systems from physical and environmental threats, physical protection zones such as 
controlled areas, restricted areas, and reception areas must be designated, and protection measures for each zone must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.2": {"name": "Access Control","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.4.2 Access Control","Subdomain": "2.4. Physical Security","AuditEvidence": ["Access logbook and entry logs","Access registration application form and approval records","Entry record review report","Access control system management screen (status of registered personnel, etc.)"],"AuditChecklist": ["Is access to protected areas controlled so that only authorized personnel are allowed to enter according to access procedures?","Are entry records for internal and external personnel for each protected area retained for a certain period, and are entry records and access permissions reviewed periodically?"],"NonComplianceCases": ["Case 1: Although control areas are defined, protective measures are established, and employees with access are managed, the entry records are not reviewed periodically, resulting in many inactive personnel (due to retirement, transfer, etc.) 
having long periods of no entry.","Case 2: Although access control devices are installed in controlled areas such as data centers and document storage rooms, they are left open for extended periods without valid reasons or approval.","Case 3: Some external partner employees are excessively granted all-area access cards for unrestricted entry."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 10 (Physical Safety Measures)"]}],"description": "Access to protected areas must be restricted to authorized personnel only, and entry and access logs should be reviewed periodically to ensure accountability.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.3": {"name": "Information System Protection","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.4.3 Information System Protection","Subdomain": "2.4. 
Physical Security","AuditEvidence": ["Data processing facility diagram","Information system layout","Asset list"],"AuditChecklist": ["Are information systems placed in separated locations based on their importance, usage, and characteristics?","Are there measures in place to easily verify the actual physical location of the information systems?","Are power and communication cables protected from physical damage and electrical interference from external sources?"],"NonComplianceCases": ["Case 1: The system layout is not updated to reflect the latest changes, making it difficult to quickly identify the information system that has experienced a failure.","Case 2: Many cables are tangled and not properly organized on the server room floor or in racks, increasing the risk of failure due to electrical interference, damage, leakage, or negligence."],"RelatedRegulations": []}],"description": "Information systems should be arranged considering their importance and characteristics to reduce environmental threats, harmful factors, and unauthorized access, and communication and power cables should be protected from damage.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.4": {"name": "Operation of Protective Facilities","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.4.4 Operation of Protective Facilities","Subdomain": "2.4. 
Physical Security","AuditEvidence": ["Physical security guidelines (related to protective facilities)","Data center facility status and inspection checklist","IDC outsourcing contract, SLA, etc."],"AuditChecklist": ["Are necessary facilities established and operational procedures set up based on the importance and characteristics of each protected area to prevent disasters such as fire, flood, and power failure caused by human error or natural disasters?","If operating outsourced integrated data centers (IDC), are physical security requirements included in the contract, and is the operational status periodically reviewed?"],"NonComplianceCases": ["Case 1: In some protected areas, such as the main office data center, the required protective facilities specified in internal guidelines are not installed.","Case 2: Although protective facilities such as UPS and fire suppression systems are in place in the data center, operational and inspection standards for the related facilities are not established.","Case 3: Although temperature and humidity control devices were installed in the data center according to operational guidelines, insufficient capacity means that the standard temperature and humidity levels are not maintained, increasing the risk of failure."],"RelatedRegulations": ["Information and Communications Network Act, Article 46 (Protection of Integrated Data Centers)","Guidelines for the Protection of Integrated Data Centers","Fire Facility Installation and Management Act, Article 12 (Management of Fire Protection Facilities in Specific Fire Protection Objects), Article 16 (Management of Evacuation Facilities, Fire Zones, and Fire Protection Facilities)"]}],"description": "Based on the importance and characteristics of the information systems located in protected areas, protective facilities such as temperature and humidity control, fire detection, firefighting equipment, leak detection, UPS, emergency generators, and dual power lines should be established and 
operated according to operational procedures.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.5": {"name": "Operations in Secure Zones","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.4.5 Operations in Secure Zones","Subdomain": "2.4. Physical Security","AuditEvidence": ["Operation request forms, operation logs","Entry logs for controlled areas","Records of review of entry and operation logs for controlled areas"],"AuditChecklist": ["When operations within secure zones, such as the introduction and maintenance of information systems, are required, are formal procedures for application and execution of such operations established and implemented?","Are the records of operations within secure zones periodically reviewed to confirm that the operations were carried out in accordance with the control procedures?"],"NonComplianceCases": ["Case 1: The entry log of the data center shows the presence of external maintenance personnel, but there is no record of an operation request or approval for work within the secure zone (i.e., entry and work in the secure zone were carried out without an operation request as required by internal regulations).","Case 2: Although internal regulations state that the records of operations within secure zones must be reviewed at least once per quarter, the review of such records has not been conducted for a long period without a valid reason."],"RelatedRegulations": []}],"description": "Procedures to prevent unauthorized actions and abuse of privileges within secure zones must be established and implemented, and the records of operations should be periodically reviewed.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.6": {"name": "Device Control for Inbound and Outbound","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.4.6 Device Control for Inbound and Outbound","Subdomain": "2.4. 
Physical Security","AuditEvidence": ["Inbound and outbound application forms for secure zones","Inbound and outbound management logs","Results of the review of inbound and outbound records"],"AuditChecklist": ["Are control procedures established and implemented to prevent security incidents such as information leakage and malware infection when information systems, mobile devices, storage media, etc., are brought into or taken out of secure zones?","Are records maintained and managed in accordance with the inbound and outbound control procedures, and is the compliance with the procedures periodically checked by reviewing the history of inbound and outbound activities?"],"NonComplianceCases": ["Case 1: Although control procedures for the inbound and outbound of mobile computing devices are established, there is no control over the movement of such devices within the controlled area, allowing both internal and external personnel with access to the controlled area to use mobile computing devices without restriction.","Case 2: Although internal guidelines state that inbound and outbound details of IT equipment must be recorded in the operation plan and signed by the person responsible for management, many signatures of responsible managers are missing from the records."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 10 (Physical Safety Measures)"]}],"description": "Procedures to control the inbound and outbound movement of information systems, mobile devices, storage media, etc., within secure zones must be established, implemented, and periodically reviewed.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.7": {"name": "Work Environment Security","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.4.7 Work Environment Security","Subdomain": "2.4. 
Physical Security","AuditEvidence": ["Security inspection reports for offices and shared spaces","Security inspection checklists for offices and shared spaces","Actions taken for non-compliance (e.g., training, rewards and penalties)","Current status of protection measures for printed and copied materials"],"AuditChecklist": ["Are protection measures established and implemented for shared facilities and office equipment such as document storage, shared PCs, multifunction printers, file servers, etc.?","Are protection measures established and implemented to prevent the exposure or leakage of personal and sensitive information through individual work environments such as work PCs, desks, drawers, etc.?","Are appropriate protection measures in place to ensure the safe handling of printed or copied materials containing personal information, such as paper documents?","Is compliance with information protection requirements in both individual and shared work environments periodically reviewed?"],"NonComplianceCases": ["Case 1: Although the internal management plan for personal information specifies that regular security inspections (e.g., clean desk policies) must be conducted, no such inspections have been carried out.","Case 2: Documents containing personal information, such as membership application forms, are stored in an office cabinet without a lock.","Case 3: Employee computers do not have screen savers or passwords set, and important documents have been left on vacationing employees' desks for an extended period.","Case 4: No protection measures are in place for shared PCs installed in shared office spaces such as meeting rooms, resulting in personal information files being stored unencrypted, or security updates not applied, or antivirus software not installed, leaving the systems vulnerable."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, 
Article 10 (Physical Safety Measures), Article 12 (Safety Measures for Printing and Copying)"]}],"description": "Protection measures such as clean desk policies and regular inspections must be established and implemented to prevent unauthorized exposure or leakage of personal and sensitive information through shared office equipment (e.g., document storage, shared PCs, multifunction printers, file servers) and individual work environments (e.g., work PCs, desks).","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.5.1": {"name": "User Account Management","checks": {"iam_user_accesskey_unused": null,"iam_securityaudit_role_created": null,"iam_user_console_access_unused": null,"iam_policy_no_full_access_to_kms": null,"iam_role_administratoraccess_policy": null,"iam_user_administrator_access_policy": null,"organizations_scp_check_deny_regions": null,"iam_group_administrator_access_policy": null,"iam_policy_allows_privilege_escalation": null,"iam_inline_policy_no_full_access_to_kms": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_policy_attached_only_to_group_or_roles": null,"cognito_user_pool_self_registration_disabled": null,"iam_role_cross_account_readonlyaccess_policy": null,"iam_inline_policy_allows_privilege_escalation": null,"iam_inline_policy_no_administrative_privileges": null,"iam_inline_policy_no_full_access_to_cloudtrail": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_role_cross_service_confused_deputy_prevention": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"iam_customer_unattached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.5.1 User Account Management","Subdomain": "2.5. 
Authentication and Access Management","AuditEvidence": ["User account and access request forms","User account and access management log or screen","Access classification table for information systems and personal information processing systems","Lists of users, administrators, and personal information handlers for each information system and personal information processing system"],"AuditChecklist": ["Has the organization established and implemented formal procedures for registering, changing, and deleting user accounts and access rights to information systems, personal information, and critical information?","When creating and registering user accounts and access rights to information systems, personal information, and critical information, is access limited to the minimum necessary for each job based on the job-specific access classification system?","When granting users accounts and access rights, are they made fully aware that they are responsible for the security of those accounts?"],"NonComplianceCases": ["Case 1: User registration, termination, and approval procedures for accounts and permissions for users and personal information handlers were processed through verbal requests, email, etc., without proper approval and handling records.","Case 2: A personal information handler shared their account with an unauthorized individual for backup purposes during vacations, business trips, or other absences without going through official procedures.","Case 3: Users of information systems or personal information processing systems were granted excessive permissions, allowing access to unnecessary information or personal data."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights)"]}],"description": "To control unauthorized access to information systems, personal information, and critical information, 
organizations must establish and implement procedures for user registration, termination, and granting, changing, or revoking access rights, ensuring that access rights are granted only to the minimum necessary for work purposes. Additionally, when registering or granting user rights, it must be made clear to users that they are responsible for the security of their accounts.","checks_status": {"fail": 0,"pass": 0,"total": 22,"manual": 0}},"2.5.2": {"name": "User Identification","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.5.2 User Identification","Subdomain": "2.5. Authentication and Access Management","AuditEvidence": ["Login screen for information systems and personal information processing systems","Lists of administrators, users, and personal information handlers for information systems and personal information processing systems","Records of approvals for exceptions"],"AuditChecklist": ["Are unique identifiers assigned to users and personal information handlers in information systems and personal information processing systems, and is the use of easily guessable identifiers restricted?","If the same identifier is shared by multiple users for unavoidable reasons, has the justification been reviewed and have supplementary measures such as approval from the responsible party been established?"],"NonComplianceCases": ["Case 1: The account status of information systems (servers, networks, firewalls, DBMS, etc.) 
shows that default administrator accounts provided by the manufacturer are still in use, despite being technically modifiable.","Case 2: Developers are sharing personal information processing system accounts for common use without any justification or approval from responsible parties.","Case 3: External personnel maintaining information systems are using operational accounts like personal accounts without going through the required approval procedures."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights)"]}],"description": "User accounts must be assigned unique identifiers that distinguish each user individually, and the use of easily guessable identifiers must be restricted. If the same identifier is shared by multiple users, the reason and justification must be reviewed, supplementary measures such as approval from a responsible party must be established, and accountability must be ensured.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.5.3": {"name": "User Authentication","checks": {"iam_root_mfa_enabled": null,"iam_user_accesskey_unused": null,"iam_check_saml_providers_sts": null,"cognito_user_pool_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_two_active_access_key": null,"iam_administrator_access_with_mfa": null,"iam_user_mfa_enabled_console_access": null,"iam_user_with_temporary_credentials": null,"apigatewayv2_api_authorizers_enabled": "FAIL","iam_user_no_setup_initial_access_key": null,"apigateway_restapi_authorizers_enabled": "PASS","rds_cluster_iam_authentication_enabled": "FAIL","rds_instance_iam_authentication_enabled": "FAIL","kafka_cluster_unrestricted_access_disabled": null,"cognito_identity_pool_guest_access_disabled": "FAIL","cognito_user_pool_advanced_security_enabled": 
null,"cognito_user_pool_self_registration_disabled": null,"directoryservice_supported_mfa_radius_enabled": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cognito_user_pool_client_token_revocation_enabled": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"opensearch_service_domains_internal_user_database_enabled": null,"cognito_user_pool_blocks_potential_malicious_sign_in_attempts": null,"opensearch_service_domains_use_cognito_authentication_for_kibana": null,"cognito_user_pool_blocks_compromised_credentials_sign_in_attempts": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.5.3 User Authentication","Subdomain": "2.5. Authentication and Authorization Management","AuditEvidence": ["Login screen for information systems and personal information processing systems","Login attempt limitation setting screen","Login failure message screen","Procedures for external access (e.g., external access request forms, list of external accessors)"],"AuditChecklist": ["Is access to information systems and personal information processing systems controlled through secure user authentication procedures, login attempt limitations, and warnings for illegal login attempts?","When accessing personal information processing systems from outside via a communication network, are secure authentication methods or secure access measures applied in accordance with legal requirements?"],"NonComplianceCases": ["Case 1: When a personal information handler accesses a personal information processing system through the public external internet, secure authentication methods are not applied, and authentication is done only through ID and password.","Case 2: In the login process for information systems and personal information processing systems, detailed messages are displayed about whether the ID exists or the password is incorrect, and there is no limit on 
login failure attempts."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights), Article 6 (Access Control)"]}],"description": "User access to information systems, personal information, and critical information must be secured through safe authentication procedures and, if necessary, enhanced authentication methods. In addition, access control measures such as limiting login attempts and issuing warnings for illegal login attempts must be established and implemented.","checks_status": {"fail": 4,"pass": 1,"total": 29,"manual": 0}},"2.5.4": {"name": "Password Management","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null,"cognito_user_pool_password_policy_number": null,"cognito_user_pool_password_policy_symbol": null,"cognito_user_pool_password_policy_lowercase": null,"cognito_user_pool_password_policy_uppercase": null,"cognito_user_pool_temporary_password_expiration": null,"cognito_user_pool_password_policy_minimum_length_14": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.5.4 Password Management","Subdomain": "2.5. 
Authentication and Authorization Management","AuditEvidence": ["Password setting screens for web pages, information systems, and personal information processing systems","Password management policies and procedures"],"AuditChecklist": ["Are procedures for managing and creating secure user passwords for information systems established and implemented?","Are password creation rules established and enforced to ensure that users can use secure passwords?","Are authentication methods for personal information handlers and users securely applied and managed?"],"NonComplianceCases": ["Case 1: Although password creation rules are set in policies and guidelines related to information protection and personal information protection, some information systems and personal information processing systems use passwords that differ from internal guidelines.","Case 2: Internal regulations state that when passwords are reset, temporary passwords must be assigned and forced to be changed, but in practice, temporary passwords are being used without change.","Case 3: Although internal regulations require users and personal information handlers to change their passwords periodically, passwords are being used without change."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights)"]}],"description": "Procedures for managing passwords used by users of information systems, as well as customers and members, must be established and implemented, taking into account legal requirements and external threats.","checks_status": {"fail": 0,"pass": 0,"total": 13,"manual": 0}},"2.5.5": {"name": "Management of Special Accounts and Privileges","checks": {"iam_avoid_root_usage": null,"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_support_role_created": null,"rds_cluster_default_admin": "FAIL","rds_instance_default_admin": 
"FAIL","ec2_instance_profile_attached": "PASS","iam_root_hardware_mfa_enabled": null,"organizations_delegated_administrators": null,"cloudwatch_log_metric_filter_root_usage": null,"sagemaker_notebook_instance_root_access_disabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.5.5 Management of Special Accounts and Privileges","Subdomain": "2.5. Authentication and Privilege Management","AuditEvidence": ["Guidelines related to special privileges","Records of special privilege requests and approvals","List of special privilege holders","Records of special privilege reviews"],"AuditChecklist": ["Is there a formal privilege request and approval process established and implemented to ensure that special privileges, such as administrative privileges, are only granted to a minimal number of people?","Is there a control procedure established and implemented to identify and manage accounts and privileges granted for special purposes in a separate list?"],"NonComplianceCases": ["Case 1: The approval history for granting administrator and special privileges in the information system and personal information processing system is not documented or does not match the special privileges list.","Case 2: Internal regulations require that personal information administrators and special privilege holders be documented and managed in a list, but the list is not maintained or some special privileges, such as security system administrators, are not identified or managed.","Case 3: A maintenance special account for visiting maintenance once a quarter remains active at all times without a time limit on usage.","Case 4: Regular reviews of administrator and special privilege usage are not conducted, and some individuals retain special privileges even after their roles have changed."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of 
Personal Information, Article 5 (Management of Access Rights)"]}],"description": "Accounts and privileges used for special purposes, such as managing information systems, personal information, and important information, should be granted minimally, separately identified, and controlled.","checks_status": {"fail": 2,"pass": 1,"total": 11,"manual": 0}},"2.5.6": {"name": "Review of Access Rights","checks": {"accessanalyzer_enabled": "PASS","cloudtrail_insights_exist": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.5.6 Review of Access Rights","Subdomain": "2.5. 
Authentication and Privilege Management","AuditEvidence": ["Access rights review standards and procedures","History of access rights reviews","Access rights review reports and follow-up action records"],"AuditChecklist": ["Are the histories of account and access right creation, registration, granting, use, modification, and deletion for information systems, personal information, and important information being recorded?","Are standards, review subjects, review methods, and periodic review schedules established to regularly review the appropriateness of user accounts and access rights to information systems, personal information, and important information?","When issues such as excessive access rights, failure to follow access right granting procedures, or misuse of access rights are identified in the review results, are appropriate response procedures established and implemented?"],"NonComplianceCases": ["Case 1: The methods, review periods, reporting structure, and misuse criteria related to access rights reviews are not clearly defined in the relevant guidelines, leading to irregular performance of access rights reviews.","Case 2: Although internal policies and guidelines require locking (deactivating) or deleting long-unused accounts, some accounts that have not been accessed for more than six months remain active (indicating that the access rights review was not thoroughly conducted, failing to identify these accounts).","Case 3: During the access rights review, cases of excessive privileges or suspected misuse were identified, but no detailed investigation, internal reporting, or follow-up actions were taken."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights)"]}],"description": "The registration, use, and deletion of user accounts accessing information systems, personal information, and important 
information, as well as the history of granting, changing, and deleting access rights, should be recorded and periodically reviewed to ensure their appropriateness.","checks_status": {"fail": 2,"pass": 1,"total": 14,"manual": 0}},"2.6.1": {"name": "Network Access","checks": {"ec2_ami_public": null,"elb_internet_facing": "FAIL","ec2_elastic_ip_shodan": null,"elbv2_internet_facing": "PASS","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","kafka_cluster_is_public": null,"s3_bucket_acl_prohibited": "FAIL","apigateway_restapi_public": "FAIL","lightsail_database_public": null,"lightsail_instance_public": null,"ec2_securitygroup_not_used": "FAIL","elbv2_listeners_underneath": "PASS","networkfirewall_in_all_vpc": "FAIL","s3_bucket_public_write_acl": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","ssm_documents_set_as_public": "PASS","awslambda_function_url_public": null,"dms_instance_no_public_access": null,"rds_instance_no_public_access": "PASS","emr_cluster_publicly_accesible": null,"redshift_cluster_public_access": null,"neptune_cluster_public_snapshot": null,"eks_cluster_private_nodes_enabled": null,"awslambda_function_url_cors_policy": null,"documentdb_cluster_public_snapshot": null,"eks_cluster_network_policy_enabled": null,"neptune_cluster_uses_public_subnet": null,"sns_topics_not_publicly_accessible": "PASS","sqs_queues_not_publicly_accessible": "PASS","vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","eks_cluster_not_publicly_accessible": null,"glacier_vaults_policy_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_access_point_public_access_block": "PASS","s3_bucket_level_public_access_block": "PASS","iam_user_administrator_access_policy": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"iam_group_administrator_access_policy": null,"s3_account_level_public_access_blocks": 
null,"apigateway_restapi_authorizers_enabled": "PASS","elasticache_cluster_uses_public_subnet": "PASS","rds_instance_iam_authentication_enabled": "FAIL","appstream_fleet_maximum_session_duration": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ecr_repositories_not_publicly_accessible": "PASS","emr_cluster_account_public_block_enabled": "PASS","sagemaker_models_vpc_settings_configured": null,"apigateway_restapi_public_with_authorizer": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","vpc_endpoint_connections_trust_boundaries": "FAIL","appstream_fleet_session_disconnect_timeout": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_instance_port_ldap_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","kafka_cluster_unrestricted_access_disabled": null,"sagemaker_models_network_isolation_enabled": null,"cognito_identity_pool_guest_access_disabled": "FAIL","ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","workspaces_vpc_2private_1public_subnets_nat": null,"ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_transitgateway_auto_accept_vpc_attachments": null,"appstream_fleet_session_idle_disconnect_timeout": null,"ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","rds_instance_event_subscription_security_groups": 
"FAIL","sagemaker_training_jobs_vpc_settings_configured": null,"vpc_peering_routing_tables_with_least_privilege": "PASS","appstream_fleet_default_internet_access_disabled": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","cloudfront_distributions_geo_restrictions_enabled": null,"sagemaker_training_jobs_network_isolation_enabled": null,"opensearch_service_domains_not_publicly_accessible": null,"sagemaker_notebook_instance_vpc_settings_configured": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","vpc_endpoint_services_allowed_principals_trust_boundaries": null,"ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","cognito_user_pool_blocks_potential_malicious_sign_in_attempts": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Control Measures","Section": "2.6.1 Network Access","Subdomain": "2.6. Access Control","AuditEvidence": ["Network diagram","IP management ledger","Information asset list","Firewall rules"],"AuditChecklist": ["Has the organization identified all access paths to its network and ensured that internal networks are controlled so that only authorized users can access them according to the access control policy?","Has the organization physically or logically segmented the network based on services, user groups, information asset importance, and legal requirements, and applied access control between different network segments?","Has the organization established IP address allocation standards for each network segment, and applied measures such as assigning private IPs to systems like database servers that do not require external connections?","Has the organization implemented protective measures for communication paths when connecting networks between physically separated locations, such as IDCs, branches, and agents?"],"NonComplianceCases": ["Case 1: The network configuration and interviews revealed that data transmission and reception between external sites and the servers located in the IDC are being processed through the general internet line, rather than using VPN or dedicated lines as specified in internal regulations.","Case 2: The IP addresses of some important servers, such as database servers located in the internal network, were set to public IPs instead of private IPs as per internal regulations, and network access blocking was not applied.","Case 3: Although a server farm was established, access from the internal network to 
the server farm was excessively allowed due to insufficient network access control settings.","Case 4: The network provided to external parties (e.g., external developers, visitors) was not separated from the internal business network without appropriate controls.","Case 5: Contrary to internal regulations, the organization's network could be accessed and used simply by connecting a network cable without applying protective measures such as MAC address authentication and mandatory security software installation."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "In order to control unauthorized access to the network, management procedures such as IP management and device authentication must be established and implemented. Network segmentation (DMZ, server farm, DB zone, development zone, etc.) and access controls must be applied according to the business purpose and importance.","checks_status": {"fail": 17,"pass": 54,"total": 112,"manual": 0}},"2.6.2": {"name": "Access to Information Systems","checks": {"ec2_elastic_ip_shodan": null,"ec2_instance_public_ip": "FAIL","ec2_elastic_ip_unassigned": "FAIL","lightsail_instance_public": null,"lightsail_static_ip_unused": null,"ec2_instance_managed_by_ssm": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","ec2_instance_internet_facing_with_instance_profile": 
"FAIL","ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Protection Requirements","Section": "2.6.2 Access to Information Systems","Subdomain": "2.6. Access Control","AuditEvidence": ["List of operating system accounts of information systems","Server security settings","Server access control policy (e.g., SecureOS management screen)","Server and network configuration diagram","Information asset list"],"AuditChecklist": ["Have users, access locations, and access means allowed to access operating systems (OS) of information systems such as servers, network systems, and security systems been defined and controlled?","Is the system automatically disconnected when there is no work processed after accessing the information system for a certain period?","Are services unrelated to the purpose of using the information system removed?","Are information systems that provide key services operated on independent servers?"],"NonComplianceCases": ["Case 1: When a server administrator accesses a Windows server located in the IDC from the office using terminal services, session timeout settings are not configured, allowing the session to remain open for a long period without any activity.","Case 2: Due to improper restrictions on server-to-server access, a user authorized to access a particular server can access other unauthorized servers via that server.","Case 3: Unsafe access protocols (e.g., telnet, ftp) are being used without valid reasons or compensatory measures, and 
unnecessary services and ports are open.","Case 4: Although the access control policy requires all access to servers to go through a server access control system, bypass routes exist that allow access to servers without going through the system."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "The users, access restriction methods, and secure access means for accessing information systems such as servers and network systems must be defined and controlled.","checks_status": {"fail": 8,"pass": 13,"total": 24,"manual": 0}},"2.6.3": {"name": "Access to Applications","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.6.3 Access to Applications","Subdomain": "2.6. Access Control","AuditEvidence": ["Application access rights classification system","Application account and rights management screen","Application user and administrator screens (e.g., personal information viewing, etc.)","Application session time and concurrent session restriction settings","Application administrator access log monitoring details","Information asset list","Personal information processing system's personal information viewing and search screens","Personal information masking standards","Personal information masking application screen"],"AuditChecklist": ["Are access rights to applications granted differentially based on the user's tasks to control access to sensitive information?","Are sessions automatically disconnected after a certain period of inactivity, and is the number of simultaneous sessions per user restricted?","Is access to administrator-exclusive applications (e.g., admin web pages, admin consoles) restricted to unauthorized users?","Are criteria established and applied to ensure consistency in protection measures for limiting the display of personal and sensitive 
information?","Are applications implemented and operated to minimize unnecessary exposure (e.g., viewing, screen display, printing, downloading) of personal and sensitive information?"],"NonComplianceCases": ["Case 1: There is a flaw in the authorization control function of certain personal information processing screens in the application, allowing users without permission to view personal information.","Case 2: The administrator page of the application is open to the public internet without secure authentication methods applied.","Case 3: Session timeouts or concurrent logins for the same user account are not restricted without valid reasons.","Case 4: When personal information is downloaded through the application, the file contains excessive unnecessary information such as resident registration numbers.","Case 5: The application excessively allows 'like' searches, allowing all users to retrieve all customer information by searching only for a surname, even beyond their work scope.","Case 6: Due to the lack of criteria for limiting the display of personal information or failure to adhere to them, different masking standards are applied to the same personal information items on different screens of the personal information processing system.","Case 7: Although personal information is masked on the screen of the personal information processing system, unmasked personal information is exposed by viewing the web browser source."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights), Article 6 (Access Control), Article 12 (Safety Measures for Printing and Copying)"]}],"description": "Access rights to applications must be restricted according to the user's tasks and the importance of the accessed information, and criteria should be established to minimize exposure of unnecessary or sensitive 
information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.6.4": {"name": "Database Access","checks": {"accessanalyzer_enabled": "PASS","lightsail_database_public": null,"rds_snapshots_public_access": "PASS","dms_instance_no_public_access": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"neptune_cluster_public_snapshot": null,"rds_instance_transport_encrypted": "FAIL","documentdb_cluster_public_snapshot": null,"neptune_cluster_uses_public_subnet": null,"vpc_subnet_separate_private_public": "FAIL","dynamodb_table_cross_account_access": null,"rds_cluster_iam_authentication_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","rds_instance_iam_authentication_enabled": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","neptune_cluster_iam_authentication_enabled": null,"ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","opensearch_service_domains_not_publicly_accessible": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_internal_user_database_enabled": null,"ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","opensearch_service_domains_use_cognito_authentication_for_kibana": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.6.4 Database Access","Subdomain": "2.6. Access Control","AuditEvidence": ["Database status (e.g., tables, columns)","List of database user accounts and permissions","Database access control policy (e.g., database access control system management screen)","Network diagram (e.g., database zone)","Information asset list"],"AuditChecklist": ["Are you identifying the information stored and managed in the database, such as the table list?","Are you clearly identifying the applications, information systems (servers), and users that need access to information in the database and controlling access according to the access control policy?"],"NonComplianceCases": ["Case 1: A database that stores and processes a large amount of personal information is operated on the same physical server as a web application accessible via the Internet, without separating them.","Case 2: Developers and operators share accounts used by the application to access the production database.","Case 3: Although internal regulations require database access rights to be restricted by object, access rights to the database are granted uniformly to administrators, even those who do not need access to personal information tables.","Case 4: A database access control solution has been implemented, but access to the database is not properly restricted by IP address, allowing users to bypass the access control solution.","Case 5: The table status of a database storing personal information has not been identified, resulting in the unnecessary retention of personal information in temporary tables that have not been 
deleted."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights), Article 6 (Access Control)"]}],"description": "Identify the information stored and managed in the database, such as the table list, and establish and implement access control policies according to the importance of the information and the type of applications and users.","checks_status": {"fail": 6,"pass": 19,"total": 37,"manual": 0}},"2.6.5": {"name": "Wireless Network Access","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.6.5 Wireless Network Access","Subdomain": "2.6. Access Control","AuditEvidence": ["Network diagram","AP security settings history","Inspection records of unauthorized wireless networks","Wireless network usage application and approval records"],"AuditChecklist": ["When using a wireless network for business purposes, are you establishing and implementing protection measures such as authentication and encryption of transmitted and received data to ensure the security of the wireless AP and network segment?","Have you established and implemented procedures for applying for and terminating access to ensure that only authorized employees can use the wireless network?","Have you established and implemented protection measures against unauthorized wireless networks, such as detecting and blocking AD Hoc connections and unauthorized wireless APs within the organization?"],"NonComplianceCases": ["Case 1: The wireless network segments for external users and internal users are the same, allowing external users to access the internal network without separate control via the wireless network.","Case 2: Although the encryption function for information transmission and reception was enabled when configuring the wireless AP, it was set in an insecure manner.","Case 3: A wireless AP 
connected to the internal network for business purposes has security settings that are insufficient, such as exposure of the administrator password (using the default password) and lack of access control."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "When using a wireless network, wireless network protection measures such as user authentication, encryption of transmitted and received data, and AP control must be applied. In addition, protection measures must be established and implemented to prevent unauthorized wireless network access, such as AD Hoc connections and the use of unauthorized APs.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.6.6": {"name": "Remote Access Control","checks": {"vpc_flow_logs_enabled": "FAIL","networkfirewall_in_all_vpc": "FAIL","cognito_user_pool_mfa_enabled": null,"iam_user_console_access_unused": null,"vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","iam_user_mfa_enabled_console_access": null,"workspaces_volume_encryption_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","appstream_fleet_maximum_session_duration": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","appstream_fleet_session_disconnect_timeout": null,"ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","cognito_identity_pool_guest_access_disabled": "FAIL","workspaces_vpc_2private_1public_subnets_nat": null,"cognito_user_pool_self_registration_disabled": null,"appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"ec2_client_vpn_endpoint_connection_logging_enabled": 
null,"cloudwatch_log_metric_filter_authentication_failures": null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.6.6 Remote Access Control","Subdomain": "2.6. Access Control","AuditEvidence": ["Remote access application form (e.g., VPN)","VPN account list","VPN access control policy settings","IP management log","Remote access control settings (server settings, security system settings, etc.)","Designation and management of management terminals","Network diagram"],"AuditChecklist": ["Is remote operation of information systems through external networks such as the internet prohibited in principle, and are compensatory measures in place if allowed for unavoidable reasons such as incident response?","Is access through remote operation of information systems allowed only for specific devices when done through internal networks?","Are protective measures established and implemented to prevent security incidents such as data breaches and hacking during remote work, such as telecommuting, remote collaboration, and smart work?","Are the devices used for remote access to personal information processing systems for management, operation, development, and security purposes designated as management terminals, and are safety measures such as prohibiting unauthorized operations and use for purposes other than those intended being applied?"],"NonComplianceCases": ["Case 1: Although internal regulations state that remote access to the system is prohibited in principle and, when allowed, access is restricted through IP-based access control, remote desktop connections and SSH access to the system are not limited by IP addresses, allowing access from any PC.","Case 2: A VPN has been established for remote management, but it is 
always available without usage approval or access period restrictions.","Case 3: Work-related mobile apps have been installed on personal smart devices for external workers, but appropriate protective measures (e.g., antivirus, encryption, wiping in case of loss or theft) to prevent personal information leaks are not being applied.","Case 4: VPN access for external users is not limited by network segments and information systems, allowing excessive access to the entire internal network and information systems for authenticated remote users."],"RelatedRegulations": ["Personal Information Protection Act Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information Article 6 (Access Control)"]}],"description": "Managing information systems and handling personal information outside of protected areas is, in principle, prohibited. However, if remote access is allowed for unavoidable reasons such as telecommuting, incident response, or remote collaboration, protective measures must be established and implemented, including approval from responsible personnel, designation of access devices, setting access scope and duration, enhanced authentication, encrypted communication, and securing access devices (e.g., antivirus, patches).","checks_status": {"fail": 8,"pass": 5,"total": 26,"manual": 0}},"2.6.7": {"name": "Internet Access Control","checks": {"ec2_elastic_ip_shodan": null,"vpc_flow_logs_enabled": "FAIL","ec2_instance_public_ip": "FAIL","ec2_elastic_ip_unassigned": "FAIL","networkfirewall_in_all_vpc": "FAIL","vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","workspaces_volume_encryption_enabled": null,"route53_dangling_ip_subdomain_takeover": null,"appstream_fleet_maximum_session_duration": null,"appstream_fleet_session_disconnect_timeout": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"workspaces_vpc_2private_1public_subnets_nat": 
null,"ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.6.7 Internet Access Control","Subdomain": "2.6. Access Control","AuditEvidence": ["Policy for blocking non-work-related sites (e.g., P2P) (management screen of non-work-related site blocking system)","Internet access monitoring history","List of individuals subject to internet access restriction measures","Procedures and records for data transfer between networks (e.g., application and approval records)","Network diagram"],"AuditChecklist": ["Is there an established and implemented policy to control internet access for work PCs used for key duties and personal information handling terminals?","Is unnecessary external internet access from key information systems (e.g., database servers) being controlled?","Are internet access restrictions being applied in a secure manner for individuals who are required by law to have their internet access restricted?"],"NonComplianceCases": ["Case 1: Internet access restriction measures were applied according to the Personal Information Protection Act, but the restriction was not applied to some individuals with the authority to set access rights for personal information processing systems.","Case 2: Although internet access restriction measures were applied as required under the Personal Information Protection Act, it was possible to bypass the restriction by accessing the system through another server, allowing the download and deletion of personal information.","Case 3: Some servers located in the DMZ and internal network were unnecessarily able to access the internet 
directly.","Case 4: Although a physical network separation system was applied between internet PCs and internal work PCs, and a data transfer system was established, there was no approval process for data transfers, and there was no periodic review of the data transfer records.","Case 5: Internal regulations require that individuals handling personal information obtain approval from a responsible person before accessing P2P or web hard drive sites, and access is only permitted for a specific period, but there are numerous cases of exceptions being made without going through the approval process."],"RelatedRegulations": ["Personal Information Protection Act Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information Article 6 (Access Control)"]}],"description": "To prevent information leaks, malware infections, and intrusions into the internal network through the internet, policies must be established and implemented to restrict internet access or services (e.g., P2P, web hard drives, messengers) on key information systems, devices handling sensitive duties, and terminals processing personal information.","checks_status": {"fail": 6,"pass": 1,"total": 19,"manual": 0}},"2.7.1": {"name": "Application of Encryption Policy","checks": {"elb_ssl_listeners": "FAIL","backup_vaults_exist": null,"elbv2_ssl_listeners": "FAIL","ssm_document_secrets": "PASS","backup_vaults_encrypted": "PASS","rds_snapshots_encrypted": "FAIL","elb_insecure_ssl_ciphers": "PASS","s3_bucket_kms_encryption": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","elbv2_insecure_ssl_ciphers": "PASS","athena_workgroup_encryption": null,"ec2_ebs_snapshots_encrypted": "FAIL","s3_bucket_default_encryption": "PASS","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","rds_instance_transport_encrypted": 
"FAIL","cloudtrail_kms_encryption_enabled": "FAIL","neptune_cluster_storage_encrypted": null,"s3_bucket_secure_transport_policy": "FAIL","documentdb_cluster_storage_encrypted": null,"workspaces_volume_encryption_enabled": null,"awslambda_function_no_secrets_in_code": "PASS","glue_database_connections_ssl_enabled": null,"athena_workgroup_enforce_configuration": null,"cloudfront_distributions_https_enabled": null,"cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudformation_stack_outputs_find_secrets": "PASS","codebuild_project_no_secrets_in_variables": "PASS","kafka_cluster_encryption_at_rest_uses_cmk": null,"sns_subscription_not_using_http_endpoints": "PASS","sns_topics_kms_encryption_at_rest_enabled": "FAIL","sqs_queues_server_side_encryption_enabled": "PASS","awslambda_function_no_secrets_in_variables": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"glue_etl_jobs_amazon_s3_encryption_enabled": "PASS","acm_certificates_with_secure_key_algorithms": "PASS","cloudwatch_log_group_kms_encryption_enabled": "FAIL","ecs_task_definitions_no_environment_secrets": "PASS","kafka_cluster_in_transit_encryption_enabled": null,"storagegateway_fileshare_encryption_enabled": null,"apigateway_restapi_client_certificate_enabled": "FAIL","glue_etl_jobs_job_bookmark_encryption_enabled": "FAIL","glue_data_catalogs_metadata_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"kafka_cluster_mutual_tls_authentication_enabled": null,"directoryservice_radius_server_security_protocol": null,"glue_development_endpoints_s3_encryption_enabled": null,"glue_etl_jobs_cloudwatch_logs_encryption_enabled": "FAIL","autoscaling_find_secrets_ec2_launch_configuration": "PASS","eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"elasticache_redis_cluster_rest_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": 
null,"cloudfront_distributions_field_level_encryption_enabled": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"elasticache_redis_cluster_in_transit_encryption_enabled": null,"opensearch_service_domains_https_communications_enforced": null,"sagemaker_training_jobs_intercontainer_encryption_enabled": null,"glue_data_catalogs_connection_passwords_encryption_enabled": "FAIL","glue_development_endpoints_job_bookmark_encryption_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null,"sagemaker_training_jobs_volume_and_output_encryption_enabled": null,"glue_development_endpoints_cloudwatch_logs_encryption_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.7.1 Application of Encryption Policy","Subdomain": "2.7. Application of Encryption","AuditEvidence": ["Encryption control policy (targets, methods, algorithms, etc.)","Encryption application status (during storage and transmission)","Risk analysis results (if encryption is not applied to unique identifiers other than resident registration numbers in the internal network)","Encryption solution management screen"],"AuditChecklist": ["Has an encryption policy been established that includes encryption targets, encryption strength, and encryption usage in consideration of legal requirements for the protection of personal and important information?","Is encryption applied to personal and important information during storage, transmission, and transfer according to the encryption policy?"],"NonComplianceCases": ["Case 1: Internal policies and guidelines do not properly specify encryption targets, encryption strength, encryption methods during storage and transmission, or the roles and responsibilities of those responsible for encryption, considering legal requirements.","Case 2: The company applied incorrect regulations during the creation of its encryption policy, leading to non-compliance with legal encryption 
requirements (e.g., storing user account numbers without encryption).","Case 3: Although one-way encryption was applied to the passwords of both personal information handlers and data subjects, an insecure MD5 algorithm was used.","Case 4: Although a security server was applied to an internet shopping mall in accordance with relevant laws and internal regulations, encryption was missing in some sections where users' personal information is transmitted (e.g., viewing or modifying member information, password retrieval, password changes).","Case 5: Passwords for accessing information systems, authentication keys, and other values were stored in plaintext in system configuration files and source code."],"RelatedRegulations": ["Personal Information Protection Act, Article 24-2 (Restrictions on Processing of Resident Registration Numbers), Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 7 (Encryption of Personal Information)"]}],"description": "To protect personal and important information, encryption policies that reflect legal requirements, such as encryption targets, encryption strength, and encryption usage policies, must be established. Encryption must be applied during the storage, transmission, and transfer of personal and important information.","checks_status": {"fail": 18,"pass": 19,"total": 66,"manual": 0}},"2.7.2": {"name": "Cryptographic Key Management","checks": {"kms_cmk_are_used": null,"kms_cmk_rotation_enabled": null,"kms_key_not_publicly_accessible": null,"kms_cmk_not_deleted_unintentionally": null,"rds_instance_certificate_expiration": "PASS","secretsmanager_automatic_rotation_enabled": "FAIL","acm_certificates_transparency_logs_enabled": "PASS","directoryservice_ldap_certificate_expiration": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "FAIL","attributes": [{"Domain": "2. 
Security Control Requirements","Section": "2.7.2 Cryptographic Key Management","Subdomain": "2.7. Application of Encryption","AuditEvidence": ["Cryptographic Key Management Policy","Cryptographic Key Management Log and System Screens"],"AuditChecklist": ["Are procedures for the generation, use, storage, distribution, modification, recovery, and destruction of cryptographic keys established and implemented?","Are cryptographic keys securely stored in a separate location to ensure they can be recovered if necessary, and is access to the use of cryptographic keys minimized?"],"NonComplianceCases": ["Case 1: If encryption policies do not specify procedures and methods for managing cryptographic keys, leading to varying levels and methods of cryptographic key management among personnel, resulting in vulnerabilities.","Case 2: Internal regulations require the generation of encryption keys under the approval of a responsible person when encrypting important information, and to maintain a key management log, but some keys are either missing or outdated in the log.","Case 3: The encryption key applied in the development system is the same as the one applied in the production system, making it easy to decrypt actual data through the development system."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 7 (Encryption of Personal Information)"]}],"description": "Establish and implement management procedures for the secure generation, use, storage, distribution, and destruction of cryptographic keys, and prepare recovery methods if necessary.","checks_status": {"fail": 1,"pass": 2,"total": 9,"manual": 0}},"2.8.1": {"name": "Definition of Security Requirements","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": 
"FAIL","accessanalyzer_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","guardduty_centrally_managed": "FAIL","wafv2_webacl_logging_enabled": "FAIL","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","codebuild_project_no_secrets_in_variables": "PASS","codebuild_project_user_controlled_buildspec": "PASS","wellarchitected_workload_no_high_or_medium_risks": "FAIL","codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Security Control Requirements","Section": "2.8.1 Definition of Security Requirements","Subdomain": "2.8. Security for Information System Introduction and Development","AuditEvidence": ["Information System Acquisition Standards and Procedures","RFP (Request for Proposal) and Purchase Contracts for Information System Introduction","Development Outputs (Project Execution Plans, Requirements Definition, Screen Design, Security Architecture Design, Test Plans, etc.)","Secure Coding Standards"],"AuditChecklist": ["When introducing, developing, or modifying an information system, are procedures for reviewing the validity of information protection and personal information protection aspects and for acquisition established and implemented?","When introducing, developing, or modifying an information system, are security requirements, including legal requirements and the latest vulnerabilities, clearly defined and reflected from the design stage?","Are coding standards for secure implementation of the information system established and applied?"],"NonComplianceCases": ["Case 1: Lack of established security verification standards and procedures prior to acquiring an information system.","Case 2: Internal regulations require the review of the security impact and the operating environment when introducing a new system, but recent acquisitions of some information systems lacked detailed standards and plans, and therefore, no security review was conducted during 
the acquisition.","Case 3: Internal development guidelines do not define key security requirements related to development (authentication and encryption, security logging, etc.).","Case 4: In the 'Development Standards Definition Document', user passwords are to be encrypted using insecure algorithms (MD5, SHA1), resulting in failure to comply with relevant legal requirements."],"RelatedRegulations": []}],"description": "When introducing, developing, or modifying information systems, security requirements such as legal requirements related to information protection and personal information protection, the latest security vulnerabilities, and secure coding methods must be defined and applied.","checks_status": {"fail": 7,"pass": 7,"total": 16,"manual": 0}},"2.8.2": {"name": "Review and Testing of Security Requirements","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","accessanalyzer_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","guardduty_centrally_managed": "FAIL","wafv2_webacl_logging_enabled": "FAIL","inspector2_active_findings_exist": "FAIL","config_recorder_all_regions_enabled": null,"guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","codebuild_project_no_secrets_in_variables": "PASS","codebuild_project_user_controlled_buildspec": "PASS","wellarchitected_workload_no_high_or_medium_risks": "FAIL","codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Security Control Requirements","Section": "2.8.2 Review and Testing of Security Requirements","Subdomain": "2.8. 
Security for Information System Introduction and Development","AuditEvidence": ["Information System Acceptance Test Results","Requirements Traceability Matrix","Test Plans, Test Results","Vulnerability Assessment Results","Personal Information Impact Assessment Report","Confirmation of Implementation of Corrective Actions for Personal Information Impact Assessment"],"AuditChecklist": ["When introducing, developing, or modifying an information system, are tests conducted to verify whether the security requirements defined during the analysis and design stages have been effectively applied?","Are vulnerability assessments conducted to confirm that the information system has been securely developed according to secure coding standards?","Are procedures established and implemented to ensure that issues identified during testing and vulnerability assessments are promptly addressed through corrective action plans and follow-up checks?","For public institutions, are impact assessments conducted during the analysis and design stages when developing or modifying personal information processing systems, as required by relevant laws, and are the results reflected during development and modification?"],"NonComplianceCases": ["Case 1: Failure to test security requirements defined in internal guidelines and documents after implementing an information system.","Case 2: In the application program test scenario and technical vulnerability checklist, important validation items such as input validation checks were omitted.","Case 3: Failure to assess whether known technical vulnerabilities exist during implementation or testing, or failure to address identified vulnerabilities without valid reasons or approval.","Case 4: A public institution failed to conduct an impact assessment when developing a personal information file or personal information processing system subject to an impact assessment requirement, such as processing unique identifiers of more than 50,000 data 
subjects.","Case 5: A public institution failed to submit the impact assessment report to the Personal Information Protection Commission within two months after receiving the report from the impact assessment agency.","Case 6: Internal guidelines require reviewing the security and impact on the operating environment when introducing a new system (e.g., vulnerability assessments), but recent acquisitions of some information systems lacked security reviews during the acceptance process."],"RelatedRegulations": ["Personal Information Protection Act, Article 33 (Personal Information Impact Assessment)","Notification on Personal Information Impact Assessment"]}],"description": "To verify that an information system has been introduced or implemented according to predefined security requirements, review standards and procedures must be established and implemented to check compliance with legal requirements, the latest security vulnerabilities, secure coding implementation, and personal information impact assessment, and corrective measures must be taken for any identified issues.","checks_status": {"fail": 10,"pass": 7,"total": 19,"manual": 0}},"2.8.3": {"name": "Separation of Test and Production Environments","checks": {"codebuild_project_user_controlled_buildspec": "PASS"},"status": "PASS","attributes": [{"Domain": "2. Security Requirements for Protection Measures","Section": "2.8.3 Separation of Test and Production Environments","Subdomain": "2.8. 
Security for Information System Introduction and Development","AuditEvidence": ["Network diagrams (including test environment configuration)","Current application of access control between the production environment and the development/test environment"],"AuditChecklist": ["Are development and test systems separated from the production system?","If separation of development and production environments is difficult due to unavoidable reasons, have security measures such as mutual review, monitoring by supervisors, approval for changes, and ensuring accountability been implemented?"],"NonComplianceCases": ["Case 1: Source code changes are being made directly in the production environment without a separate development environment or proper approval.","Case 2: Although it is unavoidable to operate the development and production systems without separation, records of mutual review or monitoring are missing.","Case 3: Although a separate development system is in place, access from the development environment to the production environment is not controlled, allowing developers unnecessary access to the production system through the development system."],"RelatedRegulations": []}],"description": "Development and test systems must, in principle, be separated from production systems to reduce the risk of unauthorized access and changes to the production system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.8.4": {"name": "Test Data Security","checks": {"codebuild_project_no_secrets_in_variables": "PASS"},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.8.4 Test Data Security","Subdomain": "2.8. 
Security in Information System Introduction and Development","AuditEvidence": ["Test data status","Test data generation rules","If operational data was used in a test environment, the approval history"],"AuditChecklist": ["Is the use of actual operational data restricted during the development and testing of information systems?","If it is inevitable to use operational data in a test environment, are control procedures such as approval by the responsible person, monitoring of access and leakage, and deletion of data after testing established and implemented?"],"NonComplianceCases": ["Case 1: There are no specific standards and procedures established for generating test data for use on the development server.","Case 2: Operational data is being used as test data without proper processing and without approval from the responsible person for a valid reason.","Case 3: Although operational data was approved in advance for use as test data for unavoidable reasons, the same level of access control as the operational database is not applied to the test database.","Case 4: After using operational data for testing purposes, the data was not deleted from the test database even though the testing was completed."],"RelatedRegulations": []}],"description": "In order to prevent the leakage of operational data during system testing, procedures for the creation, use, management, disposal, and technical protection measures of test data must be established and implemented.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.8.5": {"name": "Source Program Management","checks": {"ecr_repositories_not_publicly_accessible": "PASS","codeartifact_packages_external_public_publishing_disabled": null},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.8.5 Source Program Management","Subdomain": "2.8. 
Security in Information System Introduction and Development","AuditEvidence": ["Status of configuration management systems such as SVN (e.g., list of authorized personnel)","History of changes to the source program"],"AuditChecklist": ["Have procedures been established and implemented to control access to source programs by unauthorized persons?","Is the source program stored safely in a non-operational environment for emergencies such as system failures?","Is the history of changes to the source program being managed?"],"NonComplianceCases": ["Case 1: There is no separate backup or configuration management system for source programs, and previous versions of the source code are stored on the operational server or developer's PC without approval or history management.","Case 2: A configuration management system has been established, but access control, access and change history for the system or the source code stored in the system are not properly managed.","Case 3: The internal regulations require version control of source programs through a configuration management system, but the latest version of the source program is only stored on the developer's PC, and no separate backup is performed."],"RelatedRegulations": []}],"description": "Source programs must be managed so that only authorized users can access them, and it is a principle that they should not be stored in the operational environment.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.8.6": {"name": "Transition to Operational Environment","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.8.6 Transition to Operational Environment","Subdomain": "2.8. 
Security in Information System Introduction and Development","AuditEvidence": ["Transition procedures","Transition records (requests, approvals, tests, transitions, etc.)"],"AuditChecklist": ["Have control procedures been established and implemented to safely transition newly introduced, developed, or modified systems to the operational environment?","Are contingency plans in place to address issues that may arise during the transition to the operational environment?","Are only the files necessary for service execution installed in the operational environment?"],"NonComplianceCases": ["Case 1: There are no procedures in place to review and approve the transition of developed or modified source programs to the operational environment.","Case 2: Unnecessary files (source code, distribution modules, backups, development-related documents, manuals, etc.) exist in the operational server.","Case 3: The internal guidelines require the preparation of change request and result documents for safe transition and recovery during transitions to the operational environment, but such documents are not available.","Case 4: The internal guidelines require internal review and approval before distributing mobile apps to the app market, but developers are bypassing these procedures and distributing the apps directly."],"RelatedRegulations": []}],"description": "When transitioning newly introduced, developed, or modified systems to the operational environment, the process must be controlled, and the executable code must be run according to test and user acceptance procedures.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.9.1": {"name": "Change Management","checks": {"codebuild_project_older_90_days": "FAIL","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_changes_to_network_acls_alarm_configured": 
null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.9.1 Change Management","Subdomain": "2.9. System and Service Operations Management","AuditEvidence": ["Change management procedures","Change management records (requests, approvals, change details, etc.)","Impact analysis results of changes"],"AuditChecklist": ["Have procedures been established and implemented for changes to assets related to information systems (hardware, operating systems, commercial software packages, etc.)?","Are the performance and security impacts analyzed before making changes to information system-related assets?"],"NonComplianceCases": ["Case 1: A recent change to the DMZ section for redundancy was made, but there is no evidence of performing and approving the security risk and performance evaluation that may occur after the change.","Case 2: A recent network change was made, but the review and notification were not sufficiently carried out, so the changes were not properly reflected in the network diagram or some access control systems (e.g., firewalls, database access control systems) ACLs.","Case 3: Although a change management system was established to analyze and discuss the impact on performance and security when information systems are introduced or changed, changes can still be made outside the system, and related changes are not properly reviewed."],"RelatedRegulations": 
[]}],"description": "Procedures must be established and implemented to manage all changes to assets related to information systems, and the impact on system performance and security must be analyzed before changes are made.","checks_status": {"fail": 2,"pass": 0,"total": 14,"manual": 0}},"2.9.2": {"name": "Performance and Fault Management","checks": {"rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","elbv2_is_in_multiple_az": "PASS","s3_bucket_no_mfa_delete": "FAIL","vpc_subnet_different_az": "PASS","neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","autoscaling_group_multiple_az": null,"dms_instance_multi_az_enabled": null,"rds_cluster_backtrack_enabled": null,"cloudtrail_multi_region_enabled": "PASS","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_cross_region_replication": "FAIL","trustedadvisor_errors_and_warnings": null,"config_recorder_all_regions_enabled": null,"kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": null,"networkfirewall_deletion_protection": null,"rds_instance_certificate_expiration": "PASS","route53_domains_transferlock_enabled": null,"cloudtrail_bucket_requires_mfa_delete": null,"elb_cross_zone_load_balancing_enabled": "PASS","documentdb_cluster_deletion_protection": null,"documentdb_cluster_cloudwatch_log_export": null,"ec2_instance_detailed_monitoring_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","iam_no_expired_server_certificates_stored": null,"kafka_cluster_enhanced_monitoring_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null,"directoryservice_ldap_certificate_expiration": null,"cognito_user_pool_deletion_protection_enabled": null,"trustedadvisor_premium_support_plan_subscribed": null,"directoryservice_directory_monitor_notifications": null,"cloudformation_stacks_termination_protection_enabled": 
"FAIL","cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.9.2 Performance and Fault Management","Subdomain": "2.9. System and Service Operations Management","AuditEvidence": ["Procedures for performance and capacity monitoring","Evidence of performance and capacity monitoring (e.g., internal reporting results)","Fault response procedures","Fault response report"],"AuditChecklist": ["Have procedures been established and implemented to continuously monitor performance and capacity to ensure the availability of information systems?","Are response procedures in place and implemented to address cases where the performance and capacity requirements (thresholds) of the information system are exceeded?","Have procedures been established and implemented to immediately recognize and respond to information system faults?","Are procedures in place to record and manage actions taken in response to faults through fault response reports?","For serious faults, are measures being taken to prevent recurrence through cause analysis?"],"NonComplianceCases": ["Case 1: Failure to define requirements (e.g., thresholds) for managing performance and capacity for each target, or the absence of records in regular inspection reports, making it difficult to assess the current status.","Case 2: Performance or capacity standards were exceeded, but no related reviews or follow-up measures were taken or implemented.","Case 3: Fault response procedures for IT equipment have been established, but internal and external environmental changes such as network configuration or vendor changes are not adequately reflected.","Case 4: Inconsistencies exist between fault handling procedures and fault type-specific response methods, or there is a lack of rationale for estimating response times, making swift, accurate, and 
systematic responses difficult."],"RelatedRegulations": []}],"description": "To ensure the availability of information systems, performance and capacity requirements must be defined, and the status must be continuously monitored. Procedures for detecting, recording, analyzing, recovering, and reporting in response to faults must be established and managed effectively.","checks_status": {"fail": 11,"pass": 6,"total": 39,"manual": 0}},"2.9.3": {"name": "Backup and Recovery Management","checks": {"ec2_ami_public": null,"backup_plans_exist": "PASS","backup_vaults_exist": null,"backup_vaults_encrypted": "PASS","ec2_ebs_public_snapshot": "PASS","efs_have_backup_enabled": "FAIL","s3_bucket_public_access": null,"backup_reportplans_exist": null,"s3_bucket_kms_encryption": "FAIL","s3_bucket_public_list_acl": null,"s3_bucket_public_write_acl": null,"ec2_ebs_snapshots_encrypted": "FAIL","rds_instance_backup_enabled": "PASS","rds_snapshots_public_access": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"s3_bucket_default_encryption": "PASS","rds_cluster_backtrack_enabled": null,"neptune_cluster_backup_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","neptune_cluster_public_snapshot": null,"documentdb_cluster_backup_enabled": null,"documentdb_cluster_public_snapshot": null,"rds_cluster_copy_tags_to_snapshots": "FAIL","s3_bucket_cross_region_replication": "FAIL","rds_instance_copy_tags_to_snapshots": null,"redshift_cluster_automated_snapshot": null,"s3_access_point_public_access_block": "PASS","s3_bucket_policy_public_write_access": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","elasticache_redis_cluster_backup_enabled": null,"ecr_repositories_lifecycle_policy_enabled": "FAIL","directoryservice_directory_snapshots_limit": null,"ec2_ebs_snapshot_account_block_public_access": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": 
"FAIL"},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.9.3 Backup and Recovery Management","Subdomain": "2.9. System and Service Operation Management","AuditEvidence": ["Backup and recovery procedures","Recovery test results","Disaster recovery backup status"],"AuditChecklist": ["Have backup and recovery procedures been established and implemented, including targets, frequency, methods, and procedures?","Is regular recovery testing conducted to verify the completeness and accuracy of the backed-up information and the adequacy of the recovery procedures?","For backup media containing critical information, is the media stored in physically separate locations to address disaster recovery?"],"NonComplianceCases": ["Case 1: Backup and recovery procedures, including targets, frequency, methods, and procedures, have not been established.","Case 2: Although a backup policy is in place, information required to be stored for a long period (6 months, 3 years, 5 years, etc.) according to legal requirements is not being stored according to the backup policy.","Case 3: Some systems (e.g., security system policies and logs) that are required to be separately backed up according to higher-level or internal guidelines are not being backed up.","Case 4: Although higher-level or internal guidelines stipulate that recovery tests for backup media should be conducted periodically, recovery tests have not been performed for an extended period."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 11 (Safety Measures for Disaster Recovery)"]}],"description": "To maintain the availability and data integrity of the information system, procedures must be established and implemented regarding the backup targets, frequency, methods, storage locations, retention periods, and disaster recovery. 
Additionally, management must ensure timely recovery in case of incidents.","checks_status": {"fail": 11,"pass": 8,"total": 37,"manual": 0}},"2.9.4": {"name": "Log and Access Record Management","checks": {"macie_is_enabled": "PASS","elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","ec2_ebs_public_snapshot": "PASS","eventbridge_bus_exposed": "PASS","rds_snapshots_encrypted": "FAIL","s3_bucket_public_access": null,"s3_bucket_kms_encryption": "FAIL","cloudtrail_insights_exist": null,"s3_bucket_public_list_acl": null,"s3_bucket_public_write_acl": null,"ec2_ebs_snapshots_encrypted": "FAIL","ec2_instance_managed_by_ssm": "FAIL","efs_not_publicly_accessible": "FAIL","guardduty_centrally_managed": "FAIL","rds_snapshots_public_access": "PASS","s3_bucket_default_encryption": "PASS","wafv2_webacl_logging_enabled": "FAIL","iam_securityaudit_role_created": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","config_recorder_all_regions_enabled": null,"s3_access_point_public_access_block": "PASS","s3_bucket_level_public_access_block": "PASS","eventbridge_bus_cross_account_access": "FAIL","s3_bucket_policy_public_write_access": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"apigatewayv2_api_access_logging_enabled": "FAIL","cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"s3_bucket_server_access_logging_enabled": "FAIL","cloudfront_distributions_logging_enabled": null,"documentdb_cluster_cloudwatch_log_export": null,"ec2_instance_detailed_monitoring_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": 
"FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_cross_account_sharing_disabled": null,"kafka_cluster_enhanced_monitoring_enabled": null,"acm_certificates_transparency_logs_enabled": "PASS","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"eks_control_plane_logging_all_types_enabled": null,"ec2_ebs_snapshot_account_block_public_access": null,"iam_inline_policy_no_full_access_to_cloudtrail": null,"trustedadvisor_premium_support_plan_subscribed": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL","cloudwatch_log_metric_filter_sign_in_without_mfa": null,"directoryservice_directory_monitor_notifications": null,"eventbridge_schema_registry_cross_account_access": "FAIL","glue_etl_jobs_cloudwatch_logs_encryption_enabled": "FAIL","opensearch_service_domains_audit_logging_enabled": null,"directoryservice_directory_log_forwarding_enabled": null,"ec2_client_vpn_endpoint_connection_logging_enabled": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","cloudwatch_log_metric_filter_authentication_failures": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"route53_public_hosted_zones_cloudwatch_logging_enabled": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","glue_development_endpoints_cloudwatch_logs_encryption_enabled": 
null,"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled": "PASS","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.9.4 Log and Access Record Management","Subdomain": "2.9. System and Service Operation Management","AuditEvidence": ["Log management procedures","Log record details","Access control records for log storage devices","Access records of personal information"],"AuditChecklist": ["Has the organization established log management procedures for information systems such as servers, applications, security systems, and network systems, and is it generating and storing the necessary logs accordingly?","Are log records of information systems securely stored to prevent tampering, theft, or loss, and is access to the log records minimized?","Are access records for personal information processing systems securely stored for a specified period in accordance with legal requirements, including all necessary items?"],"NonComplianceCases": ["Case 1: The detailed criteria and procedures for log recording, retention periods, review frequency, and responsible personnel have not been established.","Case 2: The maximum size for critical logs such as security event logs, application, and service logs (for Windows Server 2008 or later) is not sufficiently configured, resulting in logs not being recorded and retained for the period specified by internal standards.","Case 3: The log records of important Linux/UNIX servers are not separately backed up or adequately protected, allowing users to arbitrarily delete command execution histories and access logs.","Case 4: Upon reviewing access records for the personal information processing system, while the account, 
access time, and IP address of the user were logged, details about the data subject information handled and the tasks performed (e.g., view, modify, delete, download) were not recorded.","Case 5: The capacity of the log server is insufficient, leaving only two months of access records for the personal information processing system.","Case 6: A personal information processing system handling personal information of 100,000 data subjects is only retaining access logs for one year."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 8 (Retention and Inspection of Access Records)"]}],"description": "The organization must define the types of logs, retention periods, and retention methods for user access records, system logs, and privilege grant records for information systems such as servers, applications, security systems, and network systems, and must securely retain and manage them to prevent tampering, theft, or loss.","checks_status": {"fail": 25,"pass": 15,"total": 81,"manual": 0}},"2.9.5": {"name": "Log and Access Record Inspection","checks": {"cloudtrail_insights_exist": null,"inspector2_active_findings_exist": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","cloudtrail_threat_detection_enumeration": null,"cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": 
null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Control Requirements","Section": "2.9.5 Log and Access Record Inspection","Subdomain": "2.9. System and Service Operation Management","AuditEvidence": ["Log review and monitoring procedures","Log review and monitoring results (review details, reports, etc.)","Access record inspection details for personal information","Criteria and results for verifying reasons for personal information downloads","Evidence of responses to detected anomalies"],"AuditChecklist": ["Are there established log review and monitoring procedures, including the frequency, targets, and methods for detecting errors, misuse (unauthorized access, excessive queries, etc.), fraud, and other anomalies in the information system?","Are the results of log reviews and monitoring reported to the responsible person, and are responses taken following procedures when anomalies are detected?","Are access records of the personal information processing system regularly inspected according to the periods specified in relevant laws?"],"NonComplianceCases": ["Case 1: Monitoring and alert policies (criteria) for abnormal access (e.g., early morning access on holidays, access via bypass routes) or abnormal behaviors (e.g., large-scale data queries 
or continuous small data queries) on information systems processing important information have not been established.","Case 2: Although periodic inspection/monitoring criteria for access and usage are established in internal guidelines or systems, there is no record of actual review of abnormal access or behavior.","Case 3: The personal information processor sets the inspection frequency of access records for personal information processing systems to once per quarter.","Case 4: The internal management plan for the personal information processor sets criteria for verifying reasons when more than 1,000 items of personal information are downloaded, but the reasons are not verified when such downloads occur."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 8 (Retention and Inspection of Access Records)"]}],"description": "To ensure normal use of the information system and prevent misuse (unauthorized access, excessive queries, etc.) by users, log review criteria for access and usage must be established and inspected periodically, and post-event actions must be taken promptly if issues arise.","checks_status": {"fail": 6,"pass": 0,"total": 26,"manual": 0}},"2.9.6": {"name": "Time Synchronization","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Control Requirements","Section": "2.9.6 Time Synchronization","Subdomain": "2.9. System and Service Operation Management","AuditEvidence": ["Time synchronization settings","Evidence of time synchronization for key systems"],"AuditChecklist": ["Is the system time synchronized with the standard time?","Is regular inspection conducted to ensure that time synchronization is functioning properly?"],"NonComplianceCases": ["Case 1: The time of some critical systems (e.g., security systems, CCTV, etc.) 
is not synchronized with the standard time, and regular inspections for synchronization are not being conducted.","Case 2: Although internal NTP servers are configured for time synchronization, some systems are not synchronized, and there has been no cause analysis or response."],"RelatedRegulations": []}],"description": "To ensure the accuracy of logs and access records and provide reliable log analysis, the system time must be synchronized with a standard time and regularly maintained.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.9.7": {"name": "Reuse and Disposal of Information Assets","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Control Requirements","Section": "2.9.7 Reuse and Disposal of Information Assets","Subdomain": "2.9. System and Service Operation Management","AuditEvidence": ["Procedures for the disposal and reuse of information assets","Storage media management ledger","Evidence of the disposal of information assets and storage media","Disposal-related outsourcing contracts for information assets and storage media"],"AuditChecklist": ["Are secure reuse and disposal procedures for information assets established and implemented?","When reusing or disposing of information assets and storage media, are personal and critical information processed to be irrecoverable?","If information assets and storage media are disposed of internally, are the disposal records maintained in a management ledger along with evidence of disposal?","If disposal is outsourced to an external company, are disposal procedures specified in the contract and is the complete disposal confirmed?","Are measures in place to protect data on storage media during maintenance, repairs, or replacements of systems and PCs?"],"NonComplianceCases": ["Case 1: Although the policy and procedure require the complete deletion of data using a data deletion program when reusing PCs used by personal information handlers, in practice, PCs are reused without 
complete deletion or are only formatted before reuse, indicating that procedures are not being followed.","Case 2: Although storage media are disposed of through an external company, the contract lacks details on secure disposal procedures and protective measures, and there is no verification or supervision of the disposal process or evidence of compliance.","Case 3: Instead of recording the serial numbers of disposed HDDs, the system names are recorded, or the disposal ledger is not maintained, making it impossible to verify the disposal history and traceability.","Case 4: Discarded hard disks are left unsecured in an area without locks, and the data has not been fully deleted."],"RelatedRegulations": ["Personal Information Protection Act, Article 21 (Destruction of Personal Information)","Standards for Ensuring the Safety of Personal Information, Article 13 (Destruction of Personal Information)"]}],"description": "To prevent the recovery or regeneration of personal and critical information during the reuse and disposal process, secure reuse and disposal procedures for information assets must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.1": {"name": "Collection and Use of Personal Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.1.1 Collection and Use of Personal Information","Subdomain": "3.1. 
Protection Measures during Personal Information Collection","AuditEvidence": ["Online personal information collection forms (e.g., website sign-up screens, mobile app registration screens, event participation forms)","Offline personal information collection forms (e.g., membership application forms)","Records of personal information collection consent (e.g., member databases)","Records of legal guardian consent","Privacy policy"],"AuditChecklist": ["When collecting personal information, is it collected in accordance with lawful requirements such as obtaining the data subject’s consent, complying with legal obligations, or concluding and fulfilling contracts?","When obtaining consent from the data subject for the collection of personal information, are the method and timing of obtaining consent appropriate?","When obtaining consent from the data subject for the collection of personal information, are the relevant details clearly communicated, and are significant points required by law highlighted in a way that is easy to understand?","When collecting, using, or providing personal information from children under the age of 14, are necessary details notified to their legal representatives, and is consent obtained?","When obtaining the consent of a legal representative, is only the minimum necessary personal information collected, and are procedures and methods in place to verify the qualifications of the legal representative?","When notifying children under the age of 14 about matters related to the processing of their personal information, are the notifications presented in a format and language that is clear and easy to understand?","Are records of consent obtained from data subjects and legal representatives being retained?","For personal information that can be processed without the consent of the data subject, are the relevant items and legal basis for processing disclosed in the privacy policy or communicated to the data subject separately from the personal 
information processed with consent?","When personal information is used for additional purposes without the consent of the data subject, are criteria established and implemented to assess the relevance to the original purpose, predictability, impact on the data subject, and safety measures? If additional usage continues to occur, are these criteria disclosed in the privacy policy and regularly reviewed?"],"NonComplianceCases": ["Case 1: A personal information processor subject to the Personal Information Protection Act failed to include the 'right to refuse consent and the consequences of refusal' in the notifications when obtaining consent to collect personal information.","Case 2: During the process of obtaining consent for the collection of personal information, the items of personal information to be collected were not specified in detail, and were instead described in general terms like 'etc.'","Case 3: On a shopping mall website, personal information necessary for membership registration was collected alongside payment and delivery information required for future purchases, even though such information was not necessary at the time of registration.","Case 4: Personal information (e.g., name, email, phone number) was collected through Q&A boards without obtaining the data subject's consent.","Case 5: Personal information of children under the age of 14 was collected without obtaining the consent of their legal guardians.","Case 6: Although the service was not intended for children under 14, some members were under 14 because the website did not check birthdates during registration, allowing them to register without legal guardian consent.","Case 7: The procedure for verifying the authenticity of the legal representative was insufficient, allowing individuals who were not legal guardians to provide consent.","Case 8: Personal information (e.g., name, phone number) of legal guardians was collected for the purpose of obtaining their consent to collect personal 
information from children under the age of 14, but the consent of the legal guardian was not confirmed for an extended period, and the information was retained without being destroyed.","Case 9: Personal information of children under 14 was collected based on the consent of their legal guardians, but records of this consent were not maintained, making it impossible to verify the details related to legal guardian consent (e.g., legal guardian’s name, time of consent)."],"RelatedRegulations": ["Personal Information Protection Act, Article 15 (Collection and Use of Personal Information), Article 22 (Methods for Obtaining Consent), Article 22-2 (Protection of Personal Information of Children)","Notice on the Processing of Personal Information"]}],"description": "Personal information must be collected and used lawfully and fairly. When collecting personal information based on the consent of the data subject, such consent must be obtained through legal means. Additionally, when collecting personal information from children under the age of 14, consent must be obtained from their legal representative, and it must be verified that such consent was given by the legal representative.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.2": {"name": "Restrictions on the Collection of Personal Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.1.2 Restrictions on the Collection of Personal Information","Subdomain": "3.1. 
Protection Measures during Personal Information Collection","AuditEvidence": ["Online personal information collection forms (e.g., website sign-up screens, event participation forms)","Offline personal information collection forms (e.g., membership application forms)","Privacy policy"],"AuditChecklist": ["When collecting personal information, is only the minimum amount of information necessary for the intended purpose being collected?","When collecting personal information based on the data subject’s consent, is the data subject clearly informed that they can refuse to consent to the collection of additional personal information beyond the minimum required?","Is the data subject not denied goods or services for refusing to consent to the collection of additional personal information beyond the minimum necessary for the intended purpose?"],"NonComplianceCases": ["Case 1: Although personal information was being collected based on the fulfillment of a contract, excessive personal information not essential to the fulfillment of the contract was being collected.","Case 2: During the process of obtaining consent from the data subject for optional information, the data subject was not explicitly informed that they could refuse to provide such information.","Case 3: Although the sign-up form distinguished between required and optional information, the data subject was not clearly informed that they could complete registration without providing optional information (e.g., there was no indication on the personal information entry form of which fields were required and which were optional).","Case 4: On the website registration page, the data subject was unable to proceed or complete registration if they refused to provide optional information or consent to optional matters.","Case 5: During the hiring process, excessive personal information unrelated to the job position (e.g., family details) was collected."],"RelatedRegulations": ["Personal Information Protection Act, 
Article 16 (Restrictions on the Collection of Personal Information), Article 22 (Methods for Obtaining Consent)"]}],"description": "When collecting personal information, only the minimum amount of personal information necessary for the intended purpose may be collected, and the data subject must not be denied the provision of goods or services for refusing to consent to optional matters.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.3": {"name": "Restrictions on the Processing of Resident Registration Numbers","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.1.3 Restrictions on the Processing of Resident Registration Numbers","Subdomain": "3.1. Protection Measures during Personal Information Collection","AuditEvidence": ["Personal information collection forms (e.g., website sign-up screens, event participation forms, membership application forms)","Online personal information collection forms (alternative registration methods for identity verification)","Evidence of legal grounds for processing resident registration numbers","Privacy policy"],"AuditChecklist": ["Are resident registration numbers only processed when there is a clear legal basis?","Is the legal provision that forms the basis for the collection of resident registration numbers clearly identified?","When processing resident registration numbers under a legal basis, does the organization provide a method for data subjects to register without using their resident registration number during the membership registration process on an internet website?"],"NonComplianceCases": ["Case 1: Resident registration numbers were collected for simple membership management purposes, such as identity verification, during website sign-up based on the data subject's consent.","Case 2: Resident registration numbers were collected based on provisions in enforcement rules or local ordinances.","Case 3: The last 6 
digits of the resident registration number were collected for identity verification, such as during password recovery, without any legal basis.","Case 4: Resident registration numbers were collected from job applicants during the hiring process without a legal basis.","Case 5: Resident registration numbers were collected during customer service inquiries at a call center for identity verification purposes.","Case 6: Even when there was a legal basis for the collection of resident registration numbers, alternative registration methods were not provided during the membership registration process on the website, and resident registration numbers were required for identity verification and membership registration."],"RelatedRegulations": ["Personal Information Protection Act, Article 24-2 (Restrictions on the Processing of Resident Registration Numbers)","Information and Communications Network Act, Article 23-2 (Restrictions on the Use of Resident Registration Numbers)"]}],"description": "Resident registration numbers may not be collected, used, or processed unless there is a legal basis for doing so. Even when the processing of resident registration numbers is permitted, alternative methods must be provided, such as through an internet website.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.4": {"name": "Restriction on Processing of Sensitive and Unique Identifying Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Personal Information Processing Requirements","Section": "3.1.4 Restriction on Processing of Sensitive and Unique Identifying Information","Subdomain": "3.1. 
Protection Measures for Personal Information Collection","AuditEvidence": ["Online personal information collection forms (e.g., membership sign-up pages, event participation forms)","Offline personal information collection forms (e.g., membership application forms)","Privacy policy"],"AuditChecklist": ["Is sensitive information processed only with the separate consent of the data subject or when legally required?","Is unique identifying information (excluding resident registration numbers) processed only with the separate consent of the data subject or when there is a specific legal basis?","If there is a risk of invasion of privacy due to the disclosure of sensitive information during the provision of goods or services, is the data subject clearly informed of the possibility of such disclosure and how to opt for non-disclosure before the provision of goods or services?"],"NonComplianceCases": ["Case 1: Collecting sensitive information such as disability status for discounts or benefits for disabled individuals, and obtaining blanket consent for all personal information items.","Case 2: Collecting foreign registration numbers only from foreigners during membership registration, and obtaining blanket consent for all personal information items.","Case 3: When obtaining separate consent for the collection of sensitive or unique identifying information, failing to inform or incorrectly informing the data subject about the four key points that must be disclosed (e.g., the right to refuse consent and the consequences of refusal)."],"RelatedRegulations": ["Personal Information Protection Act, Article 23 (Restrictions on Processing of Sensitive Information), Article 24 (Restrictions on Processing of Unique Identifying Information)"]}],"description": "In order to process sensitive information and unique identifying information (excluding resident registration numbers), separate consent from the data subject must be obtained unless the processing is specifically required or 
permitted by law.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.5": {"name": "Indirect Collection of Personal Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Personal Information Processing Requirements","Section": "3.1.5 Indirect Collection of Personal Information","Subdomain": "3.1. Protection Measures for Personal Information Collection","AuditEvidence": ["Contracts related to the provision of personal information (agreements with providers)","Records of notifications to data subjects about the source of personal information","Privacy policy"],"AuditChecklist": ["When receiving personal information from a third party, is it clearly stated in the contract that the responsibility for obtaining consent for the collection of personal information lies with the party providing the information?","When collecting personal information from public media or places, is the collection limited to the scope recognized as having the data subject's consent, based on common societal standards?","Even for personal information collected or generated through automated collection devices during the process of providing services, is the principle of minimum collection applied?","When personal information is collected from a source other than the data subject and the data subject requests it, is the required information immediately provided to the data subject?","When personal information collected from a source other than the data subject meets legal requirements in terms of type or scale, is the required information provided to the data subject?","Is there a record of informing the data subject about the source of personal information, and is this record maintained until the personal information is destroyed?"],"NonComplianceCases": ["Case 1: In the case of collecting personal information published on websites or social media, there is no procedure for handling requests from data subjects about the source of the information.","Case 2: 
Personal information provided by another business entity was received based on consent for the provision of personal information under Article 17(1)(1) of the Personal Information Protection Act, but the data subjects were not notified within three months (note: this applies to cases where the recipient handles the personal information of more than 50,000 data subjects, sensitive information, or unique identifying information, or processes personal information of over 1 million data subjects).","Case 3: The data subject was informed about the source of the personal information as required by law, but some mandatory notification items were omitted, such as the purpose of processing or the right to withdraw consent.","Case 4: The data subject was informed about the source of the personal information, but the record of this notification was not maintained until the personal information was destroyed, in violation of legal obligations."],"RelatedRegulations": ["Personal Information Protection Act, Article 16 (Restrictions on the Collection of Personal Information), Article 19 (Restrictions on Use and Provision of Personal Information Provided by a Third Party), Article 20 (Notification of the Source, Purpose, etc. of Indirectly Collected Personal Information)"]}],"description": "When collecting personal information from sources other than the data subject or when receiving personal information from a third party, only the minimum amount of personal information necessary for the task should be collected or received. If there is a legal basis or at the request of the data subject, the source of the personal information, the purpose of processing, and the right to request a suspension of processing must be disclosed.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.6": {"name": "Installation and Operation of Video Information Processing Devices","checks": {},"status": "PASS","attributes": [{"Domain": "3. 
Personal Information Processing Requirements","Section": "3.1.6 Installation and Operation of Video Information Processing Devices","Subdomain": "3.1. Protection Measures for Personal Information Collection","AuditEvidence": ["Status of video information processing device operation","Signs for video information processing devices","Video information processing device operation and management policies","Management screens for video information processing devices (e.g., account/permission details, video retention periods)","Contracts with operators of video information processing devices and inspection records"],"AuditChecklist": ["When installing and operating fixed video information processing devices in public places, is it reviewed whether the installation meets legal requirements?","If public institutions install and operate fixed video information processing devices in public places, are public hearings or explanation sessions held to gather opinions from relevant experts and stakeholders, as required by law?","When installing and operating fixed video information processing devices, are necessary measures taken, such as installing signs to ensure the data subject can easily recognize the presence of the devices?","When operating mobile video information processing devices in public places for business purposes, is it reviewed whether the operation meets legal requirements?","When operating mobile video information processing devices in public places for business purposes, is the fact that the video is being recorded indicated and informed to the public through lights, sounds, or signs?","Is there an operation and management policy in place for the safe management of video information processing devices and the video information they record, and is it being implemented?","Is the retention period for video information set, and is the information destroyed without delay after the retention period expires?","When outsourcing the operation of video information 
processing devices, are the related procedures and requirements reflected in the contract?"],"NonComplianceCases": ["Case 1: The wording on the signs for video information processing devices is incomplete, or there is no established and implemented policy for the operation and management of video information processing devices.","Case 2: Although there is a policy for the operation and management of video information processing devices, the policy is not followed, such as failing to comply with the retention period or failing to implement access control and logging as described in the policy.","Case 3: The operation of video information processing devices is outsourced, but the legal requirements, such as inspection of the video information management status and provisions regarding liability for damages, are not reflected in the contract.","Case 4: The operation of video information processing devices is outsourced, but the signs for the devices do not include the name and contact information of the contractor."],"RelatedRegulations": ["Personal Information Protection Act, Article 25 (Restrictions on the Installation and Operation of Fixed Video Information Processing Devices), Article 25-2 (Restrictions on the Operation of Mobile Video Information Processing Devices)"]}],"description": "When installing and operating fixed video information processing devices in public places or operating mobile video information processing devices in public places for business purposes, legal requirements must be followed according to the purpose and location of the installation, and appropriate protection measures must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.7": {"name": "Collection and Use of Personal Information for Marketing Purposes","checks": {},"status": "PASS","attributes": [{"Domain": "3. 
Requirements for Each Stage of Personal Information Processing","Section": "3.1.7 Collection and Use of Personal Information for Marketing Purposes","Subdomain": "3.1. Protection Measures When Collecting Personal Information","AuditEvidence": ["Online personal information collection forms (e.g., website membership sign-up, mobile app sign-up, event participation)","Offline personal information collection forms (e.g., membership application forms)","Marketing consent records","Records of consent for receiving advertising information and confirmation of consent","Administrator screen for advertising information transmission systems (e.g., email, SMS, app push notifications)","Advertising information transmission content","Personal information processing policy"],"AuditChecklist": ["When obtaining consent from data subjects to process personal information for the purpose of promoting or recommending goods or services, is the data subject clearly informed, and is separate consent obtained?","When sending advertising information for profit using electronic transmission media, is the recipient's explicit prior consent obtained, and is the consent reconfirmed every two years?","When a recipient indicates refusal or withdraws prior consent for receiving advertising information for profit, is the transmission of such advertising information stopped?","When sending advertising information for profit, is the sender's name, method for opting out, etc., clearly stated, and are such messages not sent during nighttime hours?"],"NonComplianceCases": ["Case 1: When collecting personal information for 'promotion and marketing' purposes, the purpose is vaguely explained (e.g., 'providing additional services', 'providing partner services') or blanket consent is obtained without distinguishing between different purposes.","Case 2: Even after a user has expressed refusal to receive advertising push notifications via a mobile app, such notifications are sent due to a program 
error.","Case 3: The option to receive advertising information via text messages or email is pre-selected by default on the online sign-up page.","Case 4: The recipient's consent for receiving advertising information is not reconfirmed every two years.","Case 5: When sending advertising information for profit via email, the subject line does not begin with '(Advertisement)'."],"RelatedRegulations": ["Personal Information Protection Act, Article 22 (Method of Obtaining Consent)","Information and Communications Network Act, Article 50 (Restrictions on Transmission of Advertising Information)"]}],"description": "When collecting and using personal information for marketing purposes, such as promoting goods or services, sales recommendations, or sending advertising information, the purpose must be clearly communicated to the data subject, and their consent must be obtained.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.1": {"name": "Management of Personal Information Status","checks": {"macie_is_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL"},"status": "FAIL","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.2.1 Management of Personal Information Status","Subdomain": "3.2. 
Protection Measures When Retaining and Using Personal Information","AuditEvidence": ["Personal information status table","Personal information flowchart","Registration status of personal information files","Personal information file management ledger","Personal information processing policy-related personal information files","Personal information files related to investigations under the Punishment of Tax Offenses Act and the Customs Act","Personal information files for one-time operations deemed to have a low need for continuous management as determined by Presidential Decree","Personal information files for simple tasks such as attending meetings, sending documents or materials, and financial settlements, which have a low need for continuous management","Personal information files processed temporarily for public health or public safety emergencies","Other personal information files collected for one-time tasks that are not stored or recorded","Personal information files classified as confidential under other laws","Personal information files collected or requested for analysis related to national security","Personal video information files processed via video information processing devices","Personal information files retained by financial institutions for handling financial transactions under the Real Name Financial Transactions and Guarantee of Secrecy Act"],"AuditChecklist": ["Is the status of collected and retained personal information, including the items, volume, purpose and method of processing, and retention period, regularly managed?","When a public institution operates or modifies personal information files, are the relevant matters registered with the head of the relevant agency as required by law?","Does the public institution disclose the status of personal information files in the personal information processing policy?"],"NonComplianceCases": ["Case 1: Although personal information files are managed through the website's personal information file 
registration menu, some personal information files related to website services are missing from the personal information processing policy.","Case 2: Although two months have passed since a new personal information file was created, it has not been registered with the Personal Information Protection Commission.","Case 3: The content of personal information files registered and disclosed with the Personal Information Protection Commission (e.g., items of personal information collected) does not match the actual status of personal information files being processed.","Case 4: A public institution has not registered personal information files with the Personal Information Protection Commission, even though the files do not qualify for exceptions such as employee personal information files or personal information files collected under the Statistics Act."],"RelatedRegulations": ["Personal Information Protection Act, Article 32 (Registration and Disclosure of Personal Information Files)"]}],"description": "The items, volume, purpose and method of processing, and retention period of collected and retained personal information must be regularly managed. In the case of public institutions, such information must be registered with the head of the relevant agency as stipulated by law.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"3.2.2": {"name": "Personal Information Quality Assurance","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.2.2 Personal Information Quality Assurance","Subdomain": "3.2. 
Protection Measures for Retention and Use of Personal Information","AuditEvidence": ["Form for data subjects to modify/update their personal information (online, offline)","Procedures to maintain the up-to-date status of personal information"],"AuditChecklist": ["Are procedures and methods in place to maintain personal information in an accurate and up-to-date state?","Is there a method provided for data subjects to ensure the accuracy, completeness, and up-to-dateness of their personal information?"],"NonComplianceCases": ["Case 1: Although an identity verification process is implemented when changing member information through the website, the identity verification process is insufficient when changing member information via customer service, making unauthorized changes possible.","Case 2: While an online method is provided for online members to change their personal information, no such method is provided for offline members."],"RelatedRegulations": ["Personal Information Protection Act, Article 3 (Principles of Personal Information Protection)"]}],"description": "Collected personal information must be managed to ensure its accuracy, completeness, and up-to-dateness within the scope necessary for the processing purpose, and procedures must be provided to data subjects to manage their information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.3": {"name": "Protection of User Device Access","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.2.3 Protection of User Device Access","Subdomain": "3.2. 
Protection Measures for Retention and Use of Personal Information","AuditEvidence": ["App access rights consent screen","App access rights settings"],"AuditChecklist": ["When accessing information stored on the user's mobile device or functions installed on the device, are users clearly informed and their consent obtained?","Is it ensured that services are not denied if users do not consent to access rights that are not essential for the service?","Are methods provided for users to consent to or withdraw access rights on their mobile devices?"],"NonComplianceCases": ["Case 1: A smartphone app requests excessive access to personal information areas such as contacts, photos, and messages, even though such access is unnecessary for the service.","Case 2: A service provider's smartphone app accesses information stored on the smartphone and installed functions without notifying the user and obtaining their consent.","Case 3: Consent is obtained for app access rights by informing users that optional permissions are required as essential permissions.","Case 4: A smartphone app supports Android versions below 6.0, where individual consent for access rights is not possible, making it impossible for users to reject optional access rights."],"RelatedRegulations": ["Information and Communications Network Act, Article 22-2 (Consent for Access Rights)"]}],"description": "When accessing information stored on the user's mobile device or functions installed on the mobile device, it is necessary to notify the user clearly and obtain their consent.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.4": {"name": "Use and Provision of Personal Information Beyond Purpose","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.2.4 Use and Provision of Personal Information Beyond Purpose","Subdomain": "3.2. 
Protection Measures for Retention and Use of Personal Information","AuditEvidence": ["Records of personal information use and provision beyond the original purpose (including related evidence such as requests)","Log of personal information use and provision beyond the original purpose (for public institutions)","Records of publication in the official gazette or on the website (for public institutions)","Guidelines for handling information provision requests","Official documents requesting information provision and records of personal information provision"],"AuditChecklist": ["Is personal information used or provided only within the scope of the purpose consented to by the data subject at the time of collection or as permitted by law?","When receiving personal information from a personal information processor, is the information used or provided only within the scope of the purpose for which it was provided?","If personal information is used or provided beyond the scope of the purpose of collection or the purpose for which it was received from a personal information processor, is additional consent obtained from the data subject or limited to cases with a legal basis?","When providing personal information to a third party for purposes beyond the original purpose, is the recipient required to take necessary actions to restrict the use of personal information and ensure safety?","When public institutions use or provide personal information beyond the original purpose, are the legal basis, purpose, and scope published in the official gazette or on the internet?","When public institutions use or provide personal information beyond the original purpose, is there a record of such use or provision and are procedures in place for managing it?"],"NonComplianceCases": ["Case 1: Personal information collected for product delivery is used for telemarketing of other company products without prior consent.","Case 2: Personal information collected for customer satisfaction 
surveys or sweepstakes entries is used for advertising other promotional events without consent.","Case 3: A public institution provides personal information to another institution for purposes outside the scope of the original purpose based on legal grounds but does not publish the information in the official gazette or on the internet.","Case 4: A public institution provides personal information to a police department for criminal investigation purposes but fails to record the details in the log of personal information use and provision beyond the original purpose."],"RelatedRegulations": ["Personal Information Protection Act, Article 18 (Restriction on the Use and Provision of Personal Information Beyond the Original Purpose), Article 19 (Restriction on Use and Provision by Recipients of Personal Information)"]}],"description": "Personal information must only be used or provided within the scope notified and consented to by the data subject at the time of collection or as permitted by law. If personal information is to be used or provided beyond this scope, additional consent must be obtained from the data subject or the legality must be verified, and appropriate protective measures must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.5": {"name": "Processing of Pseudonymized Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.2.5 Processing of Pseudonymized Information","Subdomain": "3.2. 
Protection Measures for Retention and Use of Personal Information","AuditEvidence": ["Procedures and results of the adequacy review of pseudonymization/anonymization","Records of pseudonymized information processing","Privacy policy (regarding the use and provision of pseudonymized information)"],"AuditChecklist": ["When processing pseudonymized information, are procedures established for purpose limitation, pseudonymization methods and standards, adequacy review, prohibition of re-identification, and actions in case of re-identification?","When using or providing pseudonymized personal information, is the information pseudonymized to a level where individuals cannot be identified without using or combining additional information?","When combining pseudonymized information with that of other personal information processors, is the combination conducted through a specialized agency or data professional organization?","When processing pseudonymized information, are technical, administrative, and physical measures taken to ensure safety, such as deleting or separately storing additional information and keeping records?","Is the processing period for pseudonymized information set to an appropriate period considering the processing purpose, and is the information destroyed without delay when that period expires?","When anonymizing personal information, is the information anonymized to a level where individuals cannot be identified even with the use of additional information, considering the time, cost, and technology available?"],"NonComplianceCases": ["Case 1: When processing pseudonymized information for statistical purposes or scientific research without obtaining consent from data subjects, records of the pseudonymization process were not kept, or the privacy policy was not updated to include relevant information.","Case 2: Additional information was not stored separately from pseudonymized information in the same database, or access rights to both sets of 
information were not appropriately segregated.","Case 3: Although pseudonymized personal information was used, the pseudonymization process was not sufficient, making it possible to identify individuals by combining the information with other data without using additional information.","Case 4: Personal information was anonymized for generating test data or for public release, but due to outliers or other factors, it was still possible to identify individuals, indicating that the anonymization process was not sufficient."],"RelatedRegulations": ["Personal Information Protection Act, Article 2 (Definitions), Article 28-2 (Processing of Pseudonymized Information), Article 28-3 (Restrictions on Combining Pseudonymized Information), Article 28-4 (Obligations for the Safe Processing of Pseudonymized Information), Article 28-5 (Prohibition of Re-identification in Processing Pseudonymized Information), Article 28-7 (Scope of Application), Article 58-2 (Exemptions)"]}],"description": "When processing pseudonymized information, legal requirements such as purpose limitation, combination restrictions, safety measures, and prohibition obligations must be met, and procedures must be established and implemented to ensure an appropriate level of pseudonymization.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.1": {"name": "Provision of Personal Information to Third Parties","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.3.1 Provision of Personal Information to Third Parties","Subdomain": "3.3. 
Protective Measures When Providing Personal Information","AuditEvidence": ["Forms related to the provision of personal information to third parties online (e.g., membership registration page, consent for third-party provision on websites)","Forms related to the provision of personal information to third parties offline (e.g., membership application forms, consent forms for third-party provision)","Records of third-party provisions","Privacy policy"],"AuditChecklist": ["When providing personal information to third parties, are legal requirements such as consent from the data subject or compliance with legal obligations clearly identified and followed?","When obtaining consent from the data subject for the provision of personal information to third parties, are the related matters clearly communicated, and is consent legally obtained by distinguishing it from other consents?","When obtaining consent from the data subject for the provision of personal information to third parties, are important matters clearly indicated and made easily understandable as required by law?","When providing personal information to third parties, is the information limited to the minimum necessary for the intended purpose?","When providing personal information to third parties, is it done through secure procedures and methods, and is the provision recorded and stored?","When allowing third parties to access personal information, is control implemented in accordance with protection procedures to securely protect the personal information?","When providing additional personal information without the data subject's consent, are criteria for determining the relevance to the original purpose of collection, predictability, potential harm, and safety measures established and followed? 
If such provisions continue, are these criteria disclosed in the privacy policy and periodically reviewed?"],"NonComplianceCases": ["Case 1: When obtaining consent from the data subject for the provision of personal information to third parties, some necessary information (e.g., the right to refuse consent, the items provided) was omitted.","Case 2: In the process of providing personal information to third parties, personal information from data subjects who did not consent was provided due to improper verification of consent.","Case 3: When obtaining consent for the provision of personal information, the recipient was not specifically identified and was vaguely referred to as ʻ~ etc.ʼ in the consent.","Case 4: Although third-party provision consent was optional during the membership registration process, if the data subject did not agree to third-party provision, the registration process could not be completed.","Case 5: An excessive amount of personal information was provided beyond what was necessary for the recipient's purpose of use."],"RelatedRegulations": ["Personal Information Protection Act, Article 17 (Provision of Personal Information), Article 22 (Methods of Obtaining Consent)","Notification on the Methods of Processing Personal Information"]}],"description": "When providing personal information to third parties, there must be a legal basis or consent from the data subject, and protection measures must be established and implemented to securely protect personal information during the process of providing access to third parties.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.2": {"name": "Outsourcing of Personal Information Processing","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.3.2 Outsourcing of Personal Information Processing","Subdomain": "3.3. 
Protective Measures When Providing Personal Information","AuditEvidence": ["Privacy policy (disclosing details related to the outsourcing of personal information processing)","Personal information collection forms","Contracts for outsourcing personal information processing","Records of notifications to data subjects regarding outsourced tasks related to promoting or selling goods or services"],"AuditChecklist": ["When outsourcing personal information processing tasks (including sub-outsourcing) to third parties, are the details of the outsourced tasks and the trustees regularly updated and disclosed on the website?","When outsourcing tasks related to promoting or selling goods or services, is the data subject notified of the details of the outsourced tasks and the trustees through methods such as written notice, email, or text messages?"],"NonComplianceCases": ["Case 1: Although the details of the outsourcing of personal information processing tasks were disclosed on the website's privacy policy, some trustees and the details of the outsourced tasks were missing.","Case 2: When outsourcing tasks related to promoting or selling goods or services, the details of the outsourced tasks and trustees were not notified to the data subject through written methods, and instead, the information was disclosed only in the privacy policy.","Case 3: After terminating a contract with an existing trustee for personal information processing, the new trustee was not promptly reflected in the privacy policy.","Case 4: Although the trustee sub-outsourced the personal information processing tasks to a third party, the sub-outsourcing details were not disclosed on the website."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Restrictions on the Processing of Personal Information by Outsourcing)"]}],"description": "When outsourcing personal information processing tasks to third parties, the details of the outsourced tasks and the trustee must be disclosed. 
Additionally, if the task involves promoting or selling goods or services, the details of the outsourced task and the trustee must be notified to the data subject.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.3": {"name": "Transfer of Personal Information Due to Business Transfers","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.3.3 Transfer of Personal Information Due to Business Transfers","Subdomain": "3.3. Protective Measures When Providing Personal Information","AuditEvidence": ["Records of notifications to data subjects regarding the transfer of personal information (during business transfers)","Privacy policy"],"AuditChecklist": ["When transferring personal information to another party due to the transfer or merger of all or part of the business, are the necessary matters communicated to the data subjects in advance?","When receiving personal information, does the recipient notify the data subjects without delay regarding the fact that personal information has been received and other necessary matters, if legally required?","Does the recipient of the personal information use the information only for its original purpose at the time of transfer, or provide it to third parties in compliance with the original purpose?"],"NonComplianceCases": ["Case 1: When receiving personal information through business acquisition, the data subjects were not notified of the transfer of personal information, even though the data provider failed to notify them of the transfer.","Case 2: When receiving personal information through business acquisition or merger, no procedures or methods were provided to allow data subjects to opt-out of the transfer, nor were such options communicated to the data subjects."],"RelatedRegulations": ["Personal Information Protection Act, Article 27 (Restrictions on the Transfer of Personal Information Due to Business 
Transfers)"]}],"description": "When transferring or receiving personal information due to business transfers or mergers, appropriate protection measures such as notifying the data subjects must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.4": {"name": "Transfer of Personal Information Abroad","checks": {"s3_bucket_cross_region_replication": "FAIL"},"status": "FAIL","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.3.4 Transfer of Personal Information Abroad","Subdomain": "3.3. Protection Measures When Providing Personal Information","AuditEvidence": ["Consent form for personal information transfer abroad","Contract related to personal information transfer abroad","Privacy policy","Notification or disclosure records regarding outsourcing or storage of personal information abroad"],"AuditChecklist": ["When transferring personal information abroad, has the data subject been fully informed of all notification requirements and obtained separate consent, or complied with certification or recognition, as required by law?","When informing the data subject about the outsourcing or storage of personal information abroad for the purpose of contract execution, are all necessary details included and communicated appropriately?","Has a contract for the transfer of personal information abroad been established, including compliance with personal information protection laws?","Are necessary measures being taken to protect personal information when transferring it abroad?"],"NonComplianceCases": ["Case 1: Personal information was provided to a foreign company during processing, but separate consent for the transfer of personal information abroad was not obtained, even though the conditions for consent exemption (such as certification or recognition by the recipient country) were not met.","Case 2: While using foreign cloud services (foreign regions) for outsourcing and 
storing personal information, the relevant details, such as the destination country and transfer method, were not disclosed in the privacy policy or communicated to the data subject.","Case 3: While obtaining consent for the transfer of personal information abroad, only the name of the recipient (company name) was disclosed, and the destination country was not properly notified."],"RelatedRegulations": ["Personal Information Protection Act, Articles 28-8 (Transfer of Personal Information Abroad), 28-9 (Order to Suspend Transfer of Personal Information Abroad), 28-10 (Reciprocity), 28-11 (Applicable Provisions)","Regulations on the Operation of Personal Information Transfer Abroad"]}],"description": "When transferring personal information abroad, appropriate protective measures such as obtaining consent and disclosing relevant details about the transfer must be established and implemented.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.4.1": {"name": "Destruction of Personal Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.4.1 Destruction of Personal Information","Subdomain": "3.4. 
Protection Measures When Destroying Personal Information","AuditEvidence": ["Regulations regarding the retention period and destruction of personal information","Destruction results (e.g., from member databases)","Personal information destruction management records"],"AuditChecklist": ["Has an internal policy been established regarding the retention period and destruction of personal information?","Is personal information being destroyed without delay when the processing purpose is achieved or the retention period has expired?","Is personal information destroyed using safe methods that prevent recovery or reconstruction?","Are records kept of the destruction of personal information and managed properly?"],"NonComplianceCases": ["Case 1: When a member withdraws or the purpose of retention is achieved, personal information was destroyed from the member database, but not from associated systems (CRM, DW) where duplicate personal information was stored.","Case 2: Personal information collected during a specific event was not destroyed or no destruction policy was established, even after the event ended.","Case 3: Personal information collected through a call center (such as call logs, recordings) is retained for three years under the Electronic Commerce Act, but the information was not destroyed even after three years had passed.","Case 4: Due to technical limitations, such as using blockchain, it was not possible to completely destroy personal information, so it was anonymized instead. However, the anonymization process was not done properly, allowing partial re-identification of personal information."],"RelatedRegulations": ["Personal Information Protection Act, Article 21 (Destruction of Personal Information)","Standards for Ensuring the Safety of Personal Information, Article 13 (Destruction of Personal Information)"]}],"description": "The organization must establish an internal policy regarding retention periods and destruction of personal information. 
When the retention period has expired or the purpose of processing has been achieved, personal information must be destroyed without delay using methods that ensure safety and completeness.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.4.2": {"name": "Measures When Retaining Personal Information After Purpose Is Achieved","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.4.2 Measures When Retaining Personal Information After Purpose Is Achieved","Subdomain": "3.4. Protection Measures When Destroying Personal Information","AuditEvidence": ["Regulations regarding the retention period and destruction of personal information","Current status of separated databases (table structure, etc.)","Access permissions for separated databases"],"AuditChecklist": ["When personal information is retained beyond the retention period or after the processing purpose has been achieved, in accordance with relevant laws, is it limited to the minimum necessary period and only the minimum necessary information?","When personal information is retained beyond the retention period or after the processing purpose has been achieved, is it stored separately from other personal information?","Is personal information that is stored separately processed only within the scope allowed by law?","Is access to separately stored personal information limited to the minimum number of personnel?"],"NonComplianceCases": ["Case 1: Information from withdrawn members was not destroyed but kept for a certain period under the Electronic Commerce Act, with only the flag value changed, and stored in the same table as other member information.","Case 2: Records related to consumer complaints and disputes were kept for five years instead of the required three years, due to misinterpretation of legal requirements.","Case 3: Although a separate database was set up, access permissions were not appropriately 
configured, allowing personnel who did not require access to view the separated database.","Case 4: Information from withdrawn members was stored separately in accordance with the Electronic Commerce Act, but excessive optional information was also stored, even though there was no legal obligation to do so."],"RelatedRegulations": ["Personal Information Protection Act, Article 21 (Destruction of Personal Information)"]}],"description": "If personal information is retained beyond the retention period or after the purpose of processing has been achieved, as permitted by relevant laws, it must be limited to the minimum necessary items and stored separately from other personal information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.1": {"name": "Disclosure of Privacy Policy","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.5.1 Disclosure of Privacy Policy","Subdomain": "3.5. Protection of Data Subject's Rights","AuditEvidence": ["Privacy policy","Records of privacy policy amendments (e.g., board notices)"],"AuditChecklist": ["Is the privacy policy written in clear and easy-to-understand language, covering all the contents required by law?","Is the privacy policy continuously updated and made easily accessible to data subjects via the internet or other means?","When the privacy policy is updated, are the reasons for the changes and the contents of the changes promptly notified, and can the data subjects easily recognize the changes at any time?"],"NonComplianceCases": ["Case 1: The privacy policy discloses information about the collection and provision of personal information, but the actual details differ from what is being collected and provided.","Case 2: Changes such as the replacement of the privacy officer or changes in subcontractors have occurred, but these changes have not been reflected in the privacy policy.","Case 3: The privacy policy is 
disclosed, but it is labeled 'Privacy Protection Policy' instead of 'Privacy Policy,' and its visibility is not enhanced with larger font sizes or color to make it easy for data subjects to find.","Case 4: Several amendments have been made to the privacy policy, but older versions of the policy are not made available for review.","Case 5: Although personal information is retained in compliance with laws such as the Electronic Commerce Act and the Commercial Act, the legal grounds for retention and the retained personal information items are not disclosed in the privacy policy."],"RelatedRegulations": ["Personal Information Protection Act, Article 30 (Establishment and Disclosure of Privacy Policy), Article 30-2 (Evaluation and Improvement Recommendations for Privacy Policy)"]}],"description": "A privacy policy must be established to include all necessary information, such as the purpose of personal information processing, in a way that is easy for data subjects to understand. The policy must be disclosed through appropriate methods so that data subjects can easily access it at any time, and it must be continuously updated.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.2": {"name": "Guaranteeing Data Subject's Rights","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.5.2 Guaranteeing Data Subject's Rights","Subdomain": "3.5. 
Protection of Data Subject's Rights","AuditEvidence": ["Privacy policy","Procedures and forms for handling Requests for Access, etc.","Records of actions taken in response to Requests for Access, etc.","Procedures for member withdrawal and consent withdrawal"],"AuditChecklist": ["Are procedures in place to ensure that data subjects or their representatives can exercise their rights (hereinafter referred to as 'Requests for Access, etc.') to access, rectify, delete, or suspend the processing of their personal information in a way that is not more difficult than the process used for collecting it?","When data subjects or their representatives submit Requests for Access, etc., are the necessary measures taken within the required time frame?","When data subjects withdraw their consent to the collection, use, or provision of their personal information, are the collected personal information and associated data promptly deleted or otherwise handled appropriately?","Are appropriate procedures in place to allow data subjects to object to the actions taken regarding their Requests for Access, etc., and are they informed of these procedures?","Are records kept of data subjects' Requests for Access, etc., and the resulting actions?","When the rights of others, such as privacy or honor, are violated on information networks, does the organization have procedures for the affected individuals to request the deletion of the information from service providers, and are these procedures being implemented?"],"NonComplianceCases": ["Case 1: The method for requesting access, rectification, deletion, or suspension of personal information is not disclosed in a way that data subjects can easily find.","Case 2: There has been no response to access requests for personal information within 10 days, without any valid reason.","Case 3: Records of actions taken in response to personal information access requests are not maintained.","Case 4: Access notifications are being sent without verifying 
whether the requester is the data subject or their legitimate representative.","Case 5: There has been a failure to respond to rectification or deletion requests within 10 days.","Case 6: It was easy to sign up online as a member, but to withdraw membership, additional documents such as ID must be submitted, or in-person visits are required."],"RelatedRegulations": ["Personal Information Protection Act, Article 34-2 (Deletion or Blocking of Exposed Personal Information), Article 35 (Access to Personal Information), Article 35-2 (Right to Data Portability), Article 36 (Rectification or Deletion of Personal Information), Article 37 (Suspension of Processing, etc.), Article 37-2 (Right of Data Subjects to Contest Automated Decisions), Article 38 (Methods and Procedures for Exercising Rights)","Information and Communications Network Act, Article 44 (Protection of Rights in Information Networks), Article 44-2 (Request for Deletion of Information, etc.), Article 44-3 (Temporary Measures)"]}],"description": "Procedures must be established and implemented to ensure that data subjects can easily exercise their rights, such as requesting access, rectification, deletion, suspension of processing, objection, or withdrawal of consent, through simpler processes than those used for collecting their information. When a request is received, it must be processed without delay, and records must be kept. Measures such as deletion requests and temporary actions must be taken to prevent the distribution of information that infringes on the rights of others, such as invasion of privacy or defamation.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.3": {"name": "Notification to Data Subjects","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.5.3 Notification to Data Subjects","Subdomain": "3.5. 
Protection of Data Subject's Rights","AuditEvidence": ["Records of notifications regarding the use and provision of personal information","Forms and wording used for notifications regarding the use and provision of personal information"],"AuditChecklist": ["If the organization is legally obligated to do so, does it periodically notify data subjects of the use and provision of their personal information, or provide them with access to an information system where they can review such details?","Do the notification items regarding the use and provision of personal information include all legally required elements?"],"NonComplianceCases": ["Case 1: Although the organization is required to notify data subjects of the use and provision of their personal information, no notifications have been sent during the year despite being obligated due to handling personal information of more than 1 million people on a daily average for the past three months at the end of the previous year.","Case 2: Instead of directly notifying individual data subjects, notifications about the use and provision of personal information were made through simple pop-ups or general announcements on the website."],"RelatedRegulations": ["Personal Information Protection Act, Article 20-2 (Notification of Use and Provision of Personal Information)"]}],"description": "The organization must identify matters that must be notified to data subjects, such as the use and provision of personal information, and periodically inform the data subjects of these matters.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.1": {"name": "Security System Operation","checks": {"kms_cmk_are_used": null,"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","elbv2_waf_acl_attached": "FAIL","kms_cmk_rotation_enabled": null,"ec2_securitygroup_not_used": "FAIL","guardduty_centrally_managed": 
"FAIL","wafv2_webacl_logging_enabled": "FAIL","ssm_managed_compliant_patching": "FAIL","kms_key_not_publicly_accessible": null,"ssmincidents_enabled_with_plans": null,"inspector2_active_findings_exist": "FAIL","cloudfront_distributions_using_waf": null,"cognito_user_pool_waf_acl_attached": null,"trustedadvisor_errors_and_warnings": null,"apigateway_restapi_waf_acl_attached": "FAIL","config_recorder_all_regions_enabled": null,"guardduty_no_high_severity_findings": "FAIL","ec2_securitygroup_from_launch_wizard": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","organizations_delegated_administrators": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","secretsmanager_automatic_rotation_enabled": "FAIL","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_instance_port_ldap_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","cloudwatch_log_metric_filter_sign_in_without_mfa": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","shield_advanced_protection_in_global_accelerators": null,"ec2_instance_internet_facing_with_instance_profile": 
"FAIL","shield_advanced_protection_in_route53_hosted_zones": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_authentication_failures": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","shield_advanced_protection_in_internet_facing_load_balancers": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 
Security Control Requirements","Section": "2.10.1 Security System Operation","Subdomain": "2.10. System and Service Security Management","AuditEvidence": ["Security system configuration","Network configuration","Security system operational procedures","Firewall policies","Firewall policy setup/modification request forms","Exception list for the security system","Management screens for each security system (firewall, IPS, server access control, DLP, DRM, etc.)","Security system policy review history"],"AuditChecklist": ["Has the organization established and implemented operational procedures for the security systems in use?","Is access to the security system administrators limited to a minimum, and is unauthorized access strictly controlled?","Has the organization established and implemented formal procedures for registering, modifying, and deleting policies for each security system?","Are exception policies for the security system managed according to procedures, and are users of exception policies managed with the minimum privileges?","Is the validity of the policies set on the security system periodically reviewed?","Has the organization installed and operated security systems that perform functions specified by law to prevent illegal access and data leakage in personal information processing systems?"],"NonComplianceCases": ["Case 1: Regular reviews of the security policies for the intrusion prevention system were not conducted, resulting in unnecessary or excessively permissive policies.","Case 2: There are no procedures or criteria for applying, modifying, or deleting security policies, or such procedures exist but are not followed.","Case 3: The assignment and supervision of administrators for the security system were not properly implemented.","Case 4: Although internal guidelines stipulate that the information security officer must record and maintain the history of security policy changes for the security system, the policy management ledger was not 
periodically maintained, or the policies recorded in the ledger did not match those actually applied in the operating system."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "For each type of security system, an administrator must be designated, and operational procedures such as updating to the latest policies, modifying rule sets, and monitoring events must be established and implemented. The status of policy application for each security system must be managed.","checks_status": {"fail": 16,"pass": 39,"total": 75,"manual": 0}},"2.10.2": {"name": "Cloud Security","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protective Measure Requirements","Section": "2.10.2 Cloud Security","Subdomain": "2.10. System and Service Security Management","AuditEvidence": ["Cloud service-related contracts and SLA","Cloud service risk analysis results","Cloud service security control policies","Cloud service administrator privilege assignment status","Cloud service architecture diagram","Cloud service security setting status","Cloud service security setting appropriateness review history"],"AuditChecklist": ["Is the responsibility and role for information protection and personal information protection clearly defined with the cloud service provider, and is it reflected in contracts (such as SLA)?","Are security risks based on the service type evaluated when using cloud services, and are security control policies established and implemented, including security configurations and setting standards, security setting changes and approval procedures, secure connection methods, and authority systems to prevent unauthorized access and configuration errors?","Are administrator privileges for cloud services granted minimally according to roles, and are enhanced protection measures such as strengthened 
authentication, encryption, access control, and audit logs applied to prevent unauthorized access and abuse of privileges?","Is the monitoring of cloud service security setting changes and operation status conducted, and is the appropriateness of these settings reviewed regularly?"],"NonComplianceCases": ["Case 1: The cloud service contract does not include responsibilities and roles related to security.","Case 2: Employees without a business need have been excessively granted permissions to change the security settings of the cloud service.","Case 3: Internal guidelines require security officer approval when changing access control rules in the private network of the cloud, but many access control rules were registered or changed without following the approval procedure.","Case 4: Due to security setting errors in the cloud service, internal log files were exposed to the internet."],"RelatedRegulations": []}],"description": "When using cloud services, protection measures must be established and implemented for administrator access and security settings to prevent unauthorized access and configuration errors that could lead to the leakage or exposure of critical information and personal data, depending on the service type (SaaS, PaaS, IaaS, etc.).","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.3": {"name": "Public Server Security","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","ssm_document_secrets": "PASS","elbv2_waf_acl_attached": "FAIL","elb_insecure_ssl_ciphers": "PASS","apigateway_restapi_public": "FAIL","lightsail_database_public": null,"lightsail_instance_public": null,"elbv2_insecure_ssl_ciphers": "PASS","lightsail_static_ip_unused": null,"networkfirewall_in_all_vpc": "FAIL","ec2_instance_imdsv2_enabled": "PASS","elbv2_desync_mitigation_mode": "FAIL","awslambda_function_inside_vpc": "FAIL","awslambda_function_url_public": null,"ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": 
"PASS","ssm_managed_compliant_patching": "FAIL","inspector2_active_findings_exist": "FAIL","acm_certificates_expiration_check": "PASS","awslambda_function_url_cors_policy": null,"cloudfront_distributions_using_waf": null,"vpc_subnet_separate_private_public": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","apigatewayv2_api_authorizers_enabled": "FAIL","awslambda_function_no_secrets_in_code": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","apigateway_restapi_authorizers_enabled": "PASS","cloudfront_distributions_https_enabled": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","apigateway_restapi_public_with_authorizer": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","awslambda_function_no_secrets_in_variables": "PASS","awslambda_function_not_publicly_accessible": "PASS","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","route53_domains_privacy_protection_enabled": null,"ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","apigateway_restapi_client_certificate_enabled": "FAIL","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","kafka_cluster_mutual_tls_authentication_enabled": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": 
"PASS","autoscaling_find_secrets_ec2_launch_configuration": "PASS","ec2_instance_internet_facing_with_instance_profile": "FAIL","cloudfront_distributions_using_deprecated_ssl_protocols": null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Protective Measure Requirements","Section": "2.10.3 Public Server Security","Subdomain": "2.10. 
System and Service Security Management","AuditEvidence": ["Network diagram","Website information disclosure procedures and history (e.g., requests, approvals, posting history)","Inspection history of personal and sensitive information exposure"],"AuditChecklist": ["Are protective measures established and implemented for the operation of public servers?","Are public servers installed in a DMZ separated from internal networks and protected by security systems such as firewalls?","When posting or storing personal or sensitive information on public servers, are approval and posting procedures, including obtaining approval from the responsible person, established and followed?","Does the organization regularly check whether sensitive information is being exposed through websites and web servers, and if exposure is detected, are measures taken immediately to block it?"],"NonComplianceCases": ["Case 1: Due to vulnerabilities in publicly exposed websites, unauthorized individuals were able to access others' personal information through Google search.","Case 2: Although internal regulations require approval procedures before posting personal information on websites, there were multiple cases where personal information was posted without following these procedures.","Case 3: In web applications such as bulletin boards, it was possible to arbitrarily modify or delete posts made by others, or view password-protected posts."],"RelatedRegulations": []}],"description": "For servers exposed to external networks, protective measures must be established and implemented, including separating them from internal networks, conducting vulnerability assessments, access control, authentication, and establishing procedures for information collection, storage, and disclosure.","checks_status": {"fail": 19,"pass": 47,"total": 76,"manual": 0}},"2.10.4": {"name": "Security for Electronic Transactions and FinTech","checks": {},"status": "PASS","attributes": [{"Domain": "2. 
Protection Measure Requirements","Section": "2.10.4 Security for Electronic Transactions and FinTech","Subdomain": "2.10. System and Service Security Management","AuditEvidence": ["Protection measures for electronic transaction and FinTech services","Security review results for payment system integration"],"AuditChecklist": ["Are protection measures established and implemented to ensure the safety and reliability of transactions when providing electronic transaction and FinTech services?","Are protection measures established and implemented to protect transmitted information when integrating with external systems, such as payment systems, and is the security of the integration checked?"],"NonComplianceCases": ["Case 1: While a contract was made with a payment service provider and integration was established, all payment-related information was transmitted in plain text through a specific URL without appropriate authentication or access restrictions.","Case 2: Although the external payment system was connected via a dedicated network, internal business systems were not properly controlled by firewalls or other security measures.","Case 3: Although internal guidelines required a security review by the information protection team before integrating external FinTech services, the review was skipped due to scheduling reasons when integrating a new FinTech service."],"RelatedRegulations": []}],"description": "When providing electronic transaction and FinTech services, protection measures such as authentication and encryption must be established to prevent data leakage, data tampering, or fraud. 
The security of external systems, such as payment systems, must be checked when integrated.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.5": {"name": "Secure Information Transmission","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","elb_insecure_ssl_ciphers": "PASS","elbv2_insecure_ssl_ciphers": "PASS","rds_instance_transport_encrypted": "FAIL","s3_bucket_secure_transport_policy": "FAIL","glue_database_connections_ssl_enabled": null,"cloudfront_distributions_https_enabled": null,"sns_subscription_not_using_http_endpoints": "PASS","kafka_cluster_in_transit_encryption_enabled": null,"apigateway_restapi_client_certificate_enabled": "FAIL","kafka_cluster_mutual_tls_authentication_enabled": null,"directoryservice_radius_server_security_protocol": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"elasticache_redis_cluster_in_transit_encryption_enabled": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.10.5 Secure Information Transmission","Subdomain": "2.10. 
System and Service Security Management","AuditEvidence": ["Information transmission agreement or contract","Technical standards for information transmission","System diagrams and interface definitions related to information transmission"],"AuditChecklist": ["Has a secure transmission policy been established when transmitting personal and critical information to external organizations?","When exchanging personal and critical information between organizations for business purposes, are agreements and protection measures for secure transmission established and implemented?"],"NonComplianceCases": ["Case 1: Although a dedicated network or VPN is applied when integrating with external organizations, there is inadequate management of the timing, method, responsible person, transmitted information, and legal basis for each integration.","Case 2: There is a lack of implementation of security reviews, security standards, and action plans for using weak encryption algorithms (e.g., DES, 3DES) or decrypting during intermediate transmission stages."],"RelatedRegulations": []}],"description": "When transmitting personal or critical information to other organizations, a secure transmission policy must be established, and agreements must be made between organizations regarding management responsibilities, transmission methods, and technical protection measures for personal and critical information.","checks_status": {"fail": 5,"pass": 3,"total": 17,"manual": 0}},"2.10.6": {"name": "Security for Business Devices","checks": {"workspaces_volume_encryption_enabled": null,"appstream_fleet_maximum_session_duration": null,"appstream_fleet_session_disconnect_timeout": null,"workspaces_vpc_2private_1public_subnets_nat": null,"appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.10.6 Security for Business Devices","Subdomain": "2.10. 
System and Service Security Management","AuditEvidence": ["Security control guidelines and procedures for business devices","Registration status of business devices","Security settings for business devices","Authentication and approval history for business devices","Security check status for business devices"],"AuditChecklist": ["Are security control policies, such as device authentication, approval, access scope, and security settings, established and implemented for devices used for business purposes, such as PCs, laptops, virtual PCs, and tablets?","Are policies established and implemented to prevent the leakage of personal and critical information through business devices by prohibiting the use of file-sharing programs, limiting shared settings, and controlling wireless network usage?","Are security measures applied to prevent the leakage of personal and critical information in case of loss or theft of business mobile devices?","Is the appropriateness of access control measures for business devices periodically reviewed?"],"NonComplianceCases": ["Case 1: Although laptops and tablet PCs are used for business purposes, there are no policies established for device approval, usage scope, approval procedures, or authentication methods.","Case 2: The security management guidelines for mobile devices prohibit the use of mobile devices for business purposes unless specifically approved, but unapproved mobile devices are still being used to access internal information systems.","Case 3: Personal and critical information is handled on mobile devices, but security measures such as password protection are not applied to prevent leaks due to loss or theft.","Case 4: Although internal regulations prohibit the use of shared folders on business devices, periodic checks are not conducted, resulting in excessive use of shared folders on many business devices."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety 
Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "When connecting devices such as PCs and mobile devices to the network for business purposes, access control measures such as device authentication, approval, access scope, and security settings must be established and periodically checked.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"2.10.7": {"name": "Management of Removable Media","checks": {},"status": "PASS","attributes": [{"Domain": "2. Security Control Requirements","Section": "2.10.7 Management of Removable Media","Subdomain": "2.10. System and Service Security Management","AuditEvidence": ["Policy on blocking removable media (USB, CD, etc.)","Removable media management log","Inspection records of removable media status"],"AuditChecklist": ["Are policies and procedures established and implemented for handling (use), storage, disposal, and reuse of removable media such as external hard drives, USB memory, and CDs?","Is the status of ownership, use, and management of removable media periodically checked?","Is the use of removable media restricted in controlled areas, such as key information systems or important restricted areas?","Are measures in place to prevent the infection of malware and the leakage of important information through removable media?","Are removable media containing personal or important information stored in a secure location with locking mechanisms?"],"NonComplianceCases": ["Case 1: Although there is a policy restricting the use of removable media in controlled areas like server rooms, several cases were found where removable media was used without following the exception approval process, and periodic inspections of the removable media management status were not conducted, resulting in inadequate updates to the management log.","Case 2: Removable media containing personal information was not stored in a secure location with locking mechanisms and was 
left unattended in office drawers.","Case 3: Although a solution to control removable media was implemented, some users were granted write access without appropriate approval procedures.","Case 4: Some common PCs and IT equipment in the server room allowed writing to standard USB memory devices, but controls such as media import and usage restrictions, usage history records, and reviews were not applied."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 10 (Physical Safety Measures)"]}],"description": "Procedures must be established and implemented to prevent the leakage of personal or important information or infection by malware through removable media. Removable media containing personal or important information must be stored in a secure location.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.8": {"name": "Patch Management","checks": {"ssm_managed_compliant_patching": "FAIL","kafka_cluster_uses_latest_version": null,"ec2_instance_account_imdsv2_enabled": null,"redshift_cluster_automatic_upgrades": null,"eks_cluster_uses_a_supported_version": null,"ec2_instance_older_than_specific_days": "FAIL","rds_instance_deprecated_engine_version": "PASS","rds_cluster_minor_version_upgrade_enabled": "PASS","dms_instance_minor_version_upgrade_enabled": null,"rds_instance_minor_version_upgrade_enabled": "PASS","awslambda_function_using_supported_runtimes": "FAIL","elasticache_redis_cluster_auto_minor_version_upgrades": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"opensearch_service_domains_updated_to_the_latest_service_software_version": null},"status": "FAIL","attributes": [{"Domain": "2. Security Control Requirements","Section": "2.10.8 Patch Management","Subdomain": "2.10. 
System and Service Security Management","AuditEvidence": ["Patch management policies and procedures","Patch status of each system","Impact analysis results related to patch application"],"AuditChecklist": ["Are patch management policies and procedures for operating systems (OS) and software established and implemented according to the characteristics and importance of each asset, such as servers, network systems, security systems, and PCs?","Are the patch status of installed OS and software on key servers, network systems, and security systems periodically managed?","If applying the latest patches to address vulnerabilities is difficult due to service impact, are alternative measures implemented?","Is the application of patches via public internet access restricted for key servers, network systems, and security systems?","When using a patch management system, are sufficient protection measures, such as access control, established?"],"NonComplianceCases": ["Case 1: In some systems, OS patches were not applied for a long period without valid reasons or approval from the responsible personnel.","Case 2: Some systems were using OS versions that were no longer supported (EOS), but no response plans or alternative measures were in place.","Case 3: Although the latest patches were applied to commercial software and OS, there were no procedures or personnel assigned to confirm and apply the latest patches for open-source programs (e.g., OpenSSL, OpenSSH, Apache), resulting in the lack of application of the latest security patches."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 9 (Prevention of Malware, etc.)"]}],"description": "To prevent security incidents due to vulnerabilities in software, operating systems, or security systems, the latest patches must be applied. 
However, if the application of the latest patches is difficult due to service impact considerations, alternative measures must be implemented.","checks_status": {"fail": 3,"pass": 3,"total": 14,"manual": 0}},"2.10.9": {"name": "Malware Control","checks": {},"status": "PASS","attributes": [{"Domain": "2. Security Control Requirements","Section": "2.10.9 Malware Control","Subdomain": "2.10. System and Service Security Management","AuditEvidence": ["Guidelines, procedures, and manuals for malware response","Antivirus program installation status","Antivirus program configuration screens","Malware response history (e.g., response reports)"],"AuditChecklist": ["Are protection measures established and implemented to protect information systems and business terminals from malware such as viruses, worms, Trojans, and ransomware?","Are prevention and detection activities for the latest malware continuously performed using security programs such as antivirus software?","Are security programs such as antivirus software kept up to date, and are emergency security updates performed when necessary?","Are procedures for response, such as minimizing the spread of malware and mitigating damage, established and implemented when malware infections are discovered?"],"NonComplianceCases": ["Case 1: Some PCs and servers do not have antivirus software installed, or the antivirus engine has not been updated to the latest version for a long time.","Case 2: Although users can change the antivirus program settings (e.g., real-time scanning, scheduled scanning, update settings) at their discretion, no additional protection measures were established to address this.","Case 3: Insufficient protection measures, such as access control, were in place for the central antivirus management system, leading to the possibility of security incidents through the central management system, or no integrity verification of the antivirus pattern was performed, making it possible for malware to spread through 
malicious users.","Case 4: Although multiple malware infections were confirmed on some internal network PCs and servers, there was no confirmation of the infection status, infection routes, cause analysis, or resulting actions."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 9 (Prevention of Malware, etc.)"]}],"description": "To protect personal and important information, information systems, and business terminals from malware such as viruses, worms, Trojans, and ransomware, prevention, detection, and response measures must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.11.1": {"name": "Establishment of Incident Prevention and Response System","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.11.1 Establishment of Incident Prevention and Response System","Subdomain": "2.11. 
Incident Prevention and Response","AuditEvidence": ["Incident response guidelines/procedures/manual","Incident response organization chart and emergency contact list","Security monitoring service contract (SLA, etc.)"],"AuditChecklist": ["Has the organization established procedures and systems to prevent security breaches and personal information leaks and to respond quickly and effectively when incidents occur?","If the organization is operating an incident response system through an external institution, such as a security monitoring service, are the details of the incident response procedures reflected in the contract?","Has the organization established a cooperative system with external experts, specialized companies, or institutions for monitoring, responding to, and handling security incidents?"],"NonComplianceCases": ["Case 1: Failure to clearly define the incident response organization and procedures for responding to security breaches.","Case 2: Although internal guidelines and procedures specify incident response steps for different phases (before, during, after detection, recovery, reporting, etc.), some or all of the response and recovery procedures for specific incident types and severity levels are not established.","Case 3: Failure to keep the incident response organization chart and emergency contact list up to date, or the roles and responsibilities of each team member are not clearly defined.","Case 4: Errors or outdated information in the contact details for external agencies responsible for incident reporting, notification, and cooperation, or failure to keep some agency details current.","Case 5: When outsourcing incident detection and response to an external security monitoring company or related institution, failure to clearly define the roles and responsibilities for both parties in the contract or SLA.","Case 6: Although incident response procedures are in place, they do not meet the legal requirements for reporting and notifying personal 
data breaches, such as criteria and timing."],"RelatedRegulations": ["Personal Information Protection Act, Article 34 (Notification and Reporting of Personal Information Leaks, etc.)","Information and Communications Network Act, Article 48-3 (Reporting of Security Incidents), Article 48-4 (Analysis of Causes of Security Incidents, etc.)"]}],"description": "To prevent incidents such as security breaches and personal information leaks, and to respond quickly and effectively in the event of an incident, the organization must establish procedures for detecting, responding to, analyzing, and sharing internal and external intrusion attempts. In addition, the organization must establish a cooperative system with relevant external institutions and experts.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.11.2": {"name": "Vulnerability Inspection and Remediation","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_document_secrets": "PASS","inspector2_is_enabled": "FAIL","ec2_instance_imdsv2_enabled": "PASS","guardduty_centrally_managed": "FAIL","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","inspector2_active_findings_exist": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","awslambda_function_no_secrets_in_code": "PASS","cloudwatch_log_group_no_secrets_in_logs": "FAIL","ecr_registry_scan_images_on_push_enabled": "PASS","cloudformation_stack_outputs_find_secrets": "PASS","codebuild_project_no_secrets_in_variables": "PASS","awslambda_function_no_secrets_in_variables": "PASS","ecs_task_definitions_no_environment_secrets": "PASS","ecr_repositories_scan_images_on_push_enabled": "FAIL","trustedadvisor_premium_support_plan_subscribed": null,"autoscaling_find_secrets_ec2_launch_configuration": "PASS","ecr_repositories_scan_vulnerabilities_in_latest_image": null,"codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": 
"FAIL","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.11.2 Vulnerability Inspection and Remediation","Subdomain": "2.11. Incident Prevention and Response","AuditEvidence": ["Vulnerability inspection plan","Vulnerability inspection report (for web, mobile apps, servers, network systems, security systems, DBMS, etc.)","Vulnerability inspection records","Vulnerability remediation plan","Vulnerability remediation completion report","Penetration testing plan/results report"],"AuditChecklist": ["Has the organization established and implemented procedures for conducting regular vulnerability inspections of information systems?","Are actions taken to address identified vulnerabilities, and are the results reported to the responsible authorities?","Does the organization continuously monitor for new security vulnerabilities and assess their impact on the information systems, taking appropriate actions?","Is a record of vulnerability inspections maintained, and are protective measures implemented to address recurring vulnerabilities identified in previous years?"],"NonComplianceCases": ["Case 1: Although internal regulations require annual technical vulnerability inspections for major systems, some major systems were excluded from the inspection.","Case 2: Failure to implement corrective actions for identified vulnerabilities, or failure to provide justification and approval records for vulnerabilities that cannot be addressed promptly."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans), Article 6 (Access Control)"]}],"description": "Regular vulnerability inspections must be conducted to verify whether information systems have exposed vulnerabilities, and any identified vulnerabilities must be promptly addressed. 
In addition, the organization must continuously monitor for new security vulnerabilities, assess their impact on the information systems, and take necessary actions.","checks_status": {"fail": 6,"pass": 14,"total": 23,"manual": 0}},"2.11.3": {"name": "Abnormal Behavior Analysis and Monitoring","checks": {"securityhub_enabled": "PASS","fms_policy_compliant": null,"vpc_flow_logs_enabled": "FAIL","cloudtrail_insights_exist": null,"networkfirewall_in_all_vpc": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","cloudtrail_threat_detection_enumeration": null,"cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 
Protection Measures Requirements","Section": "2.11.3 Abnormal Behavior Analysis and Monitoring","Subdomain": "2.11. Incident Prevention and Response","AuditEvidence": ["Status of abnormal behavior analysis and monitoring","Evidence of responses taken when abnormal behaviors were detected"],"AuditChecklist": ["Is the organization collecting, analyzing, and monitoring network traffic, data flows, and event logs from major information systems, applications, networks, and security systems to detect abnormal behaviors such as intrusion attempts, personal information leakage attempts, or fraudulent activities?","Has the organization defined criteria and thresholds to determine abnormal behaviors, and is follow-up action, such as the determination and investigation of abnormal activities, taken in a timely manner?"],"NonComplianceCases": ["Case 1: Failure to establish a real-time or regular monitoring system and procedures to detect intrusion attempts on servers, networks, databases, and security systems from external sources.","Case 2: Although the organization has outsourced monitoring tasks to an external security monitoring agency, there is no record of reviewing the reports provided by the agency, and the organization does not have its own monitoring system for systems excluded from the outsourced service.","Case 3: Although abnormal traffic exceeding internally defined thresholds has been continuously detected, no response measures have been taken."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "To quickly detect and respond to intrusion attempts, personal information leakage attempts, and fraudulent activities from internal or external sources, the organization must collect and analyze network and data flows. 
Post-monitoring and inspection actions must be timely.","checks_status": {"fail": 6,"pass": 1,"total": 28,"manual": 0}},"2.11.4": {"name": "Incident Response Training and Improvement","checks": {"ssmincidents_enabled_with_plans": null},"status": "PASS","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.11.4 Incident Response Training and Improvement","Subdomain": "2.11. Incident Prevention and Response","AuditEvidence": ["Simulation training plan for responding to security and personal information leakage incidents","Simulation training result reports for responding to security and personal information leakage incidents","Incident response procedures"],"AuditChecklist": ["Has the organization established a simulation training plan for responding to security incidents and personal information leakage incidents, and are such training exercises conducted at least once a year?","Is the organization reflecting the results of security incident and personal information leakage incident training to improve its response system?"],"NonComplianceCases": ["Case 1: Failure to conduct simulation training or provide related training plans and result reports.","Case 2: Although an annual simulation training plan for security incidents was established, it was not conducted within the planned period without valid reason or approval.","Case 3: Simulation training was conducted, but it was not performed according to the procedures and forms defined in the internal guidelines."],"RelatedRegulations": []}],"description": "The organization must conduct at least one simulation training per year based on scenarios to ensure that employees and stakeholders are familiar with the procedures for responding to security incidents and personal information leakage incidents. 
The response system must be improved based on the training results.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"2.11.5": {"name": "Incident Response and Recovery","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.11.5 Incident Response and Recovery","Subdomain": "2.11. Incident Prevention and Response","AuditEvidence": ["Incident response procedures","Incident response reports","Incident management logs","Personal information leakage reports","Emergency contact list"],"AuditChecklist": ["When signs of or actual incidents of security breaches or personal information leakage are detected, is the organization responding and reporting promptly according to the defined incident response procedures?","Is the organization notifying data subjects and reporting to relevant authorities as required by law in case of a personal information breach?","After the incident is resolved, is the organization analyzing the cause, reporting the results, and sharing them with relevant departments and personnel?","Is the organization utilizing the information obtained from incident analysis to establish preventive measures to prevent similar incidents from recurring, and if necessary, modifying its incident response procedures?"],"NonComplianceCases": ["Case 1: Although internal incident response guidelines require that security incidents be reported to the internal information protection committee and relevant departments, the department in charge responded to the incident independently without reporting to the information protection committee or relevant departments.","Case 2: Although a service outage suspected to be caused by a DDoS attack occurred recently, the organization did not analyze the cause or establish preventive measures.","Case 3: Although a personal information leakage incident occurred due to external hacking, notification and reporting were not made within 72 hours, citing the small number 
of affected personal information records as the reason.","Case 4: Although personal information of more than 1,000 individuals was leaked due to an employee's mistake on the company website, the affected data subjects were not notified."],"RelatedRegulations": ["Personal Information Protection Act, Article 34 (Notification and Reporting of Personal Information Leakage)","Information and Communications Network Act, Article 48-3 (Reporting of Security Incidents), Article 48-4 (Analysis of Causes of Security Incidents)"]}],"description": "When signs of or actual incidents of security breaches or personal information leakage are detected, the organization must comply with legal notification and reporting obligations, respond and recover promptly according to established procedures, and analyze the incident to establish preventive measures to reflect in the response system.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.12.1": {"name": "Safety Measures for Disaster Preparedness","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","s3_bucket_object_lock": "FAIL","vpc_different_regions": null,"efs_have_backup_enabled": "FAIL","elbv2_is_in_multiple_az": "PASS","vpc_subnet_different_az": "PASS","backup_reportplans_exist": null,"neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"autoscaling_group_multiple_az": null,"dms_instance_multi_az_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","documentdb_cluster_backup_enabled": null,"s3_bucket_cross_region_replication": "FAIL","kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": 
null,"redshift_cluster_automated_snapshot": null,"elb_cross_zone_load_balancing_enabled": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","documentdb_cluster_cloudwatch_log_export": null,"elasticache_redis_cluster_backup_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protective Measure Requirements","Section": "2.12.1 Safety Measures for Disaster Preparedness","Subdomain": "2.12. Disaster Recovery","AuditEvidence": ["IT disaster recovery guidelines/procedures","IT disaster recovery plans (including RTO and RPO definitions)","Emergency contact list","Crisis response manual for personal information processing systems"],"AuditChecklist": ["Has the organization identified IT disaster types that could threaten the continuity of core services (businesses) and analyzed the expected scale of damage and impact on operations to identify core IT services (businesses) and systems?","Has the organization defined recovery time objectives (RTO) and recovery point objectives (RPO) based on the importance and characteristics of core IT services and systems?","Has the organization established and implemented disaster recovery plans, including recovery strategies, emergency recovery teams, emergency contact networks, and recovery procedures, to ensure the continuity of core services and systems during disasters?"],"NonComplianceCases": ["Case 1: The IT disaster recovery procedures lack critical details such as the definition of IT disaster recovery teams and roles, emergency contact systems, and recovery procedures and methods.","Case 2: Although a backup center has been established to ensure the continuity of information systems and minimize damage during emergencies, the relevant policies do not include disaster recovery procedures using the backup center, making disaster recovery tests and actual recovery efforts ineffective.","Case 3: Recovery time 
objectives for some critical systems related to service operations have not been defined, and appropriate recovery strategies are not in place.","Case 4: The disaster recovery guidelines do not define the recovery priorities, RTO, or RPO for IT services or systems.","Case 5: Unrealistic recovery objectives have been set, either too high or too low, and the RPO and backup policies (e.g., targets, frequency) are not appropriately linked, making it difficult to ensure the effectiveness of recovery."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 11 (Safety Measures for Disaster Preparedness)"]}],"description": "Identify types of disasters that could threaten the operational continuity of the organization's core services and systems, such as natural disasters, communication or power failures, and hacking. Analyze the expected scale of damage and impact for each type, define the recovery time objective (RTO) and recovery point objective (RPO), and establish a disaster recovery system including recovery strategies, emergency recovery teams, emergency contact networks, and recovery procedures.","checks_status": {"fail": 14,"pass": 5,"total": 33,"manual": 0}},"2.12.2": {"name": "Disaster Recovery Testing and Improvement","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","s3_bucket_object_lock": "FAIL","vpc_different_regions": null,"efs_have_backup_enabled": "FAIL","elbv2_is_in_multiple_az": "PASS","vpc_subnet_different_az": "PASS","backup_reportplans_exist": null,"neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"autoscaling_group_multiple_az": 
null,"dms_instance_multi_az_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","documentdb_cluster_backup_enabled": null,"s3_bucket_cross_region_replication": "FAIL","kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": null,"redshift_cluster_automated_snapshot": null,"elb_cross_zone_load_balancing_enabled": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","documentdb_cluster_cloudwatch_log_export": null,"elasticache_redis_cluster_backup_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protective Measure Requirements","Section": "2.12.2 Disaster Recovery Testing and Improvement","Subdomain": "2.12. Disaster Recovery","AuditEvidence": ["IT disaster recovery procedures","IT disaster recovery test plans","IT disaster recovery test results"],"AuditChecklist": ["Has the organization established and implemented disaster recovery test plans to evaluate the effectiveness of the established IT disaster recovery system?","Are the disaster recovery strategies and plans regularly reviewed and supplemented to reflect test results, changes in the information system environment, and legal requirements?"],"NonComplianceCases": ["Case 1: Disaster recovery drills were not planned or conducted, and the related plans and result reports are not available.","Case 2: Although a disaster recovery drill plan was established, it was not conducted as planned or approved, and the related result reports are missing.","Case 3: Disaster recovery drills were conducted, but they did not follow the procedures and forms outlined in the internal guidelines, making it difficult to evaluate the adequacy and effectiveness of the disaster recovery procedures."],"RelatedRegulations": []}],"description": "Regularly test the adequacy of the disaster recovery strategies 
and plans, and supplement the recovery strategies and plans based on test results, changes in the information system environment, and legal requirements.","checks_status": {"fail": 14,"pass": 5,"total": 33,"manual": 0}}},"requirements_passed": 10,"requirements_failed": 27,"requirements_manual": 64,"total_requirements": 101,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "23a633ec-caa6-4021-809a-a247c6f177e6","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "nist_csf_1.1_aws","framework": "NIST-CSF","version": "1.1","description": "The NIST Cybersecurity Framework (CSF) is supported by governments and industries worldwide as a recommended baseline for use by any organization, regardless of sector or size. The NIST Cybersecurity Framework consists of three primary components: the framework core, the profiles, and the implementation tiers. The framework core contains desired cybersecurity activities and outcomes organized into 23 categories that cover the breadth of cybersecurity objectives for an organization. The profiles contain an organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources using the desired outcomes of the framework core. 
The implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework core.","region": "eu-west-1","requirements": {"ac_1": {"name": "PR.AC-1","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_1","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.","checks_status": {"fail": 1,"pass": 0,"total": 9,"manual": 0}},"ac_3": {"name": "PR.AC-3","checks": {"iam_root_mfa_enabled": null,"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"iam_root_hardware_mfa_enabled": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3","Section": "Protect 
(PR)","Service": "aws","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Remote access is managed.","checks_status": {"fail": 3,"pass": 6,"total": 20,"manual": 0}},"ac_4": {"name": "PR.AC-4","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_4","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"ac_5": {"name": "PR.AC-5","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_5","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Network integrity is protected (e.g., network segregation, network 
segmentation).","checks_status": {"fail": 3,"pass": 7,"total": 17,"manual": 0}},"ac_6": {"name": "PR.AC-6","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_6","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Identities are proofed and bound to credentials and asserted in interactions.","checks_status": {"fail": 1,"pass": 1,"total": 4,"manual": 0}},"ac_7": {"name": "PR.AC-7","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_7","Section": "Protect (PR)","Service": "iam","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ae_1": {"name": "DE.AE-1","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ae_1","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Anomalies and Events (DE.AE)"}],"description": "A baseline of network operations and expected data flows 
for users and systems is established and managed.","checks_status": {"fail": 7,"pass": 3,"total": 13,"manual": 0}},"ae_2": {"name": "DE.AE-2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ae_2","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Anomalies and Events (DE.AE)"}],"description": "Detected events are analyzed to understand attack targets and methods.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ae_3": {"name": "DE.AE-3","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ae_3","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Anomalies and Events (DE.AE)"}],"description": "Event data are collected and correlated from multiple sources and sensors.","checks_status": {"fail": 5,"pass": 2,"total": 11,"manual": 0}},"ae_4": {"name": "DE.AE-4","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ae_4","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Anomalies and Events (DE.AE)"}],"description": "Impact of events is determined.","checks_status": {"fail": 4,"pass": 3,"total": 10,"manual": 0}},"ae_5": 
{"name": "DE.AE-5","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ae_5","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Anomalies and Events (DE.AE)"}],"description": "Incident alert thresholds are established.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"am_1": {"name": "ID.AM-1","checks": {"ec2_instance_managed_by_ssm": "FAIL","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "am_1","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Asset Management (ID.AM)"}],"description": "Physical devices and systems within the organization are inventoried.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"am_2": {"name": "ID.AM-2","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "am_2","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Asset Management (ID.AM)"}],"description": "Software platforms and applications within the organization are inventoried.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"am_3": {"name": "ID.AM-3","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "am_3","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Asset Management (ID.AM)"}],"description": "Organizational communication and data flows are 
mapped.","checks_status": {"fail": 4,"pass": 2,"total": 8,"manual": 0}},"am_5": {"name": "ID.AM-5","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "am_5","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Asset Management (ID.AM)"}],"description": "Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"am_6": {"name": "ID.AM-6","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "am_6","Section": "Identify (ID)","Service": "iam","SubGroup": null,"SubSection": "Asset Management (ID.AM)"}],"description": "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"an_2": {"name": "RS.AN-2","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "an_2","Section": "Respond (RS)","Service": "guardduty","SubGroup": null,"SubSection": "Analysis (RS.AN)"}],"description": "The impact of the incident is understood.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"be_5": {"name": "ID.BE-5","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "be_5","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Business Environment (ID.BE)"}],"description": "Resilience requirements to support delivery of critical services are established for all operating states (e.g. 
under duress/attack, during recovery, normal operations)","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"cm_1": {"name": "DE.CM-1","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_1","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "The network is monitored to detect potential cybersecurity events.","checks_status": {"fail": 4,"pass": 4,"total": 11,"manual": 0}},"cm_2": {"name": "DE.CM-2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": 
null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "The physical environment is monitored to detect potential cybersecurity events.","checks_status": {"fail": 2,"pass": 3,"total": 20,"manual": 0}},"cm_3": {"name": "DE.CM-3","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_3","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "Personnel activity is monitored to detect potential cybersecurity events.","checks_status": {"fail": 1,"pass": 3,"total": 7,"manual": 0}},"cm_4": {"name": "DE.CM-4","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "cm_4","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "Malicious code is detected.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"cm_5": {"name": "DE.CM-5","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_waf_acl_attached": "FAIL","ec2_instance_imdsv2_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": 
null,"ItemId": "cm_5","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "Unauthorized mobile code is detected.","checks_status": {"fail": 3,"pass": 3,"total": 10,"manual": 0}},"cm_6": {"name": "DE.CM-6","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_6","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "External service provider activity is monitored to detect potential cybersecurity events.","checks_status": {"fail": 1,"pass": 3,"total": 7,"manual": 0}},"cm_7": {"name": "DE.CM-7","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_7","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "Monitoring for unauthorized personnel, connections, devices, and software is performed.","checks_status": {"fail": 4,"pass": 4,"total": 11,"manual": 0}},"cp_4": {"name": "DE.DP-4","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_waf_acl_attached": "FAIL","ec2_instance_imdsv2_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": 
null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_4","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Detection Processes (DE.DP)"}],"description": "Event detection information is communicated.","checks_status": {"fail": 3,"pass": 3,"total": 10,"manual": 0}},"cp_5": {"name": "DE.DP-5","checks": {"ec2_instance_imdsv2_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "cp_5","Section": "Detect (DE)","Service": "ec2","SubGroup": null,"SubSection": "Detection Processes (DE.DP)"}],"description": "Detection processes are continuously improved.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ds_1": {"name": "PR.DS-1","checks": {"ec2_ebs_volume_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_1","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "Data-at-rest is protected.","checks_status": {"fail": 5,"pass": 2,"total": 9,"manual": 0}},"ds_2": {"name": "PR.DS-2","checks": {"elb_ssl_listeners": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_2","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": 
"Data-in-transit is protected.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"ds_3": {"name": "PR.DS-3","checks": {"ec2_elastic_ip_unassigned": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_3","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "Assets are formally managed throughout removal, transfers, and disposition.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ds_4": {"name": "PR.DS-4","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_4","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "Adequate capacity to ensure availability is maintained.","checks_status": {"fail": 4,"pass": 1,"total": 5,"manual": 0}},"ds_5": {"name": "PR.DS-5","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": "PASS","s3_bucket_policy_public_write_access": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"s3_account_level_public_access_blocks": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_5","Section": "Protect (PR)","Service": "aws","SubGroup": 
null,"SubSection": "Data Security (PR.DS)"}],"description": "Protections against data leaks are implemented.","checks_status": {"fail": 4,"pass": 7,"total": 19,"manual": 0}},"ds_6": {"name": "PR.DS-6","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_6","Section": "Protect (PR)","Service": "cloudtrail","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "Integrity checking mechanisms are used to verify software, firmware, and information integrity.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ds_7": {"name": "PR.DS-7","checks": {"elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_7","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "The development and testing environment(s) are separate from the production environment.","checks_status": {"fail": 5,"pass": 1,"total": 6,"manual": 0}},"ds_8": {"name": "PR.DS-8","checks": {"securityhub_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_8","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "Integrity checking mechanisms are used to verify hardware integrity.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"ip_1": {"name": "PR.IP-1","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_1","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information 
Protection Processes and Procedures (PR.IP)"}],"description": "A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ip_2": {"name": "PR.IP-2","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_2","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "A System Development Life Cycle to manage systems is implemented.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ip_3": {"name": "PR.IP-3","checks": {"elbv2_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_3","Section": "Protect (PR)","Service": "elb","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "Configuration change control processes are in place.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ip_4": {"name": "PR.IP-4","checks": {"rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_4","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "Backups of information are conducted, maintained, and tested periodically.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"ip_7": {"name": "PR.IP-7","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "ip_7","Section": "Protect (PR)","Service": "ec2","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "Protection processes are improved.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ip_8": 
{"name": "PR.IP-8","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"eks_cluster_not_publicly_accessible": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_8","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "Effectiveness of protection technologies is shared.","checks_status": {"fail": 1,"pass": 4,"total": 13,"manual": 0}},"ip_9": {"name": "PR.IP-9","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_9","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.","checks_status": {"fail": 4,"pass": 1,"total": 10,"manual": 0}},"ma_2": {"name": "PR.MA-2","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ma_2","Section": "Protect (PR)","Service": "cloudtrail","SubGroup": null,"SubSection": "Maintenance (PR.MA)"}],"description": "Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized 
access.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"mi_3": {"name": "RS.MI-3","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "mi_3","Section": "Respond (RS)","Service": "guardduty","SubGroup": null,"SubSection": "Mitigation (RS.MI)"}],"description": "Newly identified vulnerabilities are mitigated or documented as accepted risks.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"pt_1": {"name": "PR.PT-1","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pt_1","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Protective Technology (PR.PT)"}],"description": "Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.","checks_status": {"fail": 5,"pass": 2,"total": 8,"manual": 0}},"pt_3": {"name": "PR.PT-3","checks": {"iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","s3_account_level_public_access_blocks": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "pt_3","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Protective Technology (PR.PT)"}],"description": "The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.","checks_status": 
{"fail": 0,"pass": 3,"total": 11,"manual": 0}},"pt_4": {"name": "PR.PT-4","checks": {"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pt_4","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Protective Technology (PR.PT)"}],"description": "Communications and control networks are protected.","checks_status": {"fail": 1,"pass": 3,"total": 6,"manual": 0}},"pt_5": {"name": "PR.PT-5","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pt_5","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Protective Technology (PR.PT)"}],"description": "Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"ra_1": {"name": "ID.RA-1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ra_1","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Risk Assessment (ID.RA)"}],"description": "Asset vulnerabilities are identified and documented.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"ra_2": {"name": "ID.RA-2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_2","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Risk Assessment (ID.RA)"}],"description": "Cyber threat intelligence is received from information sharing 
forums and sources.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ra_3": {"name": "ID.RA-3","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_3","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Risk Assessment (ID.RA)"}],"description": "Threats, both internal and external, are identified and documented.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ra_5": {"name": "ID.RA-5","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ra_5","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Risk Assessment (ID.RA)"}],"description": "Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.","checks_status": {"fail": 2,"pass": 3,"total": 
20,"manual": 0}},"rp_1": {"name": "RS.RP-1","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "rp_1","Section": "Respond (RS)","Service": "aws","SubGroup": null,"SubSection": "Response Planning (RS.RP)"}],"description": "Response plan is executed during or after an incident.","checks_status": {"fail": 4,"pass": 1,"total": 11,"manual": 0}},"sc_4": {"name": "ID.SC-4","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_4","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Supply Chain Risk Management (ID.SC)"}],"description": "Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.","checks_status": {"fail": 2,"pass": 3,"total": 16,"manual": 
0}},"ip_12": {"name": "PR.IP-12","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_12","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "A vulnerability management plan is developed and implemented.","checks_status": {"fail": 2,"pass": 0,"total": 4,"manual": 0}}},"requirements_passed": 11,"requirements_failed": 42,"requirements_manual": 3,"total_requirements": 56,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "23ef3629-e1cd-4f16-af98-ab0daaff257e","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "fedramp_low_revision_4_aws","framework": "FedRAMP-Low-Revision-4","version": "","description": "The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011. It provides a cost-effective, risk-based approach for the adoption and use of cloud services by the U.S. federal government. 
FedRAMP empowers federal agencies to use modern cloud technologies, with an emphasis on the security and protection of federal information.","region": "eu-west-1","requirements": {"ac-2": {"name": "Account Management (AC-2)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_console_access_unused": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","iam_user_mfa_enabled_console_access": null,"cloudtrail_s3_dataevents_read_enabled": null,"iam_password_policy_minimum_length_14": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"iam_aws_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-2","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.","checks_status": {"fail": 3,"pass": 4,"total": 26,"manual": 0}},"ac-3": {"name": "Account Management (AC-3)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": 
"PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","checks_status": {"fail": 1,"pass": 6,"total": 20,"manual": 0}},"au-2": {"name": "Audit Events (AU-2)","checks": {"elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-2","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. 
Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate support after- the-fact investigations of security incidents","checks_status": {"fail": 5,"pass": 2,"total": 11,"manual": 0}},"au-9": {"name": "Protection of Audit Information (AU-9)","checks": {"s3_bucket_object_versioning": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-9","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects audit information and audit tools from unauthorized access, modification, and deletion.","checks_status": {"fail": 4,"pass": 0,"total": 4,"manual": 0}},"ca-7": {"name": "Continuous Monitoring (CA-7)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_waf_acl_attached": "FAIL","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_network_acls_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca-7","Section": "Security Assessment And Authorization (CA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Continuously monitor configuration management processes. 
Determine security impact, environment and operational risks.","checks_status": {"fail": 2,"pass": 4,"total": 11,"manual": 0}},"cm-2": {"name": "Baseline Configuration (CM-2)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"elbv2_deletion_protection": "FAIL","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"ssm_managed_compliant_patching": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.","checks_status": {"fail": 7,"pass": 6,"total": 21,"manual": 0}},"cm-8": {"name": "Information System Component Inventory (CM-8)","checks": {"guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-8","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization 
boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"cp-9": {"name": "Information System Backup (CP-9)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp-9","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization conducts backups of user-level information, system-level information and information system documentation including security-related documentation contained in the information system and protects the confidentiality, integrity, and availability of backup information at storage locations.","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"ia-2": {"name": "Identification and Authentication (Organizational users) (IA-2)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-2","Section": "Identification and Authentication (IA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"ir-4": {"name": "Incident Handling (IR-4)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": 
null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir-4","Section": "Incident Response (IR)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery, coordinates incident handling activities with contingency planning activities and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"sa-3": {"name": "System Development Life Cycle (SA-3)","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa-3","Section": "System and Services Acquisition (SA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc-5": {"name": "Denial Of Service Protection (SC-5)","checks": {"guardduty_is_enabled": "PASS","rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": 
null,"ItemId": "sc-5","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].","checks_status": {"fail": 4,"pass": 2,"total": 8,"manual": 0}},"sc-7": {"name": "Boundary Protection (SC-7)","checks": {"elb_ssl_listeners": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-7","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. 
Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.","checks_status": {"fail": 6,"pass": 6,"total": 21,"manual": 0}},"ac-17": {"name": "Remote Access (AC-17)","checks": {"elb_ssl_listeners": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-17","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Authorize remote access systems prior to connection. 
Enforce remote connection requirements to information systems.","checks_status": {"fail": 5,"pass": 9,"total": 21,"manual": 0}},"au-11": {"name": "Audit Record Retention (AU-11)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-11","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cp-10": {"name": "Information System Recovery And Reconstitution (CP-10)","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp-10","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.","checks_status": {"fail": 4,"pass": 1,"total": 9,"manual": 0}},"sc-12": {"name": "Cryptographic Key Establishment And Management (SC-12)","checks": {"kms_cmk_rotation_enabled": null,"acm_certificates_expiration_check": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc-12","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for 
key generation, distribution, storage, access, and destruction].","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"sc-13": {"name": "Use of Cryptography (SC-13)","checks": {"s3_bucket_default_encryption": "PASS","sns_topics_kms_encryption_at_rest_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"sagemaker_training_jobs_volume_and_output_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-13","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","checks_status": {"fail": 1,"pass": 1,"total": 4,"manual": 0}}},"requirements_passed": 2,"requirements_failed": 16,"requirements_manual": 0,"total_requirements": 18,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "2d3bdafb-2503-4e04-a107-bdda7c4163ba","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_audit_manager_control_tower_guardrails_aws","framework": "AWS-Audit-Manager-Control-Tower-Guardrails","version": "","description": "AWS Control Tower is a management and governance service that you can use to navigate through the setup process and governance requirements that are involved in creating a multi-account AWS environment.","region": "eu-west-1","requirements": {"1.0.1": {"name": "Disallow launch of EC2 instance types that are not EBS-optimized","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "1.0.1","Section": "EBS checks","Service": "ebs","SubGroup": null,"SubSection": null}],"description": "Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.0.2": 
{"name": "Disallow EBS volumes that are unattached to an EC2 instance","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "1.0.2","Section": "EBS checks","Service": "ebs","SubGroup": null,"SubSection": null}],"description": "Checks whether EBS volumes are attached to EC2 instances","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.0.3": {"name": "Enable encryption for EBS volumes attached to EC2 instances","checks": {"ec2_ebs_default_encryption": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "1.0.3","Section": "EBS checks","Service": "ebs","SubGroup": null,"SubSection": null}],"description": "Checks whether EBS volumes that are in an attached state are encrypted","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.0.1": {"name": "Disallow internet connection through RDP","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "2.0.1","Section": "Disallow Internet Connection","Service": "vpc","SubGroup": null,"SubSection": null}],"description": "Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.0.2": {"name": "Disallow internet connection through SSH","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "2.0.2","Section": "Disallow Internet Connection","Service": "vpc","SubGroup": null,"SubSection": null}],"description": "Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.0.1": {"name": "Disallow access to IAM users without MFA","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3.0.1","Section": "Multi-Factor Authentication","Service": 
"iam","SubGroup": null,"SubSection": null}],"description": "Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.0.2": {"name": "Disallow console access to IAM users without MFA","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3.0.2","Section": "Multi-Factor Authentication","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.0.3": {"name": "Enable MFA for the root user","checks": {"iam_root_mfa_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3.0.3","Section": "Multi-Factor Authentication","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.0.1": {"name": "Disallow public access to RDS database instances","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.0.1","Section": "Disallow Public Access","Service": "rds","SubGroup": null,"SubSection": null}],"description": "Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. 
The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"4.0.2": {"name": "Disallow public access to RDS database snapshots","checks": {"rds_snapshots_public_access": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.0.2","Section": "Disallow Public Access","Service": "rds","SubGroup": null,"SubSection": null}],"description": "Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"4.1.1": {"name": "Disallow public read access to S3 buckets","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.1.1","Section": "Disallow Public Access","Service": "s3","SubGroup": null,"SubSection": null}],"description": "Checks that your S3 buckets do not allow public read access.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"4.1.2": {"name": "Disallow public write access to S3 buckets","checks": {"s3_bucket_policy_public_write_access": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.1.2","Section": "Disallow Public Access","Service": "s3","SubGroup": null,"SubSection": null}],"description": "Checks that your S3 buckets do not allow public write access.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"5.0.1": {"name": "Disallow RDS database instances that are not storage encrypted ","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "5.0.1","Section": "Disallow Instances","Service": "rds","SubGroup": null,"SubSection": null}],"description": "Checks whether storage encryption is enabled for your RDS DB instances.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"5.1.1": {"name": "Disallow S3 buckets that are 
not versioning enabled","checks": {"s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "5.1.1","Section": "Disallow Instances","Service": "s3","SubGroup": null,"SubSection": null}],"description": "Checks whether versioning is enabled for your S3 buckets.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 10,"requirements_failed": 2,"requirements_manual": 2,"total_requirements": 14,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "3477e5c1-467e-4fb1-9b4b-1c2bc8fcd03e","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "pci_3.2.1_aws","framework": "PCI","version": "3.2.1","description": "The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard. It's administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD). This includes, but isn't limited to, merchants, processors, acquirers, issuers, and service providers. 
The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.","region": "eu-west-1","requirements": {"cw": {"name": "CloudWatch","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "cw","Section": null,"Service": "cloudwatch","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CloudWatch resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"s3": {"name": "S3","checks": {"s3_bucket_public_access": null,"s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "s3","Section": null,"Service": "s3","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS S3 resources and options.","checks_status": {"fail": 1,"pass": 2,"total": 5,"manual": 0}},"dms": {"name": "DMS","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "dms","Section": null,"Service": "dms","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS DMS resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ec2": {"name": "EC2","checks": {"vpc_flow_logs_enabled": "FAIL","ec2_ebs_public_snapshot": "PASS","ec2_elastic_ip_unassigned": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ec2","Section": null,"Service": "ec2","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring EC2 resources and options.","checks_status": {"fail": 3,"pass": 3,"total": 6,"manual": 
0}},"iam": {"name": "IAM","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "iam","Section": null,"Service": "iam","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS IAM resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 15,"manual": 0}},"kms": {"name": "KMS","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "kms","Section": null,"Service": "kms","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS KMS resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"rds": {"name": "RDS","checks": {"rds_snapshots_public_access": "PASS","rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "rds","Section": null,"Service": "rds","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS RDS resources and options.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ssm": {"name": "SSM","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ssm","Section": null,"Service": "ssm","SubGroup": null,"SubSection": null}],"description": "This section contains 
recommendations for configuring AWS SSM resources and options.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"elbv2": {"name": "ELBV2","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "elbv2","Section": null,"Service": "elbv2","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Elastic Load Balancer resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"config": {"name": "Config","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "config","Section": null,"Service": "config","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Config.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"lambda": {"name": "Lambda","checks": {"awslambda_function_url_public": null,"awslambda_function_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "lambda","Section": null,"Service": "lambda","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Lambda resources and options.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"redshift": {"name": "Redshift","checks": {"redshift_cluster_public_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "redshift","Section": null,"Service": "redshift","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Redshift resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"codebuild": {"name": "CodeBuild","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "codebuild","Section": null,"Service": "codebuild","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CodeBuild resources and options.","checks_status": 
{"fail": 0,"pass": 0,"total": 0,"manual": 0}},"guardduty": {"name": "GuardDuty","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "guardduty","Section": null,"Service": "guardduty","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS GuardDuty resources and options.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sagemaker": {"name": "SageMaker","checks": {"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sagemaker","Section": null,"Service": "sagemaker","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Sagemaker resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"cloudtrail": {"name": "CloudTrail","checks": {"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cloudtrail","Section": null,"Service": "cloudtrail","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CloudTrail resources and options.","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"opensearch": {"name": "OpenSearch","checks": {"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "opensearch","Section": null,"Service": "opensearch","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring OpenSearch resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"autoscaling": {"name": "Auto Scaling","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "autoscaling","Section": null,"Service": 
"autoscaling","SubGroup": null,"SubSection": null}],"description": "This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. PCI DSS does not require load balancing or highly available configurations. However, this check aligns with AWS best practices.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"elasticsearch": {"name": "Elasticsearch","checks": {"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "elasticsearch","Section": null,"Service": "elasticsearch","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Elasticsearch resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 11,"requirements_failed": 4,"requirements_manual": 4,"total_requirements": 19,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "34f5d2fe-fe37-4143-81ce-fdf21d9a9826","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "gxp_eu_annex_11_aws","framework": "GxP-EU-Annex-11","version": "","description": "The GxP EU Annex 11 framework is the European equivalent to the FDA 21 CFR part 11 framework in the United States. This annex applies to all forms of computerized systems that are used as part of Good Manufacturing Practices (GMP) regulated activities. A computerized system is a set of software and hardware components that together fulfill certain functionalities. The application should be validated and IT infrastructure should be qualified. Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control, or quality assurance. 
There should be no increase in the overall risk of the process.","region": "eu-west-1","requirements": {"5-data": {"name": "5 Data","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "5-data","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Computerised systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.","checks_status": {"fail": 2,"pass": 1,"total": 8,"manual": 0}},"17-archiving": {"name": "17 Archiving","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "17-archiving","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. 
computer equipment or programs), then the ability to retrieve the data should be ensured and tested.","checks_status": {"fail": 2,"pass": 1,"total": 9,"manual": 0}},"9-audit-trails": {"name": "9 Audit Trails","checks": {"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "9-audit-trails","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated 'audit trail'). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1-risk-management": {"name": "1 Risk Management","checks": {"securityhub_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "1-risk-management","Section": "General","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. 
As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"16-business-continuity": {"name": "16 Business Continuity","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "16-business-continuity","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested.","checks_status": {"fail": 2,"pass": 1,"total": 9,"manual": 0}},"7.2-data-storage-backups": {"name": "7.2 Data Storage - Backups","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "7.2-data-storage-backups","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Regular back-ups of all relevant data should be done. 
Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.","checks_status": {"fail": 2,"pass": 1,"total": 8,"manual": 0}},"12.4-security-audit-trail": {"name": "12.4 Security - Audit Trail","checks": {"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "12.4-security-audit-trail","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"8.2-printouts-data-changes": {"name": "8.2 Printouts - Data Changes","checks": {"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "8.2-printouts-data-changes","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"4.8-validation-data-transfer": {"name": "4.8 Validation - Data Transfer","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "4.8-validation-data-transfer","Section": "Project Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this 
migration process.","checks_status": {"fail": 2,"pass": 1,"total": 9,"manual": 0}},"4.5-validation-development-quality": {"name": "4.5 Validation - Development Quality","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.5-validation-development-quality","Section": "Project Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.6-validation-quality-performance": {"name": "4.6 Validation - Quality and Performance","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.6-validation-quality-performance","Section": "Project Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "For the validation of bespoke or customised computerised systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"7.1-data-storage-damage-protection": {"name": "7.1 Data Storage - Damage Protection","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","redshift_cluster_automated_snapshot": null,"sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": 
"FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "7.1-data-storage-damage-protection","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period.","checks_status": {"fail": 6,"pass": 4,"total": 22,"manual": 0}},"10-change-and-configuration-management": {"name": "10 Change and Configuration Management","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "10-change-and-configuration-management","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.2-validation-documentation-change-control": {"name": "4.2 Validation - Documentation Change Control","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.2-validation-documentation-change-control","Section": "Project Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}}},"requirements_passed": 8,"requirements_failed": 6,"requirements_manual": 0,"total_requirements": 14,"scan": 
"0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "376854be-93cd-44ab-a070-1e996b24184d","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "cis_1.5_aws","framework": "CIS","version": "1.5","description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.","region": "eu-west-1","requirements": {"1.1": {"name": "1.1","checks": {"account_maintain_current_contact_details": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info","Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.","DefaultValue": null,"AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. 
On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, review and verify the current details. 4. Under `Contact Information`, review and verify the current details.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.","RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`. 4. Next to the field that you need to update, choose `Edit`. 5. After you have entered your changes, choose `Save changes`. 6. After you have made your changes, choose `Done`. 7. To edit your contact information, under `Contact Information`, choose `Edit`. 8. 
For the fields that you want to change, type your updated information, and then choose `Update`.","AdditionalInformation": ""}],"description": "Maintain current contact details","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.2": {"name": "1.2","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if security contact information is present:**From Console:**1. Click on your account name at the top right corner of the console 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. Ensure contact information is specified in the `Security` section","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.","RemediationProcedure": "Perform the following to establish security contact information:**From Console:**1. Click on your account name at the top right corner of the console. 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. 
Enter contact information in the `Security` section**Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.","AdditionalInformation": ""}],"description": "Ensure security contact information is registered","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.3": {"name": "1.3","checks": {"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS account as the 'root' user 2. On the top right you will see the __ 3. Click on the __ 4. From the drop-down menu Click `My Account`5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions. 6. Click `Save questions` .","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "When creating a new AWS account, a default super user is automatically created. This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.","RemediationProcedure": "**From Console:**1. Login to the AWS Account as the 'root' user 2. Click on the __ from the top right of the console 3. From the drop-down menu Click _My Account_ 4. Scroll down to the `Configure Security Questions` section 5. 
Click on `Edit`6. Click on each `Question` - From the drop-down select an appropriate question- Click on the `Answer` section- Enter an appropriate answer - Follow process for all 3 questions 7. Click `Update` when complete 8. Save Questions and Answers and place in a secure physical location","AdditionalInformation": ""}],"description": "Ensure security questions are registered in the AWS account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.4": {"name": "1.4","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/","Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .**From Command Line:**Run the following command: ```aws iam get-account-summary | grep \"AccountAccessKeysPresent\"``` If no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,. 
If the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged.","RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys**From Console:**1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. Click on __ at the top right and select `My Security Credentials` from the drop down list 3. On the pop out screen Click on `Continue to Security Credentials`4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_ 5. Under the `Status` column if there are any Keys which are Active- Click on `Make Inactive` - (Temporarily disable Key - may be needed again)- Click `Delete` - (Deleted keys cannot be recovered)","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables 'root' access only through access-keys (CLI, API methods) for us-gov cloud region."}],"description": "Ensure no 'root' user account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.5": {"name": "1.5","checks": {"iam_root_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. 
Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.**Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `mfa_active` field is set to `TRUE` .**From Command Line:**1. Run the following command: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ``` 2. Ensure the AccountMFAEnabled property is set to 1","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. 
You cannot manage MFA devices for the 'root' account using other credentials.2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` . 5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.When you are finished, the virtual MFA device starts generating one-time passwords.In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions does not have console access. 
This recommendation is not applicable for us-gov cloud regions."}],"description": "Ensure MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.6": {"name": "1.6","checks": {"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:1. Run the following command to determine if the 'root' account has MFA setup: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ```The `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled. If `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled. 
Run the following command to list all virtual MFA devices: ```aws iam list-virtual-mfa-devices``` If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation: `\"SerialNumber\": \"arn:aws:iam::__:mfa/root-account-mfa-device\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.","RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials. 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. In the wizard, choose `A hardware MFA` device and then choose `Next Step` . 5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device. 6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. 7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. 
You might need to press the button on the front of the device again to display the second number. 8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.Remediation for this recommendation is not available through AWS CLI.","AdditionalInformation": "IAM User account 'root' for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions."}],"description": "Ensure hardware MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.7": {"name": "1.7","checks": {"iam_avoid_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html","Description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/` 2. In the left pane, click `Credential Report` 3. Click on `Download Report` 4. Open of Save the file locally 5. Locate the `` under the user column 6. 
Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.**From Command Line:**Run the following CLI commands to provide a credential report for determining the last time the 'root user' was used: ``` aws iam generate-credential-report ``` ``` aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '' ```Review `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.**Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.","RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user.**Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.","AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. 
If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.Monitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user."}],"description": "Eliminate use of the 'root' user for administrative and daily tasks","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.8": {"name": "1.8","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Minimum password length\" is set to 14 or greater.**From Command Line:** ``` aws iam get-account-password-policy ``` Ensure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Setting a password complexity policy increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. 
Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Set \"Minimum password length\" to `14` or greater. 5. Click \"Apply password policy\"**From Command Line:** ```aws iam update-account-password-policy --minimum-password-length 14 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy requires minimum length of 14 or greater","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.9": {"name": "1.9","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Prevent password reuse\" is checked 5. 
Ensure \"Number of passwords to remember\" is set to 24**From Command Line:** ``` aws iam get-account-password-policy``` Ensure the output of the above command includes \"PasswordReusePrevention\": 24","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Preventing password reuse increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Check \"Prevent password reuse\" 5. Set \"Number of passwords to remember\" is set to `24` **From Command Line:** ```aws iam update-account-password-policy --password-reuse-prevention 24 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy prevents password reuse","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.1": {"name": "3.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events","Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane- You will be presented with a list of trails across all regions 3. Ensure at least one Trail has `All` specified in the `Region` column 4. Click on a trail via the link in the _Name_ column 5. Ensure `Logging` is set to `ON`6. Ensure `Apply trail to all regions` is set to `Yes` 7. In section `Management Events` ensure `Read/Write Events` set to `ALL`**From Command Line:** ```aws cloudtrail describe-trails ``` Ensure `IsMultiRegionTrail` is set to `true```` aws cloudtrail get-trail-status --name ``` Ensure `IsLogging` is set to `true` ``` aws cloudtrail get-event-selectors --trail-name ``` Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`","ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html","AssessmentStatus": "Automated","RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally, - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected- ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated onAWS global services- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account","RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on _Trails_ on the left navigation pane 3. Click `Get Started Now` , if presented- Click `Add new trail` - Enter a trail name in the `Trail name` box- Set the `Apply trail to all regions` option to `Yes` - Specify an S3 bucket name in the `S3 bucket` box- Click `Create`4. If 1 or more trails already exist, select the target trail to enable for global logging 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`. 6. 
Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.**From Command Line:** ``` aws cloudtrail create-trail --name --bucket-name --is-multi-region-trailaws cloudtrail update-trail --name --is-multi-region-trail ```Note: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.","AdditionalInformation": ""}],"description": "Ensure CloudTrail is enabled in all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.2": {"name": "3.2","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.","DefaultValue": null,"AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. 
For Every Trail: - Click on a trail via the link in the _Name_ column - Under the `General details` section, ensure `Log file validation` is set to `Enabled` **From Command Line:** ``` aws cloudtrail describe-trails ``` Ensure `LogFileValidationEnabled` is set to `true` for each trail","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling log file validation will provide additional integrity checking of CloudTrail logs.","RemediationProcedure": "Perform the following to enable log file validation on a given trail:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. Click on target trail 4. Within the `General details` section click `edit` 5. Under the `Advanced settings` section 6. Check the enable box under `Log file validation`7. Click `Save changes` **From Command Line:** ``` aws cloudtrail update-trail --name --enable-log-file-validation ``` Note that periodic validation of logs using these digests can be performed by running the following command: ``` aws cloudtrail validate-logs --trail-arn --start-time --end-time ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail log file validation is enabled","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.3": {"name": "3.3","checks": {"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html","Description": "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. 
It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the `API activity history` pane on the left, click `Trails`3. In the `Trails` pane, note the bucket names in the `S3 bucket` column 4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 5. For each bucket noted in step 3, right-click on the bucket and click `Properties`6. In the `Properties` pane, click the `Permissions` tab. 7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.`9. If the `Edit bucket policy` button is present, click it to review the bucket policy. 10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName' ``` 2. Ensure the `AllUsers` principal is not granted privileges to that `` : ```aws s3api get-bucket-acl --bucket --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]' ``` 3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that ``: ```aws s3api get-bucket-acl --bucket --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]' ``` 4. 
Get the S3 Bucket Policy ```aws s3api get-bucket-policy --bucket ``` 5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.","RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 2. Right-click on the bucket and click Properties 3. In the `Properties` pane, click the `Permissions` tab. 4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 5. Select the row that grants permission to `Everyone` or `Any Authenticated User`6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row). 7. Click `Save` to save the ACL. 8. If the `Edit bucket policy` button is present, click it. 9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.","AdditionalInformation": ""}],"description": "Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.4": {"name": "3.4","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html","Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Under `Trails` , click on the CloudTrail you wish to evaluate 3. Under the `CloudWatch Logs` section. 4. Ensure a `CloudWatch Logs` log group is configured and listed. 5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.**From Command Line:**1. Run the following command to get a listing of existing trails: ```aws cloudtrail describe-trails ``` 2. 
Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property. 3. Using the noted value of the `Name` property, run the following command: ```aws cloudtrail get-trail-status --name ``` 4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.If the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.","ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.","RemediationProcedure": "Perform the following to establish the prescribed state:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Select the `Trail` the needs to be updated. 3. Scroll down to `CloudWatch Logs` 4. Click `Edit` 5. Under `CloudWatch Logs` click the box `Enabled` 6. Under `Log Group` pick new or select an existing log group 7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group. 8. 
Under `IAM Role` pick new or select an existing. 9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role. 10. Click `Save changes.**From Command Line:** ``` aws cloudtrail update-trail --name --cloudwatch-logs-log-group-arn --cloudwatch-logs-role-arn ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail trails are integrated with CloudWatch Logs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.5": {"name": "3.5","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html","Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.","DefaultValue": null,"AuditProcedure": "Process to evaluate AWS Config configuration per region**From Console:**1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 2. On the top right of the console select target Region. 3. If presented with Setup AWS Config - follow remediation procedure: 4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 5. Ensure 1 or both check-boxes under \"All Resources\" is checked.- Include global resources related to IAM resources - which needs to be enabled in 1 region only 6. Ensure the correct S3 bucket has been defined. 7. Ensure the correct SNS topic has been defined. 8. Repeat steps 2 to 7 for each region.**From Command Line:**1. 
Run this command to show all AWS Config recorders and their properties: ``` aws configservice describe-configuration-recorders ``` 2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])Sample Output:``` {\"ConfigurationRecorders\": [{\"recordingGroup\": {\"allSupported\": true,\"resourceTypes\": [],\"includeGlobalResourceTypes\": true},\"roleARN\": \"arn:aws:iam:::role/service-role/\",\"name\": \"default\"}] } ```3. Run this command to show the status for all AWS Config recorders: ``` aws configservice describe-configuration-recorder-status ``` 4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`","ImpactStatement": "It is recommended AWS Config be enabled in all regions.","AssessmentStatus": "Automated","RationaleStatement": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.","RemediationProcedure": "To implement AWS Config configuration:**From Console:**1. Select the region you want to focus on in the top right of the console 2. Click `Services`3. Click `Config`4. Define which resources you want to record in the selected region 5. Choose to include global resources (IAM resources) 6. Specify an S3 bucket in the same account or in another managed AWS account 7. Create an SNS Topic from the same AWS account or another managed AWS account**From Command Line:**1. 
Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 2. Run this command to set up the configuration recorder ``` aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole ``` 3. Run this command to start the configuration recorder: ``` start-configuration-recorder --configuration-recorder-name ```","AdditionalInformation": ""}],"description": "Ensure AWS Config is enabled in all regions","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.6": {"name": "3.6","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html","Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.","DefaultValue": null,"AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the API activity history pane on the left, click Trails 3. In the Trails pane, note the bucket names in the S3 bucket column 4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 5. Under `All Buckets` click on a target S3 bucket 6. 
Click on `Properties` in the top right of the console 7. Under `Bucket:` _ `` _ click on `Logging`8. Ensure `Enabled` is checked.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'``` 2. Ensure Bucket Logging is enabled: ``` aws s3api get-bucket-logging --bucket ``` Ensure command does not returns empty output.Sample Output for a bucket with logging enabled:``` {\"LoggingEnabled\": {\"TargetPrefix\": \"\",\"TargetBucket\": \"\"} } ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.","RemediationProcedure": "Perform the following to enable S3 bucket logging:**From Console:**1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 2. Under `All Buckets` click on the target S3 bucket 3. Click on `Properties` in the top right of the console 4. Under `Bucket:` click on `Logging`5. Configure bucket logging- Click on the `Enabled` checkbox- Select Target Bucket from list- Enter a Target Prefix 6. Click `Save`.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --region --query trailList[*].S3BucketName ``` 2. Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``: ``` {\"LoggingEnabled\": {\"TargetBucket\": \"\",\"TargetPrefix\": \"\",\"TargetGrants\": [{\"Grantee\": {\"Type\": \"AmazonCustomerByEmail\",\"EmailAddress\": \"\"},\"Permission\": \"FULL_CONTROL\"}]}} ``` 3. 
Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): ``` aws s3api put-bucket-logging --bucket --bucket-logging-status file:// ```","AdditionalInformation": ""}],"description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.7": {"name": "3.7","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html","Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Select a Trail 4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.**From Command Line:**1. 
Run the following command: ```aws cloudtrail describe-trails``` 2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.","ImpactStatement": "Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.","AssessmentStatus": "Automated","RationaleStatement": "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.","RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Click on a Trail 4. Under the `S3` section click on the edit button (pencil icon) 5. Click `Advanced`6. Select an existing CMK from the `KMS key Id` drop-down menu- Note: Ensure the CMK is located in the same region as the S3 bucket- Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy 7. Click `Save`8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. 9. Click `Yes` **From Command Line:** ``` aws cloudtrail update-trail --name --kms-id aws kms put-key-policy --key-id --policy ```","AdditionalInformation": "3 statements which need to be added to the CMK policy:1\\. Enable Cloudtrail to describe CMK properties ```
{\"Sid\": \"Allow CloudTrail access\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:DescribeKey\",\"Resource\": \"*\" } ``` 2\\. Granting encrypt permissions ``` 
{\"Sid\": \"Allow CloudTrail to encrypt logs\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:GenerateDataKey*\",\"Resource\": \"*\",\"Condition\": {\"StringLike\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": [\"arn:aws:cloudtrail:*:aws-account-id:trail/*\"]}} } ``` 3\\. Granting decrypt permissions ``` 
{\"Sid\": \"Enable CloudTrail log decrypt permissions\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"arn:aws:iam::aws-account-id:user/username\"},\"Action\": \"kms:Decrypt\",\"Resource\": \"*\",\"Condition\": {\"Null\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"}} } ```"}],"description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.8": {"name": "3.8","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final","Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the `General configuration` panel open the tab `Key rotation` 5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated 6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"**From Command Line:**1. 
Run the following command to get a list of all keys and their associated `KeyIds````aws kms list-keys ``` 2. For each key, note the KeyId and run the following command ``` describe-key --key-id  ``` 3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command ```aws kms get-key-rotation-status --key-id  ``` 4. Ensure `KeyRotationEnabled` is set to `true` 5. Repeat steps 2 - 4 for all remaining CMKs","ImpactStatement": "Creation, management, and storage of CMKs may require additional time from and administrator.","AssessmentStatus": "Automated","RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` . 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the \"General configuration\" panel open the tab \"Key rotation\" 5. Check the \"Automatically rotate this KMS key every year.\" checkbox**From Command Line:**1. Run the following command to enable key rotation: ```aws kms enable-key-rotation --key-id  ```","AdditionalInformation": ""}],"description": "Ensure rotation for customer created symmetric CMKs is enabled","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.9": {"name": "3.9","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html","Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. Ensure a Log Flow exists that has `Active` in the `Status` column.**From Command Line:**1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region: ``` aws ec2 describe-vpcs --region  --query Vpcs[].VpcId ``` 2. The command output returns the `VpcId` available in the selected region. 3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled: ``` aws ec2 describe-flow-logs --filter \"Name=resource-id,Values=\" ``` 4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`. 5. Repeat step 3 for other VPCs available in the same region. 6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.","ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. 
You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.","RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. If no Flow Log exists, click `Create Flow Log`7. For Filter, select `Reject` 8. Enter in a `Role` and `Destination Log Group`9. Click `Create Log Flow`10. Click on `CloudWatch Logs Group` **Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.**From Command Line:**1. Create a policy document and name it as `role_policy_document.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"test\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"ec2.amazonaws.com\"},\"Action\": \"sts:AssumeRole\"}] } ``` 2. 
Create another policy document and name it as `iam_policy.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Action\":[\"logs:CreateLogGroup\",\"logs:CreateLogStream\",\"logs:DescribeLogGroups\",\"logs:DescribeLogStreams\",\"logs:PutLogEvents\",\"logs:GetLogEvents\",\"logs:FilterLogEvents\"],\"Resource\": \"*\"}] } ``` 3. Run the below command to create an IAM role: ``` aws iam create-role --role-name  --assume-role-policy-document file://role_policy_document.json``` 4. Run the below command to create an IAM policy: ``` aws iam create-policy --policy-name  --policy-document file://iam-policy.json ``` 5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned): ``` aws iam attach-group-policy --policy-arn arn:aws:iam:::policy/ --group-name  ``` 6. Run `describe-vpcs` to get the VpcId available in the selected region: ``` aws ec2 describe-vpcs --region  ``` 7. The command output should return the VPC Id available in the selected region. 8. Run `create-flow-logs` to create a flow log for the vpc: ``` aws ec2 create-flow-logs --resource-type VPC --resource-ids  --traffic-type REJECT --log-group-name  --deliver-logs-permission-arn  ``` 9. Repeat step 8 for other vpcs available in the selected region. 10. Change the region by updating --region and repeat remediation procedure for other vpcs.","AdditionalInformation": ""}],"description": "Ensure VPC flow logging is enabled in all VPCs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"4.1": {"name": "4.1","checks": {"cloudwatch_log_metric_filter_unauthorized_api_calls": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. 
Monitoring","References": "https://aws.amazon.com/sns/:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with \"Name\":` note ``- From value associated with \"CloudWatchLogsLogGroupArn\" note Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this `` that you captured in step 1:``` aws logs describe-metric-filters --log-group-name \"\" ```3. 
Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\", ```4. Note the \"filterName\" `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\" ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.","AssessmentStatus": "Automated","RationaleStatement": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `` taken from audit step 1. 
``` aws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms. **Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for unauthorized API calls","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.2": {"name": "4.2","checks": {"cloudwatch_log_metric_filter_sign_in_without_mfa": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all `CloudTrails`:``` aws cloudtrail describe-trails ```- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region `CloudTrail` is active``` aws cloudtrail get-trail-status --name  ```Ensure in the output that `IsLogging` is set to `TRUE`- Ensure identified Multi-region 'Cloudtrail' captures all Management Events``` aws cloudtrail get-event-selectors --trail-name  ```Ensure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\" ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `` taken from audit step 1.Use Command: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored -Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account."}],"description": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.3": {"name": "4.3","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for 'root' login attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**- ensures that activities from all regions (used as well as unused) are monitored- ensures that activities on all supported global services are monitored- ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for usage of 'root' account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.4": {"name": "4.4","checks": {"cloudwatch_log_metric_filter_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for IAM policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.5": {"name": "4.5","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.6": {"name": "4.6","checks": {"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.7": {"name": "4.7","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Data encrypted with disabled or deleted keys will no longer be accessible.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.8": {"name": "4.8","checks": {"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for S3 bucket policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.9": {"name": "4.9","checks": {"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Config configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"5.1": {"name": "5.1","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison","Description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "**From Console:**Perform the following to determine if the account is configured as prescribed: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. 
For each network ACL, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "**From Console:**Perform the following: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL to remediate, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Click `Edit inbound rules`- Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule- Click `Save`","AdditionalInformation": ""}],"description": "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"5.2": {"name": "5.2","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule 6. 
Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.3": {"name": "5.3","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. 
Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `::/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the ::/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than ::/0, or, B) Click `Delete` to remove the offending inbound rule 6. Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.4": {"name": "5.4","checks": {"ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "5. 
Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group","Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.**NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:Security Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. 
For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exist 4. Click the `Outbound Rules` tab 5. Ensure no rules existSecurity Group Members1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. Copy the id of the default security group. 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home 6. In the filter column type 'Security Group ID : < security group id from #4 >'","ImpactStatement": "Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.","AssessmentStatus": "Automated","RationaleStatement": "Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.","RemediationProcedure": "Security Group MembersPerform the following to implement the prescribed state:1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security groupSecurity Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. 
Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Remove any inbound rules 4. Click the `Outbound Rules` tab 5. Remove any Outbound rulesRecommended:IAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"","AdditionalInformation": ""}],"description": "Ensure the default security group of every VPC restricts all traffic","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"5.5": {"name": "5.5","checks": {"vpc_peering_routing_tables_with_least_privilege": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "5. Networking","References": "https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html","Description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.","DefaultValue": null,"AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.**From Command Line:**1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a __ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired. 
``` aws ec2 describe-route-tables --filter \"Name=vpc-id,Values=\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\" ```","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.","RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.**From Command Line:**1. For each __ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route: ``` aws ec2 delete-route --route-table-id  --destination-cidr-block  ```2. Create a new compliant route: ``` aws ec2 create-route --route-table-id  --destination-cidr-block  --vpc-peering-connection-id  ```","AdditionalInformation": "If an organization has AWS transit gateway implemented in their VPC architecture they should look to apply the recommendation above for \"least access\" routing architecture at the AWS transit gateway level in combination with what must be implemented at the standard VPC route table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs must have an attachment to a transit gateway route table as well as a route, therefore to avoid routing traffic between VPCs an attachment to the transit gateway route table should only be added where there is an intention to route traffic between the VPCs. 
As transit gateways are able to host multiple route tables it is possible to group VPCs by attaching them to a common route table."}],"description": "Ensure routing tables for VPC peering are \"least access\"","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.10": {"name": "1.10","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users","Description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:**From Console:**1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left pane, select `Users`3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`. 4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.**From Command Line:**1. 
Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8``` 2. The output of this command will produce a table similar to the following: ```user,password_enabled,mfa_activeelise,false,falsebrandon,true,truerakesh,false,falsehelene,false,falseparas,true,trueanitha,false,false``` 3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`","ImpactStatement": "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. We recommend that existing customers switch to one of the following alternative methods of MFA.","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to enable MFA:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' 2. In the left pane, select `Users`. 3. In the `User Name` list, choose the name of the intended MFA user. 4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`. 5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). 
If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application. When you are finished, the virtual MFA device starts generating one-time passwords.8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.9. Click `Assign MFA`.","AdditionalInformation": "**Forced IAM User Self-Service Remediation**Amazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts."}],"description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.11": {"name": "1.11","checks": {"iam_user_no_setup_initial_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html","Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on a User where column `Password age` and `Access key age` is not set to `None` 5. Click on `Security credentials` Tab 6. Compare the user 'Creation time` to the Access Key `Created` date. 6. For any that match, the key was created during initial user setup.- Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16 ``` 2. 
The output of this command will produce a table similar to the following: ``` user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_dateelise,false,true,2015-04-16T15:14:00+00:00,false,N/Abrandon,true,true,N/A,false,N/Arakesh,false,false,N/A,false,N/Ahelene,false,true,2015-11-18T17:47:00+00:00,false,N/Aparas,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A``` 3. For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.","RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:**From Console:**1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. As an Administrator - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used. 7. 
As an IAM User- Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.**From Command Line:** ``` aws iam delete-access-key --access-key-id  --user-name  ```","AdditionalInformation": "Credential report does not appear to contain \"Key Creation Date\""}],"description": "Do not setup access keys during initial user setup for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.12": {"name": "1.12","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if unused credentials exist:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM` 4. Click on `Users` 5. Click the `Settings` (gear) icon. 6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id` 7. Click on `Close`8. Check and ensure that `Console last sign-in` is less than 45 days ago.**Note** - `Never` means the user has never logged in.9. 
Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.**From Command Line:****Download Credential Report:**1. Run the following commands: ```aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^' ```**Ensure unused credentials do not exist:**2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.3. For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.- When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.","RemediationProcedure": "**From Console:**Perform the following to manage Unused Password (IAM user console access)1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select user whose `Console last sign-in` is greater than 45 days 7. Click `Security credentials` 8. In section `Sign-in credentials`, `Console password` click `Manage`9. Under Console Access select `Disable` 10.Click `Apply`Perform the following to deactivate Access Keys:1. Login to the AWS Management Console: 2. Click `Services`3. 
Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select any access keys that are over 45 days old and that have been used and - Click on `Make Inactive` 7. Select any access keys that are over 45 days old and that have not been used and - Click the X to `Delete`","AdditionalInformation": " is excluded in the audit since the root account should not be used for day to day business and would likely be unused for more than 45 days."}],"description": "Ensure credentials unused for 45 days or greater are disabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.13": {"name": "1.13","checks": {"iam_user_two_active_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. - Repeat steps no. 3 – 5 for each IAM user in your AWS account.**From Command Line:**1. 
Run `list-users` command to list all IAM users within your account: ``` aws iam list-users --query \"Users[*].UserName\" ``` The command output should return an array that contains all your IAM user names.2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user: ``` aws iam list-access-keys --user-name  ``` The command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.3. Check the `Status` property value for each key returned to determine each keys current state. If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.- Repeat steps no. 2 and 3 for each IAM user in your AWS account.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. 6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link. 7. 
If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key. 8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.**From Command Line:**1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user**Note** - the command does not return any output: ``` aws iam update-access-key --access-key-id  --status Inactive --user-name  ``` 3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User: ``` aws iam list-access-keys --user-name  ``` - The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.","AdditionalInformation": ""}],"description": "Ensure there is only one active access key available for any single IAM user","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.14": {"name": "1.14","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click `setting` icon 4. Select `Console last sign-in` 5. Click `Close` 6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.**From Command Line:**``` aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d ``` The `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. 
If the user does not have an active access key, the value in this field is N/A (not applicable).","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.","RemediationProcedure": "Perform the following to rotate access keys:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click on `Security Credentials`4. As an Administrator - Click on `Make Inactive` for keys that have not been rotated in `90` Days 5. As an IAM User- Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days 6. Click on `Create Access Key`7. Update programmatic call with new Access Key credentials**From Command Line:**1. While the first access key is still active, create a second access key, which is active by default. Run the following command: ``` aws iam create-access-key ```At this point, the user has two active access keys.2. Update all applications and tools to use the new access key. 3. Determine whether the first access key is still in use by using this command: ``` aws iam get-access-key-last-used ``` 4. One approach is to wait several days and then check the old access key for any use before proceeding.Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command: ``` aws iam update-access-key ``` 5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. 
If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command: ``` aws iam delete-access-key ```","AdditionalInformation": ""}],"description": "Ensure access keys are rotated every 90 days or less","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.15": {"name": "1.15","checks": {"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html","Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:1. Run the following to get a list of IAM users: ```aws iam list-users --query 'Users[*].UserName' --output text``` 2. For each user returned, run the following command to determine if any policies are attached to them: ```aws iam list-attached-user-policies --user-name aws iam list-user-policies --user-name ``` 3. 
If any policies are returned, the user has an inline policy or direct policy attachment.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.","RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups` and then click `Create New Group` . 3. In the `Group Name` box, type the name of the group and then click `Next Step` . 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` . 5. Click `Create Group` Perform the following to add a user to a given group:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups`3. Select the group to add a user to 4. Click `Add Users To Group`5. Select the users to be added to the group 6. Click `Add Users` Perform the following to remove a direct association between a user and policy:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left navigation pane, click on Users 3. 
For each user:- Select the user- Click on the `Permissions` tab- Expand `Permissions policies` - Click `X` for each policy; then click Detach or Remove (depending on policy type)","AdditionalInformation": ""}],"description": "Ensure IAM Users Receive Permissions Only Through Groups","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.16": {"name": "1.16","checks": {"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam","Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges.","DefaultValue": null,"AuditProcedure": "Perform the following to determine what policies are created:**From Command Line:**1. Run the following to get a list of IAM policies: ```aws iam list-policies --only-attached --output text ``` 2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account: ```aws iam get-policy-version --policy-arn  --version-id  ``` 3. 
In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.","RemediationProcedure": "**From Console:**Perform the following to detach the policy that has full administrative privileges:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click Policies and then search for the policy name found in the audit step. 3. Select the policy that needs to be deleted. 4. In the policy action menu, select first `Detach`5. Select all Users, Groups, Roles that have this policy attached 6. Click `Detach Policy`7. In the policy action menu, select `Detach` **From Command Line:**Perform the following to detach the policy that has full administrative privileges as found in the audit step:1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.```aws iam list-entities-for-policy --policy-arn  ``` 2. Detach the policy from all IAM Users: ```aws iam detach-user-policy --user-name  --policy-arn  ``` 3. Detach the policy from all IAM Groups: ```aws iam detach-group-policy --group-name  --policy-arn  ``` 4. 
Detach the policy from all IAM Roles: ```aws iam detach-role-policy --role-name  --policy-arn  ```","AdditionalInformation": ""}],"description": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.17": {"name": "1.17","checks": {"iam_support_role_created": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html","Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.","DefaultValue": null,"AuditProcedure": "**From Command Line:**1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value: ``` aws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\" ``` 2. Check if the 'AWSSupportAccess' policy is attached to any role:``` aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess ```3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'If it returns empty refer to the remediation below.","ImpactStatement": "All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. 
Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month's AWS usage charges, subject to a monthly minimum, billed in advance.","AssessmentStatus": "Automated","RationaleStatement": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.","RemediationProcedure": "**From Command Line:**1. Create an IAM role for managing incidents with AWS:- Create a trust relationship policy document that allows  to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json: ```{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"\"},\"Action\": \"sts:AssumeRole\"}]} ``` 2. Create the IAM role using the above trust policy: ``` aws iam create-role --role-name  --assume-role-policy-document file:///tmp/TrustPolicy.json ``` 3. Attach 'AWSSupportAccess' managed policy to the created IAM role: ``` aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name  ```","AdditionalInformation": "AWSSupportAccess policy is a global AWS resource. It has same ARN as `arn:aws:iam::aws:policy/AWSSupportAccess` for every account."}],"description": "Ensure a support role has been created to manage incidents with AWS Support","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.18": {"name": "1.18","checks": {"ec2_instance_profile_attached": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html","Description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.","DefaultValue": null,"AuditProcedure": "Where an instance is associated with a Role:For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose \"Instances\" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.Where an Instance Contains Embedded Credentials:- On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.Where an Instance Application Contains Embedded Credentials:- Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. 
Another method is to examine all source code and configuration files of the application.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.","RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known. 2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected. 3. Shutdown both the existing instance and the new instance. 4. Detach disks from both instances. 5. Attach the existing instance disks to the new instance. 6. 
Boot the new instance and you should have the same machine, but with the associated role.**Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.**Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.","AdditionalInformation": ""}],"description": "Ensure IAM instance roles are used for AWS resource access from instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.19": {"name": "1.19","checks": {"iam_no_expired_server_certificates_stored": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html","Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. 
Additionally, you cannot manage your certificates from the IAM Console.","DefaultValue": null,"AuditProcedure": "**From Console:**Getting the certificates expiration information via AWS Management Console is not currently supported.To request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**Run list-server-certificates command to list all the IAM-stored server certificates:``` aws iam list-server-certificates ```The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):``` {\"ServerCertificateMetadataList\": [{\"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",\"ServerCertificateName\": \"MyServerCertificate\",\"Expiration\": \"2018-07-10T23:59:59Z\",\"Path\": \"/\",\"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",\"UploadDate\": \"2018-06-10T11:56:08Z\"}] } ```Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.If this command returns: ``` { { \"ServerCertificateMetadataList\": [] } ``` This means that there are no expired certificates, It DOES NOT mean that no certificates exist.","ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. 
One has to make configurations at respective services to ensure there is no interruption in application functionality.","AssessmentStatus": "Automated","RationaleStatement": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.","RemediationProcedure": "**From Console:**Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**To delete Expired Certificate run following command by replacing  with the name of the certificate to delete:``` aws iam delete-server-certificate --server-certificate-name  ```When the preceding command is successful, it does not return any output.","AdditionalInformation": ""}],"description": "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.20": {"name": "1.20","checks": {"accessanalyzer_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html","Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. 
Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Open the IAM console at `https://console.aws.amazon.com/iam/` 2. Choose `Access analyzer` 3. Click 'Analyzers' 4. Ensure that at least one analyzer is present 5. Ensure that the `STATUS` is set to `Active` 6. Repeat these step for each active region**From Command Line:**1. Run the following command: ``` aws accessanalyzer list-analyzers | grep status ``` 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`3. Repeat the steps above for each active region.If an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.","RemediationProcedure": "**From Console:**Perform the following to enable IAM Access analyzer for IAM policies:1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 2. Choose `Access analyzer`. 3. Choose `Create analyzer`. 4. 
On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer. 5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`. 6. Add any tags that you want to apply to the analyzer. `Optional`.7. Choose `Create Analyzer`. 8. Repeat these step for each active region**From Command Line:**Run the following command: ``` aws accessanalyzer create-analyzer --analyzer-name  --type  ``` Repeat this command above for each active region.**Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.","AdditionalInformation": ""}],"description": "Ensure that IAM Access analyzer is enabled for all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.21": {"name": "1.21","checks": {"iam_check_saml_providers_sts": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "","Description": "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.","DefaultValue": null,"AuditProcedure": "For multi-account AWS environments with an external identity provider... 1. Determine the master account for identity federation or IAM user management 2. Login to that account through the AWS Management Console 3. Click `Services`4. Click `IAM`5. Click `Identity providers` 6. Verify the configurationThen..., determine all accounts that should not have local users present. For each account...1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. 
Confirm that no IAM users representing individuals are presentFor multi-account AWS environments implementing AWS Organizations without an external identity provider... 1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. Confirm that no IAM users representing individuals are present","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.","RemediationProcedure": "The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.","AdditionalInformation": ""}],"description": "Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.10": {"name": "3.10","checks": {"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/` 2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine. 3. 
Review `General details` 4. Confirm that `Multi-region trail` is set to `Yes` 5. Scroll down to `Data events` 6. Confirm that it reads: Data events: S3 Bucket Name: All current and future S3 buckets Read: Enabled Write: Enabled 7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail. If the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.**From Command Line:**1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions: ``` aws cloudtrail list-trails ``` 2. The command output will be a list of all the trail names to include. \"TrailARN\": \"arn:aws:cloudtrail:::trail/\", \"Name\": \"\", \"HomeRegion\": \"\" 3. Next run 'get-trail- command to determine Multi-region. ``` aws cloudtrail get-trail --name  --region  ``` 4. The command output should include: \"IsMultiRegionTrail\": true, 5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 6. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. \"Type\": \"AWS::S3::Object\",\"Values\": [\"arn:aws:s3\" 7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered. 
If Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled. 6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.**From Command Line:**1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. 
Repeat step 1 for each s3 bucket to update `object-level` logging of write events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for write events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.11": {"name": "3.11","checks": {"cloudtrail_s3_dataevents_read_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set. 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.**From Command Line:** 1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: ``` aws cloudtrail describe-trails --region  --output table --query trailList[*].Name ``` 2. The command output will be table of the requested trail names. 3. 
Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. 5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. 7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. 
Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled. 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.**From Command Line:** 1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for read events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.10": {"name": "4.10","checks": {"cloudwatch_log_metric_filter_security_group_changes": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '']\" ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"\" --filter-name \"\" --metric-transformations metricName= \"\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name \"\" ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn \"\" --protocol  --notification-endpoint \"\" ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"\" --metric-name \"\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"\" ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for security group changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.11": {"name": "4.11","checks": {"cloudwatch_changes_to_network_acls_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.12": {"name": "4.12","checks": {"cloudwatch_changes_to_network_gateways_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to network gateways","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.13": {"name": "4.13","checks": {"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for route table changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for route table changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.14": {"name": "4.14","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for VPC changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.15": {"name": "4.15","checks": {"cloudwatch_log_metric_filter_aws_organizations_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.","DefaultValue": null,"AuditProcedure": "1. 
Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured: - Identify the log group name configured for use with active multi-region CloudTrail: - List all CloudTrails:``` aws cloudtrail describe-trails ``` - Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true - From value associated with CloudWatchLogsLogGroupArn note **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active: ``` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events: ``` aws cloudtrail get-event-selectors --trail-name  ``` - Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.2. Get a list of all associated metric filters for this : ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\" ``` 4. 
Note the `` value associated with the filterPattern found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4: ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the AlarmActions value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic: ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. Example of valid \"SubscriptionArn\":``` \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `` taken from audit step 1: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }' ``` **Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify: ``` aws sns create-topic --name  ``` **Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2: ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2: ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": ""}],"description": "Ensure a log metric filter and alarm exists for AWS Organizations changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.16": {"name": "4.16","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-get-started.html:https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-api:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/enable-security-hub.html","Description": "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.","DefaultValue": null,"AuditProcedure": "The process to evaluate AWS Security Hub configuration per region **From Console:**1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. 2. On the top right of the console, select the target Region. 3. If presented with the Security Hub > Summary page then Security Hub is set-up for the selected region. 4. 
If presented with Setup Security Hub or Get Started With Security Hub - follow the online instructions. 5. Repeat steps 2 to 4 for each region.","ImpactStatement": "It is recommended AWS Security Hub be enabled in all regions. AWS Security Hub requires AWS Config to be enabled.","AssessmentStatus": "Automated","RationaleStatement": "AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices - enabling you to quickly assess the security posture across your AWS accounts.","RemediationProcedure": "To grant the permissions required to enable Security Hub, attach the Security Hub managed policy AWSSecurityHubFullAccess to an IAM user, group, or role.Enabling Security Hub**From Console:**1. Use the credentials of the IAM identity to sign in to the Security Hub console. 2. When you open the Security Hub console for the first time, choose Enable AWS Security Hub. 3. On the welcome page, Security standards list the security standards that Security Hub supports. 4. Choose Enable Security Hub.**From Command Line:**1. Run the enable-security-hub command. To enable the default standards, include `--enable-default-standards`. ``` aws securityhub enable-security-hub --enable-default-standards ```2. To enable the security hub without the default standards, include `--no-enable-default-standards`. ``` aws securityhub enable-security-hub --no-enable-default-standards ```","AdditionalInformation": ""}],"description": "Ensure AWS Security Hub is enabled","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.1": {"name": "2.1.1","checks": {"s3_bucket_default_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. 
Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html:https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources","Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select a Bucket. 3. Click on 'Properties'. 4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. Run command to list buckets ``` aws s3 ls ``` 2. For each bucket, run``` aws s3api get-bucket-encryption --bucket  ``` 3. Verify that either``` \"SSEAlgorithm\": \"AES256\" ```or``` \"SSEAlgorithm\": \"aws:kms\"```is displayed.","ImpactStatement": "Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select a Bucket. 3. Click on 'Properties'. 4. Click edit on `Default Encryption`. 5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 6. Click `Save` 7. 
Repeat for all the buckets in your AWS account lacking encryption.**From Command Line:**Run either``` aws s3api put-bucket-encryption --bucket  --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}' ```or``` aws s3api put-bucket-encryption --bucket  --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}' ```**Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.","AdditionalInformation": "S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does **not** encrypt objects previously stored within the bucket."}],"description": "Ensure all S3 buckets employ encryption-at-rest","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.2": {"name": "2.1.2","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "2.1. Simple Storage Service (S3)","References": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html","Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.","DefaultValue": null,"AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. 
So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions', then Click on `Bucket Policy`. 4. Ensure that a policy is listed that matches: ``` '{\"Sid\": ,\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}' ``` `` and `` will be specific to your account5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets``` aws s3 ls ``` 2. Using the list of buckets run this command on each of them: ``` aws s3api get-bucket-policy --bucket  | grep aws:SecureTransport ``` 3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false` 4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions'. 4. Click 'Bucket Policy' 5. Add this to the existing policy filling in the required information ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 6. Save 7. 
Repeat for all the buckets in your AWS account that contain sensitive data.**From Console** using AWS Policy Generator:1. Repeat steps 1-4 above. 2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor 3. Select Policy Type `S3 Bucket Policy` 4. Add Statements - `Effect` = Deny - `Principal` = * - `AWS Service` = Amazon S3 - `Actions` = * - `Amazon Resource Name` =  5. Generate Policy 6. Copy the text and add it to the Bucket Policy.**From Command Line:**1. Export the bucket policy to a json file. ``` aws s3api get-bucket-policy --bucket  --query Policy --output text > policy.json ```2. Modify the policy.json file by adding in this statement: ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 3. Apply this modified policy back to the S3 bucket: ``` aws s3api put-bucket-policy --bucket  --policy file://policy.json ```","AdditionalInformation": ""}],"description": "Ensure S3 Bucket Policy is set to deny HTTP requests","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.3": {"name": "2.1.3","checks": {"s3_bucket_no_mfa_delete": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html","Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","DefaultValue": null,"AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket**From Console:**1. 
Login to the S3 console at `https://console.aws.amazon.com/s3/`2. Click the `Check` box next to the Bucket name you want to confirm3. In the window under `Properties`4. Confirm that Versioning is `Enabled`5. Confirm that MFA Delete is `Enabled`**From Command Line:**1. Run the `get-bucket-versioning` ``` aws s3api get-bucket-versioning --bucket my-bucket ```Output example: ```  EnabledEnabled ```If the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.","RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.Note: -You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API. -You must use your 'root' account to enable MFA Delete on S3 buckets.**From Command line:**1. Run the s3api put-bucket-versioning command``` aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” ```","AdditionalInformation": ""}],"description": "Ensure MFA Delete is enabled on S3 buckets","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.4": {"name": "2.1.4","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. 
Simple Storage Service (S3)","References": "https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html","Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.","DefaultValue": null,"AuditProcedure": "Perform the following steps to determine if Macie is running:**From Console:** 1. Login to the Macie console at https://console.aws.amazon.com/macie/ 2. In the left hand pane click on By job under findings. 3. Confirm that you have a Job setup for your S3 BucketsWhen you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.","ImpactStatement": "There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.","AssessmentStatus": "Manual","RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.","RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie**From Console:**1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`2. Click `Get started`.3. Click `Enable Macie`.Setup a repository for sensitive data discovery results1. 
In the Left pane, under Settings, click `Discovery results`.2. Make sure `Create bucket` is selected.3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.4. Click on `Advanced`.5. Block all public access, make sure `Yes` is selected.6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.7. Click on `Save`Create a job to discover sensitive data1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.2. Select the `check box` for each bucket that you want Macie to analyze as part of the job3. Click `Create job`.3. Click `Quick create`.4. For the Name and description step, enter a name and, optionally, a description of the job.5. Then click `Next`.6. For the Review and create step, click `Submit`.Review your findings1. In the left pane, click `Findings`.2. To view the details of a specific finding, choose any field other than the check box for the finding.If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.","AdditionalInformation": ""}],"description": "Ensure all data in Amazon S3 has been discovered, classified and secured when required.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.5": {"name": "2.1.5","checks": {"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.1. 
Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html","Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.","DefaultValue": null,"AuditProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Ensure that block public access settings are set appropriately for this bucket 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Find the public access setting on that bucket ``` aws s3api get-public-access-block --bucket  ``` Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"BlockPublicAcls\": true,\"IgnorePublicAcls\": true,\"BlockPublicPolicy\": true,\"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.**If utilizing Block Public Access (account settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block public access (account settings)` 3. 
Ensure that block public access settings are set appropriately for your AWS account.**From Command Line:**To check Public access settings for this account status, run the following command, `aws s3control get-public-access-block --account-id  --region `Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"IgnorePublicAcls\": true, \"BlockPublicPolicy\": true, \"BlockPublicAcls\": true, \"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.","ImpactStatement": "When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.","AssessmentStatus": "Automated","RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s). Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.","RemediationProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Click 'Block all public access' 5. Repeat for all the buckets in your AWS account that contain sensitive data.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. 
Set the Block Public Access to true on that bucket ``` aws s3api put-public-access-block --bucket  --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\" ```**If utilizing Block Public Access (account settings)****From Console:**If the output reads `true` for the separate configuration settings then it is set on the account.1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block Public Access (account settings)` 3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account 4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons. 5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.**From Command Line:**To set Block Public access settings for this account, run the following command: ``` aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id  ```","AdditionalInformation": ""}],"description": "Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.2.1": {"name": "2.2.1","checks": {"ec2_ebs_volume_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.2. Elastic Compute Cloud (EC2)","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html:https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/","Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 get-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Review every region in-use.**Note:** EBS volume encryption is configured per region.","ImpactStatement": "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption` 6. Repeat for every region requiring the change.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 enable-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Repeat every region requiring the change.**Note:** EBS volume encryption is configured per region.","AdditionalInformation": "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are **not** converted automatically."}],"description": "Ensure EBS Volume Encryption is Enabled in all Regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.1": {"name": "2.3.1","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html:https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/#:~:text=With%20RDS%2Dencrypted%20resources%2C%20data,transparent%20to%20your%20database%20engine.:https://aws.amazon.com/rds/features/security/","Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/ 2. In the navigation pane, under RDS dashboard, click `Databases`. 3. Select the RDS Instance that you want to examine 4. Click `Instance Name` to see details, then click on `Configuration` tab. 5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status. 6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance. 7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region. 8. Change region from the top of the navigation bar and repeat audit for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. 
Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ``` 3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance. 4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases` 3. Select the Database instance that needs to be encrypted. 4. Click on `Actions` button placed at the top right and select `Take Snapshot`. 5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`. 6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu. 7. On the Make Copy of DB Snapshot page, perform the following:- In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`. - Check `Copy Tags`, New snapshot must have the same tags as the source snapshot. 
- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot. 9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance. 10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field. 11. Review the instance configuration details and click `Restore DB Instance`. 12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name. ``` aws rds create-db-snapshot --region  --db-snapshot-identifier  --db-instance-identifier  ``` 3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key. ``` aws kms list-aliases --region  ``` 4. 
Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`. ``` aws rds copy-db-snapshot --region  --source-db-snapshot-identifier  --target-db-snapshot-identifier  --copy-tags --kms-key-id  ``` 5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration. ``` aws rds restore-db-instance-from-db-snapshot --region  --db-instance-identifier  --db-snapshot-identifier  ``` 6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ```","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for RDS Instances","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.3.2": {"name": "2.3.2","checks": {"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to examine. 4. Click on the `Maintenance and backups` panel. 5. Under the `Maintenance` section, search for the Auto Minor Version Upgrade status. - If the current status is set to `Disabled`, means the feature is not set and the minor engine upgrades released will not be applied to the selected RDS instance**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run again `describe-db-instances` command using the RDS instance identifier returned earlier to determine the Auto Minor Version Upgrade status for the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 4. The command output should return the feature current status. 
If the current status is set to `true`, the feature is enabled and the minor engine upgrades will be applied to the selected RDS instance.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS RDS will occasionally deprecate minor engine versions and provide new ones for an upgrade. When the last version number within the release is replaced, the version changed is considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades will occur automatically during the specified maintenance window so your RDS instances can get the new features, bug fixes, and security patches for their database engines.","RemediationProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to update. 4. Click on the `Modify` button placed on the top right side. 5. On the `Modify DB Instance: ` page, In the `Maintenance` section, select `Auto minor version upgrade` click on the `Yes` radio button. 6. At the bottom of the page click on `Continue`, check to Apply Immediately to apply the changes immediately, or select `Apply during the next scheduled maintenance window` to avoid any downtime. 7. Review the changes and click on `Modify DB Instance`. The instance status should change from available to modifying and back to available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should change to `Yes`.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database instance names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. 
Run the `modify-db-instance` command to modify the selected RDS instance configuration this command will apply the changes immediately, Remove `--apply-immediately` to apply changes during the next scheduled maintenance window and avoid any downtime: ``` aws rds modify-db-instance --region  --db-instance-identifier  --auto-minor-version-upgrade --apply-immediately ``` 4. The command output should reveal the new configuration metadata for the RDS instance and check `AutoMinorVersionUpgrade` parameter value. 5. Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has been successfully enable: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 6. The command output should return the feature current status set to `true`, the feature is `enabled` and the minor engine upgrades will be applied to the selected RDS instance.","AdditionalInformation": ""}],"description": "Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.3": {"name": "2.3.3","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to examine. 4. Click `Instance Name` from the dashboard, Under `Connectivity and Security. 5. On the `Security`, check if the Publicly Accessible flag status is set to `Yes`, follow the below-mentioned steps to check database subnet access. - In the `networking` section, click the subnet link available under `Subnets` - The link will redirect you to the VPC Subnets page. - Select the subnet listed on the page and click the `Route Table` tab from the dashboard bottom panel. If the route table contains any entries with the destination `CIDR block set to 0.0.0.0/0` and with an `Internet Gateway` attached. - The selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and can be accessible from the Internet. 6. Repeat steps no. 4 and 5 to determine the type (public or private) and subnet for other RDS database instances provisioned in the current region. 8. Change the AWS region from the navigation bar and repeat the audit process for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance `identifier`. 3. Run again `describe-db-instances` command using the `PubliclyAccessible` parameter as query filter to reveal the database instance Publicly Accessible flag status: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].PubliclyAccessible' ``` 4. Check for the Publicly Accessible parameter status, If the Publicly Accessible flag is set to `Yes`. 
Then selected RDS database instance is publicly accessible and insecure, follow the below-mentioned steps to check database subnet access 5. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC subnet(s) associated with the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.Subnets[]' ``` - The command output should list the subnets available in the selected database subnet group. 6. Run `describe-route-tables` command using the ID of the subnet returned at the previous step to describe the routes of the VPC route table associated with the selected subnet: ``` aws ec2 describe-route-tables --region  --filters \"Name=association.subnet-id,Values=\" --query 'RouteTables[*].Routes[]' ``` - If the command returns the route table associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet. - Or - If the command returns empty results, the route table is implicitly associated with subnet, therefore the audit process continues with the next step 7. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC ID associated with the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.VpcId' ``` - The command output should show the VPC ID in the selected database subnet group 8. 
Now run `describe-route-tables` command using the ID of the VPC returned at the previous step to describe the routes of the VPC main route table implicitly associated with the selected subnet: ``` aws ec2 describe-route-tables --region  --filters \"Name=vpc-id,Values=\" \"Name=association.main,Values=true\" --query 'RouteTables[*].Routes[]' ``` - The command output returns the VPC main route table implicitly associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and does not adhere to AWS security best practices.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.","RemediationProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to update. 4. Click `Modify` from the dashboard top menu. 5. On the Modify DB Instance panel, under the `Connectivity` section, click on `Additional connectivity configuration` and update the value for `Publicly Accessible` to Not publicly accessible to restrict public access. 
Follow the below steps to update subnet configurations: - Select the `Connectivity and security` tab, and click on the VPC attribute value inside the `Networking` section. - Select the `Details` tab from the VPC dashboard bottom panel and click on Route table configuration attribute value. - On the Route table details page, select the Routes tab from the dashboard bottom panel and click on `Edit routes`. - On the Edit routes page, update the Destination of Target which is set to `igw-xxxxx` and click on `Save` routes. 6. On the Modify DB Instance panel Click on `Continue` and In the Scheduling of modifications section, perform one of the following actions based on your requirements: - Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window. - Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application. 7. Repeat steps 3 to 6 for each RDS instance available in the current region. 8. Change the AWS region from the navigation bar to repeat the process for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names identifiers, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run `modify-db-instance` command to modify the selected RDS instance configuration. Then use the following command to disable the `Publicly Accessible` flag for the selected RDS instances. This command use the apply-immediately flag. 
If you want `to avoid any downtime --no-apply-immediately flag can be used`: ``` aws rds modify-db-instance --region  --db-instance-identifier  --no-publicly-accessible --apply-immediately ``` 4. The command output should reveal the `PubliclyAccessible` configuration under pending values and should get applied at the specified time. 5. Updating the Internet Gateway Destination via AWS CLI is not currently supported To update information about Internet Gateway use the AWS Console Procedure. 6. Repeat steps 1 to 5 for each RDS instance provisioned in the current region. 7. Change the AWS region by using the --region filter to repeat the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that public access is not given to RDS Instance","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.4.1": {"name": "2.4.1","checks": {"efs_encryption_at_rest_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.4 Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/efs/index.html#efs","Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).","DefaultValue": null,"AuditProcedure": "**From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS) dashboard. 2. Select `File Systems` from the left navigation panel. 3. Each item on the list has a visible Encrypted field that displays data at rest encryption status. 4. Validate that this field reads `Encrypted` for all EFS file systems in all AWS regions.**From CLI:** 1. Run describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region: ``` aws efs describe-file-systems --region  --output table --query 'FileSystems[*].FileSystemId' ``` 2. 
The command output should return a table with the requested file system IDs. 3. Run describe-file-systems command using the ID of the file system that you want to examine as identifier and the necessary query filters: ``` aws efs describe-file-systems --region  --file-system-id  --query 'FileSystems[*].Encrypted' ``` 4. The command output should return the file system encryption status true or false. If the returned value is `false`, the selected AWS EFS file system is not encrypted and if the returned value is `true`, the selected AWS EFS file system is encrypted.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.","RemediationProcedure": "**It is important to note that EFS file system data at rest encryption must be turned on when creating the file system.**If an EFS file system has been created without data at rest encryption enabled then you must create another EFS file system with the correct configuration and transfer the data.**Steps to create an EFS file system with data encrypted at rest:****From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS)` dashboard. 2. Select `File Systems` from the left navigation panel. 3. Click `Create File System` button from the dashboard top menu to start the file system setup process. 4. On the `Configure file system access` configuration page, perform the following actions. - Choose the right VPC from the VPC dropdown list. - Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets. - Click `Next step` to continue.5. Perform the following on the `Configure optional settings` page. - Create `tags` to describe your new file system. - Choose `performance mode` based on your requirements. 
- Check `Enable encryption` checkbox and choose `aws/elasticfilesystem` from Select KMS master key dropdown list to enable encryption for the new file system using the default master key provided and managed by AWS KMS. - Click `Next step` to continue.6. Review the file system configuration details on the `review and create` page and then click `Create File System` to create your new AWS EFS file system. 7. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 8. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. 9. Change the AWS region from the navigation bar and repeat the entire process for other aws regions.**From CLI:** 1. Run describe-file-systems command to describe the configuration information available for the selected (unencrypted) file system (see Audit section to identify the right resource): ``` aws efs describe-file-systems --region  --file-system-id  ``` 2. The command output should return the requested configuration information. 3. To provision a new AWS EFS file system, you need to generate a universally unique identifier (UUID) in order to create the token required by the create-file-system command. To create the required token, you can use a randomly generated UUID from \"https://www.uuidgenerator.net\". 4. Run create-file-system command using the unique token created at the previous step. ``` aws efs create-file-system --region  --creation-token  --performance-mode generalPurpose --encrypted ``` 5. The command output should return the new file system configuration metadata. 6. Run create-mount-target command using the newly created EFS file system ID returned at the previous step as identifier and the ID of the Availability Zone (AZ) that will represent the mount target: ``` aws efs create-mount-target --region  --file-system-id  --subnet-id  ``` 7. The command output should return the new mount target metadata. 8. 
Now you can mount your file system from an EC2 instance. 9. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 10. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. ``` aws efs delete-file-system --region  --file-system-id  ``` 11. Change the AWS region by updating the --region and repeat the entire process for other aws regions.","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for EFS file systems","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 52,"requirements_failed": 11,"requirements_manual": 0,"total_requirements": 63,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "407c3a08-81aa-4d24-9aca-46a0904f4b1d","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_account_security_onboarding_aws","framework": "AWS-Account-Security-Onboarding","version": "","description": "Checklist when onboarding new AWS Accounts to existing AWS Organization.","region": "eu-west-1","requirements": {"S3 protection": {"name": "S3 protection","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "S3","SubGroup": null,"SubSection": null}],"description": "Protection using S3","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"RDS protection": {"name": "RDS protection","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Protection for RDS instances","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Block root user": {"name": 
"Block root user","checks": {"iam_avoid_root_usage": null,"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "SCPs","Service": "IAM","SubGroup": null,"SubSection": "Apply existing SCPs based on OU placement"}],"description": "Block root user","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"Malware Scanning": {"name": "Malware Scanning","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Conducting a Comprehensive Scan for Malicious Software","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Threat Detection": {"name": "Threat Detection","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Detection of Threats in your AWS environment","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Lambda protection": {"name": "Lambda protection","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "Lambda","SubGroup": null,"SubSection": null}],"description": "Protection using Lambda","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Runtime protection": {"name": "Runtime protection","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Optional","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Brand new and in need of thorough testing.","checks_status": {"fail": 1,"pass": 
1,"total": 2,"manual": 0}},"Predefine IAM Roles": {"name": "Predefine IAM Roles","checks": {"iam_support_role_created": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_role_cross_service_confused_deputy_prevention": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "IAM","SubGroup": null,"SubSection": null}],"description": "Check if exists predefine IAM Roles","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"Block unused regions": {"name": "Block unused regions","checks": {"organizations_scp_check_deny_regions": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "SCPs","Service": "IAM","SubGroup": null,"SubSection": "Apply existing SCPs based on OU placement"}],"description": "Block unsued regions","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"S3 Block Public Access": {"name": "S3 Block Public Access","checks": {"s3_bucket_public_access": null,"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "S3","SubGroup": null,"SubSection": null}],"description": "Block public access to S3 buckets","checks_status": {"fail": 0,"pass": 1,"total": 3,"manual": 0}},"Organization invitation": {"name": "Organization invitation","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "Organizations","SubGroup": null,"SubSection": null}],"description": "Check if organization invitation is enabled","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Additional managed rules": {"name": "Additional managed rules","checks": {},"status": "PASS","attributes": [{"Type": "Discuss","ItemId": 
null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Supplementary managed rules","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Blanket rate-based rules": {"name": "Blanket rate-based rules","checks": {},"status": "PASS","attributes": [{"Type": "Must","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Establishing rules based on a standardized, all-encompassing rate.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Restrict instances types": {"name": "Restrict instances types","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "SCPs","Service": "IAM","SubGroup": null,"SubSection": "Apply existing SCPs based on OU placement"}],"description": "Restrict instances types","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Alert on IAM user changes": {"name": "Alert on IAM user changes","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "CloudTrail","SubGroup": null,"SubSection": "CloudTrail"}],"description": "Alert on IAM user changes","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enabled security services": {"name": "Enabled security services","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","accessanalyzer_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "SecurityServices","SubGroup": null,"SubSection": null}],"description": "Check if security services are enabled","checks_status": {"fail": 0,"pass": 4,"total": 4,"manual": 0}},"Alert on blocked DNS query": {"name": "Alert on blocked DNS query","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": 
null,"Section": "Alerting","Service": "Route53","SubGroup": null,"SubSection": "R53 DNS Resolver"}],"description": "Notify when a DNS query is obstructed.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Alert on each High finding": {"name": "Alert on each High finding","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Alerting","Service": "GuardDuty","SubGroup": null,"SubSection": "GuardDuty"}],"description": "Checks that GuardDuty is enabled and configured to send High findings to CloudWatch Events","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"Disable AMI public sharing": {"name": "Disable AMI public sharing","checks": {"ec2_ami_public": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "EC2","SubGroup": null,"SubSection": null}],"description": "Disable AMI public sharing","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Add custom SCPs if required": {"name": "Add custom SCPs if required","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "SCPs","Service": "IAM","SubGroup": null,"SubSection": null}],"description": "Add custom SCPs if required","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Scoped-down rate-based rules": {"name": "Scoped-down rate-based rules","checks": {"elbv2_waf_acl_attached": "FAIL","cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": "Discuss","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Rate-based rules with a narrowed scope","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"Global allow - and block-lists": {"name": "Global allow - and block-lists","checks": {"elbv2_waf_acl_attached": 
"FAIL","cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Establishing International Lists for Permissions and Restrictions","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"Service-unique exclusion rules": {"name": "Service-unique exclusion rules","checks": {"elbv2_waf_acl_attached": "FAIL","cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Exclusion rules specific to the service provided.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"Alert on snapshot manipulations": {"name": "Alert on snapshot manipulations","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "CloudTrail","SubGroup": null,"SubSection": "CloudTrail"}],"description": "Alert when a snapshot is manipulated","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"EKS protection (if EKS is used)": {"name": "EKS protection (if EKS is used)","checks": {},"status": "PASS","attributes": [{"Type": "Optional","ItemId": null,"Section": "Enable GuardDuty","Service": "EKS","SubGroup": null,"SubSection": null}],"description": "Enhanced Kubernetes Security (EKS) protection, if the Kubernetes service is employed.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Predefined set of managed rules": {"name": "Predefined set of managed rules","checks": {"elbv2_waf_acl_attached": "FAIL","cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": 
null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "A pre-established collection of rules under management control.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"Alerts based on rate-based rules": {"name": "Alerts based on rate-based rules","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "WAF","SubGroup": null,"SubSection": "WAF"}],"description": "Notifications triggered by rate-based regulations","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Use strictly AWS VPC DNS resolver": {"name": "Use strictly AWS VPC DNS resolver","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "R53 DNS Resolver Firewall","Service": "Route53","SubGroup": null,"SubSection": null}],"description": "Exclusively Employ Amazon Web Services (AWS) Virtual Private Cloud (VPC) DNS Resolver","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Alert based on DDoSDetected metric": {"name": "Alert based on DDoSDetected metric","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "Shield","SubGroup": null,"SubSection": "Shield"}],"description": "Generate an alert triggered by the detection of a DDoS attack based on the DDoSDetected metric.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enable and configure AWS Inspector": {"name": "Enable and configure AWS Inspector","checks": {"inspector2_is_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Vulnerability Scanning","Service": "EC2","SubGroup": null,"SubSection": "EC2 used as servers"}],"description": "Enable and set up AWS Inspector.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"IDC integration, SSO configuration": {"name": "IDC integration, SSO configuration","checks": 
{},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "IAM Identity Center","SubGroup": null,"SubSection": null}],"description": "Check if IDC integration and SSO configuration is enabled","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Send DNS Resolvers queries to SIEM": {"name": "Send DNS Resolvers queries to SIEM","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Logging","Service": "Logging","SubGroup": null,"SubSection": null}],"description": "Send DNS Resolvers queries to SIEM","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Alerts on raised cost anomaly events": {"name": "Alerts on raised cost anomaly events","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "Billing","SubGroup": null,"SubSection": "Cost Anomaly"}],"description": "Alert when cost anomaly events are raised","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enable as part of Organization trail": {"name": "Enable as part of Organization trail","checks": {"cloudtrail_multi_region_enabled": "PASS","cloudtrail_multi_region_enabled_logging_management_events": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "AWS Cloudtrail","Service": "CloudTrail","SubGroup": null,"SubSection": null}],"description": "Activate as a component of the Organization trail.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"Root user - distribution email + MFA": {"name": "Root user - distribution email + MFA","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "IAM","SubGroup": null,"SubSection": null}],"description": "Check if root user has distribution email and MFA 
enabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"Billing, emergency, security contacts": {"name": "Billing, emergency, security contacts","checks": {"account_maintain_current_contact_details": null,"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "Billing","SubGroup": null,"SubSection": null}],"description": "Check if billing, emergency, security contacts are configured","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"Realert on inactivity in a set period": {"name": "Realert on inactivity in a set period","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "SecurityHub","SubGroup": null,"SubSection": "SecurityHub"}],"description": "Activate a re-alert system for detecting inactivity within a specified time frame.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Confirm that events are present in SIEM": {"name": "Confirm that events are present in SIEM","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Confirm that events are present in SIEM","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Create analyzers in each active regions": {"name": "Create analyzers in each active regions","checks": {"accessanalyzer_enabled": "PASS","accessanalyzer_enabled_without_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "IAM Access Analyzer","Service": "IAM Access Analyzer","SubGroup": null,"SubSection": null}],"description": "Establish analyzers within every active region.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Export metrics in 
centralized collector": {"name": "Export metrics in centralized collector","checks": {"wafv2_webacl_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "WAFv2","Service": "CloudWatch","SubGroup": null,"SubSection": null}],"description": "Exporting metrics to a centralized collector for comprehensive data aggregation.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"CFD + ALB + secret rotation architecture": {"name": "CFD + ALB + secret rotation architecture","checks": {"elbv2_waf_acl_attached": "FAIL","cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Designing an Architecture for Computational Fluid Dynamics (CFD), Application Load Balancing (ALB), and Secret Rotation Integration","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"Critical alert on every root user activity": {"name": "Critical alert on every root user activity","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Alerting","Service": "CloudTrail","SubGroup": null,"SubSection": "CloudTrail"}],"description": "Send critical alert on every root user activity","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Consider enabling for critical buckets only": {"name": "Consider enabling for critical buckets only","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Macie","Service": "Macie","SubGroup": null,"SubSection": null}],"description": "Please contemplate activating this feature exclusively for essential or crucial buckets.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Alert on rise of ConsoleLoginFailures 
events": {"name": "Alert on rise of ConsoleLoginFailures events","checks": {"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Alerting","Service": "CloudTrail","SubGroup": null,"SubSection": "CloudTrail"}],"description": "Alert on rise ConsoleLoginFailures events","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Send VPC Flow Logs (only DENYs) to S3 bucket": {"name": "Send VPC Flow Logs (only DENYs) to S3 bucket","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Logging","Service": "Logging","SubGroup": null,"SubSection": null}],"description": "Send VPC Flow Logs (only DENYs) to S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"Critical alert on cloudtrail settings changes": {"name": "Critical alert on cloudtrail settings changes","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Alerting","Service": "CloudTrail","SubGroup": null,"SubSection": "CloudTrail"}],"description": "Send critical alert on cloudtrail settings changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Scan images for vulnerability on upload to ECR": {"name": "Scan images for vulnerability on upload to ECR","checks": {"inspector2_is_enabled": "FAIL","inspector2_active_findings_exist": "FAIL","ecr_registry_scan_images_on_push_enabled": "PASS","ecr_repositories_scan_images_on_push_enabled": "FAIL","ecr_repositories_scan_vulnerabilities_in_latest_image": null},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Vulnerability Scanning","Service": "ECR","SubGroup": null,"SubSection": "ECR used as docker images hub"}],"description": "Check uploaded images for vulnerabilities when adding them to the ECR (Elastic Container 
Registry).","checks_status": {"fail": 3,"pass": 1,"total": 5,"manual": 0}},"Alert on critical vulnerabilities in AMIs/Images": {"name": "Alert on critical vulnerabilities in AMIs/Images","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "Inspector","SubGroup": null,"SubSection": "Vulnerability Scanning"}],"description": "Notification regarding severe vulnerabilities detected in AMIs/Images.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Ban outbound DNS calls from all VPCs to ports 53": {"name": "Ban outbound DNS calls from all VPCs to ports 53","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "R53 DNS Resolver Firewall","Service": "Route53","SubGroup": null,"SubSection": null}],"description": "Prohibit all Virtual Private Clouds (VPCs) from initiating outbound DNS calls on port 53.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enable/disable additional standards and controls": {"name": "Enable/disable additional standards and controls","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS SecurityHub","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Implement SecurityHub Central Configuration across the organization.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Confirm that logs are present in S3 bucket and SIEM": {"name": "Confirm that logs are present in S3 bucket and SIEM","checks": {"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "AWS Cloudtrail","Service": "CloudTrail","SubGroup": null,"SubSection": null}],"description": "Verify the existence of logs within both the S3 bucket and the SIEM system.","checks_status": 
{"fail": 1,"pass": 0,"total": 3,"manual": 0}},"Alerts based on (at least) each new CRITICAL finding": {"name": "Alerts based on (at least) each new CRITICAL finding","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "SecurityHub","SubGroup": null,"SubSection": "SecurityHub"}],"description": "Alerts triggered by every new CRITICAL finding, at a minimum.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Apply suppression filters to disable useless findings": {"name": "Apply suppression filters to disable useless findings","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Implementing suppression filters to deactivate non-essential detections.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Enable continuous recording for most of the resources": {"name": "Enable continuous recording for most of the resources","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS Config","Service": "Config","SubGroup": null,"SubSection": null}],"description": "Activate continuous recording for the majority of resources.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Adopt incident response guide and prepared battle card": {"name": "Adopt incident response guide and prepared battle card","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "Shield","SubGroup": null,"SubSection": "Shield"}],"description": "Utilize the incident response manual and have the battle card ready for use.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Confirm that records are present in central aggregator": {"name": "Confirm that 
records are present in central aggregator","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS Config","Service": "Config","SubGroup": null,"SubSection": null}],"description": "Confirm that records are present in central aggregator","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Configure R53 health checks for all protected resources": {"name": "Configure R53 health checks for all protected resources","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "WAFv2","Service": "Route53","SubGroup": null,"SubSection": null}],"description": "Establishing Amazon Route 53 (R53) health checks to monitor the well-being of all safeguarded resources.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Export scan results as metrics in centralized collector": {"name": "Export scan results as metrics in centralized collector","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Vulnerability Scanning","Service": "ECR","SubGroup": null,"SubSection": "ECR used as docker images hub"}],"description": "Generate metric data from scan results and store it in a centralized collector.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Include in process of incident response based on events": {"name": "Include in process of incident response based on events","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Incorporate within the procedural framework of incident response, taking into account the triggering events.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Apply SecurityHub Central Configuration for Organization": {"name": "Apply SecurityHub Central 
Configuration for Organization","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS SecurityHub","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Apply SecurityHub Central Configuration for Organization","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Enable as part of central configuration for Organization": {"name": "Enable as part of central configuration for Organization","checks": {"guardduty_is_enabled": "PASS","guardduty_centrally_managed": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Please verify the existence of records within the central aggregator.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Deploy solution to alert on at least critical new findings": {"name": "Deploy solution to alert on at least critical new findings","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS SecurityHub","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Implement a solution to trigger alerts for newly identified critical issues at minimum.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Apply managed domain name lists for Resolver in block mode)": {"name": "Apply managed domain name lists for Resolver in block mode)","checks": {"route53_domains_transferlock_enabled": null,"route53_domains_privacy_protection_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "R53 DNS Resolver Firewall","Service": "Route53","SubGroup": null,"SubSection": null}],"description": "Utilize managed domain name lists within Resolver to implement block mode.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"Block tampering with 
security-related settings and services": {"name": "Block tampering with security-related settings and services","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "SCPs","Service": "IAM","SubGroup": null,"SubSection": "Apply existing SCPs based on OU placement"}],"description": "Block tampering with security-related settings and services","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enable Shield Advanced subscription for public facing account": {"name": "Enable Shield Advanced subscription for public facing account","checks": {"shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"shield_advanced_protection_in_internet_facing_load_balancers": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Shield Advanced","Service": "Shield Advanced","SubGroup": null,"SubSection": null}],"description": "Activate the Shield Advanced subscription for the publicly accessible account.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"Verify that events are present in SecurityHub aggregated view": {"name": "Verify that events are present in SecurityHub aggregated view","checks": {"securityhub_enabled": "PASS","accessanalyzer_enabled": "PASS","accessanalyzer_enabled_without_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "IAM Access Analyzer","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Confirm the presence of events within the aggregated view of SecurityHub.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"Configure sensitive fields redaction and send WAF logs to SIEM": {"name": "Configure sensitive fields redaction and send WAF logs 
to SIEM","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": null}],"description": "Configure the redaction of sensitive fields and transmit Web Application Firewall (WAF) logs to the Security Information and Event Management (SIEM) system.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Confirm that findings are being visible in the aggregated view": {"name": "Confirm that findings are being visible in the aggregated view","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS SecurityHub","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Please verify that the findings are visible when viewed in the aggregated perspective.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Send S3 access logs for critical buckets to separate S3 bucket": {"name": "Send S3 access logs for critical buckets to separate S3 bucket","checks": {"cloudtrail_s3_dataevents_write_enabled": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Logging","Service": "Logging","SubGroup": null,"SubSection": null}],"description": "Send S3 access logs for critical buckets to separate S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"Consider periodic recording for some resources to optimize bill": {"name": "Consider periodic recording for some resources to optimize bill","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Enable AWS Config","Service": "Config","SubGroup": null,"SubSection": null}],"description": "Think about implementing scheduled monitoring for specific resources in order to maximize cost efficiency.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Create DDoS battle card with main 
info about protected services": {"name": "Create DDoS battle card with main info about protected services","checks": {"shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"shield_advanced_protection_in_internet_facing_load_balancers": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Shield Advanced","Service": "Shield Advanced","SubGroup": null,"SubSection": null}],"description": "Prepare a Detailed Distributed Denial of Service (DDoS) Battle Card Encompassing Key Information Regarding Safeguarded Services.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"Alerts based on high amount of blocked requests by managed rules": {"name": "Alerts based on high amount of blocked requests by managed rules","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "WAF","SubGroup": null,"SubSection": "WAF"}],"description": "Notifications triggered by a significant number of blocked requests as a result of managed rules.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Alerts based on aggregated findings with severity Medium and below": {"name": "Alerts based on aggregated findings with severity Medium and below","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "GuardDuty","SubGroup": null,"SubSection": "GuardDuty"}],"description": "Alert based on aggregated findings with severity Medium and below","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Create Cost Anomaly Detection monitors to alert spending anomalies": {"name": "Create Cost Anomaly Detection monitors to alert spending anomalies","checks": {},"status": "PASS","attributes": 
[{"Type": "Manual","ItemId": null,"Section": "Budget Alarms","Service": "CloudWatch","SubGroup": null,"SubSection": "QA"}],"description": "Establish monitoring systems for cost anomaly detection to promptly notify about unusual spending patterns.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enable Shield Advanced automatic application layer DDoS mitigation": {"name": "Enable Shield Advanced automatic application layer DDoS mitigation","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "WAFv2","Service": "Shield Advanced","SubGroup": null,"SubSection": null}],"description": "Activate automatic application layer Distributed Denial of Service (DDoS) mitigation within Shield Advanced.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Apply custom threat list for GuardDuty to alert on access to DoH servers": {"name": "Apply custom threat list for GuardDuty to alert on access to DoH servers","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "R53 DNS Resolver Firewall","Service": "Route53","SubGroup": null,"SubSection": null}],"description": "Implement a customized threat list within GuardDuty to generate alerts when there is access to Domain Name System over HTTPS (DoH) servers.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Configure Budgets Actions to stop services in cases of big unexpected spendings": {"name": "Configure Budgets Actions to stop services in cases of big unexpected spendings","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Budget Alarms","Service": "SNS","SubGroup": null,"SubSection": "QA"}],"description": "Set up Budgets Actions to halt services when significant unexpected expenses occur.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Ensure that there are no critical (and considered critical) findings present in account": {"name": "Ensure that there are no 
critical (and considered critical) findings present in account","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS SecurityHub","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Make certain that there are no critical findings, whether deemed critical or not, within the account.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Deploy solution to periodically rescan currently used images and report found vulnerabilities": {"name": "Deploy solution to periodically rescan currently used images and report found vulnerabilities","checks": {"ecr_repositories_scan_vulnerabilities_in_latest_image": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Vulnerability Scanning","Service": "ECR","SubGroup": null,"SubSection": "ECR used as docker images hub"}],"description": "Implement a solution to conduct regular scans on currently employed images and notify about any identified vulnerabilities.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Establish ready-to-be-enabled pipelines to deliver ALB and CFD to SIEM to toggle in case of emergency and investigations": {"name": "Establish ready-to-be-enabled pipelines to deliver ALB and CFD to SIEM to toggle in case of emergency and investigations","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Logging","Service": "Logging","SubGroup": null,"SubSection": null}],"description": "Establish ready-to-be-enabled pipelines to deliver ALB and CFD to SIEM to toggle in case of emergency and investigations","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}}},"requirements_passed": 26,"requirements_failed": 23,"requirements_manual": 34,"total_requirements": 83,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "623480b7-012a-4aab-b553-16d3b8898136","fields": {"tenant": 
"12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "hipaa_aws","framework": "HIPAA","version": "","description": "The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that helps US workers to retain health insurance coverage when they change or lose jobs. The legislation also seeks to encourage electronic health records to improve the efficiency and quality of the US healthcare system through improved information sharing.","region": "eu-west-1","requirements": {"164_312_b": {"name": "164.312(b) Audit controls","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_b","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.","checks_status": {"fail": 8,"pass": 4,"total": 16,"manual": 0}},"164_312_d": {"name": "164.312(d) Person or entity authentication","checks": {"iam_root_mfa_enabled": null,"iam_password_policy_reuse_24": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_312_d","Section": "164.312 Technical 
Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"164_308_a_8": {"name": "164.308(a)(8) Evaluation","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_8","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"164_312_a_1": {"name": "164.312(a)(1) Access control","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"awslambda_function_not_publicly_accessible": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_a_1","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement 
technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).","checks_status": {"fail": 1,"pass": 5,"total": 16,"manual": 0}},"164_312_c_1": {"name": "164.312(c)(1) Integrity","checks": {"ec2_ebs_volume_encryption": "PASS","s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_c_1","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.","checks_status": {"fail": 4,"pass": 2,"total": 6,"manual": 0}},"164_312_c_2": {"name": "164.312(c)(2) Mechanism to authenticate electronic protected health information","checks": {"vpc_flow_logs_enabled": "FAIL","ec2_ebs_volume_encryption": "PASS","s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_c_2","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.","checks_status": {"fail": 5,"pass": 2,"total": 7,"manual": 0}},"164_312_e_1": {"name": "164.312(e)(1) Transmission security","checks": {"elb_ssl_listeners": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": 
"FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","cloudfront_distributions_https_enabled": null,"awslambda_function_not_publicly_accessible": "PASS","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_e_1","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.","checks_status": {"fail": 3,"pass": 3,"total": 9,"manual": 0}},"164_308_a_3_i": {"name": "164.308(a)(3)(i) Workforce security","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_3_i","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining 
access to electronic protected health information.","checks_status": {"fail": 1,"pass": 5,"total": 15,"manual": 0}},"164_308_a_4_i": {"name": "164.308(a)(4)(i) Information access management","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_4_i","Section": "164.308 Administrative Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"164_308_a_6_i": {"name": "164.308(a)(6)(i) Security incident procedures","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_6_i","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures to address security incidents.","checks_status": {"fail": 0,"pass": 2,"total": 8,"manual": 0}},"164_308_a_7_i": {"name": "164.308(a)(7)(i) Contingency plan","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"164_308_a_7_i","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.","checks_status": {"fail": 3,"pass": 1,"total": 10,"manual": 0}},"164_312_a_2_i": {"name": "164.312(a)(2)(i) Unique user identification","checks": {"iam_no_root_access_key": null,"s3_bucket_public_access": null,"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_312_a_2_i","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Assign a unique name and/or number for identifying and tracking user identity.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"164_312_e_2_i": {"name": "164.312(e)(2)(i) Integrity controls","checks": {"elb_ssl_listeners": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_e_2_i","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.","checks_status": {"fail": 4,"pass": 3,"total": 10,"manual": 0}},"164_308_a_6_ii": {"name": "164.308(a)(6)(ii) Response and reporting","checks": {"elb_logging_enabled": 
"FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_log_metric_filter_root_usage": null,"s3_bucket_server_access_logging_enabled": "FAIL","cloudwatch_log_metric_filter_authentication_failures": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_6_ii","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.","checks_status": {"fail": 6,"pass": 4,"total": 15,"manual": 0}},"164_312_a_2_ii": {"name": "164.312(a)(2)(ii) Emergency access procedure","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_a_2_ii","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.","checks_status": {"fail": 2,"pass": 1,"total": 9,"manual": 0}},"164_312_a_2_iv": {"name": "164.312(a)(2)(iv) Encryption and decryption","checks": {"kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": 
"FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_a_2_iv","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement a mechanism to encrypt and decrypt electronic protected health information.","checks_status": {"fail": 6,"pass": 3,"total": 19,"manual": 0}},"164_312_e_2_ii": {"name": "164.312(e)(2)(ii) Encryption","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_e_2_ii","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement a mechanism to encrypt electronic protected health information whenever deemed 
appropriate.","checks_status": {"fail": 7,"pass": 3,"total": 19,"manual": 0}},"164_308_a_1_ii_a": {"name": "164.308(a)(1)(ii)(A) Risk analysis","checks": {"guardduty_is_enabled": "PASS","config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_1_ii_a","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"164_308_a_1_ii_b": {"name": "164.308(a)(1)(ii)(B) Risk Management","checks": {"elb_ssl_listeners": "FAIL","rds_instance_multi_az": "FAIL","ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"ec2_ebs_volume_encryption": "PASS","elbv2_deletion_protection": "FAIL","ec2_ebs_default_encryption": "PASS","rds_instance_backup_enabled": "PASS","rds_snapshots_public_access": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"s3_bucket_default_encryption": "PASS","awslambda_function_url_public": null,"efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"redshift_cluster_public_access": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","awslambda_function_not_publicly_accessible": 
"PASS","cloudwatch_log_group_kms_encryption_enabled": "FAIL","iam_inline_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_encryption_enabled": null,"iam_aws_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_1_ii_b","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a): Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.","checks_status": {"fail": 14,"pass": 9,"total": 39,"manual": 0}},"164_308_a_1_ii_d": {"name": "164.308(a)(1)(ii)(D) Information system activity review","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_1_ii_d","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement procedures to regularly review 
records of information system activity, such as audit logs, access reports, and security incident tracking reports.","checks_status": {"fail": 7,"pass": 4,"total": 15,"manual": 0}},"164_308_a_3_ii_a": {"name": "164.308(a)(3)(ii)(A) Authorization and/or supervision","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","iam_root_hardware_mfa_enabled": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","iam_user_mfa_enabled_console_access": null,"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_3_ii_a","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.","checks_status": {"fail": 4,"pass": 4,"total": 16,"manual": 0}},"164_308_a_3_ii_b": {"name": "164.308(a)(3)(ii)(B) Workforce clearance procedure","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_3_ii_b","Section": "164.308 Administrative Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.","checks_status": {"fail": 0,"pass": 
0,"total": 6,"manual": 0}},"164_308_a_3_ii_c": {"name": "164.308(a)(3)(ii)(C) Termination procedures","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_3_ii_c","Section": "164.308 Administrative Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(b).","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"164_308_a_4_ii_a": {"name": "164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","rds_instance_backup_enabled": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"acm_certificates_expiration_check": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","redshift_cluster_automated_snapshot": null,"cloudfront_distributions_https_enabled": null,"rds_instance_integration_cloudwatch_logs": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_4_ii_a","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "If a health care clearinghouse is part of a larger 
organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.","checks_status": {"fail": 7,"pass": 5,"total": 25,"manual": 0}},"164_308_a_4_ii_b": {"name": "164.308(a)(4)(ii)(B) Access authorization","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_4_ii_b","Section": "164.308 Administrative Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures for granting access to electronic protected health information, As one illustrative example, through access to a workstation, transaction, program, process, or other mechanism.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"164_308_a_4_ii_c": {"name": "164.308(a)(4)(ii)(B) Access authorization","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_4_ii_c","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.","checks_status": {"fail": 1,"pass": 0,"total": 
9,"manual": 0}},"164_308_a_5_ii_b": {"name": "164.308(a)(5)(ii)(B) Protection from malicious software","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_5_ii_b","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Procedures for guarding against, detecting, and reporting malicious software.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"164_308_a_5_ii_c": {"name": "164.308(a)(5)(ii)(C) Log-in monitoring","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_5_ii_c","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Procedures for monitoring log-in attempts and reporting discrepancies.","checks_status": {"fail": 0,"pass": 2,"total": 3,"manual": 0}},"164_308_a_5_ii_d": {"name": "164.308(a)(5)(ii)(D) Password management","checks": {"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_5_ii_d","Section": "164.308 Administrative Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Procedures for creating, changing, and safeguarding passwords.","checks_status": {"fail": 0,"pass": 0,"total": 9,"manual": 0}},"164_308_a_7_ii_a": {"name": "164.308(a)(7)(ii)(A) Data backup plan","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": 
"PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_7_ii_a","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.","checks_status": {"fail": 3,"pass": 1,"total": 10,"manual": 0}},"164_308_a_7_ii_b": {"name": "164.308(a)(7)(ii)(B) Disaster recovery plan","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_7_ii_b","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish (and implement as needed) procedures to restore any loss of data.","checks_status": {"fail": 3,"pass": 1,"total": 10,"manual": 0}},"164_308_a_7_ii_c": {"name": "164.308(a)(7)(ii)(C) Emergency mode operation plan","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_7_ii_c","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.","checks_status": {"fail": 3,"pass": 1,"total": 10,"manual": 0}}},"requirements_passed": 11,"requirements_failed": 
21,"requirements_manual": 0,"total_requirements": 32,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "6a808cc7-3501-4085-98f9-e4a9fa251f4c","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "mitre_attack_aws","framework": "MITRE-ATTACK","version": "","description": "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.","region": "eu-west-1","requirements": {"T1040": {"name": "Network Sniffing","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_hardware_mfa_enabled": null,"rds_instance_transport_encrypted": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","config_recorder_all_regions_enabled": null,"iam_user_mfa_enabled_console_access": null,"cloudfront_distributions_https_enabled": null,"iam_policy_allows_privilege_escalation": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudWatch uses TLS/SSL connections to communicate with other AWS resources which protects against network sniffing attacks. 
As a result, this mapping is given a score of Significant.","Category": "Protect","AWSService": "AWS CloudWatch"},{"Value": "Significant","Comment": "AWS RDS and AWS RDS Proxy support TLS/SSL connections to database instances which protects against network sniffing attacks. As a result, this mapping is given a score of Significant.","Category": "Protect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over untrusted networks which can prevent information from being gathered via network sniffing.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"},{"Value": "Partial","Comment": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: 'CA certificate expiring' ('CA_CERTIFICATE_EXPIRING_CHECK' in the CLI and API), 'CA certificate key quality' ('CA_CERTIFICATE_KEY_QUALITY_CHECK' in the CLI and API), and 'CA certificate revoked but device certificates still active' ('REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK' in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the 'UPDATE_CA_CERTIFICATE' mitigation action which can resolve them. 
'Device certificate expiring' ('DEVICE_CERTIFICATE_EXPIRING_CHECK' in the CLI and API), 'Device certificate key quality' ('DEVICE_CERTIFICATE_KEY_QUALITY_CHECK' in the CLI and API), 'Device certificate shared' ('DEVICE_CERTIFICATE_SHARED_CHECK' in the CLI and API), and 'Revoked device certificate still active' ('REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK' in the CLI and API) can identify problems with IoT devices' certificates and support the 'UPDATE_DEVICE_CERTIFICATE' and 'ADD_THINGS_TO_THING_GROUP' mitigation actions which can resolve them. Coverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: 'acm-certificate-expiration-check' for nearly expired certificates in AWS Certificate Manager (ACM); 'alb-http-to-https-redirection-check' for Application Load Balancer (ALB) HTTP listeners; 'api-gw-ssl-enabled' for API Gateway REST API stages; 'cloudfront-custom-ssl-certificate', 'cloudfront-sni-enabled', and 'cloudfront-viewer-policy-https', for Amazon CloudFront distributions; 'elb-acm-certificate-required', 'elb-custom-security-policy-ssl-check', 'elb-predefined-security-policy-ssl-check', and 'elb-tls-https-listeners-only' for Elastic Load Balancing (ELB) Classic Load Balancer listeners; 'redshift-require-tls-ssl' for Amazon Redshift cluster connections to SQL clients; 's3-bucket-ssl-requests-only' for requests for S3 bucket contents; and 'elasticsearch-node-to-node-encryption-check' for Amazon ElasticSearch Service node-to-node communications. 
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that private traffic is routed securely and only within VPCs rather than on the public Internet: 'api-gw-endpoint-type-check' for Amazon API Gateway APIs, 'elasticsearch-in-vpc-only' for Amazon ElasticSearch Service domains, and 'redshift-enhanced-vpc-routing-enabled' for Amazon Redshift cluster traffic. All of these are run on configuration changes except 'alb-http-to-https-redirection-check' and 'elasticsearch-in-vpc-only', which are run periodically. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic and/or do not have access to traffic within the relevant VPCs, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS Config"}],"description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. 
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.","checks_status": {"fail": 5,"pass": 1,"total": 17,"manual": 0}},"T1046": {"name": "Network Service Discovery","checks": {"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","elbv2_waf_acl_attached": "FAIL","networkfirewall_in_all_vpc": "FAIL","inspector2_active_findings_exist": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Value": "Partial","Comment": "The following AWS IoT Device Defender device-side detection metrics can detect 
indicators that an adversary may be leveraging compromised AWS IoT devices to search their networks for other hosts and their running services, possibly to subsequently carry out lateral movement techniques: 'Destination IPs' ('aws:destination-ip-addresses') outside of expected IP address ranges may suggest that a device is communicating with unexpected devices. 'Bytes in' ('aws:all-bytes-in'), 'Bytes out' ('aws:all-bytes-out'), 'Packets in' ('aws:all-packets-in'), and 'Packets out' ('aws:all-packets-out') values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may traffic used to discover other hosts/services. 'Listening TCP ports' ('aws:listening-tcp-ports'), 'Listening TCP port count' ('aws:num-listening-tcp-ports'), 'Established TCP connections count' ('aws:num-established-tcp-connections'), 'Listening UDP ports' ('aws:listening-udp-ports'), and 'Listening UDP port count' ('aws:num-listening-udp-ports') values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols that may suggest scanning is taking place. Coverage factor is partial, since these metrics are limited to IoT device communication and detection is only based on network traffic, resulting in an overall score of Partial.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against network service scanning. 
This mapping is given a score of Partial because it only protects against network service scanning attacks that originate from outside the firewall and not from within network protected by the firewall.","Category": "Protect","AWSService": "AWS Network Firewall"},{"Value": "Partial","Comment": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection. AWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet. This is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.","Category": "Protect","AWSService": "AWS Web Application Firewall"},{"Value": "Partial","Comment": "The following GuardDuty finding types reflect flagged events where there is an attempt to get a list of services running on a remote host. Recon:EC2/PortProbeEMRUnprotectedPort Recon:EC2/PortProbeUnprotectedPort Recon:EC2/Portscan Impact:EC2/PortSweep","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Partial","Comment": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. 
Due to this, the score is capped at Partial.","Category": "Protect","AWSService": "Amazon Inspector"},{"Value": "Significant","Comment": "VPC security groups and network access control lists (NACLs) can filter both internal and external network traffic and therefore, can mitigate unauthorized network service scanning.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"}],"description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.","checks_status": {"fail": 7,"pass": 16,"total": 23,"manual": 0}},"T1048": {"name": "Exfiltration Over Alternative Protocol","checks": {"guardduty_is_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Value": "Partial","Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols.","Category": "Protect","AWSService": "AWS Network Firewall"},{"Value": "Partial","Comment": "The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command-and-control channel. Trojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Partial","Comment": "This control provides partial coverage for this technique and all of its sub-techniques, resulting in an overall score of Partial.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "VPC security groups and network access control lists (NACLs) can limit access to external hosts and can therefore provide mitigation of this technique. For environments where Internet access is required, these controls can be used to block known malicious addresses. 
Because this latter protection is limited to known malicious endpoints, it provides Partial coverage resulting in an overall Partial score.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"}],"description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.","checks_status": {"fail": 4,"pass": 16,"total": 20,"manual": 0}},"T1049": {"name": "System Network Connections Discovery","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1059": {"name": "Command and Scripting Interpreter","checks": {"elbv2_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Value": "Partial","Comment": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet. This is given a score of Partial (instead of Minimal) because while it only protects against a subset of SubTechniques (3 out of 8), it does provide protections for command and scripting interpreters that do not have SubTechniques (SQL, PHP, etc.). Furthermore, it blocks the malicious content in near real-time.","Category": "Protect","AWSService": "AWS Web Application Firewall"}],"description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. 
These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"T1069": {"name": "Permission Groups Discovery","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1074": {"name": "Data from Cloud Storage","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. 
Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1078": {"name": "Valid Accounts","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_avoid_root_usage": null,"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_console_access_unused": null,"iam_user_two_active_access_key": null,"iam_policy_no_full_access_to_kms": null,"iam_administrator_access_with_mfa": null,"config_recorder_all_regions_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_user_no_setup_initial_access_key": null,"organizations_scp_check_deny_regions": null,"iam_password_policy_minimum_length_14": null,"iam_policy_allows_privilege_escalation": null,"organizations_delegated_administrators": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_no_expired_server_certificates_stored": null,"organizations_account_part_of_organizations": null,"iam_role_cross_account_readonlyaccess_policy": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_role_cross_service_confused_deputy_prevention": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"iam_customer_unattached_policy_no_administrative_privileges": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Value": "Partial","Comment": "GuardDuty implements a finding that flags occurrences unattended behavior from an IAM User in 
the Account. PenTest:IAMUser/KaliLinux, PenTest:IAMUser/ParrotLinux, PenTest:IAMUser/PentooLinux, Policy:IAMUser/RootCredentialUsage, PrivilegeEscalation:IAMUser/AdministrativePermissions, UnauthorizedAccess:IAMUser/ConsoleLogin, UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B, UnauthorizedAccess:IAMUser/MaliciousIPCaller, UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/TorIPCaller, Policy:S3/AccountBlockPublicAccessDisabled, Policy:S3/BucketAnonymousAccessGranted, Policy:S3/BucketBlockPublicAccessDisabled, Policy:S3/BucketPublicAccessGranted, CredentialAccess:IAMUser/AnomalousBehavior, DefenseEvasion:IAMUser/AnomalousBehavior, Discovery:IAMUser/AnomalousBehavior, Exfiltration:IAMUser/AnomalousBehavior, Impact:IAMUser/AnomalousBehavior, Persistence:IAMUser/AnomalousBehavior, Recon:IAMUser/MaliciousIPCaller, Recon:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Minimal","Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "This control provides detection capability for one of this technique's SubTechniques and some of its procedure examples resulting in an overall Partial protection score.","Category": "Detect","AWSService": "AWS IAM"},{"Value": "Partial","Comment": "This control provides protection capability for one of this technique's SubTechniques and some of its procedure examples resulting in an overall Partial protection score.","Category": "Protect","AWSService": "AWS IAM"},{"Value": "Partial","Comment": "This control provides protection capability for one of this technique's SubTechniques and some of its procedure examples resulting in an overall Partial protection score.","Category": "Protect","AWSService": "AWS Single Sign-On"},{"Value": 
"Minimal","Comment": "This control provides partial detection capability for one of this technique's SubTechniques and a few of its procedure examples resulting in an overall Minimal protection score.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Minimal","Comment": "This control provides partial protection for one of this technique's SubTechniques and a few of its procedure examples resulting in an overall Minimal protection score.","Category": "Protect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "This control may protect against malicious use of cloud accounts but may not mitigate exploitation of local, domain, or default accounts present within deployed resources.","Category": "Protect","AWSService": "AWS Organizations"},{"Value": "Minimal","Comment": "AWS Security Hub detects suspicious activity by AWS accounts which could indicate valid accounts being leveraged by an adversary. AWS Security Hub provides these detections with the following managed insights. AWS principals with suspicious access key activity Credentials that may have leaked AWS resources with unauthorized access attempts IAM users with suspicious activity. AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and PCI-DSS security standard that, if implemented, would help towards detecting the misuse of valid accounts. AWS Security Hub provides these detections with the following checks. 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA 3.3 Ensure a log metric filter and alarm exist for usage of root account 3.4 Ensure a log metric filter and alarm exist for IAM policy changes 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures [PCI.CW.1] A log metric filter and alarm should exist for usage of the root user. 
By monitoring the root account, activity where accounts make unauthorized API calls, and changes to IAM permissions among other things, it may be possible to detect valid accounts that are being misused and are potentially compromised. This is scored as Minimal because it only supports a subset of the SubTechniques (1 of 4).","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Minimal","Comment": "This control provides partial protection for one of this technique's SubTechniques and a few of its procedure examples resulting in an overall Minimal protection score.","Category": "Protect","AWSService": "Amazon Cognito"}],"description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.[1] Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.","checks_status": {"fail": 0,"pass": 2,"total": 36,"manual": 0}},"T1082": {"name": "System Information Discovery","checks": {},"status": "PASS","attributes": [],"description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. 
Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1087": {"name": "Account Discovery","checks": {"organizations_account_part_of_organizations": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "This control may protect against cloud account discovery but does not mitigate against other forms of account discovery.","Category": "Protect","AWSService": "AWS Organizations"}],"description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"T1098": {"name": "Account Manipulation","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_avoid_root_usage": null,"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_hardware_mfa_enabled": null,"iam_policy_no_full_access_to_kms": null,"iam_administrator_access_with_mfa": null,"config_recorder_all_regions_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of 
Minimal.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Minimal","Comment": "This control may generate logs for creation and manipulation of accounts but the relevant security information would be handled by another security control.","Category": "Detect","AWSService": "AWS IAM"},{"Value": "Minimal","Comment": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the manipulation of accounts. AWS Security Hub provides this detection with the following check. 3.4 Ensure a log metric filter and alarm exist for IAM policy changes. This is scored as Minimal because it only supports a subset of the SubTechniques (1 of 4).","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Partial","Comment": "GuardDuty has a finding types that flag events where an adversary may have compromised an AWS IAM User. Finding Type: Persistence:IAMUser/AnomalousBehavior.","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. 
These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.","checks_status": {"fail": 0,"pass": 2,"total": 16,"manual": 0}},"T1110": {"name": "Brute Force","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"inspector2_is_enabled": "FAIL","iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_console_access_unused": null,"inspector2_active_findings_exist": "FAIL","config_recorder_all_regions_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Significant","Comment": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant.","Category": "Protect","AWSService": "AWS IAM"},{"Value": "Partial","Comment": "This control may not provide any mitigation against password cracking.","Category": "Protect","AWSService": "AWS Single Sign-On"},{"Value": "Significant","Comment": "Amazon Cognito's MFA capability provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.","Category": "Protect","AWSService": "Amazon 
Cognito"},{"Value": "Minimal","Comment": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks. 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures. This is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.) and it only supports a subset of the sub-techniques (3 of 4). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances.","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Minimal","Comment": "Finding types such as UnauthorizedAccess:EC2/RDPBruteForce, UnauthorizedAccess:EC2/SSHBruteForce, Impact:EC2/WinRMBruteForce, and Stealth:IAMUser/PasswordPolicyChange can detect when an EC2 instance may be involved in a brute force attack aimed at obtaining passwords. Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Minimal","Comment": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include 'Disable password authentication over SSH', 'Configure password maximum age', 'Configure password minimum length', and 'Configure password complexity' all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. 
Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.","Category": "Protect","AWSService": "Amazon Inspector"}],"description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.","checks_status": {"fail": 2,"pass": 2,"total": 19,"manual": 0}},"T1119": {"name": "Automated Collection","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","ec2_ebs_snapshots_encrypted": "FAIL","s3_bucket_default_encryption": "PASS","rds_instance_storage_encrypted": "FAIL","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Value": "Minimal","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that storage volumes are encrypted, which may mitigate adversary attempts to automate collection within cloud environments: 'ec2-ebs-encryption-by-default' which is run periodically and 'encrypted-volumes' which is run on configuration changes. Coverage factor is minimal for these rules, since they are specific to EBS volumes and will only prevent certain forms of collection since adversaries with access to mounted volumes may be able to decrypt their contents, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS Config"}],"description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. 
Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools.","checks_status": {"fail": 2,"pass": 3,"total": 6,"manual": 0}},"T1136": {"name": "Create Account","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "This control provides partial coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS Config"}],"description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"T1190": {"name": "Exploit Public-Facing Application","checks": {"drs_job_exist": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","rds_instance_backup_enabled": "PASS","inspector2_active_findings_exist": "FAIL","config_recorder_all_regions_enabled": null,"awslambda_function_not_publicly_accessible": "PASS","rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. 
In the event that a public-facing application or server is compromised, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS CloudEndure Disaster Recovery"},{"Value": "Partial","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that applications intended for internal use cannot be accessed externally for exploitation: 'api-gw-endpoint-type-check' can ensure that Amazon API Gateway APIs are private and can only be accessed from within VPCs, 'elasticsearch-in-vpc-only' can ensure that Amazon ElasticSearch Service (Amazon ES) domains are in the same VPC and the domain endpoint is not public, 'lambda-function-public-access-prohibited' can verify that AWS Lambda functions are not publicly available, and 'ec2-instance-no-public-ip' can verify whether EC2 instances have public IP addresses. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that insecure applications are not installed and installed packages are kept updated, reducing the likelihood of adversary exploitation: the 'ec2-managedinstance-applications-blacklisted' managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The 'ec2-managedinstance-platform-check' managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation. 
'rds-automatic-minor-version-upgrade-enabled' can verify that Amazon RDS is being patched, and 'elastic-beanstalk-managed-updates-enabled' can verify that Elastic Beanstalk is being patched. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services that can be used to host public-facing applications and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. This mapping is given a score of Partial because it does not protect against misconfigured database instances which may be susceptible to exploitation.","Category": "Protect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS RDS"},{"Value": "Minimal","Comment": "There is a GuardDuty finding type that captures when vulnerable publicly facing resources are leveraged to capture data not intended to be viewable (e.g., IAM credentials associated with the resource). 
UnauthorizedAccess:EC2/MetadataDNSRebind - This finding type only detects MetadataDNSRebind and is more focused on the EC2 instance and not the application running on the instance itself resulting in Minimal coverage.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Partial","Comment": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight. EC2 instances that have missing security patches for important vulnerabilities. This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Significant","Comment": "The AWS WAF protects public-facing applications against a range of vulnerabilities including those listed in the OWASP Top 10. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. AWSManagedRulesCommonRuleSet AWSManagedRulesKnownBadInputRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet. This is given a score of Significant because it protects against vulnerabilities across multiple operating systems (Windows, Linux, POSIX) and technologies (JavaScript, SQL, PHP, WordPress). Furthermore, it blocks the malicious content in near real-time.","Category": "Protect","AWSService": "AWS Web Application Firewall"},{"Value": "Partial","Comment": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. 
Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for 'Enable Address Space Layout Randomization (ASLR)' and 'Enable Data Execution Prevention (DEP)' that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.","Category": "Protect","AWSService": "Amazon Inspector"}],"description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.","checks_status": {"fail": 5,"pass": 5,"total": 11,"manual": 0}},"T1199": {"name": "Trusted Relationship","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Value": "Partial","Comment": "VPC network access control lists (NACLs) can isolate portions of the network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"}],"description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.","checks_status": {"fail": 3,"pass": 15,"total": 18,"manual": 0}},"T1201": {"name": "Password Policy Discovery","checks": {"iam_policy_allows_privilege_escalation": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Significant","Comment": "Ensure least privilege in IAM since password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. 
Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"T1204": {"name": "User Execution","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Detect","AWSService": "AWS Config"}],"description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"T1213": {"name": "Data from Information Repositories","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. 
Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1485": {"name": "Data Destruction","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","s3_bucket_object_lock": "FAIL","efs_have_backup_enabled": "FAIL","s3_bucket_no_mfa_delete": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","config_recorder_all_regions_enabled": null,"s3_bucket_policy_public_write_access": "PASS","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is destroyed, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS CloudEndure Disaster Recovery"},{"Value": "Partial","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include data destruction: 's3-bucket-blacklisted-actions-prohibited' checks whether bucket policies prohibit disallowed actions (including S3:DeleteObject) for principals from other AWS accounts, 's3-bucket-default-lock-enabled' checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and 's3-bucket-public-write-prohibited' checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. 
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of data destruction: 'aurora-mysql-backtracking-enabled' for data in Aurora MySQL; 'db-instance-backup-enabled' and 'rds-in-backup-plan' for Amazon Relational Database Service (RDS) data; 'dynamodb-in-backup-plan' and 'dynamodb-pitr-enabled' for Amazon DynamoDB table contents; 'ebs-in-backup-plan' for Elastic Block Store (EBS) volumes; 'efs-in-backup-plan' for Amazon Elastic File System (EFS) file systems; 'elasticache-redis-cluster-automatic-backup-check' for Amazon ElastiCache Redis cluster data; 'redshift-backup-enabled' and 'redshift-cluster-maintenancesettings-check' for Redshift; 's3-bucket-replication-enabled' and 's3-bucket-versioning-enabled' for S3 storage; and 'cloudfront-origin-failover-enabled' for CloudFront. The following AWS Config managed rules provide specific detections for configuration problems that should be fixed in order to prevent malicious deletion of specific data: 'elb-deletion-protection-enabled' for Elastic Block Store (EBS) volumes, and 'rds-cluster-deletion-protection-enabled' and 'rds-instance-deletion-protection-enabled' for RDS data. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against destruction, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "AWS RDS generates events for database instances and includes the following events that may indicate that an adversary has destroyed the database instance. RDS-EVENT-0003: The DB instance has been deleted RDS-EVENT-0041: A DB snapshot has been deleted. 
This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized deletion.","Category": "Detect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "AWS RDS provides deletion protection which prevents any user from deleting a database instance. If applied, the setting may mitigate attempts to delete a database instance. As a result, this mapping is given a score of Significant.","Category": "Protect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "AWS S3 may protect against data destruction through application of several best practices. Multi-factor authentication can be enabled for delete operations and for changing the versioning state of a bucket. Versioning can be enabled to revert objects to a previous state after malicious destruction or corruption. S3 Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. In addition, S3 Cross Region Replication can be used to replicate S3 buckets to another AWS region for add protection.","Category": "Protect","AWSService": "AWS S3"},{"Value": "Minimal","Comment": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the scheduled destruction of Customer Master Keys (CMKs) which are critical for being able to decrypt data. AWS Security Hub provides this detection with the following check. Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs. 
This is scored as Minimal because CMKs only represent one type of data that could be destroyed by an adversary.","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Partial","Comment": "The following GuardDuty finding type flags events where adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Impact:S3/MaliciousIPCaller, Impact:IAMUser/AnomalousBehavior Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller PenTest:S3/PentooLinux PenTest:S3/ParrotLinux PenTest:S3/KaliLinux.","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.[1][2][3][4][5][6] Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. 
This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.","checks_status": {"fail": 6,"pass": 3,"total": 12,"manual": 0}},"T1486": {"name": "Data Encrypted for Impact","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","s3_bucket_object_lock": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"config_recorder_all_regions_enabled": null,"s3_bucket_policy_public_write_access": "PASS"},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is destroyed, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS CloudEndure Disaster Recovery"},{"Value": "Partial","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious changes to data encryption within Amazon Simple Storage Service (S3) storage: 's3-bucket-blacklisted-actions-prohibited' checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, 's3-bucket-default-lock-enabled' checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and 's3-bucket-public-write-prohibited' checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. 
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious changes to data encryption: 'aurora-mysql-backtracking-enabled' for data in Aurora MySQL; 'db-instance-backup-enabled' and 'rds-in-backup-plan' for Amazon Relational Database Service (RDS) data; 'dynamodb-in-backup-plan' and 'dynamodb-pitr-enabled' for Amazon DynamoDB table contents; 'ebs-in-backup-plan' for Elastic Block Store (EBS) volumes; 'efs-in-backup-plan' for Amazon Elastic File System (EFS) file systems; 'elasticache-redis-cluster-automatic-backup-check' for Amazon ElastiCache Redis cluster data; 'redshift-backup-enabled' and 'redshift-cluster-maintenancesettings-check' for Redshift; 's3-bucket-replication-enabled' and 's3-bucket-versioning-enabled' for S3 storage; and 'cloudfront-origin-failover-enabled' for CloudFront. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against malicious encryption changes, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Significant","Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is encrypted by an adversary (e.g., ransomware), AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS RDS"},{"Value": "Partial","Comment": "The following GuardDuty finding type flags events where adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. 
Impact:S3/MaliciousIPCaller Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller PenTest:S3/PentooLinux PenTest:S3/ParrotLinux PenTest:S3/KaliLinux","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.","checks_status": {"fail": 4,"pass": 3,"total": 9,"manual": 0}},"T1490": {"name": "Inhibit System Recovery","checks": {"drs_job_exist": "FAIL","rds_instance_backup_enabled": "PASS"},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2).","Category": "Respond","AWSService": "AWS CloudEndure Disaster Recovery"},{"Value": "Partial","Comment": "AWS RDS generates events for database instances and includes the following event that may indicate that an adversary has attempted to inhibit system recovery. RDS-EVENT-0028: Automatic backups for this DB instance have been disabled. 
This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized disabling of automatic backups.","Category": "Detect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised and modified to disrupt recovery, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS RDS"}],"description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[1][2] This may deny access to available backups and recovery options.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"T1491": {"name": "Defacement","checks": {"drs_job_exist": "FAIL","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2).","Category": "Respond","AWSService": "AWS CloudEndure Disaster Recovery"},{"Value": "Significant","Comment": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "GuardDuty provides multiple finding types that flag malicious activity against resources. 
These findings focus on API calls that look suspicious and although they do not flag events such as Defacement specifically, it can be inferred that these findings can result in mitigating this technique's negative impact. With this assumption the score is capped at Partial.","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"T1496": {"name": "Resource Hijacking","checks": {"guardduty_is_enabled": "PASS","config_recorder_all_regions_enabled": null,"cloudwatch_log_metric_filter_root_usage": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": 
null},"status": "FAIL","attributes": [{"Value": "Partial","Comment": "AWS CloudWatch provides various metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers among others. The following metrics (not an exhaustive list) could be used to detect if the usage of a resource has increased such as when an adversary hijacks a resource to perform intensive tasks. Linux/Mac OS ------------- cpu_time_active cpu_time_guest cpu_usage_active cpu_usage_guest disk_free disk_total disk_used ethtool_bw_in_allowance_exceeded ethtool_bw_out_allowance_exceeded ethtool_conntrack_allowance_exceeded mem_active mem_available_percent mem_free net_bytes_recv net_bytes_sent net_packets_sent net_packets_recv netstat_tcp_established netstat_tcp_listen processes_running processes_total swap_free swap_used. Containers ---------- CpuUtilized MemoryUtilized NetworkRxBytes NetworkTxBytes node_cpu_usage_total node_cpu_utilization node_filesystem_utilization node_memory_utilization. This mapping is given a score of Partial because it is not possible to differentiate between an authorized and unauthorized increase in resource utilization.","Category": "Detect","AWSService": "AWS CloudWatch"},{"Value": "Partial","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure alarms exist for spikes in resource utilization, which help to identify malicious use of resources within a cloud environment: 'cloudwatch-alarm-action-check', 'cloudwatch-alarm-resource-check', 'cloudwatch-alarm-settings-check', 'desired-instance-tenancy', 'desired-instance-type', 'dynamodb-autoscaling-enabled', 'dynamodb-throughput-limit-check', 'ec2-instance-detailed-monitoring-enabled', and 'rds-enhanced-monitoring-enabled'. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only detect resource hijacking that results in a change in utilization that is significant enough to trigger alarms, resulting in an overall score of Partial.","Category": "Detect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices' resources to perform resource-intensive operations like mining cryptocurrency or performing denial of service attacks on other environments: 'Destination IPs' ('aws:destination-ip-addresses') outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. 'Bytes in' ('aws:all-bytes-in'), 'Bytes out' ('aws:all-bytes-out'), 'Packets in' ('aws:all-packets-in'), and 'Packets out' ('aws:all-packets-out') values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include traffic related to resource hijacking activities. 'Listening TCP ports' ('aws:listening-tcp-ports'), 'Listening TCP port count' ('aws:num-listening-tcp-ports'), 'Established TCP connections count' ('aws:num-established-tcp-connections'), 'Listening UDP ports' ('aws:listening-udp-ports'), and 'Listening UDP port count' ('aws:num-listening-udp-ports') values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols which may include traffic related to resource hijacking activities. 
Coverage factor is partial, since these metrics are limited to IoT device hijacking, resulting in an overall score of Partial.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "The following GuardDuty finding types flag events where adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. CryptoCurrency:EC2/BitcoinTool.B CryptoCurrency:EC2/BitcoinTool.B!DNS Impact:EC2/BitcoinDomainRequest.Reputation UnauthorizedAccess:EC2/TorRelay","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability.","checks_status": {"fail": 1,"pass": 1,"total": 18,"manual": 0}},"T1498": {"name": "Network Denial of Service","checks": {"guardduty_is_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","config_recorder_all_regions_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","shield_advanced_protection_in_internet_facing_load_balancers": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Value": "Minimal","Comment": "This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Minimal","Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. While AWS Network Firewall supports both all sub-techniques (2 of 2), this mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level.","Category": "Protect","AWSService": "AWS Network Firewall"},{"Value": "Significant","Comment": "AWS Shield is a service that protects against Distributed Denial of Service attacks. There are two tiers for this service Standard and Advanced. 
AWS Shield Standard defends against most common, frequently occurring network and transport (Layer 3 and 4 attacks) layer DDoS attacks that target your web site or applications. AWS Shield Advanced adds on to standard by providing additional detection and mitigation against large and sophisticated DDoS attacks. There is near real-time visibility into attacks. AWS Shield Advanced also comes with 24x7 access to the AWS DDoS Response Team (DRT).","Category": "Respond","AWSService": "AWS Shield"},{"Value": "Partial","Comment": "The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Minimal","Comment": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"}],"description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. 
Adversaries have been observed conducting network DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.","checks_status": {"fail": 4,"pass": 16,"total": 27,"manual": 0}},"T1499": {"name": "Endpoint Denial of Service","checks": {"networkfirewall_in_all_vpc": "FAIL","config_recorder_all_regions_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","shield_advanced_protection_in_internet_facing_load_balancers": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS Shield is a service that protects against Distributed Denial of Service attacks. There are two tiers for this service Standard and Advanced. AWS Shield Standard defends against most common, frequently occurring network and transport (Layer 3 and 4 attacks) layer DDoS attacks that target your web site or applications. AWS Shield Advanced adds on to standard by providing additional detection and mitigation against large and sophisticated DDoS attacks. There is near real-time visibility into attacks. AWS Shield Advanced also comes with 24x7 access to the AWS DDoS Response Team (DRT).","Category": "Respond","AWSService": "AWS Shield"},{"Value": "Minimal","Comment": "This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. 
This mapping is given a score of Partial because it only supports a subset of the sub-techniques (3 of 4) and because the source of the attack would have to be known before rules could be put in place to protect against it.","Category": "Protect","AWSService": "AWS Network Firewall"},{"Value": "Minimal","Comment": "VPC security groups and network access control lists (NACLs) provides minimal protection for a majority of this control's sub-techniques and procedure examples resulting in an overall score of Minimal.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"}],"description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.","checks_status": {"fail": 4,"pass": 15,"total": 26,"manual": 0}},"T1518": {"name": "Software Discovery","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. 
Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1525": {"name": "Implant Internal Image","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "The following AWS Config managed rules can identify running instances that are not using AMIs within a specified allow list: 'approved-amis-by-id' and 'approved-amis-by-tag', both of which are run on configuration changes. This does not provide detection of the image implanting itself, but does provide detection for any subsequent use of images that are implanted and not present within the allow list, resulting in a score of Minimal.","Category": "Detect","AWSService": "AWS Config"}],"description": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"T1526": {"name": "Cloud Service Discovery","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Value": "Partial","Comment": "GuardDuty has the following finding types to flag events where there is an attempt to discover information about resources on the account. 
Recon:IAMUser/MaliciousIPCaller Recon:IAMUser/MaliciousIPCaller.Custom Recon:IAMUser/TorIPCaller","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"T1530": {"name": "Data from Cloud Storage","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","s3_bucket_public_access": null,"networkfirewall_in_all_vpc": "FAIL","efs_not_publicly_accessible": "FAIL","rds_snapshots_public_access": "PASS","s3_bucket_default_encryption": "PASS","rds_instance_no_public_access": "PASS","efs_encryption_at_rest_enabled": "FAIL","emr_cluster_publicly_accesible": null,"rds_instance_storage_encrypted": "FAIL","redshift_cluster_public_access": null,"rds_instance_transport_encrypted": "FAIL","config_recorder_all_regions_enabled": null,"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null,"sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"sagemaker_training_jobs_intercontainer_encryption_enabled": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed 
in order to prevent malicious access of data within Amazon Simple Storage Service (S3) storage: 's3-account-level-public-access-blocks', 's3-bucket-level-public-access-prohibited', 's3-bucket-public-read-prohibited', 's3-bucket-policy-not-more-permissive', 'cloudfront-origin-access-identity-enabled', and 'cloudfront-default-root-object-configured' identify objects that are publicly available or subject to overly permissive access policies; 's3-bucket-blacklisted-actions-prohibited' checks whether bucket policies prohibit disallowed actions for principals from other AWS accounts; and 's3-bucket-policy-grantee-check' checks whether bucket policies appropriately control which AWS principals, federated users, service principals, IP addresses, and VPCs have access. All of these controls are run on configuration changes. The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data from other AWS services: 'dms-replication-not-public' for AWS Database Migration Service; 'emr-master-no-public-ip' for Amazon Elastic MapReduce (EMR); 'rds-cluster-iam-authentication-enabled', 'rds-instance-iam-authentication-enabled', 'rds-instance-public-access-check' and 'rds-snapshots-public-prohibited' for Amazon Relational Database Service; 'redshift-cluster-public-access-check' for Amazon Redshift; and 'sagemaker-notebook-no-direct-internet-access' for SageMaker. 
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that cloud storage data are encrypted to prevent malicious access: 'dax-encryption-enabled', 'dynamodb-table-encrypted-kms', and 'dynamodb-table-encryption-enabled' for Amazon DynamoDB table contents; 'efs-encrypted-check' for Amazon Elastic File System (EFS) file systems; 'elasticsearch-encrypted-at-rest' for Elasticsearch Service (ES) domains; 'rds-snapshot-encrypted' and 'rds-storage-encrypted' for Amazon Relational Database Service; 's3-bucket-server-side-encryption-enabled' and 's3-default-encryption-kms' for S3 storage; 'sns-encrypted-kms' for Amazon Simple Notification Service (SNS); 'redshift-cluster-configuration-check' and 'redshift-cluster-kms-enabled' for Redshift clusters; 'sagemaker-endpoint-configuration-kms-key-configured' and 'sagemaker-notebook-instance-kms-key-configured' for SageMaker. These rules provide a wide range of coverage for many AWS services, especially those most significant to procedures for this technique, resulting in an overall score of Significant.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: 'Source IP' ('aws:source-ip-address') values outside of expected IP address ranges may suggest that a device has been stolen. 'Messages sent' ('aws:num-messages-sent'), 'Messages received' ('aws:num-messages-received'), and 'Message size' ('aws:message-byte-size') values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage. 
The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: 'Bytes in' ('aws:all-bytes-in'), 'Bytes out' ('aws:all-bytes-out'), 'Packets in' ('aws:all-packets-in'), and 'Packets out' ('aws:all-packets-out') values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage. Coverage factor is partial, since these metrics are limited to IoT device-based collection, resulting in an overall score of Partial.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources such as cloud storage objects by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists). However, since cloud storage objects are located outside the virtual private cloud where the AWS Network Firewall protects, the mapping is only given a score of Partial.","Category": "Protect","AWSService": "AWS Network Firewall"},{"Value": "Significant","Comment": "AWS RDS supports the encryption of the underlying storage for database instances, backups, read replicas, and snapshots using the AES-256 encryption algorithm. This can protect against an adversary from gaining access to a database instance in the event they get access to the underlying system where the database instance is hosted or to S3 where the backups are stored. Furthermore, with AWS RDS, there is a setting that specifies whether or not a database instances is publicly accessible. 
When public accessibility is turned off, the database instance will not be available outside the VPC in which it was created. As a result, this mapping is given a score of Significant.","Category": "Protect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "S3 provides full control of access via Identity and Access Management (IAM) policies and with its access control lists (ACLs). The S3 Block Public Access feature allows for policies limiting public access to Amazon S3 resources that are enforced regardless of how the resources are created or associated IAM policies. Server-side encryption can be enabled for data at rest and allows for use of S3-managed keys, AWS Key Management Service managed keys, or customer-provided keys.","Category": "Protect","AWSService": "AWS S3"},{"Value": "Partial","Comment": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to data in cloud storage. AWS Security Hub provides this detection with the following managed insight. S3 buckets with public write or read permissions. AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check. 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes. This is scored as Partial because it only detects when S3 buckets have public read or write access and doesn't detect improperly secured data in other storage types (e.g., DBs, NFS, etc.).","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Partial","Comment": "The following GuardDuty finding types flag events where adversaries may have access data objects from improperly secured cloud storage. 
UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Minimal","Comment": "The following Macie findings can detect the collection of data from S3 buckets: Policy:IAMUser/S3BlockPublicAccessDisabled Policy:IAMUser/S3BucketEncryptionDisabled Policy:IAMUser/S3BucketPublic Policy:IAMUser/S3BucketReplicatedExternally Policy:IAMUser/S3BucketSharedExternally. This type of detection is limited to only the S3 storage type and not other storage types available on the platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score.","Category": "Detect","AWSService": "Amazon Macie"},{"Value": "Minimal","Comment": "The following Macie findings can protect against collection of sensitive data from S3 buckets: SensitiveData:S3Object/Credentials SensitiveData:S3Object/CustomIdentifier SensitiveData:S3Object/Financial SensitiveData:S3Object/Multiple SensitiveData:S3Object/Personal. The ability to discover this type of sensitive data stored in a bucket may lead to hardening steps or removing the data altogether which would prevent an adversary from being able to collect the data. This type of protection is limited to only the S3 storage type and not other storage types available on the platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score.","Category": "Protect","AWSService": "Amazon Macie"}],"description": "Adversaries may collect sensitive data from these cloud storage solutions. 
Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.[5][6][7] There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.","checks_status": {"fail": 6,"pass": 6,"total": 22,"manual": 0}},"T1535": {"name": "Unused/Unsupported Cloud Regions","checks": {"organizations_scp_check_deny_regions": null},"status": "PASS","attributes": [],"description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"T1537": {"name": "Transfer Data to Cloud Account","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "The following Macie findings can detect attempts to replicate data objects from a monitored bucket to an Amazon Web Services account that isn't part of your organization: Policy:IAMUser/S3BucketReplicatedExternally Policy:IAMUser/S3BucketSharedExternally. 
This type of detection is limited to only the S3 storage type and not other storage types available on the platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score.","Category": "Detect","AWSService": "Amazon Macie"}],"description": "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"T1538": {"name": "Cloud Service Dashboard","checks": {"iam_user_mfa_enabled_console_access": null,"organizations_account_part_of_organizations": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Partial","Comment": "This control may protect against cloud service dashboard abuse by segmenting accounts into separate organizational units and restricting dashboard access by least privilege.","Category": "Protect","AWSService": "AWS Organizations"},{"Value": "Significant","Comment": "The 'mfa-enabled-for-iam-console-access' managed rule checks whether multi-factor authentication is enabled for all AWS IAM users that use a console password, protecting against misuse of those accounts' dashboard access. It is run periodically, and provides significant coverage, resulting in an overall score of Significant.","Category": "Protect","AWSService": "AWS Config"}],"description": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. 
For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"T1546": {"name": "Event Triggered Execution","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1550": {"name": "Use Alternate Authentication Material","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_console_access_unused": null,"iam_user_two_active_access_key": null,"iam_policy_no_full_access_to_kms": null,"iam_administrator_access_with_mfa": null,"iam_user_mfa_enabled_console_access": null,"iam_user_no_setup_initial_access_key": null,"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may use alternate authentication material, such as password hashes, 
Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.","checks_status": {"fail": 0,"pass": 0,"total": 17,"manual": 0}},"T1552": {"name": "Unsecured Credentials","checks": {"macie_is_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_document_secrets": "PASS","ec2_instance_imdsv2_enabled": "PASS","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","awslambda_function_no_secrets_in_code": "PASS","cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudformation_stack_outputs_find_secrets": "PASS","secretsmanager_automatic_rotation_enabled": "FAIL","awslambda_function_no_secrets_in_variables": "PASS","ecs_task_definitions_no_environment_secrets": "PASS","autoscaling_find_secrets_ec2_launch_configuration": "PASS","eks_cluster_kms_cmk_encryption_in_secrets_enabled": null},"status": "FAIL","attributes": [{"Value": "Minimal","Comment": "This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.","Category": "Protect","AWSService": "AWS CloudHSM"},{"Value": "Significant","Comment": "The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: 'codebuild-project-envvar-awscred-check' for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, 'codebuild-project-source-repo-url-check' for personal access tokens and/or credentials within source repository URLs. 
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured to avoid adversary access: 'secretsmanager-rotation-enabled-check', 'secretsmanager-scheduled-rotation-success-check', 'secretsmanager-secret-periodic-rotation', and 'secretsmanager-using-cmk'. This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Minimal","Comment": "This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Minimal","Comment": "This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.","Category": "Protect","AWSService": "AWS Key Management Service"},{"Value": "Partial","Comment": "This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.","Category": "Protect","AWSService": "AWS Secrets Manager"},{"Value": "Minimal","Comment": "This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Minimal","Comment": "Macie only provides detection for the Credentials in Files sub-technique of this technique and only for the S3 storage type resulting in Minimal coverage and an overall Minimal score.","Category": "Protect","AWSService": "Amazon Macie"}],"description": "Adversaries may search compromised systems to find and 
obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).","checks_status": {"fail": 2,"pass": 11,"total": 14,"manual": 0}},"T1556": {"name": "Modify Authentication Process","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Value": "Partial","Comment": "This control provides coverage for one of this technique's SubTechniques, resulting in an overall score of Partial. Enforce MFA in IAM Users.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. 
By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"T1562": {"name": "Impair Defenses","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","inspector2_active_findings_exist": "FAIL","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Value": "Minimal","Comment": "This control provides significant coverage for a minority of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Detect","AWSService": "AWS Config"},{"Value": "Minimal","Comment": "This control provides partial coverage for a minority of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Minimal","Comment": "This control provides partial coverage for a minority of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Respond","AWSService": "AWS IoT Device Defender"}],"description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. 
This may also span both native defenses as well as supplemental capabilities installed by users and administrators.","checks_status": {"fail": 2,"pass": 2,"total": 5,"manual": 0}},"T1578": {"name": "Modify Cloud Compute Infrastructure","checks": {"iam_policy_no_full_access_to_kms": null,"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Significant","Comment": "Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege.","Category": "Protect","AWSService": "AWS IAM"}],"description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"T1580": {"name": "Cloud Infrastructure Discovery","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_policy_no_full_access_to_kms": null,"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"organizations_account_part_of_organizations": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Partial","Comment": "This control may protect against cloud infrastructure discovery by segmenting accounts into separate organizational units and restricting infrastructure access by least privilege.","Category": 
"Protect","AWSService": "AWS Organizations"},{"Value": "Partial","Comment": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access as well as accessible EC2 instances that may result in an adversary learning about cloud infrastructure used by the organization. AWS Security Hub provides these detections with the following managed insights. S3 buckets with public write or read permissions EC2 instances that have ports accessible from the Internet EC2 instances that are open to the Internet. AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check. 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes. This is scored as Partial because S3 and EC2 only represent a subset of available cloud infrastructure components.","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Partial","Comment": "The following GuardDuty finding types flag events that are linked to Discovery techniques and can be used to capture events where a malicious user may be searching through the account looking for available resources. The finding types are also used to flag certain signatures of running services to detect malicious user activities from commonly used pentest operating systems. Discovery:IAMUser/AnomalousBehavior Discovery:S3/MaliciousIPCaller Discovery:S3/MaliciousIPCaller.Custom Discovery:S3/TorIPCaller PenTest:IAMUser/KaliLinux PenTest:IAMUser/ParrotLinux PenTest:IAMUser/PentooLinux PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Significant","Comment": "Limit IAM permissions to discover cloud infrastructure in accordance with least privilege. 
Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.","Category": "Protect","AWSService": "AWS IAM"}],"description": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.","checks_status": {"fail": 0,"pass": 2,"total": 10,"manual": 0}},"T1606": {"name": "Forge Web Credentials","checks": {"iam_policy_allows_privilege_escalation": null,"iam_no_custom_policy_permissive_role_assumption": null},"status": "PASS","attributes": [{"Value": "Partial","Comment": "Limit IAM permissions from calling the sts:GetFederationToken API unless explicitly required, in accordance with least privilege.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"T1614": {"name": "System Location Discovery","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may gather information in an attempt to calculate the geographical location of a victim host. 
Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1619": {"name": "Cloud Storage Object Discovery","checks": {"iam_policy_allows_privilege_escalation": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Significant","Comment": "Restrict granting of permissions related to listing objects in AWS S3 Buckets to necessary accounts.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. 
Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"T1621": {"name": "Multi-Factor Authentication Request Generation","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1648": {"name": "Serverless Execution","checks": {"iam_policy_no_full_access_to_kms": null,"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Significant","Comment": "Remove permissions to create, modify, or run serverless resources from users that do not explicitly require them.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"T1651": {"name": "Cloud Administration Command","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. 
Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}}},"requirements_passed": 18,"requirements_failed": 18,"requirements_manual": 10,"total_requirements": 46,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "6e52644d-3557-4704-9cf6-e33e4c1a316b","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "ffiec_aws","framework": "FFIEC","version": "","description": "In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity maturity.","region": "eu-west-1","requirements": {"d1-g-it-b-1": {"name": "D1.G.IT.B.1","checks": {"ec2_elastic_ip_unassigned": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d1-g-it-b-1","Section": "Cyber Risk Management and Oversight (Domain 1)","Service": "aws","SubGroup": null,"SubSection": "Governance (G)"}],"description": "An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"d4-c-co-b-2": {"name": "D4.C.Co.B.2","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d4-c-co-b-2","Section": "External Dependency Management (Domain 4)","Service": "aws","SubGroup": null,"SubSection": "Connections (C)"}],"description": "The 
institution ensures that third-party connections are authorized.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"d1-rm-ra-b-2": {"name": "D1.RM.RA.B.2","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "d1-rm-ra-b-2","Section": "Cyber Risk Management and Oversight (Domain 1)","Service": "aws","SubGroup": null,"SubSection": "Risk Management (RM)"}],"description": "The risk assessment identifies Internet- based systems and high-risk transactions that warrant additional authentication controls.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"d1-rm-rm-b-1": {"name": "D1.RM.Rm.B.1","checks": {"rds_instance_multi_az": "FAIL","rds_instance_backup_enabled": "PASS","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d1-rm-rm-b-1","Section": "Cyber Risk Management and Oversight (Domain 1)","Service": "aws","SubGroup": null,"SubSection": "Risk Management (RM)"}],"description": "An information security and business continuity risk management function(s) exists within the institution.","checks_status": {"fail": 1,"pass": 1,"total": 4,"manual": 0}},"d2-is-is-b-1": {"name": "D2.IS.Is.B.1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d2-is-is-b-1","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Information Sharing (IS)"}],"description": "Information security threats are gathered and shared with applicable internal employees.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"d2-ma-ma-b-1": {"name": "D2.MA.Ma.B.1","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": 
"PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d2-ma-ma-b-1","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Monitoring and Analyzing (MA)"}],"description": "Information security threats are gathered and shared with applicable internal employees.","checks_status": {"fail": 7,"pass": 2,"total": 14,"manual": 0}},"d2-ma-ma-b-2": {"name": "D2.MA.Ma.B.2","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d2-ma-ma-b-2","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Monitoring and Analyzing (MA)"}],"description": "Computer event logs are used for investigations once an event has occurred.","checks_status": {"fail": 5,"pass": 2,"total": 12,"manual": 0}},"d2-ti-ti-b-1": {"name": "D2.TI.Ti.B.1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "d2-ti-ti-b-1","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Threat Intelligence 
(TI)"}],"description": "The institution belongs or subscribes to a threat and vulnerability information-sharing source(s) that provides information on threats (e.g., FS-ISAC, US- CERT).","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"d2-ti-ti-b-2": {"name": "D2.TI.Ti.B.2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d2-ti-ti-b-2","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Threat Intelligence (TI)"}],"description": "Threat information is used to monitor threats and vulnerabilities.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"d2-ti-ti-b-3": {"name": "D2.TI.Ti.B.3","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "d2-ti-ti-b-3","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Threat Intelligence (TI)"}],"description": "Threat information is used to enhance internal risk management and controls.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"d3-cc-pm-b-1": {"name": "D3.CC.PM.B.1","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-cc-pm-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Corrective Controls (CC)"}],"description": "A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"d3-cc-pm-b-3": {"name": "D3.CC.PM.B.3","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": 
null,"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-cc-pm-b-3","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Corrective Controls (CC)"}],"description": "Patch management reports are reviewed and reflect missing security patches.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"d3-dc-an-b-1": {"name": "D3.DC.An.B.1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-an-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "The institution is able to detect anomalous activities through monitoring across the environment.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"d3-dc-an-b-2": {"name": "D3.DC.An.B.2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-dc-an-b-2","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Customer transactions generating anomalous activity alerts are monitored and reviewed.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"d3-dc-an-b-3": {"name": "D3.DC.An.B.3","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null},"status": "FAIL","attributes": [{"Type": 
null,"ItemId": "d3-dc-an-b-3","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Logs of physical and/or logical access are reviewed following events.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"d3-dc-an-b-4": {"name": "D3.DC.An.B.4","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-an-b-4","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Access to critical systems by third parties is monitored for unauthorized or unusual activity.","checks_status": {"fail": 6,"pass": 2,"total": 13,"manual": 0}},"d3-dc-an-b-5": {"name": "D3.DC.An.B.5","checks": {"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-an-b-5","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Elevated privileges are monitored.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"d3-dc-ev-b-1": {"name": "D3.DC.Ev.B.1","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": 
"PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-ev-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "A normal network activity baseline is established.","checks_status": {"fail": 4,"pass": 2,"total": 10,"manual": 0}},"d3-dc-ev-b-2": {"name": "D3.DC.Ev.B.2","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-dc-ev-b-2","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"d3-dc-ev-b-3": {"name": "D3.DC.Ev.B.3","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-ev-b-3","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.","checks_status": {"fail": 1,"pass": 3,"total": 4,"manual": 0}},"d3-dc-th-b-1": {"name": "D3.DC.Th.B.1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-th-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk 
assessment for external-facing systems and the internal network.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"d3-pc-am-b-1": {"name": "D3.PC.Am.B.1","checks": {"iam_no_root_access_key": null,"ec2_instance_profile_attached": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.","checks_status": {"fail": 0,"pass": 1,"total": 6,"manual": 0}},"d3-pc-am-b-2": {"name": "D3.PC.Am.B.2","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-2","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Employee access to systems and confidential data provides for separation of duties.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"d3-pc-am-b-3": {"name": "D3.PC.Am.B.3","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_root_hardware_mfa_enabled": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-3","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative 
Controls (PC)"}],"description": "Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"d3-pc-am-b-6": {"name": "D3.PC.Am.B.6","checks": {"iam_root_mfa_enabled": null,"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-6","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Identification and authentication are required and managed for access to systems, applications, and hardware.","checks_status": {"fail": 0,"pass": 0,"total": 16,"manual": 0}},"d3-pc-am-b-7": {"name": "D3.PC.Am.B.7","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-7","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Access controls include password complexity and limits to password attempts and reuse.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"d3-pc-am-b-8": {"name": "D3.PC.Am.B.8","checks": {"iam_no_root_access_key": 
null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-8","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "All default passwords and unnecessary default accounts are changed before system implementation.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"d3-pc-im-b-1": {"name": "D3.PC.Im.B.1","checks": {"ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","apigateway_restapi_waf_acl_attached": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Network perimeter defense tools (e.g., border router and firewall) are used.","checks_status": {"fail": 5,"pass": 7,"total": 20,"manual": 0}},"d3-pc-im-b-2": {"name": "D3.PC.Im.B.2","checks": {"elbv2_waf_acl_attached": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-2","Section": 
"Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.","checks_status": {"fail": 4,"pass": 1,"total": 6,"manual": 0}},"d3-pc-im-b-3": {"name": "D3.PC.Im.B.3","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-3","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "All ports are monitored.","checks_status": {"fail": 4,"pass": 2,"total": 6,"manual": 0}},"d3-pc-im-b-5": {"name": "D3.PC.Im.B.5","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-5","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Systems configurations (for servers, desktops, routers, etc.) 
follow industry standards and are enforced","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"d3-pc-im-b-6": {"name": "D3.PC.Im.B.6","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-6","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Ports, functions, protocols and services are prohibited if no longer needed for business purposes.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"d3-pc-im-b-7": {"name": "D3.PC.Im.B.7","checks": {"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-7","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.","checks_status": {"fail": 1,"pass": 1,"total": 6,"manual": 0}},"d3-pc-se-b-1": {"name": "D3.PC.Se.B.1","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-se-b1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"d5-dr-de-b-1": {"name": 
"D5.DR.De.B.1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d5-dr-de-b-1","Section": "Cyber Incident Management and Resilience (Domain 5)","Service": "aws","SubGroup": null,"SubSection": "Detection, Response, & Mitigation (DR)"}],"description": "Alert parameters are set for detecting information security incidents that prompt mitigating actions.","checks_status": {"fail": 0,"pass": 2,"total": 6,"manual": 0}},"d5-dr-de-b-2": {"name": "D5.DR.De.B.2","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "d5-dr-de-b-2","Section": "Cyber Incident Management and Resilience (Domain 5)","Service": "aws","SubGroup": null,"SubSection": "Detection, Response, & Mitigation (DR)"}],"description": "System performance reports contain information that can be used as a risk indicator to detect information security incidents.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"d5-dr-de-b-3": {"name": "D5.DR.De.B.3","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": 
[{"Type": null,"ItemId": "d5-dr-de-b-3","Section": "Cyber Incident Management and Resilience (Domain 5)","Service": "aws","SubGroup": null,"SubSection": "Detection, Response, & Mitigation (DR)"}],"description": "Tools and processes are in place to detect, alert, and trigger the incident response program.","checks_status": {"fail": 5,"pass": 3,"total": 16,"manual": 0}},"d5-er-es-b-4": {"name": "D5.ER.Es.B.4","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d5-er-es-b-4","Section": "Cyber Incident Management and Resilience (Domain 5)","Service": "aws","SubGroup": null,"SubSection": "Escalation and Reporting (ER)"}],"description": "Incidents are classified, logged and tracked.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"d5-ir-pl-b-6": {"name": "D5.IR.Pl.B.6","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d5-ir-pl-b-6","Section": "Cyber Incident Management and Resilience (Domain 5)","Service": "aws","SubGroup": null,"SubSection": "Incident Resilience Planning & Strategy (IR)"}],"description": "The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident.","checks_status": {"fail": 5,"pass": 1,"total": 8,"manual": 0}},"d3-pc-am-b-10": {"name": "D3.PC.Am.B.10","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-10","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Production and 
non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution's third party.)","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"d3-pc-am-b-12": {"name": "D3.PC.Am.B.12","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-12","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "All passwords are encrypted in storage and in transit.","checks_status": {"fail": 4,"pass": 3,"total": 10,"manual": 0}},"d3-pc-am-b-13": {"name": "D3.PC.Am.B.13","checks": {"elb_ssl_listeners": "FAIL","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-13","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Confidential data is encrypted when transmitted across public or untrusted networks (e.g., Internet).","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"d3-pc-am-b-15": {"name": "D3.PC.Am.B.15","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"s3_bucket_secure_transport_policy": "FAIL","iam_user_mfa_enabled_console_access": null,"apigateway_restapi_client_certificate_enabled": "FAIL"},"status": 
"FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-15","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.","checks_status": {"fail": 2,"pass": 0,"total": 5,"manual": 0}},"d3-pc-am-b-16": {"name": "D3.PC.Am.B.16","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-16","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}}},"requirements_passed": 13,"requirements_failed": 29,"requirements_manual": 2,"total_requirements": 44,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "7058bd2a-3241-4e0e-9773-9a0136d861bc","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "cis_2.0_aws","framework": "CIS","version": "2.0","description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.","region": "eu-west-1","requirements": {"1.1": {"name": "1.1","checks": {"account_maintain_current_contact_details": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info","Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.","DefaultValue": null,"AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, review and verify the current details. 4. Under `Contact Information`, review and verify the current details.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. 
This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.","RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`. 4. Next to the field that you need to update, choose `Edit`. 5. After you have entered your changes, choose `Save changes`. 6. After you have made your changes, choose `Done`. 7. To edit your contact information, under `Contact Information`, choose `Edit`. 8. For the fields that you want to change, type your updated information, and then choose `Update`.","AdditionalInformation": ""}],"description": "Maintain current contact details","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.2": {"name": "1.2","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if security contact information is present:**From Console:**1. Click on your account name at the top right corner of the console 2. From the drop-down menu Click `My Account`3. 
Scroll down to the `Alternate Contacts` section 4. Ensure contact information is specified in the `Security` section","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.","RemediationProcedure": "Perform the following to establish security contact information:**From Console:**1. Click on your account name at the top right corner of the console. 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. Enter contact information in the `Security` section**Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.","AdditionalInformation": ""}],"description": "Ensure security contact information is registered","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.3": {"name": "1.3","checks": {"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS account as the 'root' user 2. On the top right you will see the __ 3. Click on the __ 4. From the drop-down menu Click `My Account`5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions. 6. Click `Save questions` .","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "When creating a new AWS account, a default super user is automatically created. 
This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.","RemediationProcedure": "**From Console:**1. Login to the AWS Account as the 'root' user 2. Click on the __ from the top right of the console 3. From the drop-down menu Click _My Account_ 4. Scroll down to the `Configure Security Questions` section 5. Click on `Edit`6. Click on each `Question` - From the drop-down select an appropriate question- Click on the `Answer` section- Enter an appropriate answer - Follow process for all 3 questions 7. Click `Update` when complete 8. Save Questions and Answers and place in a secure physical location","AdditionalInformation": ""}],"description": "Ensure security questions are registered in the AWS account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.4": {"name": "1.4","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/","Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. 
It is recommended that all access keys associated with the 'root' user account be removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .**From Command Line:**Run the following command: ```aws iam get-account-summary | grep \"AccountAccessKeysPresent\"``` If no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,. If the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged.","RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys**From Console:**1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. Click on __ at the top right and select `My Security Credentials` from the drop down list 3. On the pop out screen Click on `Continue to Security Credentials`4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_ 5. Under the `Status` column if there are any Keys which are Active- Click on `Make Inactive` - (Temporarily disable Key - may be needed again)- Click `Delete` - (Deleted keys cannot be recovered)","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions is not enabled by default. 
However, on request to AWS support enables 'root' access only through access-keys (CLI, API methods) for us-gov cloud region."}],"description": "Ensure no 'root' user account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.5": {"name": "1.5","checks": {"iam_root_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.**Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `mfa_active` field is set to `TRUE` .**From Command Line:**1. 
Run the following command: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ``` 2. Ensure the AccountMFAEnabled property is set to 1","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` . 5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. 
For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.When you are finished, the virtual MFA device starts generating one-time passwords.In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions does not have console access. This recommendation is not applicable for us-gov cloud regions."}],"description": "Ensure MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.6": {"name": "1.6","checks": {"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:1. 
Run the following command to determine if the 'root' account has MFA setup: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ```The `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled. If `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled. Run the following command to list all virtual MFA devices: ```aws iam list-virtual-mfa-devices``` If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation: `\"SerialNumber\": \"arn:aws:iam::__:mfa/root-account-mfa-device\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.","RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials. 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. 
In the wizard, choose `A hardware MFA` device and then choose `Next Step` . 5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device. 6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. 7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number. 8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.Remediation for this recommendation is not available through AWS CLI.","AdditionalInformation": "IAM User account 'root' for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions."}],"description": "Ensure hardware MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.7": {"name": "1.7","checks": {"iam_avoid_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html","Description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/` 2. 
In the left pane, click `Credential Report` 3. Click on `Download Report` 4. Open of Save the file locally 5. Locate the `` under the user column 6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.**From Command Line:**Run the following CLI commands to provide a credential report for determining the last time the 'root user' was used: ``` aws iam generate-credential-report ``` ``` aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '' ```Review `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.**Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.","RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user.**Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.","AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. 
If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.Monitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user."}],"description": "Eliminate use of the 'root' user for administrative and daily tasks","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.8": {"name": "1.8","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Minimum password length\" is set to 14 or greater.**From Command Line:** ``` aws iam get-account-password-policy ``` Ensure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Setting a password complexity policy increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. 
Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Set \"Minimum password length\" to `14` or greater. 5. Click \"Apply password policy\"**From Command Line:** ```aws iam update-account-password-policy --minimum-password-length 14 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy requires minimum length of 14 or greater","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.9": {"name": "1.9","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Prevent password reuse\" is checked 5. 
Ensure \"Number of passwords to remember\" is set to 24**From Command Line:** ``` aws iam get-account-password-policy``` Ensure the output of the above command includes \"PasswordReusePrevention\": 24","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Preventing password reuse increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Check \"Prevent password reuse\" 5. Set \"Number of passwords to remember\" is set to `24` **From Command Line:** ```aws iam update-account-password-policy --password-reuse-prevention 24 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy prevents password reuse","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.1": {"name": "3.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events","Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane- You will be presented with a list of trails across all regions 3. Ensure at least one Trail has `All` specified in the `Region` column 4. Click on a trail via the link in the _Name_ column 5. Ensure `Logging` is set to `ON`6. Ensure `Apply trail to all regions` is set to `Yes` 7. In section `Management Events` ensure `Read/Write Events` set to `ALL`**From Command Line:** ```aws cloudtrail describe-trails ``` Ensure `IsMultiRegionTrail` is set to `true```` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `true` ``` aws cloudtrail get-event-selectors --trail-name  ``` Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`","ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html","AssessmentStatus": "Automated","RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally, - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected- ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated onAWS global services- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account","RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on _Trails_ on the left navigation pane 3. Click `Get Started Now` , if presented- Click `Add new trail` - Enter a trail name in the `Trail name` box- Set the `Apply trail to all regions` option to `Yes` - Specify an S3 bucket name in the `S3 bucket` box- Click `Create`4. If 1 or more trails already exist, select the target trail to enable for global logging 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`. 6. 
Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.**From Command Line:** ``` aws cloudtrail create-trail --name  --bucket-name  --is-multi-region-trailaws cloudtrail update-trail --name  --is-multi-region-trail ```Note: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.","AdditionalInformation": ""}],"description": "Ensure CloudTrail is enabled in all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.2": {"name": "3.2","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.","DefaultValue": null,"AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. 
For Every Trail: - Click on a trail via the link in the _Name_ column - Under the `General details` section, ensure `Log file validation` is set to `Enabled` **From Command Line:** ``` aws cloudtrail describe-trails ``` Ensure `LogFileValidationEnabled` is set to `true` for each trail","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling log file validation will provide additional integrity checking of CloudTrail logs.","RemediationProcedure": "Perform the following to enable log file validation on a given trail:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. Click on target trail 4. Within the `General details` section click `edit` 5. Under the `Advanced settings` section 6. Check the enable box under `Log file validation`7. Click `Save changes` **From Command Line:** ``` aws cloudtrail update-trail --name  --enable-log-file-validation ``` Note that periodic validation of logs using these digests can be performed by running the following command: ``` aws cloudtrail validate-logs --trail-arn  --start-time  --end-time  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail log file validation is enabled","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.3": {"name": "3.3","checks": {"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html","Description": "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. 
It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the `API activity history` pane on the left, click `Trails`3. In the `Trails` pane, note the bucket names in the `S3 bucket` column 4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 5. For each bucket noted in step 3, right-click on the bucket and click `Properties`6. In the `Properties` pane, click the `Permissions` tab. 7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.`9. If the `Edit bucket policy` button is present, click it to review the bucket policy. 10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName' ``` 2. Ensure the `AllUsers` principal is not granted privileges to that `` : ```aws s3api get-bucket-acl --bucket  --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]' ``` 3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that ``: ```aws s3api get-bucket-acl --bucket  --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]' ``` 4. 
Get the S3 Bucket Policy ```aws s3api get-bucket-policy --bucket ``` 5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.","RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 2. Right-click on the bucket and click Properties 3. In the `Properties` pane, click the `Permissions` tab. 4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 5. Select the row that grants permission to `Everyone` or `Any Authenticated User`6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row). 7. Click `Save` to save the ACL. 8. If the `Edit bucket policy` button is present, click it. 9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.","AdditionalInformation": ""}],"description": "Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.4": {"name": "3.4","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html","Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Under `Trails` , click on the CloudTrail you wish to evaluate 3. Under the `CloudWatch Logs` section. 4. Ensure a `CloudWatch Logs` log group is configured and listed. 5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.**From Command Line:**1. Run the following command to get a listing of existing trails: ```aws cloudtrail describe-trails ``` 2. 
Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property. 3. Using the noted value of the `Name` property, run the following command: ```aws cloudtrail get-trail-status --name  ``` 4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.If the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.","ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.","RemediationProcedure": "Perform the following to establish the prescribed state:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Select the `Trail` the needs to be updated. 3. Scroll down to `CloudWatch Logs` 4. Click `Edit` 5. Under `CloudWatch Logs` click the box `Enabled` 6. Under `Log Group` pick new or select an existing log group 7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group. 8. 
Under `IAM Role` pick new or select an existing. 9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role. 10. Click `Save changes.**From Command Line:** ``` aws cloudtrail update-trail --name  --cloudwatch-logs-log-group-arn  --cloudwatch-logs-role-arn  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail trails are integrated with CloudWatch Logs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.5": {"name": "3.5","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html","Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.","DefaultValue": null,"AuditProcedure": "Process to evaluate AWS Config configuration per region**From Console:**1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 2. On the top right of the console select target Region. 3. If presented with Setup AWS Config - follow remediation procedure: 4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 5. Ensure 1 or both check-boxes under \"All Resources\" is checked.- Include global resources related to IAM resources - which needs to be enabled in 1 region only 6. Ensure the correct S3 bucket has been defined. 7. Ensure the correct SNS topic has been defined. 8. Repeat steps 2 to 7 for each region.**From Command Line:**1. 
Run this command to show all AWS Config recorders and their properties: ``` aws configservice describe-configuration-recorders ``` 2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])Sample Output:``` {\"ConfigurationRecorders\": [{\"recordingGroup\": {\"allSupported\": true,\"resourceTypes\": [],\"includeGlobalResourceTypes\": true},\"roleARN\": \"arn:aws:iam:::role/service-role/\",\"name\": \"default\"}] } ```3. Run this command to show the status for all AWS Config recorders: ``` aws configservice describe-configuration-recorder-status ``` 4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`","ImpactStatement": "It is recommended AWS Config be enabled in all regions.","AssessmentStatus": "Automated","RationaleStatement": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.","RemediationProcedure": "To implement AWS Config configuration:**From Console:**1. Select the region you want to focus on in the top right of the console 2. Click `Services`3. Click `Config`4. Define which resources you want to record in the selected region 5. Choose to include global resources (IAM resources) 6. Specify an S3 bucket in the same account or in another managed AWS account 7. Create an SNS Topic from the same AWS account or another managed AWS account**From Command Line:**1. 
Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 2. Run this command to set up the configuration recorder ``` aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole ``` 3. Run this command to start the configuration recorder: ``` start-configuration-recorder --configuration-recorder-name  ```","AdditionalInformation": ""}],"description": "Ensure AWS Config is enabled in all regions","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.6": {"name": "3.6","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html","Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.","DefaultValue": null,"AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the API activity history pane on the left, click Trails 3. In the Trails pane, note the bucket names in the S3 bucket column 4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 5. Under `All Buckets` click on a target S3 bucket 6. 
Click on `Properties` in the top right of the console 7. Under `Bucket:` _ `` _ click on `Logging`8. Ensure `Enabled` is checked.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'``` 2. Ensure Bucket Logging is enabled: ``` aws s3api get-bucket-logging --bucket  ``` Ensure command does not returns empty output.Sample Output for a bucket with logging enabled:``` {\"LoggingEnabled\": {\"TargetPrefix\": \"\",\"TargetBucket\": \"\"} } ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.","RemediationProcedure": "Perform the following to enable S3 bucket logging:**From Console:**1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 2. Under `All Buckets` click on the target S3 bucket 3. Click on `Properties` in the top right of the console 4. Under `Bucket:`  click on `Logging`5. Configure bucket logging- Click on the `Enabled` checkbox- Select Target Bucket from list- Enter a Target Prefix 6. Click `Save`.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --region  --query trailList[*].S3BucketName ``` 2. Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``: ``` {\"LoggingEnabled\": {\"TargetBucket\": \"\",\"TargetPrefix\": \"\",\"TargetGrants\": [{\"Grantee\": {\"Type\": \"AmazonCustomerByEmail\",\"EmailAddress\": \"\"},\"Permission\": \"FULL_CONTROL\"}]}} ``` 3. 
Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): ``` aws s3api put-bucket-logging --bucket  --bucket-logging-status file:// ```","AdditionalInformation": ""}],"description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.7": {"name": "3.7","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html","Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Select a Trail 4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.**From Command Line:**1. 
Run the following command: ```aws cloudtrail describe-trails``` 2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.","ImpactStatement": "Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.","AssessmentStatus": "Automated","RationaleStatement": "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.","RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Click on a Trail 4. Under the `S3` section click on the edit button (pencil icon) 5. Click `Advanced`6. Select an existing CMK from the `KMS key Id` drop-down menu- Note: Ensure the CMK is located in the same region as the S3 bucket- Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy 7. Click `Save`8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. 9. Click `Yes` **From Command Line:** ``` aws cloudtrail update-trail --name  --kms-id  aws kms put-key-policy --key-id  --policy  ```","AdditionalInformation": "3 statements which need to be added to the CMK policy:1\\. Enable Cloudtrail to describe CMK properties ``` 
{\"Sid\": \"Allow CloudTrail access\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:DescribeKey\",\"Resource\": \"*\" } ``` 2\\. Granting encrypt permissions ``` 
{\"Sid\": \"Allow CloudTrail to encrypt logs\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:GenerateDataKey*\",\"Resource\": \"*\",\"Condition\": {\"StringLike\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": [\"arn:aws:cloudtrail:*:aws-account-id:trail/*\"]}} } ``` 3\\. Granting decrypt permissions ``` 
{\"Sid\": \"Enable CloudTrail log decrypt permissions\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"arn:aws:iam::aws-account-id:user/username\"},\"Action\": \"kms:Decrypt\",\"Resource\": \"*\",\"Condition\": {\"Null\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"}} } ```"}],"description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.8": {"name": "3.8","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final","Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the `General configuration` panel open the tab `Key rotation` 5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated 6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"**From Command Line:**1. 
Run the following command to get a list of all keys and their associated `KeyIds````aws kms list-keys ``` 2. For each key, note the KeyId and run the following command ``` describe-key --key-id  ``` 3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command ```aws kms get-key-rotation-status --key-id  ``` 4. Ensure `KeyRotationEnabled` is set to `true` 5. Repeat steps 2 - 4 for all remaining CMKs","ImpactStatement": "Creation, management, and storage of CMKs may require additional time from and administrator.","AssessmentStatus": "Automated","RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` . 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the \"General configuration\" panel open the tab \"Key rotation\" 5. Check the \"Automatically rotate this KMS key every year.\" checkbox**From Command Line:**1. Run the following command to enable key rotation: ```aws kms enable-key-rotation --key-id  ```","AdditionalInformation": ""}],"description": "Ensure rotation for customer created symmetric CMKs is enabled","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.9": {"name": "3.9","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html","Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. Ensure a Log Flow exists that has `Active` in the `Status` column.**From Command Line:**1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region: ``` aws ec2 describe-vpcs --region  --query Vpcs[].VpcId ``` 2. The command output returns the `VpcId` available in the selected region. 3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled: ``` aws ec2 describe-flow-logs --filter \"Name=resource-id,Values=\" ``` 4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`. 5. Repeat step 3 for other VPCs available in the same region. 6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.","ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. 
You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.","RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. If no Flow Log exists, click `Create Flow Log`7. For Filter, select `Reject` 8. Enter in a `Role` and `Destination Log Group`9. Click `Create Log Flow`10. Click on `CloudWatch Logs Group` **Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.**From Command Line:**1. Create a policy document and name it as `role_policy_document.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"test\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"ec2.amazonaws.com\"},\"Action\": \"sts:AssumeRole\"}] } ``` 2. 
Create another policy document and name it as `iam_policy.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Action\":[\"logs:CreateLogGroup\",\"logs:CreateLogStream\",\"logs:DescribeLogGroups\",\"logs:DescribeLogStreams\",\"logs:PutLogEvents\",\"logs:GetLogEvents\",\"logs:FilterLogEvents\"],\"Resource\": \"*\"}] } ``` 3. Run the below command to create an IAM role: ``` aws iam create-role --role-name  --assume-role-policy-document file://role_policy_document.json``` 4. Run the below command to create an IAM policy: ``` aws iam create-policy --policy-name  --policy-document file://iam-policy.json ``` 5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned): ``` aws iam attach-group-policy --policy-arn arn:aws:iam:::policy/ --group-name  ``` 6. Run `describe-vpcs` to get the VpcId available in the selected region: ``` aws ec2 describe-vpcs --region  ``` 7. The command output should return the VPC Id available in the selected region. 8. Run `create-flow-logs` to create a flow log for the vpc: ``` aws ec2 create-flow-logs --resource-type VPC --resource-ids  --traffic-type REJECT --log-group-name  --deliver-logs-permission-arn  ``` 9. Repeat step 8 for other vpcs available in the selected region. 10. Change the region by updating --region and repeat remediation procedure for other vpcs.","AdditionalInformation": ""}],"description": "Ensure VPC flow logging is enabled in all VPCs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"4.1": {"name": "4.1","checks": {"cloudwatch_log_metric_filter_unauthorized_api_calls": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. 
Monitoring","References": "https://aws.amazon.com/sns/:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with \"Name\":` note ``- From value associated with \"CloudWatchLogsLogGroupArn\" note Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this `` that you captured in step 1:``` aws logs describe-metric-filters --log-group-name \"\" ```3. 
Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\", ```4. Note the \"filterName\" `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\" ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.","AssessmentStatus": "Automated","RationaleStatement": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `` taken from audit step 1. 
``` aws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms. **Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for unauthorized API calls","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.2": {"name": "4.2","checks": {"cloudwatch_log_metric_filter_sign_in_without_mfa": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all `CloudTrails`:``` aws cloudtrail describe-trails ```- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region `CloudTrail` is active``` aws cloudtrail get-trail-status --name  ```Ensure in the output that `IsLogging` is set to `TRUE`- Ensure identified Multi-region 'Cloudtrail' captures all Management Events``` aws cloudtrail get-event-selectors --trail-name  ```Ensure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\" ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `` taken from audit step 1.Use Command: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored -Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account."}],"description": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.3": {"name": "4.3","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for 'root' login attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**- ensures that activities from all regions (used as well as unused) are monitored- ensures that activities on all supported global services are monitored- ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for usage of 'root' account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.4": {"name": "4.4","checks": {"cloudwatch_log_metric_filter_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for IAM policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.5": {"name": "4.5","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.6": {"name": "4.6","checks": {"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.7": {"name": "4.7","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Data encrypted with disabled or deleted keys will no longer be accessible.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.8": {"name": "4.8","checks": {"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for S3 bucket policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.9": {"name": "4.9","checks": {"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Config configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"5.1": {"name": "5.1","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison","Description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "**From Console:**Perform the following to determine if the account is configured as prescribed: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. 
For each network ACL, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "**From Console:**Perform the following: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL to remediate, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Click `Edit inbound rules`- Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule- Click `Save`","AdditionalInformation": ""}],"description": "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"5.2": {"name": "5.2","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule 6. 
Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.3": {"name": "5.3","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. 
Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `::/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the ::/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than ::/0, or, B) Click `Delete` to remove the offending inbound rule 6. Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.4": {"name": "5.4","checks": {"ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "5. 
Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group","Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.**NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:Security Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. 
For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exist 4. Click the `Outbound Rules` tab 5. Ensure no rules existSecurity Group Members1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. Copy the id of the default security group. 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home 6. In the filter column type 'Security Group ID : < security group id from #4 >'","ImpactStatement": "Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.","AssessmentStatus": "Automated","RationaleStatement": "Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.","RemediationProcedure": "Security Group MembersPerform the following to implement the prescribed state:1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security groupSecurity Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. 
Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Remove any inbound rules 4. Click the `Outbound Rules` tab 5. Remove any Outbound rulesRecommended:IAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"","AdditionalInformation": ""}],"description": "Ensure the default security group of every VPC restricts all traffic","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"5.5": {"name": "5.5","checks": {"vpc_peering_routing_tables_with_least_privilege": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "5. Networking","References": "https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html","Description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.","DefaultValue": null,"AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.**From Command Line:**1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a __ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired. 
``` aws ec2 describe-route-tables --filter \"Name=vpc-id,Values=\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\" ```","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.","RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.**From Command Line:**1. For each __ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route: ``` aws ec2 delete-route --route-table-id  --destination-cidr-block  ```2. Create a new compliant route: ``` aws ec2 create-route --route-table-id  --destination-cidr-block  --vpc-peering-connection-id  ```","AdditionalInformation": "If an organization has AWS transit gateway implemented in their VPC architecture they should look to apply the recommendation above for \"least access\" routing architecture at the AWS transit gateway level in combination with what must be implemented at the standard VPC route table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs must have an attachment to a transit gateway route table as well as a route, therefore to avoid routing traffic between VPCs an attachment to the transit gateway route table should only be added where there is an intention to route traffic between the VPCs. 
As transit gateways are able to host multiple route tables it is possible to group VPCs by attaching them to a common route table."}],"description": "Ensure routing tables for VPC peering are \"least access\"","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"5.6": {"name": "5.6","checks": {"ec2_instance_imdsv2_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/:https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html","Description": "When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).","DefaultValue": null,"AuditProcedure": "From Console:1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under the Instances menu, select Instances.3. For each Instance, select the instance, then choose Actions > Modify instance metadata options.4. If the Instance metadata service is enabled, verify whether IMDSv2 is set to required. From Command Line:1. Use the describe-instances CLI command2. Ensure for all ec2 instances that the metadata-options.http-tokens setting is set to required.3. 
Repeat for all active regions.```aws ec2 describe-instances --filters \"\"Name=metadata-options.http-tokens\",\"Values=optional\" \"\"Name=metadata-options.state\"\",\"\"Values=applied\"\" --query \"\"Reservations[*].Instances[*].\"\" ``` ","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery (SSRF) attacks, so Amazon recommends utilizing Version 2 for better instance security.","RemediationProcedure": "From Console:1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/ 2. Under the Instances menu, select Instances.3. For each Instance, select the instance, then choose Actions > Modify instance metadata options.4. If the Instance metadata service is enabled, set IMDSv2 to Required. From Command Line:```aws ec2 modify-instance-metadata-options --instance-id  --http-tokens required``` ","AdditionalInformation": ""}],"description": "Ensure that EC2 Metadata Service only allows IMDSv2","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.10": {"name": "1.10","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users","Description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. 
With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:**From Console:**1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left pane, select `Users`3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`. 4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8``` 2. The output of this command will produce a table similar to the following: ```user,password_enabled,mfa_activeelise,false,falsebrandon,true,truerakesh,false,falsehelene,false,falseparas,true,trueanitha,false,false``` 3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`","ImpactStatement": "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. 
We recommend that existing customers switch to one of the following alternative methods of MFA.","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to enable MFA:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' 2. In the left pane, select `Users`. 3. In the `User Name` list, choose the name of the intended MFA user. 4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`. 5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application. When you are finished, the virtual MFA device starts generating one-time passwords.8. 
In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.9. Click `Assign MFA`.","AdditionalInformation": "**Forced IAM User Self-Service Remediation**Amazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts."}],"description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.11": {"name": "1.11","checks": {"iam_user_no_setup_initial_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html","Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. 
AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on a User where column `Password age` and `Access key age` is not set to `None` 5. Click on `Security credentials` Tab 6. Compare the user 'Creation time` to the Access Key `Created` date. 6. For any that match, the key was created during initial user setup.- Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16 ``` 2. The output of this command will produce a table similar to the following: ``` user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_dateelise,false,true,2015-04-16T15:14:00+00:00,false,N/Abrandon,true,true,N/A,false,N/Arakesh,false,false,N/A,false,N/Ahelene,false,true,2015-11-18T17:47:00+00:00,false,N/Aparas,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A``` 3. 
For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.","RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:**From Console:**1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. As an Administrator - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User- Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.**From Command Line:** ``` aws iam delete-access-key --access-key-id  --user-name  ```","AdditionalInformation": "Credential report does not appear to contain \"Key Creation Date\""}],"description": "Do not setup access keys during initial user setup for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.12": {"name": "1.12","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if unused credentials exist:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM` 4. Click on `Users` 5. Click the `Settings` (gear) icon. 6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id` 7. Click on `Close`8. Check and ensure that `Console last sign-in` is less than 45 days ago.**Note** - `Never` means the user has never logged in.9. Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.**From Command Line:****Download Credential Report:**1. Run the following commands: ```aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^' ```**Ensure unused credentials do not exist:**2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.3. 
For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.- When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.","RemediationProcedure": "**From Console:**Perform the following to manage Unused Password (IAM user console access)1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select user whose `Console last sign-in` is greater than 45 days 7. Click `Security credentials` 8. In section `Sign-in credentials`, `Console password` click `Manage`9. Under Console Access select `Disable` 10.Click `Apply`Perform the following to deactivate Access Keys:1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select any access keys that are over 45 days old and that have been used and - Click on `Make Inactive` 7. Select any access keys that are over 45 days old and that have not been used and - Click the X to `Delete`","AdditionalInformation": " is excluded in the audit since the root account should not be used for day to day business and would likely be unused for more than 45 days."}],"description": "Ensure credentials unused for 45 days or greater are disabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.13": {"name": "1.13","checks": {"iam_user_two_active_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. - Repeat steps no. 3 – 5 for each IAM user in your AWS account.**From Command Line:**1. Run `list-users` command to list all IAM users within your account: ``` aws iam list-users --query \"Users[*].UserName\" ``` The command output should return an array that contains all your IAM user names.2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user: ``` aws iam list-access-keys --user-name  ``` The command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.3. Check the `Status` property value for each key returned to determine each keys current state. 
If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.- Repeat steps no. 2 and 3 for each IAM user in your AWS account.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. 6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link. 7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key. 8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.**From Command Line:**1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). 
Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user**Note** - the command does not return any output: ``` aws iam update-access-key --access-key-id  --status Inactive --user-name  ``` 3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User: ``` aws iam list-access-keys --user-name  ``` - The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.","AdditionalInformation": ""}],"description": "Ensure there is only one active access key available for any single IAM user","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.14": {"name": "1.14","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. 
It is recommended that all access keys be regularly rotated.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click `setting` icon 4. Select `Console last sign-in` 5. Click `Close` 6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.**From Command Line:**``` aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d ``` The `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A (not applicable).","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.","RemediationProcedure": "Perform the following to rotate access keys:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click on `Security Credentials`4. As an Administrator - Click on `Make Inactive` for keys that have not been rotated in `90` Days 5. As an IAM User- Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days 6. Click on `Create Access Key`7. Update programmatic call with new Access Key credentials**From Command Line:**1. While the first access key is still active, create a second access key, which is active by default. Run the following command: ``` aws iam create-access-key ```At this point, the user has two active access keys.2. 
Update all applications and tools to use the new access key. 3. Determine whether the first access key is still in use by using this command: ``` aws iam get-access-key-last-used ``` 4. One approach is to wait several days and then check the old access key for any use before proceeding.Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command: ``` aws iam update-access-key ``` 5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command: ``` aws iam delete-access-key ```","AdditionalInformation": ""}],"description": "Ensure access keys are rotated every 90 days or less","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.15": {"name": "1.15","checks": {"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html","Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. 
Only the third implementation is recommended.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:1. Run the following to get a list of IAM users: ```aws iam list-users --query 'Users[*].UserName' --output text``` 2. For each user returned, run the following command to determine if any policies are attached to them: ```aws iam list-attached-user-policies --user-name aws iam list-user-policies --user-name ``` 3. If any policies are returned, the user has an inline policy or direct policy attachment.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.","RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups` and then click `Create New Group` . 3. In the `Group Name` box, type the name of the group and then click `Next Step` . 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` . 5. Click `Create Group` Perform the following to add a user to a given group:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups`3. Select the group to add a user to 4. Click `Add Users To Group`5. Select the users to be added to the group 6. Click `Add Users` Perform the following to remove a direct association between a user and policy:1. 
Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left navigation pane, click on Users 3. For each user:- Select the user- Click on the `Permissions` tab- Expand `Permissions policies` - Click `X` for each policy; then click Detach or Remove (depending on policy type)","AdditionalInformation": ""}],"description": "Ensure IAM Users Receive Permissions Only Through Groups","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.16": {"name": "1.16","checks": {"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam","Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges.","DefaultValue": null,"AuditProcedure": "Perform the following to determine what policies are created:**From Command Line:**1. Run the following to get a list of IAM policies: ```aws iam list-policies --only-attached --output text ``` 2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account: ```aws iam get-policy-version --policy-arn  --version-id  ``` 3. 
In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.","RemediationProcedure": "**From Console:**Perform the following to detach the policy that has full administrative privileges:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click Policies and then search for the policy name found in the audit step. 3. Select the policy that needs to be deleted. 4. In the policy action menu, select first `Detach`5. Select all Users, Groups, Roles that have this policy attached 6. Click `Detach Policy`7. In the policy action menu, select `Detach` **From Command Line:**Perform the following to detach the policy that has full administrative privileges as found in the audit step:1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.```aws iam list-entities-for-policy --policy-arn  ``` 2. Detach the policy from all IAM Users: ```aws iam detach-user-policy --user-name  --policy-arn  ``` 3. Detach the policy from all IAM Groups: ```aws iam detach-group-policy --group-name  --policy-arn  ``` 4. 
Detach the policy from all IAM Roles: ```aws iam detach-role-policy --role-name  --policy-arn  ```","AdditionalInformation": ""}],"description": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.17": {"name": "1.17","checks": {"iam_support_role_created": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html","Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.","DefaultValue": null,"AuditProcedure": "**From Command Line:**1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value: ``` aws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\" ``` 2. Check if the 'AWSSupportAccess' policy is attached to any role:``` aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess ```3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'If it returns empty refer to the remediation below.","ImpactStatement": "All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. 
Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month's AWS usage charges, subject to a monthly minimum, billed in advance.","AssessmentStatus": "Automated","RationaleStatement": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.","RemediationProcedure": "**From Command Line:**1. Create an IAM role for managing incidents with AWS:- Create a trust relationship policy document that allows  to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json: ```{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"\"},\"Action\": \"sts:AssumeRole\"}]} ``` 2. Create the IAM role using the above trust policy: ``` aws iam create-role --role-name  --assume-role-policy-document file:///tmp/TrustPolicy.json ``` 3. Attach 'AWSSupportAccess' managed policy to the created IAM role: ``` aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name  ```","AdditionalInformation": "AWSSupportAccess policy is a global AWS resource. It has same ARN as `arn:aws:iam::aws:policy/AWSSupportAccess` for every account."}],"description": "Ensure a support role has been created to manage incidents with AWS Support","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.18": {"name": "1.18","checks": {"ec2_instance_profile_attached": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html","Description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.","DefaultValue": null,"AuditProcedure": "Where an instance is associated with a Role:For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose \"Instances\" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.Where an Instance Contains Embedded Credentials:- On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.Where an Instance Application Contains Embedded Credentials:- Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. 
Another method is to examine all source code and configuration files of the application.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.","RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known. 2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected. 3. Shutdown both the existing instance and the new instance. 4. Detach disks from both instances. 5. Attach the existing instance disks to the new instance. 6. 
Boot the new instance and you should have the same machine, but with the associated role.**Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.**Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.","AdditionalInformation": ""}],"description": "Ensure IAM instance roles are used for AWS resource access from instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.19": {"name": "1.19","checks": {"iam_no_expired_server_certificates_stored": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html","Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. 
Additionally, you cannot manage your certificates from the IAM Console.","DefaultValue": null,"AuditProcedure": "**From Console:**Getting the certificates expiration information via AWS Management Console is not currently supported.To request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**Run list-server-certificates command to list all the IAM-stored server certificates:``` aws iam list-server-certificates ```The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):``` {\"ServerCertificateMetadataList\": [{\"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",\"ServerCertificateName\": \"MyServerCertificate\",\"Expiration\": \"2018-07-10T23:59:59Z\",\"Path\": \"/\",\"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",\"UploadDate\": \"2018-06-10T11:56:08Z\"}] } ```Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.If this command returns: ``` { { \"ServerCertificateMetadataList\": [] } ``` This means that there are no expired certificates, It DOES NOT mean that no certificates exist.","ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. 
One has to make configurations at respective services to ensure there is no interruption in application functionality.","AssessmentStatus": "Automated","RationaleStatement": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.","RemediationProcedure": "**From Console:**Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**To delete Expired Certificate run following command by replacing  with the name of the certificate to delete:``` aws iam delete-server-certificate --server-certificate-name  ```When the preceding command is successful, it does not return any output.","AdditionalInformation": ""}],"description": "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.20": {"name": "1.20","checks": {"accessanalyzer_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html","Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. 
Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Open the IAM console at `https://console.aws.amazon.com/iam/` 2. Choose `Access analyzer` 3. Click 'Analyzers' 4. Ensure that at least one analyzer is present 5. Ensure that the `STATUS` is set to `Active` 6. Repeat these step for each active region**From Command Line:**1. Run the following command: ``` aws accessanalyzer list-analyzers | grep status ``` 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`3. Repeat the steps above for each active region.If an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.","RemediationProcedure": "**From Console:**Perform the following to enable IAM Access analyzer for IAM policies:1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 2. Choose `Access analyzer`. 3. Choose `Create analyzer`. 4. 
On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer. 5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`. 6. Add any tags that you want to apply to the analyzer. `Optional`.7. Choose `Create Analyzer`. 8. Repeat these step for each active region**From Command Line:**Run the following command: ``` aws accessanalyzer create-analyzer --analyzer-name  --type  ``` Repeat this command above for each active region.**Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.","AdditionalInformation": ""}],"description": "Ensure that IAM Access analyzer is enabled for all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.21": {"name": "1.21","checks": {"iam_check_saml_providers_sts": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "","Description": "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.","DefaultValue": null,"AuditProcedure": "For multi-account AWS environments with an external identity provider... 1. Determine the master account for identity federation or IAM user management 2. Login to that account through the AWS Management Console 3. Click `Services`4. Click `IAM`5. Click `Identity providers` 6. Verify the configurationThen..., determine all accounts that should not have local users present. For each account...1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. 
Confirm that no IAM users representing individuals are presentFor multi-account AWS environments implementing AWS Organizations without an external identity provider... 1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. Confirm that no IAM users representing individuals are present","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.","RemediationProcedure": "The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.","AdditionalInformation": ""}],"description": "Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.22": {"name": "1.22","checks": {},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html","Description": "AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. 
So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers.","DefaultValue": null,"AuditProcedure": "**From Console** 1. Open the IAM console at https://console.aws.amazon.com/iam/2. In the left pane, select Policies3. Search for and select AWSCloudShellFullAccess4. On the Entities attached tab, ensure that there are no entities using this policy **From Command Line**1. List IAM policies, filter for the 'AWSCloudShellFullAccess' managed policy, and note the \"\"Arn\"\" element value:```aws iam list-policies --query \"\"Policies[?PolicyName == 'AWSCloudShellFullAccess']\"\"``` 2. Check if the 'AWSCloudShellFullAccess' policy is attached to any role: ```aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess```3. In Output, Ensure PolicyRoles returns empty. 'Example: Example: PolicyRoles: [ ]'If it does not return empty refer to the remediation below.Note: Keep in mind that other policies may grant access.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Access to this policy should be restricted as it presents a potential channel for data exfiltration by malicious cloud admins that are given full permissions to the service. AWS documentation describes how to create a more restrictive IAM policy which denies file transfer permissions.","RemediationProcedure": "**From Console**1. Open the IAM console at https://console.aws.amazon.com/iam/2. In the left pane, select Policies 3. Search for and select AWSCloudShellFullAccess4. On the Entities attached tab, for each item, check the box and select Detach","AdditionalInformation": ""}],"description": "Ensure access to AWSCloudShellFullAccess is restricted","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.10": {"name": "3.10","checks": {"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/` 2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine. 3. Review `General details` 4. Confirm that `Multi-region trail` is set to `Yes` 5. Scroll down to `Data events` 6. Confirm that it reads: Data events: S3 Bucket Name: All current and future S3 buckets Read: Enabled Write: Enabled 7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail. If the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.**From Command Line:**1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions: ``` aws cloudtrail list-trails ``` 2. The command output will be a list of all the trail names to include. \"TrailARN\": \"arn:aws:cloudtrail:::trail/\", \"Name\": \"\", \"HomeRegion\": \"\" 3. Next run 'get-trail- command to determine Multi-region. ``` aws cloudtrail get-trail --name  --region  ``` 4. The command output should include: \"IsMultiRegionTrail\": true, 5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 6. 
The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. \"Type\": \"AWS::S3::Object\",\"Values\": [\"arn:aws:s3\" 7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered. If Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled. 6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.**From Command Line:**1. 
To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of write events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for write events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.11": {"name": "3.11","checks": {"cloudtrail_s3_dataevents_read_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. 
If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set. 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.**From Command Line:** 1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: ``` aws cloudtrail describe-trails --region  --output table --query trailList[*].Name ``` 2. The command output will be table of the requested trail names. 3. Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. 5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. 7. 
Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled. 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.**From Command Line:** 1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. 
Repeat step 1 for each s3 bucket to update `object-level` logging of read events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for read events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.10": {"name": "4.10","checks": {"cloudwatch_log_metric_filter_security_group_changes": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '']\" ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"\" --filter-name \"\" --metric-transformations metricName= \"\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name \"\" ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn \"\" --protocol  --notification-endpoint \"\" ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"\" --metric-name \"\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"\" ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for security group changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.11": {"name": "4.11","checks": {"cloudwatch_changes_to_network_acls_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.12": {"name": "4.12","checks": {"cloudwatch_changes_to_network_gateways_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to network gateways","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.13": {"name": "4.13","checks": {"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for route table changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for route table changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.14": {"name": "4.14","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for VPC changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.15": {"name": "4.15","checks": {"cloudwatch_log_metric_filter_aws_organizations_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.","DefaultValue": null,"AuditProcedure": "1. 
Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured: - Identify the log group name configured for use with active multi-region CloudTrail: - List all CloudTrails:``` aws cloudtrail describe-trails ``` - Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true - From value associated with CloudWatchLogsLogGroupArn note **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active: ``` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events: ``` aws cloudtrail get-event-selectors --trail-name  ``` - Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.2. Get a list of all associated metric filters for this : ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\" ``` 4. 
Note the `` value associated with the filterPattern found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4: ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the AlarmActions value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic: ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. Example of valid \"SubscriptionArn\":``` \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `` taken from audit step 1: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }' ``` **Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify: ``` aws sns create-topic --name  ``` **Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2: ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2: ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": ""}],"description": "Ensure a log metric filter and alarm exists for AWS Organizations changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.16": {"name": "4.16","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-get-started.html:https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-api:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/enable-security-hub.html","Description": "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.","DefaultValue": null,"AuditProcedure": "The process to evaluate AWS Security Hub configuration per region **From Console:**1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. 2. On the top right of the console, select the target Region. 3. If presented with the Security Hub > Summary page then Security Hub is set-up for the selected region. 4. 
If presented with Setup Security Hub or Get Started With Security Hub - follow the online instructions. 5. Repeat steps 2 to 4 for each region.","ImpactStatement": "It is recommended AWS Security Hub be enabled in all regions. AWS Security Hub requires AWS Config to be enabled.","AssessmentStatus": "Automated","RationaleStatement": "AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices - enabling you to quickly assess the security posture across your AWS accounts.","RemediationProcedure": "To grant the permissions required to enable Security Hub, attach the Security Hub managed policy AWSSecurityHubFullAccess to an IAM user, group, or role.Enabling Security Hub**From Console:**1. Use the credentials of the IAM identity to sign in to the Security Hub console. 2. When you open the Security Hub console for the first time, choose Enable AWS Security Hub. 3. On the welcome page, Security standards list the security standards that Security Hub supports. 4. Choose Enable Security Hub.**From Command Line:**1. Run the enable-security-hub command. To enable the default standards, include `--enable-default-standards`. ``` aws securityhub enable-security-hub --enable-default-standards ```2. To enable the security hub without the default standards, include `--no-enable-default-standards`. ``` aws securityhub enable-security-hub --no-enable-default-standards ```","AdditionalInformation": ""}],"description": "Ensure AWS Security Hub is enabled","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.1": {"name": "2.1.1","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "2.1. 
Simple Storage Service (S3)","References": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html","Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.","DefaultValue": null,"AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions', then Click on `Bucket Policy`. 4. Ensure that a policy is listed that matches: ``` '{\"Sid\": ,\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}' ``` `` and `` will be specific to your account5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets``` aws s3 ls ``` 2. Using the list of buckets run this command on each of them: ``` aws s3api get-bucket-policy --bucket  | grep aws:SecureTransport ``` 3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false` 4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. 
To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions'. 4. Click 'Bucket Policy' 5. Add this to the existing policy filling in the required information ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 6. Save 7. Repeat for all the buckets in your AWS account that contain sensitive data.**From Console** using AWS Policy Generator:1. Repeat steps 1-4 above. 2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor 3. Select Policy Type `S3 Bucket Policy` 4. Add Statements - `Effect` = Deny - `Principal` = * - `AWS Service` = Amazon S3 - `Actions` = * - `Amazon Resource Name` =  5. Generate Policy 6. Copy the text and add it to the Bucket Policy.**From Command Line:**1. Export the bucket policy to a json file. ``` aws s3api get-bucket-policy --bucket  --query Policy --output text > policy.json ```2. Modify the policy.json file by adding in this statement: ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 3. 
Apply this modified policy back to the S3 bucket: ``` aws s3api put-bucket-policy --bucket  --policy file://policy.json ```","AdditionalInformation": ""}],"description": "Ensure S3 Bucket Policy is set to deny HTTP requests","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.2": {"name": "2.1.2","checks": {"s3_bucket_no_mfa_delete": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html","Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","DefaultValue": null,"AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket**From Console:**1. Login to the S3 console at `https://console.aws.amazon.com/s3/`2. Click the `Check` box next to the Bucket name you want to confirm3. In the window under `Properties`4. Confirm that Versioning is `Enabled`5. Confirm that MFA Delete is `Enabled`**From Command Line:**1. 
Run the `get-bucket-versioning` ``` aws s3api get-bucket-versioning --bucket my-bucket ```Output example: ```  EnabledEnabled ```If the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.","RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.Note: -You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API. -You must use your 'root' account to enable MFA Delete on S3 buckets.**From Command line:**1. Run the s3api put-bucket-versioning command``` aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” ```","AdditionalInformation": ""}],"description": "Ensure MFA Delete is enabled on S3 buckets","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.3": {"name": "2.1.3","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. Simple Storage Service (S3)","References": "https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html","Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. 
Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.","DefaultValue": null,"AuditProcedure": "Perform the following steps to determine if Macie is running:**From Console:** 1. Login to the Macie console at https://console.aws.amazon.com/macie/ 2. In the left hand pane click on By job under findings. 3. Confirm that you have a Job setup for your S3 BucketsWhen you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.","ImpactStatement": "There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.","AssessmentStatus": "Manual","RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.","RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie**From Console:**1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`2. Click `Get started`.3. Click `Enable Macie`.Setup a repository for sensitive data discovery results1. In the Left pane, under Settings, click `Discovery results`.2. Make sure `Create bucket` is selected.3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.4. Click on `Advanced`.5. Block all public access, make sure `Yes` is selected.6. 
KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.7. Click on `Save`Create a job to discover sensitive data1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.2. Select the `check box` for each bucket that you want Macie to analyze as part of the job3. Click `Create job`.3. Click `Quick create`.4. For the Name and description step, enter a name and, optionally, a description of the job.5. Then click `Next`.6. For the Review and create step, click `Submit`.Review your findings1. In the left pane, click `Findings`.2. To view the details of a specific finding, choose any field other than the check box for the finding.If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.","AdditionalInformation": ""}],"description": "Ensure all data in Amazon S3 has been discovered, classified and secured when required.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.4": {"name": "2.1.4","checks": {"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html","Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. 
While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.","DefaultValue": null,"AuditProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Ensure that block public access settings are set appropriately for this bucket 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Find the public access setting on that bucket ``` aws s3api get-public-access-block --bucket  ``` Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"BlockPublicAcls\": true,\"IgnorePublicAcls\": true,\"BlockPublicPolicy\": true,\"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.**If utilizing Block Public Access (account settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block public access (account settings)` 3. 
Ensure that block public access settings are set appropriately for your AWS account.**From Command Line:**To check Public access settings for this account status, run the following command, `aws s3control get-public-access-block --account-id  --region `Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"IgnorePublicAcls\": true, \"BlockPublicPolicy\": true, \"BlockPublicAcls\": true, \"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.","ImpactStatement": "When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.","AssessmentStatus": "Automated","RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s). Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.","RemediationProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Click 'Block all public access' 5. Repeat for all the buckets in your AWS account that contain sensitive data.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. 
Set the Block Public Access to true on that bucket ``` aws s3api put-public-access-block --bucket  --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\" ```**If utilizing Block Public Access (account settings)****From Console:**If the output reads `true` for the separate configuration settings then it is set on the account.1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block Public Access (account settings)` 3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account 4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons. 5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.**From Command Line:**To set Block Public access settings for this account, run the following command: ``` aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id  ```","AdditionalInformation": ""}],"description": "Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.2.1": {"name": "2.2.1","checks": {"ec2_ebs_volume_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.2. Elastic Compute Cloud (EC2)","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html:https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/","Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 get-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Review every region in-use.**Note:** EBS volume encryption is configured per region.","ImpactStatement": "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption` 6. Repeat for every region requiring the change.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 enable-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Repeat every region requiring the change.**Note:** EBS volume encryption is configured per region.","AdditionalInformation": "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are **not** converted automatically."}],"description": "Ensure EBS Volume Encryption is Enabled in all Regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.1": {"name": "2.3.1","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html:https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/#:~:text=With%20RDS%2Dencrypted%20resources%2C%20data,transparent%20to%20your%20database%20engine.:https://aws.amazon.com/rds/features/security/","Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/ 2. In the navigation pane, under RDS dashboard, click `Databases`. 3. Select the RDS Instance that you want to examine 4. Click `Instance Name` to see details, then click on `Configuration` tab. 5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status. 6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance. 7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region. 8. Change region from the top of the navigation bar and repeat audit for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. 
Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ``` 3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance. 4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases` 3. Select the Database instance that needs to be encrypted. 4. Click on `Actions` button placed at the top right and select `Take Snapshot`. 5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`. 6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu. 7. On the Make Copy of DB Snapshot page, perform the following:- In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`. - Check `Copy Tags`, New snapshot must have the same tags as the source snapshot. 
- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot. 9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance. 10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field. 11. Review the instance configuration details and click `Restore DB Instance`. 12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name. ``` aws rds create-db-snapshot --region  --db-snapshot-identifier  --db-instance-identifier  ``` 3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key. ``` aws kms list-aliases --region  ``` 4. 
Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`. ``` aws rds copy-db-snapshot --region  --source-db-snapshot-identifier  --target-db-snapshot-identifier  --copy-tags --kms-key-id  ``` 5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration. ``` aws rds restore-db-instance-from-db-snapshot --region  --db-instance-identifier  --db-snapshot-identifier  ``` 6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ```","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for RDS Instances","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.3.2": {"name": "2.3.2","checks": {"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to examine. 4. Click on the `Maintenance and backups` panel. 5. Under the `Maintenance` section, search for the Auto Minor Version Upgrade status. - If the current status is set to `Disabled`, means the feature is not set and the minor engine upgrades released will not be applied to the selected RDS instance**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run again `describe-db-instances` command using the RDS instance identifier returned earlier to determine the Auto Minor Version Upgrade status for the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 4. The command output should return the feature current status. 
If the current status is set to `true`, the feature is enabled and the minor engine upgrades will be applied to the selected RDS instance.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS RDS will occasionally deprecate minor engine versions and provide new ones for an upgrade. When the last version number within the release is replaced, the version changed is considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades will occur automatically during the specified maintenance window so your RDS instances can get the new features, bug fixes, and security patches for their database engines.","RemediationProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to update. 4. Click on the `Modify` button placed on the top right side. 5. On the `Modify DB Instance: ` page, In the `Maintenance` section, select `Auto minor version upgrade` click on the `Yes` radio button. 6. At the bottom of the page click on `Continue`, check to Apply Immediately to apply the changes immediately, or select `Apply during the next scheduled maintenance window` to avoid any downtime. 7. Review the changes and click on `Modify DB Instance`. The instance status should change from available to modifying and back to available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should change to `Yes`.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database instance names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. 
Run the `modify-db-instance` command to modify the selected RDS instance configuration this command will apply the changes immediately, Remove `--apply-immediately` to apply changes during the next scheduled maintenance window and avoid any downtime: ``` aws rds modify-db-instance --region  --db-instance-identifier  --auto-minor-version-upgrade --apply-immediately ``` 4. The command output should reveal the new configuration metadata for the RDS instance and check `AutoMinorVersionUpgrade` parameter value. 5. Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has been successfully enable: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 6. The command output should return the feature current status set to `true`, the feature is `enabled` and the minor engine upgrades will be applied to the selected RDS instance.","AdditionalInformation": ""}],"description": "Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.3": {"name": "2.3.3","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to examine. 4. Click `Instance Name` from the dashboard, Under `Connectivity and Security. 5. On the `Security`, check if the Publicly Accessible flag status is set to `Yes`, follow the below-mentioned steps to check database subnet access. - In the `networking` section, click the subnet link available under `Subnets` - The link will redirect you to the VPC Subnets page. - Select the subnet listed on the page and click the `Route Table` tab from the dashboard bottom panel. If the route table contains any entries with the destination `CIDR block set to 0.0.0.0/0` and with an `Internet Gateway` attached. - The selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and can be accessible from the Internet. 6. Repeat steps no. 4 and 5 to determine the type (public or private) and subnet for other RDS database instances provisioned in the current region. 8. Change the AWS region from the navigation bar and repeat the audit process for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance `identifier`. 3. Run again `describe-db-instances` command using the `PubliclyAccessible` parameter as query filter to reveal the database instance Publicly Accessible flag status: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].PubliclyAccessible' ``` 4. Check for the Publicly Accessible parameter status, If the Publicly Accessible flag is set to `Yes`. 
Then selected RDS database instance is publicly accessible and insecure, follow the below-mentioned steps to check database subnet access 5. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC subnet(s) associated with the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.Subnets[]' ``` - The command output should list the subnets available in the selected database subnet group. 6. Run `describe-route-tables` command using the ID of the subnet returned at the previous step to describe the routes of the VPC route table associated with the selected subnet: ``` aws ec2 describe-route-tables --region  --filters \"Name=association.subnet-id,Values=\" --query 'RouteTables[*].Routes[]' ``` - If the command returns the route table associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet. - Or - If the command returns empty results, the route table is implicitly associated with subnet, therefore the audit process continues with the next step 7. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC ID associated with the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.VpcId' ``` - The command output should show the VPC ID in the selected database subnet group 8. 
Now run `describe-route-tables` command using the ID of the VPC returned at the previous step to describe the routes of the VPC main route table implicitly associated with the selected subnet: ``` aws ec2 describe-route-tables --region  --filters \"Name=vpc-id,Values=\" \"Name=association.main,Values=true\" --query 'RouteTables[*].Routes[]' ``` - The command output returns the VPC main route table implicitly associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and does not adhere to AWS security best practices.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.","RemediationProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to update. 4. Click `Modify` from the dashboard top menu. 5. On the Modify DB Instance panel, under the `Connectivity` section, click on `Additional connectivity configuration` and update the value for `Publicly Accessible` to Not publicly accessible to restrict public access. 
Follow the below steps to update subnet configurations: - Select the `Connectivity and security` tab, and click on the VPC attribute value inside the `Networking` section. - Select the `Details` tab from the VPC dashboard bottom panel and click on Route table configuration attribute value. - On the Route table details page, select the Routes tab from the dashboard bottom panel and click on `Edit routes`. - On the Edit routes page, update the Destination of Target which is set to `igw-xxxxx` and click on `Save` routes. 6. On the Modify DB Instance panel Click on `Continue` and In the Scheduling of modifications section, perform one of the following actions based on your requirements: - Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window. - Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application. 7. Repeat steps 3 to 6 for each RDS instance available in the current region. 8. Change the AWS region from the navigation bar to repeat the process for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names identifiers, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run `modify-db-instance` command to modify the selected RDS instance configuration. Then use the following command to disable the `Publicly Accessible` flag for the selected RDS instances. This command use the apply-immediately flag. 
If you want `to avoid any downtime --no-apply-immediately flag can be used`: ``` aws rds modify-db-instance --region  --db-instance-identifier  --no-publicly-accessible --apply-immediately ``` 4. The command output should reveal the `PubliclyAccessible` configuration under pending values and should get applied at the specified time. 5. Updating the Internet Gateway Destination via AWS CLI is not currently supported To update information about Internet Gateway use the AWS Console Procedure. 6. Repeat steps 1 to 5 for each RDS instance provisioned in the current region. 7. Change the AWS region by using the --region filter to repeat the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that public access is not given to RDS Instance","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.4.1": {"name": "2.4.1","checks": {"efs_encryption_at_rest_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.4 Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/efs/index.html#efs","Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).","DefaultValue": null,"AuditProcedure": "**From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS) dashboard. 2. Select `File Systems` from the left navigation panel. 3. Each item on the list has a visible Encrypted field that displays data at rest encryption status. 4. Validate that this field reads `Encrypted` for all EFS file systems in all AWS regions.**From CLI:** 1. Run describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region: ``` aws efs describe-file-systems --region  --output table --query 'FileSystems[*].FileSystemId' ``` 2. 
The command output should return a table with the requested file system IDs. 3. Run describe-file-systems command using the ID of the file system that you want to examine as identifier and the necessary query filters: ``` aws efs describe-file-systems --region  --file-system-id  --query 'FileSystems[*].Encrypted' ``` 4. The command output should return the file system encryption status true or false. If the returned value is `false`, the selected AWS EFS file system is not encrypted and if the returned value is `true`, the selected AWS EFS file system is encrypted.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.","RemediationProcedure": "**It is important to note that EFS file system data at rest encryption must be turned on when creating the file system.**If an EFS file system has been created without data at rest encryption enabled then you must create another EFS file system with the correct configuration and transfer the data.**Steps to create an EFS file system with data encrypted at rest:****From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS)` dashboard. 2. Select `File Systems` from the left navigation panel. 3. Click `Create File System` button from the dashboard top menu to start the file system setup process. 4. On the `Configure file system access` configuration page, perform the following actions. - Choose the right VPC from the VPC dropdown list. - Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets. - Click `Next step` to continue.5. Perform the following on the `Configure optional settings` page. - Create `tags` to describe your new file system. - Choose `performance mode` based on your requirements. 
- Check `Enable encryption` checkbox and choose `aws/elasticfilesystem` from Select KMS master key dropdown list to enable encryption for the new file system using the default master key provided and managed by AWS KMS. - Click `Next step` to continue.6. Review the file system configuration details on the `review and create` page and then click `Create File System` to create your new AWS EFS file system. 7. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 8. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. 9. Change the AWS region from the navigation bar and repeat the entire process for other aws regions.**From CLI:** 1. Run describe-file-systems command to describe the configuration information available for the selected (unencrypted) file system (see Audit section to identify the right resource): ``` aws efs describe-file-systems --region  --file-system-id  ``` 2. The command output should return the requested configuration information. 3. To provision a new AWS EFS file system, you need to generate a universally unique identifier (UUID) in order to create the token required by the create-file-system command. To create the required token, you can use a randomly generated UUID from \"https://www.uuidgenerator.net\". 4. Run create-file-system command using the unique token created at the previous step. ``` aws efs create-file-system --region  --creation-token  --performance-mode generalPurpose --encrypted ``` 5. The command output should return the new file system configuration metadata. 6. Run create-mount-target command using the newly created EFS file system ID returned at the previous step as identifier and the ID of the Availability Zone (AZ) that will represent the mount target: ``` aws efs create-mount-target --region  --file-system-id  --subnet-id  ``` 7. The command output should return the new mount target metadata. 8. 
Now you can mount your file system from an EC2 instance. 9. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 10. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. ``` aws efs delete-file-system --region  --file-system-id  ``` 11. Change the AWS region by updating the --region and repeat the entire process for other aws regions.","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for EFS file systems","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 52,"requirements_failed": 11,"requirements_manual": 1,"total_requirements": 64,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "7aee25d8-9e9a-44e1-8e01-336bfd9d9582","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_well_architected_framework_reliability_pillar_aws","framework": "AWS-Well-Architected-Framework-Reliability-Pillar","version": "","description": "Best Practices for the AWS Well-Architected Framework Reliability Pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. 
This includes the ability to operate and test the workload through its total lifecycle.","region": "eu-west-1","requirements": {"REL06-BP01": {"name": "REL06-BP01","checks": {"elb_logging_enabled": "FAIL","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","apigatewayv2_api_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_audit_logging_enabled": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled": "PASS"},"status": "FAIL","attributes": [{"Name": "REL06-BP01 Monitor all components for the workload (Generation)","Section": "Change management","SubSection": "Monitor workload resources","Description": "Monitor components and services of AWS workload effectifely, using tools like Amazon CloudWatch and AWS Health Dashboard. Define relevant metrics, set thresholds, and analyze metrics and logs for early detection of issues.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/rel_monitor_aws_resources_monitor_resources.html#implementation-guidance","WellArchitectedPracticeId": "rel_monitor_aws_resources_monitor_resources","WellArchitectedQuestionId": "monitor-aws-resources"}],"description": "Monitor components and services of AWS workload effectifely, using tools like Amazon CloudWatch and AWS Health Dashboard. 
Define relevant metrics, set thresholds, and analyze metrics and logs for early detection of issues.","checks_status": {"fail": 5,"pass": 2,"total": 9,"manual": 0}},"REL09-BP03": {"name": "REL09-BP03","checks": {"rds_instance_backup_enabled": "PASS","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","cloudformation_stacks_termination_protection_enabled": "FAIL"},"status": "FAIL","attributes": [{"Name": "REL09-BP03 Perform data backup automatically","Section": "Failure management","SubSection": "Backup up data","Description": "Configure backups to be taken automatically based on a periodic schedule informed by the Recovery Point Objective (RPO), or by changes in the dataset. Critical datasets with low data loss requirements need to be backed up automatically on a frequent basis, whereas less critical data where some loss is acceptable can be backed up less frequently.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/rel_backing_up_data_automated_backups_data.html#implementation-guidance","WellArchitectedPracticeId": "rel_backing_up_data_automated_backups_data","WellArchitectedQuestionId": "backing-up-data"}],"description": "Configure backups to be taken automatically based on a periodic schedule informed by the Recovery Point Objective (RPO), or by changes in the dataset. 
Critical datasets with low data loss requirements need to be backed up automatically on a frequent basis, whereas less critical data where some loss is acceptable can be backed up less frequently.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"REL10-BP01": {"name": "REL10-BP01","checks": {"rds_instance_multi_az": "FAIL"},"status": "FAIL","attributes": [{"Name": "REL10-BP01 Deploy the workload to multiple locations","Section": "Failure management","SubSection": "Use fault isolation to protect your workload","Description": "Distribute workload data and resources across multiple Availability Zones or, where necessary, across AWS Regions. These locations can be as diverse as required.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/use-fault-isolation-to-protect-your-workload.html#implementation-guidance.","WellArchitectedPracticeId": "rel_fault_isolation_multiaz_region_system","WellArchitectedQuestionId": "fault-isolation"}],"description": "Distribute workload data and resources across multiple Availability Zones or, where necessary, across AWS Regions. These locations can be as diverse as required.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 0,"requirements_failed": 3,"requirements_manual": 0,"total_requirements": 3,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "85c783d4-a01a-4297-b490-216e38ee144e","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "iso27001_2013_aws","framework": "ISO27001","version": "2013","description": "ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. 
National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.","region": "eu-west-1","requirements": {"A.9.2": {"name": "User Access Management","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Category": "A.9 Access Control","Objetive_ID": "A.9.2","Check_Summary": "Ensure no root account access key exists","Objetive_Name": "User Access Management"}],"description": "Ensure no root account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"A.9.3": {"name": "User Responsibilities","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Category": "A.9 Access Control","Objetive_ID": "A.9.3","Check_Summary": "Ensure credentials unused for 90 days or greater are disabled","Objetive_Name": "User Responsibilities"}],"description": "Ensure credentials unused for 90 days or greater are disabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"A.9.4": {"name": "System and Application Access Control","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Category": "A.9 Access Control","Objetive_ID": "A.9.4","Check_Summary": "Ensure no root account access key exists","Objetive_Name": "System and Application Access Control"}],"description": "Ensure no root account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"A.10.1": {"name": "Cryptographic Controls","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Category": "A.10 Cryptography","Objetive_ID": 
"A.10.1","Check_Summary": "Detect Customer Master Keys (CMKs) scheduled for deletion","Objetive_Name": "Cryptographic Controls"}],"description": "Detect Customer Master Keys (CMKs) scheduled for deletion","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"A.12.4": {"name": "Logging and Monitoring","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Category": "A.12 Operations Security","Objetive_ID": "A.12.4","Check_Summary": "Ensure CloudTrail is enabled in all regions","Objetive_Name": "Logging and Monitoring"}],"description": "Ensure CloudTrail is enabled in all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"A.12.6": {"name": "Technical Vulnerability Management","checks": {"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Category": "A.12 Operations Security","Objetive_ID": "A.12.6","Check_Summary": "Ensure the S3 bucket CloudTrail logs to is not publicly accessible","Objetive_Name": "Technical Vulnerability Management"}],"description": "Ensure the S3 bucket CloudTrail logs to is not publicly accessible","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"A.13.1": {"name": "Network Security Management","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Category": "A.13 Communications Security","Objetive_ID": "A.13.1","Check_Summary": "Ensure RDS instances are not accessible to the world.","Objetive_Name": "Network Security Management"}],"description": "Ensure RDS instances are not accessible to the world.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}}},"requirements_passed": 79,"requirements_failed": 0,"requirements_manual": 0,"total_requirements": 79,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "86401f28-9311-42b9-ac06-a3cdcc9e5e39","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": 
"2024-11-15T13:14:10.043Z","compliance_id": "soc2_aws","framework": "SOC2","version": "","description": "System and Organization Controls (SOC), defined by the American Institute of Certified Public Accountants (AICPA), is the name of a set of reports that's produced during an audit. It's intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories known as Trust Service Principles.","region": "eu-west-1","requirements": {"p_1_1": {"name": "P1.1 The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_1_1","Section": "P1.0 - Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy. Communicates to Data Subjects - Notice is provided to data subjects regarding the following: Purpose for collecting personal informationChoice and consentTypes of personal information collectedMethods of collection (for example, use of cookies or other tracking techniques)Use, retention, and disposalAccessDisclosure to third partiesSecurity for privacyQuality, including data subjects’ responsibilities for qualityMonitoring and enforcementIf personal information is collected from sources other than the individual, such sources are described in the privacy notice. 
Provides Notice to Data Subjects - Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified. Covers Entities and Activities in Notice - An objective description of the entities and activities covered is included in the entity’s privacy notice. Uses Clear and Conspicuous Language - The entity’s privacy notice is conspicuous and uses clear language.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_2_1": {"name": "P2.1 The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_2_1","Section": "P2.0 - Privacy Criteria Related to Choice and Consent","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented. 
Communicates to Data Subjects - Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise. Communicates Consequences of Denying or Withdrawing Consent - When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice. Obtains Implicit or Explicit Consent - Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. The individual’s preferences expressed in his or her consent are confirmed and implemented. Documents and Obtains Consent for New Purposes and Uses - If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose. 
Obtains Explicit Consent for Sensitive Information - Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_3_1": {"name": "P3.1 Personal information is collected consistent with the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_3_1","Section": "P3.0 - Privacy Criteria Related to Collection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Limits the Collection of Personal Information - The collection of personal information is limited to that necessary to meet the entity’s objectives. Collects Information by Fair and Lawful Means - Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information. Collects Information From Reliable Sources - Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully. 
Informs Data Subjects When Additional Information Is Acquired - Data subjects are informed if the entity develops or acquires additional information about them for its use.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_3_2": {"name": "P3.2 For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_3_2","Section": "P3.0 - Privacy Criteria Related to Collection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Obtains Explicit Consent for Sensitive Information - Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise. 
Documents Explicit Consent to Retain Information - Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_4_1": {"name": "P4.1 The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_4_1","Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Uses Personal Information for Intended Purposes - Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained unless a law or regulation specifically requires otherwise.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_4_2": {"name": "P4.2 The entity retains personal information consistent with the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_4_2","Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Retains Personal Information - Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise. 
Protects Personal Information - Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_4_3": {"name": "P4.3 The entity securely disposes of personal information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_4_3","Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Captures, Identifies, and Flags Requests for Deletion - Requests for deletion of personal information are captured, and information related to the requests is identified and flagged for destruction to meet the entity’s objectives related to privacy. Disposes of, Destroys, and Redacts Personal Information - Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access. 
Destroys Personal Information - Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_5_1": {"name": "P5.1 The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_5_1","Section": "P5.0 - Privacy Criteria Related to Access","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy. Authenticates Data Subjects’ Identity - The identity of data subjects who request access to their personal information is authenticated before they are given access to that information. Permits Data Subjects Access to Their Personal Information - Data subjects are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information. Provides Understandable Personal Information Within Reasonable Time - Personal information is provided to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost, if any. 
Informs Data Subjects If Access Is Denied - When data subjects are denied access to their personal information, the entity informs them of the denial and the reason for the denial in a timely manner, unless prohibited by law or regulation.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_5_2": {"name": "P5.2 The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_5_2","Section": "P5.0 - Privacy Criteria Related to Access","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy. Communicates Denial of Access Requests - Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation. Permits Data Subjects to Update or Correct Personal Information - Data subjects are able to update or correct personal information held by the entity. The entity provides such updated or corrected information to third parties that were previously provided with the data subject’s personal information consistent with the entity’s objective related to privacy. 
Communicates Denial of Correction Requests - Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_1": {"name": "P6.1 The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_1","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Communicates Privacy Policies to Third Parties - Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed. Discloses Personal Information Only When Appropriate - Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise. Discloses Personal Information Only to Appropriate Third Parties - Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. 
The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_2": {"name": "P6.2 The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_2","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Creates and Retains Record of Authorized Disclosures - The entity creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_3": {"name": "P6.3 The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_3","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Creates and Retains Record of Detected or Reported Unauthorized Disclosures - The entity creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_4": {"name": "P6.4 The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_4","Section": "P6.0 - Privacy Criteria Related to Disclosure 
and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary. Discloses Personal Information Only to Appropriate Third Parties - Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements. Remediates Misuse of Personal Information by a Third Party - The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_5": {"name": "P6.5 The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_5","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy. 
Remediates Misuse of Personal Information by a Third Party - The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. Reports Actual or Suspected Unauthorized Disclosures - A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_6": {"name": "P6.6 The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_6","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Remediates Misuse of Personal Information by a Third Party - The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. 
Reports Actual or Suspected Unauthorized Disclosures - A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_7": {"name": "P6.7 The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_7","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identifies Types of Personal Information and Handling Process - The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. Captures, Identifies, and Communicates Requests for Information - Requests for an accounting of personal information held and disclosures of the data subjects’ personal information are captured, and information related to the requests is identified and communicated to data subjects to meet the entity’s objectives related to privacy.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_7_1": {"name": "P7.1 The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_7_1","Section": "P7.0 - Privacy Criteria Related to Quality","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Ensures Accuracy and Completeness of Personal Information - Personal information is accurate and complete for the purposes for which it is to be used. 
Ensures Relevance of Personal Information - Personal information is relevant to the purposes for which it is to be used.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_8_1": {"name": "P8.1 The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_8_1","Section": "P8.0 - Privacy Criteria Related to Monitoring and Enforcement","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner. Communicates to Data Subjects—Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes. Addresses Inquiries, Complaints, and Disputes - A process is in place to address inquiries, complaints, and disputes. Documents and Communicates Dispute Resolution and Recourse - Each complaint is addressed, and the resolution is documented and communicated to the individual. Documents and Reports Compliance Review Results - Compliance with objectives related to privacy are reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. Documents and Reports Instances of Noncompliance - Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis. 
Performs Ongoing Monitoring - Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_1_1": {"name": "CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_1_1","Section": "CC1.0 - Common Criteria Related to Control Environment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Sets the Tone at the Top - The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. Establishes Standards of Conduct - The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. Evaluates Adherence to Standards of Conduct - Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct. 
Addresses Deviations in a Timely Manner - Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_1_2": {"name": "CC1.2 COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_1_2","Section": "CC1.0 - Common Criteria Related to Control Environment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establishes Oversight Responsibilities - The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations. Applies Relevant Expertise - The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action. Operates Independently - The board of directors has sufficient members who are independent from management and objective in evaluations and decision making. 
Additional point of focus specifically related to all engagements using the trust services criteria: Supplements Board Expertise - The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_1_3": {"name": "CC1.3 COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_1_3","Section": "CC1.0 - Common Criteria Related to Control Environment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Considers All Structures of the Entity - Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives. Establishes Reporting Lines - Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. Defines, Assigns, and Limits Authorities and Responsibilities - Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. 
Additional points of focus specifically related to all engagements using the trust services criteria: Addresses Specific Requirements When Defining Authorities and Responsibilities—Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"cc_1_4": {"name": "CC1.4 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_1_4","Section": "CC1.0 - Common Criteria Related to Control Environment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establishes Policies and Practices - Policies and practices reflect expectations of competence necessary to support the achievement of objectives. Evaluates Competence and Addresses Shortcomings - The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings. Attracts, Develops, and Retains Individuals - The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. Plans and Prepares for Succession - Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control. 
Additional point of focus specifically related to all engagements using the trust services criteria: Considers the Background of Individuals - The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. Considers the Technical Competency of Individuals - The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. Provides Training to Maintain Technical Competencies - The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_1_5": {"name": "CC1.5 COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_1_5","Section": "CC1.0 - Common Criteria Related to Control Environment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Enforces Accountability Through Structures, Authorities, and Responsibilities - Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. Establishes Performance Measures, Incentives, and Rewards - Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives. 
Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance - Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives. Considers Excessive Pressures - Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. Evaluates Performance and Rewards or Disciplines Individuals - Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_2_1": {"name": "CC2.1 COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control","checks": {"cloudtrail_multi_region_enabled": "PASS","config_recorder_all_regions_enabled": null,"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_2_1","Section": "CC2.0 - Common Criteria Related to Communication and Information","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identifies Information Requirements - A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives. Captures Internal and External Sources of Data - Information systems capture internal and external sources of data. Processes Relevant Data Into Information - Information systems process and transform relevant data into information. 
Maintains Quality Throughout Processing - Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.","checks_status": {"fail": 0,"pass": 1,"total": 4,"manual": 0}},"cc_2_2": {"name": "CC2.2 COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_2_2","Section": "CC2.0 - Common Criteria Related to Communication and Information","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Communicates Internal Control Information - A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. Communicates With the Board of Directors - Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives. Provides Separate Communication Lines - Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. Selects Relevant Method of Communication - The method of communication considers the timing, audience, and nature of the information. 
Additional point of focus specifically related to all engagements using the trust services criteria: Communicates Responsibilities - Entity personnel with responsibility for designing, developing, implementing,operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities. Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters—Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel. Communicates Objectives and Changes to Objectives - The entity communicates its objectives and changes to those objectives to personnel in a timely manner. Communicates Information to Improve Security Knowledge and Awareness - The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: Communicates Information About System Operation and Boundaries - The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized personnel to enable them to understand their role in the system and the results of system operation. Communicates System Objectives - The entity communicates its objectives to personnel to enable them to carry out their responsibilities. 
Communicates System Changes - System changes that affect responsibilities or the achievement of the entity's objectives are communicated in a timely manner.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_2_3": {"name": "CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_2_3","Section": "CC2.0 - Common Criteria Related to Communication and Information","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Communicates to External Parties - Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. Enables Inbound Communications - Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. Communicates With the Board of Directors - Relevant information resulting from assessments conducted by external parties is communicated to the board of directors. Provides Separate Communication Lines - Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. Selects Relevant Method of Communication - The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. Communicates Objectives Related to Confidentiality and Changes to Objectives - The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality. 
Additional point of focus that applies only to an engagement using the trust services criteria for privacy: Communicates Objectives Related to Privacy and Changes to Objectives - The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: Communicates Information About System Operation and Boundaries - The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. Communicates System Objectives - The entity communicates its system objectives to appropriate external users. Communicates System Responsibilities - External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities. 
Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters - External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_3_1": {"name": "CC3.1 COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_3_1","Section": "CC3.0 - Common Criteria Related to Risk Assessment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Operations Objectives: Reflects Management's Choices - Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity. Considers Tolerances for Risk - Management considers the acceptable levels of variation relative to the achievement of operations objectives. External Financial Reporting Objectives: Complies With Applicable Accounting Standards - Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances. External Nonfinancial Reporting Objectives: Complies With Externally Established Frameworks - Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations. Reflects Entity Activities - External reporting reflects the underlying transactions and events within a range of acceptable limits. Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting. 
Internal Reporting Objectives: Reflects Management's Choices - Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity. Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives. Reflects Entity Activities—Internal reporting reflects the underlying transactions and events within a range of acceptable limits. Compliance Objectives: Reflects External Laws and Regulations - Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives. Considers Tolerances for Risk - Management considers the acceptable levels of variation relative to the achievement of operations objectives. Additional point of focus specifically related to all engagements using the trust services criteria: Establishes Sub-objectives to Support Objectives—Management identifies sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of the entity’s objectives related to reporting, operations, and compliance.","checks_status": {"fail": 0,"pass": 2,"total": 3,"manual": 0}},"cc_3_2": {"name": "CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed","checks": {"guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_3_2","Section": "CC3.0 - Common Criteria Related to Risk Assessment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels - 
The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives. Analyzes Internal and External Factors - Risk identification considers both internal and external factors and their impact on the achievement of objectives. Involves Appropriate Levels of Management - The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management. Estimates Significance of Risks Identified - Identified risks are analyzed through a process that includes estimating the potential significance of the risk. Determines How to Respond to Risks - Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk. Additional points of focus specifically related to all engagements using the trust services criteria: Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities - The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.","checks_status": {"fail": 3,"pass": 1,"total": 5,"manual": 0}},"cc_3_3": {"name": "CC3.3 COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_3_3","Section": "CC3.0 - Common Criteria Related to Risk Assessment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Considers Various Types of Fraud - The assessment of fraud considers fraudulent 
reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur. Assesses Incentives and Pressures - The assessment of fraud risks considers incentives and pressures. Assesses Opportunities - The assessment of fraud risk considers opportunities for unauthorized acquisition,use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts. Assesses Attitudes and Rationalizations - The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. Additional point of focus specifically related to all engagements using the trust services criteria: Considers the Risks Related to the Use of IT and Access to Information - The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_3_4": {"name": "CC3.4 COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_3_4","Section": "CC3.0 - Common Criteria Related to Risk Assessment","Service": "config","SubGroup": null,"SubSection": null}],"description": "Assesses Changes in the External Environment - The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates. Assesses Changes in the Business Model - The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies. 
Assesses Changes in Leadership - The entity considers changes in management and respective attitudes and philosophies on the system of internal control. Assess Changes in Systems and Technology - The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment. Assess Changes in Vendor and Business Partner Relationships - The risk identification process considers changes in vendor and business partner relationships.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"cc_4_1": {"name": "CC4.1 COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_4_1","Section": "CC4.0 - Monitoring Activities","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Considers a Mix of Ongoing and Separate Evaluations - Management includes a balance of ongoing and separate evaluations. Considers Rate of Change - Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations. Establishes Baseline Understanding - The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations. Uses Knowledgeable Personnel - Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated. Integrates With Business Processes - Ongoing evaluations are built into the business processes and adjust to changing conditions. Adjusts Scope and Frequency—Management varies the scope and frequency of separate evaluations depending on risk. Objectively Evaluates - Separate evaluations are performed periodically to provide objective feedback. 
Considers Different Types of Ongoing and Separate Evaluations - Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_4_2": {"name": "CC4.2 COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_4_2","Section": "CC4.0 - Monitoring Activities","Service": "guardduty","SubGroup": null,"SubSection": null}],"description": "Assesses Results - Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations. Communicates Deficiencies - Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate. Monitors Corrective Action - Management tracks whether deficiencies are remedied on a timely basis.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"cc_5_1": {"name": "CC5.1 COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_5_1","Section": "CC5.0 - Control Activities","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Integrates With Risk Assessment - Control activities help ensure that risk responses that address and mitigate risks are carried out. 
Considers Entity-Specific Factors - Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities. Determines Relevant Business Processes - Management determines which relevant business processes require control activities. Evaluates a Mix of 2017 Data Submitted Types - Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls. Considers at What Level Activities Are Applied - Management considers control activities at various levels in the entity. Addresses Segregation of Duties - Management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_5_2": {"name": "CC5.2 COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_5_2","Section": "CC5.0 - Control Activities","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls - Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls. Establishes Relevant Technology Infrastructure Control Activities - Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing. 
Establishes Relevant Security Management Process Controls Activities - Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats. Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities - Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_5_3": {"name": "CCC5.3 COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_5_3","Section": "CC5.0 - Control Activities","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establishes Policies and Procedures to Support Deployment of Management ‘s Directives - Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions. Establishes Responsibility and Accountability for Executing Policies and Procedures - Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside. Performs in a Timely Manner - Responsible personnel perform control activities in a timely manner as defined by the policies and procedures. Takes Corrective Action - Responsible personnel investigate and act on matters identified as a result of executing control activities. 
Performs Using Competent Personnel - Competent personnel with sufficient authority perform control activities with diligence and continuing focus. Reassesses Policies and Procedures - Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_6_1": {"name": "CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives","checks": {"s3_bucket_public_access": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_6_1","Section": "CC6.0 - Logical and Physical Access","Service": "s3","SubGroup": null,"SubSection": null}],"description": "Identifies and Manages the Inventory of Information Assets - The entity identifies, inventories, classifies, and manages information assets. Restricts Logical Access - Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. Identifies and Authenticates Users - Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely. Considers Network Segmentation - Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. Manages Points of Access - Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. 
Restricts Access to Information Assets - Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets. Manages Identification and Authentication - Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software. Manages Credentials for Infrastructure and Software - New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. Uses Encryption to Protect Data - The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk. Protects Encryption Keys - Processes are in place to protect encryption keys during generation, storage, use, and destruction.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"cc_6_2": {"name": "CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_6_2","Section": "CC6.0 - Logical and Physical Access","Service": "rds","SubGroup": null,"SubSection": null}],"description": "Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 
For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. Controls Access Credentials to Protected Assets - Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. Removes Access to Protected Assets When Appropriate - Processes are in place to remove credential access when an individual no longer requires such access. Reviews Appropriateness of Access Credentials - The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"cc_6_3": {"name": "CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_6_3","Section": "CC6.0 - Logical and Physical Access","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Creates or Modifies Access to Protected Information Assets - Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. Removes Access to Protected Information Assets - Processes are in place to remove access to protected information assets when an individual no longer requires access. 
Uses Role-Based Access Controls - Role-based access control is utilized to support segregation of incompatible functions.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"cc_6_4": {"name": "CC6.4 The entity restricts physical access to facilities and protected information assets to authorized personnel to meet the entity’s objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_6_4","Section": "CC6.0 - Logical and Physical Access","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Creates or Modifies Physical Access - Processes are in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system's asset owner. Removes Physical Access - Processes are in place to remove access to physical resources when an individual no longer requires access. Reviews Physical Access - Processes are in place to periodically review physical access to ensure consistency with job responsibilities.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_6_5": {"name": "CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_6_5","Section": "CC6.0 - Logical and Physical Access","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identifies Data and Software for Disposal - Procedures are in place to identify data and software stored on equipment to be disposed and to render such data and software unreadable. 
Removes Data and Software From Entity Control - Procedures are in place to remove data and software stored on equipment to be removed from the physical control of the entity and to render such data and software unreadable.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_6_6": {"name": "CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries","checks": {"ec2_instance_public_ip": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_6_6","Section": "CC6.0 - Logical and Physical Access","Service": "ec2","SubGroup": null,"SubSection": null}],"description": "Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. 
Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cc_6_7": {"name": "CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives","checks": {"acm_certificates_expiration_check": "PASS"},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_6_7","Section": "CC6.0 - Logical and Physical Access","Service": "acm","SubGroup": null,"SubSection": null}],"description": "Restricts the Ability to Perform Transmission - Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement and removal of information. Uses Encryption Technologies or Secure Communication Channels to Protect Data - Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. Protects Removal Media - Encryption technologies and physical asset protections are used for removable media (such as USB drives and back-up tapes), as appropriate. 
Protects Mobile Devices - Processes are in place to protect mobile devices (such as laptops, smart phones and tablets) that serve as information assets.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"cc_6_8": {"name": "CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_6_8","Section": "CC6.0 - Logical and Physical Access","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Restricts Application and Software Installation - The ability to install applications and software is restricted to authorized individuals. Detects Unauthorized Changes to Software and Configuration Parameters - Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. Uses a Defined Change Control Process - A management-defined change control process is used for the implementation of software. Uses Antivirus and Anti-Malware Software - Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. 
Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software - Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"cc_7_1": {"name": "CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_7_1","Section": "CC7.0 - System Operations","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Uses Defined Configuration Standards - Management has defined configuration standards. Monitors Infrastructure and Software - The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. Implements Change-Detection Mechanisms - The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. Detects Unknown or Unauthorized Components - Procedures are in place to detect the introduction of unknown or unauthorized components. 
Conducts Vulnerability Scans - The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.","checks_status": {"fail": 2,"pass": 2,"total": 4,"manual": 0}},"cc_7_2": {"name": "CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_7_2","Section": "CC7.0 - System Operations","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implements Detection Policies, Procedures, and Tools - Detection policies and procedures are defined and implemented, and detection tools are implemented on Infrastructure and software to 
identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities. Designs Detection Measures - Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. Implements Filters to Analyze Anomalies - Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events. Monitors Detection Tools for Effective Operation - Management has implemented processes to monitor the effectiveness of detection tools.","checks_status": {"fail": 7,"pass": 6,"total": 21,"manual": 0}},"cc_7_3": {"name": "CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","apigateway_restapi_logging_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": 
"FAIL","cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_7_3","Section": "CC7.0 - System Operations","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Responds to Security Incidents - Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis. Communicates and Reviews Detected Security Events - Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. Develops and Implements Procedures to Analyze Security Incidents - Procedures are in place to analyze security incidents and determine system impact. Assesses the Impact on Personal Information - Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations. 
Determines Personal Information Used or Disclosed - When an unauthorized use or disclosure of personal information has occurred, the affected information is identified.","checks_status": {"fail": 10,"pass": 3,"total": 17,"manual": 0}},"cc_7_4": {"name": "CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"guardduty_no_high_severity_findings": "FAIL","redshift_cluster_automated_snapshot": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_7_4","Section": "CC7.0 - System Operations","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Assigns Roles and Responsibilities - Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary. Contains Security Incidents - Procedures are in place to contain security incidents that actively threaten entity objectives. Mitigates Ongoing Security Incidents - Procedures are in place to mitigate the effects of ongoing security incidents. Ends Threats Posed by Security Incidents - Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. 
Restores Operations - Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. Develops and Implements Communication Protocols for Security Incidents - Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives. Obtains Understanding of Nature of Incident and Determines Containment Strategy - An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. Remediates Identified Vulnerabilities - Identified vulnerabilities are remediated through the development and execution of remediation activities. Communicates Remediation Activities - Remediation activities are documented and communicated in accordance with the incident response program. Evaluates the Effectiveness of Incident Response - The design of incident response activities is evaluated for effectiveness on a periodic basis. Periodically Evaluates Incidents - Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. Communicates Unauthorized Use and Disclosure - Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. 
Application of Sanctions - The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements.","checks_status": {"fail": 3,"pass": 3,"total": 16,"manual": 0}},"cc_7_5": {"name": "CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_7_5","Section": "CC7.0 - System Operations","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Restores the Affected Environment - The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. Communicates Information About the Event - Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). Determines Root Cause of the Event - The root cause of the event is determined. Implements Changes to Prevent and Detect Recurrences - Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. Improves Response and Recovery Procedures - Lessons learned are analyzed, and the incident response plan and recovery procedures are improved. Implements Incident Recovery Plan Testing - Incident recovery plan testing is performed on a periodic basis. 
The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_8_1": {"name": "CC8.1 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_8_1","Section": "CC8.0 - Change Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Manages Changes Throughout the System Lifecycle - A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity. Authorizes Changes - A process is in place to authorize system changes prior to development. Designs and Develops Changes - A process is in place to design and develop system changes. Documents Changes - A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. Tracks System Changes - A process is in place to track system changes prior to implementation. Configures Software - A process is in place to select and implement the configuration parameters used to control the functionality of software. Tests System Changes - A process is in place to test system changes prior to implementation. Approves System Changes - A process is in place to approve system changes prior to implementation. 
Deploys System Changes - A process is in place to implement system changes. Identifies and Evaluates System Changes - Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents - Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification. Creates Baseline Configuration of IT Technology - A baseline configuration of IT and control systems is created and maintained. Provides for Changes Necessary in Emergency Situations - A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe). Protects Confidential Information - The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. 
Protects Personal Information - The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"cc_9_1": {"name": "CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_9_1","Section": "CC9.0 - Risk Mitigation","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Considers Mitigation of Risks of Business Disruption - Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity's objectives during response, mitigation, and recovery efforts. 
Considers the Use of Insurance to Mitigate Financial Impact Risks - The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_9_2": {"name": "CC9.2 The entity assesses and manages risks associated with vendors and business partners","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_9_2","Section": "CC9.0 - Risk Mitigation","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establishes Requirements for Vendor and Business Partner Engagements - The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. Assesses Vendor and Business Partner Risks - The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. Assigns Responsibility and Accountability for Managing Vendors and Business Partners - The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. Establishes Communication Protocols for Vendors and Business Partners - The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. Establishes Exception Handling Procedures From Vendors and Business Partners - The entity establishes exception handling procedures for service or product issues related to vendors and business partners. Assesses Vendor and Business Partner Performance - The entity periodically assesses the performance of vendors and business partners. 
Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments - The entity implements procedures for addressing issues identified with vendor and business partner relationships. Implements Procedures for Terminating Vendor and Business Partner Relationships - The entity implements procedures for terminating vendor and business partner relationships. Obtains Confidentiality Commitments from Vendors and Business Partners - The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners - On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. Obtains Privacy Commitments from Vendors and Business Partners - The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. 
Assesses Compliance with Privacy Commitments of Vendors and Business Partners - On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_a_1_1": {"name": "A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_a_1_1","Section": "CCA1.0 - Additional Criterial for Availability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Measures Current Usage - The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints. Forecasts Capacity - The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity. 
Makes Changes Based on Forecasts - The system change management process is initiated when forecasted usage exceeds capacity tolerances.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_a_1_2": {"name": "A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","redshift_cluster_automated_snapshot": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_a_1_2","Section": "CCA1.0 - Additional Criterial for Availability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Measures Current Usage - The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints. Forecasts Capacity - The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity. 
Makes Changes Based on Forecasts - The system change management process is initiated when forecasted usage exceeds capacity tolerances.","checks_status": {"fail": 6,"pass": 3,"total": 16,"manual": 0}},"cc_a_1_3": {"name": "A1.3 The entity tests recovery plan procedures supporting system recovery to meet its objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_a_1_3","Section": "CCA1.0 - Additional Criterial for Availability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implements Business Continuity Plan Testing - Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. Tests Integrity and Completeness of Back-Up Data - The integrity and completeness of back-up information is tested on a periodic basis.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_c_1_1": {"name": "C1.1 The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality","checks": {"rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_c_1_1","Section": "CCC1.0 - Additional Criterial for Confidentiality","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identifies Confidential information - Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained. 
Protects Confidential Information from Destruction - Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cc_c_1_2": {"name": "C1.2 The entity disposes of confidential information to meet the entity’s objectives related to confidentiality","checks": {"s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_c_1_2","Section": "CCC1.0 - Additional Criterial for Confidentiality","Service": "s3","SubGroup": null,"SubSection": null}],"description": "Identifies Confidential Information for Destruction - Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached. Destroys Confidential Information - Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 10,"requirements_failed": 10,"requirements_manual": 36,"total_requirements": 56,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "8f43ba1e-a5fb-42c5-95ca-d0b199c62975","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "cis_3.0_aws","framework": "CIS","version": "3.0","description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.","region": "eu-west-1","requirements": {"1.1": {"name": "1.1","checks": {"account_maintain_current_contact_details": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info","Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.","DefaultValue": null,"AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing ) 1. Sign in to the AWS Management Console and open the Billing and Cost Management console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose Account. 3. On the Account Settings page, review and verify the current details. 4. Under Contact Information, review and verify the current details.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. 
This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.","RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing ). 1. Sign in to the AWS Management Console and open the Billing and Cost Management console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose Account. 3. On the Account Settings page, next to Account Settings, choose Edit. 4. Next to the field that you need to update, choose Edit. 5. After you have entered your changes, choose Save changes. 6. After you have made your changes, choose Done. 7. To edit your contact information, under Contact Information, choose Edit. 8. For the fields that you want to change, type your updated information, and then choose Update.","AdditionalInformation": ""}],"description": "Maintain current contact details","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.2": {"name": "1.2","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if security contact information is present:**From Console:**1. Click on your account name at the top right corner of the console 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. 
Ensure contact information is specified in the `Security` section","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.","RemediationProcedure": "Perform the following to establish security contact information:**From Console:**1. Click on your account name at the top right corner of the console. 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. Enter contact information in the `Security` section**Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.","AdditionalInformation": ""}],"description": "Ensure security contact information is registered","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.3": {"name": "1.3","checks": {"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS account as the 'root' user 2. On the top right you will see the __ 3. Click on the __ 4. From the drop-down menu Click `My Account`5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions. 6. Click `Save questions` .","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "When creating a new AWS account, a default super user is automatically created. 
This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.","RemediationProcedure": "**From Console:**1. Login to the AWS Account as the 'root' user 2. Click on the __ from the top right of the console 3. From the drop-down menu Click _My Account_ 4. Scroll down to the `Configure Security Questions` section 5. Click on `Edit`6. Click on each `Question` - From the drop-down select an appropriate question- Click on the `Answer` section- Enter an appropriate answer - Follow process for all 3 questions 7. Click `Update` when complete 8. Save Questions and Answers and place in a secure physical location","AdditionalInformation": ""}],"description": "Ensure security questions are registered in the AWS account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.4": {"name": "1.4","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/","Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. 
It is recommended that all access keys associated with the 'root' user account be removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .**From Command Line:**Run the following command: ```aws iam get-account-summary | grep \"AccountAccessKeysPresent\"``` If no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,. If the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged.","RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys**From Console:**1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. Click on __ at the top right and select `My Security Credentials` from the drop down list 3. On the pop out screen Click on `Continue to Security Credentials`4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_ 5. Under the `Status` column if there are any Keys which are Active- Click on `Make Inactive` - (Temporarily disable Key - may be needed again)- Click `Delete` - (Deleted keys cannot be recovered)","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions is not enabled by default. 
However, on request to AWS support enables 'root' access only through access-keys (CLI, API methods) for us-gov cloud region."}],"description": "Ensure no 'root' user account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.5": {"name": "1.5","checks": {"iam_root_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.**Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `mfa_active` field is set to `TRUE` .**From Command Line:**1. 
Run the following command: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ``` 2. Ensure the AccountMFAEnabled property is set to 1","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` . 5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. 
For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.When you are finished, the virtual MFA device starts generating one-time passwords.In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions does not have console access. This recommendation is not applicable for us-gov cloud regions."}],"description": "Ensure MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.6": {"name": "1.6","checks": {"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:1. 
Run the following command to determine if the 'root' account has MFA setup: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ```The `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled. If `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled. Run the following command to list all virtual MFA devices: ```aws iam list-virtual-mfa-devices``` If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation: `\"SerialNumber\": \"arn:aws:iam::__:mfa/root-account-mfa-device\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.","RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials. 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. 
In the wizard, choose `A hardware MFA` device and then choose `Next Step` . 5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device. 6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. 7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number. 8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.Remediation for this recommendation is not available through AWS CLI.","AdditionalInformation": "IAM User account 'root' for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions."}],"description": "Ensure hardware MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.7": {"name": "1.7","checks": {"iam_avoid_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html","Description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/` 2. 
In the left pane, click `Credential Report` 3. Click on `Download Report` 4. Open of Save the file locally 5. Locate the `` under the user column 6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.**From Command Line:**Run the following CLI commands to provide a credential report for determining the last time the 'root user' was used: ``` aws iam generate-credential-report ``` ``` aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '' ```Review `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.**Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.","RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user.**Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.","AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. 
If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.Monitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user."}],"description": "Eliminate use of the 'root' user for administrative and daily tasks","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.8": {"name": "1.8","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Minimum password length\" is set to 14 or greater.**From Command Line:** ``` aws iam get-account-password-policy ``` Ensure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Setting a password complexity policy increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. 
Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Set \"Minimum password length\" to `14` or greater. 5. Click \"Apply password policy\"**From Command Line:** ```aws iam update-account-password-policy --minimum-password-length 14 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy requires minimum length of 14 or greater","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.9": {"name": "1.9","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Prevent password reuse\" is checked 5. 
Ensure \"Number of passwords to remember\" is set to 24**From Command Line:** ``` aws iam get-account-password-policy``` Ensure the output of the above command includes \"PasswordReusePrevention\": 24","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Preventing password reuse increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Check \"Prevent password reuse\" 5. Set \"Number of passwords to remember\" is set to `24` **From Command Line:** ```aws iam update-account-password-policy --password-reuse-prevention 24 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy prevents password reuse","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.1": {"name": "3.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events","Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane- You will be presented with a list of trails across all regions 3. Ensure at least one Trail has `All` specified in the `Region` column 4. Click on a trail via the link in the _Name_ column 5. Ensure `Logging` is set to `ON`6. Ensure `Apply trail to all regions` is set to `Yes` 7. In section `Management Events` ensure `Read/Write Events` set to `ALL`**From Command Line:** ```aws cloudtrail describe-trails ``` Ensure `IsMultiRegionTrail` is set to `true```` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `true` ``` aws cloudtrail get-event-selectors --trail-name  ``` Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`","ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html","AssessmentStatus": "Automated","RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally, - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected- ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated onAWS global services- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account","RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on _Trails_ on the left navigation pane 3. Click `Get Started Now` , if presented- Click `Add new trail` - Enter a trail name in the `Trail name` box- Set the `Apply trail to all regions` option to `Yes` - Specify an S3 bucket name in the `S3 bucket` box- Click `Create`4. If 1 or more trails already exist, select the target trail to enable for global logging 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`. 6. 
Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.**From Command Line:** ``` aws cloudtrail create-trail --name  --bucket-name  --is-multi-region-trailaws cloudtrail update-trail --name  --is-multi-region-trail ```Note: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.","AdditionalInformation": ""}],"description": "Ensure CloudTrail is enabled in all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.2": {"name": "3.2","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.","DefaultValue": null,"AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. 
For Every Trail: - Click on a trail via the link in the _Name_ column - Under the `General details` section, ensure `Log file validation` is set to `Enabled` **From Command Line:** ``` aws cloudtrail describe-trails ``` Ensure `LogFileValidationEnabled` is set to `true` for each trail","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling log file validation will provide additional integrity checking of CloudTrail logs.","RemediationProcedure": "Perform the following to enable log file validation on a given trail:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. Click on target trail 4. Within the `General details` section click `edit` 5. Under the `Advanced settings` section 6. Check the enable box under `Log file validation`7. Click `Save changes` **From Command Line:** ``` aws cloudtrail update-trail --name  --enable-log-file-validation ``` Note that periodic validation of logs using these digests can be performed by running the following command: ``` aws cloudtrail validate-logs --trail-arn  --start-time  --end-time  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail log file validation is enabled","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.3": {"name": "3.3","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html","Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. 
The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.","DefaultValue": null,"AuditProcedure": "Process to evaluate AWS Config configuration per region**From Console:**1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 2. On the top right of the console select target Region. 3. If presented with Setup AWS Config - follow remediation procedure: 4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 5. Ensure 1 or both check-boxes under \"All Resources\" is checked.- Include global resources related to IAM resources - which needs to be enabled in 1 region only 6. Ensure the correct S3 bucket has been defined. 7. Ensure the correct SNS topic has been defined. 8. Repeat steps 2 to 7 for each region.**From Command Line:**1. Run this command to show all AWS Config recorders and their properties: ``` aws configservice describe-configuration-recorders ``` 2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])Sample Output:``` {\"ConfigurationRecorders\": [{\"recordingGroup\": {\"allSupported\": true,\"resourceTypes\": [],\"includeGlobalResourceTypes\": true},\"roleARN\": \"arn:aws:iam:::role/service-role/\",\"name\": \"default\"}] } ```3. Run this command to show the status for all AWS Config recorders: ``` aws configservice describe-configuration-recorder-status ``` 4. 
In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`","ImpactStatement": "It is recommended AWS Config be enabled in all regions.","AssessmentStatus": "Automated","RationaleStatement": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.","RemediationProcedure": "To implement AWS Config configuration:**From Console:**1. Select the region you want to focus on in the top right of the console 2. Click `Services`3. Click `Config`4. Define which resources you want to record in the selected region 5. Choose to include global resources (IAM resources) 6. Specify an S3 bucket in the same account or in another managed AWS account 7. Create an SNS Topic from the same AWS account or another managed AWS account**From Command Line:**1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 2. Run this command to set up the configuration recorder ``` aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole ``` 3. Run this command to start the configuration recorder: ``` start-configuration-recorder --configuration-recorder-name  ```","AdditionalInformation": ""}],"description": "Ensure AWS Config is enabled in all regions","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.4": {"name": "3.4","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html","Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.","DefaultValue": null,"AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the API activity history pane on the left, click Trails 3. In the Trails pane, note the bucket names in the S3 bucket column 4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 5. Under `All Buckets` click on a target S3 bucket 6. Click on `Properties` in the top right of the console 7. Under `Bucket:` _ `` _ click on `Logging`8. Ensure `Enabled` is checked.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'``` 2. Ensure Bucket Logging is enabled: ``` aws s3api get-bucket-logging --bucket  ``` Ensure command does not returns empty output.Sample Output for a bucket with logging enabled:``` {\"LoggingEnabled\": {\"TargetPrefix\": \"\",\"TargetBucket\": \"\"} } ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. 
Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.","RemediationProcedure": "Perform the following to enable S3 bucket logging:**From Console:**1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 2. Under `All Buckets` click on the target S3 bucket 3. Click on `Properties` in the top right of the console 4. Under `Bucket:`  click on `Logging`5. Configure bucket logging- Click on the `Enabled` checkbox- Select Target Bucket from list- Enter a Target Prefix 6. Click `Save`.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --region  --query trailList[*].S3BucketName ``` 2. Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``: ``` {\"LoggingEnabled\": {\"TargetBucket\": \"\",\"TargetPrefix\": \"\",\"TargetGrants\": [{\"Grantee\": {\"Type\": \"AmazonCustomerByEmail\",\"EmailAddress\": \"\"},\"Permission\": \"FULL_CONTROL\"}]}} ``` 3. Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): ``` aws s3api put-bucket-logging --bucket  --bucket-logging-status file:// ```","AdditionalInformation": ""}],"description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.5": {"name": "3.5","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html","Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Select a Trail 4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.**From Command Line:**1. Run the following command: ```aws cloudtrail describe-trails``` 2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.","ImpactStatement": "Customer created keys incur an additional cost. 
See https://aws.amazon.com/kms/pricing/ for more information.","AssessmentStatus": "Automated","RationaleStatement": "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.","RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Click on a Trail 4. Under the `S3` section click on the edit button (pencil icon) 5. Click `Advanced`6. Select an existing CMK from the `KMS key Id` drop-down menu- Note: Ensure the CMK is located in the same region as the S3 bucket- Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy 7. Click `Save`8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. 9. Click `Yes` **From Command Line:** ``` aws cloudtrail update-trail --name  --kms-id  aws kms put-key-policy --key-id  --policy  ```","AdditionalInformation": "3 statements which need to be added to the CMK policy:1\\. Enable Cloudtrail to describe CMK properties ``` 
{\"Sid\": \"Allow CloudTrail access\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:DescribeKey\",\"Resource\": \"*\" } ``` 2\\. Granting encrypt permissions ``` 
{\"Sid\": \"Allow CloudTrail to encrypt logs\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:GenerateDataKey*\",\"Resource\": \"*\",\"Condition\": {\"StringLike\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": [\"arn:aws:cloudtrail:*:aws-account-id:trail/*\"]}} } ``` 3\\. Granting decrypt permissions ``` 
{\"Sid\": \"Enable CloudTrail log decrypt permissions\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"arn:aws:iam::aws-account-id:user/username\"},\"Action\": \"kms:Decrypt\",\"Resource\": \"*\",\"Condition\": {\"Null\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"}} } ```"}],"description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.6": {"name": "3.6","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final","Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the KMS console at: https://console.aws.amazon.com/kms. 2. In the left navigation pane, click Customer-managed keys. 3. Select a customer managed CMK where Key spec = SYMMETRIC_DEFAULT. 4. Select the Key rotation tab. 5. Ensure the Automatically rotate this KMS key every year checkbox is checked. 6. 
Repeat steps 3–5 for all customer-managed CMKs where 'Key spec = SYMMETRIC_DEFAULT'.","ImpactStatement": "Creation, management, and storage of CMKs may require additional time from and administrator.","AssessmentStatus": "Automated","RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the KMS console at: https://console.aws.amazon.com/kms. 2. In the left navigation pane, click Customer-managed keys. 3. Select a key where Key spec = SYMMETRIC_DEFAULT that does not have automatic rotation enabled. 4. Select the Key rotation tab. 5. Check the Automatically rotate this KMS key every year checkbox. 6. Click Save. 7. Repeat steps 3–6 for all customer-managed CMKs that do not have automatic rotation enabled.","AdditionalInformation": ""}],"description": "Ensure rotation for customer created symmetric CMKs is enabled","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.7": {"name": "3.7","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html","Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. 
In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. Ensure a Log Flow exists that has `Active` in the `Status` column.**From Command Line:**1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region: ``` aws ec2 describe-vpcs --region  --query Vpcs[].VpcId ``` 2. The command output returns the `VpcId` available in the selected region. 3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled: ``` aws ec2 describe-flow-logs --filter \"Name=resource-id,Values=\" ``` 4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`. 5. Repeat step 3 for other VPCs available in the same region. 6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.","ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.","RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:**From Console:**1. 
Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. If no Flow Log exists, click `Create Flow Log`7. For Filter, select `Reject` 8. Enter in a `Role` and `Destination Log Group`9. Click `Create Log Flow`10. Click on `CloudWatch Logs Group` **Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.**From Command Line:**1. Create a policy document and name it as `role_policy_document.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"test\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"ec2.amazonaws.com\"},\"Action\": \"sts:AssumeRole\"}] } ``` 2. Create another policy document and name it as `iam_policy.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Action\":[\"logs:CreateLogGroup\",\"logs:CreateLogStream\",\"logs:DescribeLogGroups\",\"logs:DescribeLogStreams\",\"logs:PutLogEvents\",\"logs:GetLogEvents\",\"logs:FilterLogEvents\"],\"Resource\": \"*\"}] } ``` 3. Run the below command to create an IAM role: ``` aws iam create-role --role-name  --assume-role-policy-document file://role_policy_document.json``` 4. Run the below command to create an IAM policy: ``` aws iam create-policy --policy-name  --policy-document file://iam-policy.json ``` 5. 
Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned): ``` aws iam attach-group-policy --policy-arn arn:aws:iam:::policy/ --group-name  ``` 6. Run `describe-vpcs` to get the VpcId available in the selected region: ``` aws ec2 describe-vpcs --region  ``` 7. The command output should return the VPC Id available in the selected region. 8. Run `create-flow-logs` to create a flow log for the vpc: ``` aws ec2 create-flow-logs --resource-type VPC --resource-ids  --traffic-type REJECT --log-group-name  --deliver-logs-permission-arn  ``` 9. Repeat step 8 for other vpcs available in the selected region. 10. Change the region by updating --region and repeat remediation procedure for other vpcs.","AdditionalInformation": ""}],"description": "Ensure VPC flow logging is enabled in all VPCs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.8": {"name": "3.8","checks": {"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/ 2. In the left panel, click Trails and then click on the CloudTrail Name that you want to examine. 3. Review General details 4. Confirm that Multi-region trail is set to Yes 5. Scroll down to Data events 6. 
Confirm that it reads: Data Events:S3 Log selector template Log all events If 'basic events selectors' is being used it should read: Data events: S3 Bucket Name: All current and future S3 buckets Write: Enabled 7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail. If the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below..","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/ 2. In the left navigation panel, click buckets and then click on the S3 Bucket Name that you want to examine. 3. Click Properties tab to see in detail bucket configuration. 4. In the AWS Cloud Trail data events' section select the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by slicking the Configure in Cloudtrailbutton or navigating to the Cloudtrail console linkhttps://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, Select the data Data Events check box. 6. Select S3 from the `Data event type drop down. 7. Select Log all events from the Log selector template drop down. 8. 
Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for write events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.9": {"name": "3.9","checks": {"cloudtrail_s3_dataevents_read_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set. 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.**From Command Line:** 1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: ``` aws cloudtrail describe-trails --region  --output table --query trailList[*].Name ``` 2. The command output will be table of the requested trail names. 3. 
Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. 5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. 7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. 
Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled. 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.**From Command Line:** 1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for read events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.1": {"name": "4.1","checks": {"cloudwatch_log_metric_filter_unauthorized_api_calls": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://aws.amazon.com/sns/:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for unauthorized API calls.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with \"Name\":` note ``- From value associated with \"CloudWatchLogsLogGroupArn\" note Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this `` that you captured in step 1:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\", ```4. Note the \"filterName\" `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\" ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.","AssessmentStatus": "Automated","RationaleStatement": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. 
Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms. **Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for unauthorized API calls","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.2": {"name": "4.2","checks": {"cloudwatch_log_metric_filter_sign_in_without_mfa": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. 
Monitoring","References": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all `CloudTrails`:``` aws cloudtrail describe-trails ```- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region `CloudTrail` is active``` aws cloudtrail get-trail-status --name  ```Ensure in the output that `IsLogging` is set to `TRUE`- Ensure identified Multi-region 'Cloudtrail' captures all Management Events``` aws cloudtrail get-event-selectors --trail-name  ```Ensure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. 
Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\" ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `` taken from audit step 1.Use Command: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored -Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account."}],"description": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.3": {"name": "4.3","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for 'root' login attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**- ensures that activities from all regions (used as well as unused) are monitored- ensures that activities on all supported global services are monitored- ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for usage of 'root' account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.4": {"name": "4.4","checks": {"cloudwatch_log_metric_filter_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for IAM policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.5": {"name": "4.5","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.6": {"name": "4.6","checks": {"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.7": {"name": "4.7","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Data encrypted with disabled or deleted keys will no longer be accessible.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.8": {"name": "4.8","checks": {"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for S3 bucket policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.9": {"name": "4.9","checks": {"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Config configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"5.1": {"name": "5.1","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison","Description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "**From Console:**Perform the following to determine if the account is configured as prescribed: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. 
For each network ACL, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "**From Console:**Perform the following: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL to remediate, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Click `Edit inbound rules`- Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule- Click `Save`","AdditionalInformation": ""}],"description": "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"5.2": {"name": "5.2","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule 6. 
Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.3": {"name": "5.3","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. 
Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `::/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the ::/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than ::/0, or, B) Click `Delete` to remove the offending inbound rule 6. Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.4": {"name": "5.4","checks": {"ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "5. 
Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group","Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.**NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:Security Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. 
For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exist 4. Click the `Outbound Rules` tab 5. Ensure no rules existSecurity Group Members1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. Copy the id of the default security group. 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home 6. In the filter column type 'Security Group ID : < security group id from #4 >'","ImpactStatement": "Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.","AssessmentStatus": "Automated","RationaleStatement": "Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.","RemediationProcedure": "Security Group MembersPerform the following to implement the prescribed state:1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security groupSecurity Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. 
Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Remove any inbound rules 4. Click the `Outbound Rules` tab 5. Remove any Outbound rulesRecommended:IAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"","AdditionalInformation": ""}],"description": "Ensure the default security group of every VPC restricts all traffic","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"5.5": {"name": "5.5","checks": {"vpc_peering_routing_tables_with_least_privilege": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "5. Networking","References": "https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html","Description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.","DefaultValue": null,"AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.**From Command Line:**1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a __ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired. 
``` aws ec2 describe-route-tables --filter \"Name=vpc-id,Values=\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\" ```","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.","RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.**From Command Line:**1. For each __ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route: ``` aws ec2 delete-route --route-table-id  --destination-cidr-block  ```2. Create a new compliant route: ``` aws ec2 create-route --route-table-id  --destination-cidr-block  --vpc-peering-connection-id  ```","AdditionalInformation": "If an organization has AWS transit gateway implemented in their VPC architecture they should look to apply the recommendation above for \"least access\" routing architecture at the AWS transit gateway level in combination with what must be implemented at the standard VPC route table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs must have an attachment to a transit gateway route table as well as a route, therefore to avoid routing traffic between VPCs an attachment to the transit gateway route table should only be added where there is an intention to route traffic between the VPCs. 
As transit gateways are able to host multiple route tables it is possible to group VPCs by attaching them to a common route table."}],"description": "Ensure routing tables for VPC peering are \"least access\"","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"5.6": {"name": "5.6","checks": {"ec2_instance_imdsv2_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/:https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html","Description": "When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).","DefaultValue": null,"AuditProcedure": "From Console: 1. Sign in to the AWS Management Console and navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/. 2. In the left navigation panel, under the INSTANCES section, choose Instances. 3. Select the EC2 instance that you want to examine. 4. Check for the IMDSv2 status, and ensure that it is set to Required. From Command Line: 1. Run the describe-instances command using appropriate filtering to list the IDs of all the existing EC2 instances currently available in the selected region: aws ec2 describe-instances --region  --output table --query 'Reservations[*].Instances[*].InstanceId' 2. The command output should return a table with the requested instance IDs. 3. Now run the describe-instances command using an instance ID returned at the previous step and custom filtering to determine whether the selected instance has IMDSv2: aws ec2 describe-instances --region  --instance-ids  --query 'Reservations[*].Instances[*].MetadataOptions' --output table 4. 
Ensure for all ec2 instances HttpTokens is set to required and State is set to applied. 5. Repeat steps no. 3 and 4 to verify other EC2 instances provisioned within the current region. 6. Repeat steps no. 1 – 5 to perform the audit process for other AWS regions.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, host name, events, and security groups. When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method). With IMDSv2, every request is now protected by session authentication. A session begins and ends a series of requests that software running on an EC2 instance uses to access the locally-stored EC2 instance metadata and credentials. Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery (SSRF) attacks, so Amazon recommends utilizing Version 2 for better instance security.","RemediationProcedure": "From Console: 1. Sign in to the AWS Management Console and navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/. 2. In the left navigation panel, under the INSTANCES section, choose Instances. 3. Select the EC2 instance that you want to examine. 4. Choose Actions > Instance Settings > Modify instance metadata options. 5. Ensure Instance metadata service is set to Enable and set IMDSv2 to Required. 6. Repeat steps no. 1 – 5 to perform the remediation process for other EC2 Instances in the all applicable AWS region(s). From Command Line: 1. 
Run the describe-instances command using appropriate filtering to list the IDs of all the existing EC2 instances currently available in the selected region: aws ec2 describe-instances --region  --output table -- query 'Reservations[*].Instances[*].InstanceId' 2. The command output should return a table with the requested instance IDs. 3. Now run the modify-instance-metadata-options command using an instance ID returned at the previous step to update the Instance Metadata Version: aws ec2 modify-instance-metadata-options --instance-id  --http-tokens required --region  4. Repeat steps no. 1 – 3 to perform the remediation process for other EC2 Instances in the same AWS region. 5. Change the region by updating --region and repeat the entire process for other regions.","AdditionalInformation": ""}],"description": "Ensure that EC2 Metadata Service only allows IMDSv2","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.10": {"name": "1.10","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users","Description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. 
It is recommended that MFA be enabled for all accounts that have a console password.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:**From Console:**1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left pane, select `Users`3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`. 4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8``` 2. The output of this command will produce a table similar to the following: ```user,password_enabled,mfa_activeelise,false,falsebrandon,true,truerakesh,false,falsehelene,false,falseparas,true,trueanitha,false,false``` 3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`","ImpactStatement": "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. We recommend that existing customers switch to one of the following alternative methods of MFA.","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to enable MFA:**From Console:**1. 
Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' 2. In the left pane, select `Users`. 3. In the `User Name` list, choose the name of the intended MFA user. 4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`. 5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application. When you are finished, the virtual MFA device starts generating one-time passwords.8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.9. 
Click `Assign MFA`.","AdditionalInformation": "**Forced IAM User Self-Service Remediation**Amazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts."}],"description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.11": {"name": "1.11","checks": {"iam_user_no_setup_initial_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html","Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on a User where column `Password age` and `Access key age` is not set to `None` 5. Click on `Security credentials` Tab 6. 
Compare the user 'Creation time` to the Access Key `Created` date. 6. For any that match, the key was created during initial user setup.- Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16 ``` 2. The output of this command will produce a table similar to the following: ``` user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_dateelise,false,true,2015-04-16T15:14:00+00:00,false,N/Abrandon,true,true,N/A,false,N/Arakesh,false,false,N/A,false,N/Ahelene,false,true,2015-11-18T17:47:00+00:00,false,N/Aparas,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A``` 3. For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.","RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:**From Console:**1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. 
Click on `Users`5. Click on `Security Credentials`6. As an Administrator - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User- Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.**From Command Line:** ``` aws iam delete-access-key --access-key-id  --user-name  ```","AdditionalInformation": "Credential report does not appear to contain \"Key Creation Date\""}],"description": "Do not setup access keys during initial user setup for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.12": {"name": "1.12","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if unused credentials exist:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM` 4. Click on `Users` 5. Click the `Settings` (gear) icon. 6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id` 7. Click on `Close`8. Check and ensure that `Console last sign-in` is less than 45 days ago.**Note** - `Never` means the user has never logged in.9. 
Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.**From Command Line:****Download Credential Report:**1. Run the following commands: ```aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^' ```**Ensure unused credentials do not exist:**2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.3. For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.- When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.","RemediationProcedure": "**From Console:**Perform the following to manage Unused Password (IAM user console access)1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select user whose `Console last sign-in` is greater than 45 days 7. Click `Security credentials` 8. In section `Sign-in credentials`, `Console password` click `Manage`9. Under Console Access select `Disable` 10.Click `Apply`Perform the following to deactivate Access Keys:1. Login to the AWS Management Console: 2. Click `Services`3. 
Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select any access keys that are over 45 days old and that have been used and - Click on `Make Inactive` 7. Select any access keys that are over 45 days old and that have not been used and - Click the X to `Delete`","AdditionalInformation": " is excluded in the audit since the root account should not be used for day to day business and would likely be unused for more than 45 days."}],"description": "Ensure credentials unused for 45 days or greater are disabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.13": {"name": "1.13","checks": {"iam_user_two_active_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html","Description": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. - Repeat steps no. 3 – 5 for each IAM user in your AWS account.**From Command Line:**1. 
Run `list-users` command to list all IAM users within your account: ``` aws iam list-users --query \"Users[*].UserName\" ``` The command output should return an array that contains all your IAM user names.2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user: ``` aws iam list-access-keys --user-name  ``` The command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.3. Check the `Status` property value for each key returned to determine each keys current state. If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.- Repeat steps no. 2 and 3 for each IAM user in your AWS account.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. 6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link. 7. 
If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key. 8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.**From Command Line:**1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user**Note** - the command does not return any output: ``` aws iam update-access-key --access-key-id  --status Inactive --user-name  ``` 3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User: ``` aws iam list-access-keys --user-name  ``` - The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.","AdditionalInformation": ""}],"description": "Ensure there is only one active access key available for any single IAM user","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.14": {"name": "1.14","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click `setting` icon 4. Select `Console last sign-in` 5. Click `Close` 6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.**From Command Line:**``` aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d ``` The `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. 
If the user does not have an active access key, the value in this field is N/A (not applicable).","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.","RemediationProcedure": "Perform the following to rotate access keys:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click on `Security Credentials`4. As an Administrator - Click on `Make Inactive` for keys that have not been rotated in `90` Days 5. As an IAM User- Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days 6. Click on `Create Access Key`7. Update programmatic call with new Access Key credentials**From Command Line:**1. While the first access key is still active, create a second access key, which is active by default. Run the following command: ``` aws iam create-access-key ```At this point, the user has two active access keys.2. Update all applications and tools to use the new access key. 3. Determine whether the first access key is still in use by using this command: ``` aws iam get-access-key-last-used ``` 4. One approach is to wait several days and then check the old access key for any use before proceeding.Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command: ``` aws iam update-access-key ``` 5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. 
If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command: ``` aws iam delete-access-key ```","AdditionalInformation": ""}],"description": "Ensure access keys are rotated every 90 days or less","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.15": {"name": "1.15","checks": {"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html","Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:1. Run the following to get a list of IAM users: ```aws iam list-users --query 'Users[*].UserName' --output text``` 2. For each user returned, run the following command to determine if any policies are attached to them: ```aws iam list-attached-user-policies --user-name aws iam list-user-policies --user-name ``` 3. 
If any policies are returned, the user has an inline policy or direct policy attachment.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.","RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups` and then click `Create New Group` . 3. In the `Group Name` box, type the name of the group and then click `Next Step` . 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` . 5. Click `Create Group` Perform the following to add a user to a given group:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups`3. Select the group to add a user to 4. Click `Add Users To Group`5. Select the users to be added to the group 6. Click `Add Users` Perform the following to remove a direct association between a user and policy:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left navigation pane, click on Users 3. 
For each user:- Select the user- Click on the `Permissions` tab- Expand `Permissions policies` - Click `X` for each policy; then click Detach or Remove (depending on policy type)","AdditionalInformation": ""}],"description": "Ensure IAM Users Receive Permissions Only Through Groups","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.16": {"name": "1.16","checks": {"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam","Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges.","DefaultValue": null,"AuditProcedure": "Perform the following to determine what policies are created:**From Command Line:**1. Run the following to get a list of IAM policies: ```aws iam list-policies --only-attached --output text ``` 2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account: ```aws iam get-policy-version --policy-arn  --version-id  ``` 3. 
In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.","RemediationProcedure": "From Console: Perform the following to detach the policy that has full administrative privileges: 1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. 2. In the navigation pane, click Policies and then search for the policy name found in the audit step. 3. Select the policy that needs to be deleted. 4. In the policy action menu, select first Detach 5. Select all Users, Groups, Roles that have this policy attached 6. Click Detach Policy 7. In the policy action menu, select Detach 8. Select the newly detached policy and select Delete From Command Line: Perform the following to detach the policy that has full administrative privileges as found in the audit step: 1. Lists all IAM users, groups, and roles that the specified managed policy is attached to. aws iam list-entities-for-policy --policy-arn  2. Detach the policy from all IAM Users: aws iam detach-user-policy --user-name  --policy-arn  3. Detach the policy from all IAM Groups: aws iam detach-group-policy --group-name  --policy-arn  4. 
Detach the policy from all IAM Roles: aws iam detach-role-policy --role-name  --policy-arn ","AdditionalInformation": ""}],"description": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.17": {"name": "1.17","checks": {"iam_support_role_created": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html","Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.","DefaultValue": null,"AuditProcedure": "**From Command Line:**1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value: ``` aws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\" ``` 2. Check if the 'AWSSupportAccess' policy is attached to any role:``` aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess ```3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'If it returns empty refer to the remediation below.","ImpactStatement": "All AWS Support plans include an unlimited number of account and billing supportcases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. Enterprise Support plan customers have the option toinclude multiple enabled accounts in an aggregated monthly billing calculation. 
Monthlycharges for the Business and Enterprise support plans are based on each month's AWSusage charges, subject to a monthly minimum, billed in advance.When assigning rights, keep in mind that other policies may grant access to Support aswell. This may include AdministratorAccess and other policies including customermanaged policies. Utilizing the AWS managed 'AWSSupportAccess' role is one simpleway of ensuring that this permission is properly granted.To better support the principle of separation of duties, it would be best to only attach thisrole where necessary.","AssessmentStatus": "Automated","RationaleStatement": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.","RemediationProcedure": "**From Command Line:**1. Create an IAM role for managing incidents with AWS:- Create a trust relationship policy document that allows  to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json: ```{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"\"},\"Action\": \"sts:AssumeRole\"}]} ``` 2. Create the IAM role using the above trust policy: ``` aws iam create-role --role-name  --assume-role-policy-document file:///tmp/TrustPolicy.json ``` 3. Attach 'AWSSupportAccess' managed policy to the created IAM role: ``` aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name  ```","AdditionalInformation": "AWSSupportAccess policy is a global AWS resource. It has same ARN as `arn:aws:iam::aws:policy/AWSSupportAccess` for every account."}],"description": "Ensure a support role has been created to manage incidents with AWS Support","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.18": {"name": "1.18","checks": {"ec2_instance_profile_attached": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html","Description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.","DefaultValue": null,"AuditProcedure": "Where an instance is associated with a Role:For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose \"Instances\" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.Where an Instance Contains Embedded Credentials:- On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.Where an Instance Application Contains Embedded Credentials:- Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. 
Another method is to examine all source code and configuration files of the application.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.","RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known. 2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected. 3. Shutdown both the existing instance and the new instance. 4. Detach disks from both instances. 5. Attach the existing instance disks to the new instance. 6. 
Boot the new instance and you should have the same machine, but with the associated role.**Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.**Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.","AdditionalInformation": ""}],"description": "Ensure IAM instance roles are used for AWS resource access from instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.19": {"name": "1.19","checks": {"iam_no_expired_server_certificates_stored": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html","Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. 
Additionally, you cannot manage your certificates from the IAM Console.","DefaultValue": null,"AuditProcedure": "**From Console:**Getting the certificates expiration information via AWS Management Console is not currently supported.To request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**Run list-server-certificates command to list all the IAM-stored server certificates:``` aws iam list-server-certificates ```The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):``` {\"ServerCertificateMetadataList\": [{\"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",\"ServerCertificateName\": \"MyServerCertificate\",\"Expiration\": \"2018-07-10T23:59:59Z\",\"Path\": \"/\",\"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",\"UploadDate\": \"2018-06-10T11:56:08Z\"}] } ```Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.If this command returns: ``` { { \"ServerCertificateMetadataList\": [] } ``` This means that there are no expired certificates, It DOES NOT mean that no certificates exist.","ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. 
One has to make configurations at respective services to ensure there is no interruption in application functionality.","AssessmentStatus": "Automated","RationaleStatement": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.","RemediationProcedure": "**From Console:**Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**To delete Expired Certificate run following command by replacing  with the name of the certificate to delete:``` aws iam delete-server-certificate --server-certificate-name  ```When the preceding command is successful, it does not return any output.","AdditionalInformation": ""}],"description": "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.20": {"name": "1.20","checks": {"accessanalyzer_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html","Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. 
Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Open the IAM console at `https://console.aws.amazon.com/iam/` 2. Choose `Access analyzer` 3. Click 'Analyzers' 4. Ensure that at least one analyzer is present 5. Ensure that the `STATUS` is set to `Active` 6. Repeat these step for each active region**From Command Line:**1. Run the following command: ``` aws accessanalyzer list-analyzers | grep status ``` 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`3. Repeat the steps above for each active region.If an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.","RemediationProcedure": "**From Console:**Perform the following to enable IAM Access analyzer for IAM policies:1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 2. Choose `Access analyzer`. 3. Choose `Create analyzer`. 4. 
On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer. 5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`. 6. Add any tags that you want to apply to the analyzer. `Optional`.7. Choose `Create Analyzer`. 8. Repeat these step for each active region**From Command Line:**Run the following command: ``` aws accessanalyzer create-analyzer --analyzer-name  --type  ``` Repeat this command above for each active region.**Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.","AdditionalInformation": ""}],"description": "Ensure that IAM Access analyzer is enabled for all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.21": {"name": "1.21","checks": {"iam_check_saml_providers_sts": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "","Description": "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.","DefaultValue": null,"AuditProcedure": "For multi-account AWS environments with an external identity provider: 1. Determine the master account for identity federation or IAM user management 2. Login to that account through the AWS Management Console 3. Click Services 4. Click IAM 5. Click Identity providers 6. Verify the configuration Then, determine all accounts that should not have local users present. For each account: 1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click Services 5. Click IAM 6. Click Users 7. 
Confirm that no IAM users representing individuals are present For multi-account AWS environments implementing AWS Organizations without an external identity provider: 1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click Services 5. Click IAM 6. Click Users 7. Confirm that no IAM users representing individuals are present","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.","RemediationProcedure": "The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.","AdditionalInformation": ""}],"description": "Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.22": {"name": "1.22","checks": {},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html","Description": "AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers.","DefaultValue": null,"AuditProcedure": "**From Console** 1. 
Open the IAM console at https://console.aws.amazon.com/iam/2. In the left pane, select Policies3. Search for and select AWSCloudShellFullAccess4. On the Entities attached tab, ensure that there are no entities using this policy **From Command Line**1. List IAM policies, filter for the 'AWSCloudShellFullAccess' managed policy, and note the \"\"Arn\"\" element value:```aws iam list-policies --query \"\"Policies[?PolicyName == 'AWSCloudShellFullAccess']\"\"``` 2. Check if the 'AWSCloudShellFullAccess' policy is attached to any role: ```aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess```3. In Output, Ensure PolicyRoles returns empty. 'Example: Example: PolicyRoles: [ ]'If it does not return empty refer to the remediation below.Note: Keep in mind that other policies may grant access.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Access to this policy should be restricted as it presents a potential channel for data exfiltration by malicious cloud admins that are given full permissions to the service. AWS documentation describes how to create a more restrictive IAM policy which denies file transfer permissions.","RemediationProcedure": "**From Console**1. Open the IAM console at https://console.aws.amazon.com/iam/2. In the left pane, select Policies 3. Search for and select AWSCloudShellFullAccess4. On the Entities attached tab, for each item, check the box and select Detach","AdditionalInformation": ""}],"description": "Ensure access to AWSCloudShellFullAccess is restricted","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"4.10": {"name": "4.10","checks": {"cloudwatch_log_metric_filter_security_group_changes": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. 
Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. 
Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '']\" ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"\" --filter-name \"\" --metric-transformations metricName= \"\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ```**Note**: You can choose your own metricName and metricNamespace strings. 
Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name \"\" ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn \"\" --protocol  --notification-endpoint \"\" ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"\" --metric-name \"\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"\" ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for security group changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.11": {"name": "4.11","checks": {"cloudwatch_changes_to_network_acls_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. 
Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. 
Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. 
Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.12": {"name": "4.12","checks": {"cloudwatch_changes_to_network_gateways_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to network gateways","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.13": {"name": "4.13","checks": {"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.","DefaultValue": null,"AuditProcedure": "If you are using CloudTrails and CloudWatch , perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarmsconfigured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:• List all CloudTrails: aws cloudtrail describe-trails• Identify Multi region Cloudtrails: Trails with 'IsMultiRegionTrail' set totrue• From value associated with CloudWatchLogsLogGroupArn noteExample: for CloudWatchLogsLogGroupArn that looks likearn:aws:logs:::log-group:NewGroup:*, would be NewGroup• Ensure Identified Multi region CloudTrail is activeaws cloudtrail get-trail-status --name ensure IsLogging is set to TRUE• Ensure identified Multi-region Cloudtrail captures all Management Eventsaws cloudtrail get-event-selectors --trail-name Ensure there is at least one Event Selector for a Trail with IncludeManagementEvents setto true and ReadWriteType set to All2. Get a list of all associated metric filters for this :aws logs describe-metric-filters --log-group-name''3. Ensure the output from the above command contains the following:'filterPattern': '{($.eventSource = ec2.amazonaws.com) && ($.eventName =CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName =ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName= DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName =DisassociateRouteTable) }'4. Note the  value associated with thefilterPattern found in step 3.5. Get a list of CloudWatch alarms and filter on the captured in step 4.aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName==``]'6. Note the AlarmActions value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topicaws sns list-subscriptions-by-topic --topic-arn at least one subscription should have 'SubscriptionArn' with valid aws ARN.Example of valid 'SubscriptionArn':'arn:aws:sns::::'","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. 
CloudTrail Logs can also be sent to an external Security informationand event management (SIEM) environment for monitoring and alerting.Monitoring changes to route tables will help ensure that all VPC traffic flows through anexpected path and prevent any accidental or intentional modifications that may lead touncontrolled network traffic. An alarm should be triggered every time an AWS API call isperformed to create, replace, delete, or disassociate a Route Table.","RemediationProcedure": "If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription: 1. Create a metric filter based on filter pattern provided which checks for route table changes and the  taken from audit step 1. aws logs put-metric-filter --log-group-name  -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together. 2. Create an SNS topic that the alarm will notify aws sns create-topic --name  Note: you can execute this command once and then re-use the same topic for all monitoring alarms. 3. Create an SNS subscription to the topic created in step 2 aws sns subscribe --topic-arn  --protocol  - -notification-endpoint  Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms. 4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 - -threshold 1 --comparison-operator GreaterThanOrEqualToThreshold -- evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions ","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure route table changes are monitored","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.14": {"name": "4.14","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for VPC changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.15": {"name": "4.15","checks": {"cloudwatch_log_metric_filter_aws_organizations_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.","DefaultValue": null,"AuditProcedure": "1. 
Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured: - Identify the log group name configured for use with active multi-region CloudTrail: - List all CloudTrails:``` aws cloudtrail describe-trails ``` - Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true - From value associated with CloudWatchLogsLogGroupArn note **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active: ``` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events: ``` aws cloudtrail get-event-selectors --trail-name  ``` - Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.2. Get a list of all associated metric filters for this : ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\" ``` 4. 
Note the `` value associated with the filterPattern found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4: ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the AlarmActions value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic: ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. Example of valid \"SubscriptionArn\":``` \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `` taken from audit step 1: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }' ``` **Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify: ``` aws sns create-topic --name  ``` **Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2: ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2: ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": ""}],"description": "Ensure a log metric filter and alarm exists for AWS Organizations changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.16": {"name": "4.16","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-get-started.html:https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-api:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/enable-security-hub.html","Description": "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.","DefaultValue": null,"AuditProcedure": "The process to evaluate AWS Security Hub configuration per region **From Console:**1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. 2. On the top right of the console, select the target Region. 3. If presented with the Security Hub > Summary page then Security Hub is set-up for the selected region. 4. 
If presented with Setup Security Hub or Get Started With Security Hub - follow the online instructions. 5. Repeat steps 2 to 4 for each region.","ImpactStatement": "It is recommended AWS Security Hub be enabled in all regions. AWS Security Hub requires AWS Config to be enabled.","AssessmentStatus": "Automated","RationaleStatement": "AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices - enabling you to quickly assess the security posture across your AWS accounts.","RemediationProcedure": "To grant the permissions required to enable Security Hub, attach the Security Hub managed policy AWSSecurityHubFullAccess to an IAM user, group, or role.Enabling Security Hub**From Console:**1. Use the credentials of the IAM identity to sign in to the Security Hub console. 2. When you open the Security Hub console for the first time, choose Enable AWS Security Hub. 3. On the welcome page, Security standards list the security standards that Security Hub supports. 4. Choose Enable Security Hub.**From Command Line:**1. Run the enable-security-hub command. To enable the default standards, include `--enable-default-standards`. ``` aws securityhub enable-security-hub --enable-default-standards ```2. To enable the security hub without the default standards, include `--no-enable-default-standards`. ``` aws securityhub enable-security-hub --no-enable-default-standards ```","AdditionalInformation": ""}],"description": "Ensure AWS Security Hub is enabled","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.1": {"name": "2.1.1","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "2.1. 
Simple Storage Service (S3)","References": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html","Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.","DefaultValue": null,"AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions', then Click on `Bucket Policy`. 4. Ensure that a policy is listed that matches: ``` '{\"Sid\": ,\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}' ``` `` and `` will be specific to your account5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets``` aws s3 ls ``` 2. Using the list of buckets run this command on each of them: ``` aws s3api get-bucket-policy --bucket  | grep aws:SecureTransport ``` 3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false` 4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. 
To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions'. 4. Click 'Bucket Policy' 5. Add this to the existing policy filling in the required information ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 6. Save 7. Repeat for all the buckets in your AWS account that contain sensitive data.**From Console** using AWS Policy Generator:1. Repeat steps 1-4 above. 2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor 3. Select Policy Type `S3 Bucket Policy` 4. Add Statements - `Effect` = Deny - `Principal` = * - `AWS Service` = Amazon S3 - `Actions` = * - `Amazon Resource Name` =  5. Generate Policy 6. Copy the text and add it to the Bucket Policy.**From Command Line:**1. Export the bucket policy to a json file. ``` aws s3api get-bucket-policy --bucket  --query Policy --output text > policy.json ```2. Modify the policy.json file by adding in this statement: ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 3. 
Apply this modified policy back to the S3 bucket: ``` aws s3api put-bucket-policy --bucket  --policy file://policy.json ```","AdditionalInformation": ""}],"description": "Ensure S3 Bucket Policy is set to deny HTTP requests","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.2": {"name": "2.1.2","checks": {"s3_bucket_no_mfa_delete": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html","Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","DefaultValue": null,"AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket**From Console:**1. Login to the S3 console at `https://console.aws.amazon.com/s3/`2. Click the `Check` box next to the Bucket name you want to confirm3. In the window under `Properties`4. Confirm that Versioning is `Enabled`5. Confirm that MFA Delete is `Enabled`**From Command Line:**1. 
Run the `get-bucket-versioning` ``` aws s3api get-bucket-versioning --bucket my-bucket ```Output example: ```  EnabledEnabled ```If the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.","RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.Note: -You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API. -You must use your 'root' account to enable MFA Delete on S3 buckets.**From Command line:**1. Run the s3api put-bucket-versioning command``` aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” ```","AdditionalInformation": ""}],"description": "Ensure MFA Delete is enabled on S3 buckets","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.3": {"name": "2.1.3","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. Simple Storage Service (S3)","References": "https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html","Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. 
Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.","DefaultValue": null,"AuditProcedure": "Perform the following steps to determine if Macie is running:**From Console:** 1. Login to the Macie console at https://console.aws.amazon.com/macie/ 2. In the left hand pane click on By job under findings. 3. Confirm that you have a Job setup for your S3 BucketsWhen you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.","ImpactStatement": "There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.","AssessmentStatus": "Manual","RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.","RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie**From Console:**1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`2. Click `Get started`.3. Click `Enable Macie`.Setup a repository for sensitive data discovery results1. In the Left pane, under Settings, click `Discovery results`.2. Make sure `Create bucket` is selected.3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.4. Click on `Advanced`.5. Block all public access, make sure `Yes` is selected.6. 
KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.7. Click on `Save`Create a job to discover sensitive data1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.2. Select the `check box` for each bucket that you want Macie to analyze as part of the job3. Click `Create job`.3. Click `Quick create`.4. For the Name and description step, enter a name and, optionally, a description of the job.5. Then click `Next`.6. For the Review and create step, click `Submit`.Review your findings1. In the left pane, click `Findings`.2. To view the details of a specific finding, choose any field other than the check box for the finding.If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.","AdditionalInformation": ""}],"description": "Ensure all data in Amazon S3 has been discovered, classified and secured when required.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.4": {"name": "2.1.4","checks": {"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html","Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. 
While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.","DefaultValue": null,"AuditProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Ensure that block public access settings are set appropriately for this bucket 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Find the public access setting on that bucket ``` aws s3api get-public-access-block --bucket  ``` Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"BlockPublicAcls\": true,\"IgnorePublicAcls\": true,\"BlockPublicPolicy\": true,\"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.**If utilizing Block Public Access (account settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block public access (account settings)` 3. 
Ensure that block public access settings are set appropriately for your AWS account.**From Command Line:**To check Public access settings for this account status, run the following command, `aws s3control get-public-access-block --account-id  --region `Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"IgnorePublicAcls\": true, \"BlockPublicPolicy\": true, \"BlockPublicAcls\": true, \"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.","ImpactStatement": "When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.","AssessmentStatus": "Automated","RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s). Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.","RemediationProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Click 'Block all public access' 5. Repeat for all the buckets in your AWS account that contain sensitive data.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. 
Set the Block Public Access to true on that bucket ``` aws s3api put-public-access-block --bucket  --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\" ```**If utilizing Block Public Access (account settings)****From Console:**If the output reads `true` for the separate configuration settings then it is set on the account.1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block Public Access (account settings)` 3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account 4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons. 5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.**From Command Line:**To set Block Public access settings for this account, run the following command: ``` aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id  ```","AdditionalInformation": ""}],"description": "Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.2.1": {"name": "2.2.1","checks": {"ec2_ebs_volume_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.2. Elastic Compute Cloud (EC2)","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html:https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/","Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 get-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Review every region in-use.**Note:** EBS volume encryption is configured per region.","ImpactStatement": "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption` 6. Repeat for every region requiring the change.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 enable-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Repeat every region requiring the change.**Note:** EBS volume encryption is configured per region.","AdditionalInformation": "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are **not** converted automatically."}],"description": "Ensure EBS Volume Encryption is Enabled in all Regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.1": {"name": "2.3.1","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html:https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/#:~:text=With%20RDS%2Dencrypted%20resources%2C%20data,transparent%20to%20your%20database%20engine.:https://aws.amazon.com/rds/features/security/","Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/ 2. In the navigation pane, under RDS dashboard, click `Databases`. 3. Select the RDS Instance that you want to examine 4. Click `Instance Name` to see details, then click on `Configuration` tab. 5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status. 6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance. 7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region. 8. Change region from the top of the navigation bar and repeat audit for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. 
Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ``` 3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance. 4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases` 3. Select the Database instance that needs to be encrypted. 4. Click on `Actions` button placed at the top right and select `Take Snapshot`. 5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`. 6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu. 7. On the Make Copy of DB Snapshot page, perform the following:- In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`. - Check `Copy Tags`, New snapshot must have the same tags as the source snapshot. 
- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot. 9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance. 10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field. 11. Review the instance configuration details and click `Restore DB Instance`. 12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name. ``` aws rds create-db-snapshot --region  --db-snapshot-identifier  --db-instance-identifier  ``` 3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key. ``` aws kms list-aliases --region  ``` 4. 
Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`. ``` aws rds copy-db-snapshot --region  --source-db-snapshot-identifier  --target-db-snapshot-identifier  --copy-tags --kms-key-id  ``` 5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration. ``` aws rds restore-db-instance-from-db-snapshot --region  --db-instance-identifier  --db-snapshot-identifier  ``` 6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ```","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for RDS Instances","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.3.2": {"name": "2.3.2","checks": {"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to examine. 4. Click on the `Maintenance and backups` panel. 5. Under the `Maintenance` section, search for the Auto Minor Version Upgrade status. - If the current status is set to `Disabled`, means the feature is not set and the minor engine upgrades released will not be applied to the selected RDS instance**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run again `describe-db-instances` command using the RDS instance identifier returned earlier to determine the Auto Minor Version Upgrade status for the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 4. The command output should return the feature current status. 
If the current status is set to `true`, the feature is enabled and the minor engine upgrades will be applied to the selected RDS instance.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS RDS will occasionally deprecate minor engine versions and provide new ones for an upgrade. When the last version number within the release is replaced, the version changed is considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades will occur automatically during the specified maintenance window so your RDS instances can get the new features, bug fixes, and security patches for their database engines.","RemediationProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to update. 4. Click on the `Modify` button placed on the top right side. 5. On the `Modify DB Instance: ` page, In the `Maintenance` section, select `Auto minor version upgrade` click on the `Yes` radio button. 6. At the bottom of the page click on `Continue`, check to Apply Immediately to apply the changes immediately, or select `Apply during the next scheduled maintenance window` to avoid any downtime. 7. Review the changes and click on `Modify DB Instance`. The instance status should change from available to modifying and back to available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should change to `Yes`.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database instance names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. 
Run the `modify-db-instance` command to modify the selected RDS instance configuration this command will apply the changes immediately, Remove `--apply-immediately` to apply changes during the next scheduled maintenance window and avoid any downtime: ``` aws rds modify-db-instance --region  --db-instance-identifier  --auto-minor-version-upgrade --apply-immediately ``` 4. The command output should reveal the new configuration metadata for the RDS instance and check `AutoMinorVersionUpgrade` parameter value. 5. Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has been successfully enable: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 6. The command output should return the feature current status set to `true`, the feature is `enabled` and the minor engine upgrades will be applied to the selected RDS instance.","AdditionalInformation": ""}],"description": "Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.3": {"name": "2.3.3","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. Relational Database Service (RDS)","References": "1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to anypublicly accessible RDS database instance, you must disable the database PubliclyAccessible flag and update the VPC security group associated with the instance","DefaultValue": null,"AuditProcedure": "From Console: 1. 
Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click Databases. 3. Select the RDS instance that you want to examine. 4. Click Instance Name from the dashboard, Under `Connectivity and Security. 5. On the Security, check if the Publicly Accessible flag status is set to Yes, follow the below-mentioned steps to check database subnet access. • In the networking section, click the subnet link available under Subnets • The link will redirect you to the VPC Subnets page. • Select the subnet listed on the page and click the Route Table tab from the dashboard bottom panel. If the route table contains any entries with the destination CIDR block set to 0.0.0.0/0 and with an Internet Gateway attached. • The selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and can be accessible from the Internet. 6. Repeat steps no. 4 and 5 to determine the type (public or private) and subnet for other RDS database instances provisioned in the current region. 7. Change the AWS region from the navigation bar and repeat the audit process for other regions. From Command Line: 1. Run describe-db-instances command to list all RDS database names, available in the selected AWS region: aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' 2. The command output should return each database instance identifier. 3. Run again describe-db-instances command using the PubliclyAccessible parameter as query filter to reveal the database instance Publicly Accessible flag status: aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].PubliclyAccessible' 4. Check for the Publicly Accessible parameter status, If the Publicly Accessible flag is set to Yes. 
Then selected RDS database instance is publicly accessible and insecure, follow the below-mentioned steps to check database subnet access 5. Run again describe-db-instances command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC subnet(s) associated with the selected instance: aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.Subnets[]' • The command output should list the subnets available in the selected database subnet group. 6. Run describe-route-tables command using the ID of the subnet returned at the previous step to describe the routes of the VPC route table associated with the selected subnet: aws ec2 describe-route-tables --region  --filters 'Name=association.subnet-id,Values=' --query 'RouteTables[*].Routes[]' • If the command returns the route table associated with database instance subnet ID. Check the GatewayId and DestinationCidrBlock attributes values returned in the output. If the route table contains any entries with the GatewayId value set to igw-xxxxxxxx and the DestinationCidrBlock value set to 0.0.0.0/0, the selected RDS database instance was provisioned inside a public subnet. • Or • If the command returns empty results, the route table is implicitly associated with subnet, therefore the audit process continues with the next step 7. Run again describe-db-instances command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC ID associated with the selected instance: aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.VpcId' • The command output should show the VPC ID in the selected database subnet group 8. 
Now run describe-route-tables command using the ID of the VPC returned at the previous step to describe the routes of the VPC main route table implicitly associated with the selected subnet: aws ec2 describe-route-tables --region  --filters 'Name=vpc- id,Values=' 'Name=association.main,Values=true' --query 'RouteTables[*].Routes[]' • The command output returns the VPC main route table implicitly associated with database instance subnet ID. Check the GatewayId and DestinationCidrBlock attributes values returned in the output. If the route table contains any entries with the GatewayId value set to igw-xxxxxxxx and the DestinationCidrBlock value set to 0.0.0.0/0, the selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and does not adhere to AWS security best practices.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.","RemediationProcedure": "From Console: 1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click Databases. 3. Select the RDS instance that you want to update. 4. Click Modify from the dashboard top menu. 5. On the Modify DB Instance panel, under the Connectivity section, click on Additional connectivity configuration and update the value for Publicly Accessible to Not publicly accessible to restrict public access. 
Follow the below steps to update subnet configurations: • Select the Connectivity and security tab, and click on the VPC attribute value inside the Networking section. • Select the Details tab from the VPC dashboard bottom panel and click on Route table configuration attribute value. • On the Route table details page, select the Routes tab from the dashboard bottom panel and click on Edit routes. • On the Edit routes page, update the Destination of Target which is set to igw- xxxxx and click on Save routes. 6. On the Modify DB Instance panel Click on Continue and In the Scheduling of modifications section, perform one of the following actions based on your requirements: • Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window. • Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application. 7. Repeat steps 3 to 6 for each RDS instance available in the current region. 8. Change the AWS region from the navigation bar to repeat the process for other regions. From Command Line: 1. Run describe-db-instances command to list all RDS database names identifiers, available in the selected AWS region: aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' 2. The command output should return each database instance identifier. 3. Run modify-db-instance command to modify the selected RDS instance configuration. Then use the following command to disable the Publicly Accessible flag for the selected RDS instances. This command use the apply- immediately flag. 
If you want to avoid any downtime --no-apply-immediately flag can be used: aws rds modify-db-instance --region  --db-instance-identifier  --no-publicly-accessible --apply-immediately 4. The command output should reveal the PubliclyAccessible configuration under pending values and should get applied at the specified time. 5. Updating the Internet Gateway Destination via AWS CLI is not currently supported To update information about Internet Gateway use the AWS Console Procedure. 6. Repeat steps 1 to 5 for each RDS instance provisioned in the current region. 7. Change the AWS region by using the --region filter to repeat the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that public access is not given to RDS Instance","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.4.1": {"name": "2.4.1","checks": {"efs_encryption_at_rest_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.4 Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/efs/index.html#efs","Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).","DefaultValue": null,"AuditProcedure": "**From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS) dashboard. 2. Select `File Systems` from the left navigation panel. 3. Each item on the list has a visible Encrypted field that displays data at rest encryption status. 4. Validate that this field reads `Encrypted` for all EFS file systems in all AWS regions.**From CLI:** 1. Run describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region: ``` aws efs describe-file-systems --region  --output table --query 'FileSystems[*].FileSystemId' ``` 2. 
The command output should return a table with the requested file system IDs. 3. Run describe-file-systems command using the ID of the file system that you want to examine as identifier and the necessary query filters: ``` aws efs describe-file-systems --region  --file-system-id  --query 'FileSystems[*].Encrypted' ``` 4. The command output should return the file system encryption status true or false. If the returned value is `false`, the selected AWS EFS file system is not encrypted and if the returned value is `true`, the selected AWS EFS file system is encrypted.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.","RemediationProcedure": "**It is important to note that EFS file system data at rest encryption must be turned on when creating the file system.**If an EFS file system has been created without data at rest encryption enabled then you must create another EFS file system with the correct configuration and transfer the data.**Steps to create an EFS file system with data encrypted at rest:****From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS)` dashboard. 2. Select `File Systems` from the left navigation panel. 3. Click `Create File System` button from the dashboard top menu to start the file system setup process. 4. On the `Configure file system access` configuration page, perform the following actions. - Choose the right VPC from the VPC dropdown list. - Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets. - Click `Next step` to continue.5. Perform the following on the `Configure optional settings` page. - Create `tags` to describe your new file system. - Choose `performance mode` based on your requirements. 
- Check `Enable encryption` checkbox and choose `aws/elasticfilesystem` from Select KMS master key dropdown list to enable encryption for the new file system using the default master key provided and managed by AWS KMS. - Click `Next step` to continue.6. Review the file system configuration details on the `review and create` page and then click `Create File System` to create your new AWS EFS file system. 7. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 8. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. 9. Change the AWS region from the navigation bar and repeat the entire process for other aws regions.**From CLI:** 1. Run describe-file-systems command to describe the configuration information available for the selected (unencrypted) file system (see Audit section to identify the right resource): ``` aws efs describe-file-systems --region  --file-system-id  ``` 2. The command output should return the requested configuration information. 3. To provision a new AWS EFS file system, you need to generate a universally unique identifier (UUID) in order to create the token required by the create-file-system command. To create the required token, you can use a randomly generated UUID from \"https://www.uuidgenerator.net\". 4. Run create-file-system command using the unique token created at the previous step. ``` aws efs create-file-system --region  --creation-token  --performance-mode generalPurpose --encrypted ``` 5. The command output should return the new file system configuration metadata. 6. Run create-mount-target command using the newly created EFS file system ID returned at the previous step as identifier and the ID of the Availability Zone (AZ) that will represent the mount target: ``` aws efs create-mount-target --region  --file-system-id  --subnet-id  ``` 7. The command output should return the new mount target metadata. 8. 
Now you can mount your file system from an EC2 instance. 9. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 10. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. ``` aws efs delete-file-system --region  --file-system-id  ``` 11. Change the AWS region by updating the --region and repeat the entire process for other aws regions.","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for EFS file systems","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 51,"requirements_failed": 10,"requirements_manual": 1,"total_requirements": 62,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "a349f7c9-fce3-4ac4-821a-d0c974496c2b","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "nist_800_53_revision_5_aws","framework": "NIST-800-53-Revision-5","version": "","description": "The NIST 800-53 (Rev. 5) Low-Moderate-High framework represents the security controls and the associated assessment procedures that are defined in NIST SP 800-53 Revision 5 Recommended Security Controls for Federal Information Systems and Organizations. 
For any discrepancies that are noted in the content between this NIST SP 800-53 framework and the latest published NIST Special Publication SP 800-53 Revision 5, refer to the official published documents that are available at the NIST Computer Security Resource Center.","region": "eu-west-1","requirements": {"ac_3": {"name": "Access Enforcement (AC-3)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"ec2_instance_profile_attached": "PASS","rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","checks_status": {"fail": 1,"pass": 7,"total": 21,"manual": 0}},"ac_4": {"name": "Information Flow Enforcement (AC-4)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4","Section": "Access 
Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"ac_6": {"name": "Least Privilege (AC-6)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_6","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.","checks_status": {"fail": 1,"pass": 6,"total": 21,"manual": 0}},"ca_7": {"name": "Continuous Monitoring (CA-7)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": 
null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_7","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Continuously monitor configuration management processes. Determine security impact, environment and operational risks.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"cm_6": {"name": "Configuration Settings (CM-6)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_6","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"ia_2": {"name": "Identification and Authentication (Organizational users) (IA-2)","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": null}],"description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5": {"name": "Authenticator Management (IA-5)","checks": {"iam_password_policy_minimum_length_14": 
null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5","Section": "Identification and Authentication (IA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp_2": {"name": "Media Access (MP-2)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "mp_2","Section": "Media Protection (MP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].","checks_status": {"fail": 1,"pass": 6,"total": 21,"manual": 0}},"sc_6": {"name": "Resource Availability (SC-6)","checks": {"rds_instance_multi_az": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_6","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": 
"Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc_8": {"name": "Transmission Confidentiality And Integrity (SC-8)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"ac_24": {"name": "Access Control Decisions (AC-24)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_24","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"au_10": 
{"name": "Non-Repudiation (AU-10)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_10","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].","checks_status": {"fail": 6,"pass": 2,"total": 13,"manual": 0}},"au_11": {"name": "Audit Record Retention (AU-11)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_11","Section": "Audit and Accountability (AU)","Service": "cloudwatch","SubGroup": null,"SubSection": null}],"description": "Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_16": {"name": "Cross-Organizational Audit Logging (AU-16)","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_16","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Employ [Assignment: 
organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cp_10": {"name": "System Recovery And Reconstitution (CP-10)","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_10","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.","checks_status": {"fail": 3,"pass": 1,"total": 7,"manual": 0}},"pm_16": {"name": "Threat Awareness Program (PM-16)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "pm_16","Section": "Program Management (PM)","Service": "guarduty","SubGroup": null,"SubSection": null}],"description": "Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"pm_31": {"name": "Continuous Monitoring Strategy (PM-31)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": 
null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pm_31","Section": "Program Management (PM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. 
Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"sc_12": {"name": "Cryptographic Key Establishment And Management (SC-12)","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_12","Section": "System and Communications Protection (SC)","Service": "kms","SubGroup": null,"SubSection": null}],"description": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"sc_22": {"name": "Architecture And Provisioning For Name/Address Resolution Service (SC-22)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_22","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"sc_23": {"name": "Session Authenticity (SC-23)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_23","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Protect the authenticity of 
communications sessions.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"sc_25": {"name": "Thin Nodes (SC-25)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_25","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components].","checks_status": {"fail": 1,"pass": 5,"total": 17,"manual": 0}},"sc_36": {"name": "Distributed Processing And Storage (SC-36)","checks": {"rds_instance_multi_az": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_36","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"si_12": {"name": "Information Management and Retention (SI-12)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": 
"FAIL","attributes": [{"Type": null,"ItemId": "si_12","Section": "System and Information integrity (SI)","Service": "cloudwatch","SubGroup": null,"SubSection": null}],"description": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ac_2_1": {"name": "AC-2(1) Automated System Account Management","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_2_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Support the management of system accounts using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 1,"pass": 0,"total": 14,"manual": 0}},"ac_2_3": {"name": "AC-2(3) Disable Accounts","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer 
associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period].","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_2_4": {"name": "AC-2(4) Automated Audit Actions","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_2_4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Automatically audit account creation, modification, enabling, disabling, and removal actions.","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"ac_2_6": {"name": "AC-2(6) Dynamic Privilege Management","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"ac_2_6","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Implement [Assignment: organization-defined dynamic privilege management capabilities].","checks_status": {"fail": 1,"pass": 6,"total": 21,"manual": 0}},"ac_2_g": {"name": "AC-2(g)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_g","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: g. Monitors the use of information system accounts.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ac_2_j": {"name": "AC-2(j)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_j","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: j. 
Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency].","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ac_3_1": {"name": "AC-3(1) Restricted Access To Privileged Functions","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"ac_3_2": {"name": "AC-3(2) Dual Authorization","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_3_2","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ac_3_3": {"name": "AC-3(3) Mandatory Access Control","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": 
null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4": {"name": "AC-3(4) Discretionary Access Control","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": 
null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_7": {"name": "AC-3(7) Role-Based Access Control","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": 
null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_7","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].","checks_status": {"fail": 1,"pass": 6,"total": 21,"manual": 0}},"ac_3_8": {"name": "AC-3(8) Revocation Of Access Authorizations","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_8","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_5_b": {"name": "AC-5(b)","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": 
null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_5_b","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Separation Of Duties (AC-5)"}],"description": "Define system access authorizations to support separation of duties.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_6_2": {"name": "AC-6(2)","checks": {"iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_6_2","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ac_6_3": {"name": "AC-6(3)","checks": {"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_6_3","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ac_6_9": {"name": "AC-6(9)","checks": {"redshift_cluster_audit_logging": 
null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_6_9","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "Log the execution of privileged functions.","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"ac_7_4": {"name": "AC-7(4) Use Of Alternate Authentication Factor","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_7_4","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Unsuccessful Logon Attempts (AC-7)"}],"description": "Prevent non-privileged users from executing privileged functions.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"au_2_b": {"name": "AU-2(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_2_b","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Event Logging (AU-2)"}],"description": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection 
criteria for events to be logged.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_1": {"name": "AU-3(1) Additional Audit Information","checks": {"guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "au_3_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Generate audit records containing the following additional information: [Assignment: organization-defined additional information].","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"au_3_a": {"name": "AU-3(a)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_a","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: a. 
What type of event occurred.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_b": {"name": "AU-3(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_b","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: b. When the event occurred.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_c": {"name": "AU-3(c)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_c","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: c. 
Where the event occurred.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_d": {"name": "AU-3(d)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_d","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: d. Source of the event.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_e": {"name": "AU-3(e)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_e","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: e. 
Outcome of the event.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_f": {"name": "AU-3(f)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_f","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: e. Outcome of the event.","checks_status": {"fail": 5,"pass": 2,"total": 11,"manual": 0}},"au_4_1": {"name": "AU-4(1) Transfer To Alternate Storage","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_4_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Log Stprage Capacity (AU-4)"}],"description": "Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_6_1": {"name": "AU-6(1) Automated Process Integration","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"au_6_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"au_6_3": {"name": "AU-6(3) Correlate Audit Record Repositories","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_6_4": {"name": "AU-6(4) Central Review And Analysis","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": 
"FAIL","attributes": [{"Type": null,"ItemId": "au_6_4","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_6_5": {"name": "AU-6(5) Central Review And Analysis","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_5","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"au_6_6": {"name": "AU-6(6) Correletion With Physical Monitoring","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": 
"FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_6","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_6_9": {"name": "AU-6(9) Correletion With From Nontechnical Sources","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_9","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_7_1": {"name": "AU-7(1) Automatic Processing","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_7_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Reduction And Report Generation (AU-7)"}],"description": "Provide and implement the capability to process, 
sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_8_b": {"name": "AU-8(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_8_b","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Time Stamps (AU-8)"}],"description": "Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_9_2": {"name": "AU-9(2) Store On Separate Physical Systems Or Components","checks": {"s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_9_2","Section": "Audit and Accountability (AU)","Service": "s3","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_9_3": {"name": "AU-9(3) Cryptographic Protection","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": 
"PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_9_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.","checks_status": {"fail": 8,"pass": 3,"total": 17,"manual": 0}},"au_9_7": {"name": "AU-9(7) Store On Component With Different Operation Systems","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_9_7","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "Store audit information on a component running a different operating system than the system or component being audited.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_9_a": {"name": "AU-9(a)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_9_a","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "Protect audit information and audit logging tools from unauthorized access, 
modification, and deletion.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ca_2_2": {"name": "CA-2(2) Specialized Assessments","checks": {"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_2_2","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": null,"SubSection": "Control Assessments (CA-2)"}],"description": "Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]].","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"ca_2_d": {"name": "CA-2(d)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ca_2_d","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": null,"SubSection": "Control Assessments (CA-2)"}],"description": "Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ca_7_b": {"name": "CA-7(b)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": 
"PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_7_b","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": null,"SubSection": "Continuous Monitoring (CA-7)"}],"description": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. 
Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness.","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"ca_9_b": {"name": "CA-9(b)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_9_b","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": null,"SubSection": "Internal System Connections (CA-9)"}],"description": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_2_2": {"name": "CM-2(2) Automation Support For Accuracy And Currency","checks": {"elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Baseline Configuration (CM-2)"}],"description": "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 5,"pass": 0,"total": 5,"manual": 0}},"cm_2_a": {"name": "CM-2(a)","checks": {"elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_a","Section": "Configuration 
Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Baseline Configuration (CM-2)"}],"description": "Develop, document, and maintain under configuration control, a current baseline configuration of the system.","checks_status": {"fail": 5,"pass": 0,"total": 5,"manual": 0}},"cm_2_b": {"name": "CM-2(b)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Baseline Configuration (CM-2)"}],"description": "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_3_3": {"name": "CM-3(3) Automated Change Implementation","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_3_3","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Configuration Change Control (CM-3)"}],"description": "Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_3_a": {"name": "CM-3(a)","checks": {"elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_3_a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Configuration Change 
Control (CM-3)"}],"description": "Determine and document the types of changes to the system that are configuration-controlled.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_6_a": {"name": "CM-6(a)","checks": {"iam_root_mfa_enabled": null,"vpc_flow_logs_enabled": "FAIL","iam_no_root_access_key": null,"s3_bucket_public_access": null,"kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","iam_user_accesskey_unused": null,"ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","ec2_instance_profile_attached": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","iam_password_policy_minimum_length_14": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_6_a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Configuration Settings (CM-6)"}],"description": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common 
secure configurations].","checks_status": {"fail": 8,"pass": 6,"total": 31,"manual": 0}},"cm_7_b": {"name": "CM-7(b)","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_7_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Least Functionality (CM-7)"}],"description": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cm_8_1": {"name": "CM-8(1) Updates During Installation And Removals","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_1","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "System Component Inventory (CM-8)"}],"description": "Update the inventory of system components as part of component installations, removals, and system updates.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_2": {"name": "CM-8(2) Automated Maintenance","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "System Component Inventory (CM-8)"}],"description": "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cm_8_6": {"name": "CM-8(6) Assessed Configurations And Approved Deviations","checks": {"elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": 
"FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_6","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "System Component Inventory (CM-8)"}],"description": "Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.","checks_status": {"fail": 5,"pass": 0,"total": 5,"manual": 0}},"cm_8_a": {"name": "CM-8(a)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. 
Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability].","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_b": {"name": "CM-8(b)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "System Component Inventory (CM-8)"}],"description": "Review and update the system component inventory [Assignment: organization-defined frequency].","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_9_b": {"name": "CM-9(b)","checks": {"iam_root_mfa_enabled": null,"vpc_flow_logs_enabled": "FAIL","iam_no_root_access_key": null,"s3_bucket_public_access": null,"kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","iam_user_accesskey_unused": null,"ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","iam_password_policy_minimum_length_14": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": 
null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_9_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Configuration Management Plan (CM-9)"}],"description": "Develop, document, and implement a configuration management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items.","checks_status": {"fail": 8,"pass": 6,"total": 31,"manual": 0}},"cp_1_2": {"name": "CP-1(2)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_1_2","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Policy And Procedures (CP-1)"}],"description": "Implement transaction recovery for systems that are transaction-based.","checks_status": {"fail": 2,"pass": 1,"total": 6,"manual": 0}},"cp_2_5": {"name": "CP-2(5) Continue Mission And Business Functions","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_5","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Contingency Plan (CP-2)"}],"description": "Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of 
operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.","checks_status": {"fail": 5,"pass": 1,"total": 9,"manual": 0}},"cp_2_6": {"name": "CP-2(6) Alternate Processing And Storage Sites","checks": {"rds_instance_multi_az": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_6","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Contingency Plan (CP-2)"}],"description": "Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cp_2_a": {"name": "CP-2(a)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_a","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Contingency Plan (CP-2)"}],"description": "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. 
Is reviewed and approved by [Assignment: organization-defined personnel or roles]","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cp_2_d": {"name": "CP-2(d)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_d","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Contingency Plan (CP-2)"}],"description": "Review the contingency plan for the system [Assignment: organization-defined frequency]","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cp_2_e": {"name": "CP-2(e)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_e","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Contingency Plan (CP-2)"}],"description": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cp_6_1": {"name": "CP-6(1) Separation From Primary Site","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_6_1","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Alternate Storage Sites (CP-6)"}],"description": "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.","checks_status": {"fail": 2,"pass": 1,"total": 5,"manual": 0}},"cp_6_2": {"name": "CP-6(2) Recovery Time And Recovery Point Objectives","checks": {"rds_instance_multi_az": 
"FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_6_2","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Alternate Storage Sites (CP-6)"}],"description": "Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.","checks_status": {"fail": 3,"pass": 1,"total": 7,"manual": 0}},"cp_6_a": {"name": "CP-6(a)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_6_a","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Alternate Storage Sites (CP-6)"}],"description": "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information.","checks_status": {"fail": 2,"pass": 1,"total": 5,"manual": 0}},"cp_9_8": {"name": "CP-9(8) Cryptographic Protection","checks": {"s3_bucket_default_encryption": "PASS","rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9_8","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Backup (CP-9)"}],"description": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information].","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"cp_9_a": {"name": "CP-9(a)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": 
null,"redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9_a","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Backup (CP-9)"}],"description": "Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"cp_9_b": {"name": "CP-9(b)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null,"redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9_b","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Backup (CP-9)"}],"description": "Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"cp_9_c": {"name": "CP-9(c)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null,"redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9_c","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Backup (CP-9)"}],"description": "Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"cp_9_d": {"name": 
"CP-9(d)","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9_d","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Backup (CP-9)"}],"description": "Protect the confidentiality, integrity, and availability of backup information.","checks_status": {"fail": 5,"pass": 3,"total": 13,"manual": 0}},"ia_2_1": {"name": "IA-2(1) Multi-Factor Authentication To Privileged Accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_1","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "Implement multi-factor authentication for access to privileged accounts.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_2_2": {"name": "IA-2(2) Multi-Factor Authentication To Non-Privileged Accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_2","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "Implement multi-factor authentication for access to non-privileged accounts.","checks_status": 
{"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_2_6": {"name": "IA-2(6) Acces To Accounts — Separate Device","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_6","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements].","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_2_8": {"name": "IA-2(8) Access To Accounts — Replay Resistant","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_8","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts].","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_4_4": {"name": "IA-4(4)","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_4_4","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identifier Management (IA-4)"}],"description": "Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual 
status].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_4_8": {"name": "IA-4(8)","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_4_8","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identifier Management (IA-4)"}],"description": "Generate pairwise pseudonymous identifiers.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_4_b": {"name": "IA-4(b)","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_4_b","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identifier Management (IA-4)"}],"description": "Manage system identifiers by: b. Selecting an identifier that identifies an individual, group, role, service, or device.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_4_d": {"name": "IA-4(d)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_4_d","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identifier Management (IA-4)"}],"description": "Manage system identifiers by: d. 
Preventing reuse of identifiers for [Assignment: organization-defined time period].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_8": {"name": "IA-5(8) Multiple System Accounts","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_8","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_b": {"name": "IA-5(b)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_b","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "Manage system authenticators by: b. Establishing initial authenticator content for any authenticators issued by the organization.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_c": {"name": "IA-5(c)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_c","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "Manage system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_d": {"name": "IA-5(d)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_d","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "Manage system authenticators by: d. 
Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_f": {"name": "IA-5(f)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_f","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "Manage system authenticators by: f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_h": {"name": "IA-5(h)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_h","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "Manage system authenticators by: h. 
Requiring individuals to take, and having devices implement, specific controls to protect authenticators.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ir_4_a": {"name": "IR-4(a)","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir_4_a","Section": "Incident Response (IR)","Service": "guarduty","SubGroup": null,"SubSection": "Incident Handling (IR-4)"}],"description": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ma_4_c": {"name": "MA-4(c)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ma_4_c","Section": "Maintenance (MA)","Service": "iam","SubGroup": null,"SubSection": "Nonlocal Maintenance (MA-4)"}],"description": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"pe_6_2": {"name": "PE-6(2) Monitoring Physical Access","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "pe_6_2","Section": "Physical And Environmental Protection (PE)","Service": "guarduty","SubGroup": null,"SubSection": "Monitoring Physical Access (PE-6)"}],"description": "Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"pe_6_4": {"name": "PE-6(4) Monitoring Physical Access","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "pe_6_4","Section": "Physical And Environmental Protection (PE)","Service": 
"guarduty","SubGroup": null,"SubSection": "Monitoring Physical Access (PE-6)"}],"description": "Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_1_a": {"name": "RA-1(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_1_a","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Policy And Procedures (RA-1)"}],"description": "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_3_4": {"name": "RA-3(4) Predictive Cyber Analytics","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_3_4","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Risk Assessment (RA-3)"}],"description": "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_5_4": {"name": "RA-5(4) Discoverable Information","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_5_4","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Vulnerability Monitoring And Scanning (RA-5)"}],"description": "Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions].","checks_status": {"fail": 0,"pass": 1,"total": 
1,"manual": 0}},"ra_5_a": {"name": "RA-5(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_5_a","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Vulnerability Monitoring And Scanning (RA-5)"}],"description": "Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sa_1_1": {"name": "SA-1(1)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa_1_1","Section": "System and Services Acquisition (SA)","Service": "cloudtrail","SubGroup": null,"SubSection": "Policy And Procedures (SA-1)"}],"description": "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sa_9_6": {"name": "SA-9(6) Organization-Controlled Cryptographic Keys","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sa_9_6","Section": "System and Services Acquisition (SA)","Service": "kms","SubGroup": null,"SubSection": "External System Services (SA-9)"}],"description": "Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"sc_5_1": {"name": "SC-5(1) Restrict Ability TO Attack Other Systems","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_5_1","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Denial Of Service Protection 
(SC-5)"}],"description": "Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_5_2": {"name": "SC-5(2) Capacity, Bandwidth, And Redundancy","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null,"redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_5_2","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Denial Of Service Protection (SC-5)"}],"description": "Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.","checks_status": {"fail": 5,"pass": 1,"total": 10,"manual": 0}},"sc_5_a": {"name": "SC-5(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_5_a","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Denial Of Service Protection (SC-5)"}],"description": "[Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_5_b": {"name": "SC-5(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_5_b","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Denial Of Service Protection (SC-5)"}],"description": "Employ the following controls to achieve the denial-of-service 
objective: [Assignment: organization-defined controls by type of denial-of-service event].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_7_2": {"name": "SC-7(2) Public Access","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_2","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.","checks_status": {"fail": 1,"pass": 5,"total": 13,"manual": 0}},"sc_7_3": {"name": "SC-7(3) Access Points","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_3","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Limit the number of external network connections to 
the system.","checks_status": {"fail": 1,"pass": 5,"total": 13,"manual": 0}},"sc_7_5": {"name": "SC-7(5) Deny By Default — Allow By Exception","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_5","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]].","checks_status": {"fail": 5,"pass": 0,"total": 6,"manual": 0}},"sc_7_7": {"name": "SC-7(7) Split Tunneling For Remote Devices","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_7","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards].","checks_status": 
{"fail": 3,"pass": 5,"total": 16,"manual": 0}},"sc_7_a": {"name": "SC-7(a)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_a","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"sc_7_b": {"name": "SC-7(b)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_b","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Implement 
subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks.","checks_status": {"fail": 1,"pass": 5,"total": 13,"manual": 0}},"sc_7_c": {"name": "SC-7(c)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_c","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"sc_8_1": {"name": "SC-8(1) Cryptographic Protection","checks": {"elb_ssl_listeners": "FAIL","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_1","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity (SC-8)"}],"description": "Implement cryptographic mechanisms to 
[Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.","checks_status": {"fail": 3,"pass": 1,"total": 5,"manual": 0}},"sc_8_2": {"name": "SC-8(2) Pre- And Post-Transmission Handling","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_2","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity (SC-8)"}],"description": "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"sc_8_3": {"name": "SC-8(3) Cryptographic Protection For Message Externals","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_3","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity (SC-8)"}],"description": "Implement cryptographic 
mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls].","checks_status": {"fail": 8,"pass": 3,"total": 18,"manual": 0}},"sc_8_4": {"name": "SC-8(4) Conceal Or Ramdomize Communications","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_4","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity (SC-8)"}],"description": "Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls].","checks_status": {"fail": 8,"pass": 3,"total": 18,"manual": 0}},"sc_8_5": {"name": "SC-8(5) Protected Distribution System","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_5","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity 
(SC-8)"}],"description": "Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"si_2_2": {"name": "SI-2(2) Automated Flaw Remediation Status","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_2_2","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"si_2_5": {"name": "SI-2(5) Automatic Software And Firmware Updated","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_2_5","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"si_2_a": {"name": "SI-2(a)","checks": {"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_2_a","Section": "System and Information integrity 
(SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "Identify, report, and correct system flaws.","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"si_2_c": {"name": "SI-2(c)","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_2_c","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"si_2_d": {"name": "SI-2(d)","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_2_d","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "Incorporate flaw remediation into the organizational configuration management process.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"si_4_1": {"name": "SI-4(1) System-Wide Intrusion Detection System","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_1","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_2": {"name": "SI-4(2) Automated Tools For Real-Time Analysis","checks": {"guardduty_is_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": 
"FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_2","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]. Employ automated tools and mechanisms to support near real-time analysis of events.","checks_status": {"fail": 3,"pass": 2,"total": 9,"manual": 0}},"si_4_3": {"name": "SI-4(3) Automated Tools And Mechanism Integration","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_3","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_a": {"name": "SI-4(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_a","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. 
Unauthorized local, network, and remote connections.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_b": {"name": "SI-4(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_b","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_c": {"name": "SI-4(c)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_c","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. 
At ad hoc locations within the system to track specific types of transactions of interest to the organization.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_d": {"name": "SI-4(d)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_d","Section": "System and Information integrity (SI)","Service": "cloudtrail","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Analyze detected events and anomalies.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"si_5_1": {"name": "SI-5(1) Automated Alerts And Advisories","checks": {"guardduty_is_enabled": "PASS","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_5_1","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Secuity Alerts, Advisories, And Directives (SI-5)"}],"description": "Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 0,"pass": 1,"total": 5,"manual": 0}},"si_5_b": {"name": "SI-5(b)","checks": {"guardduty_is_enabled": "PASS","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_5_b","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Secuity Alerts, Advisories, And Directives (SI-5)"}],"description": "Generate internal security alerts, advisories, and directives as deemed 
necessary.","checks_status": {"fail": 0,"pass": 1,"total": 5,"manual": 0}},"si_7_1": {"name": "SI-7(1) Integrity Checks","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_1","Section": "System and Information integrity (SI)","Service": "cloudtrail","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"si_7_3": {"name": "SI-7(3) Centrally Managed Integrity Tools","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_3","Section": "System and Information integrity (SI)","Service": "cloudtrail","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "Employ centrally managed integrity verification tools.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"si_7_7": {"name": "SI-7(7) Integration Of Detection And Response","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_7","Section": "System and Information integrity (SI)","Service": "cloudtrail","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"si_7_8": {"name": "SI-7(8) Auditing Capability For Significant Events","checks": {"elb_logging_enabled": 
"FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_8","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"si_7_a": {"name": "SI-7(a)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_a","Section": "System and Information integrity (SI)","Service": "cloudtrail","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ac_16_b": {"name": "AC-16(b)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_16_b","Section": "Access Control (AC)","Service": "cloudwatch","SubGroup": null,"SubSection": "Security And Privacy Attributes (AC-16)"}],"description": "Ensure that the attribute 
associations are made and retained with the information.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ac_17_1": {"name": "AC-17(1) Monitoring And Control","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "Employ automated mechanisms to monitor and control remote access methods.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"ac_17_2": {"name": "AC-17(2) Protection Of Confidentiality And Integrity Using Encryption","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_2","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ac_17_9": {"name": "AC-17(9) Disconnect Or Disable Access","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": 
null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_9","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"ac_17_b": {"name": "AC-17(b)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_b","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "Authorize each type of remote access to the system prior to allowing such 
connections.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"ac_24_1": {"name": "AC-24(1)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_24_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Control Decisions (AC-24)"}],"description": "Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"ac_3_10": {"name": "AC-3(10) Audited Override Of Access Control Mechanisms","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_10","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Employ an audited override of automated access mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"ac_3_13": {"name": "AC-3(13) Attribute-Based Access Control","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": 
null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_13","Section": "Access Control (AC)","Service": "guarduty","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_4_21": {"name": "AC-4(21) Physical Or Logical Separation Of Infomation Flows","checks": {"ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"apigateway_restapi_waf_acl_attached": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4_21","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Information Flow Enforcement (AC-4)"}],"description": "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of 
information].","checks_status": {"fail": 5,"pass": 5,"total": 18,"manual": 0}},"ac_4_22": {"name": "AC-4(22) Access Only","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4_22","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Information Flow Enforcement (AC-4)"}],"description": "Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"ac_4_26": {"name": "AC-4(26) Audit Filtering Actions","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4_26","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Information Flow Enforcement (AC-4)"}],"description": "When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"ac_4_28": {"name": "AC-4(28) Linear Filter Pipelines","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": 
null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4_28","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Information Flow Enforcement (AC-4)"}],"description": "When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_6_10": {"name": "AC-6(10)","checks": {"iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_6_10","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "Prevent non-privileged users from executing privileged functions.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"au_11_1": {"name": "AU-11(1) Long-Term Retrieval Capability","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_11_1","Section": "Audit and Accountability (AU)","Service": "cloudwatch","SubGroup": null,"SubSection": "Audit Record Retention (AU-11)"}],"description": "Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.","checks_status": {"fail": 
1,"pass": 0,"total": 1,"manual": 0}},"au_12_1": {"name": "AU-12(1) System-Wide And Time-Correlated Audit Trial","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Generation (AU-12)"}],"description": "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_12_2": {"name": "AU-12(2) Standardized Formats","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_2","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit 
Record Generation (AU-12)"}],"description": "Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_12_3": {"name": "AU-12(3) Changes By Authorized Individuals","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Generation (AU-12)"}],"description": "Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"au_12_4": {"name": "AU-12(4) Query Parameter Audits Of Personally Identifiable Information","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": 
"FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_4","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Generation (AU-12)"}],"description": "Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_12_a": {"name": "AU-12(a)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_a","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Generation (AU-12)"}],"description": "Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components].","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_12_c": {"name": "AU-12(c)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": 
"PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_c","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Generation (AU-12)"}],"description": "Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_14_3": {"name": "AU-14(3) Remote Viewing And Listening","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_14_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Session Audit (AU-14)"}],"description": "Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_14_a": {"name": "AU-14(a)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": 
"FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_14_a","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Session Audit (AU-14)"}],"description": "Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances].","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"au_14_b": {"name": "AU-14(b)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": 
"FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_14_b","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Session Audit (AU-14)"}],"description": "Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"cm_12_b": {"name": "CM-12(b)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "cm_12_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Information Location (CM-12)"}],"description": "Identify and document the users who have access to the system and system components where the information is processed and stored.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"cp_10_2": {"name": "CP-10(2) Transaction Recovery","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_10_2","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Recovery And Reconstitution (CP-10)"}],"description": "Implement transaction recovery for systems that are transaction-based.","checks_status": {"fail": 2,"pass": 1,"total": 6,"manual": 0}},"pm_11_b": {"name": "PM-11(b)","checks": {"s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pm_11_b","Section": "Program Management (PM)","Service": "aws","SubGroup": null,"SubSection": "Mission And Business Process Defination 
(PM-11)"}],"description": "Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes.","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"pm_14_b": {"name": "PM-14(b)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pm_14_b","Section": "Program Management (PM)","Service": "aws","SubGroup": null,"SubSection": "Testing, Training, And Monitoring (PM-14)"}],"description": "Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"pm_17_b": {"name": "PM-17(b)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_object_versioning": "FAIL","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"pm_17_b","Section": "Program Management (PM)","Service": "aws","SubGroup": null,"SubSection": "Protecting Controlled Unclassified Information On External Systems (PM-17)"}],"description": "Review and update the policy and procedures [Assignment: organization-defined frequency].","checks_status": {"fail": 5,"pass": 0,"total": 6,"manual": 0}},"pm_21_b": {"name": "PM-21(b)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pm_21_b","Section": "Program Management (PM)","Service": "cloudwatch","SubGroup": null,"SubSection": "Accounting Of Disclosures (PM-21)"}],"description": "Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ra_10_a": {"name": "RA-10(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_10_a","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Threat Hunting (RA-10)"}],"description": "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. 
Detect, track, and disrupt threats that evade existings.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sa_10_1": {"name": "SA-10(1) Software And Firmware Integrity Verification","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa_10_1","Section": "System and Services Acquisition (SA)","Service": "kms","SubGroup": null,"SubSection": "Developer Configuration Management (SA-10)"}],"description": "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc_12_2": {"name": "SC-12(2) Symmetric Keys","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_12_2","Section": "System and Communications Protection (SC)","Service": "kms","SubGroup": null,"SubSection": "Cryptographic Key Establishment And Management (SC-12)"}],"description": "Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"sc_12_6": {"name": "SC-12(6) Physical Control Of Keys","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_12_6","Section": "System and Communications Protection (SC)","Service": "kms","SubGroup": null,"SubSection": "Cryptographic Key Establishment And Management (SC-12)"}],"description": "Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"sc_13_a": {"name": "SC-13(a)","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": 
"FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_13_a","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Cryptographic Protection (SC-13)"}],"description": "Determine the [Assignment: organization-defined cryptographic uses].","checks_status": {"fail": 8,"pass": 3,"total": 18,"manual": 0}},"sc_16_1": {"name": "SC-16(1) Integrity Verification","checks": {"s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_16_1","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Of Security And Privacy Attributes (SC-16)"}],"description": "Verify the integrity of transmitted security and privacy attributes.","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"sc_23_3": {"name": "SC-23(3) Unique System-Generated Session Identifiers","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": 
null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_23_3","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Session Authenticity (SC-23)"}],"description": "Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"sc_23_5": {"name": "SC-23(5) Allowed Certificate Authorities","checks": {"elb_ssl_listeners": "FAIL","elbv2_insecure_ssl_ciphers": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_23_5","Section": "System and Communications Protection (SC)","Service": "elb","SubGroup": null,"SubSection": "Session Authenticity (SC-23)"}],"description": "Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"sc_28_1": {"name": "SC-28(1) Cryptographic Protection","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"sc_28_1","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Protection Of Information At Rest (SC-28)"}],"description": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].","checks_status": {"fail": 5,"pass": 3,"total": 14,"manual": 0}},"sc_28_2": {"name": "SC-28(2) Offline Storage","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_28_2","Section": "System and Communications Protection (SC)","Service": "cloudwatch","SubGroup": null,"SubSection": "Protection Of Information At Rest (SC-28)"}],"description": "Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc_43_b": {"name": "SC-43(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_43_b","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Usage Restrictions (SC-43)"}],"description": "Authorize, monitor, and control the use of such components within the system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_7_11": {"name": "SC-7(11) Restrict Incoming communications Traffic","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": 
null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_11","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"sc_7_12": {"name": "SC-7(12) Host-Based Protection","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_12","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components].","checks_status": {"fail": 3,"pass": 7,"total": 17,"manual": 0}},"sc_7_16": 
{"name": "SC-7(16) Prevent Discovery Of System Components","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_16","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Prevent the discovery of specific system components that represent a managed interface.","checks_status": {"fail": 3,"pass": 7,"total": 17,"manual": 0}},"sc_7_20": {"name": "SC-7(20) Prevent Discovery Of System Components","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_20","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection 
(SC-7)"}],"description": "Prevent the discovery of specific system components that represent a managed interface.","checks_status": {"fail": 1,"pass": 5,"total": 13,"manual": 0}},"sc_7_21": {"name": "SC-7(21) Isolation Of System Components","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_21","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"sc_7_25": {"name": "SC-7(25) Unclassified National Security System Connections","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": 
"FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_25","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].","checks_status": {"fail": 3,"pass": 5,"total": 15,"manual": 0}},"sc_7_26": {"name": "SC-7(26) Classified National Security System Connections","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_26","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device].","checks_status": {"fail": 3,"pass": 5,"total": 15,"manual": 0}},"sc_7_27": {"name": "SC-7(27) Unclassified Non-National Security System Connections","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": 
"PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_27","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].","checks_status": {"fail": 3,"pass": 5,"total": 15,"manual": 0}},"sc_7_28": {"name": "SC-7(28) Connections To Public Networks","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_28","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection 
(SC-7)"}],"description": "Prohibit the direct connection of [Assignment: organization-defined system] to a public network.","checks_status": {"fail": 3,"pass": 5,"total": 15,"manual": 0}},"si_13_5": {"name": "SI-13(5) Failover Capability","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_13_5","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Predictable Failure Prevention (SI-13)"}],"description": "Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.","checks_status": {"fail": 4,"pass": 1,"total": 8,"manual": 0}},"si_19_4": {"name": "SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_19_4","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "De-Identification (SI-19)"}],"description": "Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.","checks_status": {"fail": 4,"pass": 3,"total": 13,"manual": 0}},"si_4_10": {"name": "SI-4(10) Visibility Of Encrypted Communications","checks": {"guardduty_is_enabled": 
"PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_10","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_12": {"name": "SI-4(12) Automated Organization-Generated Alerts","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_12","Section": "System and Information integrity (SI)","Service": "cloudwatch","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts].","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"si_4_14": {"name": "SI-4(14) Wireless Intrusion Detection","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_14","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_17": {"name": "SI-4(17) Integrated Situational Awareness","checks": 
{"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_17","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"si_4_20": {"name": "SI-4(20) Privileged Users","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_20","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"si_4_23": {"name": "SI-4(23) Host-Based Devices","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_23","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": 
null,"SubSection": "System Monitoring (SI-4)"}],"description": "Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_25": {"name": "SI-4(25) Optimize Network Traffic Analysis","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_25","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ac_17_10": {"name": "AC-17(10) Authenticate Remote Commands","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_10","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 
0}},"ac_2_3_a": {"name": "AC-2(3)(a)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3_a","Section": "Access Control (AC)","Service": "iam","SubGroup": "AC-2(3) Disable Accounts","SubSection": "Account Management (AC-2)"}],"description": "Support the management of system accounts using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_2_3_b": {"name": "AC-2(3)(b)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3_b","Section": "Access Control (AC)","Service": "iam","SubGroup": "AC-2(3) Disable Accounts","SubSection": "Account Management (AC-2)"}],"description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (b) Are no longer associated with a user or individual.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_2_3_c": {"name": "AC-2(3)(c)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3_c","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-2(3) Disable Accounts","SubSection": "Account Management (AC-2)"}],"description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (c) Are in violation of organizational policy.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_2_3_d": {"name": "AC-2(3)(d)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3_d","Section": "Access Control 
(AC)","Service": "iam","SubGroup": "AC-2(3) Disable Accounts","SubSection": "Account Management (AC-2)"}],"description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (d) Have been inactive for [Assignment: organization-defined time period].","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_2_d_1": {"name": "AC-2(d)(1)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_d_1","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "d. Specify: 1. Authorized users of the system;personnel termination and transfer processes.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ac_2_i_2": {"name": "AC-2(i)(2)","checks": {"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_¡_2","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "i. Authorize access to the system based on: 2. 
Intended system usage.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ac_3_3_a": {"name": "AC-3(3)(a)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_a","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_3_c": {"name": "AC-3(3)(c)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": 
null,"ItemId": "ac_3_3_c","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4_a": {"name": "AC-3(4)(a)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4_a","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(4) Discretionary Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4_b": {"name": "AC-3(4)(b)","checks": {"iam_root_mfa_enabled": 
null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4_b","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(4) Discretionary Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4_c": {"name": "AC-3(4)(c)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4_c","Section": "Access Control (AC)","Service": 
"aws","SubGroup": "AC-3(4) Discretionary Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4_d": {"name": "AC-3(4)(d)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4_d","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(4) Discretionary Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4_e": {"name": "AC-3(4)(e)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": 
null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4_e","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(4) Discretionary Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (e) Change the rules governing access.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_7_4_a": {"name": "AC-7(4)(a)","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_7_4_a","Section": "Access Control (AC)","Service": "iam","SubGroup": "AC-7(4) Use Of Alternate Authentication Factor","SubSection": "Unsuccessful Logon Attempts (AC-7)"}],"description": "Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"ca_7_4_c": {"name": "CA-7(4)(c)","checks": {"elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": 
"FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_7_4_c","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": "CA-7(4) Risk Monitoring","SubSection": "Continuous Monitoring (CA-7)"}],"description": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (c) Change monitoring.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_2_b_1": {"name": "CM-2(b)(1)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_b_1","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-2(b)","SubSection": "Baseline Configuration (CM-2)"}],"description": "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency].","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_2_b_2": {"name": "CM-2(b)(2)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_b_2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-2(b)","SubSection": "Baseline Configuration (CM-2)"}],"description": "Review and update the baseline configuration of the system: 2. 
When required due to [Assignment: organization-defined circumstances].","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_2_b_3": {"name": "CM-2(b)(3)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_b_3","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-2(b)","SubSection": "Baseline Configuration (CM-2)"}],"description": "Review and update the baseline configuration of the system: 3 When system components are installed or upgraded.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_5_1_a": {"name": "CM-5(1)(a)","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","ec2_instance_profile_attached": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_5_1_a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-5(1) Automated Access Enforcement And Audit Records","SubSection": "Access Restrictions For Change (CM-5)"}],"description": "Enforce access restrictions using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 1,"pass": 2,"total": 15,"manual": 0}},"cm_5_1_b": {"name": "CM-5(1)(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": 
"FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_5_1_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-5(1) Automated Access Enforcement And Audit Records","SubSection": "Access Restrictions For Change (CM-5)"}],"description": "Automatically generate audit records of the enforcement actions.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"cm_8_3_a": {"name": "CM-8(3)(a)","checks": {"guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_3_a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(3) Automated Unauthorized Component Detection","SubSection": "System Component Inventory (CM-8)"}],"description": "Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"cm_8_a_1": {"name": "CM-8(a)(1)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a_1","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(a)","SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 1. 
Accurately reflects the system.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_a_2": {"name": "CM-8(a)(2)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a_2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(a)","SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 2. Includes all components within the system.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_a_3": {"name": "CM-8(a)(3)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a_3","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(a)","SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_a_4": {"name": "CM-8(a)(4)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a_4","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(a)","SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 4. 
Is at the level of granularity deemed necessary for tracking and reporting.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_a_5": {"name": "CM-8(a)(5)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a_5","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(a)","SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability].","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cp_1_a_2": {"name": "CP-1(a)(2)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_1_a_2","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": "CP-1(a)","SubSection": "Policy And Procedures (CP-1)"}],"description": "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cp_2_a_6": {"name": "CP-2(a)(6)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_a_6","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": "CP-2(a)","SubSection": "Contingency Plan (CP-2)"}],"description": "Develop a contingency plan for the system that: 6. 
Addresses the sharing of contingency information.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cp_2_a_7": {"name": "CP-2(a)(7)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_a_7","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": "CP-2(a)","SubSection": "Contingency Plan (CP-2)"}],"description": "Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles].","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ia_2_6_a": {"name": "IA-2(6)(a)","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_6_a","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-2(6) Acces To Accounts — Separate Device","SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_3_3_b": {"name": "IA-3(3)(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": 
[{"Type": null,"ItemId": "ia_3_3_b","Section": "Identification and Authentication (IA)","Service": "aws","SubGroup": "IA-3(3) Dynamic Address Allocation","SubSection": "Device Identification And Authentication (IA-3)"}],"description": "Audit lease information when assigned to a device.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"ia_5_1_c": {"name": "IA-5(1)(c)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ia_5_1_c","Section": "Identification and Authentication (IA)","Service": "aws","SubGroup": "IA-5(1) Password-Based Authentication","SubSection": "Authenticator Management (IA-5)"}],"description": "For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ia_5_1_f": {"name": "IA-5(1)(f)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_1_f","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-5(1) Password-Based Authentication","SubSection": "Authenticator Management (IA-5)"}],"description": "For password-based authentication: (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_1_g": {"name": "IA-5(1)(g)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_1_g","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-5(1) Password-Based Authentication","SubSection": "Authenticator Management (IA-5)"}],"description": "For password-based authentication: (g) Employ automated tools to assist the user in selecting strong password authenticators.","checks_status": 
{"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_1_h": {"name": "IA-5(1)(h)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_1_h","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-5(1) Password-Based Authentication","SubSection": "Authenticator Management (IA-5)"}],"description": "For password-based authentication: (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_8_2_b": {"name": "IA-8(2)(b)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_8_2_b","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-8(2) Acceptance Of External Authenticators","SubSection": "Identification And Authentication (Non-Organizational Users) (IA-8)"}],"description": "Document and maintain a list of accepted external authenticators.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ma_4_1_a": {"name": "MA-4(1)(a)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ma_4_1_a","Section": "Maintenance (MA)","Service": "aws","SubGroup": "MA-4(1) Logging And Review","SubSection": "Nonlocal Maintenance (MA-4)"}],"description": "Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions.","checks_status": {"fail": 
6,"pass": 2,"total": 12,"manual": 0}},"ra_1_a_1": {"name": "RA-1(a)(1)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_1_a_1","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": "RA-1(a)","SubSection": "Policy And Procedures (RA-1)"}],"description": "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_1_a_2": {"name": "RA-1(a)(2)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_1_a_2","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": "RA-1(a)","SubSection": "Policy And Procedures (RA-1)"}],"description": "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existing controls.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_3_a_1": {"name": "RA-3(a)(1)","checks": {"guardduty_is_enabled": "PASS","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ra_3_a_1","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Risk Assessment (RA-3)"}],"description": "a. Conduct a risk assessment, including: 1. 
Identifying threats to and vulnerabilities in the system.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"sc_5_3_a": {"name": "SC-5(3)(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_5_3_a","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": "SC-5(3) Detection And Monitoring","SubSection": "Denial Of Service Protection (SC-5)"}],"description": "Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_5_3_b": {"name": "SC-5(3)(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_5_3_b","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": "SC-5(3) Detection And Monitoring","SubSection": "Denial Of Service Protection (SC-5)"}],"description": "Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_7_4_b": {"name": "SC-7(4)(b)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_4_b","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": "SC-7(4) External Telecommunications Services","SubSection": "Boundary Protection (SC-7)"}],"description": "Establish a traffic flow policy for each managed interface.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"sc_7_4_g": {"name": "SC-7(4)(g)","checks": {"elb_ssl_listeners": 
"FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_4_g","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": "SC-7(4) External Telecommunications Services","SubSection": "Boundary Protection (SC-7)"}],"description": "Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"sc_7_9_a": {"name": "SC-7(9)(a)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_9_a","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": "SC-7(9) Restrict Threatening Outgoing Communications Traffic","SubSection": "Boundary Protection (SC-7)"}],"description": "Detect and deny outgoing communications traffic posing a threat to external systems.","checks_status": {"fail": 1,"pass": 5,"total": 13,"manual": 0}},"sc_7_9_b": {"name": "SC-7(9)(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": 
null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_9_b","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": "SC-7(9) Restrict Threatening Outgoing Communications Traffic","SubSection": "Boundary Protection (SC-7)"}],"description": "Audit the identity of internal users associated with denied communications.","checks_status": {"fail": 5,"pass": 2,"total": 11,"manual": 0}},"si_1_1_c": {"name": "SI-1(1)(c)","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_1_1_c","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Policy And Procedures (SI-1)"}],"description": "Audit the use of the manual override capability.","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"si_1_a_2": {"name": "SI-1(a)(2)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_object_versioning": "FAIL","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_1_a_2","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Policy And Procedures (SI-1)"}],"description": "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. 
Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;.","checks_status": {"fail": 5,"pass": 0,"total": 6,"manual": 0}},"si_3_8_a": {"name": "SI-3(8)(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_3_8_a","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": "SI-3(8) Detect Unauthorized Commands","SubSection": "Malicious Code Protection (SI-3)"}],"description": "Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_3_8_b": {"name": "SI-3(8)(b)","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_3_8_b","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": "SI-3(8) Detect Unauthorized Commands","SubSection": "Malicious Code Protection (SI-3)"}],"description": "[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command].","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"si_3_c_2": {"name": "SI-3(c)(2)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_3_c_2","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Malicious Code Protection 
(SI-3)"}],"description": "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"si_4_4_a": {"name": "SI-4(4)(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_4_a","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": "SI-4(4) Inbound and Outbound Communications Traffic","SubSection": "System Monitoring (SI-4)"}],"description": "Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_4_b": {"name": "SI-4(4)(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_4_b","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": "SI-4(4) Inbound and Outbound Communications Traffic","SubSection": "System Monitoring (SI-4)"}],"description": "Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_a_1": {"name": "SI-4(a)(1)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_a_1","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": "SI-4(a)","SubSection": "System Monitoring (SI-4)"}],"description": "a. Monitor the system to detect: 1. 
Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_a_2": {"name": "SI-4(a)(2)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_a_2","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": "SI-4(a)","SubSection": "System Monitoring (SI-4)"}],"description": "a. Monitor the system to detect: 2. Unauthorized local, network, and remote connections.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ac_17_4_a": {"name": "AC-17(4)(a)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_4_a","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-17(4) Privileged Commands And Access","SubSection": "Remote Access (AC-17)"}],"description": "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];","checks_status": {"fail": 3,"pass": 5,"total": 16,"manual": 0}},"ac_2_12_a": {"name": "AC-2(12)(a)","checks": 
{"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_12_a","Section": "Access Control (AC)","Service": "guarduty","SubGroup": "AC-2(12) Account Monitoring","SubSection": "Account Management (AC-2)"}],"description": "Monitor system accounts for [Assignment: organization-defined atypical usage].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ac_3_12_a": {"name": "AC-3(12)(a)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_12_a","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(12)Assert And Enforce Application Access","SubSection": "Access Enforcement (AC-3)"}],"description": "Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions].","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_12_b": {"name": "AC-3(12)(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_3_12_b","Section": "Access Control (AC)","Service": "guarduty","SubGroup": "AC-3(12) Assert And Enforce Application Access","SubSection": "Access Enforcement (AC-3)"}],"description": "Provide an enforcement mechanism to prevent unauthorized access;","checks_status": {"fail": 
0,"pass": 1,"total": 1,"manual": 0}},"ac_3_15_a": {"name": "AC-3(15)(a)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_15_a","Section": "Access Control (AC)","Service": "guarduty","SubGroup": "AC-3(15) Discretionary And Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_15_b": {"name": "AC-3(15)(b)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_15_b","Section": "Access Control (AC)","Service": "guarduty","SubGroup": "AC-3(15) Discretionary And 
Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ia_5_18_a": {"name": "IA-5(18)(a)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_18_a","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-5(18) Password Managers","SubSection": "Authenticator Management (IA-5)"}],"description": "Employ [Assignment: organization-defined password managers] to generate and manage passwords.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_18_b": {"name": "IA-5(18)(b)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_18_b","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-5(18) Password Managers","SubSection": "Authenticator Management (IA-5)"}],"description": "Protect the passwords using [Assignment: organization-defined controls].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"pm_14_a_1": {"name": "PM-14(a)(1)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": 
null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pm_14_a_1","Section": "Program Management (PM)","Service": "aws","SubGroup": null,"SubSection": "Testing, Training, And Monitoring (PM-14)"}],"description": "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained.","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"ra_10_a_1": {"name": "RA-10(a)(1)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_10_a_1","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": "RA-10(a)","SubSection": "Threat Hunting (RA-10)"}],"description": "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_10_a_2": {"name": "RA-10(a)(2)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_10_a_2","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": "RA-10(a)","SubSection": "Threat Hunting (RA-10)"}],"description": "a. Establish and maintain a cyber threat hunting capability to: 2. 
Detect, track, and disrupt threats that evade existings.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sa_15_a_4": {"name": "SA-15(a)(4)","checks": {"elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa_15_a_4","Section": "System and Services Acquisition (SA)","Service": "aws","SubGroup": null,"SubSection": "Development Process, Standards, And Tools (SA-15)"}],"description": "a. Require the developer of the system, system component, or system service to follow a documented development process that: 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"sc_36_1_a": {"name": "SC-36(1)(a)","checks": {"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_36_1_a","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Distributed Processing And Storage (SC-36)"}],"description": "Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components].","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"sc_7_24_b": {"name": "SC-7(24)(b)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": 
"PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_24_b","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": "SC-7(24) Personally Identifiable Information","SubSection": "Boundary Protection (SC-7)"}],"description": "For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"si_10_1_c": {"name": "SI-10(1)(c)","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_10_1_c","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": "SI-10(1) Manual Override Capability","SubSection": "Information Input Validation (SI-10)"}],"description": "Audit the use of the manual override capability.","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"si_4_13_a": {"name": "SI-4(13)(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_13_a","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": "SI-4(13) Analyze Traffic And Event Patterns","SubSection": "System Monitoring (SI-4)"}],"description": 
"Analyze communications traffic and event patterns for the system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ac_3_3_b_1": {"name": "AC-3(3)(b)(1)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_b_1","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_3_b_2": {"name": "AC-3(3)(b)(2)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": 
null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_b_2","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_3_b_3": {"name": "AC-3(3)(b)(3)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_b_3","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (3) Changing one or more security attributes (specified by the 
policy) on subjects, objects, the system, or system components.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_3_b_4": {"name": "AC-3(3)(b)(4)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_b_4","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_3_b_5": {"name": "AC-3(3)(b)(5)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": 
null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_b_5","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"cp_1_a_1_b": {"name": "CP-1(a)(1)(b)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_1_a_1_b","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": "CP-1(a)","SubSection": "Policy And Procedures (CP-1)"}],"description": "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. 
[Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}}},"requirements_passed": 86,"requirements_failed": 202,"requirements_manual": 0,"total_requirements": 288,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "c7fda251-1b8b-4668-be6e-6929da58d6af","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "rbi_cyber_security_framework_aws","framework": "RBI-Cyber-Security-Framework","version": "","description": "The Reserve Bank had prescribed a set of baseline cyber security controls for primary (Urban) cooperative banks (UCBs) in October 2018. On further examination, it has been decided to prescribe a comprehensive cyber security framework for the UCBs, as a graded approach, based on their digital depth and interconnectedness with the payment systems landscape, digital products offered by them and assessment of cyber security risk. 
The framework would mandate implementation of progressively stronger security measures based on the nature, variety and scale of digital product offerings of banks.","region": "eu-west-1","requirements": {"annex_i_6": {"name": "Annex I (6)","checks": {"ssm_managed_compliant_patching": "FAIL","guardduty_no_high_severity_findings": "FAIL","redshift_cluster_automatic_upgrades": null,"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_6","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "Put in place systems and processes to identify, track, manage and monitor the status of patches to servers, operating system and application software running at the systems used by the UCB officials (end-users). Implement and update antivirus protection for all servers and applicable end points preferably through a centralised system.","checks_status": {"fail": 2,"pass": 1,"total": 6,"manual": 0}},"annex_i_12": {"name": "Annex I (12)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_12","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "Take periodic back up of the important data and store this data ‘off line’ (i.e., transferring important files to a storage device that can be detached from a computer/system after copying all the files).","checks_status": {"fail": 2,"pass": 1,"total": 5,"manual": 0}},"annex_i_1_1": {"name": "Annex I (1.1)","checks": {"ec2_instance_managed_by_ssm": "FAIL","organizations_account_part_of_organizations": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_1_1","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "UCBs should maintain an up-to-date 
business IT Asset Inventory Register containing the following fields, as a minimum: a) Details of the IT Asset (viz., hardware/software/network devices, key personnel, services, etc.), b. Details of systems where customer data are stored, c. Associated business applications, if any, d. Criticality of the IT asset (For example, High/Medium/Low).","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"annex_i_1_3": {"name": "Annex I (1.3)","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","ec2_instance_public_ip": "FAIL","backup_vaults_encrypted": "PASS","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","elbv2_insecure_ssl_ciphers": "PASS","rds_snapshots_public_access": "PASS","ssm_documents_set_as_public": "PASS","s3_bucket_default_encryption": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","vpc_subnet_no_public_ip_by_default": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"sns_topics_kms_encryption_at_rest_enabled": "FAIL","awslambda_function_not_publicly_accessible": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_https_communications_enforced": 
null,"opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_1_3","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "Appropriately manage and provide protection within and outside UCB/network, keeping in mind how the data/information is stored, transmitted, processed, accessed and put to use within/outside the UCB’s network, and level of risk they are exposed to depending on the sensitivity of the data/information.","checks_status": {"fail": 12,"pass": 15,"total": 40,"manual": 0}},"annex_i_5_1": {"name": "Annex I (5.1)","checks": {"elbv2_waf_acl_attached": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_5_1","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "The firewall configurations should be set to the highest security level and evaluation of critical device (such as firewall, network switches, security devices, etc.) 
configurations should be done periodically.","checks_status": {"fail": 4,"pass": 1,"total": 5,"manual": 0}},"annex_i_7_1": {"name": "Annex I (7.1)","checks": {"iam_no_root_access_key": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "annex_i_7_1","Section": null,"Service": "iam","SubGroup": null,"SubSection": null}],"description": "Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a ‘need to know’ and ‘need to do’ basis.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"annex_i_7_2": {"name": "Annex I (7.2)","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "annex_i_7_2","Section": null,"Service": "iam","SubGroup": null,"SubSection": null}],"description": "Passwords should be set as complex and lengthy and users should not use same passwords for all the applications/systems/devices.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"annex_i_7_3": {"name": "Annex I (7.3)","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "annex_i_7_3","Section": null,"Service": "vpc","SubGroup": null,"SubSection": null}],"description": "Remote Desktop Protocol (RDP) which allows others to access the computer remotely over a network or over the internet should be always disabled and should be enabled only with the approval of the authorised officer of the UCB. 
Logs for such remote access shall be enabled and monitored for suspicious activities.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"annex_i_7_4": {"name": "Annex I (7.4)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_audit_logging_enabled": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_7_4","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged/super user/administrative access to critical systems (servers/databases, applications, network devices etc.)","checks_status": {"fail": 7,"pass": 3,"total": 15,"manual": 0}}},"requirements_passed": 3,"requirements_failed": 6,"requirements_manual": 0,"total_requirements": 9,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "c9352bc9-2107-40a5-8dc6-c67817863253","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "fedramp_moderate_revision_4_aws","framework": "FedRamp-Moderate-Revision-4","version": "","description": "The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011. It provides a cost-effective, risk-based approach for the adoption and use of cloud services by the U.S. federal government. 
FedRAMP empowers federal agencies to use modern cloud technologies, with an emphasis on the security and protection of federal information.","region": "eu-west-1","requirements": {"ac-3": {"name": "Access Enforcement (AC-3)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","checks_status": {"fail": 1,"pass": 6,"total": 21,"manual": 0}},"ac-4": {"name": "Information Flow Enforcement (AC-4)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": 
"FAIL","emr_cluster_master_nodes_no_public_ip": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.","checks_status": {"fail": 3,"pass": 7,"total": 16,"manual": 0}},"ac-6": {"name": "Least Privilege (AC-6)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-6","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to 
accomplish assigned tasks in accordance with organizational missions and business functions.","checks_status": {"fail": 1,"pass": 6,"total": 20,"manual": 0}},"au-3": {"name": "Content of Audit Records (AU-3)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au-9": {"name": "Protection of Audit Information (AU-9)","checks": {"cloudtrail_kms_encryption_enabled": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-9","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects audit information and audit tools from unauthorized access, modification, and deletion.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cm-2": {"name": "Baseline Configuration (CM-2)","checks": {"ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": 
null,"ec2_instance_managed_by_ssm": "FAIL","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"ssm_managed_compliant_patching": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.","checks_status": {"fail": 8,"pass": 6,"total": 22,"manual": 0}},"ia-2": {"name": "Identification and Authentication (Organizational users) (IA-2)","checks": {"iam_no_root_access_key": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-2","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": null}],"description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ra-5": {"name": "Vulnerability Scanning (RA-5)","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ra-5","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": 
null,"SubSection": null}],"description": "Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"sc-2": {"name": "Application Partitioning (SC-2)","checks": {"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc-2","Section": "System and Communications Protection (SC)","Service": "iam","SubGroup": null,"SubSection": null}],"description": "The information system separates user functionality (including user interface services) from information system management functionality.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"sc-4": {"name": "Information In Shared Resources (SC-4)","checks": {"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-4","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system prevents unauthorized and unintended information transfer via shared system resources.","checks_status": {"fail": 2,"pass": 5,"total": 14,"manual": 0}},"sc-5": {"name": "Denial Of Service Protection (SC-5)","checks": {"guardduty_is_enabled": 
"PASS","rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-5","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].","checks_status": {"fail": 4,"pass": 1,"total": 6,"manual": 0}},"sc-7": {"name": "Boundary Protection (SC-7)","checks": {"elb_ssl_listeners": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-7","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system: a. 
Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.","checks_status": {"fail": 6,"pass": 6,"total": 21,"manual": 0}},"sc-8": {"name": "Transmission Integrity (SC-8)","checks": {"elb_ssl_listeners": "FAIL","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-8","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects the confidentiality AND integrity of transmitted information.","checks_status": {"fail": 3,"pass": 1,"total": 5,"manual": 0}},"si-7": {"name": "Software, Firmware, and Information Integrity (SI-7)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si-7","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au-11": {"name": "Audit Record Retention (AU-11)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-11","Section": "Audit and Accountability (AU)","Service": 
"aws","SubGroup": null,"SubSection": null}],"description": "The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cp-10": {"name": "Information System Recovery And Reconstitution (CP-10)","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp-10","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.","checks_status": {"fail": 4,"pass": 1,"total": 9,"manual": 0}},"sa-10": {"name": "Developer Configuration Management (SA-10)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa-10","Section": "System and Services Acquisition (SA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. 
Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].","checks_status": {"fail": 2,"pass": 2,"total": 4,"manual": 0}},"sc-12": {"name": "Cryptographic Key Establishment And Management (SC-12)","checks": {"kms_cmk_rotation_enabled": null,"acm_certificates_expiration_check": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc-12","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"sc-13": {"name": "Use of Cryptography (SC-13)","checks": {"s3_bucket_default_encryption": "PASS","sns_topics_kms_encryption_at_rest_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-13","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"sc-23": {"name": "Session Authenticity (SC-23)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-23","Section": 
"System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects the authenticity of communications sessions.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"sc-28": {"name": "Protection of Information at Rest (SC-28)","checks": {"ec2_ebs_volume_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-28","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects the confidentiality AND integrity of [Assignment: organization-defined information at rest].","checks_status": {"fail": 5,"pass": 2,"total": 13,"manual": 0}},"si-12": {"name": "Information Handling and Retention (SI-12)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si-12","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.","checks_status": {"fail": 3,"pass": 1,"total": 
8,"manual": 0}},"ac-2-1": {"name": "AC-2(1) Automated System Account Management","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-2-1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization employs automated mechanisms to support the management of information system accounts.","checks_status": {"fail": 0,"pass": 2,"total": 15,"manual": 0}},"ac-2-3": {"name": "AC-2-3","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-2-3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The information system automatically disables inactive accounts after 90 days for user accounts.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac-2-4": {"name": "AC-2(4) Automated Audit Actions","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": 
"FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-2-4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].","checks_status": {"fail": 3,"pass": 3,"total": 14,"manual": 0}},"ac-2-f": {"name": "AC-2(f)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-2-f","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: f. 
Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions].","checks_status": {"fail": 0,"pass": 0,"total": 13,"manual": 0}},"ac-2-g": {"name": "AC-2(g)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-2-g","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: g. Monitors the use of information system accounts.","checks_status": {"fail": 3,"pass": 4,"total": 12,"manual": 0}},"ac-2-j": {"name": "AC-2(j)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-2-j","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: j. 
Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency].","checks_status": {"fail": 0,"pass": 0,"total": 12,"manual": 0}},"ac-5-c": {"name": "AC-5(c)","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-5-c","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Separation Of Duties (AC-5)"}],"description": "The organization: c. Defines information system access authorizations to support separation of duties.","checks_status": {"fail": 0,"pass": 0,"total": 8,"manual": 0}},"au-7-1": {"name": "AU-7(1) Automatic Processing","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-7-1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Reduction And Report Generation (AU-7)"}],"description": "The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"au-9-2": {"name": "AU-9(2) Audit Backup On Separate Physical Systems / Components","checks": {"s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-9-2","Section": "Audit and 
Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cm-7-a": {"name": "CM-7(a)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-7-a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Least Functionality (CM-7)"}],"description": "The organization: a. Configures the information system to provide only essential capabilities.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm-8-1": {"name": "CM-8(1)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-8-1","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Information System Component Inventory (CM-8)"}],"description": "The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cp-9-b": {"name": "CP-9(b))","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp-9-b","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Information System Backup (CP-9)"}],"description": "The organization: b. 
Conducts backups of system-level information contained in the information system (daily incremental; weekly full).","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"ia-2-1": {"name": "IA-2(1) Network Access To Privileged Accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-2-1","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "The information system implements multi-factor authentication for network access to privileged accounts.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia-5-4": {"name": "IA-5(4) Automated Support For Password Strength Determination","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-5-4","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia-5-7": {"name": "IA-5(7) No Embedded Unencrypted Static Authenticators","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-5-7","Section": "Identification and Authentication (IA)","Service": "codebuild","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ir-4-1": {"name": "IR-4(1) Automated Incident Handling Processes","checks": {"securityhub_enabled": 
"PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir-4-1","Section": "Incident Response (IR)","Service": "aws","SubGroup": null,"SubSection": "Incident Handling (IR-4)"}],"description": "The organization employs automated mechanisms to support the incident handling process.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"ir-6-1": {"name": "IR-6(1) Automated Reporting","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir-6-1","Section": "Incident Response (IR)","Service": "aws","SubGroup": null,"SubSection": "Incident Reporting (IR-6)"}],"description": "The organization employs automated mechanisms to assist in the reporting of security incidents.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"ir-7-1": {"name": "IR-7(1) Automation Support For Availability Of Information / Support","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir-7-1","Section": "Incident Response (IR)","Service": "aws","SubGroup": null,"SubSection": "Incident Response Assistance (IR-7)"}],"description": "The organization employs automated mechanisms to increase the availability of incident response-related information and support.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"sa-3-a": {"name": "SA-3(a)","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa-3-a","Section": "System and Services Acquisition 
(SA)","Service": "aws","SubGroup": null,"SubSection": "System Development Life Cycle (SA-3)"}],"description": "The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc-7-3": {"name": "SC-7(3) Access Points","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-7-3","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "The organization limits the number of external network connections to the information system.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"sc-8-1": {"name": "SC-8(1) Cryptographic Or Alternate Physical Protection","checks": {"elb_ssl_listeners": "FAIL","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-8-1","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Integrity 
(SC-8)"}],"description": "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].","checks_status": {"fail": 3,"pass": 1,"total": 5,"manual": 0}},"si-2-2": {"name": "Automated Flaw Remediation Status (SI-2(2))","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si-2-2","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "The organization employs automated mechanisms at least monthly to determine the state of information system components with regard to flaw remediation.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"si-4-1": {"name": "SI-4(1) System-Wide Intrusion Detection System","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si-4-1","Section": "System and Information Integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si-4-2": {"name": "SI-4(2) Automated Tools For Real-Time Analysis","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": 
null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si-4-2","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization employs automated tools to support near real-time analysis of events.","checks_status": {"fail": 0,"pass": 4,"total": 12,"manual": 0}},"si-4-4": {"name": "SI-4(4) Inbound and Outbound Communications Traffic","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si-4-4","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.","checks_status": {"fail": 0,"pass": 4,"total": 12,"manual": 0}},"si-4-5": {"name": "SI-4(5) System-Generated Alerts","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": 
null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si-4-5","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The information system alerts organization-defined personnel or roles when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].","checks_status": {"fail": 0,"pass": 4,"total": 12,"manual": 0}},"si-7-1": {"name": "SI-7(1) Integrity Checks","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si-7-1","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "The information system performs an integrity check of security relevant events at least monthly.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ac-17-1": {"name": "AC-17(1) Automated Monitoring/Control","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": 
"PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-17-1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "The information system monitors and controls remote access methods.","checks_status": {"fail": 3,"pass": 8,"total": 19,"manual": 0}},"ac-17-2": {"name": "AC-17(2) Protection Of Confidentiality/Integrity Using Encryption","checks": {"elb_ssl_listeners": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-17-2","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.","checks_status": {"fail": 2,"pass": 1,"total": 3,"manual": 0}},"ac-21-b": {"name": "AC-21(b)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-21-b","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Information Sharing (AC-21)"}],"description": "The organization: b. 
Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.","checks_status": {"fail": 3,"pass": 4,"total": 15,"manual": 0}},"ac-6-10": {"name": "AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions","checks": {"iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-6-10","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"si-4-16": {"name": "SI-4(16) Correlate Monitoring Information","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si-4-16","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization correlates information from monitoring tools employed throughout the information system.","checks_status": {"fail": 0,"pass": 3,"total": 7,"manual": 0}},"au-2-a-d": {"name": "AU-2(a)(d)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": 
"FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-2-a-d","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Events (AU-2)"}],"description": "The organization: a. Determines that the information system is capable of auditing the following events: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. d. Determines that the following events are to be audited within the information system: [organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event].","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au-6-1-3": {"name": "AU-6(1)(3)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": 
"FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-6-1-3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Review, Analysis And Reporting (AU-6)"}],"description": "(1) The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (3) The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.","checks_status": {"fail": 7,"pass": 4,"total": 19,"manual": 0}},"ca-7-a-b": {"name": "CA-7(a)(b)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca-7-a-b","Section": "Security Assessment And Authorization (CA)","Service": "aws","SubGroup": null,"SubSection": "Continuous Monitoring (CA-7)"}],"description": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. 
Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring.","checks_status": {"fail": 1,"pass": 4,"total": 13,"manual": 0}},"cm-8-3-a": {"name": "CM-8(3)(a)","checks": {"guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-8-3-a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Information System Component Inventory (CM-8)"}],"description": "The organization: a. Employs automated mechanisms continuously, using automated mechanisms with a maximum five-minute delay in detection, to detect the presence of unauthorized hardware, software, and firmware components within the information system","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"ia-2-1-2": {"name": "IA-2(1)(2)","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-2-1-2","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "IA-2(1) Network Access To Privileged Accounts"}],"description": "(1) The information system implements multifactor authentication for network access to privileged accounts. (2) The information system implements multifactor authentication for network access to non- privileged accounts.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ac-2-12-a": {"name": "AC-2(12)(a)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-2-12-a","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: a. 
Monitors information system accounts for [Assignment: organization-defined atypical use].","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"au-12-a-c": {"name": "AU-12(a)(c)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-12-a-c","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Generation (AU-12)"}],"description": "The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at all information system and network components where audit capability is deployed/available c. Generates audit records for the events defined in AU-2 d. 
with the content defined in AU-3.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"si-4-a-b-c": {"name": "SI-4(a)(b)(c)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_waf_acl_attached": "FAIL","ec2_instance_imdsv2_enabled": "PASS","apigateway_restapi_waf_acl_attached": "FAIL","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si-4-a-b-c","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods]; c. Deploys monitoring devices: i. strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization.","checks_status": {"fail": 4,"pass": 3,"total": 11,"manual": 0}},"ia-5-1-a-d-e": {"name": "IA-5(1)(a)(d)(e)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-5-1-a-d-e","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "IA-5(1) Password-Based Authentication"}],"description": "The information system, for password-based authentication: a. 
Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; d. Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; e. Prohibits password reuse for 24 generations","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 20,"requirements_failed": 43,"requirements_manual": 1,"total_requirements": 64,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "d7024b7f-64c1-4d70-8f9d-7844c9194c42","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "gdpr_aws","framework": "GDPR","version": "","description": "The General Data Protection Regulation (GDPR) is a new European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC. It's intended to harmonize data protection laws throughout the European Union (EU). 
It does this by applying a single data protection law that's binding throughout each EU member state.","region": "eu-west-1","requirements": {"article_25": {"name": "Article 25 Data protection by design and by default","checks": {"iam_root_mfa_enabled": null,"vpc_flow_logs_enabled": "FAIL","iam_no_root_access_key": null,"iam_support_role_created": null,"kms_cmk_rotation_enabled": null,"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","config_recorder_all_regions_enabled": null,"iam_user_mfa_enabled_console_access": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","iam_password_policy_minimum_length_14": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_log_metric_filter_policy_changes": null,"iam_inline_policy_no_administrative_privileges": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL","cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","cloudwatch_log_metric_filter_authentication_failures": null,"iam_aws_attached_policy_no_administrative_privileges": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"iam_customer_attached_policy_no_administrative_privileges": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": 
null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "article_25","Section": "Article 25 Data protection by design and by default","Service": "aws","SubGroup": null,"SubSection": null}],"description": "To obtain the latest version of the official guide, please visit https://gdpr-info.eu/art-25-gdpr/. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 
An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.","checks_status": {"fail": 5,"pass": 2,"total": 42,"manual": 0}},"article_30": {"name": "Article 30 Records of processing activities","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","kms_cmk_rotation_enabled": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "article_30","Section": "Article 30 Records of processing activities","Service": "aws","SubGroup": null,"SubSection": null}],"description": " To obtain the latest version of the official guide, please visit https://www.privacy-regulation.eu/en/article-30-records-of-processing-activities-GDPR.htm. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information like the name and contact details of the controller and where applicable, the joint controller, the controller's representative and the data protection officer, the purposes of the processing etc. 
Each processor and where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable of the controller's or the processor's representative, and the data protection officer, where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request. 
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.","checks_status": {"fail": 5,"pass": 1,"total": 12,"manual": 0}},"article_32": {"name": "Article 32 Security of processing","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","rds_instance_backup_enabled": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"acm_certificates_expiration_check": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","redshift_cluster_automated_snapshot": null,"cloudfront_distributions_https_enabled": null,"cloudtrail_log_file_validation_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "article_32","Section": "Article 32 Security of processing","Service": "aws","SubGroup": null,"SubSection": null}],"description": " To obtain the latest version of the official guide, please visit https://gdpr-info.eu/art-32-gdpr/. 
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.","checks_status": {"fail": 9,"pass": 4,"total": 25,"manual": 0}}},"requirements_passed": 0,"requirements_failed": 3,"requirements_manual": 0,"total_requirements": 3,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "df010cc1-e468-42d1-8b7c-37d614adf364","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_well_architected_framework_security_pillar_aws","framework": "AWS-Well-Architected-Framework-Security-Pillar","version": "","description": "Best Practices for AWS Well-Architected Framework Security Pillar. 
The focus of this framework is the security pillar of the AWS Well-Architected Framework. It provides guidance to help you apply best practices, current recommendations in the design, delivery, and maintenance of secure AWS workloads.","region": "eu-west-1","requirements": {"SEC01-BP01": {"name": "SEC01-BP01","checks": {"organizations_account_part_of_organizations": null},"status": "PASS","attributes": [{"Name": "SEC01-BP01 Separate workloads using accounts","Section": "Security foundations","SubSection": "AWS account management and separation","Description": "Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_multi_accounts.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_multi_accounts","WellArchitectedQuestionId": "securely-operate"}],"description": "Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. 
Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"SEC01-BP02": {"name": "SEC01-BP02","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Name": "SEC01-BP02 Secure account root user and properties","Section": "Security foundations","SubSection": "AWS account management and separation","Description": "The root user is the most privileged user in an AWS account, with full administrative access to all resources within the account, and in some cases cannot be constrained by security policies. Deactivating programmatic access to the root user, establishing appropriate controls for the root user, and avoiding routine use of the root user helps reduce the risk of inadvertent exposure of the root credentials and subsequent compromise of the cloud environment.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_aws_account.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_aws_account","WellArchitectedQuestionId": "securely-operate"}],"description": "The root user is the most privileged user in an AWS account, with full administrative access to all resources within the account, and in some cases cannot be constrained by security policies. 
Deactivating programmatic access to the root user, establishing appropriate controls for the root user, and avoiding routine use of the root user helps reduce the risk of inadvertent exposure of the root credentials and subsequent compromise of the cloud environment.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"SEC01-BP03": {"name": "SEC01-BP03","checks": {},"status": "PASS","attributes": [{"Name": "SEC01-BP03 Identify and validate control objectives","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "Based on your compliance requirements and risks identified from your threat model, derive and validate the control objectives and controls that you need to apply to your workload. Ongoing validation of control objectives and controls help you measure the effectiveness of risk mitigation.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_control_objectives.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_control_objectives","WellArchitectedQuestionId": "securely-operate"}],"description": "Based on your compliance requirements and risks identified from your threat model, derive and validate the control objectives and controls that you need to apply to your workload. Ongoing validation of control objectives and controls help you measure the effectiveness of risk mitigation.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC01-BP04": {"name": "SEC01-BP04","checks": {},"status": "PASS","attributes": [{"Name": "SEC01-BP04 Keep up-to-date with security threats","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "To help you define and implement appropriate controls, recognize attack vectors by staying up to date with the latest security threats. 
Consume AWS Managed Services to make it easier to receive notification of unexpected or unusual behavior in your AWS accounts. Investigate using AWS Partner tools or third-party threat information feeds as part of your security information flow. The Common Vulnerabilities and Exposures (CVE) Listlist contains publicly disclosed cyber security vulnerabilities that you can use to stay up to date.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_updated_threats.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_updated_threats","WellArchitectedQuestionId": "securely-operate"}],"description": "To help you define and implement appropriate controls, recognize attack vectors by staying up to date with the latest security threats. Consume AWS Managed Services to make it easier to receive notification of unexpected or unusual behavior in your AWS accounts. Investigate using AWS Partner tools or third-party threat information feeds as part of your security information flow. The Common Vulnerabilities and Exposures (CVE) Listlist contains publicly disclosed cyber security vulnerabilities that you can use to stay up to date.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC01-BP05": {"name": "SEC01-BP05","checks": {},"status": "PASS","attributes": [{"Name": "SEC01-BP05 Keep up-to-date with security recommendations","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "Stay up-to-date with both AWS and industry security recommendations to evolve the security posture of your workload. 
AWS Security Bulletins contain important information about security and privacy notifications.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_updated_recommendations.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_updated_recommendations","WellArchitectedQuestionId": "securely-operate"}],"description": "Stay up-to-date with both AWS and industry security recommendations to evolve the security posture of your workload. AWS Security Bulletins contain important information about security and privacy notifications.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC01-BP06": {"name": "SEC01-BP06","checks": {"ec2_instance_managed_by_ssm": "FAIL","ecr_repositories_scan_images_on_push_enabled": "FAIL","ecr_repositories_scan_vulnerabilities_in_latest_image": null},"status": "FAIL","attributes": [{"Name": "SEC01-BP06 Automate testing and validation of security controls in pipelines","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "Establish secure baselines and templates for security mechanisms that are tested and validated as part of your build, pipelines, and processes. Use tools and automation to test and validate all security controls continuously. For example, scan items such as machine images and infrastructure-as-code templates for security vulnerabilities, irregularities, and drift from an established baseline at each stage. AWS CloudFormation Guard can help you verify that CloudFormation templates are safe, save you time, and reduce the risk of configuration error.Reducing the number of security misconfigurations introduced into a production environment is critical—the more quality control and reduction of defects you can perform in the build process, the better. 
Design continuous integration and continuous deployment (CI/CD) pipelines to test for security issues whenever possible. CI/CD pipelines offer the opportunity to enhance security at each stage of build and delivery. CI/CD security tooling must also be kept updated to mitigate evolving threats.Track changes to your workload configuration to help with compliance auditing, change management, and investigations that may apply to you. You can use AWS Config to record and evaluate your AWS and third-party resources. It allows you to continuously audit and assess the overall compliance with rules and conformance packs, which are collections of rules with remediation actions.Change tracking should include planned changes, which are part of your organization's change control process (sometimes referred to as MACD—Move, Add, Change, Delete), unplanned changes, and unexpected changes, such as incidents. Changes might occur on the infrastructure, but they might also be related to other categories, such as changes in code repositories, machine images and application inventory changes, process and policy changes, or documentation changes.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_test_validate_pipeline.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_test_validate_pipeline","WellArchitectedQuestionId": "securely-operate"}],"description": "Establish secure baselines and templates for security mechanisms that are tested and validated as part of your build, pipelines, and processes. Use tools and automation to test and validate all security controls continuously. For example, scan items such as machine images and infrastructure-as-code templates for security vulnerabilities, irregularities, and drift from an established baseline at each stage. 
AWS CloudFormation Guard can help you verify that CloudFormation templates are safe, save you time, and reduce the risk of configuration error.Reducing the number of security misconfigurations introduced into a production environment is critical—the more quality control and reduction of defects you can perform in the build process, the better. Design continuous integration and continuous deployment (CI/CD) pipelines to test for security issues whenever possible. CI/CD pipelines offer the opportunity to enhance security at each stage of build and delivery. CI/CD security tooling must also be kept updated to mitigate evolving threats.Track changes to your workload configuration to help with compliance auditing, change management, and investigations that may apply to you. You can use AWS Config to record and evaluate your AWS and third-party resources. It allows you to continuously audit and assess the overall compliance with rules and conformance packs, which are collections of rules with remediation actions.Change tracking should include planned changes, which are part of your organization's change control process (sometimes referred to as MACD—Move, Add, Change, Delete), unplanned changes, and unexpected changes, such as incidents. 
Changes might occur on the infrastructure, but they might also be related to other categories, such as changes in code repositories, machine images and application inventory changes, process and policy changes, or documentation changes.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"SEC01-BP07": {"name": "SEC01-BP07","checks": {"wellarchitected_workload_no_high_or_medium_risks": "FAIL"},"status": "FAIL","attributes": [{"Name": "SEC01-BP07 Identify threats and prioritize mitigations using a threat model","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "Perform threat modeling to identify and maintain an up-to-date register of potential threats and associated mitigations for your workload. Prioritize your threats and adapt your security control mitigations to prevent, detect, and respond. Revisit and maintain this in the context of your workload, and the evolving security landscape.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_threat_model.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_threat_model","WellArchitectedQuestionId": "securely-operate"}],"description": "Perform threat modeling to identify and maintain an up-to-date register of potential threats and associated mitigations for your workload. Prioritize your threats and adapt your security control mitigations to prevent, detect, and respond. 
Revisit and maintain this in the context of your workload, and the evolving security landscape.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"SEC01-BP08": {"name": "SEC01-BP08","checks": {},"status": "PASS","attributes": [{"Name": "SEC01-BP08 Evaluate and implement new security services and features regularly","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "Evaluate and implement security services and features from AWS and AWS Partners that allow you to evolve the security posture of your workload. The AWS Security Blog highlights new AWS services and features, implementation guides, and general security guidance. What's New with AWS? is a great way to stay up to date with all new AWS features, services, and announcements.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_implement_services_features.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_implement_services_features","WellArchitectedQuestionId": "securely-operate"}],"description": "Evaluate and implement security services and features from AWS and AWS Partners that allow you to evolve the security posture of your workload. The AWS Security Blog highlights new AWS services and features, implementation guides, and general security guidance. What's New with AWS? 
is a great way to stay up to date with all new AWS features, services, and announcements.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC02-BP01": {"name": "SEC02-BP01","checks": {"iam_avoid_root_usage": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_user_hardware_mfa_enabled": null,"iam_user_two_active_access_key": null,"iam_user_mfa_enabled_console_access": null,"iam_user_no_setup_initial_access_key": null,"iam_password_policy_minimum_length_14": null,"directoryservice_supported_mfa_radius_enabled": null,"directoryservice_radius_server_security_protocol": null,"sagemaker_notebook_instance_root_access_disabled": null,"opensearch_service_domains_use_cognito_authentication_for_kibana": null},"status": "PASS","attributes": [{"Name": "SEC02-BP01 Use strong sign-in mechanisms","Section": "Identity and access management","SubSection": "Identity management","Description": "Sign-ins (authentication using sign-in credentials) can present risks when not using mechanisms like multi-factor authentication (MFA), especially in situations where sign-in credentials have been inadvertently disclosed or are easily guessed. Use strong sign-in mechanisms to reduce these risks by requiring MFA and strong password policies.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_enforce_mechanisms.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_enforce_mechanisms","WellArchitectedQuestionId": "identities"}],"description": "Sign-ins (authentication using sign-in credentials) can present risks when not using mechanisms like multi-factor authentication (MFA), especially in situations where sign-in credentials have been inadvertently disclosed or are easily guessed. 
Use strong sign-in mechanisms to reduce these risks by requiring MFA and strong password policies.","checks_status": {"fail": 0,"pass": 0,"total": 15,"manual": 0}},"SEC02-BP02": {"name": "SEC02-BP02","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Name": "SEC02-BP02 Use temporary credentials","Section": "Identity and access management","SubSection": "Identity management","Description": "When doing any type of authentication, it’s best to use temporary credentials instead of long-term credentials to reduce or eliminate risks, such as credentials being inadvertently disclosed, shared, or stolen.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_unique.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_unique","WellArchitectedQuestionId": "identities"}],"description": "When doing any type of authentication, it’s best to use temporary credentials instead of long-term credentials to reduce or eliminate risks, such as credentials being inadvertently disclosed, shared, or stolen.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"SEC02-BP03": {"name": "SEC02-BP03","checks": {"ssm_document_secrets": "PASS","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","awslambda_function_no_secrets_in_code": "PASS","cloudformation_stack_outputs_find_secrets": "PASS","awslambda_function_no_secrets_in_variables": "PASS","ecs_task_definitions_no_environment_secrets": "PASS","autoscaling_find_secrets_ec2_launch_configuration": "PASS"},"status": "PASS","attributes": [{"Name": "SEC02-BP03 Store and use secrets securely","Section": "Identity and access management","SubSection": "Identity management","Description": "A workload requires an automated capability to prove its identity to databases, resources, and third-party services. 
This is accomplished using secret access credentials, such as API access keys, passwords, and OAuth tokens. Using a purpose-built service to store, manage, and rotate these credentials helps reduce the likelihood that those credentials become compromised.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_secrets.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_secrets","WellArchitectedQuestionId": "identities"}],"description": "A workload requires an automated capability to prove its identity to databases, resources, and third-party services. This is accomplished using secret access credentials, such as API access keys, passwords, and OAuth tokens. Using a purpose-built service to store, manage, and rotate these credentials helps reduce the likelihood that those credentials become compromised.","checks_status": {"fail": 0,"pass": 8,"total": 8,"manual": 0}},"SEC02-BP04": {"name": "SEC02-BP04","checks": {"iam_role_cross_service_confused_deputy_prevention": null},"status": "PASS","attributes": [{"Name": "SEC02-BP04 Rely on a centralized identity provider","Section": "Identity and access management","SubSection": "Identity management","Description": "For workforce identities, rely on an identity provider that enables you to manage identities in a centralized place. This makes it easier to manage access across multiple applications and services, because you are creating, managing, and revoking access from a single location. For example, if someone leaves your organization, you can revoke access for all applications and services (including AWS) from one location. This reduces the need for multiple credentials and provides an opportunity to integrate with existing human resources (HR) processes. 
For federation with individual AWS accounts, you can use centralized identities for AWS with a SAML 2.0-based provider with AWS Identity and Access Management. You can use any provider— whether hosted by you in AWS, external to AWS, or supplied by the AWS Partner—that is compatible with the SAML 2.0 protocol. You can use federation between your AWS account and your chosen provider to grant a user or application access to call AWS API operations by using a SAML assertion to get temporary security credentials. Web-based single sign-on is also supported, allowing users to sign in to the AWS Management Console from your sign in website. For federation to multiple accounts in your AWS Organizations, you can configure your identity source in AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center), and specify where your users and groups are stored. Once configured, your identity provider is your source of truth, and information can be synchronized using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. You can then look up users or groups and grant them IAM Identity Center access to AWS accounts, cloud applications, or both. IAM Identity Center integrates with AWS Organizations, which enables you to configure your identity provider once and then grant access to existing and new accounts managed in your organization. IAM Identity Center provides you with a default store, which you can use to manage your users and groups. If you choose to use the IAM Identity Center store, create your users and groups and assign their level of access to your AWS accounts and applications, keeping in mind the best practice of least privilege. Alternatively, you can choose to Connect to Your External Identity Provider using SAML 2.0, or Connect to Your Microsoft AD Directory using AWS Directory Service. Once configured, you can sign into the AWS Management Console, or the AWS mobile app, by authenticating through your central identity provider. 
For managing end-users or consumers of your workloads, such as a mobile app, you can use Amazon Cognito. It provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with sign-in credentials, or through a third party, such as Amazon, Apple, Facebook, or Google.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_identity_provider.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_identity_provider","WellArchitectedQuestionId": "identities"}],"description": "For workforce identities, rely on an identity provider that enables you to manage identities in a centralized place. This makes it easier to manage access across multiple applications and services, because you are creating, managing, and revoking access from a single location. For example, if someone leaves your organization, you can revoke access for all applications and services (including AWS) from one location. This reduces the need for multiple credentials and provides an opportunity to integrate with existing human resources (HR) processes. For federation with individual AWS accounts, you can use centralized identities for AWS with a SAML 2.0-based provider with AWS Identity and Access Management. You can use any provider— whether hosted by you in AWS, external to AWS, or supplied by the AWS Partner—that is compatible with the SAML 2.0 protocol. You can use federation between your AWS account and your chosen provider to grant a user or application access to call AWS API operations by using a SAML assertion to get temporary security credentials. Web-based single sign-on is also supported, allowing users to sign in to the AWS Management Console from your sign in website. 
For federation to multiple accounts in your AWS Organizations, you can configure your identity source in AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center), and specify where your users and groups are stored. Once configured, your identity provider is your source of truth, and information can be synchronized using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. You can then look up users or groups and grant them IAM Identity Center access to AWS accounts, cloud applications, or both. IAM Identity Center integrates with AWS Organizations, which enables you to configure your identity provider once and then grant access to existing and new accounts managed in your organization. IAM Identity Center provides you with a default store, which you can use to manage your users and groups. If you choose to use the IAM Identity Center store, create your users and groups and assign their level of access to your AWS accounts and applications, keeping in mind the best practice of least privilege. Alternatively, you can choose to Connect to Your External Identity Provider using SAML 2.0, or Connect to Your Microsoft AD Directory using AWS Directory Service. Once configured, you can sign into the AWS Management Console, or the AWS mobile app, by authenticating through your central identity provider. For managing end-users or consumers of your workloads, such as a mobile app, you can use Amazon Cognito. It provides authentication, authorization, and user management for your web and mobile apps. 
Your users can sign in directly with sign-in credentials, or through a third party, such as Amazon, Apple, Facebook, or Google.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"SEC02-BP05": {"name": "SEC02-BP05","checks": {"kms_cmk_rotation_enabled": null,"iam_rotate_access_key_90_days": null,"secretsmanager_automatic_rotation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Name": "SEC02-BP05 Audit and rotate credentials periodically","Section": "Identity and access management","SubSection": "Identity management","Description": "When you cannot rely on temporary credentials and require long-term credentials, audit credentials to ensure that the defined controls for example, multi-factor authentication (MFA), are enforced, rotated regularly, and have the appropriate access level. Periodic validation, preferably through an automated tool, is necessary to verify that the correct controls are enforced. For human identities, you should require users to change their passwords periodically and retire access keys in favor of temporary credentials. As you are moving from users to centralized identities, you can generate a credential report to audit your users. We also recommend that you enforce MFA settings in your identity provider. You can set up AWS Config Rules to monitor these settings. For machine identities, you should rely on temporary credentials using IAM roles. 
For situations where this is not possible, frequent auditing and rotating access keys is necessary.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_audit.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_audit","WellArchitectedQuestionId": "identities"}],"description": "When you cannot rely on temporary credentials and require long-term credentials, audit credentials to ensure that the defined controls for example, multi-factor authentication (MFA), are enforced, rotated regularly, and have the appropriate access level. Periodic validation, preferably through an automated tool, is necessary to verify that the correct controls are enforced. For human identities, you should require users to change their passwords periodically and retire access keys in favor of temporary credentials. As you are moving from users to centralized identities, you can generate a credential report to audit your users. We also recommend that you enforce MFA settings in your identity provider. You can set up AWS Config Rules to monitor these settings. For machine identities, you should rely on temporary credentials using IAM roles. For situations where this is not possible, frequent auditing and rotating access keys is necessary.","checks_status": {"fail": 1,"pass": 0,"total": 3,"manual": 0}},"SEC02-BP06": {"name": "SEC02-BP06","checks": {"iam_policy_allows_privilege_escalation": null,"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Name": "SEC02-BP06 Leverage user groups and attributes","Section": "Identity and access management","SubSection": "Identity management","Description": "As the number of users you manage grows, you will need to determine ways to organize them so that you can manage them at scale. 
Place users with common security requirements in groups defined by your identity provider, and put mechanisms in place to ensure that user attributes that may be used for access control (for example, department or location) are correct and updated. Use these groups and attributes to control access, rather than individual users. This allows you to manage access centrally by changing a user's group membership or attributes once with a permission set, rather than updating many individual policies when a user's access needs change. You can use AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center) to manage user groups and attributes. IAM Identity Center supports most commonly used attributes whether they are entered manually during user creation or automatically provisioned using a synchronization engine, such as defined in the System for Cross-Domain Identity Management (SCIM) specification.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_groups_attributes.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_groups_attributes","WellArchitectedQuestionId": "identities"}],"description": "As the number of users you manage grows, you will need to determine ways to organize them so that you can manage them at scale. Place users with common security requirements in groups defined by your identity provider, and put mechanisms in place to ensure that user attributes that may be used for access control (for example, department or location) are correct and updated. Use these groups and attributes to control access, rather than individual users. This allows you to manage access centrally by changing a user's group membership or attributes once with a permission set, rather than updating many individual policies when a user's access needs change. 
You can use AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center) to manage user groups and attributes. IAM Identity Center supports most commonly used attributes whether they are entered manually during user creation or automatically provisioned using a synchronization engine, such as defined in the System for Cross-Domain Identity Management (SCIM) specification.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"SEC03-BP01": {"name": "SEC03-BP01","checks": {"ec2_instance_imdsv2_enabled": "PASS","ec2_instance_profile_attached": "PASS","cloudwatch_cross_account_sharing_disabled": null},"status": "PASS","attributes": [{"Name": "SEC03-BP01 Define access requirements","Section": "Identity and access management","SubSection": "Permissions management","Description": "Each component or resource of your workload needs to be accessed by administrators, end users, or other components. Have a clear definition of who or what should have access to each component, choose the appropriate identity type and method of authentication and authorization.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_define.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_define","WellArchitectedQuestionId": "permissions"}],"description": "Each component or resource of your workload needs to be accessed by administrators, end users, or other components. 
Have a clear definition of who or what should have access to each component, choose the appropriate identity type and method of authentication and authorization.","checks_status": {"fail": 0,"pass": 2,"total": 3,"manual": 0}},"SEC03-BP02": {"name": "SEC03-BP02","checks": {"ec2_instance_profile_attached": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_internal_user_database_enabled": null,"iam_customer_unattached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Name": "SEC03-BP02 Grant least privilege access","Section": "Identity and access management","SubSection": "Permissions management","Description": "Grant only the access that identities require by allowing access to specific actions on specific AWS resources under specific conditions. Rely on groups and identity attributes to dynamically set permissions at scale, rather than defining permissions for individual users. For example, you can allow a group of developers access to manage only resources for their project. This way, when a developer is removed from the group, access for the developer is revoked everywhere that group was used for access control, without requiring any changes to the access policies.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_least_privileges.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_least_privileges","WellArchitectedQuestionId": "permissions"}],"description": "Grant only the access that identities require by allowing access to specific actions on specific AWS resources under specific conditions. Rely on groups and identity attributes to dynamically set permissions at scale, rather than defining permissions for individual users. 
For example, you can allow a group of developers access to manage only resources for their project. This way, when a developer is removed from the group, access for the developer is revoked everywhere that group was used for access control, without requiring any changes to the access policies.","checks_status": {"fail": 0,"pass": 1,"total": 6,"manual": 0}},"SEC03-BP03": {"name": "SEC03-BP03","checks": {"account_maintain_current_contact_details": null,"account_security_contact_information_is_registered": null,"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Name": "SEC03-BP03 Establish emergency access process","Section": "Identity and access management","SubSection": "Permissions management","Description": "A process that allows emergency access to your workload in the unlikely event of an automated process or pipeline issue. This will help you rely on least privilege access, but ensure users can obtain the right level of access when they require it. For example, establish a process for administrators to verify and approve their request, such as an emergency AWS cross-account role for access, or a specific process for administrators to follow to validate and approve an emergency request.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_emergency_process.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_emergency_process","WellArchitectedQuestionId": "permissions"}],"description": "A process that allows emergency access to your workload in the unlikely event of an automated process or pipeline issue. This will help you rely on least privilege access, but ensure users can obtain the right level of access when they require it. 
For example, establish a process for administrators to verify and approve their request, such as an emergency AWS cross-account role for access, or a specific process for administrators to follow to validate and approve an emergency request.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"SEC03-BP04": {"name": "SEC03-BP04","checks": {"iam_customer_attached_policy_no_administrative_privileges": null,"iam_customer_unattached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Name": "SEC03-BP04 Reduce permissions continuously","Section": "Identity and access management","SubSection": "Permissions management","Description": "As your teams determine what access is required, remove unneeded permissions and establish review processes to achieve least privilege permissions. Continually monitor and remove unused identities and permissions for both human and machine access.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_continuous_reduction.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_continuous_reduction","WellArchitectedQuestionId": "permissions"}],"description": "As your teams determine what access is required, remove unneeded permissions and establish review processes to achieve least privilege permissions. Continually monitor and remove unused identities and permissions for both human and machine access.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"SEC03-BP05": {"name": "SEC03-BP05","checks": {"organizations_account_part_of_organizations": null},"status": "PASS","attributes": [{"Name": "SEC03-BP05 Define permission guardrails for your organization","Section": "Identity and access management","SubSection": "Permissions management","Description": "Establish common controls that restrict access to all identities in your organization. 
For example, you can restrict access to specific AWS Regions, or prevent your operators from deleting common resources, such as an IAM role used for your central security team.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_define_guardrails.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_define_guardrails","WellArchitectedQuestionId": "permissions"}],"description": "Establish common controls that restrict access to all identities in your organization. For example, you can restrict access to specific AWS Regions, or prevent your operators from deleting common resources, such as an IAM role used for your central security team.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"SEC03-BP06": {"name": "SEC03-BP06","checks": {"ec2_elastic_ip_unassigned": "FAIL","elbv2_listeners_underneath": "PASS","codebuild_project_older_90_days": "FAIL","appstream_fleet_maximum_session_duration": null,"ecr_repositories_lifecycle_policy_enabled": "FAIL","appstream_fleet_session_disconnect_timeout": null,"appstream_fleet_session_idle_disconnect_timeout": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "FAIL","attributes": [{"Name": "SEC03-BP06 Manage access based on lifecycle","Section": "Identity and access management","SubSection": "Permissions management","Description": "Integrate access controls with operator and application lifecycle and your centralized federation provider. For example, remove a user's access when they leave the organization or change roles. As you manage workloads using separate accounts, there will be cases where you need to share resources between those accounts. We recommend that you share resources using AWS Resource Access Manager (AWS RAM). 
This service enables you to easily and securely share AWS resources within your AWS Organizations and Organizational Units. Using AWS RAM, access to shared resources is automatically granted or revoked as accounts are moved in and out of the Organization or Organization Unit with which they are shared. This helps ensure that resources are only shared with the accounts that you intend.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_lifecycle.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_lifecycle","WellArchitectedQuestionId": "permissions"}],"description": "Integrate access controls with operator and application lifecycle and your centralized federation provider. For example, remove a user's access when they leave the organization or change roles. As you manage workloads using separate accounts, there will be cases where you need to share resources between those accounts. We recommend that you share resources using AWS Resource Access Manager (AWS RAM). This service enables you to easily and securely share AWS resources within your AWS Organizations and Organizational Units. Using AWS RAM, access to shared resources is automatically granted or revoked as accounts are moved in and out of the Organization or Organization Unit with which they are shared. 
This helps ensure that resources are only shared with the accounts that you intend.","checks_status": {"fail": 4,"pass": 1,"total": 9,"manual": 0}},"SEC03-BP07": {"name": "SEC03-BP07","checks": {"ec2_ami_public": null,"elb_internet_facing": "FAIL","elbv2_internet_facing": "PASS","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"apigateway_restapi_public": "FAIL","efs_not_publicly_accessible": "FAIL","rds_snapshots_public_access": "PASS","ssm_documents_set_as_public": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","emr_cluster_publicly_accesible": null,"redshift_cluster_public_access": null,"kms_key_not_publicly_accessible": null,"awslambda_function_url_cors_policy": null,"sns_topics_not_publicly_accessible": "PASS","sqs_queues_not_publicly_accessible": "PASS","eks_cluster_not_publicly_accessible": null,"glacier_vaults_policy_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ecr_repositories_not_publicly_accessible": "PASS","emr_cluster_account_public_block_enabled": "PASS","awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","appstream_fleet_default_internet_access_disabled": null,"opensearch_service_domains_not_publicly_accessible": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","codeartifact_packages_external_public_publishing_disabled": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Name": "SEC03-BP07 Analyze public and cross-account access","Section": "Identity and access management","SubSection": "Permissions management","Description": "Continuously monitor findings that highlight public and cross-account access. 
Reduce public access and cross-account access to only resources that require this type of access.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_analyze_cross_account.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_analyze_cross_account","WellArchitectedQuestionId": "permissions"}],"description": "Continuously monitor findings that highlight public and cross-account access. Reduce public access and cross-account access to only resources that require this type of access.","checks_status": {"fail": 4,"pass": 13,"total": 35,"manual": 0}},"SEC03-BP08": {"name": "SEC03-BP08","checks": {"ssm_document_secrets": "PASS","awslambda_function_not_publicly_accessible": "PASS","codebuild_project_user_controlled_buildspec": "PASS","opensearch_service_domains_not_publicly_accessible": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "PASS","attributes": [{"Name": "SEC03-BP08 Share resources securely within your organization","Section": "Identity and access management","SubSection": "Permissions management","Description": "Govern the consumption of shared resources across accounts or within your AWS Organizations. Monitor shared resources and review shared resource access.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_share_securely.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_share_securely","WellArchitectedQuestionId": "permissions"}],"description": "Govern the consumption of shared resources across accounts or within your AWS Organizations. 
Monitor shared resources and review shared resource access.","checks_status": {"fail": 0,"pass": 3,"total": 5,"manual": 0}},"SEC04-BP01": {"name": "SEC04-BP01","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"apigatewayv2_api_access_logging_enabled": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL","cloudfront_distributions_logging_enabled": null,"rds_instance_integration_cloudwatch_logs": "FAIL","acm_certificates_transparency_logs_enabled": "PASS","eks_control_plane_logging_all_types_enabled": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL","opensearch_service_domains_audit_logging_enabled": null,"directoryservice_directory_log_forwarding_enabled": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"route53_public_hosted_zones_cloudwatch_logging_enabled": null,"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC04-BP01 Configure service and application logging","Section": "Detection","SubSection": "Detection","Description": "Retain security event logs from services and applications. 
This is a fundamental principle of security for audit, investigations, and operational use cases, and a common security requirement driven by governance, risk, and compliance (GRC) standards, policies, and procedures.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html#implementation-guidance.","WellArchitectedPracticeId": "sec_detect_investigate_events_app_service_logging","WellArchitectedQuestionId": "detect-investigate-events"}],"description": "Retain security event logs from services and applications. This is a fundamental principle of security for audit, investigations, and operational use cases, and a common security requirement driven by governance, risk, and compliance (GRC) standards, policies, and procedures.","checks_status": {"fail": 8,"pass": 3,"total": 21,"manual": 0}},"SEC04-BP02": {"name": "SEC04-BP02","checks": {"vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Name": "SEC04-BP02 Analyze logs, findings, and metrics centrally","Section": "Detection","SubSection": "Detection","Description": "Security operations teams rely on the collection of logs and the use of search tools to discover potential events of interest, which might indicate unauthorized activity or unintentional change. However, simply analyzing collected data and manually processing information is insufficient to keep up with the volume of information flowing from complex architectures. Analysis and reporting alone don't facilitate the assignment of the right resources to work an event in a timely fashion. 
A best practice for building a mature security operations team is to deeply integrate the flow of security events and findings into a notification and workflow system such as a ticketing system, a bug or issue system, or other security information and event management (SIEM) system. This takes the workflow out of email and static reports, and allows you to route, escalate, and manage events or findings. Many organizations are also integrating security alerts into their chat or collaboration, and developer productivity platforms. For organizations embarking on automation, an API-driven, low-latency ticketing system offers considerable flexibility when planning what to automate first. This best practice applies not only to security events generated from log messages depicting user activity or network events, but also from changes detected in the infrastructure itself. The ability to detect change, determine whether a change was appropriate, and then route that information to the correct remediation workflow is essential in maintaining and validating a secure architecture, in the context of changes where the nature of their undesirability is sufficiently subtle that their execution cannot currently be prevented with a combination of AWS Identity and Access Management (IAM) and AWS Organizations configuration. Amazon GuardDuty and AWS Security Hub provide aggregation, deduplication, and analysis mechanisms for log records that are also made available to you via other AWS services. GuardDuty ingests, aggregates, and analyzes information from sources such as AWS CloudTrail management and data events, VPC DNS logs, and VPC Flow Logs. Security Hub can ingest, aggregate, and analyze output from GuardDuty, AWS Config, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and a significant number of third-party security products available in the AWS Marketplace, and if built accordingly, your own code. 
Both GuardDuty and Security Hub have an Administrator-Member model that can aggregate findings and insights across multiple accounts, and Security Hub is often used by customers who have an on- premises SIEM as an AWS-side log and alert preprocessor and aggregator from which they can then ingest Amazon EventBridge through a AWS Lambda-based processor and forwarder.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_analyze_all.html#implementation-guidance.","WellArchitectedPracticeId": "sec_detect_investigate_events_analyze_all","WellArchitectedQuestionId": "detect-investigate-events"}],"description": "Security operations teams rely on the collection of logs and the use of search tools to discover potential events of interest, which might indicate unauthorized activity or unintentional change. However, simply analyzing collected data and manually processing information is insufficient to keep up with the volume of information flowing from complex architectures. Analysis and reporting alone don't facilitate the assignment of the right resources to work an event in a timely fashion. A best practice for building a mature security operations team is to deeply integrate the flow of security events and findings into a notification and workflow system such as a ticketing system, a bug or issue system, or other security information and event management (SIEM) system. This takes the workflow out of email and static reports, and allows you to route, escalate, and manage events or findings. Many organizations are also integrating security alerts into their chat or collaboration, and developer productivity platforms. For organizations embarking on automation, an API-driven, low-latency ticketing system offers considerable flexibility when planning what to automate first. 
This best practice applies not only to security events generated from log messages depicting user activity or network events, but also from changes detected in the infrastructure itself. The ability to detect change, determine whether a change was appropriate, and then route that information to the correct remediation workflow is essential in maintaining and validating a secure architecture, in the context of changes where the nature of their undesirability is sufficiently subtle that their execution cannot currently be prevented with a combination of AWS Identity and Access Management (IAM) and AWS Organizations configuration. Amazon GuardDuty and AWS Security Hub provide aggregation, deduplication, and analysis mechanisms for log records that are also made available to you via other AWS services. GuardDuty ingests, aggregates, and analyzes information from sources such as AWS CloudTrail management and data events, VPC DNS logs, and VPC Flow Logs. Security Hub can ingest, aggregate, and analyze output from GuardDuty, AWS Config, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and a significant number of third-party security products available in the AWS Marketplace, and if built accordingly, your own code. 
Both GuardDuty and Security Hub have an Administrator-Member model that can aggregate findings and insights across multiple accounts, and Security Hub is often used by customers who have an on- premises SIEM as an AWS-side log and alert preprocessor and aggregator from which they can then ingest Amazon EventBridge through a AWS Lambda-based processor and forwarder.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"SEC04-BP03": {"name": "SEC04-BP03","checks": {"elb_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC04-BP03 Automate response to events","Section": "Detection","SubSection": "Detection","Description": "Using automation to investigate and remediate events reduces human effort and error, and enables you to scale investigation capabilities. Regular reviews will help you tune automation tools, and continuously iterate. In AWS, investigating events of interest and information on potentially unexpected changes into an automated workflow can be achieved using Amazon EventBridge. This service provides a scalable rules engine designed to broker both native AWS event formats (such as AWS CloudTrail events), as well as custom events you can generate from your application. Amazon GuardDuty also allows you to route events to a workflow system for those building incident response systems (AWS Step Functions), or to a central Security Account, or to a bucket for further analysis. Detecting change and routing this information to the correct workflow can also be accomplished using AWS Config Rules and Conformance Packs. AWS Config detects changes to in-scope services (though with higher latency than EventBridge) and generates events that can be parsed using AWS Config Rules for rollback, enforcement of compliance policy, and forwarding of information to systems, such as change management platforms and operational ticketing systems. 
As well as writing your own Lambda functions to respond to AWS Config events, you can also take advantage of the AWS Config Rules Development Kit, and a library of open source AWS Config Rules. Conformance packs are a collection of AWS Config Rules and remediation actions you deploy as a single entity authored as a YAML template. A sample conformance pack template is available for the Well-Architected Security Pillar.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_auto_response.html#implementation-guidance.","WellArchitectedPracticeId": "sec_detect_investigate_events_auto_response","WellArchitectedQuestionId": "detect-investigate-events"}],"description": "Using automation to investigate and remediate events reduces human effort and error, and enables you to scale investigation capabilities. Regular reviews will help you tune automation tools, and continuously iterate. In AWS, investigating events of interest and information on potentially unexpected changes into an automated workflow can be achieved using Amazon EventBridge. This service provides a scalable rules engine designed to broker both native AWS event formats (such as AWS CloudTrail events), as well as custom events you can generate from your application. Amazon GuardDuty also allows you to route events to a workflow system for those building incident response systems (AWS Step Functions), or to a central Security Account, or to a bucket for further analysis. Detecting change and routing this information to the correct workflow can also be accomplished using AWS Config Rules and Conformance Packs. 
AWS Config detects changes to in-scope services (though with higher latency than EventBridge) and generates events that can be parsed using AWS Config Rules for rollback, enforcement of compliance policy, and forwarding of information to systems, such as change management platforms and operational ticketing systems. As well as writing your own Lambda functions to respond to AWS Config events, you can also take advantage of the AWS Config Rules Development Kit, and a library of open source AWS Config Rules. Conformance packs are a collection of AWS Config Rules and remediation actions you deploy as a single entity authored as a YAML template. A sample conformance pack template is available for the Well-Architected Security Pillar.","checks_status": {"fail": 2,"pass": 1,"total": 3,"manual": 0}},"SEC04-BP04": {"name": "SEC04-BP04","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"directoryservice_directory_monitor_notifications": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": 
null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Name": "SEC04-BP04 Implement actionable security events","Section": "Detection","SubSection": "Detection","Description": "Create alerts that are sent to and can be actioned by your team. Ensure that alerts include relevant information for the team to take action. For each detective mechanism you have, you should also have a process, in the form of a runbook or playbook, to investigate. For example, when you enable Amazon GuardDuty, it generates different findings. You should have a runbook entry for each finding type, for example, if a trojan is discovered, your runbook has simple instructions that instruct someone to investigate and remediate.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_actionable_events.html#implementation-guidance.","WellArchitectedPracticeId": "sec_detect_investigate_events_actionable_events","WellArchitectedQuestionId": "detect-investigate-events"}],"description": "Create alerts that are sent to and can be actioned by your team. Ensure that alerts include relevant information for the team to take action. For each detective mechanism you have, you should also have a process, in the form of a runbook or playbook, to investigate. For example, when you enable Amazon GuardDuty, it generates different findings. 
You should have a runbook entry for each finding type, for example, if a trojan is discovered, your runbook has simple instructions that instruct someone to investigate and remediate.","checks_status": {"fail": 1,"pass": 3,"total": 20,"manual": 0}},"SEC05-BP01": {"name": "SEC05-BP01","checks": {"cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL","eks_cluster_not_publicly_accessible": null,"sagemaker_models_vpc_settings_configured": null,"vpc_endpoint_connections_trust_boundaries": "FAIL","awslambda_function_not_publicly_accessible": "PASS","sagemaker_models_network_isolation_enabled": null,"sagemaker_training_jobs_vpc_settings_configured": null,"sagemaker_training_jobs_network_isolation_enabled": null,"opensearch_service_domains_not_publicly_accessible": null,"sagemaker_notebook_instance_vpc_settings_configured": null,"vpc_endpoint_services_allowed_principals_trust_boundaries": null},"status": "FAIL","attributes": [{"Name": "SEC05-BP01 Create network layers","Section": "Infrastructure protection","SubSection": "Protecting networks","Description": "Group components that share reachability requirements into layers. For example, a database cluster in a virtual private cloud (VPC) with no need for internet access should be placed in subnets with no route to or from the internet. In a serverless workload operating without a VPC, similar layering and segmentation with microservices can achieve the same goal. Components such as Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) database clusters, and AWS Lambda functions that share reachability requirements can be segmented into layers formed by subnets. For example, an Amazon RDS database cluster in a VPC with no need for internet access should be placed in subnets with no route to or from the internet. This layered approach for the controls mitigates the impact of a single layer misconfiguration, which could allow unintended access. 
For Lambda, you can run your functions in your VPC to take advantage of VPC-based controls. For network connectivity that can include thousands of VPCs, AWS accounts, and on-premises networks, you should use AWS Transit Gateway. It acts as a hub that controls how traffic is routed among all the connected networks, which act like spokes. Traffic between an Amazon Virtual Private Cloud and AWS Transit Gateway remains on the AWS private network, which reduces external threat vectors such as distributed denial of service (DDoS) attacks and common exploits, such as SQL injection, cross-site scripting, cross-site request forgery, or abuse of broken authentication code. AWS Transit Gateway inter-region peering also encrypts inter-region traffic with no single point of failure or bandwidth bottleneck.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_create_layers.html#implementation-guidance.","WellArchitectedPracticeId": "sec_network_protection_create_layers","WellArchitectedQuestionId": "network-protection"}],"description": "Group components that share reachability requirements into layers. For example, a database cluster in a virtual private cloud (VPC) with no need for internet access should be placed in subnets with no route to or from the internet. In a serverless workload operating without a VPC, similar layering and segmentation with microservices can achieve the same goal. Components such as Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) database clusters, and AWS Lambda functions that share reachability requirements can be segmented into layers formed by subnets. For example, an Amazon RDS database cluster in a VPC with no need for internet access should be placed in subnets with no route to or from the internet. 
This layered approach for the controls mitigates the impact of a single layer misconfiguration, which could allow unintended access. For Lambda, you can run your functions in your VPC to take advantage of VPC-based controls. For network connectivity that can include thousands of VPCs, AWS accounts, and on-premises networks, you should use AWS Transit Gateway. It acts as a hub that controls how traffic is routed among all the connected networks, which act like spokes. Traffic between an Amazon Virtual Private Cloud and AWS Transit Gateway remains on the AWS private network, which reduces external threat vectors such as distributed denial of service (DDoS) attacks and common exploits, such as SQL injection, cross-site scripting, cross-site request forgery, or abuse of broken authentication code. AWS Transit Gateway inter-region peering also encrypts inter-region traffic with no single point of failure or bandwidth bottleneck.","checks_status": {"fail": 2,"pass": 1,"total": 12,"manual": 0}},"SEC05-BP02": {"name": "SEC05-BP02","checks": {"ec2_ebs_public_snapshot": "PASS","s3_bucket_no_mfa_delete": "FAIL","s3_bucket_acl_prohibited": "FAIL","apigatewayv2_api_authorizers_enabled": "FAIL","apigateway_restapi_authorizers_enabled": "PASS","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Name": "SEC05-BP02 Control traffic at all layers","Section": "Infrastructure protection","SubSection": "Protecting networks","Description": "When architecting your network topology, you should examine the connectivity requirements of each component. For example, if a component requires internet accessibility (inbound and outbound), connectivity to VPCs, edge services, and external data centers. A VPC allows you to define your network topology that spans an AWS Region with a private IPv4 address range that you set, or an IPv6 address range AWS selects. 
You should apply multiple controls with a defense in depth approach for both inbound and outbound traffic, including the use of security groups (stateful inspection firewall), Network ACLs, subnets, and route tables. Within a VPC, you can create subnets in an Availability Zone. Each subnet can have an associated route table that defines routing rules for managing the paths that traffic takes within the subnet. You can define an internet routable subnet by having a route that goes to an internet or NAT gateway attached to the VPC, or through another VPC. When an instance, Amazon Relational Database Service(Amazon RDS) database, or other service is launched within a VPC, it has its own security group per network interface. This firewall is outside the operating system layer and can be used to define rules for allowed inbound and outbound traffic. You can also define relationships between security groups. For example, instances within a database tier security group only accept traffic from instances within the application tier, by reference to the security groups applied to the instances involved. Unless you are using non-TCP protocols, it shouldn't be necessary to have an Amazon Elastic Compute Cloud(Amazon EC2) instance directly accessible by the internet (even with ports restricted by security groups) without a load balancer, or CloudFront. This helps protect it from unintended access through an operating system or application issue. A subnet can also have a network ACL attached to it, which acts as a stateless firewall. You should configure the network ACL to narrow the scope of traffic allowed between layers, note that you need to define both inbound and outbound rules. Some AWS services require components to access the internet for making API calls, where AWS API endpoints are located. Other AWS services use VPC endpoints within your Amazon VPCs. 
Many AWS services, including Amazon S3 and Amazon DynamoDB, support VPC endpoints, and this technology has been generalized in AWS PrivateLink. We recommend you use this approach to access AWS services, third-party services, and your own services hosted in other VPCs securely. All network traffic on AWS PrivateLink stays on the global AWS backbone and never traverses the internet. Connectivity can only be initiated by the consumer of the service, and not by the provider of the service. Using AWS PrivateLink for external service access allows you to create air-gapped VPCs with no internet access and helps protect your VPCs from external threat vectors. Third-party services can use AWS PrivateLink to allow their customers to connect to the services from their VPCs over private IP addresses. For VPC assets that need to make outbound connections to the internet, these can be made outbound only (one-way) through an AWS managed NAT gateway, outbound only internet gateway, or web proxies that you create and manage.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_layered.html#implementation-guidance.","WellArchitectedPracticeId": "sec_network_protection_layered","WellArchitectedQuestionId": "network-protection"}],"description": "When architecting your network topology, you should examine the connectivity requirements of each component. For example, if a component requires internet accessibility (inbound and outbound), connectivity to VPCs, edge services, and external data centers. A VPC allows you to define your network topology that spans an AWS Region with a private IPv4 address range that you set, or an IPv6 address range AWS selects. 
You should apply multiple controls with a defense in depth approach for both inbound and outbound traffic, including the use of security groups (stateful inspection firewall), Network ACLs, subnets, and route tables. Within a VPC, you can create subnets in an Availability Zone. Each subnet can have an associated route table that defines routing rules for managing the paths that traffic takes within the subnet. You can define an internet routable subnet by having a route that goes to an internet or NAT gateway attached to the VPC, or through another VPC. When an instance, Amazon Relational Database Service(Amazon RDS) database, or other service is launched within a VPC, it has its own security group per network interface. This firewall is outside the operating system layer and can be used to define rules for allowed inbound and outbound traffic. You can also define relationships between security groups. For example, instances within a database tier security group only accept traffic from instances within the application tier, by reference to the security groups applied to the instances involved. Unless you are using non-TCP protocols, it shouldn't be necessary to have an Amazon Elastic Compute Cloud(Amazon EC2) instance directly accessible by the internet (even with ports restricted by security groups) without a load balancer, or CloudFront. This helps protect it from unintended access through an operating system or application issue. A subnet can also have a network ACL attached to it, which acts as a stateless firewall. You should configure the network ACL to narrow the scope of traffic allowed between layers, note that you need to define both inbound and outbound rules. Some AWS services require components to access the internet for making API calls, where AWS API endpoints are located. Other AWS services use VPC endpoints within your Amazon VPCs. 
Many AWS services, including Amazon S3 and Amazon DynamoDB, support VPC endpoints, and this technology has been generalized in AWS PrivateLink. We recommend you use this approach to access AWS services, third-party services, and your own services hosted in other VPCs securely. All network traffic on AWS PrivateLink stays on the global AWS backbone and never traverses the internet. Connectivity can only be initiated by the consumer of the service, and not by the provider of the service. Using AWS PrivateLink for external service access allows you to create air-gapped VPCs with no internet access and helps protect your VPCs from external threat vectors. Third-party services can use AWS PrivateLink to allow their customers to connect to the services from their VPCs over private IP addresses. For VPC assets that need to make outbound connections to the internet, these can be made outbound only (one-way) through an AWS managed NAT gateway, outbound only internet gateway, or web proxies that you create and manage.","checks_status": {"fail": 4,"pass": 2,"total": 7,"manual": 0}},"SEC05-BP03": {"name": "SEC05-BP03","checks": {"elbv2_waf_acl_attached": "FAIL","ec2_securitygroup_not_used": "FAIL","elbv2_desync_mitigation_mode": "FAIL","ec2_securitygroup_from_launch_wizard": "FAIL","route53_domains_transferlock_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","route53_domains_privacy_protection_enabled": null,"ec2_securitygroup_with_many_ingress_egress_rules": "PASS","shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": 
null,"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","shield_advanced_protection_in_internet_facing_load_balancers": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC05-BP03 Automate network protections","Section": "Infrastructure protection","SubSection": "Protecting networks","Description": "Automate protection mechanisms to provide a self-defending network based on threat intelligence and anomaly detection. For example, intrusion detection and prevention tools that can adapt to current threats and reduce their impact. 
A web application firewall is an example of where you can automate network protection, for example, by using the AWS WAF Security Automations solution (https://github.com/awslabs/aws-waf-security-automations) to automatically block requests originating from IP addresses associated with known threat actors.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_auto_protect.html#implementation-guidance.","WellArchitectedPracticeId": "sec_network_protection_auto_protect","WellArchitectedQuestionId": "network-protection"}],"description": "Automate protection mechanisms to provide a self-defending network based on threat intelligence and anomaly detection. For example, intrusion detection and prevention tools that can adapt to current threats and reduce their impact. A web application firewall is an example of where you can automate network protection, for example, by using the AWS WAF Security Automations solution (https://github.com/awslabs/aws-waf-security-automations) to automatically block requests originating from IP addresses associated with known threat actors.","checks_status": {"fail": 8,"pass": 16,"total": 33,"manual": 0}},"SEC05-BP04": {"name": "SEC05-BP04","checks": {"guardduty_is_enabled": "PASS","vpc_flow_logs_enabled": "FAIL","apigateway_restapi_authorizers_enabled": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC05-BP04 Implement inspection and protection","Section": "Infrastructure protection","SubSection": "Protecting networks","Description": "Inspect and filter your traffic at each layer. You can inspect your VPC configurations for potential unintended access using VPC Network Access Analyzer. You can specify your network access requirements and identify potential network paths that do not meet them. For components transacting over HTTP-based protocols, a web application firewall can help protect from common attacks. 
AWS WAF is a web application firewall that lets you monitor and block HTTP(s) requests that match your configurable rules that are forwarded to an Amazon API Gateway API, Amazon CloudFront, or an Application Load Balancer. To get started with AWS WAF, you can use AWS Managed Rules in combination with your own, or use existing partner integrations. For managing AWS WAF, AWS Shield Advanced protections, and Amazon VPC security groups across AWS Organizations, you can use AWS Firewall Manager. It allows you to centrally configure and manage firewall rules across your accounts and applications, making it easier to scale enforcement of common rules. It also enables you to rapidly respond to attacks, using AWS Shield Advanced, or solutions that can automatically block unwanted requests to your web applications. Firewall Manager also works with AWS Network Firewall. AWS Network Firewall is a managed service that uses a rules engine to give you fine-grained control over both stateful and stateless network traffic. It supports the Suricata compatible open source intrusion prevention system (IPS) specifications for rules to help protect your workload.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_inspection.html#implementation-guidance.","WellArchitectedPracticeId": "sec_network_protection_inspection","WellArchitectedQuestionId": "network-protection"}],"description": "Inspect and filter your traffic at each layer. You can inspect your VPC configurations for potential unintended access using VPC Network Access Analyzer. You can specify your network access requirements and identify potential network paths that do not meet them. For components transacting over HTTP-based protocols, a web application firewall can help protect from common attacks. 
AWS WAF is a web application firewall that lets you monitor and block HTTP(s) requests that match your configurable rules that are forwarded to an Amazon API Gateway API, Amazon CloudFront, or an Application Load Balancer. To get started with AWS WAF, you can use AWS Managed Rules in combination with your own, or use existing partner integrations. For managing AWS WAF, AWS Shield Advanced protections, and Amazon VPC security groups across AWS Organizations, you can use AWS Firewall Manager. It allows you to centrally configure and manage firewall rules across your accounts and applications, making it easier to scale enforcement of common rules. It also enables you to rapidly respond to attacks, using AWS Shield Advanced, or solutions that can automatically block unwanted requests to your web applications. Firewall Manager also works with AWS Network Firewall. AWS Network Firewall is a managed service that uses a rules engine to give you fine-grained control over both stateful and stateless network traffic. It supports the Suricata compatible open source intrusion prevention system (IPS) specifications for rules to help protect your workload.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"SEC06-BP01": {"name": "SEC06-BP01","checks": {"ec2_instance_imdsv2_enabled": "PASS","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"cloudtrail_log_file_validation_enabled": "FAIL","rds_instance_minor_version_upgrade_enabled": "PASS","ec2_instance_internet_facing_with_instance_profile": "FAIL","opensearch_service_domains_updated_to_the_latest_service_software_version": null},"status": "FAIL","attributes": [{"Name": "SEC06-BP01 Perform vulnerability management","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Frequently scan and patch for vulnerabilities in your code, dependencies, and in your infrastructure to help protect against new threats. 
Starting with the configuration of your compute infrastructure, you can automate creating and updating resources using AWS CloudFormation. CloudFormation allows you to create templates written in YAML or JSON, either using AWS examples or by writing your own. This allows you to create secure-by-default infrastructure templates that you can verify with CloudFormation Guard, to save you time and reduce the risk of configuration error. You can build your infrastructure and deploy your applications using continuous delivery, for example with AWS CodePipeline, to automate the building, testing, and release. You are responsible for patch management for your AWS resources, including Amazon Elastic Compute Cloud(Amazon EC2) instances, Amazon Machine Images (AMIs), and many other compute resources. For Amazon EC2 instances, AWS Systems Manager Patch Manager automates the process of patching managed instances with both security related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for Microsoft applications.) You can use Patch Manager to install Service Packs on Windows instances and perform minor version upgrades on Linux instances. You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows Server, Amazon Linux, Amazon Linux 2, CentOS, Debian Server, Oracle Linux, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Ubuntu Server. 
You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_inspection.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_vulnerability_management","WellArchitectedQuestionId": "protect-compute"}],"description": "Frequently scan and patch for vulnerabilities in your code, dependencies, and in your infrastructure to help protect against new threats. Starting with the configuration of your compute infrastructure, you can automate creating and updating resources using AWS CloudFormation. CloudFormation allows you to create templates written in YAML or JSON, either using AWS examples or by writing your own. This allows you to create secure-by-default infrastructure templates that you can verify with CloudFormation Guard, to save you time and reduce the risk of configuration error. You can build your infrastructure and deploy your applications using continuous delivery, for example with AWS CodePipeline, to automate the building, testing, and release. You are responsible for patch management for your AWS resources, including Amazon Elastic Compute Cloud(Amazon EC2) instances, Amazon Machine Images (AMIs), and many other compute resources. For Amazon EC2 instances, AWS Systems Manager Patch Manager automates the process of patching managed instances with both security related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for Microsoft applications.) You can use Patch Manager to install Service Packs on Windows instances and perform minor version upgrades on Linux instances. 
You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows Server, Amazon Linux, Amazon Linux 2, CentOS, Debian Server, Oracle Linux, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Ubuntu Server. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.","checks_status": {"fail": 3,"pass": 2,"total": 7,"manual": 0}},"SEC06-BP02": {"name": "SEC06-BP02","checks": {"awslambda_function_not_publicly_accessible": "PASS","ecr_repositories_scan_images_on_push_enabled": "FAIL"},"status": "FAIL","attributes": [{"Name": "SEC06-BP02 Reduce attack surface","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Reduce your exposure to unintended access by hardening operating systems and minimizing the components, libraries, and externally consumable services in use. Start by reducing unused components, whether they are operating system packages or applications, for Amazon Elastic Compute Cloud (Amazon EC2)-based workloads, or external software modules in your code, for all workloads. You can find many hardening and security configuration guides for common operating systems and server software. For example, you can start with the Center for Internet Security and iterate.In Amazon EC2, you can create your own Amazon Machine Images (AMIs), which you have patched and hardened, to help you meet the specific security requirements for your organization. The patches and other security controls you apply on the AMI are effective at the point in time in which they were created—they are not dynamic unless you modify after launching, for example, with AWS Systems Manager.You can simplify the process of building secure AMIs with EC2 Image Builder. 
EC2 Image Builder significantly reduces the effort required to create and maintain golden images without writing and maintaining automation. When software updates become available, Image Builder automatically produces a new image without requiring users to manually initiate image builds. EC2 Image Builder allows you to easily validate the functionality and security of your images before using them in production with AWS-provided tests and your own tests. You can also apply AWS-provided security settings to further secure your images to meet internal security criteria. For example, you can produce images that conform to the Security Technical Implementation Guide (STIG) standard using AWS-provided templates.Using third-party static code analysis tools, you can identify common security issues such as unchecked function input bounds, as well as applicable common vulnerabilities and exposures (CVEs). You can use Amazon CodeGuru for supported languages. Dependency checking tools can also be used to determine whether libraries your code links against are the latest versions, are themselves free of CVEs, and have licensing conditions that meet your software policy requirements.Using Amazon Inspector, you can perform configuration assessments against your instances for known CVEs, assess against security benchmarks, and automate the notification of defects. Amazon Inspector runs on production instances or in a build pipeline, and it notifies developers and engineers when findings are present. You can access findings programmatically and direct your team to backlogs and bug-tracking systems. EC2 Image Builder can be used to maintain server images (AMIs) with automated patching, AWS-provided security policy enforcement, and other customizations. 
When using containers implement ECR Image Scanning in your build pipeline and on a regular basis against your image repository to look for CVEs in your containers.While Amazon Inspector and other tools are effective at identifying configurations and any CVEs that are present, other methods are required to test your workload at the application level. Fuzzing is a well-known method of finding bugs using automation to inject malformed data into input fields and other areas of your application.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_reduce_surface.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_reduce_surface","WellArchitectedQuestionId": "protect-compute"}],"description": "Reduce your exposure to unintended access by hardening operating systems and minimizing the components, libraries, and externally consumable services in use. Start by reducing unused components, whether they are operating system packages or applications, for Amazon Elastic Compute Cloud (Amazon EC2)-based workloads, or external software modules in your code, for all workloads. You can find many hardening and security configuration guides for common operating systems and server software. For example, you can start with the Center for Internet Security and iterate.In Amazon EC2, you can create your own Amazon Machine Images (AMIs), which you have patched and hardened, to help you meet the specific security requirements for your organization. The patches and other security controls you apply on the AMI are effective at the point in time in which they were created—they are not dynamic unless you modify after launching, for example, with AWS Systems Manager.You can simplify the process of building secure AMIs with EC2 Image Builder. 
EC2 Image Builder significantly reduces the effort required to create and maintain golden images without writing and maintaining automation. When software updates become available, Image Builder automatically produces a new image without requiring users to manually initiate image builds. EC2 Image Builder allows you to easily validate the functionality and security of your images before using them in production with AWS-provided tests and your own tests. You can also apply AWS-provided security settings to further secure your images to meet internal security criteria. For example, you can produce images that conform to the Security Technical Implementation Guide (STIG) standard using AWS-provided templates.Using third-party static code analysis tools, you can identify common security issues such as unchecked function input bounds, as well as applicable common vulnerabilities and exposures (CVEs). You can use Amazon CodeGuru for supported languages. Dependency checking tools can also be used to determine whether libraries your code links against are the latest versions, are themselves free of CVEs, and have licensing conditions that meet your software policy requirements.Using Amazon Inspector, you can perform configuration assessments against your instances for known CVEs, assess against security benchmarks, and automate the notification of defects. Amazon Inspector runs on production instances or in a build pipeline, and it notifies developers and engineers when findings are present. You can access findings programmatically and direct your team to backlogs and bug-tracking systems. EC2 Image Builder can be used to maintain server images (AMIs) with automated patching, AWS-provided security policy enforcement, and other customizations. 
When using containers implement ECR Image Scanning in your build pipeline and on a regular basis against your image repository to look for CVEs in your containers.While Amazon Inspector and other tools are effective at identifying configurations and any CVEs that are present, other methods are required to test your workload at the application level. Fuzzing is a well-known method of finding bugs using automation to inject malformed data into input fields and other areas of your application.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"SEC06-BP03": {"name": "SEC06-BP03","checks": {},"status": "PASS","attributes": [{"Name": "SEC06-BP03 Implement managed services","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Implement services that manage resources, such as Amazon Relational Database Service (Amazon RDS), AWS Lambda, and Amazon Elastic Container Service (Amazon ECS), to reduce your security maintenance tasks as part of the shared responsibility model. For example, Amazon RDS helps you set up, operate, and scale a relational database, automates administration tasks such as hardware provisioning, database setup, patching, and backups. This means you have more free time to focus on securing your application in other ways described in the AWS Well-Architected Framework. 
Lambda lets you run code without provisioning or managing servers, so you only need to focus on the connectivity, invocation, and security at the code level–not the infrastructure or operating system.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_implement_managed_services.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_implement_managed_services","WellArchitectedQuestionId": "protect-compute"}],"description": "Implement services that manage resources, such as Amazon Relational Database Service (Amazon RDS), AWS Lambda, and Amazon Elastic Container Service (Amazon ECS), to reduce your security maintenance tasks as part of the shared responsibility model. For example, Amazon RDS helps you set up, operate, and scale a relational database, automates administration tasks such as hardware provisioning, database setup, patching, and backups. This means you have more free time to focus on securing your application in other ways described in the AWS Well-Architected Framework. Lambda lets you run code without provisioning or managing servers, so you only need to focus on the connectivity, invocation, and security at the code level–not the infrastructure or operating system.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC06-BP04": {"name": "SEC06-BP04","checks": {"ec2_instance_managed_by_ssm": "FAIL","ec2_instance_profile_attached": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC06-BP04 Automate compute protection","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Automate your protective compute mechanisms including vulnerability management, reduction in attack surface, and management of resources. 
The automation will help you invest time in securing other aspects of your workload, and reduce the risk of human error.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_auto_protection.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_auto_protection","WellArchitectedQuestionId": "protect-compute"}],"description": "Automate your protective compute mechanisms including vulnerability management, reduction in attack surface, and management of resources. The automation will help you invest time in securing other aspects of your workload, and reduce the risk of human error.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"SEC06-BP05": {"name": "SEC06-BP05","checks": {"ec2_instance_managed_by_ssm": "FAIL","ec2_instance_profile_attached": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC06-BP05 Enable people to perform actions at a distance","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Removing the ability for interactive access reduces the risk of human error, and the potential for manual configuration or management. For example, use a change management workflow to deploy Amazon Elastic Compute Cloud (Amazon EC2) instances using infrastructure-as-code, then manage Amazon EC2 instances using tools such as AWS Systems Manager instead of allowing direct access or through a bastion host. AWS Systems Manager can automate a variety of maintenance and deployment tasks, using features including automation workflows, documents (playbooks), and the run command. 
AWS CloudFormation stacks build from pipelines and can automate your infrastructure deployment and management tasks without using the AWS Management Console or APIs directly.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_actions_distance.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_actions_distance","WellArchitectedQuestionId": "protect-compute"}],"description": "Removing the ability for interactive access reduces the risk of human error, and the potential for manual configuration or management. For example, use a change management workflow to deploy Amazon Elastic Compute Cloud (Amazon EC2) instances using infrastructure-as-code, then manage Amazon EC2 instances using tools such as AWS Systems Manager instead of allowing direct access or through a bastion host. AWS Systems Manager can automate a variety of maintenance and deployment tasks, using features including automation workflows, documents (playbooks), and the run command. AWS CloudFormation stacks build from pipelines and can automate your infrastructure deployment and management tasks without using the AWS Management Console or APIs directly.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"SEC06-BP06": {"name": "SEC06-BP06","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Name": "SEC06-BP06 Validate software integrity","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Implement mechanisms (for example, code signing) to validate that the software, code and libraries used in the workload are from trusted sources and have not been tampered with. For example, you should verify the code signing certificate of binaries and scripts to confirm the author, and ensure it has not been tampered with since created by the author. 
AWS Signer can help ensure the trust and integrity of your code by centrally managing the code- signing lifecycle, including signing certification and public and private keys. You can learn how to use advanced patterns and best practices for code signing with AWS Lambda. Additionally, a checksum of software that you download, compared to that of the checksum from the provider, can help ensure it has not been tampered with.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_validate_software_integrity.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_validate_software_integrity","WellArchitectedQuestionId": "protect-compute"}],"description": "Implement mechanisms (for example, code signing) to validate that the software, code and libraries used in the workload are from trusted sources and have not been tampered with. For example, you should verify the code signing certificate of binaries and scripts to confirm the author, and ensure it has not been tampered with since created by the author. AWS Signer can help ensure the trust and integrity of your code by centrally managing the code- signing lifecycle, including signing certification and public and private keys. You can learn how to use advanced patterns and best practices for code signing with AWS Lambda. 
Additionally, a checksum of software that you download, compared to that of the checksum from the provider, can help ensure it has not been tampered with.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"SEC07-BP01": {"name": "SEC07-BP01","checks": {},"status": "PASS","attributes": [{"Name": "SEC07-BP01 Identify the data within your workload","Section": "Data protection","SubSection": "Data classification","Description": "It’s critical to understand the type and classification of data your workload is processing, the associated business processes, where the data is stored, and who is the data owner. You should also have an understanding of the applicable legal and compliance requirements of your workload, and what data controls need to be enforced. Identifying data is the first step in the data classification journey.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_data_classification_identify_data.html#implementation-guidance.","WellArchitectedPracticeId": "sec_data_classification_identify_data","WellArchitectedQuestionId": "data-classification"}],"description": "It’s critical to understand the type and classification of data your workload is processing, the associated business processes, where the data is stored, and who is the data owner. You should also have an understanding of the applicable legal and compliance requirements of your workload, and what data controls need to be enforced. Identifying data is the first step in the data classification journey.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC07-BP02": {"name": "SEC07-BP02","checks": {},"status": "PASS","attributes": [{"Name": "SEC07-BP02 Define data protection controls","Section": "Data protection","SubSection": "Data classification","Description": "Protect data according to its classification level. 
For example, secure data classified as public by using relevant recommendations while protecting sensitive data with additional controls.By using resource tags, separate AWS accounts per sensitivity (and potentially also for each caveat, enclave, or community of interest), IAM policies, AWS Organizations SCPs, AWS Key Management Service (AWS KMS), and AWS CloudHSM, you can define and implement your policies for data classification and protection with encryption. For example, if you have a project with S3 buckets that contain highly critical data or Amazon Elastic Compute Cloud (Amazon EC2) instances that process confidential data, they can be tagged with a Project=ABC tag. Only your immediate team knows what the project code means, and it provides a way to use attribute-based access control. You can define levels of access to the AWS KMS encryption keys through key policies and grants to ensure that only appropriate services have access to the sensitive content through a secure mechanism. If you are making authorization decisions based on tags you should make sure that the permissions on the tags are defined appropriately using tag policies in AWS Organizations.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_data_classification_define_protection.html#implementation-guidance.","WellArchitectedPracticeId": "sec_data_classification_define_protection","WellArchitectedQuestionId": "data-classification"}],"description": "Protect data according to its classification level. 
For example, secure data classified as public by using relevant recommendations while protecting sensitive data with additional controls.By using resource tags, separate AWS accounts per sensitivity (and potentially also for each caveat, enclave, or community of interest), IAM policies, AWS Organizations SCPs, AWS Key Management Service (AWS KMS), and AWS CloudHSM, you can define and implement your policies for data classification and protection with encryption. For example, if you have a project with S3 buckets that contain highly critical data or Amazon Elastic Compute Cloud (Amazon EC2) instances that process confidential data, they can be tagged with a Project=ABC tag. Only your immediate team knows what the project code means, and it provides a way to use attribute-based access control. You can define levels of access to the AWS KMS encryption keys through key policies and grants to ensure that only appropriate services have access to the sensitive content through a secure mechanism. If you are making authorization decisions based on tags you should make sure that the permissions on the tags are defined appropriately using tag policies in AWS Organizations.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC07-BP03": {"name": "SEC07-BP03","checks": {},"status": "PASS","attributes": [{"Name": "SEC07-BP03 Automate identification and classification","Section": "Data protection","SubSection": "Data classification","Description": "Automating the identification and classification of data can help you implement the correct controls. Using automation for this instead of direct access from a person reduces the risk of human error and exposure. You should evaluate using a tool, such as Amazon Macie, that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. 
Amazon Macie recognizes sensitive data, such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_data_classification_auto_classification.html#implementation-guidance.","WellArchitectedPracticeId": "sec_data_classification_auto_classification","WellArchitectedQuestionId": "data-classification"}],"description": "Automating the identification and classification of data can help you implement the correct controls. Using automation for this instead of direct access from a person reduces the risk of human error and exposure. You should evaluate using a tool, such as Amazon Macie, that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data, such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC07-BP04": {"name": "SEC07-BP04","checks": {},"status": "PASS","attributes": [{"Name": "SEC07-BP04 Define data lifecycle management","Section": "Data protection","SubSection": "Data classification","Description": "Your defined lifecycle strategy should be based on sensitivity level as well as legal and organization requirements. Aspects including the duration for which you retain data, data destruction processes, data access management, data transformation, and data sharing should be considered. When choosing a data classification methodology, balance usability versus access. You should also accommodate the multiple levels of access and nuances for implementing a secure, but still usable, approach for each level. 
Always use a defense in depth approach and reduce human access to data and mechanisms for transforming, deleting, or copying data. For example, require users to strongly authenticate to an application, and give the application, rather than the users, the requisite access permission to perform action at a distance. In addition, ensure that users come from a trusted network path and require access to the decryption keys. Use tools, such as dashboards and automated reporting, to give users information from the data rather than giving them direct access to the data.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_data_classification_lifecycle_management.html#implementation-guidance.","WellArchitectedPracticeId": "sec_data_classification_lifecycle_management","WellArchitectedQuestionId": "data-classification"}],"description": "Your defined lifecycle strategy should be based on sensitivity level as well as legal and organization requirements. Aspects including the duration for which you retain data, data destruction processes, data access management, data transformation, and data sharing should be considered. When choosing a data classification methodology, balance usability versus access. You should also accommodate the multiple levels of access and nuances for implementing a secure, but still usable, approach for each level. Always use a defense in depth approach and reduce human access to data and mechanisms for transforming, deleting, or copying data. For example, require users to strongly authenticate to an application, and give the application, rather than the users, the requisite access permission to perform action at a distance. In addition, ensure that users come from a trusted network path and require access to the decryption keys. 
Use tools, such as dashboards and automated reporting, to give users information from the data rather than giving them direct access to the data.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC08-BP01": {"name": "SEC08-BP01","checks": {"kms_cmk_are_used": null},"status": "PASS","attributes": [{"Name": "SEC08-BP01 Implement secure key management","Section": "Data protection","SubSection": "Protecting data at rest","Description": "By defining an encryption approach that includes the storage, rotation, and access control of keys, you can help provide protection for your content against unauthorized users and against unnecessary exposure to authorized users. AWS Key Management Service (AWS KMS) helps you manage encryption keys and integrates with many AWS services. This service provides durable, secure, and redundant storage for your AWS KMS keys. You can define your key aliases as well as key-level policies. The policies help you define key administrators as well as key users. Additionally, AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys in the AWS Cloud. It helps you meet corporate, contractual, and regulatory compliance requirements for data security by using FIPS 140-2 Level 3 validated HSMs.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_key_mgmt.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_rest_key_mgmt","WellArchitectedQuestionId": "protect-data-rest"}],"description": "By defining an encryption approach that includes the storage, rotation, and access control of keys, you can help provide protection for your content against unauthorized users and against unnecessary exposure to authorized users. AWS Key Management Service (AWS KMS) helps you manage encryption keys and integrates with many AWS services. 
This service provides durable, secure, and redundant storage for your AWS KMS keys. You can define your key aliases as well as key-level policies. The policies help you define key administrators as well as key users. Additionally, AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys in the AWS Cloud. It helps you meet corporate, contractual, and regulatory compliance requirements for data security by using FIPS 140-2 Level 3 validated HSMs.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"SEC08-BP02": {"name": "SEC08-BP02","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","ec2_ebs_snapshots_encrypted": "FAIL","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","workspaces_volume_encryption_enabled": null,"glue_database_connections_ssl_enabled": null,"sqs_queues_server_side_encryption_enabled": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"glue_etl_jobs_amazon_s3_encryption_enabled": "PASS","cloudwatch_log_group_kms_encryption_enabled": "FAIL","glue_etl_jobs_job_bookmark_encryption_enabled": "FAIL","glue_data_catalogs_metadata_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"glue_development_endpoints_s3_encryption_enabled": null,"glue_etl_jobs_cloudwatch_logs_encryption_enabled": "FAIL","eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"sagemaker_training_jobs_intercontainer_encryption_enabled": null,"glue_data_catalogs_connection_passwords_encryption_enabled": "FAIL","glue_development_endpoints_job_bookmark_encryption_enabled": null,"sagemaker_training_jobs_volume_and_output_encryption_enabled": null,"glue_development_endpoints_cloudwatch_logs_encryption_enabled": null},"status": 
"FAIL","attributes": [{"Name": "SEC08-BP02 Enforce encryption at rest","Section": "Data protection","SubSection": "Protecting data at rest","Description": "You should ensure that the only way to store data is by using encryption. AWS Key Management Service (AWS KMS) integrates seamlessly with many AWS services to make it easier for you to encrypt all your data at rest. For example, in Amazon Simple Storage Service (Amazon S3), you can set default encryption on a bucket so that all new objects are automatically encrypted. Additionally, Amazon Elastic Compute Cloud (Amazon EC2) and Amazon S3 support the enforcement of encryption by setting default encryption. You can use AWS Config Rules to check automatically that you are using encryption, for example, for Amazon Elastic Block Store (Amazon EBS) volumes, Amazon Relational Database Service (Amazon RDS) instances, and Amazon S3 buckets.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_encrypt.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_rest_encrypt","WellArchitectedQuestionId": "protect-data-rest"}],"description": "You should ensure that the only way to store data is by using encryption. AWS Key Management Service (AWS KMS) integrates seamlessly with many AWS services to make it easier for you to encrypt all your data at rest. For example, in Amazon Simple Storage Service (Amazon S3), you can set default encryption on a bucket so that all new objects are automatically encrypted. Additionally, Amazon Elastic Compute Cloud (Amazon EC2) and Amazon S3 support the enforcement of encryption by setting default encryption. 
You can use AWS Config Rules to check automatically that you are using encryption, for example, for Amazon Elastic Block Store (Amazon EBS) volumes, Amazon Relational Database Service (Amazon RDS) instances, and Amazon S3 buckets.","checks_status": {"fail": 9,"pass": 4,"total": 25,"manual": 0}},"SEC08-BP03": {"name": "SEC08-BP03","checks": {"s3_bucket_default_encryption": "PASS","sagemaker_notebook_instance_encryption_enabled": null},"status": "PASS","attributes": [{"Name": "SEC08-BP03 Automate data at rest protection","Section": "Data protection","SubSection": "Protecting data at rest","Description": "Use automated tools to validate and enforce data at rest controls continuously, for example, verify that there are only encrypted storage resources. You can automate validation that all EBS volumes are encrypted using AWS Config Rules. AWS Security Hub can also verify several different controls through automated checks against security standards. Additionally, your AWS Config Rules can automatically remediate noncompliant resources.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_automate_protection.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_rest_automate_protection","WellArchitectedQuestionId": "protect-data-rest"}],"description": "Use automated tools to validate and enforce data at rest controls continuously, for example, verify that there are only encrypted storage resources. You can automate validation that all EBS volumes are encrypted using AWS Config Rules. AWS Security Hub can also verify several different controls through automated checks against security standards. 
Additionally, your AWS Config Rules can automatically remediate noncompliant resources.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"SEC08-BP04": {"name": "SEC08-BP04","checks": {"s3_bucket_object_versioning": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","organizations_account_part_of_organizations": null},"status": "FAIL","attributes": [{"Name": "SEC08-BP04 Enforce access control","Section": "Data protection","SubSection": "Protecting data at rest","Description": "To help protect your data at rest, enforce access control using mechanisms, such as isolation and versioning, and apply the principle of least privilege. Prevent the granting of public access to your data.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_access_control.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_rest_access_control","WellArchitectedQuestionId": "protect-data-rest"}],"description": "To help protect your data at rest, enforce access control using mechanisms, such as isolation and versioning, and apply the principle of least privilege. Prevent the granting of public access to your data.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"SEC08-BP05": {"name": "SEC08-BP05","checks": {},"status": "PASS","attributes": [{"Name": "SEC08-BP05 Use mechanisms to keep people away from data","Section": "Data protection","SubSection": "Protecting data at rest","Description": "Keep all users away from directly accessing sensitive data and systems under normal operational circumstances. For example, use a change management workflow to manage Amazon Elastic Compute Cloud (Amazon EC2) instances using tools instead of allowing direct access or a bastion host. This can be achieved using AWS Systems Manager Automation, which uses automation documents that contain steps you use to perform tasks. 
These documents can be stored in source control, be peer reviewed before running, and tested thoroughly to minimize risk compared to shell access. Business users could have a dashboard instead of direct access to a data store to run queries. Where CI/CD pipelines are not used, determine which controls and processes are required to adequately provide a normally disabled break-glass access mechanism.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_use_people_away.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_rest_use_people_away","WellArchitectedQuestionId": "protect-data-rest"}],"description": "Keep all users away from directly accessing sensitive data and systems under normal operational circumstances. For example, use a change management workflow to manage Amazon Elastic Compute Cloud (Amazon EC2) instances using tools instead of allowing direct access or a bastion host. This can be achieved using AWS Systems Manager Automation, which uses automation documents that contain steps you use to perform tasks. These documents can be stored in source control, be peer reviewed before running, and tested thoroughly to minimize risk compared to shell access. Business users could have a dashboard instead of direct access to a data store to run queries. 
Where CI/CD pipelines are not used, determine which controls and processes are required to adequately provide a normally disabled break-glass access mechanism.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC09-BP01": {"name": "SEC09-BP01","checks": {"acm_certificates_expiration_check": "PASS","directoryservice_ldap_certificate_expiration": null},"status": "PASS","attributes": [{"Name": "SEC09-BP01 Implement secure key and certificate management","Section": "Data protection","SubSection": "Protecting data in transit","Description": "Store encryption keys and certificates securely and rotate them at appropriate time intervals with strict access control. The best way to accomplish this is to use a managed service, such as AWS Certificate Manager (ACM). It lets you easily provision, manage, and deploy public and private Transport Layer Security (TLS) certificates for use with AWS services and your internal connected resources. TLS certificates are used to secure network communications and establish the identity of websites over the internet as well as resources on private networks. ACM integrates with AWS resources, such as Elastic Load Balancers (ELBs), AWS distributions, and APIs on API Gateway, also handling automatic certificate renewals. If you use ACM to deploy a private root CA, both certificates and private keys can be provided by it for use in Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and so on.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_transit_key_cert_mgmt.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_transit_key_cert_mgmt","WellArchitectedQuestionId": "protect-data-transit"}],"description": "Store encryption keys and certificates securely and rotate them at appropriate time intervals with strict access control. 
The best way to accomplish this is to use a managed service, such as AWS Certificate Manager (ACM). It lets you easily provision, manage, and deploy public and private Transport Layer Security (TLS) certificates for use with AWS services and your internal connected resources. TLS certificates are used to secure network communications and establish the identity of websites over the internet as well as resources on private networks. ACM integrates with AWS resources, such as Elastic Load Balancers (ELBs), AWS distributions, and APIs on API Gateway, also handling automatic certificate renewals. If you use ACM to deploy a private root CA, both certificates and private keys can be provided by it for use in Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and so on.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"SEC09-BP02": {"name": "SEC09-BP02","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","elb_insecure_ssl_ciphers": "PASS","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_secure_transport_policy": "FAIL","cloudfront_distributions_https_enabled": null,"apigateway_restapi_client_certificate_enabled": "FAIL","cloudfront_distributions_field_level_encryption_enabled": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Name": "SEC09-BP02 Enforce encryption in transit","Section": "Data protection","SubSection": "Protecting data in transit","Description": "Enforce your defined encryption requirements based on appropriate standards and recommendations to help you meet your organizational, legal, and compliance requirements. AWS services provide HTTPS endpoints using TLS for communication, thus providing encryption in transit when communicating with the AWS APIs. 
Insecure protocols, such as HTTP, can be audited and blocked in a VPC through the use of security groups. HTTP requests can also be automatically redirected to HTTPS in Amazon CloudFront or on an Application Load Balancer. You have full control over your computing resources to implement encryption in transit across your services. Additionally, you can use VPN connectivity into your VPC from an external network to facilitate encryption of traffic. Third-party solutions are available in the AWS Marketplace, if you have special requirements.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_transit_encrypt.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_transit_encrypt","WellArchitectedQuestionId": "protect-data-transit"}],"description": "Enforce your defined encryption requirements based on appropriate standards and recommendations to help you meet your organizational, legal, and compliance requirements. AWS services provide HTTPS endpoints using TLS for communication, thus providing encryption in transit when communicating with the AWS APIs. Insecure protocols, such as HTTP, can be audited and blocked in a VPC through the use of security groups. HTTP requests can also be automatically redirected to HTTPS in Amazon CloudFront or on an Application Load Balancer. You have full control over your computing resources to implement encryption in transit across your services. Additionally, you can use VPN connectivity into your VPC from an external network to facilitate encryption of traffic. 
Third-party solutions are available in the AWS Marketplace, if you have special requirements.","checks_status": {"fail": 4,"pass": 2,"total": 11,"manual": 0}},"SEC09-BP03": {"name": "SEC09-BP03","checks": {},"status": "PASS","attributes": [{"Name": "SEC09-BP03 Automate detection of unintended data access","Section": "Data protection","SubSection": "Protecting data in transit","Description": "Use tools such as Amazon GuardDuty to automatically detect suspicious activity or attempts to move data outside of defined boundaries. For example, GuardDuty can detect Amazon Simple Storage Service (Amazon S3) read activity that is unusual with the Exfiltration:S3/AnomalousBehavior finding. In addition to GuardDuty, Amazon VPC Flow Logs, which capture network traffic information, can be used with Amazon EventBridge to trigger detection of abnormal connections–both successful and denied. Amazon S3 Access Analyzer can help assess what data is accessible to who in your Amazon S3 buckets.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_transit_auto_unintended_access.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_transit_auto_unintended_access","WellArchitectedQuestionId": "protect-data-transit"}],"description": "Use tools such as Amazon GuardDuty to automatically detect suspicious activity or attempts to move data outside of defined boundaries. For example, GuardDuty can detect Amazon Simple Storage Service (Amazon S3) read activity that is unusual with the Exfiltration:S3/AnomalousBehavior finding. In addition to GuardDuty, Amazon VPC Flow Logs, which capture network traffic information, can be used with Amazon EventBridge to trigger detection of abnormal connections–both successful and denied. 
Amazon S3 Access Analyzer can help assess what data is accessible to who in your Amazon S3 buckets.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC09-BP04": {"name": "SEC09-BP04","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Name": "SEC09-BP04 Authenticate network communications","Section": "Data protection","SubSection": "Protecting data in transit","Description": "Verify the identity of communications by using protocols that support authentication, such as Transport Layer Security (TLS) or IPsec. Using network protocols that support authentication, allows for trust to be established between the parties. This adds to the encryption used in the protocol to reduce the risk of communications being altered or intercepted. Common protocols that implement authentication include Transport Layer Security (TLS), which is used in many AWS services, and IPsec, which is used in AWS Virtual Private Network (AWS VPN).","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_transit_authentication.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_transit_authentication","WellArchitectedQuestionId": "protect-data-transit"}],"description": "Verify the identity of communications by using protocols that support authentication, such as Transport Layer Security (TLS) or IPsec. Using network protocols that support authentication, allows for trust to be established between the parties. This adds to the encryption used in the protocol to reduce the risk of communications being altered or intercepted. 
Common protocols that implement authentication include Transport Layer Security (TLS), which is used in many AWS services, and IPsec, which is used in AWS Virtual Private Network (AWS VPN).","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"SEC10-BP01": {"name": "SEC10-BP01","checks": {"iam_support_role_created": null,"account_maintain_current_contact_details": null,"account_security_contact_information_is_registered": null,"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Name": "SEC10-BP01 Identify key personnel and external resources","Section": "Incident response","SubSection": "Prepare","Description": "Identify internal and external personnel, resources, and legal obligations that would help your organization respond to an incident.When you define your approach to incident response in the cloud, in unison with other teams (such as your legal counsel, leadership, business stakeholders, AWS Support Services, and others), you must identify key personnel, stakeholders, and relevant contacts. To reduce dependency and decrease response time, make sure that your team, specialist security teams, and responders are educated about the services that you use and have opportunities to practice hands-on.We encourage you to identify external AWS security partners that can provide you with outside expertise and a different perspective to augment your response capabilities. 
Your trusted security partners can help you identify potential risks or threats that you might not be familiar with.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_identify_personnel.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_identify_personnel","WellArchitectedQuestionId": "incident-response"}],"description": "Identify internal and external personnel, resources, and legal obligations that would help your organization respond to an incident.When you define your approach to incident response in the cloud, in unison with other teams (such as your legal counsel, leadership, business stakeholders, AWS Support Services, and others), you must identify key personnel, stakeholders, and relevant contacts. To reduce dependency and decrease response time, make sure that your team, specialist security teams, and responders are educated about the services that you use and have opportunities to practice hands-on.We encourage you to identify external AWS security partners that can provide you with outside expertise and a different perspective to augment your response capabilities. Your trusted security partners can help you identify potential risks or threats that you might not be familiar with.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"SEC10-BP02": {"name": "SEC10-BP02","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP02 Develop incident management plans","Section": "Incident response","SubSection": "Prepare","Description": "Create plans to help you respond to, communicate during, and recover from an incident. For example, you can start an incident response plan with the most likely scenarios for your workload and organization. 
Include how you would communicate and escalate both internally and externally.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_develop_management_plans.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_develop_management_plans","WellArchitectedQuestionId": "incident-response"}],"description": "Create plans to help you respond to, communicate during, and recover from an incident. For example, you can start an incident response plan with the most likely scenarios for your workload and organization. Include how you would communicate and escalate both internally and externally.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC10-BP03": {"name": "SEC10-BP03","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP03 Prepare forensic capabilities","Section": "Incident response","SubSection": "Prepare","Description": "It's important for your incident responders to understand when and how the forensic investigation fits into your response plan. Your organization should define what evidence is collected and what tools are used in the process. Identify and prepare forensic investigation capabilities that are suitable, including external specialists, tools, and automation. A key decision that you should make upfront is if you will collect data from a live system. Some data, such as the contents of volatile memory or active network connections, will be lost if the system is powered off or rebooted.Your response team can combine tools, such as AWS Systems Manager, Amazon EventBridge, and AWS Lambda, to automatically run forensic tools within an operating system and VPC traffic mirroring to obtain a network packet capture, to gather non-persistent evidence. 
Conduct other activities, such as log analysis or analyzing disk images, in a dedicated security account with customized forensic workstations and tools accessible to your responders.Routinely ship relevant logs to a data store that provides high durability and integrity. Responders should have access to those logs. AWS offers several tools that can make log investigation easier, such as Amazon Athena, Amazon OpenSearch Service (OpenSearch Service), and Amazon CloudWatch Logs Insights. Additionally, preserve evidence securely using Amazon Simple Storage Service (Amazon S3) Object Lock. This service follows the WORM (write-once- read-many) model and prevents objects from being deleted or overwritten for a defined period. As forensic investigation techniques require specialist training, you might need to engage external specialists.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_prepare_forensic.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_prepare_forensic","WellArchitectedQuestionId": "incident-response"}],"description": "It's important for your incident responders to understand when and how the forensic investigation fits into your response plan. Your organization should define what evidence is collected and what tools are used in the process. Identify and prepare forensic investigation capabilities that are suitable, including external specialists, tools, and automation. A key decision that you should make upfront is if you will collect data from a live system. 
Some data, such as the contents of volatile memory or active network connections, will be lost if the system is powered off or rebooted.Your response team can combine tools, such as AWS Systems Manager, Amazon EventBridge, and AWS Lambda, to automatically run forensic tools within an operating system and VPC traffic mirroring to obtain a network packet capture, to gather non-persistent evidence. Conduct other activities, such as log analysis or analyzing disk images, in a dedicated security account with customized forensic workstations and tools accessible to your responders.Routinely ship relevant logs to a data store that provides high durability and integrity. Responders should have access to those logs. AWS offers several tools that can make log investigation easier, such as Amazon Athena, Amazon OpenSearch Service (OpenSearch Service), and Amazon CloudWatch Logs Insights. Additionally, preserve evidence securely using Amazon Simple Storage Service (Amazon S3) Object Lock. This service follows the WORM (write-once- read-many) model and prevents objects from being deleted or overwritten for a defined period. As forensic investigation techniques require specialist training, you might need to engage external specialists.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC10-BP04": {"name": "SEC10-BP04","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP04 Automate containment capability","Section": "Incident response","SubSection": "Iterate","Description": "Automate containment and recovery of an incident to reduce response times and organizational impact.Once you create and practice the processes and tools from your playbooks, you can deconstruct the logic into a code-based solution, which can be used as a tool by many responders to automate the response and remove variance or guess-work by your responders. This can speed up the lifecycle of a response. 
The next goal is to enable this code to be fully automated by being invoked by the alerts or events themselves, rather than by a human responder, to create an event-driven response. These processes should also automatically add relevant data to your security systems. For example, an incident involving traffic from an unwanted IP address can automatically populate an AWS WAF block list or Network Firewall rule group to prevent further activity.With an event-driven response system, a detective mechanism triggers a responsive mechanism to automatically remediate the event. You can use event-driven response capabilities to reduce the time-to-value between detective mechanisms and responsive mechanisms. To create this event-driven architecture, you can use AWS Lambda, which is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. For example, assume that you have an AWS account with the AWS CloudTrail service enabled. If CloudTrail is ever disabled (through the cloudtrail:StopLogging API call), you can use Amazon EventBridge to monitor for the specific cloudtrail:StopLogging event, and invoke a Lambda function to call cloudtrail:StartLogging to restart logging.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_auto_contain.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_auto_contain","WellArchitectedQuestionId": "incident-response"}],"description": "Automate containment and recovery of an incident to reduce response times and organizational impact.Once you create and practice the processes and tools from your playbooks, you can deconstruct the logic into a code-based solution, which can be used as a tool by many responders to automate the response and remove variance or guess-work by your responders. 
This can speed up the lifecycle of a response. The next goal is to enable this code to be fully automated by being invoked by the alerts or events themselves, rather than by a human responder, to create an event-driven response. These processes should also automatically add relevant data to your security systems. For example, an incident involving traffic from an unwanted IP address can automatically populate an AWS WAF block list or Network Firewall rule group to prevent further activity.With an event-driven response system, a detective mechanism triggers a responsive mechanism to automatically remediate the event. You can use event-driven response capabilities to reduce the time-to-value between detective mechanisms and responsive mechanisms. To create this event-driven architecture, you can use AWS Lambda, which is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. For example, assume that you have an AWS account with the AWS CloudTrail service enabled. 
If CloudTrail is ever disabled (through the cloudtrail:StopLogging API call), you can use Amazon EventBridge to monitor for the specific cloudtrail:StopLogging event, and invoke a Lambda function to call cloudtrail:StartLogging to restart logging.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC10-BP05": {"name": "SEC10-BP05","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP05 Pre-provision access","Section": "Incident response","SubSection": "Prepare","Description": "Verify that incident responders have the correct access pre-provisioned in AWS to reduce the time needed for investigation through to recovery.Common anti-patterns:Using the root account for incident response.Altering existing accounts.Manipulating IAM permissions directly when providing just-in-time privilege elevation.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_pre_provision_access.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_pre_provision_access","WellArchitectedQuestionId": "incident-response"}],"description": "Verify that incident responders have the correct access pre-provisioned in AWS to reduce the time needed for investigation through to recovery.Common anti-patterns:Using the root account for incident response.Altering existing accounts.Manipulating IAM permissions directly when providing just-in-time privilege elevation.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC10-BP06": {"name": "SEC10-BP06","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP06 Pre-deploy tools","Section": "Incident response","SubSection": "Prepare","Description": "Ensure that security personnel have the right tools pre-deployed into AWS to reduce the time for investigation through to recovery.To automate security engineering and operations functions, you can use a comprehensive set 
of APIs and tools from AWS. You can fully automate identity management, network security, data protection, and monitoring capabilities and deliver them using popular software development methods that you already have in place. When you build security automation, your system can monitor, review, and initiate a response, rather than having people monitor your security position and manually react to events. An effective way to automatically provide searchable and relevant log data across AWS services to your incident responders is to enable Amazon Detective.If your incident response teams continue to respond to alerts in the same way, they risk alert fatigue. Over time, the team can become desensitized to alerts and can either make mistakes handling ordinary situations or miss unusual alerts. Automation helps avoid alert fatigue by using functions that process the repetitive and ordinary alerts, leaving humans to handle the sensitive and unique incidents. Integrating anomaly detection systems, such as Amazon GuardDuty, AWS CloudTrail Insights, and Amazon CloudWatch Anomaly Detection, can reduce the burden of common threshold-based alerts.You can improve manual processes by programmatically automating steps in the process. After you define the remediation pattern to an event, you can decompose that pattern into actionable logic, and write the code to perform that logic. Responders can then execute that code to remediate the issue. Over time, you can automate more and more steps, and ultimately automatically handle whole classes of common incidents.For tools that execute within the operating system of your Amazon Elastic Compute Cloud (Amazon EC2) instance, you should evaluate using the AWS Systems Manager Run Command, which enables you to remotely and securely administrate instances using an agent that you install on your Amazon EC2 instance operating system. 
It requires the Systems Manager Agent (SSM Agent), which is installed by default on many Amazon Machine Images (AMIs). Be aware, though, that once an instance has been compromised, no responses from tools or agents running on it should be considered trustworthy.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_pre_deploy_tools.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_pre_deploy_tools","WellArchitectedQuestionId": "incident-response"}],"description": "Ensure that security personnel have the right tools pre-deployed into AWS to reduce the time for investigation through to recovery.To automate security engineering and operations functions, you can use a comprehensive set of APIs and tools from AWS. You can fully automate identity management, network security, data protection, and monitoring capabilities and deliver them using popular software development methods that you already have in place. When you build security automation, your system can monitor, review, and initiate a response, rather than having people monitor your security position and manually react to events. An effective way to automatically provide searchable and relevant log data across AWS services to your incident responders is to enable Amazon Detective.If your incident response teams continue to respond to alerts in the same way, they risk alert fatigue. Over time, the team can become desensitized to alerts and can either make mistakes handling ordinary situations or miss unusual alerts. Automation helps avoid alert fatigue by using functions that process the repetitive and ordinary alerts, leaving humans to handle the sensitive and unique incidents. 
Integrating anomaly detection systems, such as Amazon GuardDuty, AWS CloudTrail Insights, and Amazon CloudWatch Anomaly Detection, can reduce the burden of common threshold-based alerts.You can improve manual processes by programmatically automating steps in the process. After you define the remediation pattern to an event, you can decompose that pattern into actionable logic, and write the code to perform that logic. Responders can then execute that code to remediate the issue. Over time, you can automate more and more steps, and ultimately automatically handle whole classes of common incidents.For tools that execute within the operating system of your Amazon Elastic Compute Cloud (Amazon EC2) instance, you should evaluate using the AWS Systems Manager Run Command, which enables you to remotely and securely administrate instances using an agent that you install on your Amazon EC2 instance operating system. It requires the Systems Manager Agent (SSM Agent), which is installed by default on many Amazon Machine Images (AMIs). Be aware, though, that once an instance has been compromised, no responses from tools or agents running on it should be considered trustworthy.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC10-BP07": {"name": "SEC10-BP07","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP07 Run game days","Section": "Incident response","SubSection": "Simulate","Description": "Game days, also known as simulations or exercises, are internal events that provide a structured opportunity to practice your incident management plans and procedures during a realistic scenario. These events should exercise responders using the same tools and techniques that would be used in a real-world scenario - even mimicking real-world environments. Game days are fundamentally about being prepared and iteratively improving your response capabilities. 
Some of the reasons you might find value in performing game day activities include:Validating readinessDeveloping confidence – learning from simulations and training staffFollowing compliance or contractual obligationsGenerating artifacts for accreditationBeing agile – incremental improvementBecoming faster and improving toolsRefining communication and escalationDeveloping comfort with the rare and the unexpectedFor these reasons, the value derived from participating in a simulation activity increases an organization's effectiveness during stressful events. Developing a simulation activity that is both realistic and beneficial can be a difficult exercise. Although testing your procedures or automation that handles well-understood events has certain advantages, it is just as valuable to participate in creative Security Incident Response Simulations (SIRS) activities to test yourself against the unexpected and continuously improve.Create custom simulations tailored to your environment, team, and tools. Find an issue and design your simulation around it. This could be something like a leaked credential, a server communicating with unwanted systems, or a misconfiguration that results in unauthorized exposure. Identify engineers who are familiar with your organization to create the scenario and another group to participate. The scenario should be realistic and challenging enough to be valuable. It should include the opportunity to get hands on with logging, notifications, escalations, and executing runbooks or automation. During the simulation, your responders should exercise their technical and organizational skills, and leaders should be involved to build their incident management skills. 
At the end of the simulation, celebrate the efforts of the team and look for ways to iterate, repeat, and expand into further simulations.AWS has created Incident Response Runbook templates that you can use not only to prepare your response efforts, but also as a basis for a simulation. When planning, a simulation can be broken into five phases.Evidence gathering: In this phase, a team will get alerts through various means, such as an internal ticketing system, alerts from monitoring tooling, anonymous tips, or even public news. Teams then start to review infrastructure and application logs to determine the source of the compromise. This step should also involve internal escalations and incident leadership. Once identified, teams move on to containing the incidentContain the incident: Teams will have determined there has been an incident and established the source of the compromise. Teams now should take action to contain it, for example, by disabling compromised credentials, isolating a compute resource, or revoking a role's permission.Eradicate the incident: Now that they've contained the incident, teams will work towards mitigating any vulnerabilities in applications or infrastructure configurations that were susceptible to the compromise. This could include rotating all credentials used for a workload, modifying Access Control Lists (ACLs) or changing network configurations.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_run_game_days.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_run_game_days","WellArchitectedQuestionId": "incident-response"}],"description": "Game days, also known as simulations or exercises, are internal events that provide a structured opportunity to practice your incident management plans and procedures during a realistic scenario. 
These events should exercise responders using the same tools and techniques that would be used in a real-world scenario - even mimicking real-world environments. Game days are fundamentally about being prepared and iteratively improving your response capabilities. Some of the reasons you might find value in performing game day activities include:Validating readinessDeveloping confidence – learning from simulations and training staffFollowing compliance or contractual obligationsGenerating artifacts for accreditationBeing agile – incremental improvementBecoming faster and improving toolsRefining communication and escalationDeveloping comfort with the rare and the unexpectedFor these reasons, the value derived from participating in a simulation activity increases an organization's effectiveness during stressful events. Developing a simulation activity that is both realistic and beneficial can be a difficult exercise. Although testing your procedures or automation that handles well-understood events has certain advantages, it is just as valuable to participate in creative Security Incident Response Simulations (SIRS) activities to test yourself against the unexpected and continuously improve.Create custom simulations tailored to your environment, team, and tools. Find an issue and design your simulation around it. This could be something like a leaked credential, a server communicating with unwanted systems, or a misconfiguration that results in unauthorized exposure. Identify engineers who are familiar with your organization to create the scenario and another group to participate. The scenario should be realistic and challenging enough to be valuable. It should include the opportunity to get hands on with logging, notifications, escalations, and executing runbooks or automation. During the simulation, your responders should exercise their technical and organizational skills, and leaders should be involved to build their incident management skills. 
At the end of the simulation, celebrate the efforts of the team and look for ways to iterate, repeat, and expand into further simulations.AWS has created Incident Response Runbook templates that you can use not only to prepare your response efforts, but also as a basis for a simulation. When planning, a simulation can be broken into five phases.Evidence gathering: In this phase, a team will get alerts through various means, such as an internal ticketing system, alerts from monitoring tooling, anonymous tips, or even public news. Teams then start to review infrastructure and application logs to determine the source of the compromise. This step should also involve internal escalations and incident leadership. Once identified, teams move on to containing the incidentContain the incident: Teams will have determined there has been an incident and established the source of the compromise. Teams now should take action to contain it, for example, by disabling compromised credentials, isolating a compute resource, or revoking a role's permission.Eradicate the incident: Now that they've contained the incident, teams will work towards mitigating any vulnerabilities in applications or infrastructure configurations that were susceptible to the compromise. This could include rotating all credentials used for a workload, modifying Access Control Lists (ACLs) or changing network configurations.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC11-BP02": {"name": "SEC11-BP02","checks": {"ecr_repositories_scan_images_on_push_enabled": "FAIL","ecr_repositories_scan_vulnerabilities_in_latest_image": null},"status": "FAIL","attributes": [{"Name": "SEC11-BP02 Automate testing throughout the development and release lifecycle","Section": "Application Security","SubSection": null,"Description": "Automate the testing for security properties throughout the development and release lifecycle. 
Automation makes it easier to consistently and repeatably identify potential issues in software prior to release, which reduces the risk of security issues in the software being provided. The goal of automated testing is to provide a programmatic way of detecting potential issues early and often throughout the development lifecycle. When you automate regression testing, you can rerun functional and non-functional tests to verify that previously tested software still performs as expected after a change. When you define security unit tests to check for common misconfigurations, such as broken or missing authentication, you can identify and fix these issues early in the development process. Test automation uses purpose-built test cases for application validation, based on the application’s requirements and desired functionality. The result of the automated testing is based on comparing the generated test output to its respective expected output, which expedites the overall testing lifecycle. Testing methodologies such as regression testing and unit test suites are best suited for automation. Automating the testing of security properties allows builders to receive automated feedback without having to wait for a security review. Automated tests in the form of static or dynamic code analysis can increase code quality and help detect potential software issues early in the development lifecycle.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_appsec_automate_testing_throughout_lifecycle.html#implementation-guidance.","WellArchitectedPracticeId": "sec_appsec_automate_testing_throughout_lifecycle","WellArchitectedQuestionId": "application-security"}],"description": "Automate the testing for security properties throughout the development and release lifecycle. 
Automation makes it easier to consistently and repeatably identify potential issues in software prior to release, which reduces the risk of security issues in the software being provided. The goal of automated testing is to provide a programmatic way of detecting potential issues early and often throughout the development lifecycle. When you automate regression testing, you can rerun functional and non-functional tests to verify that previously tested software still performs as expected after a change. When you define security unit tests to check for common misconfigurations, such as broken or missing authentication, you can identify and fix these issues early in the development process. Test automation uses purpose-built test cases for application validation, based on the application’s requirements and desired functionality. The result of the automated testing is based on comparing the generated test output to its respective expected output, which expedites the overall testing lifecycle. Testing methodologies such as regression testing and unit test suites are best suited for automation. Automating the testing of security properties allows builders to receive automated feedback without having to wait for a security review. 
Automated tests in the form of static or dynamic code analysis can increase code quality and help detect potential software issues early in the development lifecycle.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}}},"requirements_passed": 17,"requirements_failed": 23,"requirements_manual": 17,"total_requirements": 57,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "e079e750-59b8-4d29-9e57-1a10a0e63be4","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_foundational_security_best_practices_aws","framework": "AWS-Foundational-Security-Best-Practices","version": "","description": "The AWS Foundational Security Best Practices standard is a set of controls that detect when your deployed accounts and resources deviate from security best practices.","region": "eu-west-1","requirements": {"s3": {"name": "Benchmark: S3","checks": {"s3_bucket_public_access": null,"s3_bucket_acl_prohibited": "FAIL","s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","s3_account_level_public_access_blocks": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "s3","Section": "S3","Service": "s3","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS S3 resources and options.","checks_status": {"fail": 4,"pass": 2,"total": 9,"manual": 0}},"acm": {"name": "ACM","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "acm","Section": "Acm","Service": "acm","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring ACM resources.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"dms": {"name": "Benchmark: 
DMS","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "dms","Section": "DMS","Service": "dms","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS DMS resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ec2": {"name": "Benchmark: EC2","checks": {"vpc_flow_logs_enabled": "FAIL","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","ec2_securitygroup_not_used": "FAIL","ec2_instance_imdsv2_enabled": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ec2","Section": "EC2","Service": "ec2","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring EC2 resources and options.","checks_status": {"fail": 6,"pass": 4,"total": 10,"manual": 0}},"ecr": {"name": "Benchmark: Elastic Container Registry","checks": {"ecr_repositories_lifecycle_policy_enabled": "FAIL","ecr_repositories_scan_images_on_push_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ecr","Section": "ECR","Service": "ecr","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS ECR resources and options.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"ecs": {"name": "Benchmark: Elastic Container Service","checks": {"ecs_task_definitions_no_environment_secrets": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ecs","Section": "ECS","Service": "ecs","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring ECS resources and options.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"efs": {"name": "Benchmark: EFS","checks": 
{"efs_have_backup_enabled": "FAIL","efs_encryption_at_rest_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "efs","Section": "EFS","Service": "efs","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS EFS resources and options.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"eks": {"name": "Benchmark: EKS","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "eks","Section": "EKS","Service": "eks","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS EKS resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"elb": {"name": "Benchmark: ELB","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","elbv2_deletion_protection": "FAIL","elbv2_desync_mitigation_mode": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "elb","Section": "ELB","Service": "elb","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Elastic Load Balancer resources and options.","checks_status": {"fail": 4,"pass": 0,"total": 4,"manual": 0}},"emr": {"name": "Benchmark: EMR","checks": {"emr_cluster_master_nodes_no_public_ip": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "emr","Section": "EMR","Service": "emr","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring EMR resources.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"iam": {"name": "Benchmark: IAM","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_inline_policy_no_administrative_privileges": 
null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "iam","Section": "IAM","Service": "iam","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS IAM resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 10,"manual": 0}},"kms": {"name": "Benchmark: KMS","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "kms","Section": "KMS","Service": "kms","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS KMS resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"rds": {"name": "Benchmark: RDS","checks": {"rds_instance_multi_az": "FAIL","rds_snapshots_public_access": "PASS","rds_instance_no_public_access": "PASS","rds_instance_storage_encrypted": "FAIL","rds_instance_deletion_protection": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "rds","Section": "RDS","Service": "rds","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS RDS resources and options.","checks_status": {"fail": 5,"pass": 3,"total": 10,"manual": 0}},"sns": {"name": "Benchmark: SNS","checks": {"sns_topics_kms_encryption_at_rest_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sns","Section": "SNS","Service": "sns","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS SNS resources and options.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sqs": {"name": "Benchmark: SQS","checks": {"sqs_queues_server_side_encryption_enabled": "PASS"},"status": "PASS","attributes": 
[{"Type": null,"ItemId": "sqs","Section": "SQS","Service": "sqs","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS SQS resources and options.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ssm": {"name": "Benchmark: SSM","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ssm","Section": "SSM","Service": "ssm","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Systems Manager resources and options.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"waf": {"name": "Benchmark: WAF","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "waf","Section": "WAF","Service": "waf","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS WAF resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"elbv2": {"name": "Benchmark: ELBv2","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "elbv2","Section": "ELBv2","Service": "elbv2","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Elastic Load Balancer resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"config": {"name": "Benchmark: Config","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "config","Section": "Config","Service": "config","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Config.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"lambda": {"name": "Benchmark: Lambda","checks": {"awslambda_function_url_public": null,"awslambda_function_using_supported_runtimes": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"lambda","Section": "Lambda","Service": "lambda","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Lambda resources and options.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"account": {"name": "Account","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "account","Section": "Account","Service": "account","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Account.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"kinesis": {"name": "Benchmark: Kinesis","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "kinesis","Section": "Kinesis","Service": "kinesis","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Kinesis resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"dynamodb": {"name": "Benchmark: DynamoDB","checks": {"dynamodb_tables_pitr_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "dynamodb","Section": "DynamoDB","Service": "dynamodb","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Dynamo DB resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"redshift": {"name": "Benchmark: Redshift","checks": {"redshift_cluster_public_access": null,"redshift_cluster_automated_snapshot": null,"redshift_cluster_automatic_upgrades": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "redshift","Section": "Redshift","Service": "redshift","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Redshift resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"codebuild": 
{"name": "Benchmark: CodeBuild","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "codebuild","Section": "CodeBuild","Service": "codebuild","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CodeBuild resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"guardduty": {"name": "Benchmark: GuardDuty","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "guardduty","Section": "GuardDuty","Service": "guardduty","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS GuardDuty resources and options.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sagemaker": {"name": "Benchmark: SageMaker","checks": {"sagemaker_notebook_instance_root_access_disabled": null,"sagemaker_notebook_instance_vpc_settings_configured": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sagemaker","Section": "SageMaker","Service": "sagemaker","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Sagemaker resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"cloudfront": {"name": "Benchmark: CloudFront","checks": {"cloudfront_distributions_using_waf": null,"cloudfront_distributions_https_enabled": null,"cloudfront_distributions_logging_enabled": null,"cloudfront_distributions_field_level_encryption_enabled": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "cloudfront","Section": "CloudFront","Service": "cloudfront","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CloudFront resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 
0}},"cloudtrail": {"name": "Benchmark: CloudTrail","checks": {"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cloudtrail","Section": "CloudTrail","Service": "cloudtrail","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CloudTrail resources and options.","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"opensearch": {"name": "Benchmark: OpenSearch","checks": {"opensearch_service_domains_not_publicly_accessible": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "opensearch","Section": "OpenSearch","Service": "opensearch","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring OpenSearch resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"api-gateway": {"name": "API Gateway","checks": {"apigateway_restapi_logging_enabled": "PASS","apigateway_restapi_waf_acl_attached": "FAIL","apigatewayv2_api_authorizers_enabled": "FAIL","apigatewayv2_api_access_logging_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "api-gateway","Section": "API Gateway","Service": "apigateway","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring API Gateway resources.","checks_status": {"fail": 4,"pass": 1,"total": 5,"manual": 0}},"auto-scaling": {"name": "Benchmark: Auto Scaling","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "auto-scaling","Section": "Auto Scaling","Service": "autoscaling","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Auto Scaling resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 
0,"manual": 0}},"elasticsearch": {"name": "Benchmark: Elasticsearch","checks": {"opensearch_service_domains_audit_logging_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "elasticsearch","Section": "ElasticSearch","Service": "elasticsearch","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Elasticsearch resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"cloudformation": {"name": "Benchmark: CloudFormation","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "cloudformation","Section": "CloudFormation","Service": "cloudformation","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CloudFormation resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"secretsmanager": {"name": "Benchmark: Secrets Manager","checks": {"secretsmanager_automatic_rotation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "secretsmanager","Section": "Secrets Manager","Service": "secretsmanager","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Secrets Manager resources.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"network-firewall": {"name": "Benchmark: Network Firewall","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "network-firewall","Section": "Network Firewall","Service": "network-firewall","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Network Firewall resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"elastic-beanstalk": {"name": "Benchmark: Elastic 
Beanstalk","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "elastic-beanstalk","Section": "Elastic Beanstalk","Service": "elasticbeanstalk","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Elastic Beanstalk resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}}},"requirements_passed": 14,"requirements_failed": 12,"requirements_manual": 11,"total_requirements": 37,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "e23a4728-558b-4a92-8e7d-f1473c21cc6e","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "ens_rd2022_aws","framework": "ENS","version": "RD2022","description": "The accreditation scheme of the ENS (National Security Scheme) has been developed by the Ministry of Finance and Public Administrations and the CCN (National Cryptological Center). This includes the basic principles and minimum requirements necessary for the adequate protection of information.","region": "eu-west-1","requirements": {"mp.s.1.aws.wm.1": {"name": "mp.s.1.aws.wm.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.s.1","DescripcionControl": "Se deberá hacer uso del cifrado de la información contenida en los correos electrónicos."}],"description": "Protección del correo electrónico","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.s.1.aws.wm.2": {"name": "mp.s.1.aws.wm.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": 
["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.s.1","DescripcionControl": "Habilitar el registro de eventos de Workmail en CloudWatch para realizar el seguimiento de mensajes con spam."}],"description": "Protección del correo electrónico","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.s.1.aws.wm.3": {"name": "mp.s.1.aws.wm.3","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.s.1","DescripcionControl": "En SES, se debe hacer uso de la opción que permite a los usuarios enviar correo electrónico cifrado con S/MIME"}],"description": "Protección del correo electrónico","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.s.4.aws.as.1": {"name": "mp.s.4.aws.as.1","checks": {"autoscaling_group_multiple_az": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.s.4","DescripcionControl": "Activar la solución AWS Auto Scaling para dotar a los sistemas de la capacidad suficiente para atender la carga prevista con holgura y desplegar tecnologías para la prevención de ataques conocidos."}],"description": "Protección frente a la denegación de servicio ","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.s.2.aws.waf.1": {"name": "mp.s.2.aws.waf.1","checks": {"cloudfront_distributions_using_waf": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": 
["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.s.2","DescripcionControl": "Todas las aplicaciones web distribuidas por el servicio de AWS CloudFront deben estar integradas con el servicio de firewall de aplicaciones web AWS WAF."}],"description": "Protección de servicios y aplicaciones web","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.s.2.aws.waf.2": {"name": "mp.s.2.aws.waf.2","checks": {"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.s.2","DescripcionControl": "Los API gateways deben tener un ACL WAF asociado."}],"description": "Protección de servicios y aplicaciones web","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.s.2.aws.waf.3": {"name": "mp.s.2.aws.waf.3","checks": {"elbv2_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.s.2","DescripcionControl": "Todos los balanceadores de aplicación deben estar integrados con el servicio de firewall de aplicación web para quedar protegidos ante ataques de la capa de aplicación"}],"description": "Protección de servicios y aplicaciones web","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.es.1": {"name": "mp.si.2.aws.es.1","checks": {"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": 
"medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre todos los dominios del servicio Amazon Elasticsearch Service (ES). En caso de usar este servicio, deberá asegurarse la activación del cifrado en reposo."}],"description": "Criptografía","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.s3.1": {"name": "mp.si.2.aws.s3.1","checks": {"s3_bucket_default_encryption": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre los distintos buckets de S3, de los cuales se debe asegurar que tengan activado el cifrado en reposo."}],"description": "Criptografía","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.pl.4.aws.sq.1": {"name": "op.pl.4.aws.sq.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4","DescripcionControl": "La entidad usuaria deberá llevar a cabo el estudio de capacidades a las que hace referencia la medida de seguridad, si bien (…) deberá tener especialmente en cuenta: * Las cuotas de los servicios a utilizar."}],"description": "Necesidades de procesamiento","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.1.aws.cf.1": {"name": "mp.com.1.aws.cf.1","checks": {"cloudfront_distributions_https_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": 
"protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Asegurar que la distribución entre frontales CloudFront y sus orígenes únicamente emplee tráfico HTTPs "}],"description": "Perímetro seguro","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.com.1.aws.s3.1": {"name": "mp.com.1.aws.s3.1","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Asegurar que los Buckets S3 de almacenamiento apliquen cifrado para la transferencia de datos empleando Secure Sockets Layer (SSL)"}],"description": "Perímetro seguro","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.com.1.aws.sg.1": {"name": "mp.com.1.aws.sg.1","checks": {"ec2_securitygroup_from_launch_wizard": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Asegurar que el Security Group restrinja todo el tráfico. 
Para ello, se deberán agregar las reglas del Security Group que se aplica por defecto cuando se crea una VPC."}],"description": "Perímetro seguro","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"mp.com.1.aws.sg.2": {"name": "mp.com.1.aws.sg.2","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Evitar la existencia de Security Groups que dejen abierto todo el tráfico entrante."}],"description": "Perímetro seguro","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.com.1.aws.sg.3": {"name": "mp.com.1.aws.sg.3","checks": {"ec2_securitygroup_not_used": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Evitar tener un repositorio de Security Groups que no estén siendo usados."}],"description": "Perímetro seguro","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.com.3.aws.cf.1": {"name": "mp.com.3.aws.cf.1","checks": {"cloudfront_distributions_https_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["integridad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.3","DescripcionControl": "Asegurar que la distribución entre frontales CloudFront y sus orígenes únicamente emplee tráfico 
HTTPS."}],"description": "Protección de la integridad y de la autenticidad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.com.3.aws.s3.1": {"name": "mp.com.3.aws.s3.1","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["integridad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.3","DescripcionControl": "Asegurar que los Buckets de almacenamiento S3 apliquen cifrado para la transferencia de datos empleando TLS."}],"description": "Protección de la integridad y de la autenticidad","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.com.4.aws.ws.1": {"name": "mp.com.4.aws.ws.1","checks": {"workspaces_vpc_2private_1public_subnets_nat": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "segregación de redes","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.4","DescripcionControl": "Se deberán abrir solo los puertos necesarios para el uso del servicio AWS WorkSpaces."}],"description": "Separación de flujos de información en la red","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.elb.1": {"name": "mp.si.2.aws.elb.1","checks": {"ec2_ebs_snapshots_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Se recomienda dejar activada la opción de cifrado por defecto para nuevos volúmenes."}],"description": "Criptografía","checks_status": 
{"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.kms.1": {"name": "mp.si.2.aws.kms.1","checks": {"ec2_ebs_volume_encryption": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre el almacenamiento de las instancias en todos sus volúmenes de datos."}],"description": "Criptografía","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.si.2.aws.rds.1": {"name": "mp.si.2.aws.rds.1","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre las bases de datos AWS RDS."}],"description": "Criptografía","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.sqs.1": {"name": "mp.si.2.aws.sqs.1","checks": {"sqs_queues_server_side_encryption_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre las colas de mensajes de AWS (Amazon SQS)."}],"description": "Criptografía","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.1.aws.re.1": {"name": "op.exp.1.aws.re.1","checks": {"resourceexplorer2_indexes_found": "PASS"},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": 
"explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "Se recomienda el uso de AWS Resource Explorer para la exploración de los recursos como instancias RDB, buckets S3o tablas de Amazon DynamoDB."}],"description": "Inventario de activos","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.5.aws.cm.1": {"name": "op.exp.5.aws.cm.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.5","DescripcionControl": "La entidad usuaria puede hacer uso de la utilidad AWS Change Manager para mantener un registro actualizado de las plantillas y peticiones de cambio en las que se incluya información en detalle sobre estos."}],"description": "Gestión de cambios","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.5.aws.ct.1": {"name": "op.exp.5.aws.ct.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.5","DescripcionControl": "Asegurar que CloudTrail esté activo para todas las regiones."}],"description": "Gestión de cambios","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.6.aws.gd.1": {"name": "op.exp.6.aws.gd.1","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": 
["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.6","DescripcionControl": "Activar la protección contra software malintencionado de GuardDuty en todas las regiones."}],"description": "Protección frente a código dañino","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.7.aws.cf.1": {"name": "op.exp.7.aws.cf.1","checks": {"cloudfront_distributions_logging_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.7","DescripcionControl": "Habilitar los logs de acceso de CloudFront"}],"description": "Gestión de incidentes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.7.aws.gd.1": {"name": "op.exp.7.aws.gd.1","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.7","DescripcionControl": "Habilitar GuardDuty para la detección de incidentes de seguridad"}],"description": "Gestión de incidentes","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"op.exp.7.aws.sh.1": {"name": "op.exp.7.aws.sh.1","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.7","DescripcionControl": 
"Habilitar Security Hub"}],"description": "Gestión de incidentes","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.8.aws.ct.1": {"name": "op.exp.8.aws.ct.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Habilitar la herramienta CloudTrail en todas las regiones. Este serviio está habilitado por defecto cuando se crea una nueva cuenta, pero es posible deshabilitarlo."}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.8.aws.ct.2": {"name": "op.exp.8.aws.ct.2","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Establecer un filtro de métricas desde AWS CloudWatch para detectar cambios en las configuraciones de CloudTrail"}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.aws.ct.3": {"name": "op.exp.8.aws.ct.3","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Habilitar la validación de archivos en todos los trails, evitando así que estos se vean modificados o eliminados."}],"description": "Registro de actividad","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.aws.ct.4": {"name": 
"op.exp.8.aws.ct.4","checks": {"cloudtrail_s3_dataevents_write_enabled": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Habilitar la entrega continua de eventos de CloudTrail a un bucket S3 dedicado con el fin de unificar los archivos de registro."}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"op.exp.8.aws.ct.5": {"name": "op.exp.8.aws.ct.5","checks": {"cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Se deberán habilitar alertas para los siguientes eventos: * Llamadas no permitidas a la API, * Accesos no permitidos a la consola, * Todos los intentos de acceso sin el correcto uso de MFA, * Toda la actividad realizada sobre y por la cuenta root, * Cualquier cambio en las políticas IAM"}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"op.exp.8.aws.ct.6": {"name": "op.exp.8.aws.ct.6","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "medida","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Activar el servicio de AWS 
CloudTrail para registrar la actividad de los usuarios relativa a la configuración de los servicios VPN Site-to-Site y AWS DirectConnect"}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.8.aws.cw.1": {"name": "op.exp.8.aws.cw.1","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Crear alertas utilizando herramientas como Amazon CloudWatch Events para anunciar el inicio de sesión y el uso de las credenciales de usuario root de la cuenta de administración"}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.9.aws.ct.1": {"name": "op.exp.9.aws.ct.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.9","DescripcionControl": "Habilitar AWS Incident Manager y AWS CloudTrail en todas las regiones con el fin de recopilar información para generar contenido prescriptivo para la creación de informes exigidos por la medida de seguridad."}],"description": "Registro de la gestión de incidentes","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.ext.7.aws.am.1": {"name": "op.ext.7.aws.am.1","checks": {"account_maintain_current_contact_details": null,"account_security_contact_information_is_registered": null,"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": 
"explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.7","DescripcionControl": "Deberá proveerse la información relacionada con contactos alternativos (de facturación, operaciones y seguridad), con correos que no dependan de la misma persona. Deberá comprobarse regularmente que estas cuentas funcionan correctamente y mantener listas de correo para asegurar la recepción de avisos por personal disponible en cada momento. Además, deberán establecerse preguntas de desafío de seguridad y respuestas para el caso de que sea necesario autenticarse como propiterio de la cuenta para ponerse en contacto con el soporte de AWS."}],"description": "Gestión de incidentes","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"op.mon.1.aws.ct.1": {"name": "op.mon.1.aws.ct.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.1","DescripcionControl": "Activar el servicio de eventos AWS CloudTrail para todas las regiones."}],"description": "Detección de intrusión","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.1.aws.gd.1": {"name": "op.mon.1.aws.gd.1","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.1","DescripcionControl": "En ausencia de otras herramientas de terceros, habilitar Amazon GuarDuty para la detección de amenazas e 
intrusiones."}],"description": "Detección de intrusión","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.1.aws.gd.2": {"name": "op.mon.1.aws.gd.2","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.1","DescripcionControl": "Deberá habilitarse Amazon GuardDuty para todas las regiones tanto en la cuenta raíz como en las cuentas miembro de un entorno multi-cuenta."}],"description": "Detección de intrusión","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.1.aws.gd.3": {"name": "op.mon.1.aws.gd.3","checks": {"guardduty_centrally_managed": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.1","DescripcionControl": "Todas las cuentas miembro deberán estar añadidas para la supervisión bajo la cuenta raíz."}],"description": "Detección de intrusión","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.mon.1.aws.gd.4": {"name": "op.mon.1.aws.gd.4","checks": {},"status": "PASS","attributes": [{"Tipo": "medida","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.mon.1","DescripcionControl": "La administración de Amazon GuardDuty quedará delegada exclusivamente a la cuenta de seguridad para garantizar una correcta asignación de los roles para este servicio."}],"description": "Detección 
de intrusión","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.mon.2.aws.sh.1": {"name": "op.mon.2.aws.sh.1","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.2","DescripcionControl": "Utilizar Security Hub para obtener una vista consolidada de los hallazgos de seguridad en los servicios de AWS habilitados."}],"description": "Sistema de métricas","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.pl.4.aws.ec2.1": {"name": "op.pl.4.aws.ec2.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4","DescripcionControl": "La entidad usuaria deberá llevar a cabo el estudio de capacidades a las que hace referencia la medida de seguridad, si bien (…) deberá tener especialmente en cuenta: * Las capacidades de procesamiento, almacenamiento y comunicaciones de las instancais desplegadas en AWS."}],"description": "Necesidades de procesamiento","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.1.aws.elb.1": {"name": "mp.com.1.aws.elb.1","checks": {"elb_ssl_listeners": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Habilitar TLS en los balanceadores de carga ELB "}],"description": "Perímetro seguro","checks_status": {"fail": 1,"pass": 0,"total": 
1,"manual": 0}},"mp.com.1.aws.elb.2": {"name": "mp.com.1.aws.elb.2","checks": {"elb_insecure_ssl_ciphers": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Evitar el uso de protocolos de cifrado inseguros para las políticas de seguridad de ELB. Esto podría dejar la conexión SSL entre balanceadores y clientes vulnerables a ser explotados. En particular deberá evitarse el uso de TLS 1.0. "}],"description": "Perímetro seguro","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.com.1.aws.nfw.1": {"name": "mp.com.1.aws.nfw.1","checks": {"networkfirewall_in_all_vpc": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Filtrar todo el tráfico entrante y saliente de la VPC a través de Firewalls de red."}],"description": "Perímetro seguro","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.com.1.aws.nfw.2": {"name": "mp.com.1.aws.nfw.2","checks": {"fms_policy_compliant": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Incidir en la utilización de AWS Firewall Manager para gestionar los firewalls de forma centralizada."}],"description": "Perímetro 
seguro","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.com.2.aws.vpn.1": {"name": "mp.com.2.aws.vpn.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.com.2","DescripcionControl": "Garantizar que las conexiones entre la VPC y la red local (remota) se canalizan a través de VPN Site-to-Site o bien a través de Direct Connect."}],"description": "Protección de la confidencialidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.2.aws.vpn.2": {"name": "mp.com.2.aws.vpn.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.com.2","DescripcionControl": "Garantizar que las conexiones entre la VPC y la red local (remota) se canalizan a través de VPN Site-to-Site o bien a través de Direct Connect."}],"description": "Protección de la confidencialidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.3.aws.elb.1": {"name": "mp.com.3.aws.elb.1","checks": {"elbv2_insecure_ssl_ciphers": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["integridad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.3","DescripcionControl": "Habilitar TLS en los balanceadores de carga ELB."}],"description": "Protección de la integridad y de la autenticidad","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.com.3.aws.elb.2": {"name": "mp.com.3.aws.elb.2","checks": {"elbv2_insecure_ssl_ciphers": "PASS"},"status": "PASS","attributes": 
[{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["integridad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.3","DescripcionControl": "Evitar el uso de protocolos de cifrado inseguros en la conexión TLS entre clientes y balanceadores de carga. En particular, se deberá evitar el uso de TLS 1.0."}],"description": "Protección de la integridad y de la autenticidad","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.com.4.aws.vpc.1": {"name": "mp.com.4.aws.vpc.1","checks": {"vpc_subnet_separate_private_public": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.4","DescripcionControl": "Los flujos de información de red se deben separar a través de la utilización de diferentes subnets."}],"description": "Separación de flujos de información en la red","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.com.4.aws.vpc.2": {"name": "mp.com.4.aws.vpc.2","checks": {"ec2_instance_internet_facing_with_instance_profile": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.4","DescripcionControl": "Evitar el uso de subnets con la opción de asignación automática de IPs (auto-assign Public IP)."}],"description": "Separación de flujos de información en la red","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.dydb.1": {"name": 
"mp.si.2.aws.dydb.1","checks": {"dynamodb_tables_kms_cmk_encryption_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre las bases de datos DynamoDB, que deben implementar cifrado seguro mediante el uso de claves de cliente (KMS)."}],"description": "Criptografía","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.1.aws.iam.1": {"name": "op.acc.1.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1","DescripcionControl": "Utilizar los grupos y roles, en lugar de los usuarios individuales, para controlar el acceso. 
Esto permitirá implementar un conjunto de permisos en lugar de actualizar muchas políticas individuales cuando el acceso de un usuario necesita cambiar."}],"description": "Identificador único","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.aws.iam.2": {"name": "op.acc.1.aws.iam.2","checks": {"iam_check_saml_providers_sts": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.1","DescripcionControl": "Es muy recomendable la utilización de un proveedor de identidades que permita administrar las identidades en un lugar centralizado, en vez de utilizar IAM para ello."}],"description": "Proveedor de identidad centralizado","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.1.aws.iam.3": {"name": "op.acc.1.aws.iam.3","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1","DescripcionControl": "El usuario raíz actúa como usuario IAM de seguridad (usuario \"breakglass\"), dado que no se encuentra sincronizado con el proveedor de identidades externo, lo que permite la recuperación de emergencia del acceso a AWS en caso de imposibilidad de autenticar a los usuarios a través del proveedor de identidades."}],"description": "Proveedor de identidad centralizado","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.aws.iam.4": {"name": "op.acc.1.aws.iam.4","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": 
"op.acc.1","DescripcionControl": "Utilizar identificadores únicos para los usuarios del sistema."}],"description": "Identificador único","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.aws.iam.5": {"name": "op.acc.1.aws.iam.5","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1","DescripcionControl": "Cada cuenta estará asociada a un identificador único."}],"description": "Identificador único","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.aws.iam.6": {"name": "op.acc.1.aws.iam.6","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1","DescripcionControl": "Las cuentas deben ser inhabilitadas en los siguientes casos: cuando el usuario deja la organización; cuando el usuario cesa en la función para la cual se requería la cuenta de usuario; o, cuando la persona que la autorizó, da orden en sentido contrario."}],"description": "Cuentas de usuario","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.aws.iam.7": {"name": "op.acc.1.aws.iam.7","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1","DescripcionControl": "Las cuentas se retendrán durante el periodo necesario para atender a las necesidades de trazabilidad de los registros de actividad asociados a las mismas. 
A este periodo se le denominará periodo de retención."}],"description": "Cuentas de usuario","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.iam.1": {"name": "op.acc.2.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "Hacer uso de las políticas IAM para la asignación de privilegios de acceso. Deberán administrarse permisos para controlar el acceso de las identidades de personas y máquinas y sus cargas de trabajo."}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.iam.2": {"name": "op.acc.2.aws.iam.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "Deberá definirse una política IAM que conceda permiso al usuario o rol de IAM para utilizar los recursos y las acciones de la API específicos que necesita"}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.iam.3": {"name": "op.acc.2.aws.iam.3","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "De acuerdo con las medidas del Esquema Nacional de seguridad los derechos de acceso de cada recurso, se establecerán según las decisiones de la persona responsable del recurso, 
ateniéndose a la política y normativa de seguridad del sistema"}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.iam.4": {"name": "op.acc.2.aws.iam.4","checks": {"iam_avoid_root_usage": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.2","DescripcionControl": "Se deberá delegar en cuentas administradoras la administración de la organización, dejando la cuenta maestra sin uso y con las medidas de seguridad pertinentes."}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.2.aws.vpn.1": {"name": "op.acc.2.aws.vpn.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "Deberá definirse una correcta política de permisos IAM para operaciones de Amazon WorkSpaces según las recomendaciónes establecidas en la sección 3.1.1 Control de Acceso de la guía CCN STIC-887A Guía de configuración segura AWS."}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.vpn.2": {"name": "op.acc.2.aws.vpn.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "Deberán restringirse los permisos a usuarios para utilizar la acción ec2:DescribeVpnConnections. 
Esta acción permite a los usuarios ver la información de configuración de la gateway de cliente sobre las conexiones Site-to-Site VPN de su cuenta."}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.vpn.3": {"name": "op.acc.2.aws.vpn.3","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "La rotación de certificados de VPN deberá asignarse siguiendo las recomendaciónes de segregación de funciones tal y como se explica en la sección 3.1.1."}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.3.aws.iam.1": {"name": "op.acc.3.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.3","DescripcionControl": "Enumerar los recursos específicos a los que puede obtener acceso una función de trabajo."}],"description": "Segregación de funciones y tareas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.3.aws.iam.2": {"name": "op.acc.3.aws.iam.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.3","DescripcionControl": "Emplear correctamente el uso de RBAC/ABAC para separar las funciones de desarrollo y operación."}],"description": "Segregación de funciones y tareas","checks_status": {"fail": 0,"pass": 
0,"total": 0,"manual": 0}},"op.acc.3.aws.iam.3": {"name": "op.acc.3.aws.iam.3","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.3","DescripcionControl": "Emplear correctamente el uso de RBAC/ABAC para separar las funciones de autorización y control de uso."}],"description": "Segregación de funciones y tareas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.3.aws.iam.4": {"name": "op.acc.3.aws.iam.4","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.3","DescripcionControl": "Las políticas IAM deberían estar asociadas solo a grupos y a roles."}],"description": "Segregación de funciones y tareas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.1": {"name": "op.acc.4.aws.iam.1","checks": {"awslambda_function_url_public": null,"awslambda_function_url_cors_policy": null,"sqs_queues_not_publicly_accessible": "PASS","organizations_scp_check_deny_regions": null,"s3_bucket_policy_public_write_access": "PASS","iam_policy_allows_privilege_escalation": null,"cloudwatch_cross_account_sharing_disabled": null,"awslambda_function_not_publicly_accessible": "PASS","organizations_account_part_of_organizations": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control 
de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Las políticas IAM deben permitir sólo los privilegios necesarios para cada rol. Se recomienda comenzar con el mínimo nivel de permisos e ir añadiendo permisos adicionales según vaya surgiendo la necesidad en lugar de comenzar con permisos administrativos."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 3,"total": 13,"manual": 0}},"op.acc.4.aws.iam.2": {"name": "op.acc.4.aws.iam.2","checks": {"iam_policy_allows_privilege_escalation": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Evitar políticas con comodines (wildcards) en su definición, que puedan otorgar privilegios administrativos completos."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"op.acc.4.aws.iam.3": {"name": "op.acc.4.aws.iam.3","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automatico","IdGrupoControl": "op.acc.4","DescripcionControl": "Para una correcta implementación de la estrategia de políticas de acceso, se recomienda utilizar la herramienta Policy 
Simulator para probar y solucionar posibles problemas en la asignación de políticas."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.acc.4.aws.iam.4": {"name": "op.acc.4.aws.iam.4","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "Se puede utilizar Acces Analyzer para identificar recursos y cuentas, validar las políticas contra las prácticas recomendadas y generar políticas con base en la actividad de acceso de registros de CloudTrail."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.5": {"name": "op.acc.4.aws.iam.5","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "En cuanto a los accesos a las instancias alojadas en AWS se recomienda emplear mecanismos para mantener a las personas alejadas de los datos. 
Es decir, limitar al máximo el acceso directo a los datos por parte de los usuarios."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.6": {"name": "op.acc.4.aws.iam.6","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Con AWS Systems Manager Automation pueden utilizarse documentos de automatización y diseñar flujos de trabajo para la administración de cambios o la ejecución de operaciones estándar para administrar las instancias EC2 (p. ej., actualizar los sistemas operativos), en lugar de permitir el acceso directo. "}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.acc.4.aws.iam.7": {"name": "op.acc.4.aws.iam.7","checks": {"iam_avoid_root_usage": null,"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Se restringirá todo acceso a las acciones especificadas para el usuario root de una cuenta."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"op.acc.4.aws.iam.8": {"name": "op.acc.4.aws.iam.8","checks": {"organizations_scp_check_deny_regions": null,"organizations_account_part_of_organizations": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": 
["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Se restringirá todo acceso a las acciones especificadas para el usuario root de una cuenta."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"op.acc.4.aws.iam.9": {"name": "op.acc.4.aws.iam.9","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Se configurarán diferentes permisos a las cuentas de usuario, limitando la utilización de la cuenta “root” para tareas específicas que necesiten un nivel de privilegios elevado, esta configuración debe entenderse como un mecanismo para impedir que el trabajo directo con usuarios con privilegios de administrador repercuta negativamente en la seguridad, a acometer todas las acciones con el máximo privilegio cuando este no es siempre requerido."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"op.acc.4.aws.sys.1": {"name": "op.acc.4.aws.sys.1","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Habilitar systems manager automation para evitar acceso remoto humano a tareas 
automatizables."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.acc.4.aws.vpn.1": {"name": "op.acc.4.aws.vpn.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "Las configuraciones de las políticas de las AWS VPN deben tener las redes específicas con las que se va a establecer la conectividad y evitar políticas genéricas basadas en routing donde se pierde el control granular de las redes permitidas en los SA de la VPN."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.vpn.2": {"name": "op.acc.4.aws.vpn.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "En configuraciones de AWS DirectConnect, deberán controlarse los AS y el routing que se lleva por BGP, de modo que se propague el mínimo de rutas y se asegure que no exista redistribución de rutas/redes privadas de entornos del cliente hacia el ISP."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.aws.iam.1": {"name": "op.acc.6.aws.iam.1","checks": {"iam_user_two_active_access_key": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": 
"automático","IdGrupoControl": "op.acc.6","DescripcionControl": "Evitar el uso permanente de múltiples claves de acceso para un mismo usuario IAM."}],"description": "Mecanismo de autenticación (usuarios de la organización)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.6.aws.iam.2": {"name": "op.acc.6.aws.iam.2","checks": {"iam_user_accesskey_unused": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6","DescripcionControl": "Las claves de acceso deberán rotarse cada 90 días o menos."}],"description": "Mecanismo de autenticación (usuarios de la organización)","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"op.acc.6.aws.iam.3": {"name": "op.acc.6.aws.iam.3","checks": {"iam_user_accesskey_unused": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6","DescripcionControl": "Deberá habilitarse el vencimiento de las credenciales de los usuarios. 
(Bien a través de la política de contraseñas de IAM o del proveedor de identidades federado)."}],"description": "Mecanismo de autenticación (usuarios de la organización)","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"op.acc.6.aws.iam.4": {"name": "op.acc.6.aws.iam.4","checks": {"iam_user_no_setup_initial_access_key": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6","DescripcionControl": "Se deberá evitar la asignación por defecto de claves de acceso para todos los usuarios que tengan acceso a la consola. Para cumplir con este requisito, se recomienda revisar qué usuarios se encuentran dados de alta en la cuenta de AWS y disponen de acceso a la consola de administración y evitar la asignación de claves de acceso cuando no son necesarias."}],"description": "Mecanismo de autenticación (usuarios de la organización)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.cont.2.aws.az.1": {"name": "op.cont.2.aws.az.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "continuidad del servicio","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.cont.2","DescripcionControl": "(Organizativo) Deberá implementarse correctamente la distribución de servicios según regiones y zonas de disponibilidad para limitar al máximo los riesgos asociados a una única ubicación."}],"description": "Plan de continuidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.1.aws.cfg.1": {"name": "op.exp.1.aws.cfg.1","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": 
"explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "En lo referente al inventariado de activos, asegurar que AWS Config está habilitado en todas las regiones y utilizar la herramienta para obtener una vista de los recursos existentes en las cuentas de AWS."}],"description": "Inventario de activos","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.1.aws.cfg.2": {"name": "op.exp.1.aws.cfg.2","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "bajo","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "Configurar una regla de Config Rules que alerte sobre el despliegue de recursos sin las etiquetas correspondientes asociadas."}],"description": "Inventario de activos","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.1.aws.sys.1": {"name": "op.exp.1.aws.sys.1","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "En el ámbito del software desplegado en las instancias de EC2, habilitar AWS System Manager Inventory para todo el entorno de EC2 en caso de no utilizar herramientas de terceros."}],"description": "Inventario de activos","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"op.exp.1.aws.sys.2": {"name": "op.exp.1.aws.sys.2","checks": 
{"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "Asignar metadatos personalizados a cada nodo administrado con información sobre el responsable del activo."}],"description": "Inventario de activos","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.1.aws.tag.1": {"name": "op.exp.1.aws.tag.1","checks": {"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "Para la correcta identificación del responsable, asociar etiquetas para todos los activos."}],"description": "Inventario de activos","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.3.aws.cfg.1": {"name": "op.exp.3.aws.cfg.1","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "bajo","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.3","DescripcionControl": "El cumplimiento de los requisitos se puede apoyar en la utilización de los servicios Config, Config Rules y Conformance Packs para identificar líneas base de configuración para evaluar si los recursos de AWS se ajustan a las prácticas autorizadas por la organización."}],"description": "Gestión de la configuración de seguridad","checks_status": 
{"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.4.aws.ami.1": {"name": "op.exp.4.aws.ami.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.4","DescripcionControl": "Una forma eficiente de garantizar la instalación de las versiones actualizadas y aprobadas del software de los sistemas es la utilización de Golden AMIs."}],"description": "Mantenimiento y actualizaciones de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.4.aws.sys.2": {"name": "op.exp.4.aws.sys.2","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.4","DescripcionControl": "Utilizar AWS Systems Manager Patch Manager para planificar y gestionar la aplicación de parches minimizando los riesgos asociados a tener instancias con software desactualizado y expuesto a vulnerabilidades conocidas."}],"description": "Mantenimiento y actualizaciones de seguridad","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"op.exp.5.aws.cal.1": {"name": "op.exp.5.aws.cal.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.5","DescripcionControl": "Utilizar AWS Change Calendar para establecer una ventana de tiempo (fecha y hora) en la que realizar los 
cambios y las pruebas de preproducción en equipos equivalentes a los de producción sin riesgo a que estas afecten a la continuidad del servicio prestado."}],"description": "Gestión de cambios","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.9.aws.img.1": {"name": "op.exp.9.aws.img.1","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssmincidents_enabled_with_plans": null},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.9","DescripcionControl": "Habilitar AWS Incident Manager y AWS CloudTrail en todas las regiones con el fin de recopilar información para generar contenido prescriptivo para la creación de informes exigidos por la medida de seguridad."}],"description": "Registro de la gestión de incidentes","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"op.mon.3.aws.cwl.1": {"name": "op.mon.3.aws.cwl.1","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automatico","IdGrupoControl": "op.mon.3","DescripcionControl": "Deberá asegurarse que todos los servicios que se utilicen en la arquitectura de la aplicación desplegada en AWS estén generando logs"}],"description": "Vigilancia","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.info.6.aws.iam.1": {"name": "mp.info.6.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["disponibilidad"],"Dependencias": 
[],"ModoEjecucion": "manual","IdGrupoControl": "mp.info.6","DescripcionControl": "La organización puede hacer uso de roles y políticas IAM para la definición y asignación de permisos en cuanto a controles de acceso de las copias de respaldo."}],"description": "Copias de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.info.6.aws.tag.1": {"name": "mp.info.6.aws.tag.1","checks": {"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.info.6","DescripcionControl": "Los planes de respaldo se pueden integrar con AWS Tags, acotando con base en las etiquetas de los recursos el alcance de cada proceso de copiado."}],"description": "Copias de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.4.aws.iam.10": {"name": "op.acc.4.aws.iam.10","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "Se evitará que los usuarios puedan deshabilitar o modificar servicios relacionados con el área de seguridad como AWS Config o AWS CloudWatch."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.11": {"name": "op.acc.4.aws.iam.11","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": 
"op.acc.4","DescripcionControl": "Deberá definirse una política de IAM que conceda permiso al usuario o rol de IAMpara utilizar exclusivamente los recursos y las acciones de WorkSpace que necesita."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.12": {"name": "op.acc.4.aws.iam.12","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "Las políticas IAM únicamente deben poder asignarse por el usuario que tenga la función de control de accesos expresamente atribuida."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.13": {"name": "op.acc.4.aws.iam.13","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "No utilizar el usuario raíz salvo necesidad expresa."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.cont.3.aws.drs.1": {"name": "op.cont.3.aws.drs.1","checks": {"drs_job_exist": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "continuidad del servicio","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.cont.3","DescripcionControl": "La organización puede hacer uso del servicio AWS Elastic Disaster Recovery, programando y ejecutando pruebas no disruptivas (simulacros que no 
afectan ni al servidor de origen ni a la replicación de datos en curso) que prueben el correcto funcionamiento de las recuperaciones del plan de continuidad."}],"description": "Pruebas periódicas","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.1": {"name": "op.exp.10.aws.cmk.1","checks": {"iam_policy_no_full_access_to_kms": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Los usuarios o roles con privilegios para la creación de claves deben ser diferentes a los que van a utilizar las claves para operaciones de cifrado."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.2": {"name": "op.exp.10.aws.cmk.2","checks": {"iam_policy_no_full_access_to_kms": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Utilizar claves gestionadas por los clientes (CMK)."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.3": {"name": "op.exp.10.aws.cmk.3","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Activar la rotación de las claves 
CMK."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.4": {"name": "op.exp.10.aws.cmk.4","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Para el archivo posterior a la explotación y destrucción de las claves se debe deshabilitar todas las claves CMK que no estén en uso."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.5": {"name": "op.exp.10.aws.cmk.5","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Eliminar las claves deshabilitadas que no estén en uso y no mantengan ningún objeto o recurso cifrado, completando el ciclo de vida de la clave."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.6": {"name": "op.exp.10.aws.cmk.6","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.10","DescripcionControl": "Utilizar el principio de mínimos privilegios para las 
políticas asociadas a claves."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.10.aws.cmk.7": {"name": "op.exp.10.aws.cmk.7","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.10","DescripcionControl": "Utilizar tags y alias para una mejor administración de las claves."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.10.aws.cmk.8": {"name": "op.exp.10.aws.cmk.8","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.10","DescripcionControl": "Utilizar las políticas IAM y las concesiones de claves para el acceso a las mismas."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.10.aws.tag.1": {"name": "op.exp.10.aws.tag.1","checks": {"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Se recomienda utilizar tags y alias para una mejor gestión y administración de las claves."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.mon.1.aws.flow.1": {"name": 
"op.mon.1.aws.flow.1","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.1","DescripcionControl": "Activar el servicio VPC FlowLogs."}],"description": "Detección de intrusión","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.pl.2.aws.warch.1": {"name": "op.pl.2.aws.warch.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.2.r3","DescripcionControl": "Es recomendable que la entidad usuaria se apoye en el marco de trabajo AWS Well-Architected Framework"}],"description": "Validación de datos","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.pl.4.r1.aws.cw.1": {"name": "op.pl.4.r1.aws.cw.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "En caso de no disponer de herramientas de terceros, se deberán utilizar las herramientas de monitorización de la capaciad indicadas para monitorizar las capacidades de la infraestructura y el grado de consumo de los servicios en función de las cuotas disponibles. 
(CloudWatch)"}],"description": "Mejora continua de la gestión de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.pl.4.r1.aws.sq.1": {"name": "op.pl.4.r1.aws.sq.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "En caso de no disponer de herramientas de terceros, se deberán utilizar las herramientas de monitorización de la capaciad indicadas para monitorizar las capacidades de la infraestructura y el grado de consumo de los servicios en función de las cuotas disponibles. (Service Quotas)"}],"description": "Mejora continua de la gestión de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.pl.4.r1.aws.sq.2": {"name": "op.pl.4.r1.aws.sq.2","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "En cuanto a la monitorización sobre el grado de consumo, utilizar la solución nativa Quota Monitor."}],"description": "Previsión y actualización de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.pl.4.r1.aws.sq.3": {"name": "op.pl.4.r1.aws.sq.3","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "Visualizar las cuotas de servicio y configurar alarmas a través de la integración de AWS Service Quotas con CloudWatch."}],"description": "Monitorización de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 
0}},"mp.info.6.aws.bcku.1": {"name": "mp.info.6.aws.bcku.1","checks": {"backup_plans_exist": "PASS","backup_vaults_exist": null,"backup_reportplans_exist": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.info.6","DescripcionControl": "Para los procedimientos de respaldo de cualquiera de los dos entornos (local y nube) y siempre y cuando se utilicen recursos compatibles en el entorno local, la entidad puede hacer uso de AWS Backup, que permite elaboración de planes de respaldo y la definición de reglas de frecuencia, ciclo de vida, lugar de almacenamiento y etiquetado de las copias de seguridad."}],"description": "Copias de seguridad","checks_status": {"fail": 0,"pass": 1,"total": 3,"manual": 0}},"mp.si.2.r1.aws.kms.1": {"name": "mp.si.2.r1.aws.kms.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.si.2.r1","DescripcionControl": "Utilizar productos certificados conforme a op.pl.5, si bien AWS KMS es un producto certificado cuyo uso satisface la exigencia de este control."}],"description": "Productos certificados","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.si.2.r2.aws.ebs.1": {"name": "mp.si.2.r2.aws.ebs.1","checks": {"ec2_ebs_snapshots_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2.r2","DescripcionControl": "Se deberá asegurar el cifrado de las 
copias de seguridad (snapshots) de EBS."}],"description": "Copias de seguridad","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.sw.2.r1.aws.acb.1": {"name": "mp.sw.2.r1.aws.acb.1","checks": {"codebuild_project_older_90_days": "FAIL","codebuild_project_user_controlled_buildspec": "PASS"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.sw.2.r1","DescripcionControl": "Habilitar Amazon CodeBuild para el apoyo de la realización de pruebas en entornos aisaldos."}],"description": "Aceptación y puesta en servicio","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"op.exp.8.r1.aws.ct.2": {"name": "op.exp.8.r1.aws.ct.2","checks": {"cloudtrail_insights_exist": null,"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Configurar la herramienta CloudTrail de manera que realice el registro de eventos de administración, eventos de datos y eventos anómalos (insights)."}],"description": "Revisión de los registros","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"op.exp.8.r1.aws.ct.3": {"name": "op.exp.8.r1.aws.ct.3","checks": {"cloudtrail_insights_exist": null,"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Tipo": 
"refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Registrar los eventos de lectura y escritura de datos."}],"description": "Revisión de los registros","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"op.exp.8.r1.aws.ct.4": {"name": "op.exp.8.r1.aws.ct.4","checks": {"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Registrar los eventos de lectura y escritura de datos."}],"description": "Revisión de los registros","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"op.exp.8.r1.aws.ct.6": {"name": "op.exp.8.r1.aws.ct.6","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Habilitar la entrega continua de eventos de CloudTrail a un bucket de Amazon S3"}],"description": "Revisión de los registros","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r1.aws.ct.7": {"name": "op.exp.8.r1.aws.ct.7","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Integrar CloudTrail con el servicio CloudWatch Logs"}],"description": "Revisión de los 
registros","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r1.aws.cw.1": {"name": "op.exp.8.r1.aws.cw.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Utilizar el servicio AWS CloudWatch para centralizar y revisar los registros de todos los sistemas independientemente de su origen."}],"description": "Revisión de los registros","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.8.r3.aws.ct.1": {"name": "op.exp.8.r3.aws.ct.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.8.r3","DescripcionControl": "Ejecutar la acción PutRetentionPolicy de Amazon CloudWatch, permitiendo así establecer la retención del grupo de registros especificado y configurar el número de días durante los cuales se conservarán los eventos de registro en el grupo seleccionado de acuerdo con el documento de seguridad correspondiente. 
Paralelamente, se debe definir un periodo de retención para los datos almacenados en CloudTrail Lakes."}],"description": "Retención de registros","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.8.r3.aws.cw.1": {"name": "op.exp.8.r3.aws.cw.1","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r3","DescripcionControl": "Ejecutar la acción PutRetentionPolicy de Amazon CloudWatch, permitiendo así establecer la retención del grupo de registros especificado y configurar el número de días durante los cuales se conservarán los eventos de registro en el grupo seleccionado de acuerdo con el documento de seguridad correspondiente. Paralelamente, se debe definir un periodo de retención para los datos almacenados en CloudTrail Lakes."}],"description": "Retención de registros","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.1": {"name": "op.exp.8.r4.aws.ct.1","checks": {"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_role_cross_service_confused_deputy_prevention": null,"iam_customer_attached_policy_no_administrative_privileges": null,"iam_customer_unattached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Asignar correctamente las políticas AWS IAM para el acceso y borrado de los registros y sus copias de seguridad haciendo uso del principio de mínimo 
privilegio."}],"description": "Control de acceso","checks_status": {"fail": 0,"pass": 0,"total": 7,"manual": 0}},"op.exp.8.r4.aws.ct.2": {"name": "op.exp.8.r4.aws.ct.2","checks": {"s3_bucket_public_access": null,"s3_bucket_policy_public_write_access": "PASS","cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Utilizar una política de bucket para restringir el acceso de forma pública e imponer restricciones sobre cuáles de los usuarios pueden eliminar objetos de Amazon S3."}],"description": "Control de acceso","checks_status": {"fail": 0,"pass": 2,"total": 3,"manual": 0}},"op.exp.8.r4.aws.ct.3": {"name": "op.exp.8.r4.aws.ct.3","checks": {"cloudtrail_bucket_requires_mfa_delete": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Activar el acceso por MFA al registro de actividad almacenado en los buckets de Amazon S3 dedicados para AWS CloudTrail."}],"description": "Control de acceso","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.4": {"name": "op.exp.8.r4.aws.ct.4","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Configurar los archivos de logs de AWS CloudTrail para aprovechar el cifrado del lado del servidor (SSE – Server Side Encryption) y las claves maestras creadas por el cliente (CMK de 
KMS)."}],"description": "Control de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.5": {"name": "op.exp.8.r4.aws.ct.5","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "El almacén de logs de CloudTrail no debería ser accesible de forma pública"}],"description": "Control de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.6": {"name": "op.exp.8.r4.aws.ct.6","checks": {"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "El almacén de logs de CloudTrail no debería ser accesible de forma pública(ACLs)"}],"description": "Control de acceso","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.7": {"name": "op.exp.8.r4.aws.ct.7","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Cifrado de los trails con KMS"}],"description": "Control de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.8": {"name": "op.exp.8.r4.aws.ct.8","checks": {"iam_policy_allows_privilege_escalation": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": 
null,"iam_role_cross_service_confused_deputy_prevention": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Asignar correctamente las políticas IAM para el acceso y borrado de los registros y sus copias de seguridad haciendo uso del principio de mínimo privilegio."}],"description": "Control de acceso","checks_status": {"fail": 0,"pass": 0,"total": 7,"manual": 0}},"op.mon.3.r1.aws.gd.1": {"name": "op.mon.3.r1.aws.gd.1","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r1","DescripcionControl": "Activar GuardDuty y Security Hub o bien disponer de un SIEM externo a AWS"}],"description": "Correlación de eventos","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.3.r1.aws.sh.1": {"name": "op.mon.3.r1.aws.sh.1","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r1","DescripcionControl": "Activar GuardDuty y Security Hub o bien disponer de un SIEM externo a AWS"}],"description": "Correlación de eventos","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.3.r2.aws.sh.1": {"name": "op.mon.3.r2.aws.sh.1","checks": 
{"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r2","DescripcionControl": "Utilizar las herramientas AWS Config y Security hub"}],"description": "Análisis dinámico","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.3.r3.aws.gd.1": {"name": "op.mon.3.r3.aws.gd.1","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r3","DescripcionControl": "Activar GuardDuty (ya cubierto)"}],"description": "Ciberamenazas avanzadas","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.pl.4.r1.aws.sns.1": {"name": "op.pl.4.r1.aws.sns.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "Para la creación de alarmas en materia de capacidad de las instancias, se debe configurar un tema de SNS que permita el envío de mails automáticos a la dirección de correo seleccionada."}],"description": "Monitorización de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.pl.4.r1.aws.sns.2": {"name": "op.pl.4.r1.aws.sns.2","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": 
"manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "Configurar alarmas correspondientes a las diferentes capacidades (SNS) como uso de CPU, capacidad de almacenamiento o latencia."}],"description": "Monitorización de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.3.r1.aws.vpn.1": {"name": "mp.com.3.r1.aws.vpn.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["integridad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.com.3.r1","DescripcionControl": "Utilizar VPN Site-to-Site para conectar las VPCs con las redes locales o externas."}],"description": "Redes privadas virtuales","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.4.r1.aws.vpc.1": {"name": "mp.com.4.r1.aws.vpc.1","checks": {"vpc_different_regions": null,"vpc_subnet_separate_private_public": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.4.r1","DescripcionControl": "Implementar la segmentación a través de la utilización de diferentes VPCs."}],"description": "Segmentación lógica avanzada","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"mp.com.4.r2.aws.vpc.1": {"name": "mp.com.4.r2.aws.vpc.1","checks": {"vpc_peering_routing_tables_with_least_privilege": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": ["mp.com.4.r3"],"ModoEjecucion": "automático","IdGrupoControl": 
"mp.com.4.r2","DescripcionControl": "Implementar la segmentación a través de la utilización de diferentes VPCs conectadas entre sí por VPN."}],"description": "Segmentación lógica avanzada","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.com.4.r3.aws.vpc.1": {"name": "mp.com.4.r3.aws.vpc.1","checks": {"vpc_different_regions": null,"vpc_subnet_different_az": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad"],"Dependencias": ["mp.com.4.r2"],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.4.r3","DescripcionControl": "Implementar la segmentación a través de diferentes VPCs situadas en diferentes ubicaciones."}],"description": "Segmentación física","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"mp.sw.2.r1.aws.cfgd.1": {"name": "mp.sw.2.r1.aws.cfgd.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.sw.2.r2","DescripcionControl": "Habilitar CloudFormation Guard para el apoyo en las tareas de inspección de recursos no conformes implementados en el código fuente."}],"description": "Aceptación y puesta en servicio","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.r1.aws.iam.1": {"name": "op.acc.1.r1.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1.r1","DescripcionControl": "Los identificadores de usuario deberán ser asignados en el proveedor de identidades (o en IAM) de 
modo que se permita singularizar a la persona asociada a cada identificador y cumplir con el resto de requisitos del refuerzo"}],"description": "Identificación de usuario","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.r1.aws.iam.1": {"name": "op.acc.2.r1.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2.r1","DescripcionControl": "Evitar el uso de asunción de roles para cualquier cuenta."}],"description": "Privilegios de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.3.r1.aws.iam.1": {"name": "op.acc.3.r1.aws.iam.1","checks": {"iam_support_role_created": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.3.r1","DescripcionControl": "En caso de ser de aplicación, la segregación deberá tener en cuenta la separación de las funciones de configuración y mantenimiento y de auditoría de cualquier otra."}],"description": "Segregación rigurosa","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.3.r2.aws.iam.1": {"name": "op.acc.3.r2.aws.iam.1","checks": {"iam_securityaudit_role_created": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "opcional","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.3.r2","DescripcionControl": "Disponer de cuentas con privilegios de auditoría estrictamente controladas y personalizadas."}],"description": "Privilegios de 
auditoría","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.3.r3.aws.iam.1": {"name": "op.acc.3.r3.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "opcional","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.3.r3","DescripcionControl": "Limitar el acceso a la información de seguridad del sistema a los administradores de seguridad utilizando los mecanismos de acceso imprescindibles (consola, interfaz web, acceso remoto etc.)."}],"description": "Acceso a la información de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.r1.aws.iam.1": {"name": "op.acc.6.r1.aws.iam.1","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": ["op.acc.6.r2","op.acc.6.r4"],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r1","DescripcionControl": "Las contraseñas de los usuarios deberán tener normas de complejidad mínima y robustez."}],"description": "Contraseñas","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"op.acc.6.r2.aws.iam.1": {"name": "op.acc.6.r2.aws.iam.1","checks": {"iam_root_mfa_enabled": null,"iam_administrator_access_with_mfa": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": 
["op.acc.6.r1","op.acc.6.r4"],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r2","DescripcionControl": "MFA deberá estar habilitado para todas las cuentas que tengan contraseña para acceder a la consola, incluyendo el usuario root."}],"description": "Contraseña + otro factor de autenticación","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"op.acc.6.r2.aws.iam.2": {"name": "op.acc.6.r2.aws.iam.2","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.6.r2","DescripcionControl": "Se recomienda que la organización determine qué llamadas a la API deben también contar con seguridad reforzada a través de un doble factor de autenticación."}],"description": "Contraseña + otro factor de autenticación","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.r3.aws.iam.1": {"name": "op.acc.6.r3.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.6.r3","DescripcionControl": "Utilizar el servicio AWS IAM Roles Anywhere para crear un ancla de confianza en la que se haga referencia al servicio AWS Certificate Manager Private CA o registrar sus propias autoridades de certificación (CA), permitiendo usar el certificado emitido por la misma para obtener credenciales temporales para el acceso al entorno AWS. 
Estos certificados deberán estar protegidos por un segundo factor."}],"description": "Certificados","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.r4.aws.iam.1": {"name": "op.acc.6.r4.aws.iam.1","checks": {"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": ["op.acc.6.r1","op.acc.6.r3"],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r4","DescripcionControl": "Habilitar los dispositivos MFA físicos para todos los usuarios IAM mediante la consola, línea de comandos o la propia API de IAM. Del mismo modo, el uso de estos certificados deberá estar protegido por un segundo factor de tipo PIN o biométrico."}],"description": "Certificados en dispositvo físico","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"op.acc.6.r5.aws.iam.1": {"name": "op.acc.6.r5.aws.iam.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r5","DescripcionControl": "Para registrar los intentos de acceso, se deberá habilitar CloudTrail en todas las regiones y activar el registro de acceso de usuarios."}],"description": "Registro","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.acc.6.r5.aws.iam.2": {"name": "op.acc.6.r5.aws.iam.2","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": 
"manual","IdGrupoControl": "op.acc.6.r5","DescripcionControl": "Habilitar la información de usuario sobre la fecha de último uso de sus claves de acceso."}],"description": "Registro","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.r7.aws.iam.1": {"name": "op.acc.6.r7.aws.iam.1","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r7","DescripcionControl": "Activar la deshabilitación de las credenciales de los usuarios IAM que no hayan sido empleadas durante un periodo de tiempo (o bien, se deberá establecer la deshabilitación en el proveedor de identidades)."}],"description": "Suspensión por no utilización","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"op.acc.6.r8.aws.iam.1": {"name": "op.acc.6.r8.aws.iam.1","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r8","DescripcionControl": "Se deberá emplear como mecanismo de autenticación o bien una contraseña más otro factor de autenticación, o bien un certificado cualificado (con o sin soporte físico) protegido por un doble factor de autenticación."}],"description": "Doble factor para acceso desde o a través de zonas no controladas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.6.r9.aws.iam.1": {"name": "op.acc.6.r9.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de 
acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.6.9","DescripcionControl": "Deberá asegurarse que se está haciendo uso de HTTPS en todas las llamadas a API. Esto se puede lograr a través de una política IAM que rechace el tráfico que no sea HTTPS."}],"description": "Acceso remoto (todos los niveles)","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.r9.aws.iam.2": {"name": "op.acc.6.r9.aws.iam.2","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.6.9","DescripcionControl": "En caso de que las llamadas a las APIs no se produzcan de manera constante, se recomienda condicionar su realización a aquellas franjas horarias en las que sean necesarias. "}],"description": "Acceso remoto (todos los niveles)","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.1.r3.aws.tag.1": {"name": "op.exp.1.r3.aws.tag.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "opcional","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.1.r4","DescripcionControl": "Mantener actualizada una relación de los componentes software de terceros utilizados en el despliegue del sistema. 
Listado equivalente a lo requerido en mp.sw.1.r5."}],"description": "Lista de componentes software","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.3.r3.aws.cfg.1": {"name": "op.exp.3.r3.aws.cfg.1","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.3.r3","DescripcionControl": "La entidad usuaria puede consultar el histórico de configuraciones de recursos en AWS Config."}],"description": "Copias de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.3.r4.aws.cfg.2": {"name": "op.exp.3.r4.aws.cfg.2","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.3.r3","DescripcionControl": "Desplegar toda la infraestructura de AWS a través de código con el servicio AWS CloudFormation."}],"description": "Copias de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.4.r2.aws.sys.1": {"name": "op.exp.4.r2.aws.sys.1","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.4.r2","DescripcionControl": "Utilizar la solución AWS Systems Manager Automation para automatizar las tareas de corrección en servicios de AWS como EC2 y RDS."}],"description": "Prevención de fallos","checks_status": 
{"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.6.r1.aws.sys.1": {"name": "op.exp.6.r1.aws.sys.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.6.r1","DescripcionControl": "Automatizar las operaciones estándar a llevar a cabo para la respuesta en caso de incidente a través de AWS System Manager"}],"description": "Escaneo periódico","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.6.r3.aws.sys.1": {"name": "op.exp.6.r3.aws.sys.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.6.r3","DescripcionControl": "Hacer uso de AWS System Manager Inventory para definir, a nivel de software, una lista blanca de aplicaciones."}],"description": "Lista blanca","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.6.r4.aws.sys.1": {"name": "op.exp.6.r4.aws.sys.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.6.r4","DescripcionControl": "Automatizar tareas estándar a través de AWS System Manager"}],"description": "Capacidad de respuesta en caso de incidente","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.mon.3.r2.aws.cfg.1": {"name": "op.mon.3.r2.aws.cfg.1","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": 
"refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r2","DescripcionControl": "Utilizar las herramientas AWS Config y Security hub"}],"description": "Análisis dinámico","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.mon.3.r6.aws.cfg.1": {"name": "op.mon.3.r6.aws.cfg.1","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r6","DescripcionControl": "Utilizar Config Rules y AWS Inspector"}],"description": "Inspecciones de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.4.r4.aws.insp.1": {"name": "op.exp.4.r4.aws.insp.1","checks": {"inspector2_is_enabled": "FAIL","inspector2_active_findings_exist": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "opcional","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.4.r4","DescripcionControl": "Desplegar a nivel de sistema una estrategia de monitorización continua de amenazas y vulnerabilidades detallando: indicadores críticos de seguridad, política de aplicación de parches y criterios de revisión regular y excepcional de amenazas del sistema."}],"description": "Monitorización continua","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"op.mon.3.r2.aws.insp.1": {"name": "op.mon.3.r2.aws.insp.1","checks": {"inspector2_is_enabled": 
"FAIL","inspector2_active_findings_exist": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r2","DescripcionControl": "Utilizar la herramienta Inspector para la detección de posibles vulneerabilidades de las instancias EC2, las funciones Lambda y las imágenes de contenedor."}],"description": "Análisis dinámico","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"op.mon.3.r6.aws.insp.1": {"name": "op.mon.3.r6.aws.insp.1","checks": {"inspector2_is_enabled": "FAIL","inspector2_active_findings_exist": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r6","DescripcionControl": "Utilizar Config Rules y AWS Inspector."}],"description": "Inspecciones de seguridad","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"mp.info.6.r2.aws.bcku.1": {"name": "mp.info.6.r2.aws.bcku.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.info.6.r2","DescripcionControl": "La organización puede hacer uso de la nube de AWS como ubicación diferente para el almacenamiento de la copia de seguridad separada del resto o, incluo, utilizar los servicios de ubicación para separar una copia de seguridad en una ubicación diferente dentro de la propia nube."}],"description": "Protección de las copias de seguridad","checks_status": {"fail": 
0,"pass": 0,"total": 0,"manual": 0}},"op.exp.1.r2.aws.sminv.1": {"name": "op.exp.1.r2.aws.sminv.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "opcional","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.1.r2","DescripcionControl": "Disponer de herramientas que permitan visualizar de forma continua el estado de todos los equipos en la red, en particular servidores y los dispositivos de red y comunicaciones."}],"description": "Identificación periódica de activos","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.s.4.r1.aws.shieldadv.1": {"name": "mp.s.4.r1.aws.shieldadv.1","checks": {"shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"shield_advanced_protection_in_internet_facing_load_balancers": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.s.4.r1","DescripcionControl": "Activar AWS Shield Advanced con el fin de disponer de una herramienta de prevención, detección y mitigación de ataques de denegación de servicio."}],"description": "Detección y reacción","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}}},"requirements_passed": 83,"requirements_failed": 37,"requirements_manual": 69,"total_requirements": 189,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "eeee198e-1eda-48dc-aeb6-eb28e98f8dde","fields": {"tenant": 
"12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "kisa_isms_p_2023_korean_aws","framework": "KISA-ISMS-P","version": "2023-korean","description": "ISMS-P 인증은 한국인터넷진흥원(KISA)이 제정한 정보보호 및 개인정보보호 관리체계를 기반으로, 독립적인 심사기관이 기업이나 조직의 보안 및 개인정보 보호 활동이 인증 기준을 충족하는지 평가한 후 인증을 부여하는 제도입니다. 이를 통해 기업과 기관은 제공하는 서비스에 대한 대중의 신뢰를 높이고, 점점 복잡해지는 사이버 위협에 효과적으로 대응할 수 있습니다. 또한, ISMS-P는 정보보호와 개인정보 보호를 체계적으로 수립하고 운영할 수 있는 포괄적인 지침을 제공합니다.","region": "eu-west-1","requirements": {"1.1.1": {"name": "경영진의 참여","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.1 경영진의 참여","Subdomain": "1.1. 관리체계","AuditEvidence": ["정보보호 및 개인정보보호 보고 체계(의사소통계획 등)","정보보호 및 개인정보보호 위원회 회의록","정보보호 및 개인정보보호 정책·지침(경영진 승인내역 포함)","정보보호계획 및 내부 관리계획(경영진 승인내역 포함)","정보보호 및 개인정보보호 조직도"],"AuditChecklist": ["정보보호 및 개인정보보호 관리체계의 수립 및 운영활동 전반에 경영진의 참여가 이루어질 수 있도록 보고 및 의사결정 등의 책임과 역할을 문서화하고 있는가?","경영진이 정보보호 및 개인정보보호 활동에 관한 의사결정에 적극적으로 참여할 수 있는 보고, 검토 및 승인 절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 정책서에 분기별로 정보보호 및 개인정보보호 현황을 경영진에게 보고하도록 명시하였으나, 장기간 관련 보고를 수행하지 않은 경우","사례 2 : 중요 정보보호 활동(위험평가, 위험수용수준 결정, 정보보호대책 및 이행계획 검토, 정보보호대책 이행결과 검토, 보안감사 등)을 수행하면서 관련 활동관련 보고, 승인 등 의사결정에 경영진 또는 경영진의 권한을 위임받은 자가 참여하지 않았거나 관련 증거자료가 확인되지 않은 경우"],"RelatedRegulations": []}],"description": "최고경영자는 정보보호 및 개인정보보호 관리체계의 수립과 운영활동 전반에 경영진의 참여가 이루어질 수 있도록 보고 및 의사결정 체계를 수립하여 운영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.2": {"name": "최고책임자의 지정","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.2 최고책임자의 지정","Subdomain": "1.1. 
관리체계","AuditEvidence": ["정보보호 최고책임자 및 개인정보 보호책임자 임명관련 자료(인사명령, 인사카드 등)","정보보호 및 개인정보보호 조직도","정보보호 및 개인정보보호 정책·지침","직무기술서(정보보호 최고책임자 및 개인정보 보호책임자의 역할 및 책임에 관한 사항)","정보보호 최고책임자 신고 내역","내부 관리계획(개인정보 보호책임자 지정에 관한 사항)"],"AuditChecklist": ["최고경영자는 정보보호 및 개인정보보호 처리에 관한 업무를 총괄하여 책임질 최고책임자를 공식적으로 지정하고 있는가?","정보보호 최고책임자 및 개인정보 보호책임자는 예산, 인력 등 자원을 할당할 수 있는 임원급으로 지정하고 있으며, 관련 법령에 따른 자격요건을 충족하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보통신망법에 따른 정보보호 최고책임자 지정 및 신고 의무 대상자임에도 불구하고 정보보호 최고책임자를 지정 및 신고하지 않은 경우","사례 2 : 개인정보 보호와 관련된 실질적인 권한 및 지위를 보유하고 있지 않은 인원을 개인정보 보호 책임자로 지정하고 있어, 개인정보 처리에 관한 업무를 총괄해서 책임질 수 있다고 보기 어려운 경우","사례 3 : 조직도상에 정보보호 최고책임자 및 개인정보 보호책임자를 명시하고 있으나, 인사발령 등의 공식적인 지정절차를 거치지 않은 경우","사례 4 : ISMS 인증 의무대상자이면서 전년도 말 기준 자산총액이 5천억 원을 초과한 정보통신서비스 제공자이지만 정보보호 최고책임자가 CIO를 겸직하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무), 제31조(개인정보 보호책임자의 지정)","정보통신망법 제45조의3(정보보호 최고책임자의 지정 등)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "최고경영자는 정보보호 업무를 총괄하는 정보보호 최고책임자와 개인정보보호 업무를 총괄하는 개인정보보호 책임자를 예산·인력 등 자원을 할당할 수 있는 임원급으로 지정하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.3": {"name": "조직 구성","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.3 조직 구성","Subdomain": "1.1. 
관리체계","AuditEvidence": ["정보보호 및 개인정보보호 위원회 규정·회의록","정보보호 및 개인정보보호 실무 협의체 규정·회의록","정보보호 및 개인정보보호 조직도","내부 관리계획","직무기술서"],"AuditChecklist": ["정보보호 최고책임자 및 개인정보 보호책임자의 업무를 지원하고 조직의 정보보호 및 개인정보보호 활동을 체계적으로 이행하기 위하여 전문성을 갖춘 실무조직을 구성하여 운영하고 있는가?","조직 전반에 걸친 중요한 정보보호 및 개인정보보호 관련사항에 대하여 검토, 승인 및 의사결정을 할 수 있는 위원회를 구성하여 운영하고 있는가?","전사적 정보보호 및 개인정보보호 활동을 위하여 정보보호 및 개인정보보호 관련 담당자 및 부서별 담당자로 구성된 실무 협의체를 구성하여 운영하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 위원회를 구성하였으나, 임원 등 경영진이 포함되어 있지 않고 실무 부서의 장으로 구성되어 있어 조직의 중요 정보 및 개인정보 보호에 관한 사항을 결정할 수 없는 경우","사례 2 : 내부 지침에 따라 중요 정보처리 부서 및 개인정보처리 부서의 장(팀장급)으로 구성된 정보보호 및 개인정보보호 실무 협의체를 구성하였으나, 장기간 운영 실적이 없는 경우","사례 3 : 정보보호 및 개인정보보호 위원회를 개최하였으나, 연간 정보보호 및 개인정보보호 계획 및 교육 계획, 예산 및 인력 등 정보보호 및 개인정보보호에 관한 주요 사항이 검토 및 의사결정이 되지 않은 경우","사례 4 : 정보보호 및 개인정보보호 관련 심의·의결을 위해 정보보호위원회를 구성하여 운영하고 있으나, 운영 및 IT보안 관련 조직만 참여하고 개인정보보호 관련 조직은 참여하지 않고 있어 개인정보보호에 관한 사항을 결정할 수 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "최고경영자는 정보보호와 개인정보보호의 효과적 구현을 위한 실무조직, 조직 전반의 정보보호와 개인정보보호 관련 주요 사항을 검토 및 의결할 수 있는 위원회, 전사적 보호활동을 위한 부서별 정보보호와 개인정보보호 담당자로 구성된 협의체를 구성하여 운영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.4": {"name": "범위 설정","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.4 범위 설정","Subdomain": "1.1. 
관리체계","AuditEvidence": ["정보보호 및 개인정보보호 관리체계 범위 정의서","정보자산 및 개인정보 목록","문서 목록","서비스 흐름도","개인정보 흐름도","전사 조직도","시스템 및 네트워크 구성도"],"AuditChecklist": ["조직의 핵심 서비스 및 개인정보 처리에 영향을 줄 수 있는 핵심자산을 포함하도록 관리체계 범위를 설정하고 있는가?","정의된 범위 내에서 예외사항이 있을 경우 명확한 사유 및 관련자 협의·책임자 승인 등 관련 근거를 기록·관리하고 있는가?","정보보호 및 개인정보보호 관리체계 범위를 명확히 확인할 수 있도록 관련된 내용(주요 서비스 및 업무 현황, 정보시스템 목록, 문서목록 등)이 포함된 문서를 작성하여 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보시스템 및 개인정보처리시스템 개발업무에 관련한 개발 및 시험 시스템, 외주업체직원, PC, 테스트용 단말기 등이 관리체계 범위에서 누락된 경우","사례 2 : 정보보호 및 개인정보보호 관리체계 범위로 설정된 서비스 또는 사업에 대하여 중요 의사결정자 역할을 수행하고 있는 임직원, 사업부서 등의 핵심 조직(인력)을 인증범위에 포함하지 않은 경우","사례 3 : 정보시스템 및 개인정보처리시스템 개발업무에 관련한 개발 및 시험 시스템, 개발자 PC, 테스트용 단말기, 개발조직 등이 관리체계 범위에서 누락된 경우"],"RelatedRegulations": []}],"description": "조직의 핵심 서비스와 개인정보 처리 현황 등을 고려하여 관리체계 범위를 설정하고, 관련된 서비스를 비롯하여 개인정보 처리 업무와 조직, 자산, 물리적 위치 등을 문서화하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.5": {"name": "정책 수립","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.5 정책 수립","Subdomain": "1.1. 
관리체계","AuditEvidence": ["정보보호 및 개인정보보호 정책·지침·절차서(제·개정 내역 포함)","정보보호 및 개인정보보호 정책·지침절차서 제·개정 시 이해관계자 검토 회의록","개인정보 내부 관리계획","정보보호 및 개인정보보호 정책·지침 제·개정 공지내역(그룹웨어, 사내게시판 등)","정보보호 및 개인정보보호 위원회 회의록"],"AuditChecklist": ["조직이 수행하는 모든 정보보호 및 개인정보보호 활동의 근거를 포함하는 최상위 수준의 정보보호 및 개인정보보호 정책을 수립하고 있는가?","정보보호 및 개인정보보호 정책의 시행을 위하여 필요한 세부적인 방법, 절차, 주기 등을 규정한 지침, 절차, 매뉴얼 등을 수립하고 있는가?","정보보호 및 개인정보보호 정책·시행문서의 제·개정 시 최고경영자 또는 최고경영자로부터 권한을 위임받은 자의 승인을 받고 있는가?","정보보호 및 개인정보보호 정책·시행문서의 최신본을 관련 임직원에게 이해하기 쉬운 형태로 제공하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 규정에 따르면 정보보호 및 개인정보보호 정책서 제·개정 시에는 정보보호 및 개인정보보호 위원회의 의결을 거치도록 하고 있으나, 최근 정책서 개정 시 위원회에 안건으로 상정하지 않고 정보보호 최고책임자 및 개인정보 보호책임자의 승인을 근거로만 개정한 경우","사례 2 : 정보보호 및 개인정보보호 정책 및 지침서가 최근에 개정되었으나, 해당 사항이 관련 부서 및 임직원에게 공유·전달되지 않아 일부 부서에서는 구버전의 지침서를 기준으로 업무를 수행하고 있는 경우","사례 3 : 정보보호 및 개인정보보호 정책 및 지침서를 보안부서에서만 관리하고 있고, 임직원이 열람할 수 있도록 게시판, 문서 등의 방법으로 제공하지 않는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "정보보호와 개인정보보호 정책 및 시행문서를 수립·작성하며, 이때 조직의 정보보호와 개인정보보호 방침 및 방향을 명확하게 제시하여야 한다. 또한 정책과 시행문서는 경영진의 승인을 받고, 임직원 및 관련자에게 이해하기 쉬운 형태로 전달하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.6": {"name": "자원 할당","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.6 자원 할당","Subdomain": "1.1. 
관리체계","AuditEvidence": ["정보보호 및 개인정보보호 활동 연간 추진계획서(예산 및 인력운영계획)","정보보호 및 개인정보보호 활동 결과 보고서","정보보호 및 개인정보보호 투자 내역","정보보호 및 개인정보보호 조직도"],"AuditChecklist": ["정보보호 및 개인정보보호 분야별 전문성을 갖춘 인력을 확보하고 있는가?","정보보호 및 개인정보보호 관리체계의 효과적 구현과 지속적 운영을 위하여 필요한 자원을 평가하여 필요한 예산과 인력을 지원하고 있는가?","연도별 정보보호 및 개인정보보호 업무 세부추진 계획을 수립·시행하고, 그 추진결과에 대한 심사분석·평가를 실시하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 조직을 구성하는데, 분야별 전문성을 갖춘 인력이 아닌 정보보호 관련 또는 IT 관련 전문성이 없는 인원으로만 보안인력을 구성한 경우","사례 2 : 개인정보처리시스템의 기술적·관리적 보호조치의 요건을 갖추기 위한 최소한의 보안 솔루션 도입, 안전조치 적용 등을 위한 비용을 최고경영자가 지원하지 않고 있는 경우","사례 3 : 인증을 취득한 이후에 인력과 예산 지원을 대폭 줄이고 기존 인력을 다른 부서로 배치하거나 일부 예산을 다른 용도로 사용하는 경우"],"RelatedRegulations": []}],"description": "최고경영자는 정보보호와 개인정보보호 분야별 전문성을 갖춘 인력을 확보하고, 관리체계의 효과적 구현과 지속적 운영을 위한 예산 및 자원을 할당하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.1": {"name": "정보자산 식별","checks": {"macie_is_enabled": "PASS","resourceexplorer2_indexes_found": "PASS","config_recorder_all_regions_enabled": null,"organizations_account_part_of_organizations": null,"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.2.1 정보자산 식별","Subdomain": "1.2. 
위험 관리","AuditEvidence": ["정보자산 및 개인정보 자산분류 기준","정보자산 및 개인정보 자산목록(자산관리시스템 화면)","정보자산 및 개인정보 보안등급","자산실사 내역","위험분석 보고서(자산식별 내역)"],"AuditChecklist": ["정보자산의 분류기준을 수립하고 정보보호 및 개인정보보호 관리체계 범위 내의 모든 자산을 식별하여 목록으로 관리하고 있는가?","식별된 정보자산에 대하여 법적 요구사항 및 업무에 미치는 영향 등을 고려하여 중요도를 결정하고 보안등급을 부여하고 있는가?","정기적으로 정보자산 현황을 조사하여 정보자산목록을 최신으로 유지하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 관리체계 범위 내의 자산 목록에서 중요정보 취급자 및 개인정보 취급자 PC를 통제하는 데 사용되는 출력물 보안, 문서암호화, USB매체제어 등의 내부정보 유출통제 시스템이 누락된 경우","사례 2 : 정보보호 및 개인정보보호 관리체계 범위 내에서 제3자로부터 제공받은 개인정보가 있으나, 해당 개인정보에 대한 자산 식별이 이루어지지 않은 경우","사례 3 : 내부 지침에 명시된 정보자산 및 개인정보 보안등급 분류 기준과 자산관리 대장의 분류 기준이 일치하지 않은 경우","사례 4 : 온프레미스 자산에 대해서는 식별이 이루어졌으나, 외부에 위탁한 IT 서비스(웹호스팅, 서버호스팅, 클라우드 등)에 대한 자산 식별이 누락된 경우(단, 인증범위 내)","사례 5 : 고유식별정보 등 개인정보를 저장하고 있는 백업서버의 기밀성 등급을 (하)로 산정하는 등 정보자산 중요도 평가의 합리성 및 신뢰성이 미흡한 경우"],"RelatedRegulations": []}],"description": "조직의 업무특성에 따라 정보자산 분류기준을 수립하여 관리체계 범위 내 모든 정보자산을 식별·분류하고, 중요도를 산정한 후 그 목록을 최신으로 관리하여야 한다.","checks_status": {"fail": 0,"pass": 2,"total": 5,"manual": 0}},"1.2.2": {"name": "현황 및 흐름분석","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.2.2 현황 및 흐름분석","Subdomain": "1.2. 
위험 관리","AuditEvidence": ["정보서비스 현황표","정보서비스 업무흐름표·업무흐름도","개인정보 처리 현황표(ISMS-P 인증인 경우)","개인정보 흐름표·흐름도(ISMS-P 인증인 경우)"],"AuditChecklist": ["관리체계 전 영역에 대한 정보서비스 현황을 식별하고 업무 절차와 흐름을 파악하여 문서화하고 있는가?","관리체계 범위 내 개인정보 처리 현황을 식별하고 개인정보의 흐름을 파악하여 개인정보 흐름도 등으로 문서화하고 있는가?","서비스 및 업무, 정보자산 등의 변화에 따른 업무절차 및 개인정보 흐름을 주기적으로 검토하여 흐름도 등 관련 문서의 최신성을 유지하고 있는가?"],"NonComplianceCases": ["사례 1 : 관리체계 범위 내 주요 서비스의 업무 절차·흐름 및 현황에 문서화가 이루어지지 않은 경우","사례 2 : 개인정보 흐름도를 작성하였으나, 실제 개인정보의 흐름과 상이한 부분이 다수 존재하거나 중요한 개인정보 흐름이 누락되어 있는 경우","사례 3 : 최초 개인정보 흐름도 작성 이후에 현행화가 이루어지지 않아 변화된 개인정보 흐름이 흐름도에 반영되지 않고 있는 경우"],"RelatedRegulations": []}],"description": "관리체계 전 영역에 대한 정보서비스 및 개인정보 처리 현황을 분석하고 업무 절차와 흐름을 파악하여 문서화하며, 이를 주기적으로 검토하여 최신성을 유지하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.3": {"name": "위험 평가","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.2.3 위험 평가","Subdomain": "1.2. 위험 관리","AuditEvidence": ["위험관리 지침","위험관리 매뉴얼·가이드","위험관리 계획서","위험평가 결과보고서","정보보호 및 개인정보보호 위원회 회의록","정보보호 및 개인정보보호 실무 협의회 회의록","정보자산 및 개인정보자산 목록","정보서비스 및 개인정보 흐름표·흐름도"],"AuditChecklist": ["조직 또는 서비스의 특성에 따라 다양한 측면에서 발생할 수 있는 위험을 식별하고 평가할 수 있는 방법을 정의하고 있는가?","위험관리 방법 및 절차(수행인력, 기간, 대상, 방법, 예산 등)를 구체화한 위험관리계획을 매년 수립하고 있는가?","위험관리계획에 따라 연 1회 이상 정기적으로 또는 필요한 시점에 위험평가를 수행하고 있는가?","조직에서 수용 가능한 목표 위험수준을 정하고, 그 수준을 초과하는 위험을 식별하고 있는가?","위험식별 및 평가 결과를 경영진에게 보고하고 있는가?"],"NonComplianceCases": ["사례 1 : 수립된 위험관리계획서에 위험평가 기간 및 위험관리 대상과 방법이 정의되어 있으나, 위험관리 수행 인력과 소요 예산 등 구체적인 실행계획이 누락되어 있는 경우","사례 2 : 전년도에는 위험평가를 수행하였으나, 금년도에는 자산 변경이 없었다는 사유로 위험 평가를 수행하지 않은 경우","사례 3 : 위험관리 계획에 따라 위험 식별 및 평가를 수행하고 있으나, 범위 내 중요 정보자산에 대한 위험 식별 및 평가를 수행하지 않았거나, 정보보호 관련 법적 요구 사항 준수 여부에 따른 위험을 식별 및 평가하지 않은 경우","사례 4 : 위험관리 계획에 따라 위험 식별 및 평가를 수행하고 수용 가능한 목표 위험수준을 설정하였으나, 관련 사항을 경영진(정보보호 최고책임자 등)에 보고하여 승인받지 않은 경우","사례 5 : 내부 지침에 정의한 위험 평가 방법과 실제 수행한 위험 평가 방법이 상이할 경우","사례 6 : 정보보호 관리체계와 관련된 관리적·물리적 영역의 위험 식별 및 평가를 수행하지 않고, 단순히 기술적 취약점진단 결과를 위험 평가 결과로 갈음하고 있는 경우","사례 7 : 수용 가능한 목표 위험수준(DoA)을 타당한 사유 없이 
과도하게 높이는 것으로 결정함에 따라, 실질적으로 대응이 필요한 주요 위험들이 조치가 불필요한 위험(수용 가능한 위험)으로 지정된 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "조직의 대내외 환경분석을 통하여 유형별 위협정보를 수집하고 조직에 적합한 위험 평가 방법을 선정하여 관리체계 전 영역에 대하여 연 1회 이상 위험을 평가하며, 수용할 수 있는 위험은 경영진의 승인을 받아 관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.4": {"name": "보호대책 선정","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.2.4 보호대책 선정","Subdomain": "1.2. 위험 관리","AuditEvidence": ["정보보호 및 개인정보보호 이행계획서·위험관리계획서","정보보호 및 개인정보보호 대책서","정보보호 및 개인정보보호 마스터플랜","정보보호 및 개인정보보호 이행계획 경영진 보고 및 승인 내역"],"AuditChecklist": ["식별된 위험에 대한 처리 전략(감소, 회피, 전가, 수용 등)을 수립하고 위험처리를 위한 보호대책을 선정하고 있는가?","보호대책의 우선순위를 고려하여 일정, 담당부서 및 담당자, 예산 등의 항목을 포함한 보호대책 이행계획을 수립하고 경영진에 보고하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 대책에 대한 이행계획은 수립하였으나, 정보보호 최고책임자 및 개인정보 보호책임자에게 보고가 이루어지지 않은 경우","사례 2 : 위험감소가 요구되는 일부 위험의 조치 이행계획이 누락되어 있는 경우","사례 3 : 법에 따라 의무적으로 이행하여야 할 사항, 보안 취약성이 높은 위험 등을 별도의 보호조치 계획 없이 위험수용으로 결정하여 조치하지 않은 경우","사례 4 : 위험수용에 대한 근거와 타당성이 미흡하고, 시급성 및 구현 용이성 등의 측면에서 즉시 또는 단기 조치가 가능한 위험요인에 대해서도 특별한 사유 없이 장기 조치계획으로 분류한 경우"],"RelatedRegulations": []}],"description": "위험 평가 결과에 따라 식별된 위험을 처리하기 위하여 조직에 적합한 보호대책을 선정하고, 보호대책의 우선순위와 일정·담당자·예산 등을 포함한 이행계획을 수립하여 경영진의 승인을 받아야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.1": {"name": "보호대책 구현","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.3.1 보호대책 구현","Subdomain": "1.3. 
관리체계 운영","AuditEvidence": ["정보보호 및 개인정보보호 이행계획서·위험관리계획서","정보보호 및 개인정보보호 대책서","정보보호 및 개인정보보호 이행계획 경과보고서(경영진 보고 포함)","정보보호 및 개인정보보호 이행 완료 보고서(경영진 보고 포함)","정보보호 및 개인정보보호 운영명세서"],"AuditChecklist": ["이행계획에 따라 보호대책을 효과적으로 구현하고 이행결과의 정확성 및 효과성 여부를 경영진이 확인할 수 있도록 보고하고 있는가?","관리체계 인증기준별로 보호대책 구현 및 운영 현황을 기록한 운영명세서를 구체적으로 작성하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 대책에 대한 이행완료 결과를 정보보호 최고책임자 및 개인정보 보호책임자에게 보고하지 않은 경우","사례 2 : 위험조치 이행결과보고서는 ʻ조치 완료ʼ로 명시되어 있으나, 관련된 위험이 여전히 존재하거나 이행결과의 정확성 및 효과성이 확인되지 않은 경우","사례 3 : 전년도 정보보호대책 이행계획에 따라 중·장기로 분류된 위험들이 해당연도에 구현이 되고 있지 않거나 이행결과를 경영진이 검토 및 확인하고 있지 않은 경우","사례 4 : 운영명세서에 작성된 운영 현황이 실제와 일치하지 않고, 운명명세서에 기록되어 있는 관련 문서, 결재 내용, 회의록 등이 존재하지 않는 경우","사례 5 : 이행계획 시행에 대한 결과를 정보보호 최고책임자 및 개인정보 보호책임자에게 보고하였으나, 일부 미이행된 건에 대한 사유 보고 및 후속 조치가 이루어지지 않은 경우"],"RelatedRegulations": []}],"description": "선정한 보호대책은 이행계획에 따라 효과적으로 구현하고, 경영진은 이행결과의 정확성과 효과성 여부를 확인하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.2": {"name": "보호대책 공유","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.3.2 보호대책 공유","Subdomain": "1.3. 관리체계 운영","AuditEvidence": ["정보보호 및 개인정보보호 대책별 운영부서 또는 시행부서 현황","정보보호 및 개인정보 관리계획 내부공유 증거자료(공지 내역, 교육자료, 공유 자료 등)"],"AuditChecklist": ["구현된 보호대책을 운영 또는 시행할 부서 및 담당자를 명확하게 파악하고 있는가?","구현된 보호대책을 운영 또는 시행할 부서 및 담당자에게 관련 내용을 공유 또는 교육하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호대책을 마련하여 구현하고 있으나, 관련 내용을 충분히 공유·교육하지 않아 실제 운영 또는 수행 부서 및 담당자가 해당 내용을 인지하지 못하고 있는 경우"],"RelatedRegulations": []}],"description": "보호대책의 실제 운영 또는 시행할 부서 및 담당자를 파악하여 관련 내용을 공유하고 교육하여 지속적으로 운영되도록 하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.3": {"name": "운영현황 관리","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.3.3 운영현황 관리","Subdomain": "1.3. 
관리체계 운영","AuditEvidence": ["정보보호 및 개인정보보호 연간계획서","정보보호 및 개인정보보호 운영현황표","정보보호 및 개인정보보호 활동 수행 여부 점검 결과"],"AuditChecklist": ["관리체계 운영을 위하여 주기적 또는 상시적으로 수행하여야 하는 정보보호 및 개인정보보호 활동을 문서화하여 관리하고 있는가?","경영진은 주기적으로 관리체계 운영활동의 효과성을 확인하고 이를 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 관리체계 운영현황 중 주기적 또는 상시적인 활동이 요구되는 활동 현황을 문서화하지 않은 경우","사례 2 : 정보보호 및 개인정보보호 관리체계 운영현황에 대한 문서화는 이루어졌으나, 해당 운영현황에 대한 주기적인 검토가 이루어지지 않아 월별 및 분기별 활동이 요구되는 일부 정보보호 및 개인정보보호 활동이 누락되었고 일부는 이행 여부를 확인할 수 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제31조(개인정보 보호책임자의 지정)","정보통신망법 제45조의3(정보보호 최고책임자의 지정 등)"]}],"description": "조직이 수립한 관리체계에 따라 상시적 또는 주기적으로 수행하여야 하는 운영활동 및 수행 내역은 식별 및 추적이 가능하도록 기록하여 관리하고, 경영진은 주기적으로 운영활동의 효과성을 확인하여 관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.1": {"name": "법적 요구사항 준수 검토","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.4.1 법적 요구사항 준수 검토","Subdomain": "1.4. 관리체계 점검 및 개선","AuditEvidence": ["법적 준거성 검토 내역","정보보호 및 개인정보보호 정책·지침 검토 및 개정이력","정책·지침 신구대조표","법 개정사항 내부공유 자료","개인정보 손해배상 책임보장 입증 자료(사이버보험 약정서 등)","정보보호 공시 내역"],"AuditChecklist": ["조직이 준수하여야 하는 정보보호 및 개인정보보호 관련 법적 요구사항을 파악하여 최신성을 유지하고 있는가?","법적 요구사항의 준수 여부를 연 1회 이상 정기적으로 검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보통신망법 및 개인정보 보호법이 최근 개정되었으나 개정사항이 조직에 미치는 영향을 검토하지 않았으며, 정책서·시행문서 및 법적준거성 체크리스트 등에도 해당 내용을 반영하지 않아 정책서·시행문서 및 법적준거성 체크리스트 등의 내용이 법령 내용과 일치하지 않은 경우","사례 2 : 조직에서 준수하여야 할 법률이 개정되었으나, 해당 법률 준거성 검토를 장기간 수행하지 않은 경우","사례 3 : 법적 준거성 준수 여부에 대한 검토가 적절히 이루어지지 않아 개인정보 보호법 등 법규 위반 사항이 다수 발견된 경우","사례 4 : 개인정보 보호법에 따라 개인정보 손해배상책임 보장제도 적용 대상이 되었으나, 이를 인지하지 못하여 보험 가입이나 준비금 적립을 하지 않은 경우 또는 보험 가입을 하였으나 이용자 수 및 매출액에 따른 최저가입금액 기준을 준수하지 못한 경우","사례 5 : 정보보호 공시 의무대상 사업자이지만 법에 정한 시점 내에 정보보호 공시가 시행되지 않은 경우","사례 6 : 모바일앱을 통해 위치정보사업자로부터 이용자의 개인위치정보를 전송받아 서비스에 이용하고 있으나, 위치기반서비스사업 신고를 하지 않은 경우","사례 7 : 국내에 주소 또는 영업소가 없는 개인정보처리자로서 전년도 말 기준 직전 3개월 간 그 개인정보가 저장·관리되고 있는 국내 정보주체의 수가 일일평균 100만명 이상인 자에 해당되어 국내대리인 지정의무에 해당됨에도 불구하고, 국내대리인을 문서로 지정하지 않은 
경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "조직이 준수하여야 할 정보보호 및 개인정보보호 관련 법적 요구사항을 주기적으로 파악하여 규정에 반영하고, 준수 여부를 지속적으로 검토하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.2": {"name": "관리체계 점검","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.4.2 관리체계 점검","Subdomain": "1.4. 관리체계 점검 및 개선","AuditEvidence": ["관리체계 점검 계획서(내부점검 계획서, 내부감사 계획서)","관리체계 점검 결과보고서","정보보호 및 개인정보보호 위원회 회의록"],"AuditChecklist": ["법적 요구사항 및 수립된 정책에 따라 정보보호 및 개인정보보호 관리체계가 효과적으로 운영되는지를 점검하기 위한 관리체계 점검기준, 범위, 주기, 점검인력 자격요건 등을 포함한 관리체계 점검 계획을 수립하고 있는가?","관리체계 점검 계획에 따라 독립성, 객관성 및 전문성이 확보된 인력을 구성하여 연 1회 이상 점검을 수행하고 발견된 문제점을 경영진에게 보고하고 있는가?"],"NonComplianceCases": ["사례 1 : 관리체계 점검 인력에 점검 대상으로 식별된 전산팀 직원이 포함되어 전산팀 관리 영역에 대한 점검에 관여하고 있어, 점검의 독립성이 훼손된 경우","사례 2 : 금년도 관리체계 점검을 실시하였으나, 점검범위가 일부 영역에 국한되어 있어 정보보호 및 개인정보보호 관리체계 범위를 충족하지 못한 경우","사례 3 : 관리체계 점검팀이 위험평가 또는 취약점 점검 등 관리체계 구축 과정에 참여한 내부 직원 및 외부 컨설턴트로만 구성되어, 점검의 독립성이 확보되었다고 볼 수 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "관리체계가 내부 정책 및 법적 요구사항에 따라 효과적으로 운영되고 있는지 독립성과 전문성이 확보된 인력을 구성하여 연 1회 이상 점검하고, 발견된 문제점을 경영진에게 보고하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.3": {"name": "관리체계 개선","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.4.3 관리체계 개선","Subdomain": "1.4. 
관리체계 점검 및 개선","AuditEvidence": ["관리체계 점검 결과보고서","관리체계 점검 조치계획서·이행조치결과서","재발방지 대책","효과성 측정 지표 및 측정 결과(경영진 보고 포함)"],"AuditChecklist": ["법적 요구사항 준수검토 및 관리체계 점검을 통하여 식별된 관리체계상의 문제점에 대한 근본 원인을 분석하여 재발방지 및 개선 대책을 수립·이행하고 있는가?","재발방지 및 개선 결과의 정확성 및 효과성 여부를 확인하기 위한 기준과 절차를 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부점검을 통하여 발견된 정보보호 및 개인정보보호 관리체계 운영상 문제점이 매번 동일하게 반복되어 발생되는 경우","사례 2 : 내부 규정에는 내부점검 시 발견된 문제점에 대해서는 근본원인에 대한 분석 및 재발방지 대책을 수립하도록 되어 있으나, 최근에 수행된 내부점검에서는 발견된 문제점에 대하여 근본원인 분석 및 재발방지 대책이 수립되지 않은 경우","사례 3 : 관리체계상 문제점에 대한 재발방지 대책을 수립하고 핵심성과지표를 마련하여 주기적으로 측정하고 있으나, 그 결과에 대하여 경영진 보고가 장기간 이루어지지 않은 경우","사례 4 : 관리체계 점검 시 발견된 문제점에 대하여 조치계획을 수립하지 않았거나 조치 완료 여부를 확인하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "법적 요구사항 준수검토 및 관리체계 점검을 통하여 식별된 관리체계상의 문제점에 대한 원인을 분석하고 재발방지 대책을 수립·이행하여야 하며, 경영진은 개선 결과의 정확성과 효과성 여부를 확인하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.1": {"name": "정책의 유지관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.1.1 정책의 유지관리","Subdomain": "2.1. 
정책, 조직, 자산 관리","AuditEvidence": ["정보보호 및 개인정보보호 정책 및 시행문서(지침, 절차, 가이드, 매뉴얼 등)","정책·지침 정기·비정기 타당성 검토 결과","정책·지침 관련 부서와의 검토 회의록, 회람내용","정책·지침 제·개정 이력"],"AuditChecklist": ["정보보호 및 개인정보보호 관련 정책 및 시행문서에 대한 정기적인 타당성 검토 절차를 수립·이행하고 있는가?","조직의 대내외 환경에 중대한 변화 발생 시 정보보호 및 개인정보보호 관련 정책 및 시행문서에 미치는 영향을 검토하고 필요시 제·개정하고 있는가?","정보보호 및 개인정보보호 관련 정책 및 시행문서의 제·개정 시 이해 관계자의 검토를 받고 있는가?","정보보호 및 개인정보보호 관련 정책 및 시행문서의 제·개정 내역에 대하여 이력관리를 하고 있는가?"],"NonComplianceCases": ["사례 1 : 지침서와 절차서 간 패스워드 설정 규칙에 일관성이 없는 경우","사례 2 : 정보보호 활동(정보보호 교육, 암호화, 백업 등)의 대상, 주기, 수준, 방법 등이 관련 내부 규정, 지침, 절차에 서로 다르게 명시되어 일관성이 없는 경우","사례 3 : 데이터베이스에 대한 접근 및 작업이력을 효과적으로 기록 및 관리하기 위하여 데이터베이스 접근통제 솔루션을 신규로 도입하여 운영하고 있으나, 보안시스템 보안 관리지침 및 데이터베이스 보안 관리지침 등 내부 보안지침에 접근통제, 작업이력, 로깅, 검토 등에 관한 사항이 반영되어 있지 않은 경우","사례 4 : 개인정보보호 정책이 개정되었으나 정책 시행 기준일이 명시되어 있지 않으며, 관련 정책의 작성일, 작성자 및 승인자 등이 누락되어 있는 경우","사례 5 : 개인정보 보호 관련 법령, 고시 등에 중대한 변경사항이 발생하였으나, 이러한 변경이 개인정보보호 정책 및 시행문서에 미치는 영향을 검토하지 않았거나 변경사항을 반영하여 개정하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "정보보호 및 개인정보보호 관련 정책과 시행문서는 법령 및 규제, 상위 조직 및 관련 기관 정책과의 연계성, 조직의 대내외 환경변화 등에 따라 주기적으로 검토하여 필요한 경우 제·개정하고 그 내역을 이력관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.2": {"name": "조직의 유지관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.1.2 조직의 유지관리","Subdomain": "2.1. 
정책, 조직, 자산 관리","AuditEvidence": ["정보보호 및 개인정보보호 조직도","정보보호 및 개인정보보호 조직 직무기술서","정보보호 및 개인정보보호 업무 분장표","정보보호 및 개인정보보호 정책·지침, 내부 관리계획","정보보호 및 개인정보보호 의사소통 관리계획","의사소통 수행 이력(월간보고, 주간보고, 내부공지 등)","의사소통 채널(정보보호포털, 게시판 등)"],"AuditChecklist": ["정보보호 및 개인정보보호 관련 책임자와 담당자의 역할 및 책임을 명확히 정의하고 있는가?","정보보호 및 개인정보보호 관련 책임자와 담당자의 활동을 평가할 수 있는 체계를 수립하고 있는가?","정보보호 및 개인정보보호 관련 조직 및 조직의 구성원 간 상호 의사소통할 수 있는 체계 및 절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 지침 및 직무기술서에 정보보호 최고책임자, 개인정보 보호책임자 및 관련 담당자의 역할과 책임을 정의하고 있으나, 실제 운영현황과 일치하지 않는 경우","사례 2 : 정보보호 최고책임자 및 관련 담당자의 활동을 주기적으로 평가할 수 있는 목표, 기준, 지표 등의 체계가 마련되어 있지 않은 경우","사례 3 : 내부 지침에는 부서별 정보보호 담당자는 정보보호와 관련된 KPI를 설정하여 인사평가 시 반영하도록 되어 있으나, 부서별 정보보호 담당자의 KPI에 정보보호와 관련된 사항이 전혀 반영되어 있지 않은 경우","사례 4 : 정보보호 최고책임자 및 개인정보 보호책임자가 지정되어 있으나, 관련 법령에서 요구하는 역할 및 책임이 내부 지침이나 직무기술서 등에 구체적으로 명시되어 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무), 제31조(개인정보 보호책임자의 지정)","정보통신망법 제45조의3(정보보호 최고책임자의 지정 등)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "조직의 각 구성원에게 정보보호와 개인정보보호 관련 역할 및 책임을 할당하고, 그 활동을 평가할 수 있는 체계와 조직 및 조직의 구성원 간 상호 의사소통할 수 있는 체계를 수립하여 운영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.3": {"name": "정보자산 관리","checks": {"macie_is_enabled": "PASS","resourceexplorer2_indexes_found": "PASS","config_recorder_all_regions_enabled": null,"account_maintain_current_contact_details": null,"organizations_account_part_of_organizations": null,"organizations_tags_policies_enabled_and_attached": null,"account_security_contact_information_is_registered": null,"account_security_questions_are_registered_in_the_aws_account": null,"account_maintain_different_contact_details_to_security_billing_and_operations": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.1.3 정보자산 관리","Subdomain": "2.1. 
정책, 조직, 자산 관리","AuditEvidence": ["정보자산 목록(책임자, 담당자 지정)","정보자산 취급 절차(문서, 정보시스템 등)","정보자산 관리 시스템 화면","정보자산 보안등급 표시 내역"],"AuditChecklist": ["정보자산의 보안등급에 따른 취급절차(생성·도입, 저장, 이용, 파기) 및 보호대책을 정의하고 이행하고 있는가?","식별된 정보자산에 대하여 책임자 및 관리자를 지정하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 지침에 따라 문서에 보안등급을 표기하도록 되어 있으나, 이를 표시하지 않은 경우","사례 2 : 정보자산별 담당자 및 책임자를 식별하지 않았거나, 자산목록 현행화가 미흡하여 퇴직, 전보 등 인사이동이 발생하여 주요 정보자산의 담당자 및 책임자가 변경되었음에도 이를 식별하지 않은 경우","사례 3 : 식별된 정보자산에 대한 중요도 평가를 실시하여 보안등급을 부여하고 정보 자산목록에 기록하고 있으나, 보안등급에 따른 취급절차를 정의하지 않은 경우"],"RelatedRegulations": []}],"description": "정보자산의 용도와 중요도에 따른 취급 절차 및 보호대책을 수립·이행하고, 자산별 책임소재를 명확히 정의하여 관리하여야 한다.","checks_status": {"fail": 0,"pass": 2,"total": 9,"manual": 0}},"2.2.1": {"name": "주요 직무자 지정 및 관리","checks": {"iam_support_role_created": null,"organizations_delegated_administrators": null,"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.1 주요 직무자 지정 및 관리","Subdomain": "2.2. 인적 보안","AuditEvidence": ["주요 직무 기준","주요직무자 목록","개인정보취급자 목록","중요 정보시스템 및 개인정보처리시스템 계정 및 권한 관리 대장","주요 직무자에 대한 관리 현황(교육 결과, 보안서약서 등)"],"AuditChecklist": ["개인정보 및 중요정보의 취급, 주요 시스템 접근 등 주요 직무의 기준을 명확히 정의하고 있는가?","주요 직무를 수행하는 임직원 및 외부자를 주요 직무자로 지정하고 그 목록을 최신으로 관리하고 있는가?","업무상 개인정보를 취급하는 자를 개인정보취급자로 지정하고 목록을 최신으로 관리하고 있는가?","업무 필요성에 따라 주요 직무자 및 개인정보취급자 지정을 최소화하는 등 관리방안을 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 주요 직무자 명단(개인정보취급자 명단, 비밀정보관리자 명단 등)을 작성하고 있으나, 대량의 개인정보 등 중요정보를 취급하는 일부 임직원(DBA, DLP 관리자 등)을 명단에 누락한 경우","사례 2 : 주요 직무자 및 개인정보취급자 목록을 관리하고 있으나, 퇴사한 임직원이 포함되어 있고 최근 신규 입사한 인력이 포함되어 있지 않는 등 현행화 관리가 되어 있지 않은 경우","사례 3 : 부서 단위로 개인정보취급자 권한을 일괄 부여하고 있어 실제 개인정보를 취급할 필요가 없는 인원까지 과다하게 개인정보취급자로 지정된 경우","사례 4 : 내부 지침에는 주요 직무자 권한 부여 시에는 보안팀의 승인을 받고 주요 직무에 따른 보안서약서를 작성하도록 하고 있으나, 보안팀 승인 및 보안서약서 작성 없이 등록된 주요 직무자가 다수 존재하는 경우"],"RelatedRegulations": ["개인정보 보호법 제28조(개인정보취급자에 대한 감독), 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "개인정보 및 중요정보의 취급이나 주요 시스템 접근 등 주요 직무의 
기준과 관리방안을 수립하고, 주요 직무자를 최소한으로 지정하여 그 목록을 최신으로 관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"2.2.2": {"name": "직무 분리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.2 직무 분리","Subdomain": "2.2. 인적 보안","AuditEvidence": ["직무 분리 관련 지침(인적 보안 지침 등)","직무기술서(시스템 운영·관리, 개발·운영 등)","직무 미분리 시 보완통제 현황"],"AuditChecklist": ["권한 오·남용 등으로 인한 잠재적인 피해 예방을 위하여 직무 분리 기준을 수립하여 적용하고 있는가?","직무 분리가 어려운 경우 직무자 간 상호 검토, 상위관리자 정기 모니터링 및 변경사항 승인, 책임추적성 확보 방안 등의 보완통제를 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 조직의 규모와 인원이 담당자별 직무 분리가 충분히 가능한 조직임에도 업무 편의성만을 사유로 내부 규정으로 정한 직무 분리 기준을 준수하고 있지 않은 경우","사례 2 : 조직의 특성상 경영진의 승인을 받은 후 개발과 운영 직무를 병행하고 있으나, 직무자 간 상호 검토, 상위관리자의 주기적인 직무수행 모니터링 및 변경 사항 검토·승인, 직무자의 책임추적성 확보 등의 보완통제 절차가 마련되어 있지 않은 경우"],"RelatedRegulations": []}],"description": "권한 오·남용 등으로 인한 잠재적인 피해 예방을 위하여 직무 분리 기준을 수립하고 적용하여야 한다. 다만 불가피하게 직무 분리가 어려운 경우 별도의 보완대책을 마련하여 이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.3": {"name": "보안 서약","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.3 보안 서약","Subdomain": "2.2. 
인적 보안","AuditEvidence": ["정보보호 및 개인정보보호 서약서(임직원, 외부인력)","비밀유지서약서(퇴직자)"],"AuditChecklist": ["신규 인력 채용 시 정보보호 및 개인정보보호 책임이 명시된 정보보호 및 개인정보보호 서약서를 받고 있는가?","임시직원, 외주용역직원 등 외부자에게 정보자산에 대한 접근권한을 부여할 경우 정보보호 및 개인정보보호에 대한 책임, 비밀유지 의무 등이 명시된 서약서를 받고 있는가?","임직원 퇴직 시 별도의 비밀유지에 관련한 서약서를 받고 있는가?","정보보호, 개인정보보호 및 비밀유지 서약서는 안전하게 보관하고 필요시 쉽게 찾아볼 수 있도록 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 신규 입사자에 대해서는 입사 절차상에 보안서약서를 받도록 규정하고 있으나, 최근에 입사한 일부 직원의 보안서약서 작성이 누락된 경우","사례 2 : 임직원에 대해서는 보안서약서를 받고 있으나, 정보처리시스템에 직접 접속이 가능한 외주 인력에 대해서는 보안서약서를 받지 않은 경우","사례 3 : 제출된 정보보호 및 개인정보보호 서약서를 모아 놓은 문서철이 비인가자가 접근 가능한 상태로 사무실 책상에 방치되어 있는 등 관리가 미흡한 경우","사례 4 : 개인정보취급자에 대하여 보안서약서만 받고 있으나, 보안서약서 내에 비밀유지에 대한 내용만 있고 개인정보보호에 관한 책임 및 내용이 포함되어 있지 않은 경우"],"RelatedRegulations": []}],"description": "정보자산을 취급하거나 접근권한이 부여된 임직원·임시직원·외부자 등이 내부 정책 및","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.4": {"name": "인식제고 및 교육훈련","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.4 인식제고 및 교육훈련","Subdomain": "2.2. 
인적 보안","AuditEvidence": ["정보보호 및 개인정보보호 교육 계획서","교육 결과보고서","공통, 직무별 교육자료","교육참석자 목록"],"AuditChecklist": ["정보보호 및 개인정보보호 교육의 시기, 기간, 대상, 내용, 방법 등의 내용이 포함된 연간 교육 계획을 수립하고 경영진의 승인을 받고 있는가?","관리체계 범위 내 모든 임직원과 외부자를 대상으로 연간 교육 계획에 따라 연 1회 이상 정기적으로 교육을 수행하고, 관련 법규 및 규정의 중대한 변경 시 이에 대한 추가교육을 수행하고 있는가?","임직원 채용 및 외부자 신규 계약 시 업무 시작 전에 정보보호 및 개인정보보호 교육을 시행하고 있는가?","IT 및 정보보호, 개인정보보호 조직 내 임직원은 정보보호 및 개인정보보호와 관련하여 직무별 전문성 제고를 위한 별도의 교육을 받고 있는가?","교육시행에 대한 기록을 남기고 교육 효과와 적정성을 평가하여 다음 교육 계획에 반영하고 있는가?"],"NonComplianceCases": ["사례 1 : 전년도에는 연간 정보보호 및 개인정보보호 교육 계획을 수립하여 이행하였으나, 당해 연도에 타당한 사유 없이 연간 정보보호 및 개인정보보호 교육 계획을 수립하지 않은 경우","사례 2 : 연간 정보보호 및 개인정보보호 교육 계획에 교육 주기와 대상은 명시하고 있으나, 시행 일정, 내용 및 방법 등의 내용이 포함되어 있지 않은 경우","사례 3 : 연간 정보보호 및 개인정보보호 교육 계획에 전 직원을 대상으로 하는 개인정보보호 인식 교육은 일정시간 계획되어 있으나, 개인정보 보호책임자 및 개인정보담당자 등 직무별로 필요한 개인정보보호 관련 교육 계획이 포함되어 있지 않은 경우","사례 4 : 정보보호 및 개인정보보호 교육 계획서 및 결과 보고서를 확인한 결과, 인증범위 내의 정보자산 및 설비에 접근하는 외주용역업체 직원(전산실 출입 청소원, 경비원, 외주개발자 등)을 교육 대상에서 누락한 경우","사례 5 : 당해 연도 정보보호 및 개인정보보호 교육을 실시하였으나, 교육시행 및 평가에 관한 기록(교육 자료, 출석부, 평가 설문지, 결과보고서 등) 일부를 남기지 않고 있는 경우","사례 6 : 정보보호 및 개인정보보호 교육 미이수자를 파악하지 않고 있거나, 해당 미이수자에 대한 추가교육 방법(전달교육, 추가교육, 온라인교육 등)을 수립·이행하고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한), 제28조(개인정보 취급자에 대한 감독), 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "임직원 및 관련 외부자가 조직의 관리체계와 정책을 이해하고 직무별 전문성을 확보할 수 있도록 연간 인식제고 활동 및 교육훈련 계획을 수립·운영하고, 그 결과에 따른 효과성을 평가하여 다음 계획에 반영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.5": {"name": "퇴직 및 직무변경 관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.5 퇴직 및 직무변경 관리","Subdomain": "2.2. 
인적 보안","AuditEvidence": ["퇴직 및 직무변경 절차서","퇴직 시 자산(계정) 반납관리대장","퇴직자 보안점검 체크리스트 및 점검 내역"],"AuditChecklist": ["퇴직, 직무변경, 부서이동, 휴직 등으로 인한 인사변경 내용이 인사부서, 정보보호 및 개인정보보호 부서, 정보시스템 및 개인정보처리시스템 운영부서 간 공유되고 있는가?","조직 내 인력(임직원, 임시직원, 외주용역직원 등)의 퇴직 또는 직무변경 시 지체 없는 정보자산 반납, 접근권한 회수·조정, 결과 확인 등의 절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 직무 변동에 따라 개인정보취급자에서 제외된 인력의 계정과 권한이 개인정보처리시스템에 그대로 남아 있는 경우","사례 2 : 최근에 퇴직한 주요직무자 및 개인정보취급자에 대하여 자산반납, 권한 회수 등의 퇴직절차 이행 기록이 확인되지 않은 경우","사례 3 : 임직원 퇴직 시 자산반납 관리는 잘 이행하고 있으나, 인사규정에서 정한 퇴직자 보안점검 및 퇴직확인서를 작성하지 않은 경우","사례 4 : 개인정보취급자 퇴직 시 개인정보처리시스템의 접근 권한은 지체 없이 회수되었지만, 출입통제 시스템 및 VPN 등 일부 시스템의 접근 권한이 회수되지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "퇴직 및 직무변경 시 인사·정보보호·개인정보보호·IT 등 관련 부서별 이행하여야 할 자산반납, 계정 및 접근권한 회수·조정, 결과확인 등의 절차를 수립·관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.6": {"name": "보안 위반 시 조치","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.6 보안 위반 시 조치","Subdomain": "2.2. 인적 보안","AuditEvidence": ["인사 규정(정보보호 및 개인정보보호 관련 규정 위반에 따른 처벌규정)","정보보호 및 개인정보보호 지침 위반자 징계 내역","사고 사례(전사 공지, 교육 내용)"],"AuditChecklist": ["임직원 및 관련 외부자가 법령과 규제 및 내부정책에 따른 정보보호 및 개인정보보호 책임과 의무를 위반한 경우에 대한 처벌 규정을 수립하고 있는가?","정보보호 및 개인정보 보호 위반 사항이 적발된 경우 내부 절차에 따른 조치를 수행하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 규정 위반자에 대한 처리 기준 및 절차가 내부 규정에 전혀 포함되어 있지 않은 경우","사례 2 : 보안시스템(DLP, 데이터베이스 접근제어시스템, 내부정보유출통제시스템 등)을 통하여 정책 위반이 탐지된 관련자에게 경고 메시지를 전달하고 있으나, 이에 대한 소명 및 추가 조사, 징계 처분 등 내부 규정에 따른 후속 조치가 이행되고 있지 않은 경우"],"RelatedRegulations": []}],"description": "임직원 및 관련 외부자가 법령, 규제 및 내부정책을 위반한 경우 이에 따른 조치 절차를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.1": {"name": "외부자 현황 관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.3.1 외부자 현황 관리","Subdomain": "2.3. 
외부자 보안","AuditEvidence": ["외부 위탁 및 외부 시설·서비스 현황","외부 위탁 계약서","위험분석 보고서 및 보호대책","위탁 보안관리 지침, 체크리스트 등"],"AuditChecklist": ["관리체계 범위 내에서 발생하고 있는 업무 위탁 및 외부 시설·서비스의 이용 현황을 식별하고 있는가?","업무 위탁 및 외부 시설·서비스의 이용에 따른 법적 요구사항과 위험을 파악하고 적절한 보호대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 규정에 따라 외부 위탁 및 외부 시설·서비스 현황을 목록으로 관리하고 있으나, 몇 개월 전에 변경된 위탁업체가 목록에 반영되어 있지 않은 등 현행화 관리가 미흡한 경우","사례 2 : 관리체계 범위 내 일부 개인정보처리시스템을 외부 클라우드 서비스로 이전하였으나, 이에 대한 식별 및 위험평가가 수행되지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한)","정보통신망법 제50조의3(영리목적의 광고성 정보 전송의 위탁 등)"]}],"description": "업무의 일부(개인정보취급, 정보보호, 정보시스템 운영 또는 개발 등)를 외부에 위탁하거나 외부의 시설 또는 서비스(집적정보통신시설, 클라우드 서비스, 애플리케이션 서비스 등)를 이용하는 경우 그 현황을 식별하고 법적 요구사항 및 외부 조직·서비스로부터 발생되는 위험을 파악하여 적절한 보호대책을 마련하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.2": {"name": "외부자 계약 시 보안","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.3.2 외부자 계약 시 보안","Subdomain": "2.3. 외부자 보안","AuditEvidence": ["위탁 계약서","정보보호 및 개인정보보호 협약서(약정서, 부속합의서)","위탁 관련 내부 지침","위탁업체 선정 관련 RFP(제안요청서), 평가표"],"AuditChecklist": ["중요정보 및 개인정보 처리와 관련된 외부 서비스 및 위탁 업체를 선정하는 경우 정보보호 및 개인정보 보호 역량을 고려하도록 절차를 마련하고 있는가?","외부 서비스 이용 및 업무 위탁에 따른 정보보호 및 개인정보보호 요구사항을 식별하고 이를 계약서 또는 협정서에 명시하고 있는가?","정보시스템 및 개인정보처리시스템 개발을 위탁하는 경우 개발 시 준수하여야 할 정보보호 및 개인정보보호 요구사항을 계약서에 명시하고 있는가?"],"NonComplianceCases": ["사례 1 : IT 운영, 개발 및 개인정보 처리업무를 위탁하는 외주용역업체에 대한 위탁계약서가 존재하지 않는 경우","사례 2 : 개인정보 처리업무를 위탁하는 외부업체와의 위탁계약서상에 개인정보 보호법 등 법령에서 요구하는 일부 항목(관리·감독에 관한 사항 등)이 포함되어 있지 않은 경우","사례 3 : 인프라 운영과 개인정보 처리업무 일부를 외부업체에 위탁하고 있으나, 계약서 등에는 위탁업무의 특성에 따른 보안 요구사항을 식별·반영하지 않고 비밀유지 및 손해배상에 관한 일반 사항만 규정하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한)"]}],"description": "외부 서비스를 이용하거나 외부자에게 업무를 위탁하는 경우 이에 따른 정보보호 및 개인정보보호 요구사항을 식별하고, 관련 내용을 계약서 또는 협정서 등에 명시하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.3": {"name": "외부자 보안 이행 관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 
보호대책 요구사항","Section": "2.3.3 외부자 보안 이행 관리","Subdomain": "2.3. 외부자 보안","AuditEvidence": ["외부자 및 수탁자 보안점검 결과","외부자 및 수탁자 교육 내역(교육 결과, 참석자 명단, 교육교재 등)","개인정보 위탁 계약서","개인정보 처리업무 재위탁 시 위탁자 동의 증거자료"],"AuditChecklist": ["외부자가 계약서, 협정서, 내부정책에 명시된 정보보호 및 개인정보보호 요구사항을 준수하고 있는지 주기적으로 점검 또는 감사를 수행하고 있는가?","외부자에 대한 점검 또는 감사 시 발견된 문제점에 대하여 개선계획을 수립·이행하고 있는가?","개인정보 처리업무를 위탁받은 수탁자가 관련 업무를 제3자에게 재위탁하는 경우 위탁자의 동의를 받도록 하고 있는가?"],"NonComplianceCases": ["사례 1 : 회사 내에 상주하여 IT 개발 및 운영 업무를 수행하는 외주업체에 대해서는 정기적으로 보안점검을 수행하고 있지 않은 경우","사례 2 : 개인정보 수탁자에 대하여 보안교육을 실시하라는 공문을 발송하고 있으나, 교육 수행 여부를 확인하고 있지 않은 경우","사례 3 : 수탁자가 자체적으로 보안점검을 수행한 후 그 결과를 통지하도록 하고 있으나, 수탁자가 보안 점검을 충실히 수행하고 있는지 여부에 대하여 확인하는 절차가 존재하지 않아 보안점검 결과의 신뢰성이 매우 떨어지는 경우","사례 4 : 개인정보 처리업무 수탁자 중 일부가 위탁자의 동의 없이 해당 업무를 제3자에게 재위탁한 경우","사례 5 : 영리 목적의 광고성 정보전송 업무를 타인에게 위탁하면서 수탁자에 대한 관리·감독을 수행하지 않고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한)","정보통신망법 제50조의3(영리목적의 광고성 정보 전송의 위탁 등)"]}],"description": "계약서, 협정서, 내부정책에 명시된 정보보호 및 개인정보보호 요구사항에 따라 외부자의 보호대책 이행 여부를 주기적인 점검 또는 감사 등 관리·감독하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.4": {"name": "외부자 계약 변경 및 만료 시 보안","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.3.4 외부자 계약 변경 및 만료 시 보안","Subdomain": "2.3. 
외부자 보안","AuditEvidence": ["정보보호 및 개인정보보호 서약서","비밀유지 확약서","정보 및 개인정보 파기 확약서","외부자 계약 종료와 관련된 내부 정책, 지침"],"AuditChecklist": ["외부자 계약만료, 업무 종료, 담당자 변경 시 공식적인 절차에 따른 정보자산 반납, 정보시스템 접근계정 삭제, 비밀유지 확약서 징구 등이 이루어질 수 있도록 보안대책을 수립·이행하고 있는가?","외부자 계약 만료 시 위탁 업무와 관련하여 외부자가 중요정보 및 개인정보를 보유하고 있는지 확인하고 이를 회수·파기할 수 있도록 절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 일부 정보시스템에서 계약 만료된 외부자의 계정 및 권한이 삭제되지 않고 존재하는 경우","사례 2 : 외주용역사업 수행과정에서 일부 용역업체 담당자가 교체되거나 계약 만료로 퇴직하였으나, 관련 인력들에 대한 퇴사 시 보안서약서 등 내부 규정에 따른 조치가 이행되지 않은 경우","사례 3 : 개인정보 처리 위탁한 업체와 계약 종료 이후 보유하고 있는 개인정보를 파기하였는지 여부를 확인·점검하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한)","정보통신망법 제50조의3(영리목적의 광고성 정보 전송의 위탁 등)"]}],"description": "외부자 계약만료, 업무종료, 담당자 변경 시에는 제공한 정보자산 반납, 정보시스템 접근계정 삭제, 중요정보 파기, 업무 수행 중 취득정보의 비밀유지 확약서 징구 등의 보호대책을 이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.1": {"name": "보호구역 지정","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.1 보호구역 지정","Subdomain": "2.4. 물리 보안","AuditEvidence": ["물리적 보안 지침(보호구역 지정 기준)","보호구역 지정 현황","보호구역 표시","보호구역별 보호대책 현황"],"AuditChecklist": ["물리적·환경적 위협으로부터 개인정보 및 중요정보, 문서, 저장매체, 주요 설비 및 시스템 등을 보호하기 위하여 통제구역, 제한구역, 접견구역 등 물리적 보호구역 지정기준을 마련하고 있는가?","물리적 보호구역 지정기준에 따라 보호구역을 지정하고 구역별 보호대책을 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 물리보안 지침에는 개인정보 보관시설 및 시스템 구역을 통제구역으로 지정한다고 명시되어 있으나, 멤버십 가입신청 서류가 보관되어 있는 문서고 등 일부 대상 구역이 통제구역에서 누락된 경우","사례 2 : 내부 물리보안 지침에 통제구역에 대해서는 지정된 양식의 통제구역 표지판을 설치하도록 명시하고 있으나, 일부 통제구역에 표시판을 설치하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제10조(물리적 안전조치)"]}],"description": "물리적·환경적 위협으로부터 개인정보 및 중요정보, 문서, 저장매체, 주요 설비 및 시스템 등을 보호하기 위하여 통제구역·제한구역·접견구역 등 물리적 보호구역을 지정하고 구역별 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.2": {"name": "출입통제","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.2 출입통제","Subdomain": "2.4. 
물리 보안","AuditEvidence": ["출입 관리대장 및 출입로그","출입 등록 신청서 및 승인 내역","출입기록 검토서","출입통제시스템 관리화면(출입자 등록 현황 등)"],"AuditChecklist": ["보호구역은 출입절차에 따라 출입이 허가된 자만 출입하도록 통제하고 있는가?","각 보호구역에 대한 내·외부자 출입기록을 일정기간 보존하고 출입기록 및 출입권한을 주기적으로 검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 통제구역을 정의하여 보호대책을 수립하고 출입 가능한 임직원을 관리하고 있으나, 출입기록을 주기적으로 검토하지 않아 퇴직, 전배 등에 따른 장기 미출입자가 다수 존재하고 있는 경우","사례 2 : 전산실, 문서고 등 통제구역에 출입통제 장치가 설치되어 있으나, 타당한 사유 또는 승인 없이 장시간 개방 상태로 유지하고 있는 경우","사례 3 : 일부 외부 협력업체 직원에게 과도하게 전 구역을 상시 출입할 수 있는 출입카드를 부여하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제10조(물리적 안전조치)"]}],"description": "보호구역은 인가된 사람만이 출입하도록 통제하고 책임추적성을 확보할 수 있도록 출입 및 접근 이력을 주기적으로 검토하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.3": {"name": "정보시스템 보호","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.3 정보시스템 보호","Subdomain": "2.4. 물리 보안","AuditEvidence": ["정보처리시설 도면","정보시스템 배치도","자산목록"],"AuditChecklist": ["정보시스템의 중요도, 용도, 특성 등을 고려하여 배치 장소를 분리하고 있는가?","정보시스템의 실제 물리적 위치를 손쉽게 확인할 수 있는 방안을 마련하고 있는가?","전력 및 통신케이블을 외부로부터의 물리적 손상 및 전기적 영향으로부터 안전하게 보호하고 있는가?"],"NonComplianceCases": ["사례 1 : 시스템 배치도가 최신 변경사항을 반영하여 업데이트되지 않아 장애가 발생된 정보시스템을 신속하게 확인할 수 없는 경우","사례 2 : 서버실 바닥 또는 랙에 많은 케이블이 정리되지 않고 뒤엉켜 있어 전기적으로 간섭, 손상, 누수, 부주의 등에 의한 장애 발생이 우려되는 경우"],"RelatedRegulations": []}],"description": "정보시스템은 환경적 위협과 유해요소, 비인가 접근 가능성을 감소시킬 수 있도록 중요도와 특성을 고려하여 배치하고, 통신 및 전력 케이블이 손상을 입지 않도록 보호하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.4": {"name": "보호설비 운영","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.4 보호설비 운영","Subdomain": "2.4. 
물리 보안","AuditEvidence": ["물리적 보안 지침(보호설비 관련)","전산실 설비 현황 및 점검표","IDC 위탁운영 계약서, SLA 등"],"AuditChecklist": ["각 보호구역의 중요도 및 특성에 따라 화재, 수해, 전력 이상 등 인재 및 자연재해 등에 대비하여 필요한 설비를 갖추고 운영절차를 수립하여 운영하고 있는가?","외부 집적정보통신시설(IDC)에 위탁 운영하는 경우 물리적 보호에 필요한 요구사항을 계약서에 반영하고 운영상태를 주기적으로 검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 본사 전산실 등 일부 보호구역에 내부 지침에 정한 보호설비를 갖추고 있지 않은 경우","사례 2 : 전산실 내에 UPS, 소화설비 등의 보호설비는 갖추고 있으나, 관련 설비에 대한 운영 및 점검 기준을 수립하고 있지 않은 경우","사례 3 : 운영지침에 따라 전산실 내에 온·습도 조절기를 설치하였으나, 용량 부족으로 인하여 표준 온·습도를 유지하지 못하여 장애발생 가능성이 높은 경우"],"RelatedRegulations": ["정보통신망법 제46조(집적된 정보통신시설의 보호)","집적정보 통신시설 보호지침","소방시설 설치 및 관리에 관한 법률(소방시설법) 제12조(특정소방대상물에 설치하는 소방시설의 관리 등), 제16조(피난시설, 방화구역 및 방화시설의 관리)"]}],"description": "보호구역에 위치한 정보시스템의 중요도 및 특성에 따라 온·습도 조절, 화재감지, 소화설비, 누수감지, UPS, 비상발전기, 이중전원선 등의 보호설비를 갖추고 운영절차를 수립·운영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.5": {"name": "보호구역 내 작업","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.5 보호구역 내 작업","Subdomain": "2.4. 물리 보안","AuditEvidence": ["작업 신청서, 작업 일지","통제구역 출입 대장","통제구역에 대한 출입기록 및 작업 기록 검토 내역"],"AuditChecklist": ["정보시스템 도입, 유지보수 등으로 보호구역 내 작업이 필요한 경우에 대한 공식적인 작업신청 및 수행 절차를 수립·이행하고 있는가?","보호구역 내 작업이 통제 절차에 따라 적절히 수행되었는지 여부를 확인하기 위하여 작업 기록을 주기적으로 검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 전산실 출입로그에는 외부 유지보수 업체 직원의 출입기록이 남아 있으나, 이에 대한 보호구역 작업 신청 및 승인 내역이 존재하지 않은 경우(내부 규정에 따른 보호구역 작업 신청 없이 보호구역 출입 및 작업이 이루어지고 있는 경우)","사례 2 : 내부 규정에는 보호구역 내 작업 기록에 대하여 분기별 1회 이상 점검하도록 되어 있으나, 특별한 사유 없이 장기간 동안 보호구역 내 작업 기록에 대한 점검이 이루어지고 있지 않은 경우"],"RelatedRegulations": []}],"description": "보호구역 내에서의 비인가행위 및 권한 오·남용 등을 방지하기 위한 작업 절차를 수립 및이행하고, 작업 기록을 주기적으로 검토하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.6": {"name": "반출입 기기 통제","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.6 반출입 기기 통제","Subdomain": "2.4. 
물리 보안","AuditEvidence": ["보호구역 내 반출입 신청서","반출입 관리대장","반출입 이력 검토 결과"],"AuditChecklist": ["정보시스템, 모바일 기기, 저장매체 등을 보호구역에 반입하거나 반출하는 경우 정보유출, 악성코드 감염 등 보안사고 예방을 위한 통제 절차를 수립·이행하고 있는가?","반출입 통제절차에 따른 기록을 유지·관리하고, 절차 준수 여부를 확인할 수 있도록 반출입 이력을 주기적으로 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 이동컴퓨팅기기 반출입에 대한 통제 절차를 수립하고 있으나, 통제구역 내 이동컴퓨팅기기 반입에 대한 통제를 하고 있지 않아 출입이 허용된 내·외부인이 이동컴퓨팅기기를 제약 없이 사용하고 있는 경우","사례 2 : 내부 지침에 따라 전산장비 반출입이 있는 경우 작업계획서에 반출입 내용을 기재하고 관리 책임자의 서명을 받도록 되어 있으나, 작업계획서의 반출입 기록에 관리책임자의 서명이 다수 누락되어 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제10조(물리적 안전조치)"]}],"description": "보호구역 내 정보시스템, 모바일 기기, 저장매체 등에 대한 반출입 통제절차를 수립 및이행하고 주기적으로 검토하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.7": {"name": "업무환경 보안","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.7 업무환경 보안","Subdomain": "2.4. 물리 보안","AuditEvidence": ["사무실 및 공용공간 보안점검 보고서","사무실 및 공용공간 보안점검표","미준수자에 대한 조치 사항(교육, 상벌 등)","출력·복사물 보호조치 현황"],"AuditChecklist": ["문서고, 공용 PC, 복합기, 파일서버 등 공용으로 사용하는 시설 및 사무용 기기에 대한 보호대책을 수립·이행하고 있는가?","업무용 PC, 책상, 서랍 등 개인업무 환경을 통한 개인정보 및 중요정보의 유·노출을 방지하기 위한 보호대책을 수립·이행하고 있는가?","개인정보가 포함된 종이 인쇄물 등 개인정보의 출력·복사물을 안전하게 관리하기 위해 필요한 보호조치를 하고 있는가?","개인 및 공용업무 환경에서의 정보보호 준수 여부를 주기적으로 검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보 내부 관리계획서 내 개인정보보호를 위한 생활보안 점검(클린데스크 운영 등)을 정기적으로 수행하도록 명시하고 있으나, 이를 이행하지 않은 경우","사례 2 : 멤버십 가입신청서 등 개인정보가 포함된 서류를 잠금장치가 없는 사무실 문서함에 보관한 경우","사례 3 : 직원들의 컴퓨터 화면보호기 및 패스워드가 설정되어 있지 않고, 휴가자 책상 위에 중요문서가 장기간 방치되어 있는 경우","사례 4 : 회의실 등 공용 사무 공간에 설치된 공용PC에 대한 보호대책이 수립되어 있지 않아 개인정보가 포함된 파일이 암호화되지 않은 채로 저장되어 있거나, 보안 업데이트 미적용, 백신 미설치 등 취약한 상태로 유지하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제10조(물리적 안전조치), 제12조(출력·복사시 안전조치)"]}],"description": "공용으로 사용하는 사무용 기기(문서고, 공용 PC, 복합기, 파일서버 등) 및 개인 업무환경(업무용 PC, 책상 등)을 통하여 개인정보 및 중요정보가 비인가자에게 노출 또는 유출되지 않도록 클린데스크, 정기점검 등 업무환경 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 
0}},"2.5.1": {"name": "사용자 계정 관리","checks": {"iam_user_accesskey_unused": null,"iam_securityaudit_role_created": null,"iam_user_console_access_unused": null,"iam_policy_no_full_access_to_kms": null,"iam_role_administratoraccess_policy": null,"iam_user_administrator_access_policy": null,"organizations_scp_check_deny_regions": null,"iam_group_administrator_access_policy": null,"iam_policy_allows_privilege_escalation": null,"iam_inline_policy_no_full_access_to_kms": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_policy_attached_only_to_group_or_roles": null,"cognito_user_pool_self_registration_disabled": null,"iam_role_cross_account_readonlyaccess_policy": null,"iam_inline_policy_allows_privilege_escalation": null,"iam_inline_policy_no_administrative_privileges": null,"iam_inline_policy_no_full_access_to_cloudtrail": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_role_cross_service_confused_deputy_prevention": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"iam_customer_unattached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.1 사용자 계정 관리","Subdomain": "2.5. 
인증 및 권한관리","AuditEvidence": ["사용자 계정 및 권한 신청서","사용자 계정 및 권한 관리대장 또는 화면","정보시스템 및 개인정보처리시스템별 접근권한 분류표","정보시스템 및 개인정보처리시스템별 사용자, 관리자, 개인정보취급자 목록"],"AuditChecklist": ["정보시스템과 개인정보 및 중요정보에 접근할 수 있는 사용자 계정 및 접근권한의 등록·변경·삭제에 관한 공식적인 절차를 수립·이행하고 있는가?","정보시스템과 개인정보 및 중요정보에 접근할 수 있는 사용자 계정 및 접근권한 생성 및 등록·변경 시 직무별 접근권한 분류 체계에 따라 업무상 필요한 최소한의 권한만을 부여하고 있는가?","사용자에게 계정 및 접근권한을 부여하는 경우 해당 계정에 대한 보안책임이 본인에게 있음을 명확히 인식시키고 있는가?"],"NonComplianceCases": ["사례 1 : 사용자 및 개인정보취급자에 대한 계정·권한에 대한 사용자 등록, 해지 및 승인절차 없이 구두 요청, 이메일 등으로 처리하여 이에 대한 승인 및 처리 이력이 확인되지 않는 경우","사례 2 : 개인정보취급자가 휴가, 출장, 공가 등에 따른 업무 백업을 사유로 공식적인 절차를 거치지 않고 개인정보취급자로 지정되지 않은 인원에게 개인정보취급자 계정을 알려주는 경우","사례 3 : 정보시스템 또는 개인정보처리시스템 사용자에게 필요 이상의 과도한 권한을 부여하여 업무상 불필요한 정보 또는 개인정보에 접근이 가능한 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "정보시스템과 개인정보 및 중요정보에 대한 비인가 접근을 통제하고 업무 목적에 따른 접근권한을 최소한으로 부여할 수 있도록 사용자 등록·해지 및 접근권한 부여·변경·말소 절차를 수립·이행하고, 사용자 등록 및 권한부여 시 사용자에게 보안책임이 있음을 규정화하고 인식시켜야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 22,"manual": 0}},"2.5.2": {"name": "사용자 식별","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.2 사용자 식별","Subdomain": "2.5. 
인증 및 권한관리","AuditEvidence": ["정보시스템 및 개인정보처리시스템 로그인 화면","정보시스템 및 개인정보처리시스템 관리자, 사용자, 개인정보취급자 계정 목록","예외 처리에 대한 승인 내역"],"AuditChecklist": ["정보시스템 및 개인정보처리시스템에서 사용자 및 개인정보취급자를 유일하게 구분할 수 있는 식별자를 할당하고 추측 가능한 식별자의 사용을 제한하고 있는가?","불가피한 사유로 동일한 식별자를 공유하여 사용하는 경우 그 사유와 타당성을 검토하고 보완대책을 마련하여 책임자의 승인을 받고 있는가?"],"NonComplianceCases": ["사례 1 : 정보시스템(서버, 네트워크, 침입차단시스템, DBMS 등)의 계정 현황을 확인한 결과, 제조사에서 제공하는 기본 관리자 계정을 기술적으로 변경 가능함에도 불구하고 변경하지 않고 사용하고 있는 경우","사례 2 : 개발자가 개인정보처리시스템 계정을 공용으로 사용하고 있으나, 타당성 검토 또는 책임자의 승인 등이 없이 사용하고 있는 경우","사례 3 : 외부직원이 유지보수하고 있는 정보시스템의 운영계정을 별도의 승인 절차 없이 개인 계정처럼 사용하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "사용자 계정은 사용자별로 유일하게 구분할 수 있도록 식별자를 할당하고 추측 가능한 식별자 사용을 제한하여야 하며, 동일한 식별자를 공유하여 사용하는 경우 그 사유와 타당성을 검토하여 책임자의 승인 및 책임추적성 확보 등 보완대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.5.3": {"name": "사용자 인증","checks": {"iam_root_mfa_enabled": null,"iam_user_accesskey_unused": null,"iam_check_saml_providers_sts": null,"cognito_user_pool_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_two_active_access_key": null,"iam_administrator_access_with_mfa": null,"iam_user_mfa_enabled_console_access": null,"iam_user_with_temporary_credentials": null,"apigatewayv2_api_authorizers_enabled": "FAIL","iam_user_no_setup_initial_access_key": null,"apigateway_restapi_authorizers_enabled": "PASS","rds_cluster_iam_authentication_enabled": "FAIL","rds_instance_iam_authentication_enabled": "FAIL","kafka_cluster_unrestricted_access_disabled": null,"cognito_identity_pool_guest_access_disabled": "FAIL","cognito_user_pool_advanced_security_enabled": null,"cognito_user_pool_self_registration_disabled": null,"directoryservice_supported_mfa_radius_enabled": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cognito_user_pool_client_token_revocation_enabled": 
null,"cloudwatch_log_metric_filter_authentication_failures": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"opensearch_service_domains_internal_user_database_enabled": null,"cognito_user_pool_blocks_potential_malicious_sign_in_attempts": null,"opensearch_service_domains_use_cognito_authentication_for_kibana": null,"cognito_user_pool_blocks_compromised_credentials_sign_in_attempts": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.3 사용자 인증","Subdomain": "2.5. 인증 및 권한관리","AuditEvidence": ["정보시스템 및 개인정보처리시스템 로그인 화면","로그인 횟수 제한 설정 화면","로그인 실패 메시지 화면","외부 접속 시 절차(외부접속 신청서, 외부접속자 현황 등)"],"AuditChecklist": ["정보시스템 및 개인정보처리시스템에 대한 접근은 사용자 인증, 로그인 횟수 제한, 불법 로그인 시도 경고 등 안전한 사용자 인증 절차에 따라 통제하고 있는가?","정보통신망을 통하여 외부에서 개인정보처리시스템에 접속하려는 경우에는 법적 요구사항에 따라 안전한 인증수단 또는 안전한 접속수단을 적용하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보취급자가 공개된 외부 인터넷망을 통하여 이용자의 개인정보를 처리하는 개인정보처리 시스템에 접근 시 안전한 인증수단을 적용하지 않고 ID·비밀번호 방식으로만 인증하고 있는 경우","사례 2 : 정보시스템 및 개인정보처리시스템 로그인 실패 시 해당 ID가 존재하지 않거나 비밀번호가 틀림을 자세히 표시해 주고 있으며, 로그인 실패횟수에 대한 제한이 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리), 제6조(접근통제)"]}],"description": "정보시스템과 개인정보 및 중요정보에 대한 사용자의 접근은 안전한 인증절차와 필요에 따라 강화된 인증방식을 적용하여야 한다. 
또한 로그인 횟수 제한, 불법 로그인 시도 경고 등 비인가자 접근 통제방안을 수립·이행하여야 한다.","checks_status": {"fail": 4,"pass": 1,"total": 29,"manual": 0}},"2.5.4": {"name": "비밀번호 관리","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null,"cognito_user_pool_password_policy_number": null,"cognito_user_pool_password_policy_symbol": null,"cognito_user_pool_password_policy_lowercase": null,"cognito_user_pool_password_policy_uppercase": null,"cognito_user_pool_temporary_password_expiration": null,"cognito_user_pool_password_policy_minimum_length_14": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.4 비밀번호 관리","Subdomain": "2.5. 인증 및 권한관리","AuditEvidence": ["웹페이지, 정보시스템 및 개인정보처리시스템 비밀번호 설정 화면","비밀번호 관리 정책 및 절차"],"AuditChecklist": ["정보시스템에 대한 안전한 사용자 비밀번호 관리절차 및 작성규칙을 수립·이행하고 있는가?","정보주체(이용자)가 안전한 비밀번호를 이용할 수 있도록 비밀번호 작성규칙을 수립 및 이행하고 있는가?","개인정보취급자 또는 정보주체의 인증수단을 안전하게 적용하고 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 관련 정책, 지침 등에서 비밀번호 생성규칙의 기준을 정하고 있으나, 일부 정보시스템 및 개인정보처리시스템에서 내부 지침과 상이한 비밀번호를 사용하고 있는 경우","사례 2 : 비밀번호 관련 내부 규정에는 비밀번호를 초기화 시 임시 비밀번호를 부여받고 강제적으로 변경하도록 되어 있으나, 실제로는 임시 비밀번호를 그대로 사용하고 있는 경우","사례 3 : 비밀번호 관련 내부 규정에는 사용자 및 개인정보취급자의 비밀번호 변경주기를 정하고 이행하도록 하고 있음에도 불구하고 변경하지 않고 그대로 사용하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "법적 요구사항, 외부 위협요인 등을 고려하여 정보시스템 사용자 및 고객, 회원 등 정보주체(이용자)가 사용하는 비밀번호 관리절차를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 13,"manual": 0}},"2.5.5": {"name": "특수 계정 및 권한 관리","checks": {"iam_avoid_root_usage": null,"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_support_role_created": null,"rds_cluster_default_admin": "FAIL","rds_instance_default_admin": "FAIL","ec2_instance_profile_attached": 
"PASS","iam_root_hardware_mfa_enabled": null,"organizations_delegated_administrators": null,"cloudwatch_log_metric_filter_root_usage": null,"sagemaker_notebook_instance_root_access_disabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.5 특수 계정 및 권한 관리","Subdomain": "2.5. 인증 및 권한관리","AuditEvidence": ["특수권한 관련 지침","특수권한 신청·승인 내역","특수권한자 목록","특수권한 검토 내용"],"AuditChecklist": ["관리자 권한 등 특수권한은 최소한의 인원에게만 부여될 수 있도록 공식적인 권한 신청 및 승인 절차를 수립·이행하고 있는가?","특수 목적을 위하여 부여한 계정 및 권한을 식별하고 별도 목록으로 관리하는 등 통제절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보시스템 및 개인정보처리시스템의 관리자 및 특수권한 부여 등의 승인 이력이 시스템이나 문서상으로 확인이 되지 않거나, 승인 이력과 특수권한 내역이 서로 일치되지 않는 경우","사례 2 : 내부 규정에는 개인정보 관리자 및 특수권한 보유자를 목록으로 작성·관리하도록 되어 있으나 이를 작성·관리하고 있지 않거나, 보안시스템 관리자 등 일부 특수권한이 식별·관리되지 않는 경우","사례 3 : 정보시스템 및 개인정보처리시스템의 유지보수를 위하여 분기 1회에 방문하는 유지보수용 특수 계정이 사용기간 제한없이 상시로 활성화되어 있는 경우","사례 4 : 관리자 및 특수권한의 사용 여부를 정기적으로 검토하지 않아 일부 특수권한자의 업무가 변경되었음에도 불구하고 기존 관리자 및 특수권한을 계속 보유하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "정보시스템 관리, 개인정보 및 중요정보 관리 등 특수 목적을 위하여 사용하는 계정 및 권한은 최소한으로 부여하고 별도로 식별하여 통제하여야 한다.","checks_status": {"fail": 2,"pass": 1,"total": 11,"manual": 0}},"2.5.6": {"name": "접근권한 검토","checks": {"accessanalyzer_enabled": "PASS","cloudtrail_insights_exist": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": 
null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.6 접근권한 검토","Subdomain": "2.5. 인증 및 권한관리","AuditEvidence": ["접근권한 검토 기준 및 절차","접근권한 검토 이력","접근권한 검토 결과보고서 및 후속조치 내역"],"AuditChecklist": ["정보시스템과 개인정보 및 중요정보에 대한 사용자 계정 및 접근권한 생성·등록·부여 및 이용·변경·말소 등의 이력을 남기고 있는가?","정보시스템과 개인정보 및 중요정보에 대한 사용자 계정 및 접근권한의 적정성 검토 기준, 검토주체, 검토방법, 주기 등을 수립하여 정기적 검토를 이행하고 있는가?","접근권한 검토 결과 접근권한 과다 부여, 권한부여 절차 미준수, 권한 오·남용 등 문제점이 발견된 경우 그에 따른 조치절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 접근권한 검토와 관련된 방법, 점검주기, 보고체계, 오·남용 기준 등이 관련 지침에 구체적으로 정의되어 있지 않아 접근권한 검토가 정기적으로 수행되지 않은 경우","사례 2 : 내부 정책, 지침 등에 장기 미사용자 계정에 대한 잠금(비활성화) 또는 삭제 조치하도록 되어 있으나, 6개월 이상 미접속한 사용자의 계정이 활성화되어 있는 경우(접근권한 검토가 충실히 수행되지 않아 해당 계정이 식별되지 않은 경우)","사례 3 : 접근권한 검토 시 접근권한의 과다 부여 및 오·남용 의심사례가 발견되었으나, 이에 대한 상세조사, 내부보고 등의 후속조치가 수행되지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "정보시스템과 개인정보 및 중요정보에 접근하는 사용자 계정의 등록·이용·삭제 및 접근권한의 부여·변경·삭제 이력을 남기고 주기적으로 검토하여 적정성 여부를 점검하여야 한다.","checks_status": {"fail": 2,"pass": 1,"total": 14,"manual": 0}},"2.6.1": {"name": "네트워크 접근","checks": {"ec2_ami_public": null,"elb_internet_facing": "FAIL","ec2_elastic_ip_shodan": null,"elbv2_internet_facing": "PASS","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","kafka_cluster_is_public": null,"s3_bucket_acl_prohibited": "FAIL","apigateway_restapi_public": "FAIL","lightsail_database_public": null,"lightsail_instance_public": null,"ec2_securitygroup_not_used": "FAIL","elbv2_listeners_underneath": "PASS","networkfirewall_in_all_vpc": "FAIL","s3_bucket_public_write_acl": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","ssm_documents_set_as_public": "PASS","awslambda_function_url_public": null,"dms_instance_no_public_access": null,"rds_instance_no_public_access": "PASS","emr_cluster_publicly_accesible": 
null,"redshift_cluster_public_access": null,"neptune_cluster_public_snapshot": null,"eks_cluster_private_nodes_enabled": null,"awslambda_function_url_cors_policy": null,"documentdb_cluster_public_snapshot": null,"eks_cluster_network_policy_enabled": null,"neptune_cluster_uses_public_subnet": null,"sns_topics_not_publicly_accessible": "PASS","sqs_queues_not_publicly_accessible": "PASS","vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","eks_cluster_not_publicly_accessible": null,"glacier_vaults_policy_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_access_point_public_access_block": "PASS","s3_bucket_level_public_access_block": "PASS","iam_user_administrator_access_policy": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"iam_group_administrator_access_policy": null,"s3_account_level_public_access_blocks": null,"apigateway_restapi_authorizers_enabled": "PASS","elasticache_cluster_uses_public_subnet": "PASS","rds_instance_iam_authentication_enabled": "FAIL","appstream_fleet_maximum_session_duration": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ecr_repositories_not_publicly_accessible": "PASS","emr_cluster_account_public_block_enabled": "PASS","sagemaker_models_vpc_settings_configured": null,"apigateway_restapi_public_with_authorizer": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","vpc_endpoint_connections_trust_boundaries": "FAIL","appstream_fleet_session_disconnect_timeout": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_instance_port_ldap_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","kafka_cluster_unrestricted_access_disabled": 
null,"sagemaker_models_network_isolation_enabled": null,"cognito_identity_pool_guest_access_disabled": "FAIL","ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","workspaces_vpc_2private_1public_subnets_nat": null,"ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_transitgateway_auto_accept_vpc_attachments": null,"appstream_fleet_session_idle_disconnect_timeout": null,"ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","rds_instance_event_subscription_security_groups": "FAIL","sagemaker_training_jobs_vpc_settings_configured": null,"vpc_peering_routing_tables_with_least_privilege": "PASS","appstream_fleet_default_internet_access_disabled": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","cloudfront_distributions_geo_restrictions_enabled": null,"sagemaker_training_jobs_network_isolation_enabled": null,"opensearch_service_domains_not_publicly_accessible": null,"sagemaker_notebook_instance_vpc_settings_configured": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","vpc_endpoint_services_allowed_principals_trust_boundaries": null,"ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","cognito_user_pool_blocks_potential_malicious_sign_in_attempts": 
null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.1 네트워크 접근","Subdomain": "2.6. 
접근통제","AuditEvidence": ["네트워크 구성도","IP 관리대장","정보자산 목록","방화벽룰"],"AuditChecklist": ["조직의 네트워크에 접근할 수 있는 모든 경로를 식별하고 접근통제 정책에 따라 내부 네트워크는 인가된 사용자만이 접근할 수 있도록 통제하고 있는가?","서비스, 사용자 그룹, 정보자산의 중요도, 법적 요구사항에 따라 네트워크 영역을 물리적 또는 논리적으로 분리하고 각 영역 간 접근통제를 적용하고 있는가?","네트워크 대역별 IP주소 부여 기준을 마련하고 데이터베이스 서버 등 외부 연결이 필요하지 않은 경우 사설 IP로 할당하는 등의 대책을 적용하고 있는가?","물리적으로 떨어진 IDC, 지사, 대리점 등과의 네트워크 연결 시 전송구간 보호대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 네트워크 구성도와 인터뷰를 통하여 확인한 결과, 외부 지점에서 사용하는 정보시스템 및 개인정보 처리시스템과 IDC에 위치한 서버 간 연결 시 일반 인터넷 회선을 통하여 데이터 송수신을 처리하고 있어 내부 규정에 명시된 VPN이나 전용망 등을 이용한 통신이 이루어지고 있지 않은 경우","사례 2 : 내부망에 위치한 데이터베이스 서버 등 일부 중요 서버의 IP주소가 내부 규정과 달리 공인 IP로 설정되어 있고, 네트워크 접근 차단이 적용되어 있지 않은 경우","사례 3 : 서버팜이 구성되어 있으나, 네트워크 접근제어 설정 미흡으로 내부망에서 서버팜으로의 접근이 과도하게 허용되어 있는 경우","사례 4 : 외부자(외부 개발자, 방문자 등)에게 제공되는 네트워크를 별도의 통제 없이 내부 업무 네트워크와 분리하지 않은 경우","사례 5 : 내부 규정과는 달리 MAC주소 인증, 필수 보안 소프트웨어 설치 등의 보호대책을 적용하지 않은 상태로 네트워크 케이블 연결만으로 사내 네트워크에 접근 및 이용할 수 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "네트워크에 대한 비인가 접근을 통제하기 위하여 IP관리, 단말인증 등 관리절차를 수립 및이행하고, 업무목적 및 중요도에 따라 네트워크 분리(DMZ, 서버팜, DB존, 개발존 등)와 접근통제를 적용하여야 한다.","checks_status": {"fail": 17,"pass": 54,"total": 112,"manual": 0}},"2.6.2": {"name": "정보시스템 접근","checks": {"ec2_elastic_ip_shodan": null,"ec2_instance_public_ip": "FAIL","ec2_elastic_ip_unassigned": "FAIL","lightsail_instance_public": null,"lightsail_static_ip_unused": null,"ec2_instance_managed_by_ssm": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": 
"PASS","ec2_instance_internet_facing_with_instance_profile": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.2 정보시스템 접근","Subdomain": "2.6. 접근통제","AuditEvidence": ["정보시스템 운영체제 계정 목록","서버 보안 설정","서버접근제어 정책(SecureOS 관리화면 등)","서버 및 네트워크 구성도","정보자산 목록"],"AuditChecklist": ["서버, 네트워크시스템, 보안시스템 등 정보시스템별 운영체제(OS)에 접근이 허용되는 사용자, 접근 가능 위치, 접근 수단 등을 정의하여 통제하고 있는가?","정보시스템에 접속 후 일정시간 업무처리를 하지 않는 경우 자동으로 시스템 접속이 차단되도록 하고 있는가?","정보시스템의 사용목적과 관계 없는 서비스를 제거하고 있는가?","주요 서비스를 제공하는 정보시스템은 독립된 서버로 운영하고 있는가?"],"NonComplianceCases": ["사례 1 : 사무실에서 서버관리자가 IDC에 위치한 윈도우 서버에 접근 시 터미널 서비스를 이용하여 접근하고 있으나, 터미널 서비스에 대한 세션 타임아웃 설정이 되어 있지 않아 장시간 아무런 작업을 하지 않아도 해당 세션이 차단되지 않는 경우","사례 2 : 서버 간 접속이 적절히 제한되지 않아 특정 사용자가 본인에게 인가된 서버에 접속한 후 해당 서버를 경유하여 다른 인가받지 않은 서버에도 접속할 수 있는 경우","사례 3 : 타당한 사유 또는 보완 대책 없이 안전하지 않은 접속 프로토콜(telnet, ftp 등)을 사용하여 접근하고 있으며, 불필요한 서비스 및 포트를 오픈하고 있는 경우","사례 4 : 모든 서버로의 접근은 서버접근제어 시스템을 통하도록 접근통제 정책을 가져가고 있으나, 서버접근제어 시스템을 통하지 않고 서버에 접근할 수 있는 우회 경로가 존재하는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "서버, 네트워크시스템 등 정보시스템에 접근을 허용하는 사용자, 접근제한 방식, 안전한 접근수단 등을 정의하여 통제하여야 한다.","checks_status": {"fail": 8,"pass": 13,"total": 24,"manual": 0}},"2.6.3": {"name": "응용프로그램 접근","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.3 응용프로그램 접근","Subdomain": "2.6. 
접근통제","AuditEvidence": ["응용프로그램 접근권한 분류 체계","응용프로그램 계정·권한 관리 화면","응용프로그램 사용자·관리자 화면(개인정보 조회 등)","응용프로그램 세션 타임 및 동시접속 허용 여부 내역","응용프로그램 관리자 접속로그 모니터링 내역","정보자산 목록","개인정보처리시스템의 개인정보 조회, 검색 화면","개인정보 마스킹 표준","개인정보 마스킹 적용 화면"],"AuditChecklist": ["중요정보 접근을 통제하기 위하여 사용자의 업무에 따라 응용프로그램 접근권한을 차등 부여하고 있는가?","일정시간 동안 입력이 없는 세션은 자동 차단하고, 동일 사용자의 동시 세션 수를 제한하고 있는가?","관리자 전용 응용프로그램(관리자 웹페이지, 관리콘솔 등)은 비인가자가 접근할 수 없도록 접근을 통제하고 있는가?","개인정보 및 중요정보의 표시제한 보호조치의 일관성을 확보할 수 있도록 관련 기준을 수립하여 적용하고 있는가?","개인정보 및 중요정보의 불필요한 노출(조회, 화면표시, 인쇄, 다운로드 등)을 최소화할 수 있도록 응용프로그램을 구현하여 운영하고 있는가?"],"NonComplianceCases": ["사례 1 : 응용프로그램의 개인정보 처리화면 중 일부 화면의 권한 제어 기능에 오류가 존재하여 개인정보 열람 권한이 없는 사용자에게도 개인정보가 노출되고 있는 경우","사례 2 : 응용프로그램의 관리자 페이지가 외부인터넷에 오픈되어 있으면서 안전한 인증수단이 적용되어 있지 않은 경우","사례 3 : 응용프로그램에 대하여 타당한 사유 없이 세션 타임아웃 또는 동일 사용자 계정의 동시 접속을 제한하고 있지 않은 경우","사례 4 : 응용프로그램을 통하여 개인정보를 다운로드받는 경우 해당 파일 내에 주민등록번호 등 업무상 불필요한 정보가 과도하게 포함되어 있는 경우","사례 5 : 응용프로그램의 개인정보 조회화면에서 like 검색을 과도하게 허용하고 있어, 모든 사용자가 본인의 업무 범위를 초과하여 성씨만으로도 전체 고객 정보를 조회할 수 있는 경우","사례 6 : 개인정보 표시제한 조치 기준이 마련되어 있지 않거나 이를 준수하지 않는 등의 사유로 동일한 개인정보 항목에 대하여 개인정보처리시스템 화면별로 서로 다른 마스킹 기준이 적용된 경우","사례 7 : 개인정보처리시스템의 화면상에는 개인정보가 마스킹되어 표시되어 있으나, 웹브라우저 소스보기를 통하여 마스킹되지 않은 전체 개인정보가 노출되는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근권한의 관리), 제6조(접근통제), 제12조(출력·복사시 안전조치)"]}],"description": "사용자별 업무 및 접근 정보의 중요도 등에 따라 응용프로그램 접근권한을 제한하고, 불필요한 정보 또는 중요정보 노출을 최소화할 수 있도록 기준을 수립하여 적용하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.6.4": {"name": "데이터베이스 접근","checks": {"accessanalyzer_enabled": "PASS","lightsail_database_public": null,"rds_snapshots_public_access": "PASS","dms_instance_no_public_access": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"neptune_cluster_public_snapshot": null,"rds_instance_transport_encrypted": "FAIL","documentdb_cluster_public_snapshot": null,"neptune_cluster_uses_public_subnet": null,"vpc_subnet_separate_private_public": 
"FAIL","dynamodb_table_cross_account_access": null,"rds_cluster_iam_authentication_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","rds_instance_iam_authentication_enabled": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","neptune_cluster_iam_authentication_enabled": null,"ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","opensearch_service_domains_not_publicly_accessible": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_internal_user_database_enabled": null,"ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","opensearch_service_domains_use_cognito_authentication_for_kibana": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.4 데이터베이스 접근","Subdomain": "2.6. 
접근통제","AuditEvidence": ["데이터베이스 현황(테이블, 컬럼 등)","데이터베이스 접속자 계정·권한 목록","데이터베이스 접근제어 정책(데이터베이스 접근제어시스템 관리화면 등)","네트워크 구성도(데이터베이스존 등)","정보자산 목록"],"AuditChecklist": ["데이터베이스의 테이블 목록 등 저장·관리되고 있는 정보를 식별하고 있는가?","데이터베이스 내 정보에 접근이 필요한 응용프로그램, 정보시스템(서버) 및 사용자를 명확히 식별하고 접근통제 정책에 따라 통제하고 있는가?"],"NonComplianceCases": ["사례 1 : 대량의 개인정보를 보관·처리하고 있는 데이터베이스를 인터넷을 통하여 접근 가능한 웹 응용프로그램과 분리하지 않고 물리적으로 동일한 서버에서 운영하고 있는 경우","사례 2 : 개발자 및 운영자들이 응응 프로그램에서 사용하고 있는 계정을 공유하여 운영 데이터베이스에 접속하고 있는 경우","사례 3 : 내부 규정에는 데이터베이스의 접속권한을 오브젝트별로 제한하도록 되어 있으나, 데이터베이스 접근권한을 운영자에게 일괄 부여하고 있어 개인정보 테이블에 접근할 필요가 없는 운영자에게도 과도하게 접근 권한이 부여된 경우","사례 4 : 데이터베이스 접근제어 솔루션을 도입하여 운영하고 있으나, 데이터베이스 접속자에 대한 IP주소 등이 적절히 제한되어 있지 않아 데이터베이스 접근제어 솔루션을 우회하여 데이터베이스에 접속하고 있는 경우","사례 5 : 개인정보를 저장하고 있는 데이터베이스의 테이블 현황이 파악되지 않아, 임시로 생성된 테이블에 불필요한 개인정보가 파기되지 않고 대량으로 저장되어 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근권한의 관리), 제6조(접근통제)"]}],"description": "테이블 목록 등 데이터베이스 내에서 저장·관리되고 있는 정보를 식별하고, 정보의 중요도와 응용프로그램 및 사용자 유형 등에 따른 접근통제 정책을 수립·이행하여야 한다.","checks_status": {"fail": 6,"pass": 19,"total": 37,"manual": 0}},"2.6.5": {"name": "무선 네트워크 접근","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.5 무선 네트워크 접근","Subdomain": "2.6. 
접근통제","AuditEvidence": ["네트워크 구성도","AP 보안 설정 내역","비인가 무선 네트워크 점검 이력","무선네트워크 사용 신청·승인 이력"],"AuditChecklist": ["무선네트워크를 업무적으로 사용하는 경우 무선 AP 및 네트워크 구간 보안을 위하여 인증, 송수신 데이터 암호화 등 보호대책을 수립·이행하고 있는가?","인가된 임직원만이 무선네트워크를 사용할 수 있도록 사용 신청 및 해지 절차를 수립 및 이행하고 있는가?","AD Hoc 접속 및 조직 내 허가받지 않은 무선 AP 탐지·차단 등 비인가된 무선네트워크에 대한 보호대책을 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 외부인용 무선 네트워크와 내부 무선 네트워크 영역대가 동일하여 외부인도 무선네트워크를 통하여 별도의 통제 없이 내부 네트워크에 접근이 가능한 경우","사례 2 : 무선 AP 설정 시 정보 송수신 암호화 기능을 설정하였으나, 안전하지 않은 방식으로 설정한 경우","사례 3 : 업무 목적으로 내부망에 연결된 무선AP에 대하여 무선AP 관리자 비밀번호 노출(디폴트 비밀번호 사용), 접근제어 미적용 등 보안 설정이 미흡한 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "무선 네트워크를 사용하는 경우 사용자 인증, 송수신 데이터 암호화, AP 통제 등 무선 네트워크 보호대책을 적용하여야 한다. 또한 AD Hoc 접속, 비인가 AP 사용 등 비인가 무선 네트워크 접속으로부터 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.6.6": {"name": "원격접근 통제","checks": {"vpc_flow_logs_enabled": "FAIL","networkfirewall_in_all_vpc": "FAIL","cognito_user_pool_mfa_enabled": null,"iam_user_console_access_unused": null,"vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","iam_user_mfa_enabled_console_access": null,"workspaces_volume_encryption_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","appstream_fleet_maximum_session_duration": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","appstream_fleet_session_disconnect_timeout": null,"ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","cognito_identity_pool_guest_access_disabled": "FAIL","workspaces_vpc_2private_1public_subnets_nat": null,"cognito_user_pool_self_registration_disabled": null,"appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"ec2_client_vpn_endpoint_connection_logging_enabled": 
null,"cloudwatch_log_metric_filter_authentication_failures": null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.6 원격접근 통제","Subdomain": "2.6. 접근통제","AuditEvidence": ["VPN 등 사외접속 신청서","VPN 계정 목록","VPN 접근제어 정책 설정 현황","IP 관리대장","원격 접근제어 설정(서버 설정, 보안시스템 설정 등)","관리용 단말기 지정 및 관리 현황","네트워크 구성도"],"AuditChecklist": ["인터넷과 같은 외부 네트워크를 통한 정보시스템 원격운영은 원칙적으로 금지하고 장애대응 등 부득이하게 허용하는 경우 보완대책을 마련하고 있는가?","내부 네트워크를 통하여 원격으로 정보시스템을 운영하는 경우 특정 단말에 한해서만 접근을 허용하고 있는가?","재택근무, 원격협업, 스마트워크 등과 같은 원격업무 수행 시 중요정보 유출, 해킹 등 침해사고 예방을 위한 보호대책을 수립·이행하고 있는가?","개인정보처리시스템의 관리, 운영, 개발, 보안 등을 목적으로 원격으로 개인정보처리 시스템에 접속하는 단말기는 관리용 단말기로 지정하고 임의조작 및 목적 외 사용 금지 등 안전조치를 적용하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 규정에는 시스템에 대한 원격 접근은 원칙적으로 금지하고 불가피한 경우 IP 기반의 접근통제를 통하여 승인된 사용자만 접근할 수 있도록 명시하고 있으나, 시스템에 대한 원격 데스크톱 연결, SSH 접속이 IP주소 등으로 제한되어 있지 않아 모든 PC에서 원격 접속이 가능한 경우","사례 2 : 원격운영관리를 위하여 VPN을 구축하여 운영하고 있으나, VPN에 대한 사용 승인 또는 접속 기간 제한 없이 상시 허용하고 있는 경우","사례 3 : 외부 근무자를 위하여 개인 스마트 기기에 업무용 모바일 앱을 설치하여 운영하고 있으나, 악성코드, 분실·도난 등에 의한 개인정보 유출을 방지하기 위한 적절한 보호대책(백신, 초기화, 암호화 등)을 적용하고 있지 않은 경우","사례 4 : 외부 접속용 VPN에서 사용자별로 원격접근이 가능한 네트워크 구간 및 정보시스템을 제한하지 않아 원격접근 인증을 받은 사용자가 전체 내부망 및 정보시스템에 과도하게 접근이 가능한 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "보호구역 이외 장소에서의 정보시스템 관리 및 개인정보 처리는 원칙적으로 금지하고, 재택근무·장애대응·원격협업 등 불가피한 사유로 원격접근을 허용하는 경우 책임자 승인, 접근 단말 지정, 접근 허용범위 및 기간 설정, 강화된 인증, 구간 암호화, 접속단말 보안(백신, 패치 등) 등 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 8,"pass": 5,"total": 26,"manual": 0}},"2.6.7": {"name": "인터넷 접속 통제","checks": {"ec2_elastic_ip_shodan": null,"vpc_flow_logs_enabled": "FAIL","ec2_instance_public_ip": "FAIL","ec2_elastic_ip_unassigned": "FAIL","networkfirewall_in_all_vpc": "FAIL","vpc_subnet_no_public_ip_by_default": 
"FAIL","vpc_subnet_separate_private_public": "FAIL","workspaces_volume_encryption_enabled": null,"route53_dangling_ip_subdomain_takeover": null,"appstream_fleet_maximum_session_duration": null,"appstream_fleet_session_disconnect_timeout": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"workspaces_vpc_2private_1public_subnets_nat": null,"ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.7 인터넷 접속 통제","Subdomain": "2.6. 접근통제","AuditEvidence": ["비업무사이트(P2P 등) 차단정책(비업무사이트 차단시스템 관리화면 등)","인터넷 접속내역 모니터링 이력","인터넷망 차단조치 대상자 목록","망간 자료 전송 절차 및 처리내역(신청·승인내역 등)","네트워크 구성도"],"AuditChecklist": ["주요 직무 수행 및 개인정보 취급 단말기 등 업무용 PC의 인터넷 접속에 대한 통제정책을 수립·이행하고 있는가?","주요 정보시스템(DB서버 등)에서 불필요한 외부 인터넷 접속을 통제하고 있는가?","관련 법령에 따라 인터넷망 차단 의무가 부과된 경우 대상자를 식별하여 안전한 방식으로 인터넷망 차단 조치를 적용하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보 보호법에 따라 인터넷망 차단 조치를 적용하였으나, 개인정보처리시스템의 접근권한 설정 가능자 등 일부 의무대상자에 대하여 인터넷망 차단 조치 적용이 누락된 경우","사례 2 : 개인정보 보호법에 따른 인터넷망 차단 조치 의무대상으로서 인터넷망 차단 조치를 적용하였으나, 다른 서버를 경유한 우회접속이 가능하여 인터넷망 차단 조치가 적용되지 않은 환경에서 개인정보처리시스템에 접속하여 개인정보의 다운로드, 파기 등이 가능한 경우","사례 3 : DMZ 및 내부망에 위치한 일부 서버에서 불필요하게 인터넷으로의 직접 접속이 가능한 경우","사례 4 : 인터넷 PC와 내부 업무용 PC를 물리적 망분리 방식으로 인터넷망 차단 조치를 적용하고 망간 자료전송시스템을 구축·운영하고 있으나, 자료 전송에 대한 승인 절차가 부재하고 자료 전송 내역에 대한 주기적 검토가 이루어지고 있지 않은 경우","사례 5 : 내부 규정에는 개인정보취급자가 P2P 및 웹하드 사이트 접속 시 책임자 승인을 거쳐 특정 기간 동안만 허용하도록 되어 있으나, 승인절차를 거치지 않고 예외 접속이 허용된 사례가 다수 존재하는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "인터넷을 통한 정보 유출, 악성코드 감염, 내부망 침투 등을 예방하기 위하여 주요 정보시스템, 주요 직무 수행 및 개인정보 취급 단말기 등에 대한 인터넷 접속 또는 서비스(P2P, 웹하드, 메신저 등)를 제한하는 등 인터넷 접속 통제 정책을 
수립·이행하여야 한다.","checks_status": {"fail": 6,"pass": 1,"total": 19,"manual": 0}},"2.7.1": {"name": "암호정책 적용","checks": {"elb_ssl_listeners": "FAIL","backup_vaults_exist": null,"elbv2_ssl_listeners": "FAIL","ssm_document_secrets": "PASS","backup_vaults_encrypted": "PASS","rds_snapshots_encrypted": "FAIL","elb_insecure_ssl_ciphers": "PASS","s3_bucket_kms_encryption": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","elbv2_insecure_ssl_ciphers": "PASS","athena_workgroup_encryption": null,"ec2_ebs_snapshots_encrypted": "FAIL","s3_bucket_default_encryption": "PASS","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","rds_instance_transport_encrypted": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","neptune_cluster_storage_encrypted": null,"s3_bucket_secure_transport_policy": "FAIL","documentdb_cluster_storage_encrypted": null,"workspaces_volume_encryption_enabled": null,"awslambda_function_no_secrets_in_code": "PASS","glue_database_connections_ssl_enabled": null,"athena_workgroup_enforce_configuration": null,"cloudfront_distributions_https_enabled": null,"cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudformation_stack_outputs_find_secrets": "PASS","codebuild_project_no_secrets_in_variables": "PASS","kafka_cluster_encryption_at_rest_uses_cmk": null,"sns_subscription_not_using_http_endpoints": "PASS","sns_topics_kms_encryption_at_rest_enabled": "FAIL","sqs_queues_server_side_encryption_enabled": "PASS","awslambda_function_no_secrets_in_variables": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"glue_etl_jobs_amazon_s3_encryption_enabled": "PASS","acm_certificates_with_secure_key_algorithms": "PASS","cloudwatch_log_group_kms_encryption_enabled": "FAIL","ecs_task_definitions_no_environment_secrets": "PASS","kafka_cluster_in_transit_encryption_enabled": null,"storagegateway_fileshare_encryption_enabled": 
null,"apigateway_restapi_client_certificate_enabled": "FAIL","glue_etl_jobs_job_bookmark_encryption_enabled": "FAIL","glue_data_catalogs_metadata_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"kafka_cluster_mutual_tls_authentication_enabled": null,"directoryservice_radius_server_security_protocol": null,"glue_development_endpoints_s3_encryption_enabled": null,"glue_etl_jobs_cloudwatch_logs_encryption_enabled": "FAIL","autoscaling_find_secrets_ec2_launch_configuration": "PASS","eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"elasticache_redis_cluster_rest_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"cloudfront_distributions_field_level_encryption_enabled": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"elasticache_redis_cluster_in_transit_encryption_enabled": null,"opensearch_service_domains_https_communications_enforced": null,"sagemaker_training_jobs_intercontainer_encryption_enabled": null,"glue_data_catalogs_connection_passwords_encryption_enabled": "FAIL","glue_development_endpoints_job_bookmark_encryption_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null,"sagemaker_training_jobs_volume_and_output_encryption_enabled": null,"glue_development_endpoints_cloudwatch_logs_encryption_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.7.1 암호정책 적용","Subdomain": "2.7. 
암호화 적용","AuditEvidence": ["암호통제 정책(대상, 방식, 알고리즘 등)","암호화 적용현황(저장 및 전송 시)","위험도 분석 결과(내부망에서 주민등록번호 이외의 고유식별정보 암호화 미적용 시)","암호화 솔루션 관리 화면"],"AuditChecklist": ["개인정보 및 주요정보의 보호를 위하여 법적 요구사항을 반영한 암호화 대상, 암호강도, 암호사용 등이 포함된 암호정책을 수립하고 있는가?","암호정책에 따라 개인정보 및 주요정보의 저장, 전송, 전달 시 암호화를 수행하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 정책·지침에 암호통제 관련 법적 요구사항을 고려한 암호화 대상, 암호 강도, 저장 및 전송 시 암호화 방법, 암호화 관련 담당자의 역할 및 책임 등에 관한 사항이 적절히 명시되지 않은 경우","사례 2 : 암호정책을 수립하면서 해당 기업이 적용받는 법규를 잘못 적용하여 암호화 관련 법적 요구사항을 준수하지 못하고 있는 경우(예를 들어, 이용자의 계좌번호를 저장하면서 암호화 미적용)","사례 3 : 개인정보취급자 및 정보주체의 비밀번호에 대하여 일방향 암호화를 적용하였으나, 안전하지 않은 MD5 알고리즘을 사용한 경우","사례 4 : 개인정보처리자가 관련 법규 및 내부 규정에 따라 인터넷 쇼핑몰에 대하여 보안서버를 적용하였으나, 회원정보 조회 및 변경, 비밀번호 찾기, 비밀번호 변경 등 이용자의 개인정보가 전송되는 일부 구간에 암호화 조치가 누락된 경우","사례 5 : 정보시스템 접속용 비밀번호, 인증키 값 등이 시스템 설정파일 및 소스코드 내에 평문으로 저장되어 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제24조의2(주민등록번호 처리의 제한), 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제7조(개인정보의 암호화)"]}],"description": "개인정보 및 주요정보 보호를 위하여 법적 요구사항을 반영한 암호화 대상, 암호 강도, 암호 사용 정책을 수립하고 개인정보 및 주요정보의 저장·전송·전달 시 암호화를 적용하여야 한다.","checks_status": {"fail": 18,"pass": 19,"total": 66,"manual": 0}},"2.7.2": {"name": "암호키 관리","checks": {"kms_cmk_are_used": null,"kms_cmk_rotation_enabled": null,"kms_key_not_publicly_accessible": null,"kms_cmk_not_deleted_unintentionally": null,"rds_instance_certificate_expiration": "PASS","secretsmanager_automatic_rotation_enabled": "FAIL","acm_certificates_transparency_logs_enabled": "PASS","directoryservice_ldap_certificate_expiration": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.7.2 암호키 관리","Subdomain": "2.7. 
암호화 적용","AuditEvidence": ["암호키 관리정책","암호키 관리대장 및 관리시스템 화면"],"AuditChecklist": ["암호키 생성, 이용, 보관, 배포, 변경, 복구, 파기 등에 관한 절차를 수립·이행하고 있는가?","암호키는 필요시 복구가 가능하도록 별도의 안전한 장소에 보관하고 암호키 사용에 관한 접근권한을 최소화하고 있는가?"],"NonComplianceCases": ["사례 1 : 암호 정책 내에 암호키 관리와 관련된 절차, 방법 등이 명시되어 있지 않아 담당자별로 암호키 관리 수준 및 방법 상이 등 암호키 관리에 취약사항이 존재하는 경우","사례 2 : 내부 규정에 중요 정보를 암호화 할 경우 관련 책임자 승인 하에 암호화 키를 생성하고 암호키 관리대장을 작성하도록 정하고 있으나, 암호키 관리대장에 일부 암호키가 누락되어 있거나 현행화되어 있지 않은 경우","사례 3 : 개발시스템에 적용되어 있는 암호키와 운영시스템에 적용된 암호키가 동일하여, 암호화된 실데이터가 개발시스템을 통해 쉽게 복호화가 가능한 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제7조(개인정보의 암호화)"]}],"description": "암호키의 안전한 생성·이용·보관·배포·파기를 위한 관리 절차를 수립·이행하고, 필요 시 복구방안을 마련하여야 한다.","checks_status": {"fail": 1,"pass": 2,"total": 9,"manual": 0}},"2.8.1": {"name": "보안 요구사항 정의","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","accessanalyzer_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","guardduty_centrally_managed": "FAIL","wafv2_webacl_logging_enabled": "FAIL","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","codebuild_project_no_secrets_in_variables": "PASS","codebuild_project_user_controlled_buildspec": "PASS","wellarchitected_workload_no_high_or_medium_risks": "FAIL","codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.1 보안 요구사항 정의","Subdomain": "2.8. 
정보시스템 도입 및 개발 보안","AuditEvidence": ["정보시스템 인수 기준 및 절차","정보시스템 도입 RFP(제안요청서) 및 구매계약서","개발 산출물(사업수행계획서, 요구사항정의서, 화면설계서, 보안아키텍처 설계서, 시험계획서 등)","시큐어 코딩 표준"],"AuditChecklist": ["정보시스템을 신규로 도입·개발 또는 변경하는 경우 정보보호 및 개인정보보호 측면의 타당성 검토 및 인수 절차를 수립·이행하고 있는가?","정보시스템을 신규로 도입·개발 또는 변경하는 경우 법적 요구사항, 최신 취약점 등을 포함한 보안 요구사항을 명확히 정의하고 설계 단계에서부터 반영하고 있는가?","정보시스템의 안전한 구현을 위한 코딩 표준을 수립하여 적용하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보시스템 인수 전 보안성 검증 기준 및 절차가 마련되어 있지 않은 경우","사례 2 : 신규 시스템 도입 시 기존 운영환경에 대한 영향 및 보안성을 검토하도록 내부 규정을 마련하고 있으나, 최근 도입한 일부 정보시스템에 대하여 인수 시 보안요건에 대해 세부 기준 및 계획이 수립되지 않았으며, 이에 따라 인수 시 보안성검토가 수행되지 않은 경우","사례 3 : 개발 관련 내부 지침에 개발과 관련된 주요 보안 요구사항(인증 및 암호화, 보안로그 등)이 정의되어 있지 않은 경우","사례 4 : ʻ개발표준정의서ʼ에 사용자 패스워드를 안전하지 않은 암호화 알고리즘(MD5, SHA1)으로 사용하도록 되어 있어 관련 법적 요구사항을 적절히 반영하지 않는 경우"],"RelatedRegulations": []}],"description": "정보시스템의 도입·개발·변경 시 정보보호 및 개인정보보호 관련 법적 요구사항, 최신 보안취약점, 안전한 코딩방법 등 보안 요구사항을 정의하고 적용하여야 한다.","checks_status": {"fail": 7,"pass": 7,"total": 16,"manual": 0}},"2.8.2": {"name": "보안 요구사항 검토 및 시험","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","accessanalyzer_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","guardduty_centrally_managed": "FAIL","wafv2_webacl_logging_enabled": "FAIL","inspector2_active_findings_exist": "FAIL","config_recorder_all_regions_enabled": null,"guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","codebuild_project_no_secrets_in_variables": "PASS","codebuild_project_user_controlled_buildspec": "PASS","wellarchitected_workload_no_high_or_medium_risks": "FAIL","codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.2 보안 요구사항 검토 및 시험","Subdomain": "2.8. 
정보시스템 도입 및 개발 보안","AuditEvidence": ["정보시스템 인수 시험 결과","요구사항 추적 매트릭스","시험 계획서, 시험 결과서","취약점 점검 결과서","개인정보 영향평가서","개인정보 영향평가 개선계획 이행점검 확인서"],"AuditChecklist": ["정보시스템의 도입, 개발, 변경 시 분석 및 설계 단계에서 정의한 보안 요구사항이 효과적으로 적용되었는지를 확인하기 위한 시험을 수행하고 있는가?","정보시스템이 안전한 코딩 기준 등에 따라 안전하게 개발되었는지를 확인하기 위한 취약점 점검이 수행되고 있는가?","시험 및 취약점 점검 과정에서 발견된 문제점이 신속하게 개선될 수 있도록 개선계획 수립, 이행점검 등의 절차를 이행하고 있는가?","공공기관은 관련 법령에 따라 개인정보처리시스템 신규 개발 및 변경 시 분석·설계 단계에서 영향평가기관을 통하여 영향평가를 수행하고 그 결과를 개발 및 변경 시 반영하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보시스템 구현 이후 개발 관련 내부 지침 및 문서에 정의된 보안 요구사항을 시험하지 않고 있는 경우","사례 2 : 응용프로그램 테스트 시나리오 및 기술적 취약점 점검항목에 입력값 유효성 체크 등의 중요 점검항목 일부가 누락된 경우","사례 3 : 구현 또는 시험 과정에서 알려진 기술적 취약점이 존재하는지 여부를 점검하지 않거나, 타당한 사유 또는 승인 없이 확인된 취약점에 대한 개선조치를 이행하지 않은 경우","사례 4 : 공공기관이 5만 명 이상 정보주체의 고유식별정보를 처리하는 등 영향평가 의무 대상 개인정보 파일 및 개인정보처리시스템을 신규로 구축하면서 영향평가를 실시하지 않은 경우","사례 5 : 공공기관이 영향평가를 수행한 후 영향평가기관으로부터 영향평가서를 받은 지 2개월이 지났음에도 불구하고 영향평가서를 개인정보 보호위원회에 제출하지 않은 경우","사례 6 : 신규 시스템 도입 시 기존 운영환경에 대한 영향 및 보안성을 검토(취약점 점검 등)하도록 내부 지침을 마련하고 있으나, 최근 도입한 일부 정보시스템에 대하여 인수 시 취약점 점검 등 보안성검토가 수행되지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제33조(개인정보 영향평가)","개인정보 영향평가에 관한 고시"]}],"description": "사전 정의된 보안 요구사항에 따라 정보시스템이 도입 또는 구현되었는지를 검토하기 위하여 법적 요구사항 준수, 최신 보안취약점 점검, 안전한 코딩 구현, 개인정보 영향평가 등의 검토 기준과 절차를 수립·이행하고, 발견된 문제점에 대한 개선조치를 수행하여야 한다.","checks_status": {"fail": 10,"pass": 7,"total": 19,"manual": 0}},"2.8.3": {"name": "시험과 운영 환경 분리","checks": {"codebuild_project_user_controlled_buildspec": "PASS"},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.3 시험과 운영 환경 분리","Subdomain": "2.8. 
정보시스템 도입 및 개발 보안","AuditEvidence": ["네트워크 구성도(시험환경 구성 포함)","운영 환경과 개발·시험 환경 간 접근통제 적용 현황"],"AuditChecklist": ["정보시스템의 개발 및 시험 시스템을 운영시스템과 분리하고 있는가?","불가피한 사유로 개발과 운영환경의 분리가 어려운 경우 상호검토, 상급자 모니터링, 변경 승인, 책임추적성 확보 등의 보안대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 타당한 사유 또는 승인 없이 별도의 개발환경을 구성하지 않고 운영환경에서 직접 소스코드 변경을 수행하고 있는 경우","사례 2 : 불가피하게 개발시스템과 운영시스템을 분리하지 않고 운영 중에 있으나, 이에 대한 상호 검토 내역, 모니터링 내역 등이 누락되어 있는 경우","사례 3 : 개발시스템이 별도로 구성되어 있으나, 개발환경으로부터 운영환경으로의 접근이 통제되지 않아 개발자들이 개발시스템을 경유하여 불필요하게 운영시스템 접근이 가능한 경우"],"RelatedRegulations": []}],"description": "개발 및 시험 시스템은 운영시스템에 대한 비인가 접근 및 변경의 위험을 감소시키기 위하여 원칙적으로 분리하여야 한다.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.8.4": {"name": "시험 데이터 보안","checks": {"codebuild_project_no_secrets_in_variables": "PASS"},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.4 시험 데이터 보안","Subdomain": "2.8. 정보시스템 도입 및 개발 보안","AuditEvidence": ["시험데이터 현황","시험데이터 생성 규칙","운영데이터를 시험환경에 사용한 경우, 관련 승인 이력"],"AuditChecklist": ["정보시스템의 개발 및 시험 과정에서 실제 운영 데이터의 사용을 제한하고 있는가?","불가피하게 운영데이터를 시험 환경에서 사용할 경우 책임자 승인, 접근 및 유출모니터링, 시험 후 데이터 삭제 등의 통제 절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 개발 서버에서 사용할 시험 데이터 생성에 대한 구체적 기준 및 절차가 수립되어 있지 않은 경우","사례 2 : 타당한 사유 및 책임자 승인 없이 실 운영데이터를 가공하지 않고 시험 데이터로 사용하고 있는 경우","사례 3 : 불가피한 사유로 사전 승인을 받아 실 운영데이터를 시험 용도로 사용하면서, 테스트 데이터베이스에 대하여 운영 데이터베이스와 동일한 수준의 접근통제를 적용하고 있지 않은 경우","사례 4 : 실 운영데이터를 테스트 용도로 사용한 후 테스트가 완료되었음에도 실 운영데이터를 테스트 데이터베이스에서 삭제하지 않은 경우"],"RelatedRegulations": []}],"description": "시스템 시험 과정에서 운영데이터의 유출을 예방하기 위하여 시험 데이터의 생성과 이용 및 관리, 파기, 기술적 보호조치에 관한 절차를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.8.5": {"name": "소스 프로그램 관리","checks": {"ecr_repositories_not_publicly_accessible": "PASS","codeartifact_packages_external_public_publishing_disabled": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.5 소스 프로그램 관리","Subdomain": "2.8. 
정보시스템 도입 및 개발 보안","AuditEvidence": ["SVN 등 형상관리시스템 운영 현황(접근권한자 목록 등)","소스 프로그램 변경 이력"],"AuditChecklist": ["비인가자에 의한 소스 프로그램 접근을 통제하기 위한 절차를 수립·이행하고 있는가?","소스 프로그램은 장애 등 비상시를 대비하여 운영환경이 아닌 곳에 안전하게 보관하고 있는가?","소스 프로그램에 대한 변경이력을 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 별도의 소스 프로그램 백업 및 형상관리시스템이 구축되어 있지 않으며, 이전 버전의 소스 코드를 운영 서버 또는 개발자 PC에 승인 및 이력관리 없이 보관하고 있는 경우","사례 2 : 형상관리시스템을 구축하여 운영하고 있으나 형상관리시스템 또는 형상관리시스템에 저장된 소스코드에 대한 접근제한, 접근 및 변경이력이 적절히 관리되지 않고 있는 경우","사례 3 : 내부 규정에는 형상관리시스템을 통하여 소스 프로그램 버전관리를 하도록 되어 있으나, 최신 버전의 소스 프로그램은 개발자 PC에만 보관되어 있고 이에 대한 별도의 백업이 수행되고 있지 않은 경우"],"RelatedRegulations": []}],"description": "소스 프로그램은 인가된 사용자만이 접근할 수 있도록 관리하고, 운영환경에 보관하지 않는 것을 원칙으로 하여야 한다.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.8.6": {"name": "운영환경 이관","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.6 운영환경 이관","Subdomain": "2.8. 정보시스템 도입 및 개발 보안","AuditEvidence": ["이관 절차","이관 내역(신청·승인, 시험, 이관 등)"],"AuditChecklist": ["신규 도입·개발 및 변경된 시스템을 운영환경으로 안전하게 이관하기 위한 통제 절차를 수립·이행하고 있는가?","운영환경으로 이관 시 발생할 수 있는 문제에 대한 대응 방안을 마련하고 있는가?","운영환경에는 서비스 실행에 필요한 파일만을 설치하고 있는가?"],"NonComplianceCases": ["사례 1 : 개발·변경이 완료된 소스 프로그램을 운영환경으로 이관 시 검토·승인하는 절차가 마련되어 있지 않은 경우","사례 2 : 운영서버에 서비스 실행에 불필요한 파일(소스코드 또는 배포모듈, 백업본, 개발 관련 문서, 매뉴얼 등)이 존재하는 경우","사례 3 : 내부 지침에 운영환경 이관 시 안전한 이관·복구를 위하여 변경작업 요청서 및 결과서를 작성하도록 정하고 있으나, 관련 문서가 확인되지 않은 경우","사례 4 : 내부 지침에는 모바일 앱을 앱마켓에 배포하는 경우 내부 검토 및 승인을 받도록 하고 있으나, 개발자가 해당 절차를 거치지 않고 임의로 앱마켓에 배포하고 있는 경우"],"RelatedRegulations": []}],"description": "신규 도입·개발 또는 변경된 시스템을 운영환경으로 이관할 때는 통제된 절차를 따라야 하고, 실행코드는 시험 및 사용자 인수 절차에 따라 실행되어야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.9.1": {"name": "변경관리","checks": {"codebuild_project_older_90_days": "FAIL","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": 
null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.1 변경관리","Subdomain": "2.9. 시스템 및 서비스 운영관리","AuditEvidence": ["변경관리 절차","변경관리 수행 내역(신청·승인, 변경 내역 등)","변경에 따른 영향분석 결과"],"AuditChecklist": ["정보시스템 관련 자산(하드웨어, 운영체제, 상용 소프트웨어 패키지 등) 변경에 관한 절차를 수립·이행하고 있는가?","정보시스템 관련 자산 변경을 수행하기 전 성능 및 보안에 미치는 영향을 분석하고 있는가?"],"NonComplianceCases": ["사례 1 : 최근 DMZ 구간 이중화에 따른 변경 작업을 수행하였으나, 변경 후 발생할 수 있는 보안위험성 및 성능 평가에 대한 수행·승인 증거자료가 확인되지 않은 경우","사례 2 : 최근 네트워크 변경 작업을 수행하였으나 관련 검토 및 공지가 충분히 이루어지지 않아 네트워크 구성도 및 일부 접근통제시스템(침입차단시스템, 데이터베이스 접근제어시스템 등)의 접근통제 리스트(ACL)에 적절히 반영되어 있지 않은 경우","사례 3 : 변경관리시스템을 구축하여 정보시스템 입고 또는 변경 시 성능 및 보안에 미치는 영향을 분석 및협의하고 관련 이력을 관리하도록 하고 있으나, 해당 시스템을 통하지 않고도 시스템 변경이 가능하며, 관련 변경사항이 적절히 검토되지 않는 경우"],"RelatedRegulations": []}],"description": "정보시스템 관련 자산의 모든 변경내역을 관리할 수 있도록 절차를 수립·이행하고, 변경 전 시스템의 성능 및 보안에 미치는 영향을 분석하여야 한다.","checks_status": {"fail": 2,"pass": 0,"total": 14,"manual": 0}},"2.9.2": {"name": "성능 및 장애관리","checks": {"rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","elbv2_is_in_multiple_az": "PASS","s3_bucket_no_mfa_delete": "FAIL","vpc_subnet_different_az": "PASS","neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","autoscaling_group_multiple_az": null,"dms_instance_multi_az_enabled": null,"rds_cluster_backtrack_enabled": 
null,"cloudtrail_multi_region_enabled": "PASS","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_cross_region_replication": "FAIL","trustedadvisor_errors_and_warnings": null,"config_recorder_all_regions_enabled": null,"kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": null,"networkfirewall_deletion_protection": null,"rds_instance_certificate_expiration": "PASS","route53_domains_transferlock_enabled": null,"cloudtrail_bucket_requires_mfa_delete": null,"elb_cross_zone_load_balancing_enabled": "PASS","documentdb_cluster_deletion_protection": null,"documentdb_cluster_cloudwatch_log_export": null,"ec2_instance_detailed_monitoring_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","iam_no_expired_server_certificates_stored": null,"kafka_cluster_enhanced_monitoring_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null,"directoryservice_ldap_certificate_expiration": null,"cognito_user_pool_deletion_protection_enabled": null,"trustedadvisor_premium_support_plan_subscribed": null,"directoryservice_directory_monitor_notifications": null,"cloudformation_stacks_termination_protection_enabled": "FAIL","cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.2 성능 및 장애관리","Subdomain": "2.9. 
시스템 및 서비스 운영관리","AuditEvidence": ["성능 및 용량 모니터링 절차","성능 및 용량 모니터링 증거자료(내부보고 결과 등)","장애대응 절차","장애조치보고서"],"AuditChecklist": ["정보시스템의 가용성 보장을 위하여 성능 및 용량을 지속적으로 모니터링할 수 있는 절차를 수립·이행하고 있는가?","정보시스템 성능 및 용량 요구사항(임계치)을 초과하는 경우에 대한 대응절차를 수립 및 이행하고 있는가?","정보시스템 장애를 즉시 인지하고 대응하기 위한 절차를 수립·이행하고 있는가?","장애 발생 시 절차에 따라 조치하고 장애조치보고서 등을 통하여 장애조치내역을 기록하여 관리하고 있는가?","심각도가 높은 장애의 경우 원인분석을 통한 재발방지 대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 성능 및 용량 관리를 위한 대상별 요구사항(임계치 등)을 정의하고 있지 않거나 정기 점검보고서 등에 기록하고 있지 않아 현황을 파악할 수 없는 경우","사례 2 : 성능 또는 용량 기준을 초과하였으나 관련 검토 및 후속조치방안 수립·이행이 이루어지고 있지 않은 경우","사례 3 : 전산장비 장애대응절차를 수립하고 있으나 네트워크 구성 및 외주업체 변경 등의 내·외부 환경변화가 적절히 반영되어 있지 않은 경우","사례 4 : 장애처리절차와 장애유형별 조치방법 간 일관성이 없거나 예상소요시간 산정에 대한 근거가 부족하여 신속·정확하고 체계적인 대응이 어려운 경우"],"RelatedRegulations": []}],"description": "정보시스템의 가용성 보장을 위하여 성능 및 용량 요구사항을 정의하고 현황을 지속적으로 모니터링하여야 하며, 장애 발생 시 효과적으로 대응하기 위한 탐지·기록·분석·복구·보고 등의 절차를 수립·관리하여야 한다.","checks_status": {"fail": 11,"pass": 6,"total": 39,"manual": 0}},"2.9.3": {"name": "백업 및 복구관리","checks": {"ec2_ami_public": null,"backup_plans_exist": "PASS","backup_vaults_exist": null,"backup_vaults_encrypted": "PASS","ec2_ebs_public_snapshot": "PASS","efs_have_backup_enabled": "FAIL","s3_bucket_public_access": null,"backup_reportplans_exist": null,"s3_bucket_kms_encryption": "FAIL","s3_bucket_public_list_acl": null,"s3_bucket_public_write_acl": null,"ec2_ebs_snapshots_encrypted": "FAIL","rds_instance_backup_enabled": "PASS","rds_snapshots_public_access": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"s3_bucket_default_encryption": "PASS","rds_cluster_backtrack_enabled": null,"neptune_cluster_backup_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","neptune_cluster_public_snapshot": null,"documentdb_cluster_backup_enabled": null,"documentdb_cluster_public_snapshot": null,"rds_cluster_copy_tags_to_snapshots": "FAIL","s3_bucket_cross_region_replication": 
"FAIL","rds_instance_copy_tags_to_snapshots": null,"redshift_cluster_automated_snapshot": null,"s3_access_point_public_access_block": "PASS","s3_bucket_policy_public_write_access": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","elasticache_redis_cluster_backup_enabled": null,"ecr_repositories_lifecycle_policy_enabled": "FAIL","directoryservice_directory_snapshots_limit": null,"ec2_ebs_snapshot_account_block_public_access": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.3 백업 및 복구관리","Subdomain": "2.9. 시스템 및 서비스 운영관리","AuditEvidence": ["백업 및 복구 절차","복구테스트 결과","소산백업 현황"],"AuditChecklist": ["백업 대상, 주기, 방법, 절차 등이 포함된 백업 및 복구절차를 수립·이행하고 있는가?","백업된 정보의 완전성과 정확성, 복구절차의 적절성을 확인하기 위하여 정기적으로복구 테스트를 실시하고 있는가?","중요정보가 저장된 백업매체의 경우 재해·재난에 대처할 수 있도록 백업매체를물리적으로 떨어진 장소에 소산하고 있는가?"],"NonComplianceCases": ["사례 1 : 백업 대상, 주기, 방법, 절차 등이 포함된 백업 및 복구 절차가 수립되어 있지 않은 경우","사례 2 : 백업정책을 수립하고 있으나 법적 요구사항에 따라 장기간(6개월, 3년, 5년 등) 보관이 필요한 백업 대상 정보가 백업 정책에 따라 보관되고 있지 않은 경우","사례 3 : 상위 지침 또는 내부 지침에 따라 별도로 백업하여 관리하도록 명시된 일부 시스템(보안시스템 정책 및 로그 등)에 대한 백업이 이행되고 있지 않은 경우","사례 4 : 상위 지침 또는 내부 지침에는 주기적으로 백업매체에 대한 복구 테스트를 수행하도록 정하고 있으나 복구테스트를 장기간 실시하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치 의무)","개인정보의 안전성 확보조치 기준 제11조(재해·재난 대비 안전조치)"]}],"description": "정보시스템의 가용성과 데이터 무결성을 유지하기 위하여 백업 대상, 주기, 방법, 보관장소, 보관기간, 소산 등의 절차를 수립·이행하여야 한다. 
아울러 사고 발생 시 적시에 복구할 수 있도록 관리하여야 한다.","checks_status": {"fail": 11,"pass": 8,"total": 37,"manual": 0}},"2.9.4": {"name": "로그 및 접속기록 관리","checks": {"macie_is_enabled": "PASS","elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","ec2_ebs_public_snapshot": "PASS","eventbridge_bus_exposed": "PASS","rds_snapshots_encrypted": "FAIL","s3_bucket_public_access": null,"s3_bucket_kms_encryption": "FAIL","cloudtrail_insights_exist": null,"s3_bucket_public_list_acl": null,"s3_bucket_public_write_acl": null,"ec2_ebs_snapshots_encrypted": "FAIL","ec2_instance_managed_by_ssm": "FAIL","efs_not_publicly_accessible": "FAIL","guardduty_centrally_managed": "FAIL","rds_snapshots_public_access": "PASS","s3_bucket_default_encryption": "PASS","wafv2_webacl_logging_enabled": "FAIL","iam_securityaudit_role_created": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","config_recorder_all_regions_enabled": null,"s3_access_point_public_access_block": "PASS","s3_bucket_level_public_access_block": "PASS","eventbridge_bus_cross_account_access": "FAIL","s3_bucket_policy_public_write_access": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"apigatewayv2_api_access_logging_enabled": "FAIL","cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"s3_bucket_server_access_logging_enabled": "FAIL","cloudfront_distributions_logging_enabled": null,"documentdb_cluster_cloudwatch_log_export": null,"ec2_instance_detailed_monitoring_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": 
"FAIL","cloudwatch_cross_account_sharing_disabled": null,"kafka_cluster_enhanced_monitoring_enabled": null,"acm_certificates_transparency_logs_enabled": "PASS","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"eks_control_plane_logging_all_types_enabled": null,"ec2_ebs_snapshot_account_block_public_access": null,"iam_inline_policy_no_full_access_to_cloudtrail": null,"trustedadvisor_premium_support_plan_subscribed": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL","cloudwatch_log_metric_filter_sign_in_without_mfa": null,"directoryservice_directory_monitor_notifications": null,"eventbridge_schema_registry_cross_account_access": "FAIL","glue_etl_jobs_cloudwatch_logs_encryption_enabled": "FAIL","opensearch_service_domains_audit_logging_enabled": null,"directoryservice_directory_log_forwarding_enabled": null,"ec2_client_vpn_endpoint_connection_logging_enabled": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","cloudwatch_log_metric_filter_authentication_failures": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"route53_public_hosted_zones_cloudwatch_logging_enabled": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","glue_development_endpoints_cloudwatch_logs_encryption_enabled": null,"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled": 
"PASS","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.4 로그 및 접속기록 관리","Subdomain": "2.9. 시스템 및 서비스 운영관리","AuditEvidence": ["로그관리 절차","로그기록 내역","로그 저장장치에 대한 접근통제 내역","개인정보 접속기록 내역"],"AuditChecklist": ["서버, 응용프로그램, 보안시스템, 네트워크시스템 등 정보시스템에 대한 로그관리 절차를 수립하고 이에 따라 필요한 로그를 생성하여 보관하고 있는가?","정보시스템의 로그기록은 위·변조 및 도난, 분실되지 않도록 안전하게 보관하고 로그기록에 대한 접근권한은 최소화하여 부여하고 있는가?","개인정보처리시스템에 대한 접속기록은 법적 요구사항을 준수할 수 있도록 필요한 항목을 모두 포함하여 일정기간 안전하게 보관하고 있는가?"],"NonComplianceCases": ["사례 1 : 로그 기록 대상, 방법, 보존기간, 검토 주기, 담당자 등에 대한 세부 기준 및 절차가 수립되어 있지 않은 경우","사례 2 : 보안 이벤트 로그, 응용프로그램 및 서비스 로그(윈도우 2008 서버 이상) 등 중요 로그에 대한 최대 크기를 충분하게 설정하지 않아 내부 기준에 정한 기간 동안 기록·보관되고 있지 않은 경우","사례 3 : 중요 Linux/UNIX 계열 서버에 대한 로그 기록을 별도로 백업하거나 적절히 보호하지 않아 사용자의 명령 실행 기록 및 접속 이력 등을 임의로 삭제할 수 있는 경우","사례 4 : 개인정보처리시스템에 접속한 기록을 확인한 결과 접속자의 계정, 접속 일시, 접속자 IP주소 정보는 남기고 있으나, 처리한 정보주체 정보 및 수행업무(조회, 변경, 삭제, 다운로드 등)와 관련된 정보를 남기고 있지 않은 경우","사례 5 : 로그 서버의 용량의 충분하지 않아서 개인정보처리시스템 접속기록이 2개월 밖에 남아 있지 않은 경우","사례 6 : 개인정보처리자가 정보주체 10만 명의 개인정보를 처리하는 개인정보처리시스템의 개인정보취급자 접속기록을 1년간만 보관하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제8조(접속기록의 보관 및 점검)"]}],"description": "서버, 응용프로그램, 보안시스템, 네트워크시스템 등 정보시스템에 대한 사용자 접속기록, 시스템로그, 권한부여 내역 등의 로그유형, 보존기간, 보존방법 등을 정하고 위·변조, 도난, 분실되지 않도록 안전하게 보존·관리하여야 한다.","checks_status": {"fail": 25,"pass": 15,"total": 81,"manual": 0}},"2.9.5": {"name": "로그 및 접속기록 점검","checks": {"cloudtrail_insights_exist": null,"inspector2_active_findings_exist": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","cloudtrail_threat_detection_enumeration": null,"cloudwatch_log_group_no_secrets_in_logs": 
"FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.5 로그 및 접속기록 점검","Subdomain": "2.9. 
시스템 및 서비스 운영관리","AuditEvidence": ["로그 검토 및 모니터링 절차","로그 검토 및 모니터링 결과(검토 내역, 보고서 등)","개인정보 접속기록 점검 내역","개인정보 다운로드 시 사유 확인 기준 및 결과","이상징후 발견 시 대응 증거자료"],"AuditChecklist": ["정보시스템 관련 오류, 오·남용(비인가접속, 과다조회 등), 부정행위 등 이상징후를 인지할 수 있도록 로그 검토 주기, 대상, 방법 등을 포함한 로그 검토 및 모니터링절차를 수립·이행하고 있는가?","로그 검토 및 모니터링 결과를 책임자에게 보고하고 이상징후 발견 시 절차에 따라 대응하고 있는가?","개인정보처리시스템의 접속기록은 관련 법령에서 정한 주기에 따라 정기적으로 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 중요 정보를 처리하고 있는 정보시스템에 대한 이상접속(휴일 새벽 접속, 우회경로 접속 등) 또는 이상행위(대량 데이터 조회 또는 소량 데이터의 지속적·연속적 조회 등)에 대한 모니터링 및 경고·알림 정책(기준)이 수립되어 있지 않은 경우","사례 2 : 내부 지침 또는 시스템 등에 접근 및 사용에 대한 주기적인 점검·모니터링 기준을 마련하고 있으나 실제 이상접속 및 이상행위에 대한 검토 내역이 확인되지 않은 경우","사례 3 : 개인정보처리자가 개인정보처리시스템의 접속기록 점검 주기를 분기 1회로 정하고 있는 경우","사례 4 : 개인정보처리자의 내부 관리계획에는 1,000명 이상의 정보주체에 대한 개인정보를 다운로드한 경우에는 사유를 확인하도록 기준이 책정되어 있는 상태에서 1,000건 이상의 개인정보 다운로드가 발생하였으나 그 사유를 확인하지 않고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제8조(접속기록의 보관 및 점검)"]}],"description": "정보시스템의 정상적인 사용을 보장하고 사용자 오·남용(비인가접속, 과다조회 등)을 방지하기 위하여 접근 및 사용에 대한 로그 검토기준을 수립하여 주기적으로 점검하며, 문제 발생 시 사후조치를 적시에 수행하여야 한다.","checks_status": {"fail": 6,"pass": 0,"total": 26,"manual": 0}},"2.9.6": {"name": "시간 동기화","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.6 시간 동기화","Subdomain": "2.9. 시스템 및 서비스 운영관리","AuditEvidence": ["시간 동기화 설정","주요 시스템 시간 동기화 증거자료"],"AuditChecklist": ["정보시스템의 시간을 표준시간으로 동기화하고 있는가?","시간 동기화가 정상적으로 이루어지고 있는지 주기적으로 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 일부 중요 시스템(보안시스템, CCTV 등)의 시각이 표준시와 동기화되어 있지 않으며, 관련 동기화 여부에 대한 주기적 점검이 이행되고 있지 않은 경우","사례 2 : 내부 NTP 서버와 시각을 동기화하도록 설정하고 있으나 일부 시스템의 시각이 동기화되지 않고 있고, 이에 대한 원인분석 및 대응이 이루어지고 있지 않은 경우"],"RelatedRegulations": []}],"description": "로그 및 접속기록의 정확성을 보장하고 신뢰성 있는 로그분석을 위하여 관련 정보시스템의 시각을 표준시각으로 동기화하고 주기적으로 관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.9.7": {"name": "정보자산의 재사용 및 폐기","checks": {},"status": "PASS","attributes": [{"Domain": "2. 
보호대책 요구사항","Section": "2.9.7 정보자산의 재사용 및 폐기","Subdomain": "2.9. 시스템 및 서비스 운영관리","AuditEvidence": ["정보자산 폐기 및 재사용 절차","저장매체 관리대장","정보자산 및 저장매체 폐기 증거자료","정보자산 및 저장매체 폐기 관련 위탁계약서"],"AuditChecklist": ["정보자산의 안전한 재사용 및 폐기에 대한 절차를 수립·이행하고 있는가?","정보자산 및 저장매체를 재사용 및 폐기하는 경우 개인정보 및 중요정보를 복구되지 않는 방법으로 처리하고 있는가?","자체적으로 정보자산 및 저장매체를 폐기할 경우 관리대장을 통하여 폐기이력을 남기고 폐기확인 증적을 함께 보관하고 있는가?","외부업체를 통하여 정보자산 및 저장매체를 폐기할 경우 폐기 절차를 계약서에 명시하고 완전히 폐기하였는지 여부를 확인하고 있는가?","정보시스템, PC 등 유지보수, 수리 과정에서 저장매체 교체, 복구 등 발생 시 저장매체 내 정보를 보호하기 위한 대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보취급자 PC를 재사용할 경우 데이터 삭제프로그램을 이용하여 완전삭제 하도록 정책 및 절차가 수립되어 있으나, 실제로는 완전삭제 조치 없이 재사용하거나 기본 포맷만 하고 재사용하고 있는 등 관련 절차가 이행되고 있지 않은 경우","사례 2 : 외부업체를 통하여 저장매체를 폐기하고 있으나, 계약 내용상 안전한 폐기 절차 및 보호대책에 대한 내용이 누락되어 있고 폐기 이행 증거자료 확인 및 실사 등의 관리·감독이 이루어지지 않은 경우","사례 3 : 폐기된 HDD의 일련번호가 아닌 시스템명을 기록하거나 폐기 대장을 작성하지 않아 폐기 이력 및 추적할 수 있는 증거자료를 확인할 수 없는 경우","사례 4 : 회수한 폐기 대상 하드디스크가 완전삭제 되지 않은 상태로 잠금장치가 되지 않은 장소에 방치되고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제21조(개인정보의 파기)","개인정보의 안전성 확보조치 기준 제13조(개인정보의 파기)"]}],"description": "정보자산의 재사용과 폐기 과정에서 개인정보 및 중요정보가 복구·재생되지 않도록 안전한 재사용 및 폐기 절차를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.1": {"name": "개인정보 수집·이용","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.1 개인정보 수집·이용","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["온라인 개인정보 수집 양식(홈페이지 회원가입 화면, 모바일앱 회원가입 화면, 이벤트 참여 등)","오프라인 개인정보 수집 양식(회원가입신청서 등)","개인정보 수집 동의 기록(회원 데이터베이스 등)","법정대리인 동의 기록","개인정보 처리방침"],"AuditChecklist": ["개인정보를 수집하는 경우 정보주체 동의, 법령상 의무준수, 계약 체결·이행 등 적법 요건에 따라 수집하고 있는가?","정보주체에게 개인정보 수집 동의를 받는 경우 동의방법 및 시점은 적절하게 되어 있는가?","정보주체에게 개인정보 수집 동의를 받는 경우 관련 내용을 명확하게 고지하고 법령에서 정한 중요한 내용에 대해 알아보기 쉽게 표시하고 있는가?","만 14세 미만 아동의 개인정보에 대해 수집·이용·제공 등의 동의를 받는 경우 법정대리인에게 필요한 사항에 대하여 고지하고 동의를 받고 있는가?","법정대리인의 동의를 받기 위하여 필요한 최소한의 개인정보만을 수집하고 있으며, 법정대리인이 자격 요건을 갖추고 있는지 확인하는 절차와 방법을 마련하고 있는가?","만 14세 미만의 아동에게 개인정보 처리와 관련한 사항 등의 고지 시 이해하기 쉬운 양식과 명확하고 알기 쉬운 언어로 표현하고 있는가?","정보주체 및 법정대리인에게 동의를 받은 기록을 보관하고 있는가?","정보주체의 동의 없이 처리할 수 있는 개인정보에 대해서는 그 항목과 처리의 법적 근거를 정보주체의 동의를 받아 처리하는 개인정보와 구분하여 개인정보 처리방침에공개하거나 정보주체에게 알리고 있는가?","정보주체의 동의 없이 개인정보의 추가적인 이용 시 당초 수집 목적과의 관련성, 예측 가능성, 이익 침해 여부, 안전성 확보조치 등의 고려사항에 대한 판단기준을 수립 및 이행하고, 추가적인 이용이 지속적으로 발생하는 경우 고려사항에 대한 판단기준을개인정보 처리방침에 공개하고 이를 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보 보호법을 적용받는 개인정보처리자가 개인정보 수집 동의 시 고지 사항에 ʻ동의 거부 권리 및 동의 거부에 따른 불이익 내용ʼ을 누락한 경우","사례 2 : 개인정보 수집 동의 시 수집하는 개인정보 항목을 구체적으로 명시하지 않고 ʻ~ 등ʼ과 같이 포괄적으로 안내하는 경우","사례 3 : 쇼핑몰 홈페이지에서 회원가입 시 회원가입에 필요한 개인정보 외에 추후 물품 구매 시 필요한 결제·배송 정보를 미리 필수 항목으로 수집하는 경우","사례 4 : Q&A, 게시판을 통하여 비회원의 개인정보(이름, 이메일, 휴대폰번호)를 수집하면서 개인정보 수집 동의 절차를 거치지 않은 경우","사례 5 : 만 14세 미만 아동의 개인정보를 수집하면서 법정대리인의 동의를 받지 않은 경우","사례 6 : 만 14세 미만 아동에 대하여 서비스를 제공하고 있지 않지만, 회원가입 단계에서 입력받는 생년월일을 통하여 나이 체크를 하지 않아 법정대리인 동의 없이 가입된 만 14세 미만 아동 회원이 존재한 경우","사례 7 : 법정대리인의 진위 여부를 확인하는 절차가 미흡하여 미성년자 등 아동의 법정대리인으로 보기 어려운데도 법정대리인 동의가 가능한 경우","사례 8 : 만 14세 미만 아동으로부터 법정대리인 동의를 받는 목적으로 법정대리인의 개인정보(이름, 휴대폰번호)를 수집한 이후 법정대리인의 동의가 장기간 확인되지 않았음에도 이를 파기하지 않고 계속 보유하고 있는 경우","사례 9 : 법정대리인 동의에 근거하여 만 14세 미만 아동의 개인정보를 수집하였으나, 관련 기록을 보존하지 않아 법정대리인 동의와 관련된 사항(법정대리인 이름, 동의 일시 등)을 확인할 수 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제15조(개인정보의 수집·이용), 제22조(동의를 받는 방법), 제22조의2(아동의 개인정보 보호)","개인정보 처리 방법에 관한 고시"]}],"description": "개인정보는 적법하고 정당하게 수집·이용하여야 하며, 정보주체의 동의를 근거로 수집하는 경우에는 
적법한 방법으로 정보주체의 동의를 받아야 한다. 또한 만 14세 미만 아동의 개인정보를 수집하는 경우에는 그 법정대리인의 동의를 받아야 하며 법정대리인이 동의하였는지를 확인하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.2": {"name": "개인정보 수집 제한","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.2 개인정보 수집 제한","Subdomain": "3.1. 개인정보 수집 시 보호조치","AuditEvidence": ["온라인 개인정보 수집 양식(홈페이지 회원가입 화면, 이벤트 참여 화면 등)","오프라인 개인정보 수집 양식(멤버십 가입신청서 등)","개인정보 처리방침"],"AuditChecklist": ["개인정보를 수집하는 경우 그 목적에 필요한 범위에서 최소한의 정보만을 수집하고 있는가?","정보주체의 동의를 받아 개인정보를 수집하는 경우 필요한 최소한의 정보 외의 개인정보수집에는 동의하지 않을 수 있다는 사실을 구체적으로 알리고 있는가?","정보주체가 수집 목적에 필요한 최소한의 정보 이외의 개인정보 수집에 동의하지않는다는 이유로 서비스 또는 재화의 제공을 거부하지 않도록 하고 있는가?"],"NonComplianceCases": ["사례 1 : 계약의 체결 및 이행을 근거로 정보주체 동의 없이 개인정보를 수집하면서 계약의 체결 및 이행을 위해 반드시 필요하지 않은 개인정보 항목까지 과도하게 수집하는 경우","사례 2 : 정보주체로부터 선택사항에 대한 동의를 받으면서 해당 개인정보 수집에는 동의하지 아니할 수 있다는 사실을 구체적으로 알리지 않은 경우","사례 3 : 회원가입 양식에서 필수와 선택 정보를 구분하여 별도 동의를 받도록 되어 있었으나, 선택정보에 대하여 동의하지 않아도 회원가입이 가능함을 정보주체가 인지할 수 있도록 구체적으로 알리지 않은 경우(개인정보 입력 양식에 개인정보 항목별로 필수, 선택 여부가 표시되어 있지 않은 경우 등)","사례 4 : 홈페이지 회원가입 화면에서 선택사항에 대하여 동의하지 않거나 선택정보를 입력하지 않으면 다음 단계로 넘어가지 않거나 회원가입이 차단되는 경우","사례 5 : 채용 계약 시 채용 예정 직무와 직접 관련이 없는 가족사항 등 과도한 개인정보를 수집하는 경우"],"RelatedRegulations": ["개인정보 보호법 제16조(개인정보의 수집제한), 제22조(동의를 받는 방법)"]}],"description": "개인정보를 수집하는 경우 처리 목적에 필요한 최소한의 개인정보만을 수집하여야 하며, 정보주체가 선택적으로 동의할 수 있는 사항 등에 동의하지 아니한다는 이유로 정보주체에게 재화 또는 서비스의 제공을 거부하지 않아야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.3": {"name": "주민등록번호 처리 제한","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.3 주민등록번호 처리 제한","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["개인정보 수집 양식(홈페이지 회원가입 화면, 이벤트 참여, 멤버십 가입신청서 등)","온라인 개인정보 수집 양식(본인확인 등 대체가입수단 제공 화면)","주민등록번호를 처리하는 경우 주민등록번호 처리 근거 증거자료","개인정보 처리방침"],"AuditChecklist": ["주민등록번호는 명확한 법적 근거가 있는 경우에만 처리하고 있는가?","주민등록번호의 수집 근거가 되는 법조항을 구체적으로 식별하고 있는가?","법적 근거에 따라 주민등록번호를 처리하는 경우에도 정보주체가 인터넷 홈페이지를 통하여 회원으로 가입하는 단계에서는 주민등록번호를 사용하지 아니하고도 회원으로 가입할 수 있는 방법을 제공하고 있는가?"],"NonComplianceCases": ["사례 1 : 홈페이지 가입과 관련하여 실명확인 등 단순 회원관리 목적을 위하여 정보주체의 동의에 근거하여 주민등록번호를 수집한 경우","사례 2 : 정보주체의 주민등록번호를 시행규칙이나 지방자치단체의 조례에 근거하여 수집한 경우","사례 3 : 비밀번호 분실 시 본인확인 등의 목적으로 주민등록번호 뒤 6자리를 수집하지만, 관련된 법적 근거가 없는 경우","사례 4 : 채용전형 진행단계에서 법적 근거 없이 입사지원자의 주민등록번호를 수집한 경우","사례 5 : 콜센터에 상품, 서비스 관련 문의 시 본인확인을 위하여 주민등록번호를 수집한 경우","사례 6 : 주민등록번호 수집의 법적 근거가 있다는 사유로 홈페이지 회원가입 단계에서 대체가입수단을 제공하지 않고 주민등록번호를 입력받는 본인확인 및 회원가입 방법만을 제공한 경우"],"RelatedRegulations": ["개인정보 보호법 제24조의2(주민등록번호 처리의 제한)","정보통신망법 제23조의2(주민등록번호의 사용 제한)"]}],"description": "주민등록번호는 법적 근거가 있는 경우를 제외하고는 수집·이용 등 처리할 수 없으며, 주민등록번호의 처리가 허용된 경우라 하더라도 인터넷 홈페이지 등에서 대체수단을 제공하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.4": {"name": "민감정보 및 고유식별정보의 처리 제한","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.4 민감정보 및 고유식별정보의 처리 제한","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["온라인 개인정보 수집 양식(홈페이지 회원가입 화면, 이벤트 참여 등)","오프라인 개인정보 수집 양식(회원가입신청서 등)","개인정보 처리방침"],"AuditChecklist": ["민감정보는 정보주체로부터 별도의 동의를 받거나 관련 법령에 근거가 있는 경우에만처리하고 있는가?","고유식별정보(주민등록번호 제외)는 정보주체로부터 별도의 동의를 받거나 관련 법령에 구체적인 근거가 있는 경우에만 처리하고 있는가?","재화 또는 서비스를 제공하는 과정에서 공개되는 정보에 정보주체의 민감정보가 포함됨으로써 사생활 침해의 위험성이 있다고 판단하는 때에는 재화 또는 서비스의 제공 전에 민감정보의 공개 가능성 및 비공개를 선택하는 방법을 정보주체가 알아보기 쉽게 알리고 있는가?"],"NonComplianceCases": ["사례 1 : 장애인에 대한 요금감면 등 혜택 부여를 위하여 장애 여부 등 건강에 관한 민감정보를 수집하면서 다른 개인정보 항목에 포함하여 일괄 동의를 받은 경우","사례 2 : 회원가입 시 외국인에 한하여 외국인등록번호를 수집하면서 다른 개인정보 항목에 포함하여 일괄 동의를 받은 경우","사례 3 : 민감정보 또는 고유식별정보의 수집에 대해 별도의 동의를 받으면서 고지하여야 할 4가지 사항 중에 일부를 누락하거나 잘못된 내용으로 고지하는 경우(동의 거부 권리 및 동의 거부에 따른 불이익 사항을 고지하지 않은 경우 등)"],"RelatedRegulations": ["개인정보 보호법 제23조(민감정보의 처리제한), 제24조(고유식별정보의 처리 제한)"]}],"description": "민감정보와 고유식별정보(주민등록번호 제외)를 처리하기 위해서는 법령에서 구체적으로 처리를 요구하거나 허용하는 경우를 제외하고는 정보주체의 별도 동의를 받아야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.5": {"name": "개인정보 간접수집","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.5 개인정보 간접수집","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["개인정보 제공 관련 계약서(제공하는 자와의 계약 사항)","개인정보 수집출처에 대한 정보주체 통지 내역","개인정보 처리방침"],"AuditChecklist": ["정보주체 이외의 제3자로부터 개인정보를 제공받는 경우 개인정보 수집에 대한 동의획득 책임이 개인정보를 제공하는 자에게 있음을 계약을 통하여 명시하고 있는가?","공개된 매체 및 장소에서 개인정보를 수집하는 경우 정보주체의 공개 목적·범위 및 사회 통념상 동의 의사가 있다고 인정되는 범위 내에서만 수집·이용하고 있는가?","서비스 계약 이행을 위해 필요한 경우로서, 서비스 제공 과정에서 자동수집장치 등에 의하여 수집·생성하는 개인정보의 경우에도 최소수집 원칙을 적용하고 있는가?","정보주체 이외로부터 수집하는 개인정보에 대해 정보주체의 요구가 있는 경우 즉시 필요한 사항을 정보주체에게 알리고 있는가?","정보주체 이외로부터 수집한 개인정보를 처리하는 경우 개인정보의 종류·규모 등이 법적 요건에 해당하는 경우 필요한 사항을 정보주체에게 알리고 있는가?","정보주체에게 수집 출처에 대해 알린 기록을 해당 개인정보의 파기 시까지 보관 및 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 인터넷 홈페이지, SNS에 공개된 개인정보를 수집하고 있는 상태에서 정보주체의 수집 출처 요구에 대한 처리절차가 존재하지 않은 경우","사례 2 : 개인정보 보호법 제17조제1항제1호에 따라 다른 사업자로부터 개인정보 제공동의를 근거로 개인정보를 제공받았으나, 이에 대하여 해당 정보주체에게 3개월 내에 통지하지 않은 경우(다만 제공받은 자가 5만 명 이상 정보주체의 민감정보 또는 고유식별정보를 처리하거나 100만 명 이상 정보주체의 개인정보를 처리하는 경우)","사례 3 : 법적 의무 대상자에 해당되어 개인정보 수집 출처를 정보주체에게 통지하면서 개인정보의 처리목적 또는 동의를 철회할 권리가 있다는 사실 등 필수 통지사항을 일부 누락한 경우","사례 4 : 법적 의무 대상자에 해당되어 개인정보 수집 출처를 정보주체에게 통지하였으나, 수집 출처 통지에 관한 기록을 해당 개인정보의 파기 시까지 보관하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제16조(개인정보의 수집 제한), 제19조(개인정보를 제공받은 자의 이용·제공 제한), 제20조(정보주체 이외로부터 수집한 개인정보의 수집 출처 등 통지)"]}],"description": "정보주체 이외로부터 개인정보를 수집하거나 제3자로부터 제공받는 경우에는 업무에 필요한 최소한의 개인정보를 수집하거나 제공받아야 하며, 법령에 근거하거나 정보주체의 요구가 있으면 개인정보의 수집 출처, 처리목적, 처리정지의 요구권리를 알려야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.6": {"name": "영상정보처리기기 설치·운영","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.6 영상정보처리기기 설치·운영","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["영상정보처리기기 운영 현황","영상정보처리기기 안내판","영상정보처리기기 운영·관리방침","영상정보처리기기 관리화면(계정·권한 내역, 영상정보 보존기간 등)","영상정보처리기기 운영 수탁자와의 계약서 및 점검 이력"],"AuditChecklist": ["공개된 장소에 고정형 영상정보처리기기를 설치·운영할 경우 법적 허용 요건에 해당하는지를 검토하고 있는가?","공공기관 등이 공개된 장소에 고정형 영상정보처리기기를 설치·운영하려는 경우 공청회·설명회 개최 등의 법령에 따른 절차를 거쳐 관계 전문가 및 이해관계자의 의견을 수렴하고 있는가?","고정형 영상정보처리기기 설치·운영 시 정보주체가 쉽게 인식할 수 있도록 안내판 설치 등 필요한 조치를 하고 있는가?","업무를 목적으로 공개된 장소에서 이동형 영상정보처리기기를 운영하는 경우 법적 허용 요건에 해당하는지를 검토하고 있는가?","업무를 목적으로 공개된 장소에서 이동형 영상정보처리기기로 사람 또는 그 사람과 관련된 사물의 영상을 촬영하는 경우 불빛, 소리, 안내판 등의 방법으로 촬영 사실을 표시하고 알리고 있는가?","영상정보처리기기 및 영상정보의 안전한 관리를 위한 영상정보처리기기 운영·관리 방침을 마련하여 시행하고 있는가?","영상정보의 보관 기간을 정하고 있으며, 보관 기간 만료 시 지체 없이 파기하고 있는가?","영상정보처리기기 설치·운영에 관한 사무를 위탁하는 경우 관련 절차 및 요건에 따라 계약서에 반영하고 있는가?"],"NonComplianceCases": ["사례 1 : 영상정보처리기기 안내판의 고지 문구가 일부 누락되어 운영되고 있거나, 영상정보처리기기 운영 및 관리 방침을 수립·운영하고 있지 않은 경우","사례 2 : 영상정보처리기기 운영·관리 방침을 수립 운영하고 있으나, 방침 내용과 달리 보관기간을 준수하지 않고 운영되거나, 영상정보 보호를 위한 접근통제 및 로깅 등 방침에 기술한 사항이 준수되지 않는 등 관리가 미흡한 경우","사례 3 : 영상정보처리기기의 설치·운영 사무를 외부업체에 위탁하고 있으나, 영상정보의 관리 현황 점검에 관한 사항, 손해배상 책임에 관한 사항 등 법령에서 요구하는 내용을 영상정보처리기기 업무 위탁 계약서에 명시하지 않은 경우","사례 4 : 영상정보처리기기의 설치·운영 사무를 외부업체에 위탁하고 있으나, 영상정보처리기기 안내판에 수탁자의 명칭과 연락처를 누락하여 고지한 경우"],"RelatedRegulations": ["개인정보 보호법 제25조(고정형 영상정보처리기기의 설치·운영 제한), 제25조의2(이동형 영상정보처리기기의 운영 제한)"]}],"description": "고정형 영상정보처리기기를 공개된 장소에 설치·운영하거나 이동형 영상정보처리기기를 공개된 장소에서 업무를 목적으로 운영하는 경우 설치 목적 및 위치에 따라 법적 요구사항을 준수하고, 적절한 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.7": {"name": "마케팅 목적의 개인정보 수집·이용","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.7 마케팅 목적의 개인정보 수집·이용","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["온라인 개인정보 수집 양식(홈페이지 회원가입 화면, 모바일앱 회원가입 화면, 이벤트 참여 등)","오프라인 개인정보 수집 양식(회원가입신청서 등)","마케팅 동의 기록","광고성 정보전송 수신동의 기록 및 수신동의 의사확인 기록","광고성 정보 발송 시스템 관리자 화면(메일, SMS, 앱 푸시 등)","광고성 정보 발송 문구","개인정보 처리방침"],"AuditChecklist": ["정보주체에게 재화나 서비스를 홍보하거나 판매를 권유하기 위하여 개인정보 처리에 대한 동의를 받는 경우 정보주체가 이를 명확하게 인지할 수 있도록 알리고 별도의 동의를 받고 있는가?","전자적 전송매체를 이용하여 영리목적의 광고성 정보를 전송하는 경우 수신자의 명시적인 사전 동의를 받고 있으며, 2년마다 정기적으로 수신자의 수신동의 여부를 확인하고 있는가?","전자적 전송매체를 이용한 영리목적의 광고성 정보 전송에 대하여 수신자가 수신거부의사를 표시하거나 사전 동의를 철회한 경우 영리목적의 광고성 정보 전송을 중단하도록 하고 있는가?","영리목적의 광고성 정보를 전송하는 경우 전송자의 명칭, 수신거부 방법 등을 구체적으로 밝히고 있으며, 야간시간에는 전송하지 않도록 하고 있는가?"],"NonComplianceCases": ["사례 1 : ʻ홍보 및 마케팅ʼ 목적으로 개인정보를 수집하면서 ʻ부가서비스 제공ʼ, ʻ제휴 서비스 제공ʼ 등과 같이 목적을 모호하게 안내하는 경우 또는 다른 목적으로 수집하는 개인정보와 구분하지 않고 포괄 동의를 받는 경우","사례 2 : 모바일 앱에서 광고성 정보전송(앱 푸시)에 대하여 거부 의사를 밝혔으나, 프로그램 오류 등의 이유로 광고성 앱 푸시가 이루어지는 경우","사례 3 : 온라인 회원가입 화면에서 문자, 이메일에 의한 광고성 정보 전송에 대하여 디폴트로 체크되어 있는 경우","사례 4 : 광고성 정보 수신동의 여부에 대하여 2년마다 확인하지 않은 경우","사례 5 : 영리목적의 광고성 정보를 전자우편으로 전송하면서 제목이 시작되는 부분에 ʻ(광고)ʼ 표시를 하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제22조(동의를 받는 방법)","정보통신망법 제50조(광고성 정보 전송 제한)"]}],"description": "재화나 서비스의 홍보, 판매 권유, 광고성 정보전송 등 마케팅 목적으로 개인정보를 수집 및이용하는 경우 그 목적을 정보주체가 명확하게 인지할 수 있도록 고지하고 동의를 받아야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.1": {"name": "개인정보 현황관리","checks": {"macie_is_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL"},"status": "FAIL","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.2.1 개인정보 현황관리","Subdomain": "3.2. 
개인정보 보유 및 이용 시 보호조치","AuditEvidence": ["개인정보 현황표","개인정보 흐름표·흐름도","개인정보파일 등록 현황","개인정보파일 관리대장","개인정보 처리방침에 관한 사항을 기록한 개인정보파일","「조세범처벌법」에 따른 범칙행위 조사 및 「관세법」에 따른 범칙행위 조사에 관한 사항을 기록한 개인정보파일","일회성으로 운영되는 파일 등 지속적으로 관리할 필요가 낮다고 인정되어 대통령령으로 정하는 개인정보파일","회의 참석 수당 지급, 자료·물품의 송부, 금전의 정산 등 단순 업무 수행을 위해 운영되는 개인정보파일로서 지속적 관리 필요성이 낮은 개인정보파일","공중위생 등 공공의 안전과 안녕을 위하여 긴급히 필요한 경우로서 일시적으로 처리되는 개인정보파일","그 밖에 일회적 업무 처리만을 위해 수집된 개인정보파일로서 저장되거나 기록되지 않는 개인정보파일","다른 법령에 따라 비밀로 분류된 개인정보파일","국가안전보장과 관련된 정보 분석을 목적으로 수집 또는 제공 요청되는 개인정보파일","영상정보처리기기를 통하여 처리되는 개인영상정보파일","「금융실명거래 및 비밀보장에 관한 법률」에 따른 금융기관이 금융업무 취급을 위하여 보유하는 개인정보파일"],"AuditChecklist": ["수집·보유하고 있는 개인정보의 항목, 보유량, 처리 목적 및 방법, 보유기간 등 현황을 정기적으로 관리하고 있는가?","공공기관이 개인정보파일을 운용하거나 변경하는 경우 관련된 사항을 법률에서 정한 관계기관의 장에게 등록하고 있는가?","공공기관은 개인정보파일의 보유 현황을 개인정보 처리방침에 공개하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보파일을 홈페이지의 개인정보파일 등록 메뉴를 통하여 목록을 관리하고 있으나, 그 중 일부 홈페이지 서비스와 관련된 개인정보파일의 내용이 개인정보 처리방침에 누락되어 있는 경우","사례 2 : 신규 개인정보파일을 구축한 지 2개월이 경과하였으나, 해당 개인정보파일을 개인정보 보호위원회에 등록하지 않은 경우","사례 3 : 개인정보 보호위원회에 등록되어 공개된 개인정보파일의 내용(수집하는 개인정보의 항목 등)이 실제 처리하고 있는 개인정보파일 현황과 상이한 경우","사례 4 : 공공기관이 임직원의 개인정보파일, 통계법에 따라 수집되는 개인정보파일에 대해 개인정보파일 등록 예외사항에 해당되지 않음에도 불구하고 해당 개인정보파일을 개인정보 보호위원회에 등록하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제32조(개인정보파일의 등록 및 공개)"]}],"description": "수집·보유하는 개인정보의 항목, 보유량, 처리 목적 및 방법, 보유기간 등 현황을 정기적으로 관리하여야 하며, 공공기관의 경우 이를 법률에서 정한 관계기관의 장에게 등록하여야 한다.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"3.2.2": {"name": "개인정보 품질보장","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.2.2 개인정보 품질보장","Subdomain": "3.2. 
개인정보 보유 및 이용 시 보호조치","AuditEvidence": ["정보주체 개인정보 수정·변경 양식(온라인, 오프라인)","개인정보 최신성 유지 절차"],"AuditChecklist": ["개인정보를 최신의 상태로 정확하게 유지하기 위한 절차 및 방안을 수립·이행하고있는가?","정보주체가 본인의 개인정보에 대하여 정확성, 완전성 및 최신성을 유지할 수 있는 방법을 제공하고 있는가?"],"NonComplianceCases": ["사례 1 : 인터넷 홈페이지를 통하여 회원정보를 변경할 때는 본인확인 절차를 거치고 있으나, 고객센터 상담원과의 통화를 통한 회원 정보 변경 시에는 본인확인 절차가 미흡하여 회원정보의 불법적인 변경이 가능한 경우","사례 2 : 온라인 회원에 대해서는 개인정보를 변경할 수 있는 방법을 제공하고 있으나, 오프라인 회원에 대해서는 개인정보를 변경할 수 있는 방법을 제공하고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제3조(개인정보 보호 원칙)"]}],"description": "수집된 개인정보는 처리 목적에 필요한 범위에서 개인정보의 정확성·완전성·최신성이 보장되도록 정보주체에게 관리절차를 제공하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.3": {"name": "이용자 단말기 접근 보호","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.2.3 이용자 단말기 접근 보호","Subdomain": "3.2. 개인정보 보유 및 이용 시 보호조치","AuditEvidence": ["앱 접근권한 동의 화면","앱 접근권한 설정 현황"],"AuditChecklist": ["정보주체(이용자)의 이동통신단말장치 내에 저장되어 있는 정보 및 이동통신단말장치에 설치된 기능에 대하여 접근할 수 있는 권한이 필요한 경우 명확하게 인지할 수 있도록 알리고 정보주체(이용자)의 동의를 받고 있는가?","이동통신단말장치 내에서 해당 서비스를 제공하기 위하여 반드시 필요한 접근권한이 아닌 경우, 정보주체(이용자)가 동의하지 않아도 서비스 제공을 거부하지 않도록 하고 있는가?","이동통신단말장치 내에서 해당 접근권한에 대한 정보주체(이용자)의 동의 및 철회방법을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 스마트폰 앱에서 서비스에 불필요함에도 불구하고 주소록, 사진, 문자 등 스마트폰 내 개인정보 영역에 접근할 수 있는 권한을 과도하게 설정한 경우","사례 2 : 정보통신서비스 제공자의 스마트폰 앱에서 스마트폰 내에 저장되어 있는 정보 및 설치된 기능에 접근하면서 접근권한에 대한 고지 및 동의를 받지 않고 있는 경우","사례 3 : 스마트폰 앱의 접근권한에 대한 동의를 받으면서 선택사항에 해당하는 권한을 필수권한으로 고지하여 동의를 받는 경우","사례 4 : 접근권한에 대한 개별동의가 불가능한 안드로이드 6.0 미만 버전을 지원하는 스마트폰 앱을 배포하면서 선택적 접근권한을 함께 설정하여, 선택적 접근권한에 대하여 거부할 수 없도록 하고 있는 경우"],"RelatedRegulations": ["정보통신망법 제22조의2(접근권한에 대한 동의)"]}],"description": "정보주체(이용자)의 이동통신단말장치 내에 저장되어 있는 정보 및 이동통신단말장치에 설치된 기능에 접근이 필요한 경우 이를 명확하게 인지할 수 있도록 알리고 정보주체(이용자)의 동의를 받아야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.4": {"name": "개인정보 목적 외 이용 및 제공","checks": {},"status": "PASS","attributes": [{"Domain": "3. 
개인정보 처리 단계별 요구사항","Section": "3.2.4 개인정보 목적 외 이용 및 제공","Subdomain": "3.2. 개인정보 보유 및 이용 시 보호조치","AuditEvidence": ["개인정보 목적 외 이용 및 제3자 제공 내역(요청서 등 관련 증거자료 포함)","개인정보 목적 외 이용 및 제3자 제공 대장(공공기관인 경우)","홈페이지 또는 관보 게재 내역(공공기관인 경우)","자료 제공 요청 대응 지침","자료 제공 요청 공문 및 개인정보 제공내역, 대장 등"],"AuditChecklist": ["개인정보는 최초 수집 시 정보주체로부터 동의받은 목적 또는 법령에 근거한 범위 내에서만 이용·제공하고 있는가?","개인정보처리자로부터 개인정보를 제공받은 경우 제공받은 목적의 범위 내에서만 이용·제공하고 있는가?","개인정보를 수집 목적 또는 개인정보처리자로부터 제공받은 목적의 범위를 초과하여 이용하거나 제공하는 경우 정보주체에게 별도의 동의를 받거나 법적 근거가 있는 경우로 제한하고 있는가?","개인정보를 목적 외의 용도로 제3자에게 제공하는 경우 제공받는 자에게 이용목적 및 방법 등을 제한하거나 안전성 확보를 위하여 필요한 조치를 마련하도록 요청하고 있는가?","공공기관이 개인정보를 목적 외의 용도로 이용하거나 제3자에게 제공하는 경우 그 이용 또는 제공의 법적 근거, 목적 및 범위 등에 관하여 필요한 사항을 관보 또는 인터넷 홈페이지 등에 게재하고 있는가?","공공기관 등이 개인정보를 목적 외의 용도로 이용하거나 제3자에게 제공하는 경우 목적 외 이용 및 제3자 제공대장에 기록·관리하는 등 절차를 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 상품배송을 목적으로 수집한 개인정보를 사전에 동의 받지 않은 자사 상품의 통신판매 광고에 이용한 경우","사례 2 : 고객 만족도 조사, 경품 행사에 응모하기 위하여 수집한 개인정보를 자사의 할인판매행사 안내용 광고 발송에 이용한 경우","사례 3 : 공공기관이 다른 법률에 근거하여 민원인의 개인정보를 목적 외로 타 기관에 제공하면서 관련 사항을 관보 또는 인터넷 홈페이지에 게시하지 않은 경우","사례 4 : 공공기관이 범죄 수사의 목적으로 경찰서에 개인정보를 제공하면서 ʻ개인정보 목적 외 이용 및 제3자 제공 대장ʼ에 관련 사항을 기록하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제18조(개인정보의 목적 외 이용·제공 제한), 제19조(개인정보를 제공받은 자의 이용·제공 제한)"]}],"description": "개인정보는 수집 시의 정보주체에게 고지·동의를 받은 목적 또는 법령에 근거한 범위 내에서만 이용 또는 제공하여야 하며, 이를 초과하여 이용·제공하려는 때에는 정보주체의 추가 동의를 받거나 관계 법령에 따른 적법한 경우인지 확인하고 적절한 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.5": {"name": "가명정보 처리","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.2.5 가명정보 처리","Subdomain": "3.2. 
개인정보 보유 및 이용 시 보호조치","AuditEvidence": ["가명처리·익명처리 적정성 평가 절차 및 결과","가명정보 처리 기록","개인정보 처리방침(가명정보 이용·제공에 관한 사항) 등"],"AuditChecklist": ["가명정보를 처리하는 경우 목적 제한, 가명처리 방법 및 기준, 적정성 검토, 재식별 금지 및 재식별 발생 시 조치사항 등 가명정보를 적정하게 처리하기 위한 절차를 수립하고 있는가?","개인정보를 가명처리하여 이용·제공 시 추가 정보의 사용·결합 없이는 개인을 알아볼 수 없도록 적정한 수준으로 가명처리를 수행하고 있는가?","다른 개인정보처리자와 가명정보를 결합하는 경우 결합전문기관 또는 데이터전문기관을 통해 결합하고 있는가?","가명정보를 처리하는 경우 추가 정보를 삭제 또는 별도로 분리하여 보관·관리, 관련 기록의 작성·보관 등 안전성 확보에 필요한 기술적·관리적 및 물리적 조치를 하고 있는가?","가명정보 처리목적 등을 고려하여 가명정보의 처리 기간을 적정한 기간으로 정하고 있으며, 해당 기간이 경과한 경우 지체 없이 파기하고 있는가?","개인정보를 익명처리하는 경우 시간·비용·기술 등을 합리적으로 고려할 때 다른 정보를 사용하여도 더 이상 특정 개인을 알아볼 수 없도록 적정한 수준으로 익명처리하고 있는가?"],"NonComplianceCases": ["사례 1 : 통계작성 및 과학적 연구를 위하여 정보주체 동의 없이 가명정보를 처리하면서 가명정보 처리에 관한 기록을 남기고 있지 않거나, 또는 개인정보 처리방침에 관련 사항을 공개하지 않은 경우","사례 2 : 가명정보와 동일한 데이터베이스 내에 추가 정보를 분리하지 않고 보관하고 있거나, 또는 가명 정보와 추가 정보에 대한 접근권한이 적절히 분리되지 않은 경우","사례 3 : 개인정보를 가명처리하여 활용하고 있으나 적정한 수준의 가명처리가 수행되지 않아 추가 정보의 사용 없이도 다른 정보와의 결합 등을 통하여 특정 개인을 알아볼 수 있는 가능성이 존재하는 경우","사례 4 : 테스트 데이터 생성, 외부 공개 등을 위하여 개인정보를 익명처리하였으나, 특이치 등으로 인하여 특정 개인에 대한 식별가능성이 존재하는 등 익명처리가 적정하게 수행되었다고 보기 어려운 경우"],"RelatedRegulations": ["개인정보 보호법 제2조(정의), 제28조의2(가명정보의 처리 등), 제28조의3(가명정보의 결합 제한), 제28조의4(가명정보에 대한 안전조치의무 등), 제28조의5(가명정보 처리 시 금지의무 등), 제28조의7(적용범위), 제58조의2(적용제외)"]}],"description": "가명정보를 처리하는 경우 목적제한, 결합제한, 안전조치, 금지의무 등 법적 요건을 준수하고 적정 수준의 가명처리를 보장할 수 있도록 가명처리 절차를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.1": {"name": "개인정보 제3자 제공","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.3.1 개인정보 제3자 제공","Subdomain": "3.3. 
개인정보 제공 시 보호조치","AuditEvidence": ["온라인 개인정보 제3자 제공 관련 양식(홈페이지 회원가입 화면, 개인정보 제3자 제공 동의 화면 등)","오프라인 개인정보 제3자 제공 관련 양식(회원가입신청서, 개인정보 제3자 제공 동의서 등)","제3자 제공 내역","개인정보 처리방침"],"AuditChecklist": ["개인정보를 제3자에게 제공하는 경우 정보주체 동의, 법령상 의무준수 등 적법 요건을 명확히 식별하고 이를 준수하고 있는가?","정보주체에게 개인정보 제3자 제공 동의를 받는 경우 관련 사항을 명확하게 고지하고 다른 동의사항과 구분하여 적법하게 동의를 받고 있는가?","정보주체에게 개인정보 제3자 제공 동의를 받는 경우 관련 내용을 명확하게 고지하고 법령에서 정한 중요한 내용에 대해 명확히 표시하여 알아보기 쉽게 하고 있는가?","개인정보를 제3자에게 제공하는 경우 제공 목적에 맞는 최소한의 개인정보 항목으로 제한하고 있는가?","개인정보를 제3자에게 제공하는 경우 안전한 절차와 방법을 통해 제공하고 제공 내역을 기록하여 보관하고 있는가?","제3자에게 개인정보의 접근을 허용하는 경우 개인정보를 안전하게 보호하기 위한 보호절차에 따라 통제하고 있는가?","정보주체의 동의 없이 개인정보의 추가적인 제공 시 당초 수집 목적과의 관련성, 예측가능성, 이익 침해 여부, 안전성 확보조치 등의 고려사항에 대한 판단기준을 수립 및 이행하고, 추가적인 제공이 지속적으로 발생하는 경우 고려사항에 대한 판단기준을개인정보 처리방침에 공개하고 이를 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보처리자가 개인정보 제3자 제공 동의를 받을 때 정보주체에게 고지하는 사항 중에 일부 사항(동의 거부권, 제공하는 항목 등)을 누락한 경우","사례 2 : 개인정보를 제3자에게 제공하는 과정에서 제3자 제공 동의 여부를 적절히 확인하지 못하여 동의하지 않은 정보주체의 개인정보가 함께 제공된 경우","사례 3 : 개인정보를 제공 동의를 받을 때, 제공받는 자를 특정하지 않고 ʻ~ 등ʼ과 같이 포괄적으로 안내하고 동의를 받은 경우","사례 4 : 회원 가입 단계에서 선택사항으로 제3자 제공 동의를 받고 있으나, 제3자 제공에 동의하지 않으면 회원 가입 절차가 더 이상 진행되지 않도록 되어 있는 경우","사례 5 : 제공받는 자의 이용 목적과 관련 없이 지나치게 많은 개인정보를 제공하는 경우"],"RelatedRegulations": ["개인정보 보호법 제17조(개인정보의 제공), 제22조(동의를 받는 방법)","개인정보 처리 방법에 관한 고시"]}],"description": "개인정보를 제3자에게 제공하는 경우 법적 근거에 의하거나 정보주체의 동의를 받아야 하며, 제3자에게 개인정보의 접근을 허용하는 등 제공 과정에서 개인정보를 안전하게 보호하기 위한 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.2": {"name": "개인정보 처리 업무 위탁","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.3.2 개인정보 처리 업무 위탁","Subdomain": "3.3. 
개인정보 제공 시 보호조치","AuditEvidence": ["개인정보 처리방침(개인정보 처리업무 위탁 관련 공개 내역)","개인정보 수집 양식","개인정보 처리 위탁 계약서","재화 또는 서비스 홍보·판매 권유 업무 위탁 관련 정보주체 통지 내역"],"AuditChecklist": ["개인정보 처리업무를 제3자에게 위탁(재위탁 포함)하는 경우 인터넷 홈페이지 등에 위탁하는 업무의 내용과 수탁자를 현행화하여 공개하고 있는가?","재화 또는 서비스를 홍보하거나 판매를 권유하는 업무를 위탁하는 경우에는 서면, 전자우편, 문자전송 등의 방법으로 위탁하는 업무의 내용과 수탁자를 정보주체에게 알리고 있는가?"],"NonComplianceCases": ["사례 1 : 홈페이지 개인정보 처리방침에 개인정보 처리업무 위탁 사항을 공개하고 있으나, 일부 수탁자와 위탁하는 업무의 내용이 누락된 경우","사례 2 : 재화 또는 서비스를 홍보하거나 판매를 권유하는 업무를 위탁하면서, 위탁하는 업무의 내용과 수탁자를 서면등의 방법으로 정보주체에게 알리지 않고 개인정보 처리방침에 공개하는 것으로 갈음한 경우","사례 3 : 기존 개인정보 처리업무 수탁자와의 계약 해지에 따라 개인정보 처리업무 수탁자가 변경되었으나, 이에 대하여 개인정보 처리방침에 지체 없이 반영하지 않은 경우","사례 4 : 개인정보 처리업무를 위탁받은 자가 해당 업무를 제3자에게 재위탁을 하고 있지만, 재위탁에 관한 사항을 인터넷 홈페이지 등에 공개하고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한)"]}],"description": "개인정보 처리업무를 제3자에게 위탁하는 경우 위탁하는 업무의 내용과 수탁자 등 관련사항을 공개하여야 한다. 또한 재화 또는 서비스를 홍보하거나 판매를 권유하는 업무를 위탁하는 경우 위탁하는 업무의 내용과 수탁자를 정보주체에게 알려야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.3": {"name": "영업의 양도 등에 따른 개인정보 이전","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.3.3 영업의 양도 등에 따른 개인정보 이전","Subdomain": "3.3. 
개인정보 제공 시 보호조치","AuditEvidence": ["개인정보 이전 관련 정보주체 고지 내역(영업 양수도 시)","개인정보 처리방침"],"AuditChecklist": ["영업의 전부 또는 일부의 양도·합병 등으로 개인정보를 다른 사람에게 이전하는 경우 필요한 사항을 사전에 정보주체에게 알리고 있는가?","개인정보를 이전받는 자는 법적 통지 요건에 해당될 경우 개인정보를 이전받은 사실 등 필요한 사항을 정보주체에게 지체 없이 알리고 있는가?","개인정보를 이전받는 자는 이전 당시의 본래 목적으로만 개인정보를 이용하거나 제3자에게 제공하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보처리자가 영업 양수를 통하여 개인정보를 이전받으면서 양도자가 개인정보 이전 사실을 알리지 않았음에도 개인정보 이전 사실을 정보주체에게 알리지 않은 경우","사례 2 : 영업 양수도 등에 의하여 개인정보를 이전받으면서 정보주체가 이전을 원하지 않은 경우 조치할 수 있는 방법과 절차를 마련하지 않거나, 이를 정보주체에게 알리지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제27조(영업양도 등에 따른 개인정보의 이전 제한)"]}],"description": "영업의 양도·합병 등으로 개인정보를 이전하거나 이전받는 경우 정보주체 통지 등 적절한 보호조치를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.4": {"name": "개인정보 국외이전","checks": {"s3_bucket_cross_region_replication": "FAIL"},"status": "FAIL","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.3.4 개인정보 국외이전","Subdomain": "3.3. 개인정보 제공 시 보호조치","AuditEvidence": ["개인정보 국외 이전 관련 동의 양식","개인정보 국외 이전 관련 계약서","개인정보 처리방침","개인정보 국외 처리위탁·보관 관련 통지 또는 공개 내역"],"AuditChecklist": ["개인정보를 국외로 이전하는 경우 정보주체에게 국외 이전에 관한 고지 사항을 모두 알리고 별도 동의를 받거나, 인증 또는 인정 등 적법 요건을 준수하고 있는가?","정보주체와의 계약의 체결 및 이행을 위한 개인정보의 국외 처리위탁·보관에 대해 정보주체에게 알리는 경우 필요한 사항을 모두 포함하여 적절한 방법으로 알리고 있는가?","개인정보 보호 관련 법령 준수 및 개인정보 보호 등에 관한 사항을 포함하여 국외 이전에 관한 계약을 체결하고 있는가?","개인정보를 국외로 이전하는 경우 개인정보 보호를 위하여 필요한 조치를 취하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보를 처리하는 과정에서 국외 사업자에게 개인정보 제3자 제공이 발생하였으나, 인증, 대상국 인정 등 동의 예외 요건에 해당되지 않음에도 불구하고 개인정보 국외 이전에 대한 별도 동의를 받지 않은 경우","사례 2 : 국외 클라우드 서비스(국외 리전)를 이용하여 개인정보 처리위탁 및 보관을 하면서 이전되는 국가, 이전 방법 등 관련 사항을 개인정보 처리방침에 공개하거나 정보주체에게 알리지 않은 경우","사례 3 : 개인정보 국외 이전에 대한 동의를 받으면서 이전받는 자의 명칭(업체명)만 고지하고 이전되는 국가 등에 대하여 알리지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제28조의8(개인정보의 국외 이전), 제28조의9(개인정보의 국외 이전 중지 명령), 제28조의10(상호주의), 제28조의11(준용규정)","개인정보 국외 이전 운영 등에 관한 규정"]}],"description": "개인정보를 국외로 이전하는 경우 국외 이전에 대한 동의, 관련 사항에 대한 공개 등 적절한 보호조치를 수립·이행하여야 한다.","checks_status": {"fail": 
1,"pass": 0,"total": 1,"manual": 0}},"3.4.1": {"name": "개인정보 파기","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.4.1 개인정보 파기","Subdomain": "3.4. 개인정보 파기 시 보호조치","AuditEvidence": ["개인정보 보유기간 및 파기 관련 규정","개인정보 파기 결과(회원 데이터베이스 등)","개인정보 파기관리대장"],"AuditChecklist": ["개인정보의 보유기간 및 파기와 관련된 내부 정책을 수립하고 있는가?","개인정보의 처리목적이 달성되거나 보유기간이 경과한 경우 지체 없이 해당 개인정보를 파기하고 있는가?","개인정보를 파기할 때에는 복구·재생되지 않도록 안전한 방법으로 파기하고 있는가?","개인정보 파기에 대한 기록을 남기고 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 회원 탈퇴 등 목적이 달성되거나 보유기간이 경과된 경우 회원 데이터베이스에서는 해당 개인정보를 파기하였으나, CRM·DW 등 연계된 개인정보처리시스템에 복제되어 저장되어 있는 개인정보를 파기하지 않은 경우","사례 2 : 특정 기간 동안 이벤트를 하면서 수집된 개인정보에 대하여 이벤트가 종료된 이후에도 파기 기준이 수립되어 있지 않거나 파기가 이루어지고 있지 않은 경우","사례 3 : 콜센터에서 수집되는 민원처리 관련 개인정보(상담이력, 녹취 등)를 전자상거래법을 근거로 3년간 보존하고 있으나, 3년이 경과한 후에도 파기하지 않고 보관하고 있는 경우","사례 4 : 블록체인 등 기술적 특성으로 인하여 목적이 달성된 개인정보의 완전 파기가 어려워 완전파기 대신 익명처리를 하였으나, 익명처리가 적절하게 수행되지 않아 일부 개인정보의 재식별 등 복원이 가능한 경우"],"RelatedRegulations": ["개인정보 보호법 제21조(개인정보의 파기)","개인정보의 안전성 확보조치 기준 제13조(개인정보의 파기)"]}],"description": "개인정보의 보유기간 및 파기 관련 내부 정책을 수립하고 개인정보의 보유기간 경과, 처리목적 달성 등 파기 시점이 도달한 때에는 파기의 안전성 및 완전성이 보장될 수 있는 방법으로 지체 없이 파기하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.4.2": {"name": "처리목적 달성 후 보유 시 조치","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.4.2 처리목적 달성 후 보유 시 조치","Subdomain": "3.4. 
개인정보 파기 시 보호조치","AuditEvidence": ["개인정보 보유기간 및 파기 관련 규정","분리 데이터베이스 현황(테이블 구조 등)","분리 데이터베이스 접근권한 현황"],"AuditChecklist": ["개인정보의 보유기간 경과 또는 처리목적 달성 후에도 관련 법령 등에 따라 파기하지 않고 보존하는 경우, 관련 법령에 따른 최소한의 기간으로 한정하여 최소한의 정보만을 보존하도록 관리하고 있는가?","개인정보의 보유기간 경과 또는 처리목적 달성 후에도 관련 법령 등에 따라 파기하지 않고 보존하는 경우 해당 개인정보 또는 개인정보파일을 다른 개인정보와 분리하여 저장·관리하고 있는가?","분리 보관하고 있는 개인정보에 대하여 법령에서 정한 목적 범위 내에서만 처리 가능하도록 관리하고 있는가?","분리 보관하고 있는 개인정보에 대하여 접근권한을 최소한의 인원으로 제한하고 있는가?"],"NonComplianceCases": ["사례 1 : 탈퇴회원 정보를 파기하지 않고 전자상거래법에 따라 일정기간 보관하면서 Flag값만 변경하여 다른 회원정보와 동일한 테이블에 보관하고 있는 경우","사례 2 : 전자상거래법에 따른 소비자 불만 및 분쟁처리에 관한 기록에 대해 관련 법적 요건을 잘못 적용하여 3년이 아닌 5년간 보존하도록 정하고 있는 경우","사례 3 : 분리 데이터베이스를 구성하였으나 접근권한을 별도로 설정하지 않아 업무상 접근이 불필요한 인원도 분리 데이터베이스에 자유롭게 접근이 가능한 경우","사례 4 : 탈퇴회원 정보를 파기하지 않고 전자상거래법에 따라 계약 또는 청약철회, 대금결제 및 재화 공급에 관한 기록을 분리하여 보존하였으나, 전자상거래법에 따른 보존의무가 없는 선택정보까지 과도하게 보존한 경우"],"RelatedRegulations": ["개인정보 보호법 제21조(개인정보의 파기)"]}],"description": "개인정보의 보유기간 경과 또는 처리목적 달성 후에도 관련 법령 등에 따라 파기하지 않고 보존하는 경우에는 해당 목적에 필요한 최소한의 항목으로 제한하고 다른 개인정보와 분리하여 저장·관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.1": {"name": "개인정보 처리방침 공개","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.5.1 개인정보 처리방침 공개","Subdomain": "3.5. 
정보주체 권리보호","AuditEvidence": ["개인정보 처리방침","개인정보 처리방침 개정 관련 공지 내역(게시판 등)"],"AuditChecklist": ["개인정보 처리방침을 법령에서 요구하는 내용을 모두 포함하여 알기 쉬운 용어로 구체적이고 명확하게 작성하였는가?","개인정보 처리방침을 정보주체가 쉽게 확인할 수 있도록 인터넷 홈페이지 등에 지속적으로 현행화하여 공개하고 있는가?","개인정보 처리방침이 변경되는 경우 사유 및 변경 내용을 지체 없이 공지하고 정보주체가 언제든지 변경된 사항을 쉽게 알아 볼 수 있도록 조치하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보 처리방침에 공개되어 있는 개인정보 수집, 제3자 제공 내역이 실제 수집 및 제공하는 내역과 다른 경우","사례 2 : 개인정보 보호책임자의 변경, 수탁자 변경 등 개인정보 처리방침 공개 내용 중에 변경사항이 발생하였음에도 이를 반영하여 변경하지 않은 경우","사례 3 : 개인정보 처리방침이 공개는 되어 있으나, 명칭이 ʻ개인정보 처리방침ʼ이 아니라 ʻ개인정보 보호정책ʼ으로 되어 있고 글자 크기, 색상 등을 활용하여 정보주체가 쉽게 찾을 수 있도록 되어 있지 않은 경우","사례 4 : 개인정보 처리방침이 몇 차례 개정되었으나, 예전에 작성된 개인정보 처리방침의 내용을 확인할 수 있도록 공개되어 있지 않은 경우","사례 5 : 전자상거래법, 상법 등 다른 법령에 따라 개인정보를 파기하지 아니하고 일정기간 보관하고 있으나, 이에 따른 보존근거와 보존하는 개인정보 항목을 개인정보 처리방침에 공개하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제30조(개인정보 처리방침의 수립 및 공개), 제30조의2(개인정보 처리방침의 평가 및 개선권고)"]}],"description": "개인정보의 처리 목적 등 필요한 사항을 모두 포함하여 정보주체가 알기 쉽도록 개인정보 처리방침을 수립하고, 이를 정보주체가 언제든지 쉽게 확인할 수 있도록 적절한 방법에 따라 공개하고 지속적으로 현행화하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.2": {"name": "정보주체 권리보장","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.5.2 정보주체 권리보장","Subdomain": "3.5. 
정보주체 권리보호","AuditEvidence": ["개인정보 처리방침","개인정보 열람등요구 처리 절차, 관련 양식","개인정보 열람등요구 시 조치 내역","회원 탈퇴 및 동의 철회 절차"],"AuditChecklist": ["정보주체 또는 그 대리인이 개인정보에 대한 열람, 정정·삭제, 처리정지 및 동의 철회 등(이하 '열람등요구'라 함)을 개인정보 수집방법·절차보다 어렵지 아니하도록 권리 행사 방법및 절차를 마련하여 공개하고 있는가?","정보주체 또는 그 대리인이 개인정보 열람등요구를 하는 경우 기간 내에 열람등요구에 따른 필요한 조치를 하고 있는가?","정보주체 또는 그 대리인이 개인정보 수집·이용·제공 등의 동의를 철회하는 경우 지체 없이 수집된 개인정보를 파기하는 등 필요한 조치를 취하고 있는가?","정보주체의 열람등요구에 대한 조치에 불복이 있는 경우 이의를 제기할 수 있도록 필요한 절차를 마련하여 안내하고 있는가?","정보주체의 열람등요구 및 처리 결과에 대하여 기록을 남기고 있는가?","정보통신망에서 사생활 침해 또는 명예훼손 등 타인의 권리를 침해한 경우 침해를 받은 자가 정보통신서비스 제공자에게 정보의 삭제 요청 등을 할 수 있는 절차를 마련하여 시행하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보의 열람, 정정·삭제, 처리정지 요구 방법을 정보주체가 알 수 있도록 공개하지 않은 경우","사례 2 : 개인정보의 열람 요구에 대하여 정당한 사유의 통지 없이 열람 요구를 접수받은 날로부터 10일을 초과하여 회신하고 있는 경우","사례 3 : 개인정보의 열람 민원에 대한 처리 내역 기록 및 보관이 이루어지지 않은 경우","사례 4 : 정보주체 당사자 또는 정당한 대리인이 맞는지에 대한 확인 절차 없이 열람 통지가 이루어지는 경우","사례 5 : 개인정보의 정정·삭제 요구에 대하여 정정·삭제 요구를 접수받은 날로부터 10일을 초과하여 회신하는 경우","사례 6 : 회원 가입 시에는 온라인을 통하여 쉽게 회원 가입이 가능하였으나, 회원 탈퇴 시에는 신분증 등 추가 서류를 제출하게 하거나 오프라인 방문을 통해서만 가능하도록 하는 경우"],"RelatedRegulations": ["개인정보 보호법 제34조의2(노출된 개인정보의 삭제·차단), 제35조(개인정보의 열람), 제35조의2(개인정보의 전송 요구), 제36조(개인정보의 정정·삭제), 제37조(개인정보의 처리정지 등), 제37조의2(자동화된 결정에 대한 정보주체의 권리 등), 제38조(권리행사의 방법 및 절차)","정보통신망법 제44조(정보통신망에서의 권리보호), 제44조의2(정보의 삭제요청 등), 제44조의3(임의의 임시조치)"]}],"description": "정보주체가 개인정보의 열람, 정정·삭제, 처리정지, 이의제기, 동의철회 등 요구를 수집 방법·절차보다 쉽게 할 수 있도록 권리행사 방법 및 절차를 수립·이행하고, 정보주체의 요구를 받은 경우 지체 없이 처리하고 관련 기록을 남겨야 한다. 또한 정보주체의 사생활 침해, 명예훼손 등 타인의 권리를 침해하는 정보가 유통되지 않도록 삭제요청, 임시조치 등의 기준을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.3": {"name": "정보주체에 대한 통지","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.5.3 정보주체에 대한 통지","Subdomain": "3.5. 
정보주체 권리보호","AuditEvidence": ["개인정보 이용·제공 내역 통지 기록","개인정보 이용·제공 내역 통지 양식 및 문구"],"AuditChecklist": ["법적 의무 대상자에 해당하는 경우 개인정보 이용·제공 내역 또는 그 내역을 확인할 수 있는 정보시스템에 접속하는 방법을 정보주체에게 주기적으로 통지하고 있는가?","개인정보 이용·제공 내역 통지 항목은 법적 요구항목을 모두 포함하고 있는가?"],"NonComplianceCases": ["사례 1 : 전년도 말 기준 직전 3개월 간 일일 평균 저장·관리하고 있는 개인정보가 100만명 이상으로서 개인정보 이용제공 내역 통지 의무 대상자에 해당 됨에도 불구하고 금년도에 개인정보 이용 및내역을 통지하지 않은 경우","사례 2 : 개인정보 이용·제공 내역을 개별 정보주체에게 직접적으로 통지하는 대신 홈페이지에서 단순 팝업창이나 별도 공지사항으로 안내만 한 경우"],"RelatedRegulations": ["개인정보 보호법 제20조의2(개인정보 이용·제공 내역의 통지)"]}],"description": "개인정보의 이용·제공 내역 등 정보주체에게 통지하여야 할 사항을 파악하여 그 내용을 주기적으로 통지하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.1": {"name": "보안시스템 운영","checks": {"kms_cmk_are_used": null,"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","elbv2_waf_acl_attached": "FAIL","kms_cmk_rotation_enabled": null,"ec2_securitygroup_not_used": "FAIL","guardduty_centrally_managed": "FAIL","wafv2_webacl_logging_enabled": "FAIL","ssm_managed_compliant_patching": "FAIL","kms_key_not_publicly_accessible": null,"ssmincidents_enabled_with_plans": null,"inspector2_active_findings_exist": "FAIL","cloudfront_distributions_using_waf": null,"cognito_user_pool_waf_acl_attached": null,"trustedadvisor_errors_and_warnings": null,"apigateway_restapi_waf_acl_attached": "FAIL","config_recorder_all_regions_enabled": null,"guardduty_no_high_severity_findings": "FAIL","ec2_securitygroup_from_launch_wizard": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","organizations_delegated_administrators": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","secretsmanager_automatic_rotation_enabled": "FAIL","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_instance_port_ldap_exposed_to_internet": 
"PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","cloudwatch_log_metric_filter_sign_in_without_mfa": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","shield_advanced_protection_in_global_accelerators": null,"ec2_instance_internet_facing_with_instance_profile": "FAIL","shield_advanced_protection_in_route53_hosted_zones": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_authentication_failures": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","shield_advanced_protection_in_internet_facing_load_balancers": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.1 보안시스템 운영","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["보안시스템 구성","네트워크 구성","보안시스템 운영절차","방화벽 정책","방화벽 정책 설정·변경 요청서","보안시스템 예외자 목록","보안시스템별 관리 화면(방화벽, IPS, 서버접근제어, DLP, DRM 등)","보안시스템 정책 검토 이력"],"AuditChecklist": ["조직에서 운영하고 있는 보안시스템에 대한 운영절차를 수립·이행하고 있는가?","보안시스템 관리자 등 접근이 허용된 인원을 최소화하고 비인가자의 접근을 엄격하게 통제하고 있는가?","보안시스템별로 정책의 신규 등록, 변경, 삭제 등을 위한 공식적인 절차를 수립 및 이행하고 있는가?","보안시스템의 예외 정책 등록에 대하여 절차에 따라 관리하고 있으며, 예외 정책 사용자에 대하여 최소한의 권한으로 관리하고 있는가?","보안시스템에 설정된 정책의 타당성 여부를 주기적으로 검토하고 있는가?","개인정보처리시스템에 대한 불법적인 접근 및 개인정보 유출 방지를 위하여 관련 법령에서 정한 기능을 수행하는 보안시스템을 설치하여 운영하고 있는가?"],"NonComplianceCases": ["사례 1 : 침입차단시스템 보안정책에 대한 정기 검토가 수행되지 않아 불필요하거나 과도하게 허용된 정책이 다수 존재하는 경우","사례 2 : 보안시스템 보안정책의 신청, 변경, 삭제, 주기적 검토에 대한 절차 및 기준이 없거나, 절차는 있으나 이를 준수하지 않은 경우","사례 3 : 보안시스템의 관리자 지정 및 권한 부여 현황에 대한 관리감독이 적절히 이행되고 있지 않은 경우","사례 4 : 내부 지침에는 정보보호담당자가 보안시스템의 보안정책 변경 이력을 기록·보관하도록 정하고 있으나, 정책관리대장을 주기적으로 작성하지 않고 있거나 정책관리대장에 기록된 보안정책과 실제 운영 중인 시스템의 보안정책이 상이한 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "보안시스템 유형별로 관리자 지정, 최신 정책 업데이트, 룰셋 변경, 이벤트 모니터링 등의 운영절차를 수립·이행하고 보안시스템별 정책적용 현황을 관리하여야 한다.","checks_status": {"fail": 16,"pass": 39,"total": 75,"manual": 0}},"2.10.2": {"name": "클라우드 보안","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.2 클라우드 보안","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["클라우드 서비스 관련 계약서 및 SLA","클라우드 서비스 위험분석 결과","클라우드 서비스 보안통제 정책","클라우드 서비스 관리자 권한 부여 현황","클라우드 서비스 구성도","클라우드 서비스 보안설정 현황","클라우드 서비스 보안설정 적정성 검토 이력"],"AuditChecklist": ["클라우드 서비스 제공자와 정보보호 및 개인정보보호에 대한 책임과 역할을 명확히정의하고 이를 계약서(SLA 등)에 반영하고 있는가?","클라우드 서비스 이용 시 서비스 유형에 따른 보안위험을 평가하여 비인가 접근,설정오류 등을 방지할 수 있도록 보안 구성 및 설정 기준, 보안설정 변경 및 승인 절차, 안전한 접속방법, 권한 체계 등 보안 통제 정책을 수립·이행하고 있는가?","클라우드 서비스 관리자 권한은 역할에 따라 최소화하여 부여하고 관리자 권한에 대한비인가 접근, 권한 오·남용 등을 방지할 수 있도록 강화된 인증, 암호화, 접근통제, 감사기록 등 보호대책을 적용하고 있는가?","클라우드 서비스의 보안 설정 변경, 운영 현황 등을 모니터링하고 그 적절성을 정기적으로검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 클라우드 서비스 계약서 내에 보안에 대한 책임 및 역할 등에 대한 사항이 포함되어 있지 않은 경우","사례 2 : 클라우드 서비스의 보안설정을 변경할 수 있는 권한이 업무상 반드시 필요하지 않은 직원들에게 과도하게 부여되어 있는 경우","사례 3 : 내부 지침에는 클라우드 내 사설 네트워크의 접근통제 룰(Rule) 변경 시 보안책임자 승인을 받도록 하고 있으나, 승인절차를 거치지 않고 등록·변경된 접근제어 룰이 다수 발견된 경우","사례 4 : 클라우드 서비스의 보안설정 오류로 내부 로그 파일이 인터넷을 통하여 공개되어 있는 경우"],"RelatedRegulations": []}],"description": "클라우드 서비스 이용 시 서비스 유형(SaaS, PaaS, IaaS 등)에 따른 비인가 접근, 설정 오류 등에 따라 중요정보와 개인정보가 유·노출되지 않도록 관리자 접근 및 보안 설정 등에 대한 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.3": {"name": "공개서버 보안","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","ssm_document_secrets": "PASS","elbv2_waf_acl_attached": "FAIL","elb_insecure_ssl_ciphers": "PASS","apigateway_restapi_public": "FAIL","lightsail_database_public": null,"lightsail_instance_public": null,"elbv2_insecure_ssl_ciphers": "PASS","lightsail_static_ip_unused": null,"networkfirewall_in_all_vpc": "FAIL","ec2_instance_imdsv2_enabled": "PASS","elbv2_desync_mitigation_mode": "FAIL","awslambda_function_inside_vpc": "FAIL","awslambda_function_url_public": null,"ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","ssm_managed_compliant_patching": "FAIL","inspector2_active_findings_exist": "FAIL","acm_certificates_expiration_check": "PASS","awslambda_function_url_cors_policy": 
null,"cloudfront_distributions_using_waf": null,"vpc_subnet_separate_private_public": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","apigatewayv2_api_authorizers_enabled": "FAIL","awslambda_function_no_secrets_in_code": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","apigateway_restapi_authorizers_enabled": "PASS","cloudfront_distributions_https_enabled": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","apigateway_restapi_public_with_authorizer": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","awslambda_function_no_secrets_in_variables": "PASS","awslambda_function_not_publicly_accessible": "PASS","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","route53_domains_privacy_protection_enabled": null,"ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","apigateway_restapi_client_certificate_enabled": "FAIL","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","kafka_cluster_mutual_tls_authentication_enabled": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","autoscaling_find_secrets_ec2_launch_configuration": "PASS","ec2_instance_internet_facing_with_instance_profile": "FAIL","cloudfront_distributions_using_deprecated_ssl_protocols": 
null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.3 공개서버 보안","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["네트워크 구성도","웹사이트 정보공개 절차 및 내역(신청·승인·게시 이력 등)","개인정보 및 중요정보 노출 여부 점검 이력"],"AuditChecklist": ["공개서버를 운영하는 경우 이에 대한 보호대책을 수립·이행하고 있는가?","공개서버는 내부 네트워크와 분리된 DMZ 영역에 설치하고 침입차단시스템 등 보안시스템을 통하여 보호하고 있는가?","공개서버에 개인정보 및 중요정보를 게시하거나 저장하여야 할 경우 책임자 승인 등 허가 및 게시절차를 수립·이행하고 있는가?","조직의 중요정보가 웹사이트 및 웹서버를 통하여 노출되고 있는지 여부를 주기적으로 확인하여 중요정보 노출을 인지한 경우 이를 즉시 차단하는 등의 조치를 취하고 있는가?"],"NonComplianceCases": ["사례 1 : 인터넷에 공개된 웹사이트의 취약점으로 인하여 구글 검색을 통하여 열람 권한이 없는 타인의 개인정보에 접근할 수 있는 경우","사례 2 : 웹사이트에 개인정보를 게시하는 경우 승인 절차를 거치도록 내부 규정이 마련되어 있으나, 이를 준수하지 않고 개인정보가 게시된 사례가 다수 존재한 경우","사례 3 : 게시판 등의 웹 응용프로그램에서 타인이 작성한 글을 임의로 수정·삭제하거나 비밀번호로 보호된 글을 열람할 수 있는 경우"],"RelatedRegulations": []}],"description": "외부 네트워크에 공개되는 서버의 경우 내부 네트워크와 분리하고 취약점 점검, 접근통제, 인증, 정보 수집·저장·공개 절차 등 강화된 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 19,"pass": 47,"total": 76,"manual": 0}},"2.10.4": {"name": "전자거래 및 핀테크 보안","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.4 전자거래 및 핀테크 보안","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["전자거래 및 핀테크 서비스 보호대책","결제시스템 연계 시 보안성 검토 결과"],"AuditChecklist": ["전자거래 및 핀테크 서비스를 제공하는 경우 거래의 안전성과 신뢰성 확보를 위한보호대책을 수립·이행하고 있는가?","전자거래 및 핀테크 서비스 제공을 위하여 결제시스템 등 외부 시스템과 연계하는 경우 송수신되는 관련 정보의 보호를 위한 대책을 수립·이행하고 안전성을 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 전자결제대행업체와 위탁 계약을 맺고 연계를 하였으나, 적절한 인증 및 접근제한 없이 특정 URL을 통하여 결제 관련 정보가 모두 평문으로 전송되는 경우","사례 2 : 전자결제대행업체와 외부 연계 시스템이 전용망으로 연결되어 있으나, 해당 연계 시스템에서 내부 업무 시스템으로의 접근이 침입차단시스템 등으로 적절히 통제되지 않고 있는 경우","사례 3 : 내부 지침에는 외부 핀테크 서비스 연계 시 정보보호팀의 보안성 검토를 받도록 되어 있으나, 최근에 신규 핀테크 서비스를 연계하면서 일정상 이유로 보안성 검토를 수행하지 않은 경우"],"RelatedRegulations": []}],"description": "전자거래 및 핀테크 서비스 제공 시 정보유출이나 데이터 조작·사기 등의 침해사고 예방을 위하여 인증·암호화 등의 보호대책을 수립하고, 결제시스템 등 외부 시스템과 연계할 경우 안전성을 점검하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.5": {"name": "정보전송 보안","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","elb_insecure_ssl_ciphers": "PASS","elbv2_insecure_ssl_ciphers": "PASS","rds_instance_transport_encrypted": "FAIL","s3_bucket_secure_transport_policy": "FAIL","glue_database_connections_ssl_enabled": null,"cloudfront_distributions_https_enabled": null,"sns_subscription_not_using_http_endpoints": "PASS","kafka_cluster_in_transit_encryption_enabled": null,"apigateway_restapi_client_certificate_enabled": "FAIL","kafka_cluster_mutual_tls_authentication_enabled": null,"directoryservice_radius_server_security_protocol": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"elasticache_redis_cluster_in_transit_encryption_enabled": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.5 정보전송 보안","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["정보전송 협약서 또는 계약서","정보전송 기술표준","정보전송 관련 구성도, 인터페이스 정의서"],"AuditChecklist": ["외부 조직에 개인정보 및 중요정보를 전송할 경우 안전한 전송 정책을 수립하고 있는가?","업무상 조직 간 개인정보 및 중요정보를 상호교환하는 경우 안전한 전송을 위한 협약체결 등 보호대책을 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 대외 기관과 연계 시 전용망 또는 VPN을 적용하고 중계서버와 인증서 적용 등을 통하여 안전하게 정보를 전송하고 있으나, 외부 기관별 연계 시기, 방식, 담당자 및 책임자, 연계 정보, 법적 근거 등에 대한 현황관리가 적절히 이루어지지 않고 있는 경우","사례 2 : 중계과정에서의 암호 해제 구간 또는 취약한 암호화 알고리즘(DES, 3DES) 사용 등에 대한 보안성 검토, 보안표준 및 조치방안 수립 등에 대한 협의가 이행되고 있지 않은 경우"],"RelatedRegulations": []}],"description": "다른 조직에 개인정보 및 중요정보를 전송할 경우 안전한 전송 정책을 수립하고 조직 간 합의를 통하여 관리 책임, 전송방법, 개인정보 및 중요정보 보호를 위한 기술적 보호조치 등을 협약하고 이행하여야 한다.","checks_status": {"fail": 5,"pass": 3,"total": 17,"manual": 0}},"2.10.6": {"name": "업무용 단말기기 보안","checks": {"workspaces_volume_encryption_enabled": null,"appstream_fleet_maximum_session_duration": null,"appstream_fleet_session_disconnect_timeout": null,"workspaces_vpc_2private_1public_subnets_nat": null,"appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.6 업무용 단말기기 보안","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["업무용 단말기 보안통제 지침 및 절차","업무용 단말기 등록현황","업무용 단말기 보안설정","업무용 단말기 기기인증 및 승인 이력","업무용 단말기 보안점검 현황"],"AuditChecklist": ["PC, 노트북, 가상PC, 태블릿 등 업무에 사용되는 단말기에 대하여 기기인증, 승인, 접근범위 설정, 기기 보안설정 등의 보안 통제 정책을 수립·이행하고 있는가?","업무용 단말기를 통하여 개인정보 및 중요정보가 유출되는 것을 방지하기 위하여 자료공유프로그램 사용 금지, 공유설정 제한, 무선망 이용 통제 등의 정책을 수립 및 이행하고 있는가?","업무용 모바일 기기의 분실, 도난 등으로 인한 개인정보 및 중요정보의 유·노출을 방지하기 위하여 보안대책을 적용하고 있는가?","업무용 단말기기에 대한 접근통제 대책의 적절성에 대하여 주기적으로 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 업무적인 목적으로 노트북, 태블릿PC 등 모바일 기기를 사용하고 있으나, 업무용 모바일 기기에 대한 허용 기준, 사용 범위, 승인 절차, 인증 방법 등에 대한 정책이 수립되어 있지 않은 경우","사례 2 : 모바일 기기 보안관리 지침에서는 모바일 기기의 업무용 사용을 원칙적으로 금지하고 필요시 승인 절차를 통하여 제한된 기간 동안 허가된 모바일 기기만 사용하도록 정하고 있으나, 허가된 모바일 기기가 식별·관리되지 않고 승인되지 않은 모바일 기기에서도 내부 정보시스템 접속이 가능한 경우","사례 3 : 개인정보 처리업무에 이용되는 모바일 기기에 대하여 비밀번호 설정 등 도난·분실에 대한 보호대책이 적용되어 있지 않은 경우","사례 4 : 내부 규정에서는 업무용 단말기의 공유폴더 사용을 금지하고 있으나, 이에 대한 주기적인 점검이 이루어지고 있지 않아 다수의 업무용 단말기에서 과도하게 공유폴더를 설정하여 사용하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "PC, 모바일 기기 등 단말기기를 업무 목적으로 네트워크에 연결할 경우 기기 인증 및 승인, 접근 범위, 기기 보안설정 등의 접근통제 대책을 수립하고 주기적으로 점검하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"2.10.7": {"name": "보조저장매체 관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.7 보조저장매체 관리","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["보조저장매체(USB, CD 등) 차단 정책","보조저장매체 관리대장","보조저장매체 실태점검 이력"],"AuditChecklist": ["외장하드, USB메모리, CD 등 보조저장매체 취급(사용), 보관, 폐기, 재사용에 대한 정책 및 절차를 수립·이행하고 있는가?","보조저장매체 보유현황, 사용 및 관리실태를 주기적으로 점검하고 있는가?","주요 정보시스템이 위치한 통제구역, 중요 제한구역 등에서 보조저장매체 사용을 제한하고 있는가?","보조저장매체를 통한 악성코드 감염 및 중요정보 유출 방지를 위한 대책을 마련하고 있는가?","개인정보 또는 중요정보가 포함된 보조저장매체를 잠금장치가 있는 안전한 장소에 보관하고 있는가?"],"NonComplianceCases": ["사례 1 : 통제구역인 서버실에서의 보조저장매체 사용을 제한하는 정책을 수립하여 운영하고 있으나, 예외 승인 절차를 준수하지 않고 보조저장매체를 사용한 이력이 다수 확인되었으며, 보조저장매체 관리실태에 대한 주기적 점검이 실시되지 않아 보조저장매체 관리대장의 현행화가 미흡한 경우","사례 2 : 개인정보가 포함된 보조저장매체를 잠금장치가 있는 안전한 장소에 보관하지 않고 사무실 서랍 등에 방치하고 있는 경우","사례 3 : 보조저장매체 통제 솔루션을 도입·운영하고 있으나, 일부 사용자에 대하여 적절한 승인 절차 없이 예외처리되어 쓰기 등이 허용된 경우","사례 4 : 전산실에 위치한 일부 공용 PC 및 전산장비에서 일반 USB메모리에 대한 쓰기가 가능한 상황이나 매체 반입 및 사용 제한, 사용이력 기록 및 검토 등 통제가 적용되고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제10조(물리적 안전조치)"]}],"description": "보조저장매체를 통하여 개인정보 또는 중요정보의 유출이 발생하거나 악성코드가 감염되지 않도록 관리 절차를 수립·이행하고, 개인정보 또는 중요정보가 포함된 보조저장 매체는 안전한 장소에 보관하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.8": {"name": "패치관리","checks": {"ssm_managed_compliant_patching": "FAIL","kafka_cluster_uses_latest_version": null,"ec2_instance_account_imdsv2_enabled": null,"redshift_cluster_automatic_upgrades": null,"eks_cluster_uses_a_supported_version": null,"ec2_instance_older_than_specific_days": "FAIL","rds_instance_deprecated_engine_version": "PASS","rds_cluster_minor_version_upgrade_enabled": "PASS","dms_instance_minor_version_upgrade_enabled": null,"rds_instance_minor_version_upgrade_enabled": "PASS","awslambda_function_using_supported_runtimes": "FAIL","elasticache_redis_cluster_auto_minor_version_upgrades": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"opensearch_service_domains_updated_to_the_latest_service_software_version": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.8 패치관리","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["패치 적용 관리 정책·절차","시스템별 패치 적용 현황","패치 적용 관련 영향도 분석 결과"],"AuditChecklist": ["서버, 네트워크시스템, 보안시스템, PC 등 자산별 특성 및 중요도에 따라 운영체제(OS)와 소프트웨어의 패치관리 정책 및 절차를 수립·이행하고 있는가?","주요 서버, 네트워크시스템, 보안시스템 등의 경우 설치된 OS, 소프트웨어 패치 적용 현황을 주기적으로 관리하고 있는가?","서비스 영향도 등에 따라 취약점을 조치하기 위한 최신의 패치 적용이 어려운 경우 보완대책을 마련하고 있는가?","주요 서버, 네트워크시스템, 보안시스템 등의 경우 공개 인터넷 접속을 통한 패치를 제한하고 있는가?","패치관리시스템을 활용하는 경우 접근통제 등 충분한 보호대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 일부 시스템에서 타당한 사유나 책임자 승인 없이 OS패치가 장기간 적용되고 있지 않은 경우","사례 2 : 일부 시스템에 서비스 지원이 종료(EOS)된 OS버전을 사용 중이나, 이에 따른 대응계획이나 보완대책이 수립되어 있지 않은 경우","사례 3 : 상용 소프트웨어 및 OS에 대해서는 최신 패치가 적용되고 있으나, 오픈소스 프로그램(openssl, openssh, Apache 등)에 대해서는 최신 패치를 확인하고 적용하는 절차 및 담당자가 지정되어 있지 않아 최신 보안패치가 적용되고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제9조(악성프로그램 등 방지)"]}],"description": "소프트웨어, 운영체제, 보안시스템 등의 취약점으로 인한 침해사고를 예방하기 위하여 최신 패치를 적용하여야 한다. 다만 서비스 영향을 검토하여 최신 패치 적용이 어려울 경우 별도의 보완대책을 마련하여 이행하여야 한다.","checks_status": {"fail": 3,"pass": 3,"total": 14,"manual": 0}},"2.10.9": {"name": "악성코드 통제","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.9 악성코드 통제","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["악성프로그램 대응 지침·절차·매뉴얼","백신프로그램 설치 현황","백신프로그램 설정 화면","악성프로그램 대응 이력(대응 보고서 등)"],"AuditChecklist": ["바이러스, 웜, 트로이목마, 랜섬웨어 등의 악성코드로부터 정보시스템 및 업무용단말기 등을 보호하기 위하여 보호대책을 수립·이행하고 있는가?","백신 소프트웨어 등 보안프로그램을 통하여 최신 악성코드 예방·탐지 활동을 지속적으로 수행하고 있는가?","백신 소프트웨어 등 보안프로그램은 최신의 상태로 유지하고 필요시 긴급 보안 업데이트를 수행하고 있는가?","악성코드 감염 발견 시 악성코드 확산 및 피해 최소화 등의 대응절차를 수립·이행하고있는가?"],"NonComplianceCases": ["사례 1 : 일부 PC 및 서버에 백신이 설치되어 있지 않거나, 백신 엔진이 장기간 최신 버전으로 업데이트되지 않은 경우","사례 2 : 백신 프로그램의 환경설정(실시간 검사, 예약검사, 업데이트 설정 등)을 이용자가 임의로 변경할 수 있음에도 그에 따른 추가 보호대책이 수립되어 있지 않은 경우","사례 3 : 백신 중앙관리시스템에 접근통제 등 보호대책이 미비하여 중앙관리시스템을 통한 침해사고발생 가능성이 있는 경우 또는 백신 패턴에 대한 무결성 검증을 하지 않아 악의적인 사용자에 의한 악성코드 전파 가능성이 있는 경우","사례 4 : 일부 내부망 PC 및 서버에서 다수의 악성코드 감염이력이 확인되었으나, 감염 현황, 감염 경로 및 원인 분석, 그에 따른 조치내역 등이 확인되지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제9조(악성프로그램 등 방지)"]}],"description": "바이러스·웜·트로이목마·랜섬웨어 등의 악성코드로부터 개인정보 및 중요정보, 정보시스템 및 업무용 단말기 등을 보호하기 위하여 악성코드 예방·탐지·대응 등의 보호대책을 수립 및 이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.11.1": {"name": "사고 예방 및 대응체계 구축","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.11.1 사고 예방 및 대응체계 구축","Subdomain": "2.11. 
사고 예방 및 대응","AuditEvidence": ["침해사고 대응 지침·절차·매뉴얼","침해사고 대응 조직도 및 비상연락망","보안관제서비스 계약서(SLA 등)"],"AuditChecklist": ["침해사고 및 개인정보 유출사고를 예방하고 사고 발생 시 신속하고 효과적으로 대응하기 위한 체계와 절차를 마련하고 있는가?","보안관제서비스 등 외부 기관을 통하여 침해사고 대응체계를 구축·운영하는 경우 침해사고 대응절차의 세부사항을 계약서에 반영하고 있는가?","침해사고의 모니터링, 대응 및 처리를 위하여 외부전문가, 전문업체, 전문기관 등과의 협조체계를 수립하고 있는가?"],"NonComplianceCases": ["사례 1 : 침해사고에 대비한 침해사고 대응 조직 및 대응 절차를 명확히 정의하고 있지 않은 경우","사례 2 : 내부 지침 및 절차에 침해사고 단계별(사고 전, 인지, 처리, 복구, 보고 등) 대응 절차를 수립하여 명시하고 있으나, 침해사고 발생 시 사고 유형 및 심각도에 따른 신고·통지 절차, 대응 및 복구 절차의 일부 또는 전부를 수립하고 있지 않은 경우","사례 3 : 침해사고 대응 조직도 및 비상연락망 등을 현행화하지 않고 있거나, 담당자별 역할과 책임이 명확히 정의되어 있지 않은 경우","사례 4 : 침해사고 신고·통지 및 대응 협조를 위한 대외기관 연락처에 기관명, 홈페이지, 연락처 등이 잘못 명시되어 있거나, 일부 기관 관련 정보가 누락 또는 현행화되지 않은 경우","사례 5 : 외부 보안관제 전문업체 등 유관기관에 침해사고 탐지 및 대응을 위탁하여 운영하고 있으나, 침해사고 대응에 대한 상호 간 관련 역할 및 책임 범위가 계약서나 SLA에 명확하게 정의되지 않은 경우","사례 6 : 침해사고 대응절차를 수립하였으나, 개인정보 침해 신고 기준, 시점 등이 법적 요구사항을 준수하지 못하는 경우"],"RelatedRegulations": ["개인정보 보호법 제34조(개인정보의 유출 등의 통지·신고)","정보통신망법 제48조의3(침해사고의 신고 등), 제48조의4(침해사고의 원인분석 등)"]}],"description": "침해사고 및 개인정보 유출 등을 예방하고 사고 발생 시 신속하고 효과적으로 대응할 수 있도록 내·외부 침해시도의 탐지·대응·분석 및 공유를 위한 체계와 절차를 수립하고, 관련 외부기관 및 전문가들과 협조체계를 구축하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.11.2": {"name": "취약점 점검 및 조치","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_document_secrets": "PASS","inspector2_is_enabled": "FAIL","ec2_instance_imdsv2_enabled": "PASS","guardduty_centrally_managed": "FAIL","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","inspector2_active_findings_exist": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","awslambda_function_no_secrets_in_code": "PASS","cloudwatch_log_group_no_secrets_in_logs": "FAIL","ecr_registry_scan_images_on_push_enabled": "PASS","cloudformation_stack_outputs_find_secrets": "PASS","codebuild_project_no_secrets_in_variables": "PASS","awslambda_function_no_secrets_in_variables": 
"PASS","ecs_task_definitions_no_environment_secrets": "PASS","ecr_repositories_scan_images_on_push_enabled": "FAIL","trustedadvisor_premium_support_plan_subscribed": null,"autoscaling_find_secrets_ec2_launch_configuration": "PASS","ecr_repositories_scan_vulnerabilities_in_latest_image": null,"codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.11.2 취약점 점검 및 조치","Subdomain": "2.11. 사고 예방 및 대응","AuditEvidence": ["취약점 점검 계획서","취약점 점검 결과보고서(웹, 모바일 앱, 서버, 네트워크시스템, 보안시스템, DBMS 등)","취약점 점검 이력","취약점 조치계획서","취약점 조치완료보고서","모의해킹 계획서·결과보고서"],"AuditChecklist": ["정보시스템 취약점 점검 절차를 수립하고, 정기적으로 점검을 수행하고 있는가?","발견된 취약점에 대한 조치를 수행하고, 그 결과를 책임자에게 보고하고 있는가?","최신 보안취약점 발생 여부를 지속적으로 파악하고, 정보시스템에 미치는 영향을 분석하여 조치하고 있는가?","취약점 점검 이력을 기록관리하여 전년도에 도출된 취약점이 재발생하는 등의 문제점에 대하여 보호대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 규정에 연 1회 이상 주요 시스템에 대한 기술적 취약점 점검을 하도록 정하고 있으나, 주요 시스템 중 일부가 취약점 점검 대상에서 누락된 경우","사례 2 : 취약점 점검에서 발견된 취약점에 대한 보완조치를 이행하지 않았거나, 단기간 내에 조치할 수 없는 취약점에 대한 타당성 검토 및 승인 이력이 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검), 제6조(접근통제)"]}],"description": "정보시스템의 취약점이 노출되어 있는지를 확인하기 위하여 정기적으로 취약점 점검을 수행하고, 발견된 취약점에 대해서는 신속하게 조치하여야 한다. 
또한 최신 보안취약점의 발생 여부를 지속적으로 파악하고, 정보시스템에 미치는 영향을 분석하여 조치하여야 한다.","checks_status": {"fail": 6,"pass": 14,"total": 23,"manual": 0}},"2.11.3": {"name": "이상행위 분석 및 모니터링","checks": {"securityhub_enabled": "PASS","fms_policy_compliant": null,"vpc_flow_logs_enabled": "FAIL","cloudtrail_insights_exist": null,"networkfirewall_in_all_vpc": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","cloudtrail_threat_detection_enumeration": null,"cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.11.3 이상행위 분석 및 모니터링","Subdomain": "2.11. 
사고 예방 및 대응","AuditEvidence": ["이상행위 분석 및 모니터링 현황","이상행위 발견 시 대응 증거자료"],"AuditChecklist": ["내·외부에 의한 침해시도, 개인정보유출 시도, 부정행위 등 이상행위를 탐지할 수 있도록 주요 정보시스템, 응용프로그램, 네트워크, 보안시스템 등에서 발생한 네트워크 트래픽,데이터 흐름, 이벤트 로그 등을 수집하여 분석 및 모니터링하고 있는가?","침해시도, 개인정보유출시도, 부정행위 등의 여부를 판단하기 위한 기준 및 임계치를 정의하고 이에 따라 이상행위의 판단 및 조사 등 후속 조치가 적시에 이루어지고 있는가?"],"NonComplianceCases": ["사례 1 : 외부로부터의 서버, 네트워크, 데이터베이스, 보안시스템에 대한 침해 시도를 인지할 수 있도록 하는 상시 또는 정기적 모니터링 체계 및 절차를 마련하고 있지 않은 경우","사례 2 : 외부 보안관제 전문업체 등 외부 기관에 침해시도 모니터링 업무를 위탁하고 있으나, 위탁업체가 제공한 관련 보고서를 검토한 이력이 확인되지 않거나, 위탁 대상에서 제외된 시스템에 대한 자체 모니터링 체계를 갖추고 있지 않은 경우","사례 3 : 내부적으로 정의한 임계치를 초과하는 이상 트래픽이 지속적으로 발견되고 있으나, 이에 대한 대응조치가 이루어지고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "내·외부에 의한 침해시도, 개인정보유출 시도, 부정행위 등을 신속하게 탐지·대응할 수 있도록 네트워크 및 데이터 흐름 등을 수집하여 분석하며, 모니터링 및 점검 결과에 따른 사후조치는 적시에 이루어져야 한다.","checks_status": {"fail": 6,"pass": 1,"total": 28,"manual": 0}},"2.11.4": {"name": "사고 대응 훈련 및 개선","checks": {"ssmincidents_enabled_with_plans": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.11.4 사고 대응 훈련 및 개선","Subdomain": "2.11. 사고 예방 및 대응","AuditEvidence": ["침해사고 및 개인정보 유출사고 대응 모의훈련 계획서","침해사고 및 개인정보 유출사고 대응 모의훈련 결과서","침해사고 대응 절차"],"AuditChecklist": ["침해사고 및 개인정보 유출사고 대응 절차에 관한 모의훈련계획을 수립하고 이에 따라 연 1회 이상 주기적으로 훈련을 실시하고 있는가?","침해사고 및 개인정보 유출사고 훈련 결과를 반영하여 침해사고 및 개인정보 유출사고 대응체계를 개선하고 있는가?"],"NonComplianceCases": ["사례 1 : 침해사고 모의훈련을 수행하지 않았거나 관련 계획서 및 결과보고서가 확인되지 않은 경우","사례 2 : 연간 침해사고 모의훈련 계획을 수립하였으나 타당한 사유 또는 승인 없이 해당 기간 내에 실시하지 않은 경우","사례 3 : 모의훈련을 계획하여 실시하였으나, 관련 내부 지침에 정한 절차 및 서식에 따라 수행하지 않은 경우"],"RelatedRegulations": []}],"description": "침해사고 및 개인정보 유출사고 대응 절차를 임직원과 이해관계자가 숙지하도록 시나리오에 따른 모의훈련을 연 1회 이상 실시하고 훈련결과를 반영하여 대응체계를 개선하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"2.11.5": {"name": "사고 대응 및 복구","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.11.5 사고 대응 및 복구","Subdomain": "2.11. 
사고 예방 및 대응","AuditEvidence": ["침해사고 대응 절차","침해사고 대응보고서","침해사고 관리대장","개인정보 유출신고서","비상연락망"],"AuditChecklist": ["침해사고 및 개인정보 유출의 징후 또는 발생을 인지한 경우 정의된 침해사고 대응절차에 따라 신속하게 대응 및 보고가 이루어지고 있는가?","개인정보 침해사고 발생 시 관련 법령에 따라 정보주체 통지 및 관계기관 신고 절차를 이행하고 있는가?","침해사고가 종결된 후 사고의 원인을 분석하여 그 결과를 보고하고 관련 조직 및인력과 공유하고 있는가?","침해사고 분석을 통하여 얻은 정보를 활용하여 유사 사고가 재발하지 않도록 대책을 수립하고 필요한 경우 침해사고 대응절차 등을 변경하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 침해사고 대응지침에는 침해사고 발생 시 내부 정보보호위원회 및 이해관계 부서에게 보고하도록 정하고 있으나, 침해사고 발생 시 담당 부서에서 자체적으로 대응 조치 후 정보보호위원회 및 이해관계 부서에 보고하지 않은 경우","사례 2 : 최근 DDoS 공격으로 의심되는 침해사고로 인하여 서비스 일부가 중단된 사례가 있으나, 이에 대한 원인분석 및 재발방지 대책이 수립되지 않은 경우","사례 3 : 외부 해킹에 의해 개인정보 유출사고가 발생하였으나, 유출된 개인정보 건수가 소량이라는 이유로 72시간 이내에 통지 및 신고가 이루어지지 않은 경우","사례 4 : 담당자의 실수에 의해 인터넷 홈페이지 게시판을 통해 1천명 이상 정보주체에 대한 개인정보 유출이 발생하였으나, 해당 정보주체에 대한 유출 통지가 이루어지지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제34조(개인정보의 유출 등의 통지·신고)","정보통신망법 제48조의3(침해사고의 신고 등), 제48조의4(침해사고의 원인분석 등)"]}],"description": "침해사고 및 개인정보 유출 징후나 발생을 인지한 때에는 법적 통지 및 신고 의무를 준수하여야 하며, 절차에 따라 신속하게 대응 및 복구하고 사고분석 후 재발방지 대책을 수립하여 대응체계에 반영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.12.1": {"name": "재해·재난 대비 안전조치","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","s3_bucket_object_lock": "FAIL","vpc_different_regions": null,"efs_have_backup_enabled": "FAIL","elbv2_is_in_multiple_az": "PASS","vpc_subnet_different_az": "PASS","backup_reportplans_exist": null,"neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"autoscaling_group_multiple_az": null,"dms_instance_multi_az_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","documentdb_cluster_backup_enabled": 
null,"s3_bucket_cross_region_replication": "FAIL","kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": null,"redshift_cluster_automated_snapshot": null,"elb_cross_zone_load_balancing_enabled": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","documentdb_cluster_cloudwatch_log_export": null,"elasticache_redis_cluster_backup_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.12.1 재해·재난 대비 안전조치","Subdomain": "2.12. 재해 복구","AuditEvidence": ["IT 재해 복구 지침·절차","IT 재해 복구 계획(RTO, RPO 정의 포함)","비상연락망","개인정보처리시스템 위기대응 매뉴얼"],"AuditChecklist": ["조직의 핵심 서비스(업무) 연속성을 위협할 수 있는 IT 재해 유형을 식별하고, 유형별 피해규모 및 업무에 미치는 영향을 분석하여 핵심 IT 서비스(업무) 및 시스템을식별하고 있는가?","핵심 IT 서비스 및 시스템의 중요도 및 특성에 따른 복구 목표시간, 복구 목표시점을 정의하고 있는가?","재해·재난 발생 시에도 핵심 서비스 및 시스템의 연속성을 보장할 수 있도록 복구 전략 및 대책, 비상시 복구 조직, 비상연락체계, 복구 절차 등 재해 복구 계획을 수립 및 이행하고 있는가?"],"NonComplianceCases": ["사례 1 : IT 재해 복구 절차서 내에 IT 재해 복구 조직 및 역할 정의, 비상연락체계, 복구 절차 및 방법 등 중요한 내용이 누락되어 있는 경우","사례 2 : 비상사태 발생 시 정보시스템의 연속성 확보 및 피해 최소화를 위하여 백업센터를 구축하여 운영하고 있으나, 관련 정책에 백업센터를 활용한 재해 복구 절차 등이 수립되어 있지 않아 재해 복구 시험 및 복구가 효과적으로 진행되기 어려운 경우","사례 3 : 서비스 운영과 관련된 일부 중요 시스템에 대한 복구 목표시간이 정의되어 있지 않으며, 이에 대한 적절한 복구 대책을 마련하고 있지 않은 경우","사례 4 : 재해 복구 관련 지침서 등에 IT 서비스 또는 시스템에 대한 복구 우선순위, 복구 목표시간, 복구 목표시점 등이 정의되어 있지 않은 경우","사례 5 : 현실적 대책 없이 복구 목표시간을 과도 또는 과소하게 설정하고 있거나, 복구 목표시점과 백업정책(대상, 주기 등)이 적절히 연계되지 않아 복구 효과성을 보장할 수 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제11조(재해·재난 대비 안전조치)"]}],"description": "자연재해, 통신·전력 장애, 해킹 등 조직의 핵심 서비스 및 시스템의 운영 연속성을 위협할 수 있는 재해 유형을 식별하고, 유형별 예상 피해규모 및 영향을 분석하여야 한다. 
또한 복구 목표시간, 복구 목표시점을 정의하고 복구 전략 및 대책, 비상시 복구 조직, 비상연락체계, 복구 절차 등 재해 복구체계를 구축하여야 한다.","checks_status": {"fail": 14,"pass": 5,"total": 33,"manual": 0}},"2.12.2": {"name": "재해 복구 시험 및 개선","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","s3_bucket_object_lock": "FAIL","vpc_different_regions": null,"efs_have_backup_enabled": "FAIL","elbv2_is_in_multiple_az": "PASS","vpc_subnet_different_az": "PASS","backup_reportplans_exist": null,"neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"autoscaling_group_multiple_az": null,"dms_instance_multi_az_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","documentdb_cluster_backup_enabled": null,"s3_bucket_cross_region_replication": "FAIL","kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": null,"redshift_cluster_automated_snapshot": null,"elb_cross_zone_load_balancing_enabled": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","documentdb_cluster_cloudwatch_log_export": null,"elasticache_redis_cluster_backup_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.12.2 재해 복구 시험 및 개선","Subdomain": "2.12. 
재해 복구","AuditEvidence": ["IT 재해 복구 절차서","IT 재해 복구 시험 계획서","IT 재해 복구 시험 결과서"],"AuditChecklist": ["수립된 IT 재해 복구체계의 실효성을 판단하기 위하여 재해 복구 시험계획을 수립 및 이행하고 있는가?","시험결과, 정보시스템 환경변화, 법률 등에 따른 변화를 반영할 수 있도록 복구전략 및 대책을 정기적으로 검토·보완하고 있는가?"],"NonComplianceCases": ["사례 1 : 재해 복구 훈련을 계획·시행하지 않았거나 관련 계획서 및 결과보고서가 확인되지 않은 경우","사례 2 : 재해 복구 훈련 계획을 수립하였으나, 타당한 사유 또는 승인 없이 계획대로 실시하지 않았거나 관련 결과보고가 확인되지 않은 경우","사례 3 : 재해 복구 훈련을 계획하여 실시하였으나, 내부 관련 지침에 정한 절차 및 서식에 따라 이행되지 않아 수립한 재해 복구 절차의 적정성 및 효과성을 평가하기 위한 훈련으로 보기 어려운 경우"],"RelatedRegulations": []}],"description": "재해 복구 전략 및 대책의 적정성을 정기적으로 시험하여 시험결과, 정보시스템 환경변화, 법규 등에 따른 변화를 반영하여 복구전략 및 대책을 보완하여야 한다.","checks_status": {"fail": 14,"pass": 5,"total": 33,"manual": 0}}},"requirements_passed": 10,"requirements_failed": 27,"requirements_manual": 64,"total_requirements": 101,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "f9e5248f-1b1d-4256-b2a1-3b571315c190","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "cis_1.4_aws","framework": "CIS","version": "1.4","description": "The CIS Benchmark for CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 1 and 2 provides prescriptive guidance for configuring security options for a subset of Amazon Web Services. It has an emphasis on foundational, testable, and architecture agnostic settings","region": "eu-west-1","requirements": {"1.1": {"name": "1.1","checks": {"account_maintain_current_contact_details": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info","Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.","DefaultValue": null,"AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, review and verify the current details. 4. Under `Contact Information`, review and verify the current details.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. 
This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.","RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`. 4. Next to the field that you need to update, choose `Edit`. 5. After you have entered your changes, choose `Save changes`. 6. After you have made your changes, choose `Done`. 7. To edit your contact information, under `Contact Information`, choose `Edit`. 8. For the fields that you want to change, type your updated information, and then choose `Update`.","AdditionalInformation": ""}],"description": "Maintain current contact details","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.2": {"name": "1.2","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if security contact information is present:**From Console:**1. Click on your account name at the top right corner of the console 2. From the drop-down menu Click `My Account`3. 
Scroll down to the `Alternate Contacts` section 4. Ensure contact information is specified in the `Security` section","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.","RemediationProcedure": "Perform the following to establish security contact information:**From Console:**1. Click on your account name at the top right corner of the console. 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. Enter contact information in the `Security` section**Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.","AdditionalInformation": ""}],"description": "Ensure security contact information is registered","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.3": {"name": "1.3","checks": {"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS account as the 'root' user 2. On the top right you will see the __ 3. Click on the __ 4. From the drop-down menu Click `My Account`5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions. 6. Click `Save questions` .","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "When creating a new AWS account, a default super user is automatically created. 
This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.","RemediationProcedure": "**From Console:**1. Login to the AWS Account as the 'root' user 2. Click on the __ from the top right of the console 3. From the drop-down menu Click _My Account_ 4. Scroll down to the `Configure Security Questions` section 5. Click on `Edit`6. Click on each `Question` - From the drop-down select an appropriate question- Click on the `Answer` section- Enter an appropriate answer - Follow process for all 3 questions 7. Click `Update` when complete 8. Save Questions and Answers and place in a secure physical location","AdditionalInformation": ""}],"description": "Ensure security questions are registered in the AWS account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.4": {"name": "1.4","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/","Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. 
It is recommended that all access keys associated with the 'root' user account be removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .**From Command Line:**Run the following command: ```aws iam get-account-summary | grep \"AccountAccessKeysPresent\"``` If no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,. If the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged.","RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys**From Console:**1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. Click on __ at the top right and select `My Security Credentials` from the drop down list 3. On the pop out screen Click on `Continue to Security Credentials`4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_ 5. Under the `Status` column if there are any Keys which are Active- Click on `Make Inactive` - (Temporarily disable Key - may be needed again)- Click `Delete` - (Deleted keys cannot be recovered)","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions is not enabled by default. 
However, on request to AWS support enables 'root' access only through access-keys (CLI, API methods) for us-gov cloud region."}],"description": "Ensure no 'root' user account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.5": {"name": "1.5","checks": {"iam_root_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.**Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `mfa_active` field is set to `TRUE` .**From Command Line:**1. 
Run the following command: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ``` 2. Ensure the AccountMFAEnabled property is set to 1","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` . 5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. 
For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.When you are finished, the virtual MFA device starts generating one-time passwords.In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions does not have console access. This recommendation is not applicable for us-gov cloud regions."}],"description": "Ensure MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.6": {"name": "1.6","checks": {"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:1. 
Run the following command to determine if the 'root' account has MFA setup: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ```The `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled. If `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled. Run the following command to list all virtual MFA devices: ```aws iam list-virtual-mfa-devices``` If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation: `\"SerialNumber\": \"arn:aws:iam::__:mfa/root-account-mfa-device\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.","RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials. 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. 
In the wizard, choose `A hardware MFA` device and then choose `Next Step` . 5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device. 6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. 7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number. 8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.Remediation for this recommendation is not available through AWS CLI.","AdditionalInformation": "IAM User account 'root' for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions."}],"description": "Ensure hardware MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.7": {"name": "1.7","checks": {"iam_avoid_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html","Description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/` 2. 
In the left pane, click `Credential Report` 3. Click on `Download Report` 4. Open of Save the file locally 5. Locate the `` under the user column 6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.**From Command Line:**Run the following CLI commands to provide a credential report for determining the last time the 'root user' was used: ``` aws iam generate-credential-report ``` ``` aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '' ```Review `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.**Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.","RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user.**Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.","AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. 
If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.Monitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user."}],"description": "Eliminate use of the 'root' user for administrative and daily tasks","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.8": {"name": "1.8","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Minimum password length\" is set to 14 or greater.**From Command Line:** ``` aws iam get-account-password-policy ``` Ensure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Setting a password complexity policy increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. 
Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Set \"Minimum password length\" to `14` or greater. 5. Click \"Apply password policy\"**From Command Line:** ```aws iam update-account-password-policy --minimum-password-length 14 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy requires minimum length of 14 or greater","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.9": {"name": "1.9","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Prevent password reuse\" is checked 5. 
Ensure \"Number of passwords to remember\" is set to 24**From Command Line:** ``` aws iam get-account-password-policy``` Ensure the output of the above command includes \"PasswordReusePrevention\": 24","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Preventing password reuse increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Check \"Prevent password reuse\" 5. Set \"Number of passwords to remember\" is set to `24` **From Command Line:** ```aws iam update-account-password-policy --password-reuse-prevention 24 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy prevents password reuse","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.1": {"name": "3.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events","Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane- You will be presented with a list of trails across all regions 3. Ensure at least one Trail has `All` specified in the `Region` column 4. Click on a trail via the link in the _Name_ column 5. Ensure `Logging` is set to `ON`6. Ensure `Apply trail to all regions` is set to `Yes` 7. In section `Management Events` ensure `Read/Write Events` set to `ALL`**From Command Line:** ```aws cloudtrail describe-trails ``` Ensure `IsMultiRegionTrail` is set to `true```` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `true` ``` aws cloudtrail get-event-selectors --trail-name  ``` Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`","ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html","AssessmentStatus": "Automated","RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally, - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected- ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated onAWS global services- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account","RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on _Trails_ on the left navigation pane 3. Click `Get Started Now` , if presented- Click `Add new trail` - Enter a trail name in the `Trail name` box- Set the `Apply trail to all regions` option to `Yes` - Specify an S3 bucket name in the `S3 bucket` box- Click `Create`4. If 1 or more trails already exist, select the target trail to enable for global logging 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`. 6. 
Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.**From Command Line:** ``` aws cloudtrail create-trail --name  --bucket-name  --is-multi-region-trailaws cloudtrail update-trail --name  --is-multi-region-trail ```Note: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.","AdditionalInformation": ""}],"description": "Ensure CloudTrail is enabled in all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.2": {"name": "3.2","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.","DefaultValue": null,"AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. 
For Every Trail: - Click on a trail via the link in the _Name_ column - Under the `General details` section, ensure `Log file validation` is set to `Enabled` **From Command Line:** ``` aws cloudtrail describe-trails ``` Ensure `LogFileValidationEnabled` is set to `true` for each trail","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling log file validation will provide additional integrity checking of CloudTrail logs.","RemediationProcedure": "Perform the following to enable log file validation on a given trail:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. Click on target trail 4. Within the `General details` section click `edit` 5. Under the `Advanced settings` section 6. Check the enable box under `Log file validation`7. Click `Save changes` **From Command Line:** ``` aws cloudtrail update-trail --name  --enable-log-file-validation ``` Note that periodic validation of logs using these digests can be performed by running the following command: ``` aws cloudtrail validate-logs --trail-arn  --start-time  --end-time  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail log file validation is enabled","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.3": {"name": "3.3","checks": {"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html","Description": "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. 
It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the `API activity history` pane on the left, click `Trails`3. In the `Trails` pane, note the bucket names in the `S3 bucket` column 4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 5. For each bucket noted in step 3, right-click on the bucket and click `Properties`6. In the `Properties` pane, click the `Permissions` tab. 7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.`9. If the `Edit bucket policy` button is present, click it to review the bucket policy. 10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName' ``` 2. Ensure the `AllUsers` principal is not granted privileges to that `` : ```aws s3api get-bucket-acl --bucket  --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]' ``` 3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that ``: ```aws s3api get-bucket-acl --bucket  --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]' ``` 4. 
Get the S3 Bucket Policy ```aws s3api get-bucket-policy --bucket ``` 5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.","RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 2. Right-click on the bucket and click Properties 3. In the `Properties` pane, click the `Permissions` tab. 4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 5. Select the row that grants permission to `Everyone` or `Any Authenticated User`6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row). 7. Click `Save` to save the ACL. 8. If the `Edit bucket policy` button is present, click it. 9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.","AdditionalInformation": ""}],"description": "Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.4": {"name": "3.4","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html","Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Under `Trails` , click on the CloudTrail you wish to evaluate 3. Under the `CloudWatch Logs` section. 4. Ensure a `CloudWatch Logs` log group is configured and listed. 5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.**From Command Line:**1. Run the following command to get a listing of existing trails: ```aws cloudtrail describe-trails ``` 2. 
Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property. 3. Using the noted value of the `Name` property, run the following command: ```aws cloudtrail get-trail-status --name  ``` 4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.If the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.","ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.","RemediationProcedure": "Perform the following to establish the prescribed state:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Select the `Trail` the needs to be updated. 3. Scroll down to `CloudWatch Logs` 4. Click `Edit` 5. Under `CloudWatch Logs` click the box `Enabled` 6. Under `Log Group` pick new or select an existing log group 7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group. 8. 
Under `IAM Role` pick new or select an existing. 9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role. 10. Click `Save changes.**From Command Line:** ``` aws cloudtrail update-trail --name  --cloudwatch-logs-log-group-arn  --cloudwatch-logs-role-arn  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail trails are integrated with CloudWatch Logs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.5": {"name": "3.5","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html","Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.","DefaultValue": null,"AuditProcedure": "Process to evaluate AWS Config configuration per region**From Console:**1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 2. On the top right of the console select target Region. 3. If presented with Setup AWS Config - follow remediation procedure: 4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 5. Ensure 1 or both check-boxes under \"All Resources\" is checked.- Include global resources related to IAM resources - which needs to be enabled in 1 region only 6. Ensure the correct S3 bucket has been defined. 7. Ensure the correct SNS topic has been defined. 8. Repeat steps 2 to 7 for each region.**From Command Line:**1. 
Run this command to show all AWS Config recorders and their properties: ``` aws configservice describe-configuration-recorders ``` 2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])Sample Output:``` {\"ConfigurationRecorders\": [{\"recordingGroup\": {\"allSupported\": true,\"resourceTypes\": [],\"includeGlobalResourceTypes\": true},\"roleARN\": \"arn:aws:iam:::role/service-role/\",\"name\": \"default\"}] } ```3. Run this command to show the status for all AWS Config recorders: ``` aws configservice describe-configuration-recorder-status ``` 4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`","ImpactStatement": "It is recommended AWS Config be enabled in all regions.","AssessmentStatus": "Automated","RationaleStatement": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.","RemediationProcedure": "To implement AWS Config configuration:**From Console:**1. Select the region you want to focus on in the top right of the console 2. Click `Services`3. Click `Config`4. Define which resources you want to record in the selected region 5. Choose to include global resources (IAM resources) 6. Specify an S3 bucket in the same account or in another managed AWS account 7. Create an SNS Topic from the same AWS account or another managed AWS account**From Command Line:**1. 
Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 2. Run this command to set up the configuration recorder ``` aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole ``` 3. Run this command to start the configuration recorder: ``` start-configuration-recorder --configuration-recorder-name  ```","AdditionalInformation": ""}],"description": "Ensure AWS Config is enabled in all regions","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.6": {"name": "3.6","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html","Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.","DefaultValue": null,"AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the API activity history pane on the left, click Trails 3. In the Trails pane, note the bucket names in the S3 bucket column 4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 5. Under `All Buckets` click on a target S3 bucket 6. 
Click on `Properties` in the top right of the console 7. Under `Bucket:` _ `` _ click on `Logging`8. Ensure `Enabled` is checked.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'``` 2. Ensure Bucket Logging is enabled: ``` aws s3api get-bucket-logging --bucket  ``` Ensure command does not returns empty output.Sample Output for a bucket with logging enabled:``` {\"LoggingEnabled\": {\"TargetPrefix\": \"\",\"TargetBucket\": \"\"} } ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.","RemediationProcedure": "Perform the following to enable S3 bucket logging:**From Console:**1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 2. Under `All Buckets` click on the target S3 bucket 3. Click on `Properties` in the top right of the console 4. Under `Bucket:`  click on `Logging`5. Configure bucket logging- Click on the `Enabled` checkbox- Select Target Bucket from list- Enter a Target Prefix 6. Click `Save`.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --region  --query trailList[*].S3BucketName ``` 2. Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``: ``` {\"LoggingEnabled\": {\"TargetBucket\": \"\",\"TargetPrefix\": \"\",\"TargetGrants\": [{\"Grantee\": {\"Type\": \"AmazonCustomerByEmail\",\"EmailAddress\": \"\"},\"Permission\": \"FULL_CONTROL\"}]}} ``` 3. 
Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): ``` aws s3api put-bucket-logging --bucket  --bucket-logging-status file:// ```","AdditionalInformation": ""}],"description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.7": {"name": "3.7","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html","Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Select a Trail 4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.**From Command Line:**1. 
Run the following command: ```aws cloudtrail describe-trails``` 2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.","ImpactStatement": "Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.","AssessmentStatus": "Automated","RationaleStatement": "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.","RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Click on a Trail 4. Under the `S3` section click on the edit button (pencil icon) 5. Click `Advanced`6. Select an existing CMK from the `KMS key Id` drop-down menu- Note: Ensure the CMK is located in the same region as the S3 bucket- Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy 7. Click `Save`8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. 9. Click `Yes` **From Command Line:** ``` aws cloudtrail update-trail --name  --kms-id  aws kms put-key-policy --key-id  --policy  ```","AdditionalInformation": "3 statements which need to be added to the CMK policy:1\\. Enable Cloudtrail to describe CMK properties ``` 
{\"Sid\": \"Allow CloudTrail access\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:DescribeKey\",\"Resource\": \"*\" } ``` 2\\. Granting encrypt permissions ``` 
{\"Sid\": \"Allow CloudTrail to encrypt logs\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:GenerateDataKey*\",\"Resource\": \"*\",\"Condition\": {\"StringLike\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": [\"arn:aws:cloudtrail:*:aws-account-id:trail/*\"]}} } ``` 3\\. Granting decrypt permissions ``` 
{\"Sid\": \"Enable CloudTrail log decrypt permissions\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"arn:aws:iam::aws-account-id:user/username\"},\"Action\": \"kms:Decrypt\",\"Resource\": \"*\",\"Condition\": {\"Null\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"}} } ```"}],"description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.8": {"name": "3.8","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final","Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the `General configuration` panel open the tab `Key rotation` 5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated 6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"**From Command Line:**1. 
Run the following command to get a list of all keys and their associated `KeyIds````aws kms list-keys ``` 2. For each key, note the KeyId and run the following command ``` describe-key --key-id  ``` 3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command ```aws kms get-key-rotation-status --key-id  ``` 4. Ensure `KeyRotationEnabled` is set to `true` 5. Repeat steps 2 - 4 for all remaining CMKs","ImpactStatement": "Creation, management, and storage of CMKs may require additional time from and administrator.","AssessmentStatus": "Automated","RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` . 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the \"General configuration\" panel open the tab \"Key rotation\" 5. Check the \"Automatically rotate this KMS key every year.\" checkbox**From Command Line:**1. Run the following command to enable key rotation: ```aws kms enable-key-rotation --key-id  ```","AdditionalInformation": ""}],"description": "Ensure rotation for customer created symmetric CMKs is enabled","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.9": {"name": "3.9","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html","Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. Ensure a Log Flow exists that has `Active` in the `Status` column.**From Command Line:**1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region: ``` aws ec2 describe-vpcs --region  --query Vpcs[].VpcId ``` 2. The command output returns the `VpcId` available in the selected region. 3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled: ``` aws ec2 describe-flow-logs --filter \"Name=resource-id,Values=\" ``` 4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`. 5. Repeat step 3 for other VPCs available in the same region. 6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.","ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. 
You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.","RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. If no Flow Log exists, click `Create Flow Log`7. For Filter, select `Reject` 8. Enter in a `Role` and `Destination Log Group`9. Click `Create Log Flow`10. Click on `CloudWatch Logs Group` **Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.**From Command Line:**1. Create a policy document and name it as `role_policy_document.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"test\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"ec2.amazonaws.com\"},\"Action\": \"sts:AssumeRole\"}] } ``` 2. 
Create another policy document and name it as `iam_policy.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Action\":[\"logs:CreateLogGroup\",\"logs:CreateLogStream\",\"logs:DescribeLogGroups\",\"logs:DescribeLogStreams\",\"logs:PutLogEvents\",\"logs:GetLogEvents\",\"logs:FilterLogEvents\"],\"Resource\": \"*\"}] } ``` 3. Run the below command to create an IAM role: ``` aws iam create-role --role-name  --assume-role-policy-document file://role_policy_document.json``` 4. Run the below command to create an IAM policy: ``` aws iam create-policy --policy-name  --policy-document file://iam-policy.json ``` 5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned): ``` aws iam attach-group-policy --policy-arn arn:aws:iam:::policy/ --group-name  ``` 6. Run `describe-vpcs` to get the VpcId available in the selected region: ``` aws ec2 describe-vpcs --region  ``` 7. The command output should return the VPC Id available in the selected region. 8. Run `create-flow-logs` to create a flow log for the vpc: ``` aws ec2 create-flow-logs --resource-type VPC --resource-ids  --traffic-type REJECT --log-group-name  --deliver-logs-permission-arn  ``` 9. Repeat step 8 for other vpcs available in the selected region. 10. Change the region by updating --region and repeat remediation procedure for other vpcs.","AdditionalInformation": ""}],"description": "Ensure VPC flow logging is enabled in all VPCs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"4.1": {"name": "4.1","checks": {"cloudwatch_log_metric_filter_unauthorized_api_calls": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. 
Monitoring","References": "https://aws.amazon.com/sns/:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with \"Name\":` note ``- From value associated with \"CloudWatchLogsLogGroupArn\" note Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this `` that you captured in step 1:``` aws logs describe-metric-filters --log-group-name \"\" ```3. 
Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\", ```4. Note the \"filterName\" `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\" ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.","AssessmentStatus": "Automated","RationaleStatement": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `` taken from audit step 1. 
``` aws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms. **Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for unauthorized API calls","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.2": {"name": "4.2","checks": {"cloudwatch_log_metric_filter_sign_in_without_mfa": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all `CloudTrails`:``` aws cloudtrail describe-trails ```- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region `CloudTrail` is active``` aws cloudtrail get-trail-status --name  ```Ensure in the output that `IsLogging` is set to `TRUE`- Ensure identified Multi-region 'Cloudtrail' captures all Management Events``` aws cloudtrail get-event-selectors --trail-name  ```Ensure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\" ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `` taken from audit step 1.Use Command: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored -Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account."}],"description": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.3": {"name": "4.3","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for 'root' login attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**- ensures that activities from all regions (used as well as unused) are monitored- ensures that activities on all supported global services are monitored- ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for usage of 'root' account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.4": {"name": "4.4","checks": {"cloudwatch_log_metric_filter_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for IAM policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.5": {"name": "4.5","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.6": {"name": "4.6","checks": {"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.7": {"name": "4.7","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Data encrypted with disabled or deleted keys will no longer be accessible.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.8": {"name": "4.8","checks": {"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for S3 bucket policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.9": {"name": "4.9","checks": {"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Config configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"5.1": {"name": "5.1","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison","Description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "**From Console:**Perform the following to determine if the account is configured as prescribed: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. 
For each network ACL, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "**From Console:**Perform the following: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL to remediate, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Click `Edit inbound rules`- Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule- Click `Save`","AdditionalInformation": ""}],"description": "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"5.2": {"name": "5.2","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule 6. 
Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.3": {"name": "5.3","checks": {"ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group","Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.**NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:Security Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exist 4. Click the `Outbound Rules` tab 5. Ensure no rules existSecurity Group Members1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. Copy the id of the default security group. 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home 6. In the filter column type 'Security Group ID : < security group id from #4 >'","ImpactStatement": "Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. 
Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.","AssessmentStatus": "Automated","RationaleStatement": "Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.","RemediationProcedure": "Security Group MembersPerform the following to implement the prescribed state:1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security groupSecurity Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Remove any inbound rules 4. Click the `Outbound Rules` tab 5. Remove any Outbound rulesRecommended:IAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"","AdditionalInformation": ""}],"description": "Ensure the default security group of every VPC restricts all traffic","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"5.4": {"name": "5.4","checks": {"vpc_peering_routing_tables_with_least_privilege": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "5. 
Networking","References": "https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html","Description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.","DefaultValue": null,"AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.**From Command Line:**1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a __ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired. ``` aws ec2 describe-route-tables --filter \"Name=vpc-id,Values=\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\" ```","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.","RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.**From Command Line:**1. For each __ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route: ``` aws ec2 delete-route --route-table-id  --destination-cidr-block  ```2. 
Create a new compliant route: ``` aws ec2 create-route --route-table-id  --destination-cidr-block  --vpc-peering-connection-id  ```","AdditionalInformation": "If an organization has AWS transit gateway implemented in their VPC architecture they should look to apply the recommendation above for \"least access\" routing architecture at the AWS transit gateway level in combination with what must be implemented at the standard VPC route table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs must have an attachment to a transit gateway route table as well as a route, therefore to avoid routing traffic between VPCs an attachment to the transit gateway route table should only be added where there is an intention to route traffic between the VPCs. As transit gateways are able to host multiple route tables it is possible to group VPCs by attaching them to a common route table."}],"description": "Ensure routing tables for VPC peering are \"least access\"","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.10": {"name": "1.10","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users","Description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. 
With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:**From Console:**1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left pane, select `Users`3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`. 4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8``` 2. The output of this command will produce a table similar to the following: ```user,password_enabled,mfa_activeelise,false,falsebrandon,true,truerakesh,false,falsehelene,false,falseparas,true,trueanitha,false,false``` 3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`","ImpactStatement": "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. 
We recommend that existing customers switch to one of the following alternative methods of MFA.","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to enable MFA:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' 2. In the left pane, select `Users`. 3. In the `User Name` list, choose the name of the intended MFA user. 4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`. 5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application. When you are finished, the virtual MFA device starts generating one-time passwords.8. 
In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.9. Click `Assign MFA`.","AdditionalInformation": "**Forced IAM User Self-Service Remediation**Amazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts."}],"description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.11": {"name": "1.11","checks": {"iam_user_no_setup_initial_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html","Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. 
AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on a User where column `Password age` and `Access key age` is not set to `None` 5. Click on `Security credentials` Tab 6. Compare the user 'Creation time` to the Access Key `Created` date. 6. For any that match, the key was created during initial user setup.- Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16 ``` 2. The output of this command will produce a table similar to the following: ``` user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_dateelise,false,true,2015-04-16T15:14:00+00:00,false,N/Abrandon,true,true,N/A,false,N/Arakesh,false,false,N/A,false,N/Ahelene,false,true,2015-11-18T17:47:00+00:00,false,N/Aparas,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A``` 3. 
For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.","RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:**From Console:**1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. As an Administrator - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User- Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.**From Command Line:** ``` aws iam delete-access-key --access-key-id  --user-name  ```","AdditionalInformation": "Credential report does not appear to contain \"Key Creation Date\""}],"description": "Do not setup access keys during initial user setup for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.12": {"name": "1.12","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if unused credentials exist:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM` 4. Click on `Users` 5. Click the `Settings` (gear) icon. 6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id` 7. Click on `Close`8. Check and ensure that `Console last sign-in` is less than 45 days ago.**Note** - `Never` means the user has never logged in.9. Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.**From Command Line:****Download Credential Report:**1. Run the following commands: ```aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^' ```**Ensure unused credentials do not exist:**2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.3. 
For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.- When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.","RemediationProcedure": "**From Console:**Perform the following to manage Unused Password (IAM user console access)1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select user whose `Console last sign-in` is greater than 45 days 7. Click `Security credentials` 8. In section `Sign-in credentials`, `Console password` click `Manage`9. Under Console Access select `Disable` 10.Click `Apply`Perform the following to deactivate Access Keys:1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select any access keys that are over 45 days old and that have been used and - Click on `Make Inactive` 7. Select any access keys that are over 45 days old and that have not been used and - Click the X to `Delete`","AdditionalInformation": " is excluded in the audit since the root account should not be used for day to day business and would likely be unused for more than 45 days."}],"description": "Ensure credentials unused for 45 days or greater are disabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.13": {"name": "1.13","checks": {"iam_user_two_active_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. - Repeat steps no. 3 – 5 for each IAM user in your AWS account.**From Command Line:**1. Run `list-users` command to list all IAM users within your account: ``` aws iam list-users --query \"Users[*].UserName\" ``` The command output should return an array that contains all your IAM user names.2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user: ``` aws iam list-access-keys --user-name  ``` The command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.3. Check the `Status` property value for each key returned to determine each keys current state. 
If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.- Repeat steps no. 2 and 3 for each IAM user in your AWS account.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. 6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link. 7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key. 8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.**From Command Line:**1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). 
Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user**Note** - the command does not return any output: ``` aws iam update-access-key --access-key-id  --status Inactive --user-name  ``` 3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User: ``` aws iam list-access-keys --user-name  ``` - The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.","AdditionalInformation": ""}],"description": "Ensure there is only one active access key available for any single IAM user","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.14": {"name": "1.14","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. 
It is recommended that all access keys be regularly rotated.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click `setting` icon 4. Select `Console last sign-in` 5. Click `Close` 6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.**From Command Line:**``` aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d ``` The `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A (not applicable).","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.","RemediationProcedure": "Perform the following to rotate access keys:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click on `Security Credentials`4. As an Administrator - Click on `Make Inactive` for keys that have not been rotated in `90` Days 5. As an IAM User- Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days 6. Click on `Create Access Key`7. Update programmatic call with new Access Key credentials**From Command Line:**1. While the first access key is still active, create a second access key, which is active by default. Run the following command: ``` aws iam create-access-key ```At this point, the user has two active access keys.2. 
Update all applications and tools to use the new access key. 3. Determine whether the first access key is still in use by using this command: ``` aws iam get-access-key-last-used ``` 4. One approach is to wait several days and then check the old access key for any use before proceeding.Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command: ``` aws iam update-access-key ``` 5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command: ``` aws iam delete-access-key ```","AdditionalInformation": ""}],"description": "Ensure access keys are rotated every 90 days or less","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.15": {"name": "1.15","checks": {"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html","Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. 
Only the third implementation is recommended.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:1. Run the following to get a list of IAM users: ```aws iam list-users --query 'Users[*].UserName' --output text``` 2. For each user returned, run the following command to determine if any policies are attached to them: ```aws iam list-attached-user-policies --user-name aws iam list-user-policies --user-name ``` 3. If any policies are returned, the user has an inline policy or direct policy attachment.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.","RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups` and then click `Create New Group` . 3. In the `Group Name` box, type the name of the group and then click `Next Step` . 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` . 5. Click `Create Group` Perform the following to add a user to a given group:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups`3. Select the group to add a user to 4. Click `Add Users To Group`5. Select the users to be added to the group 6. Click `Add Users` Perform the following to remove a direct association between a user and policy:1. 
Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left navigation pane, click on Users 3. For each user:- Select the user- Click on the `Permissions` tab- Expand `Permissions policies` - Click `X` for each policy; then click Detach or Remove (depending on policy type)","AdditionalInformation": ""}],"description": "Ensure IAM Users Receive Permissions Only Through Groups","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.16": {"name": "1.16","checks": {"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam","Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges.","DefaultValue": null,"AuditProcedure": "Perform the following to determine what policies are created:**From Command Line:**1. Run the following to get a list of IAM policies: ```aws iam list-policies --only-attached --output text ``` 2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account: ```aws iam get-policy-version --policy-arn  --version-id  ``` 3. 
In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.","RemediationProcedure": "**From Console:**Perform the following to detach the policy that has full administrative privileges:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click Policies and then search for the policy name found in the audit step. 3. Select the policy that needs to be deleted. 4. In the policy action menu, select first `Detach`5. Select all Users, Groups, Roles that have this policy attached 6. Click `Detach Policy`7. In the policy action menu, select `Detach` **From Command Line:**Perform the following to detach the policy that has full administrative privileges as found in the audit step:1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.```aws iam list-entities-for-policy --policy-arn  ``` 2. Detach the policy from all IAM Users: ```aws iam detach-user-policy --user-name  --policy-arn  ``` 3. Detach the policy from all IAM Groups: ```aws iam detach-group-policy --group-name  --policy-arn  ``` 4. 
Detach the policy from all IAM Roles: ```aws iam detach-role-policy --role-name  --policy-arn  ```","AdditionalInformation": ""}],"description": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.17": {"name": "1.17","checks": {"iam_support_role_created": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html","Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.","DefaultValue": null,"AuditProcedure": "**From Command Line:**1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value: ``` aws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\" ``` 2. Check if the 'AWSSupportAccess' policy is attached to any role:``` aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess ```3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'If it returns empty refer to the remediation below.","ImpactStatement": "All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. 
Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month's AWS usage charges, subject to a monthly minimum, billed in advance.","AssessmentStatus": "Automated","RationaleStatement": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.","RemediationProcedure": "**From Command Line:**1. Create an IAM role for managing incidents with AWS:- Create a trust relationship policy document that allows  to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json: ```{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"\"},\"Action\": \"sts:AssumeRole\"}]} ``` 2. Create the IAM role using the above trust policy: ``` aws iam create-role --role-name  --assume-role-policy-document file:///tmp/TrustPolicy.json ``` 3. Attach 'AWSSupportAccess' managed policy to the created IAM role: ``` aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name  ```","AdditionalInformation": "AWSSupportAccess policy is a global AWS resource. It has same ARN as `arn:aws:iam::aws:policy/AWSSupportAccess` for every account."}],"description": "Ensure a support role has been created to manage incidents with AWS Support","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.18": {"name": "1.18","checks": {"ec2_instance_profile_attached": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html","Description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.","DefaultValue": null,"AuditProcedure": "Where an instance is associated with a Role:For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose \"Instances\" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.Where an Instance Contains Embedded Credentials:- On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.Where an Instance Application Contains Embedded Credentials:- Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. 
Another method is to examine all source code and configuration files of the application.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.","RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known. 2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected. 3. Shutdown both the existing instance and the new instance. 4. Detach disks from both instances. 5. Attach the existing instance disks to the new instance. 6. 
Boot the new instance and you should have the same machine, but with the associated role.**Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.**Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.","AdditionalInformation": ""}],"description": "Ensure IAM instance roles are used for AWS resource access from instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.19": {"name": "1.19","checks": {"iam_no_expired_server_certificates_stored": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html","Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. 
Additionally, you cannot manage your certificates from the IAM Console.","DefaultValue": null,"AuditProcedure": "**From Console:**Getting the certificates expiration information via AWS Management Console is not currently supported.To request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**Run list-server-certificates command to list all the IAM-stored server certificates:``` aws iam list-server-certificates ```The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):``` {\"ServerCertificateMetadataList\": [{\"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",\"ServerCertificateName\": \"MyServerCertificate\",\"Expiration\": \"2018-07-10T23:59:59Z\",\"Path\": \"/\",\"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",\"UploadDate\": \"2018-06-10T11:56:08Z\"}] } ```Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.If this command returns: ``` { { \"ServerCertificateMetadataList\": [] } ``` This means that there are no expired certificates, It DOES NOT mean that no certificates exist.","ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. 
One has to make configurations at respective services to ensure there is no interruption in application functionality.","AssessmentStatus": "Automated","RationaleStatement": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.","RemediationProcedure": "**From Console:**Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**To delete Expired Certificate run following command by replacing  with the name of the certificate to delete:``` aws iam delete-server-certificate --server-certificate-name  ```When the preceding command is successful, it does not return any output.","AdditionalInformation": ""}],"description": "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.20": {"name": "1.20","checks": {"accessanalyzer_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html","Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. 
Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Open the IAM console at `https://console.aws.amazon.com/iam/` 2. Choose `Access analyzer` 3. Click 'Analyzers' 4. Ensure that at least one analyzer is present 5. Ensure that the `STATUS` is set to `Active` 6. Repeat these step for each active region**From Command Line:**1. Run the following command: ``` aws accessanalyzer list-analyzers | grep status ``` 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`3. Repeat the steps above for each active region.If an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.","RemediationProcedure": "**From Console:**Perform the following to enable IAM Access analyzer for IAM policies:1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 2. Choose `Access analyzer`. 3. Choose `Create analyzer`. 4. 
On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer. 5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`. 6. Add any tags that you want to apply to the analyzer. `Optional`.7. Choose `Create Analyzer`. 8. Repeat these step for each active region**From Command Line:**Run the following command: ``` aws accessanalyzer create-analyzer --analyzer-name  --type  ``` Repeat this command above for each active region.**Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.","AdditionalInformation": ""}],"description": "Ensure that IAM Access analyzer is enabled for all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.21": {"name": "1.21","checks": {"iam_check_saml_providers_sts": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "","Description": "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.","DefaultValue": null,"AuditProcedure": "For multi-account AWS environments with an external identity provider... 1. Determine the master account for identity federation or IAM user management 2. Login to that account through the AWS Management Console 3. Click `Services`4. Click `IAM`5. Click `Identity providers` 6. Verify the configurationThen..., determine all accounts that should not have local users present. For each account...1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. 
Confirm that no IAM users representing individuals are presentFor multi-account AWS environments implementing AWS Organizations without an external identity provider... 1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. Confirm that no IAM users representing individuals are present","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.","RemediationProcedure": "The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.","AdditionalInformation": ""}],"description": "Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.10": {"name": "3.10","checks": {"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/` 2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine. 3. 
Review `General details` 4. Confirm that `Multi-region trail` is set to `Yes` 5. Scroll down to `Data events` 6. Confirm that it reads: Data events: S3 Bucket Name: All current and future S3 buckets Read: Enabled Write: Enabled 7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail. If the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.**From Command Line:**1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions: ``` aws cloudtrail list-trails ``` 2. The command output will be a list of all the trail names to include. \"TrailARN\": \"arn:aws:cloudtrail:::trail/\", \"Name\": \"\", \"HomeRegion\": \"\" 3. Next run 'get-trail- command to determine Multi-region. ``` aws cloudtrail get-trail --name  --region  ``` 4. The command output should include: \"IsMultiRegionTrail\": true, 5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 6. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. \"Type\": \"AWS::S3::Object\",\"Values\": [\"arn:aws:s3\" 7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered. 
If Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled. 6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.**From Command Line:**1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. 
Repeat step 1 for each s3 bucket to update `object-level` logging of write events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for write events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.11": {"name": "3.11","checks": {"cloudtrail_s3_dataevents_read_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set. 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.**From Command Line:** 1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: ``` aws cloudtrail describe-trails --region  --output table --query trailList[*].Name ``` 2. The command output will be table of the requested trail names. 3. 
Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. 5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. 7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. 
Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled. 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.**From Command Line:** 1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for read events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.10": {"name": "4.10","checks": {"cloudwatch_log_metric_filter_security_group_changes": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '']\" ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"\" --filter-name \"\" --metric-transformations metricName= \"\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name \"\" ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn \"\" --protocol  --notification-endpoint \"\" ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"\" --metric-name \"\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"\" ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for security group changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.11": {"name": "4.11","checks": {"cloudwatch_changes_to_network_acls_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.12": {"name": "4.12","checks": {"cloudwatch_changes_to_network_gateways_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to network gateways","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.13": {"name": "4.13","checks": {"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for route table changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for route table changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.14": {"name": "4.14","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for VPC changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.15": {"name": "4.15","checks": {"cloudwatch_log_metric_filter_aws_organizations_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.","DefaultValue": null,"AuditProcedure": "1. 
Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured: - Identify the log group name configured for use with active multi-region CloudTrail: - List all CloudTrails:``` aws cloudtrail describe-trails ``` - Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true - From value associated with CloudWatchLogsLogGroupArn note **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active: ``` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events: ``` aws cloudtrail get-event-selectors --trail-name  ``` - Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.2. Get a list of all associated metric filters for this : ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\" ``` 4. 
Note the `` value associated with the filterPattern found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4: ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the AlarmActions value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic: ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. Example of valid \"SubscriptionArn\":``` \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `` taken from audit step 1: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }' ``` **Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify: ``` aws sns create-topic --name  ``` **Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2: ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2: ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": ""}],"description": "Ensure a log metric filter and alarm exists for AWS Organizations changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"2.1.1": {"name": "2.1.1","checks": {"s3_bucket_default_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html:https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources","Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select a Bucket. 3. Click on 'Properties'. 4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. Run command to list buckets ``` aws s3 ls ``` 2. For each bucket, run``` aws s3api get-bucket-encryption --bucket  ``` 3. Verify that either``` \"SSEAlgorithm\": \"AES256\" ```or``` \"SSEAlgorithm\": \"aws:kms\"```is displayed.","ImpactStatement": "Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. 
Only SSE-S3 default encryption is supported for server access log destination buckets.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select a Bucket. 3. Click on 'Properties'. 4. Click edit on `Default Encryption`. 5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 6. Click `Save` 7. Repeat for all the buckets in your AWS account lacking encryption.**From Command Line:**Run either``` aws s3api put-bucket-encryption --bucket  --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}' ```or``` aws s3api put-bucket-encryption --bucket  --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}' ```**Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.","AdditionalInformation": "S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does **not** encrypt objects previously stored within the bucket."}],"description": "Ensure all S3 buckets employ encryption-at-rest","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.2": {"name": "2.1.2","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "2.1. 
Simple Storage Service (S3)","References": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html","Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.","DefaultValue": null,"AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions', then Click on `Bucket Policy`. 4. Ensure that a policy is listed that matches: ``` '{\"Sid\": ,\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}' ``` `` and `` will be specific to your account5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets``` aws s3 ls ``` 2. Using the list of buckets run this command on each of them: ``` aws s3api get-bucket-policy --bucket  | grep aws:SecureTransport ``` 3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false` 4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. 
To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions'. 4. Click 'Bucket Policy' 5. Add this to the existing policy filling in the required information ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 6. Save 7. Repeat for all the buckets in your AWS account that contain sensitive data.**From Console** using AWS Policy Generator:1. Repeat steps 1-4 above. 2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor 3. Select Policy Type `S3 Bucket Policy` 4. Add Statements - `Effect` = Deny - `Principal` = * - `AWS Service` = Amazon S3 - `Actions` = * - `Amazon Resource Name` =  5. Generate Policy 6. Copy the text and add it to the Bucket Policy.**From Command Line:**1. Export the bucket policy to a json file. ``` aws s3api get-bucket-policy --bucket  --query Policy --output text > policy.json ```2. Modify the policy.json file by adding in this statement: ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 3. 
Apply this modified policy back to the S3 bucket: ``` aws s3api put-bucket-policy --bucket  --policy file://policy.json ```","AdditionalInformation": ""}],"description": "Ensure S3 Bucket Policy is set to deny HTTP requests","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.3": {"name": "2.1.3","checks": {"s3_bucket_no_mfa_delete": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html","Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","DefaultValue": null,"AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket**From Console:**1. Login to the S3 console at `https://console.aws.amazon.com/s3/`2. Click the `Check` box next to the Bucket name you want to confirm3. In the window under `Properties`4. Confirm that Versioning is `Enabled`5. Confirm that MFA Delete is `Enabled`**From Command Line:**1. 
Run the `get-bucket-versioning` ``` aws s3api get-bucket-versioning --bucket my-bucket ```Output example: ```  EnabledEnabled ```If the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.","RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.Note: -You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API. -You must use your 'root' account to enable MFA Delete on S3 buckets.**From Command line:**1. Run the s3api put-bucket-versioning command``` aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” ```","AdditionalInformation": ""}],"description": "Ensure MFA Delete is enabled on S3 buckets","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.4": {"name": "2.1.4","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. Simple Storage Service (S3)","References": "https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html","Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. 
Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.","DefaultValue": null,"AuditProcedure": "Perform the following steps to determine if Macie is running:**From Console:** 1. Login to the Macie console at https://console.aws.amazon.com/macie/ 2. In the left hand pane click on By job under findings. 3. Confirm that you have a Job setup for your S3 BucketsWhen you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.","ImpactStatement": "There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.","AssessmentStatus": "Manual","RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.","RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie**From Console:**1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`2. Click `Get started`.3. Click `Enable Macie`.Setup a repository for sensitive data discovery results1. In the Left pane, under Settings, click `Discovery results`.2. Make sure `Create bucket` is selected.3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.4. Click on `Advanced`.5. Block all public access, make sure `Yes` is selected.6. 
KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.7. Click on `Save`Create a job to discover sensitive data1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.2. Select the `check box` for each bucket that you want Macie to analyze as part of the job3. Click `Create job`.3. Click `Quick create`.4. For the Name and description step, enter a name and, optionally, a description of the job.5. Then click `Next`.6. For the Review and create step, click `Submit`.Review your findings1. In the left pane, click `Findings`.2. To view the details of a specific finding, choose any field other than the check box for the finding.If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.","AdditionalInformation": ""}],"description": "Ensure all data in Amazon S3 has been discovered, classified and secured when required.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.5": {"name": "2.1.5","checks": {"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html","Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. 
While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.","DefaultValue": null,"AuditProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Ensure that block public access settings are set appropriately for this bucket 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Find the public access setting on that bucket ``` aws s3api get-public-access-block --bucket  ``` Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"BlockPublicAcls\": true,\"IgnorePublicAcls\": true,\"BlockPublicPolicy\": true,\"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.**If utilizing Block Public Access (account settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block public access (account settings)` 3. 
Ensure that block public access settings are set appropriately for your AWS account.**From Command Line:**To check Public access settings for this account status, run the following command, `aws s3control get-public-access-block --account-id  --region `Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"IgnorePublicAcls\": true, \"BlockPublicPolicy\": true, \"BlockPublicAcls\": true, \"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.","ImpactStatement": "When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.","AssessmentStatus": "Automated","RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s). Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.","RemediationProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Click 'Block all public access' 5. Repeat for all the buckets in your AWS account that contain sensitive data.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. 
Set the Block Public Access to true on that bucket ``` aws s3api put-public-access-block --bucket  --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\" ```**If utilizing Block Public Access (account settings)****From Console:**If the output reads `true` for the separate configuration settings then it is set on the account.1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block Public Access (account settings)` 3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account 4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons. 5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.**From Command Line:**To set Block Public access settings for this account, run the following command: ``` aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id  ```","AdditionalInformation": ""}],"description": "Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.2.1": {"name": "2.2.1","checks": {"ec2_ebs_volume_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.2. Elastic Compute Cloud (EC2)","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html:https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/","Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 get-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Review every region in-use.**Note:** EBS volume encryption is configured per region.","ImpactStatement": "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption` 6. Repeat for every region requiring the change.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 enable-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Repeat every region requiring the change.**Note:** EBS volume encryption is configured per region.","AdditionalInformation": "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are **not** converted automatically."}],"description": "Ensure EBS Volume Encryption is Enabled in all Regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.1": {"name": "2.3.1","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html:https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/#:~:text=With%20RDS%2Dencrypted%20resources%2C%20data,transparent%20to%20your%20database%20engine.:https://aws.amazon.com/rds/features/security/","Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/ 2. In the navigation pane, under RDS dashboard, click `Databases`. 3. Select the RDS Instance that you want to examine 4. Click `Instance Name` to see details, then click on `Configuration` tab. 5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status. 6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance. 7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region. 8. Change region from the top of the navigation bar and repeat audit for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. 
Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ``` 3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance. 4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases` 3. Select the Database instance that needs to be encrypted. 4. Click on `Actions` button placed at the top right and select `Take Snapshot`. 5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`. 6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu. 7. On the Make Copy of DB Snapshot page, perform the following:- In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`. - Check `Copy Tags`, New snapshot must have the same tags as the source snapshot. 
- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot. 9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance. 10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field. 11. Review the instance configuration details and click `Restore DB Instance`. 12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name. ``` aws rds create-db-snapshot --region  --db-snapshot-identifier  --db-instance-identifier  ``` 3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key. ``` aws kms list-aliases --region  ``` 4. 
Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`. ``` aws rds copy-db-snapshot --region  --source-db-snapshot-identifier  --target-db-snapshot-identifier  --copy-tags --kms-key-id  ``` 5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration. ``` aws rds restore-db-instance-from-db-snapshot --region  --db-instance-identifier  --db-snapshot-identifier  ``` 6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`. 
``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ```","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for RDS Instances","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 48,"requirements_failed": 10,"requirements_manual": 0,"total_requirements": 58,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "fb07e872-c61f-4749-96d2-da2b68993ae5","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "gxp_21_cfr_part_11_aws","framework": "GxP-21-CFR-Part-11","version": "","description": "GxP refers to the regulations and guidelines that are applicable to life sciences organizations that make food and medical products. Medical products that fall under this include medicines, medical devices, and medical software applications. The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers. 
It's also to ensure the integrity of data that's used to make product-related safety decisions.","region": "eu-west-1","requirements": {"11.30": {"name": "11.30 Controls for open systems","checks": {"elb_ssl_listeners": "FAIL","kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.30","Section": "11.30 Controls for open systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. 
Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.","checks_status": {"fail": 9,"pass": 4,"total": 21,"manual": 0}},"11.200": {"name": "11.200 Electronic signature components and controls","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "11.200","Section": "11.200 Electronic signature components and controls","Service": "aws","SubGroup": null,"SubSection": null}],"description": "(a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. 
(2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.","checks_status": {"fail": 0,"pass": 0,"total": 12,"manual": 0}},"11.10-a": {"name": "11.10(a)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"ssm_managed_compliant_patching": "FAIL","rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null,"ec2_instance_older_than_specific_days": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-a","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. 
Such procedures and controls shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.","checks_status": {"fail": 8,"pass": 1,"total": 13,"manual": 0}},"11.10-c": {"name": "11.10(c)","checks": {"s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"redshift_cluster_public_access": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","sagemaker_notebook_instance_encryption_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-c","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. 
Such procedures and controls shall include the following: (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.","checks_status": {"fail": 5,"pass": 3,"total": 14,"manual": 0}},"11.10-d": {"name": "11.10(d)","checks": {"iam_root_mfa_enabled": null,"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"ec2_instance_profile_attached": "PASS","iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"iam_password_policy_minimum_length_14": null,"s3_account_level_public_access_blocks": null,"secretsmanager_automatic_rotation_enabled": "FAIL","awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-d","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to 
create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (d) Limiting system access to authorized individuals.","checks_status": {"fail": 4,"pass": 8,"total": 38,"manual": 0}},"11.10-e": {"name": "11.10(e)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-d","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. 
Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.","checks_status": {"fail": 7,"pass": 2,"total": 14,"manual": 0}},"11.10-g": {"name": "11.10(g)","checks": {"iam_root_mfa_enabled": null,"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"ec2_ebs_volume_encryption": "PASS","iam_user_accesskey_unused": null,"ec2_ebs_default_encryption": "PASS","iam_password_policy_number": null,"iam_password_policy_symbol": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"ec2_instance_profile_attached": "PASS","iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"rds_instance_no_public_access": "PASS","efs_encryption_at_rest_enabled": "FAIL","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"iam_password_policy_minimum_length_14": null,"s3_account_level_public_access_blocks": null,"secretsmanager_automatic_rotation_enabled": "FAIL","awslambda_function_not_publicly_accessible": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"iam_customer_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_node_to_node_encryption_enabled": 
null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-g","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.","checks_status": {"fail": 5,"pass": 10,"total": 44,"manual": 0}},"11.10-h": {"name": "11.10(h)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-h","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. 
Such procedures and controls shall include the following: (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"11.10-k": {"name": "11.10(k)","checks": {"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": "PASS","s3_bucket_policy_public_write_access": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-k","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. 
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.","checks_status": {"fail": 5,"pass": 5,"total": 17,"manual": 0}},"11.300-b": {"name": "11.300(b)","checks": {"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.300-b","Section": "11.300 Controls for identification codes/passwords","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).","checks_status": {"fail": 1,"pass": 0,"total": 10,"manual": 0}},"11.300-d": {"name": "11.300(d)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.300-d","Section": "11.300 Controls for identification codes/passwords","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. 
Such controls shall include: (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.","checks_status": {"fail": 1,"pass": 3,"total": 4,"manual": 0}}},"requirements_passed": 1,"requirements_failed": 10,"requirements_manual": 0,"total_requirements": 11,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}}]
+[{"model": "api.complianceoverview","pk": "07d0c342-abcb-4d91-b865-88f9c96adbfc","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "cisa_aws","framework": "CISA","version": "","description": "Cybersecurity & Infrastructure Security Agency's (CISA) Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.","region": "eu-west-1","requirements": {"your-data-1": {"name": "Your Data-1","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"sagemaker_training_jobs_volume_and_output_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-data-1","Section": "your data","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Learn how your data is protected.","checks_status": {"fail": 4,"pass": 3,"total": 13,"manual": 0}},"your-data-2": {"name": "Your Data-2","checks": {"elb_ssl_listeners": "FAIL","elb_logging_enabled": "FAIL","elbv2_ssl_listeners": "FAIL","vpc_flow_logs_enabled": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","efs_have_backup_enabled": "FAIL","s3_bucket_public_access": null,"s3_bucket_acl_prohibited": "FAIL","ec2_ebs_volume_encryption": "PASS","rds_snapshots_public_access": "PASS","s3_bucket_default_encryption": "PASS","rds_instance_no_public_access": "PASS","efs_encryption_at_rest_enabled": 
"FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": "PASS","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_logging_enabled": "PASS","s3_bucket_policy_public_write_access": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","awslambda_function_not_publicly_accessible": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_training_jobs_volume_and_output_encryption_enabled": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-data-2","Section": "your data","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Learn what is happening on your network, manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.","checks_status": {"fail": 18,"pass": 
11,"total": 49,"manual": 0}},"your-data-3": {"name": "Your Data-3","checks": {"elbv2_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-data-3","Section": "your data","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Domain name system protection.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"your-data-4": {"name": "Your Data-4","checks": {"efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-data-4","Section": "your data","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish regular automated backups and redundancies of key systems.","checks_status": {"fail": 4,"pass": 1,"total": 8,"manual": 0}},"your-data-5": {"name": "Your Data-5","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "your-data-5","Section": "your data","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Leverage protections for backups, including physical security, encryption and offline copies.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"your-systems-1": {"name": "Your Systems-1","checks": {"ec2_elastic_ip_unassigned": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-systems-1","Section": "your systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Learn what is on your network. 
Maintain inventories of hardware and software assets to know what is in play and at-risk from attack.","checks_status": {"fail": 4,"pass": 0,"total": 4,"manual": 0}},"your-systems-2": {"name": "Your Systems-2","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-systems-2","Section": "your systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Leverage automatic updates for all operating systems and third-party software.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"your-systems-3": {"name": "Your Systems-3","checks": {"elb_ssl_listeners": "FAIL","elb_logging_enabled": "FAIL","elbv2_ssl_listeners": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"rds_instance_multi_az": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","efs_have_backup_enabled": "FAIL","s3_bucket_public_access": null,"kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","elbv2_deletion_protection": "FAIL","iam_user_accesskey_unused": null,"ec2_ebs_default_encryption": "PASS","iam_password_policy_number": null,"iam_password_policy_symbol": null,"rds_instance_backup_enabled": "PASS","rds_snapshots_public_access": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"s3_bucket_default_encryption": "PASS","iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"rds_instance_no_public_access": "PASS","efs_encryption_at_rest_enabled": "FAIL","iam_user_console_access_unused": null,"rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": 
"PASS","rds_instance_deletion_protection": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_logging_enabled": "PASS","apigateway_restapi_waf_acl_attached": "FAIL","iam_user_mfa_enabled_console_access": null,"redshift_cluster_automated_snapshot": null,"s3_bucket_policy_public_write_access": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"emr_cluster_master_nodes_no_public_ip": null,"iam_password_policy_minimum_length_14": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","secretsmanager_automatic_rotation_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","vpc_endpoint_connections_trust_boundaries": "FAIL","awslambda_function_not_publicly_accessible": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","codebuild_project_user_controlled_buildspec": "PASS","apigateway_restapi_client_certificate_enabled": "FAIL","iam_inline_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": 
"PASS","sagemaker_training_jobs_volume_and_output_encryption_enabled": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-systems-3","Section": "your systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement security configurations for all hardware and software assets.","checks_status": {"fail": 25,"pass": 16,"total": 84,"manual": 0}},"your-surroundings-1": {"name": "Your Surroundings-1","checks": {"vpc_flow_logs_enabled": "FAIL","ec2_elastic_ip_unassigned": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-surroundings-1","Section": "your surroundings","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"your-surroundings-2": {"name": "Your Surroundings-2","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "your-surroundings-2","Section": "your surroundings","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"your-surroundings-3": {"name": "Your Surroundings-3","checks": {"elbv2_ssl_listeners": "FAIL","iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "your-surroundings-3","Section": "your surroundings","Service": 
"aws","SubGroup": null,"SubSection": null}],"description": "Grant access and admin permissions based on need-to-know and least privilege.","checks_status": {"fail": 1,"pass": 0,"total": 6,"manual": 0}},"your-surroundings-4": {"name": "Your Surroundings-4","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "your-surroundings-4","Section": "your surroundings","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Leverage unique passwords for all user accounts.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"your-crisis-response-2": {"name": "Your Crisis Response-2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "your-crisis-response-2","Section": "your crisis response","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Lead development of an internal reporting structure to detect, communicate and contain attacks.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"booting-up-thing-to-do-first-1": {"name": "YBooting Up: Things to Do First-1","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "booting-up-thing-to-do-first-1","Section": "booting up thing to do first","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Lead development of an internal reporting structure to detect, communicate and contain attacks.","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"booting-up-thing-to-do-first-2": {"name": "YBooting Up: Things to Do First-2","checks": {"iam_root_mfa_enabled": 
null,"iam_user_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "booting-up-thing-to-do-first-2","Section": "booting up thing to do first","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"booting-up-thing-to-do-first-3": {"name": "YBooting Up: Things to Do First-3","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "booting-up-thing-to-do-first-1","Section": "booting up thing to do first","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}}},"requirements_passed": 4,"requirements_failed": 11,"requirements_manual": 1,"total_requirements": 16,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "089cf697-547a-4a34-a811-e7a19b78b9fd","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_foundational_technical_review_aws","framework": "AWS-Foundational-Technical-Review","version": "","description": "The AWS Foundational Technical Review (FTR) assesses an AWS Partner's solution against a specific set of Amazon Web Services (AWS) best practices around security, performance, and operational processes that are most critical for customer success. 
Passing the FTR is required to qualify AWS Software Partners for AWS Partner Network (APN) programs such as AWS Competency and AWS Service Ready but any AWS Partner who offers a technology solution may request a FTR review through AWS Partner Central.","region": "eu-west-1","requirements": {"S3-001": {"name": "Review all Amazon S3 buckets to determine appropriate access levels","checks": {"s3_bucket_object_lock": "FAIL","s3_bucket_public_access": null,"s3_bucket_acl_prohibited": "FAIL","s3_bucket_kms_encryption": "FAIL","s3_bucket_public_list_acl": null,"s3_bucket_public_write_acl": null,"s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_level_public_access_block": "PASS","s3_bucket_policy_public_write_access": "PASS","s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "You must ensure that buckets that require public access have been reviewed to determine if public read or write access is needed and if appropriate controls are in place to control public access. When assigning access permissions, follow the principle of least privilege, an AWS best practice. For more information, refer to overview of managing access.","checks_status": {"fail": 5,"pass": 3,"total": 11,"manual": 0}},"ARC-001": {"name": "Use root user only by exception","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "The root user has unlimited access to your account and its resources, and using it only by exception helps protect your AWS resources. The AWS root user must not be used for everyday tasks, even administrative ones. 
Instead, adhere to the best practice of using the root user only to create your first AWS Identity and Access Management (IAM) user. Then securely lock away the root user credentials and use them to perform only a few accounts and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User. FTR does not require you to actively monitor root usage.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ARC-003": {"name": "Enable multi-factor authentication (MFA) on the root user for all AWS accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Enabling MFA provides an additional layer of protection against unauthorized access to your account. To configure MFA for the root user, follow the instructions for enabling either a virtual MFA or hardware MFA device. If you are using AWS Organizations to create new accounts, the initial password for the root user is set to a random value that is never exposed to you. If you do not recover the password for the root user of these accounts, you do not need to enable MFA on them. For any accounts where you do have access to the root user’s password, you must enable MFA","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ARC-004": {"name": "Remove access keys for the root user","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Programmatic access to AWS APIs should never use the root user. It is best not to generate static an access key for the root user. 
If one already exists, you should transition any processes using that key to use temporary access keys from an AWS Identity and Access Management (IAM) role, or, if necessary, static access keys from an IAM user.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ARC-005": {"name": "Develop incident management plans","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "An incident management plan is critical to respond, mitigate, and recover from the potential impact of security incidents. An incident management plan is a structured process for identifying, remediating, and responding in a timely matter to security incidents. An effective incident management plan must be continually iterated upon, remaining current with your cloud operations goal. For more information on developing incident management plan please see Develop incident management plans.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"BAR-001": {"name": "Configure automatic data backups","checks": {"backup_plans_exist": "PASS","backup_vaults_exist": null,"backup_vaults_encrypted": "PASS","efs_have_backup_enabled": "FAIL","backup_reportplans_exist": null,"rds_instance_backup_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "You must perform regular backups to a durable storage service. Backups ensure that you have the ability to recover from administrative, logical, or physical error scenarios. Configure backups to be taken automatically based on a periodic schedule, or by changes in the dataset. RDS instances, EBS volumes, DynamoDB tables, and S3 objects can all be configured for automatic backup. 
AWS Backup, AWS Marketplace solutions or third-party solutions can also be used. If objects in S3 bucket are write-once-read-many (WORM), compensating controls such as object lock can be used meet this requirement. If it is customers’ responsibility to backup their data, it must be clearly stated in the documentation and the Partner must provide clear instructions on how to backup the data.","checks_status": {"fail": 1,"pass": 3,"total": 6,"manual": 0}},"BAR-002": {"name": "Periodically recover data to verify the integrity of your backup process","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "To confirm that your backup process meets your recovery time objectives (RTO) and recovery point objectives (RPO), run a recovery test on a regular schedule and after making significant changes to your cloud environment. For more information, refer to Getting Started - Backup and Restore with AWS.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-001": {"name": "Use cross-account roles to access customer AWS accounts","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Cross-account roles reduce the amount of sensitive information AWS Partners need to store for their customers.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-002": {"name": "Use an external ID with cross-account roles to access customer accounts","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "An external ID allows the user that is assuming the role to assert the circumstances in which they are operating. 
It also provides a way for the account owner to permit the role to be assumed only under specific circumstances. The primary function of the external ID is to address and prevent the confused deputy problem.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-003": {"name": "Deprecate any historical use of customer-provided IAM credentials","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "If your application provides legacy support for the use of static IAM credentials for cross-account access, the application's user interface and customer documentation must make it clear that this method is deprecated. Existing customers should be encouraged to switch to cross-account role based-access, and collection of credentials should be disabled for new customers.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-004": {"name": "Use a value you generate (not something provided by the customer) for the external ID","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "When configuring cross-account access using IAM roles, you must use a value you generate for the external ID, instead of one provided by the customer, to ensure the integrity of the cross-account role configuration. A partner-generated external ID ensures that malicious parties cannot impersonate a customer's configuration and enforces uniqueness and format consistency across all customers. 
If you are not generating an external ID today we recommend implementing a process that generates a random unique value (such as a Universally Unique Identifier) for the external ID that a customer uses to set up a cross-account role.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-005": {"name": "Ensure that all external IDs are unique.","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "The external IDs used must be unique across all customers. Re-using external IDs for different customers does not solve the confused deputy problem and runs the risk of customer A being able to view data of customer B by using the role ARN and the external ID of customer B. To resolve this, we recommend implementing a process that ensures a random unique value, such as a Universally Unique Identifier, is generated for the external ID that a customer would use to setup a cross account role.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-006": {"name": "Provide read-only access to external ID to customers","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Customers must not be able to set or influence external IDs. When the external ID is editable, it is possible for one customer to impersonate the configuration of another. For example, when the external ID is editable, customer A can create a cross account role setup using customer B’s role ARN and external ID, granting customer A access to customer B’s data. 
Remediation of this item involves making the external ID a view-only field, ensuring that the external ID cannot be changed to impersonate the setup of another customer.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"CAA-007": {"name": "Provide guidance or an automated setup mechanism (for example, an AWS CloudFormation template) for creating cross-account roles with the minimum required privileges","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "The policy created for cross-account access in customer accounts must follow the principle of least privilege. The AWS Partner must provide a role-policy document or an automated setup mechanism (for example, an AWS CloudFormation template) for the customers to use to ensure that the roles are created with minimum required privileges. For more information, refer to the AWS Partner Network (APN) blog posts.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-001": {"name": "Enable multi-factor authentication (MFA) for all Human Identities with AWS access","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_hardware_mfa_enabled": null,"iam_administrator_access_with_mfa": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "You must require any human identities to authenticate using MFA before accessing your AWS accounts. Typically, this means enabling MFA within your corporate identity provider. If you have existing legacy IAM users you must enable MFA for console access for those principals as well. Enabling MFA for IAM users provides an additional layer of security. 
With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone). Please note that machine identities do not require MFA.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"IAM-002": {"name": "Monitor and secure static AWS Identity and Access Management (IAM) credentials","checks": {"guardduty_is_enabled": "PASS","iam_user_accesskey_unused": null,"iam_rotate_access_key_90_days": null,"guardduty_no_high_severity_findings": "FAIL","iam_user_with_temporary_credentials": null},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Use temporary IAM credentials retrieved by assuming a role whenever possible. In cases where it is infeasible to use IAM roles, implement the following controls to reduce the risk these credentials are misused: Rotate IAM access keys regularly (recommended at least every 90 days). Maintain an inventory of all static keys and where they are used and remove unused access keys. Implement monitoring of AWS CloudTrail logs to detect anomalous activity or other potential misuse (e.g. using AWS GuardDuty.) 
Define a runbook or SOP for revoking credentials in the event you detect misuse.","checks_status": {"fail": 1,"pass": 1,"total": 5,"manual": 0}},"IAM-003": {"name": "Use strong password policy","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Enforce a strong password policy, and educate users to avoid common or re-used passwords. For IAM users, you can create a password policy for your account on the Account Settings page of the IAM console. You can use the password policy to define password requirements, such as minimum length and whether it requires non-alphabetic characters, and so on. For more information, see Setting an Account Password Policy for IAM users.","checks_status": {"fail": 0,"pass": 0,"total": 7,"manual": 0}},"IAM-004": {"name": "Create individual identities (no shared credentials) for anyone who needs AWS access","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Create individual entities and give unique security credentials and permissions to each user accessing your account. 
With individual entities and no shared credentials, you can audit the activity of each user.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-005": {"name": "Use IAM roles and its temporary security credentials to provide access to third parties.","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Do not provision IAM users and share those credentials with people outside of your organization. Any external services that need to make AWS API calls against your account (for example, a monitoring solution that accesses your account's AWS CloudWatch metrics) must use a cross-account role. For more information, refer to Providing access to AWS accounts owned by third parties.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-006": {"name": "Grant least privilege access","checks": {"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "You must follow the standard security advice of granting least privilege. Grant only the access that identities require by allowing access to specific actions on specific AWS resources under specific conditions. Rely on groups and identity attributes to dynamically set permissions at scale, rather than defining permissions for individual users. For example, you can allow a group of developers access to manage only resources for their project. 
This way, when a developer is removed from the group, access for the developer is revoked everywhere that group was used for access control, without requiring any changes to the access policies.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"IAM-007": {"name": "Manage access based on life cycle","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Integrate access controls with operator and application lifecycle and your centralized federation provider and IAM. For example, remove a user’s access when they leave the organization or change roles.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-008": {"name": "Audit identities quarterly","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Auditing the identities that are configured in your identity provider and IAM helps ensure that only authorized identities have access to your workload. For example, remove people that leave the organization, and remove cross-account roles that are no longer required. Have a process in place to periodically audit permissions to the services accessed by an IAM entity. This helps you identify the policies you needto modify to remove any unused permissions. 
For more information, see Refining permissions in AWS using last accessed information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-009": {"name": "Do not embed credentials in application code","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Ensure that all credentials used by your applications (for example, IAM access keys and database passwords) are never included in your application's source code or committed to source control in any way.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-001": {"name": "Define a Recovery Point Objective (RPO)","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "To confirm that your backup process meets your recovery time objectives (RTO) and recovery point objectives (RPO), run a recovery test on a regular schedule and after making significant changes to your cloud environment. For more information, refer to Getting Started - Backup and Restore with AWS.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-002": {"name": "Establish a Recovery Time Objective (RTO)","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Define an RTO that meets your organization’s needs and expectations. 
RTO is the maximum acceptable delay your organization will accept between the interruption and restoration of service.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-004": {"name": "Resiliency Testing","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Test resiliency to ensure that RTO and RPO are met, both periodically (minimum every 12 months) and after major updates. The resiliency test must include accidental data loss, instance failures, and Availability Zone (AZ) failures. At least one resilience test that meets RTO and RPO requirements must be completed prior to FTR approval. You can use AWS Resilience Hub to test and verify your workloads to see if it meets its resilience target. AWS Resilience Hub works with AWS Fault Injection Service (AWS FIS) , a chaos engineering service, to provide fault-injection simulations of real-world failures to validate the application recovers within the resilience targets you defined. AWS Resilience Hub also provides API operations for you to integrate its resilience assessment and testing into your CI/CD pipelines for ongoing resilience validation. Including resilience validation in CI/CD pipelines helps make sure that changes to the workload’s underlying infrastructure don't compromise resilience.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-005": {"name": "Communicate customer responsibilities for resilience","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Clearly define your customers’ responsibility for backup, recovery, and availability. 
At a minimum, your product documentation or customer agreements should cover the following: Responsibility the customer has for backing up the data stored in your solution. Instructions for backing up data or configuring optional features in your product for data protection, if applicable. Options customers have for configuring the availability of your product.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-006": {"name": "Architect your product to meet availability targets and uptime service level agreements (SLAs)","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "If you publish or privately agree to availability targets or uptime SLAs, ensure that your architecture and operational processes are designed to support them. Additionally, provide clear guidance to customers on any configuration required to achieve the targets or SLAs.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"RES-007": {"name": "Define a customer communication plan for outages","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Establish a plan for communicating information about system outages to your customers both during and after incidents. 
Your communication should not include any data that was provided by AWS under a non-disclosure agreement (NDA).","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SUP-001": {"name": "Subscribe to the AWS Business Support tier (or higher) for all production AWS accounts or have an action plan to handle issues which require help from AWS Support","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Partner-hosted FTR requirements","Service": null,"SubGroup": null,"SubSection": null}],"description": "It is recommended that you subscribe to the AWS Business Support tier or higher (including AWS Partner-Led Support) for all of your AWS production accounts. For more information, refer to Compare AWS Support Plans. If you don't have premium support, you must have an action plan to handle issues which require help from AWS Support. AWS Support provides a mix of tools and technology, people, and programs designed to proactively help you optimize performance, lower costs, and innovate faster. AWS Business Support provides additional benefits including access to AWS Trusted Advisor and AWS Personal Health Dashboard and faster response times.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ACOM-001": {"name": "Configure AWS account contacts","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "If an account is not managed by AWS Organizations, alternate account contacts help AWS get in contact with the appropriate personnel if needed. Configure the account’s alternate contacts to point to a group rather than an individual. For example, create separate email distribution lists for billing, operations, and security and configure these as Billing, Security, and Operations contacts in each active AWS account. 
This ensures that multiple people will receive AWS notifications and be able to respond, even if someone is on vacation, changes roles, or leaves the company.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ACOM-002": {"name": "Set account contact information including the root user email address to email addresses and phone numbers owned by your company","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Using company owned email addresses and phone numbers for contact information enables you to access them even if the individuals whom they belong to are no longer with your organization","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"HOST-001": {"name": "Confirm your hosting model","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Partner-hosted FTR requirements","Service": null,"SubGroup": null,"SubSection": null}],"description": "To use this FTR checklist you must host all critical application components on AWS. You may use external providers for edge services such as content delivery networks (CDNs) or domain name system (DNS), or corporate identity providers. If you are using any edge services outside AWS, please specify them in the self-assessment.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-0010": {"name": "Store secrets securely.","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Encrypt all secrets in transit and at rest, define fine-grained access controls that only allow access to specific identities, and log access to secrets in an audit log. 
We recommend you use a purpose-built secret management service such as AWS Secrets Manager, AWS Systems Manager Parameter Store, or an AWS Partner solution, but internally developed solutions that meet these requirements are also acceptable.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-0011": {"name": "Encrypt all end user/customer credentials and hash passwords at rest.","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "If you are storing end user/customer credentials in a database that you manage, encrypt credentials at rest and hash passwords. As an alternative, AWS recommends using a user-identity synchronization service, such as Amazon Cognito or an equivalent AWS Partner solution.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"IAM-0012": {"name": "Use temporary credentials","checks": {"iam_root_mfa_enabled": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_administrator_access_with_mfa": null,"iam_role_administratoraccess_policy": null,"iam_user_mfa_enabled_console_access": null,"iam_user_with_temporary_credentials": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_role_cross_account_readonlyaccess_policy": null,"iam_role_cross_service_confused_deputy_prevention": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Use temporary security credentials to access AWS resources. For machine identities within AWS (for example, Amazon Elastic Compute Cloud (Amazon EC2) instances or AWS Lambda functions), always use IAM roles to acquire temporary security credentials. 
For machine identities running outside of AWS, use IAM Roles Anywhere or securely store static AWS access keys that are only used to assume an IAM role.For human identities, use AWS IAM Identity Center or other identity federation solutions where possible. If you must use static AWS access keys for human users, require MFA for all access, including the AWS Management Console, and AWS Command Line Interface (AWS CLI).","checks_status": {"fail": 0,"pass": 0,"total": 13,"manual": 0}},"RCVP-001": {"name": "Establish a process to ensure that all required compliance standards are met","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "If you advertise that your product meets specific compliance standards, you must have an internal process for ensuring compliance. Examples of compliance standards include Payment Card Industry Data Security Standard (PCI DSS) PCI DSS, Federal Risk and Authorization Management Program (FedRAMP)FedRAMP, and U.S. Health Insurance Portability and Accountability Act (HIPAA)HIPAA. Applicable compliance standards are determined by various factors, such as what types of data the solution stores or transmits and which geographic regions the solution supports.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SDAT-001": {"name": "Identify sensitive data (for example, Personally Identifiable Information (PII) and Protected Health Information (PHI))","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Data classification enables you to determine which data needs to be protected and how. 
Based on the workload and the data it processes, identify the data that is not common public knowledge.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SDAT-002": {"name": "Encrypt all sensitive data at rest","checks": {"athena_workgroup_encryption": null,"efs_encryption_at_rest_enabled": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Encryption maintains the confidentiality of sensitive data even when it gets stolen or the network through which it is transmitted becomes compromised.","checks_status": {"fail": 3,"pass": 0,"total": 7,"manual": 0}},"SDAT-003": {"name": "Only use protocols with encryption when transmitting sensitive data outside of your VPC","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Encryption maintains data confidentiality even when the network through which it is transmitted becomes compromised.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"WAFR-001": {"name": "Conduct periodic architecture reviews (minimum once every year)","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Partner-hosted FTR requirements","Service": null,"SubGroup": null,"SubSection": null}],"description": "Conduct periodic architecture reviews of your production workload (at least once per year) using a documented architectural standard that includes AWS-specific best practices. 
If you have an internally defined standard for your AWS workloads, we recommend you use it for these reviews. If you do not have an internal standard, we recommend you use the AWS Well-Architected Framework.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"WAFR-002": {"name": "Review the AWS Shared Responsibility Models for Security and Resiliency","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Partner-hosted FTR requirements","Service": null,"SubGroup": null,"SubSection": null}],"description": "Review the AWS Shared Responsibility Model for Security and the AWS Shared Responsibility Model for Resiliency. Ensure that your product’s architecture and operational processes address the customer responsibilities defined in these models. We recommend you to use AWS Resilience Hub to ensure your workload resiliency posture meets your targets and to provide you with operational procedures you may use to address the customer responsibilities.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"NETSEC-001": {"name": "Implement the least permissive rules for all Amazon EC2 security groups","checks": {"ec2_ami_public": null,"ec2_instance_public_ip": "FAIL","ec2_securitygroup_not_used": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "All Amazon EC2 security groups should restrict access to the greatest degree possible. At a minimum, do the following: Ensure that no security groups allow ingress from 0.0.0.0/0 to port 22 or 3389 (CIS 5.2) Ensure that the default security group of every VPC restricts all traffic (CIS 5.3/Security Control EC2.2)","checks_status": {"fail": 3,"pass": 16,"total": 20,"manual": 0}},"NETSEC-002": {"name": "Restrict resources in public subnets","checks": {"vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","vpc_endpoint_connections_trust_boundaries": "FAIL","workspaces_vpc_2private_1public_subnets_nat": null,"vpc_endpoint_services_allowed_principals_trust_boundaries": null},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Do not place resources in public subnets of your VPC unless they must receive network traffic from public sources. 
Public subnets are subnets associated with a route table that has a route to an internet gateway.","checks_status": {"fail": 3,"pass": 0,"total": 5,"manual": 0}},"SECOPS-001": {"name": "Perform vulnerability management","checks": {"inspector2_is_enabled": "FAIL","inspector2_active_findings_exist": "FAIL","guardduty_no_high_severity_findings": "FAIL","accessanalyzer_enabled_without_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Architectural and Operational Controls","Service": null,"SubGroup": null,"SubSection": null}],"description": "Define a mechanism and frequency to scan and patch for vulnerabilities in your dependencies, and in your operating systems to help protect against new threats. Scan and patch your dependencies, and your operating systems on a defined schedule. Software vulnerability management is essential to keeping your system secure from threat actors. Embedding vulnerability assessments early into your continuous integration/continuous delivery (CI/CD) pipeline allows you to prioritize remediation of any security vulnerabilities detected. The solution you need to achieve this varies according to the AWS services that you are consuming. To check for vulnerabilities in software running in Amazon EC2 instances, you can add Amazon Inspector to your pipeline to cause your build to fail if Inspector detects vulnerabilities. 
You can also use open source products such as OWASP Dependency-Check, Snyk, OpenVAS, package managers and AWS Partner tools for vulnerability management.","checks_status": {"fail": 4,"pass": 0,"total": 4,"manual": 0}}},"requirements_passed": 6,"requirements_failed": 7,"requirements_manual": 32,"total_requirements": 45,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "1491ce35-3d2b-4cf6-a56d-b18b391d5623","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "nist_800_171_revision_2_aws","framework": "NIST-800-171-Revision-2","version": "","description": "The cybersecurity controls within NIST 800-171 safeguard CUI in the IT networks of government contractors and subcontractors. It defines the practices and procedures that government contractors must adhere to when their networks process or store CUI. NIST 800-171 only applies to those parts of a contractor’s network where CUI is present.","region": "eu-west-1","requirements": {"3_1_1": {"name": "3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)","checks": {"iam_root_mfa_enabled": null,"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"ec2_instance_profile_attached": "PASS","iam_root_hardware_mfa_enabled": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"eks_cluster_not_publicly_accessible": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": 
"PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_1","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. 
The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.","checks_status": {"fail": 3,"pass": 7,"total": 28,"manual": 0}},"3_1_2": {"name": "3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute","checks": {"iam_root_mfa_enabled": null,"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"ec2_instance_profile_attached": "PASS","iam_root_hardware_mfa_enabled": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"eks_cluster_not_publicly_accessible": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_2","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. 
System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).","checks_status": {"fail": 3,"pass": 7,"total": 28,"manual": 0}},"3_1_3": {"name": "3.1.3 Control the flow of CUI in accordance with approved authorizations","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"eks_cluster_not_publicly_accessible": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_3","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. 
Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. 
Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"3_1_4": {"name": "3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_1_4","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. 
Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"3_1_5": {"name": "3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_1_5","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. 
Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"3_1_6": {"name": "3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions","checks": {"iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_1_6","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"3_1_7": {"name": "3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs","checks": {"iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_1_7","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Privileged functions include establishing system accounts, 
performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"3_3_1": {"name": "3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_3_1","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "An event is any observable occurrence in 
a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. 
Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making.","checks_status": {"fail": 7,"pass": 4,"total": 14,"manual": 0}},"3_3_2": {"name": "3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions","checks": {"guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_3_2","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. 
Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).","checks_status": {"fail": 3,"pass": 3,"total": 9,"manual": 0}},"3_3_3": {"name": "3.3.3 Review and update logged events","checks": {"vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_3_3","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. 
Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient.","checks_status": {"fail": 4,"pass": 2,"total": 9,"manual": 0}},"3_3_4": {"name": "3.3.4 Alert in the event of an audit logging process failure","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_3_4","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"3_3_5": {"name": "3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_3_5","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. 
Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"3_3_8": {"name": "3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion","checks": {"s3_bucket_public_access": null,"s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_policy_public_write_access": "PASS","s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_3_8","Section": "3.3 Audit and Accountability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. 
Physical protection of audit information is addressed by media protection and physical and environmental protection requirements.","checks_status": {"fail": 4,"pass": 2,"total": 8,"manual": 0}},"3_4_1": {"name": "3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles","checks": {"ec2_elastic_ip_unassigned": "FAIL","elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","cloudtrail_multi_region_enabled": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_4_1","Section": "3.4 Configuration Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. 
Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location.","checks_status": {"fail": 6,"pass": 1,"total": 7,"manual": 0}},"3_4_2": {"name": "3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_4_2","Section": "3.4 Configuration Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. 
Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"3_4_6": {"name": "3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities","checks": {"iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"ec2_instance_managed_by_ssm": "FAIL","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"redshift_cluster_public_access": null,"ssm_managed_compliant_patching": "FAIL","s3_bucket_policy_public_write_access": "PASS","s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_4_6","Section": "3.4 Configuration Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. 
Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.","checks_status": {"fail": 3,"pass": 3,"total": 15,"manual": 0}},"3_4_7": {"name": "3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_4_7","Section": "3.4 Configuration Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. 
Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"3_4_9": {"name": "3.4.9 Control and monitor user-installed software","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_4_9","Section": "3.4 Configuration Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved 'app stores.' Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"3_5_2": {"name": "3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems","checks": {"iam_root_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_2","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. 
Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"3_5_3": {"name": "3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_3","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). 
Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"3_5_5": {"name": "3.5.5 Prevent reuse of identifiers for a defined period","checks": {"iam_password_policy_reuse_24": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_5","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). 
Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"3_5_6": {"name": "3.5.6 Disable identifiers after a defined period of inactivity","checks": {"iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_user_console_access_unused": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_6","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"3_5_7": {"name": "3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created","checks": {"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_7","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. 
The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.","checks_status": {"fail": 0,"pass": 0,"total": 9,"manual": 0}},"3_5_8": {"name": "3.5.8 Prohibit password reuse for a specified number of generations","checks": {"iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_user_console_access_unused": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_5_8","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Password lifetime restrictions do not apply to temporary passwords.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"3_6_1": {"name": "3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_6_1","Section": "3.6 Incident Response","Service": "aws","SubGroup": null,"SubSection": null}],"description": 
"Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. 
User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required.","checks_status": {"fail": 6,"pass": 4,"total": 14,"manual": 0}},"3_6_2": {"name": "3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_6_2","Section": "3.6 Incident Response","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. 
Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.","checks_status": {"fail": 6,"pass": 4,"total": 14,"manual": 0}},"3_11_2": {"name": "3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_11_2","Section": "3.11 Risk Assessment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. 
Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"3_11_3": {"name": "3.11.3 Remediate vulnerabilities in accordance with risk assessments","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_11_3","Section": "3.11 Risk Assessment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. 
The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"3_12_4": {"name": "3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_12_4","Section": "3.12 Assessment, Authorization, and Monitoring","Service": "aws","SubGroup": null,"SubSection": null}],"description": "System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. 
Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization.","checks_status": {"fail": 2,"pass": 3,"total": 9,"manual": 0}},"3_13_1": {"name": "3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems","checks": {"elb_ssl_listeners": "FAIL","elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","elbv2_waf_acl_attached": "FAIL","rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": "PASS","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": 
"PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_1","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. 
Such transmission services may represent sources of increased risk despite contract security provisions.","checks_status": {"fail": 10,"pass": 8,"total": 23,"manual": 0}},"3_13_2": {"name": "3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems","checks": {"rds_instance_multi_az": "FAIL","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","efs_have_backup_enabled": "FAIL","s3_bucket_public_access": null,"elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","dynamodb_tables_pitr_enabled": null,"awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": "PASS","acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"rds_instance_integration_cloudwatch_logs": "FAIL","awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_2","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. 
The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.","checks_status": {"fail": 7,"pass": 8,"total": 23,"manual": 0}},"3_13_3": {"name": "3.13.3 Separate user functionality from system management functionality","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_13_3","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. 
Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"3_13_4": {"name": "3.13.4 Prevent unauthorized and unintended information transfer via shared system resources","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_13_4","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. 
This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3_13_5": {"name": "3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks","checks": {"elb_ssl_listeners": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_5","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). 
DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.","checks_status": {"fail": 6,"pass": 6,"total": 20,"manual": 0}},"3_13_6": {"name": "3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_6","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"3_13_8": {"name": "3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards","checks": {"elb_ssl_listeners": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_8","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. 
Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"3_14_1": {"name": "3.14.1 Identify, report, and correct system flaws in a timely manner","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_14_1","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. 
Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"3_14_2": {"name": "3.14.2 Provide protection from malicious code at designated locations within organizational systems","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_14_2","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. 
Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.","checks_status": {"fail": 2,"pass": 2,"total": 5,"manual": 0}},"3_14_3": {"name": "3.14.3 Monitor system security alerts and advisories and take action in response","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_14_3","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. 
Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"3_14_4": {"name": "3.14.4 Update malicious code protection mechanisms when new releases are available","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "3_14_4","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. 
In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3_14_6": {"name": "3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_14_6","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). 
Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. 
System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.","checks_status": {"fail": 5,"pass": 4,"total": 12,"manual": 0}},"3_14_7": {"name": "3.14.7 Identify unauthorized use of organizational systems","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_14_7","Section": "3.14 System and Information integrity","Service": "aws","SubGroup": null,"SubSection": null}],"description": "System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. 
System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.","checks_status": {"fail": 5,"pass": 4,"total": 12,"manual": 0}},"3_1_12": {"name": "3.1.12 Monitor and control remote access sessions","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_12","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. 
Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).","checks_status": {"fail": 4,"pass": 4,"total": 11,"manual": 0}},"3_1_13": {"name": "3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_13","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"3_1_14": {"name": "3.1.14 Route remote access via managed access control points","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"iam_user_mfa_enabled_console_access": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_14","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems 
resulting in the unauthorized disclosure of CUI.","checks_status": {"fail": 3,"pass": 5,"total": 14,"manual": 0}},"3_1_20": {"name": "3.1.20 Verify and control/limit connections to and use of external systems","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_1_20","Section": "3.1 Access Control","Service": "aws","SubGroup": null,"SubSection": null}],"description": "External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems. Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. 
In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations. Note that while “external” typically refers to outside of the organization's direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered 'external' to that system.","checks_status": {"fail": 2,"pass": 1,"total": 5,"manual": 0}},"3_5_10": {"name": "3.5.10 Store and transmit only cryptographically-protected passwords","checks": {"ec2_ebs_volume_encryption": "PASS","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_5_10","Section": "3.5 Identification and Authentication","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords.","checks_status": {"fail": 2,"pass": 3,"total": 6,"manual": 0}},"3_13_11": {"name": "3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI","checks": {"ec2_ebs_volume_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": 
"FAIL","acm_certificates_expiration_check": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_11","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography.","checks_status": {"fail": 6,"pass": 3,"total": 12,"manual": 0}},"3_13_15": {"name": "3.13.15 Protect the authenticity of communications sessions","checks": {"elb_ssl_listeners": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_15","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. 
This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3_13_16": {"name": "3.13.16 Protect the confidentiality of CUI at rest","checks": {"ec2_ebs_volume_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "3_13_16","Section": "3.13 System and Communications Protection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. 
Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}}},"requirements_passed": 14,"requirements_failed": 35,"requirements_manual": 1,"total_requirements": 50,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "168b9e98-d0d8-47a8-b53a-32097ec095ac","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "nist_800_53_revision_4_aws","framework": "NIST-800-53-Revision-4","version": "","description": "NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. The controls defined in this standard are customizable and address a diverse set of security and privacy requirements.","region": "eu-west-1","requirements": {"ac_2": {"name": "Account Management (AC-2)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_2","Section": 
"Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.","checks_status": {"fail": 3,"pass": 3,"total": 18,"manual": 0}},"ac_3": {"name": "Access Enforcement (AC-3)","checks": {"iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","checks_status": {"fail": 0,"pass": 3,"total": 14,"manual": 0}},"ac_4": {"name": "Information Flow Enforcement (AC-4)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": 
"PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.","checks_status": {"fail": 3,"pass": 7,"total": 17,"manual": 0}},"ac_5": {"name": "Separation Of Duties (AC-5)","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_5","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Separate duties of individuals to prevent malevolent activity. 
automate separation of duties and access authorizations.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_6": {"name": "Least Privilege (AC-6)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_6","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.","checks_status": {"fail": 1,"pass": 5,"total": 18,"manual": 0}},"au_2": {"name": "Event Logging (AU-2)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"au_2","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3": {"name": "Content of Audit Records (AU-3)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_9": {"name": "Protection of Audit Information (AU-9)","checks": {"cloudtrail_kms_encryption_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_9","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects audit information and audit tools from unauthorized access, modification, and deletion.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"ca_7": {"name": "Continuous Monitoring (CA-7)","checks": {"securityhub_enabled": 
"PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_7","Section": "Security Assessment And Authorization (CA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Continuously monitor configuration management processes. Determine security impact, environment and operational risks.","checks_status": {"fail": 2,"pass": 3,"total": 9,"manual": 0}},"cm_2": {"name": "Baseline Configuration (CM-2)","checks": {"elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","cloudtrail_multi_region_enabled": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.","checks_status": {"fail": 5,"pass": 1,"total": 6,"manual": 0}},"cm_7": {"name": "Least Functionality (CM-7)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_7","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.","checks_status": 
{"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cp_9": {"name": "Information System Backup (CP-9)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","dynamodb_tables_pitr_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization conducts backups of user-level information, system-level information and information system documentation including security-related documentation contained in the information system and protects the confidentiality, integrity, and availability of backup information at storage locations.","checks_status": {"fail": 1,"pass": 1,"total": 4,"manual": 0}},"ia_2": {"name": "Identification and Authentication (Organizational users) (IA-2)","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2","Section": "Identification and Authentication (IA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ra_5": {"name": "Vulnerability Scanning (RA-5)","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ra_5","Section": "Risk Assessment (RA)","Service": "guardduty","SubGroup": null,"SubSection": null}],"description": "Scan for system vulnerabilities. 
Share vulnerability information and security controls that eliminate vulnerabilities.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"sa_3": {"name": "System Development Life Cycle (SA-3)","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa_3","Section": "System and Services Acquisition (SA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc_2": {"name": "Application Partitioning (SC-2)","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_2","Section": "System and Communications Protection (SC)","Service": "iam","SubGroup": null,"SubSection": null}],"description": "The information system separates user functionality (including user interface services) from information system management functionality.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"sc_4": {"name": "Information In Shared Resources (SC-4)","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_4","Section": "System and Communications Protection (SC)","Service": "ebs","SubGroup": null,"SubSection": null}],"description": "The information system prevents unauthorized and unintended information transfer via shared system resources.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 
0}},"sc_5": {"name": "Denial Of Service Protection (SC-5)","checks": {"rds_instance_multi_az": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_5","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"sc_7": {"name": "Boundary Protection (SC-7)","checks": {"elb_ssl_listeners": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. 
Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.","checks_status": {"fail": 6,"pass": 6,"total": 20,"manual": 0}},"sc_8": {"name": "Transmission Confidentiality And Integrity (SC-8)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"si_4": {"name": "Information System Monitoring (SI-4)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_waf_acl_attached": "FAIL","ec2_instance_imdsv2_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. 
Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].","checks_status": {"fail": 3,"pass": 3,"total": 10,"manual": 0}},"si_7": {"name": "Software, Firmware, and Information Integrity (SI-7)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ac_21": {"name": "Information Sharing (AC-21)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": 
null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_21","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Facilitate information sharing. Enable authorized users to grant access to partners.","checks_status": {"fail": 1,"pass": 4,"total": 11,"manual": 0}},"au_11": {"name": "Audit Record Retention (AU-11)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_11","Section": "Audit and Accountability (AU)","Service": "cloudwatch","SubGroup": null,"SubSection": null}],"description": "The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_12": {"name": "Audit Generation (AU-12)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": 
null}],"description": "Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"cp_10": {"name": "Information System Recovery And Reconstitution (CP-10)","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_10","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.","checks_status": {"fail": 4,"pass": 1,"total": 7,"manual": 0}},"sa_10": {"name": "Developer Configuration Management (SA-10)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa_10","Section": "System and Services Acquisition (SA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. 
Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].","checks_status": {"fail": 2,"pass": 2,"total": 4,"manual": 0}},"sc_12": {"name": "Cryptographic Key Establishment And Management (SC-12)","checks": {"kms_cmk_rotation_enabled": null,"acm_certificates_expiration_check": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_12","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"sc_13": {"name": "Cryptographic Protection (SC-13)","checks": {"dynamodb_tables_kms_cmk_encryption_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_13","Section": "System and Communications Protection (SC)","Service": "dynamodb","SubGroup": null,"SubSection": null}],"description": "The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"sc_23": {"name": "Session Authenticity (SC-23)","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_23","Section": "System and Communications Protection (SC)","Service": "elb","SubGroup": null,"SubSection": null}],"description": "The information system protects the authenticity of communications sessions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"sc_28": {"name": "Protection Of Information At Rest (SC-28)","checks": 
{"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_28","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].","checks_status": {"fail": 5,"pass": 3,"total": 12,"manual": 0}},"si_12": {"name": "Information Handling and Retention (SI-12)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_12","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.","checks_status": {"fail": 3,"pass": 1,"total": 6,"manual": 0}},"ac_2_1": {"name": "AC-2(1) Automated System Account Management","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null},"status": 
"PASS","attributes": [{"Type": null,"ItemId": "ac_2_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.","checks_status": {"fail": 0,"pass": 2,"total": 6,"manual": 0}},"ac_2_3": {"name": "AC-2(3) Disable Inactive Accounts","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The information system automatically disables inactive accounts after 90 days for user accounts.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ac_2_4": {"name": "AC-2(4) Automated Audit Actions","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": 
null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_2_4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].","checks_status": {"fail": 2,"pass": 3,"total": 11,"manual": 0}},"au_6_1": {"name": "AU-6(1) Process Integration","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Review, Analysis And Reporting (AU-6)"}],"description": "The organization employs automated mechanisms to integrate audit review, analysis,and reporting processes to support organizational processes for investigation and response to suspicious activities.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"au_6_3": {"name": "AU-6(3) Correlate Audit Repositories","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit 
Review, Analysis And Reporting (AU-6)"}],"description": "The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"au_7_1": {"name": "AU-7(1) Automatic Processing","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_7_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"au_9_2": {"name": "AU-9(2) Audit Backup On Separate Physical Systems / Components","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "au_9_2","Section": "Audit and Accountability (AU)","Service": "s3","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cm_8_1": {"name": "CM-8(1) Updates During Installation / Removals","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_1","Section": "Configuration Management (CM)","Service": "ec2","SubGroup": null,"SubSection": "Information System Component Inventory (CM-8)"}],"description": "The organization develops and documents an inventory of information 
system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cm_8_3": {"name": "CM-8(3) Automated Unauthorized Component Detection","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_3","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Information System Component Inventory (CM-8)"}],"description": "The organization employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system and takes actions (disables network access by such components, isolates the components etc) when unauthorized components are detected.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"ia_2_1": {"name": "IA-2(1) Network Access To Privileged Accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_1","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "The information system implements multi-factor authentication for network access to privileged accounts.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_2_2": {"name": "IA-2(2) Network Access To Non-Privileged Accounts","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_2","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": 
null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "The information system implements multifactor authentication for network access to non-privileged accounts.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ia_5_1": {"name": "IA-5(1) Password-Based Authentication","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_1","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_4": {"name": "IA-5(4) Automated Support For Password Strength Determination","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_4","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_7": {"name": "IA-5(7) No Embedded Unencrypted Static Authenticators","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_7","Section": "Identification and Authentication (IA)","Service": "codebuild","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "The organization ensures that unencrypted static authenticators are not embedded 
in applications or access scripts or stored on function keys.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ir_4_1": {"name": "IR-4(1) Automated Incident Handling Processes","checks": {"guardduty_no_high_severity_findings": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir_4_1","Section": "Incident Response (IR)","Service": "aws","SubGroup": null,"SubSection": "Incident Handling (IR-4)"}],"description": "The organization employs automated mechanisms to support the incident handling process.","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"ir_6_1": {"name": "IR-6(1) Automated Reporting","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir_6_1","Section": "Incident Response (IR)","Service": "guardduty","SubGroup": null,"SubSection": "Incident Reporting (IR-6)"}],"description": "The organization employs automated mechanisms to assist in the reporting of security incidents.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ir_7_1": {"name": "IR-7(1) Automation Support For Availability Of Information / Support","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir_7_1","Section": "Incident Response (IR)","Service": "guardduty","SubGroup": null,"SubSection": "Incident Response Assistance (IR-7)"}],"description": "The organization employs automated mechanisms to increase the availability of incident response-related information and support.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc_7_3": {"name": "SC-7(3) Access Points","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": 
"PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_3","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "The organization limits the number of external network connections to the information system.","checks_status": {"fail": 3,"pass": 6,"total": 16,"manual": 0}},"sc_8_1": {"name": "SC-8(1) Cryptographic Or Alternate Physical Protection","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_1","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity (SC-8)"}],"description": "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"si_2_2": {"name": "SI-2(2) Automates Flaw Remediation Status","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": 
"FAIL","attributes": [{"Type": null,"ItemId": "si_2_2","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"si_4_1": {"name": "SI-4(1) System-Wide Intrusion Detection System","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_1","Section": "System and Information Integrity (SI)","Service": "guardduty","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_2": {"name": "SI-4(2) Automated Tools For Real-Time Analysis","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_2","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization employs automated tools to support near real-time analysis of events.","checks_status": {"fail": 1,"pass": 3,"total": 8,"manual": 0}},"si_4_4": {"name": "SI-4(4) Inbound and Outbound Communications Traffic","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": 
"FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_4","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"si_4_5": {"name": "SI-4(5) System-Generated Alerts","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_5","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The information system alerts organization-defined personnel or roles when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"si_7_1": {"name": "SI-7(1) Integrity Checks","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_1","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity 
(SI-7)"}],"description": "The information system performs an integrity check of security relevant events at least monthly.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ac_17_1": {"name": "AC-17(1) Automated Monitoring/Control","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_17_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system monitors and controls remote access methods.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ac_17_2": {"name": "AC-17(2) Protection Of Confidentiality/Integrity Using Encryption","checks": {"elb_ssl_listeners": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_2","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.","checks_status": {"fail": 2,"pass": 1,"total": 3,"manual": 0}},"ac_17_3": {"name": "AC-17(3) Managed Access Control Points","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_17_3","Section": "Access Control (AC)","Service": "vpc","SubGroup": null,"SubSection": null}],"description": "The information system routes all remote accesses through organization-defined managed network access control points.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ac_2_12": {"name": "AC-2(12) Account Monitoring","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_12","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Monitors and reports atypical usage of information 
system accounts to organization-defined personnel or roles.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ac_6_10": {"name": "AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_6_10","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_2_11": {"name": "IA-2(11) Remote Access - Separate Device","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_11","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"si_4_16": {"name": "SI-4(16) Correlate Monitoring Information","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_16","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization correlates information from monitoring tools employed throughout the information system.","checks_status": 
{"fail": 0,"pass": 2,"total": 2,"manual": 0}}},"requirements_passed": 18,"requirements_failed": 41,"requirements_manual": 5,"total_requirements": 64,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "1c8c75df-34ec-48f2-b6e2-5dba27d9b734","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "kisa_isms_p_2023_aws","framework": "KISA-ISMS-P","version": "2023","description": "The ISMS-P certification, established by KISA (Korea Internet & Security Agency), is a system where an independent certification body evaluates whether a company or organization's information security and privacy protection measures comply with certification standards, and grants certification. This helps organizations improve public trust in their services and respond effectively to increasingly complex cyber threats. The ISMS-P framework also provides comprehensive guidelines for systematically establishing, implementing, and managing information security and privacy protection.","region": "eu-west-1","requirements": {"1.1.1": {"name": "Executive Participation","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.1 Executive Participation","Subdomain": "1.1. 
Management System","AuditEvidence": ["Information protection and personal information protection reporting system (e.g., communication plan)","Minutes of the Information Protection and Personal Information Protection Committee","Information protection and personal information protection policies/guidelines (including executive approval records)","Information protection plans and internal management plans (including executive approval records)","Information protection and personal information protection organization chart"],"AuditChecklist": ["Is there documentation outlining the responsibilities and roles of executives to ensure their participation in the establishment and operation of the information protection and personal information protection management system?","Is there a reporting, review, and approval process in place to ensure that executives actively participate in decision-making regarding information protection and personal information protection activities?"],"NonComplianceCases": ["Case 1: Although it is stated in the information protection and personal information protection policy to report the status of information protection and personal information protection to the executives on a quarterly basis, no such reports have been made for an extended period.","Case 2: In performing major information protection activities (e.g., risk assessment, determining risk acceptance levels, reviewing information protection measures and implementation plans, reviewing the results of information protection measures, security audits, etc.), executives or those authorized by the executives did not participate in decision-making or there was no evidence of their involvement."],"RelatedRegulations": []}],"description": "The CEO must establish and operate a reporting and decision-making system to ensure executive participation in the establishment and operation of the information protection and personal information protection management system.","checks_status": 
{"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.2": {"name": "Designation of Chief Officers","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.2 Designation of Chief Officers","Subdomain": "1.1. Management System","AuditEvidence": ["Documents related to the appointment of the CISO and CPO (e.g., personnel orders, personnel records)","Information protection and personal information protection organization chart","Information protection and personal information protection policies/guidelines","Job descriptions (roles and responsibilities of the CISO and CPO)","Records of CISO reports","Internal management plans (regarding the appointment of the CPO)"],"AuditChecklist": ["Has the CEO officially designated a chief officer responsible for overseeing information protection and personal information protection?","Are the CISO and CPO appointed at an executive level with authority to allocate resources such as budget and personnel, and do they meet the qualifications required by relevant laws?"],"NonComplianceCases": ["Case 1: Failure to appoint and report a CISO as required under the Information and Communications Network Act, even though the organization is obligated to do so.","Case 2: Appointing a person without substantial authority and status as the CPO, making it difficult to believe that they are responsible for overseeing personal information processing.","Case 3: Although the organization chart specifies the CISO and CPO, the formal appointment process, such as issuing personnel orders, was not followed.","Case 4: Although the entity is subject to ISMS certification and had over 5 trillion won in assets at the end of the previous year, the CISO also holds the position of CIO, in violation of the ISMS requirements."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures), Article 31 (Designation of a Personal Information 
Protection Officer)","Information and Communications Network Act, Article 45-3 (Designation of a Chief Information Security Officer, etc.)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "The CEO must appoint a Chief Information Security Officer (CISO) responsible for information protection and a Chief Privacy Officer (CPO) responsible for personal information protection, both at an executive level with authority to allocate resources such as budget and personnel.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.3": {"name": "Organization Structure","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.3 Organization Structure","Subdomain": "1.1. Management System","AuditEvidence": ["Information protection and personal information protection committee regulations/minutes","Information protection and personal information protection working group regulations/minutes","Information protection and personal information protection organization chart","Internal management plan","Job descriptions"],"AuditChecklist": ["Has the organization established and operated a working group with expertise to support the work of the CISO and CPO and systematically implement the organization's information protection and personal information protection activities?","Has the organization established and operated a committee that can review, approve, and make decisions on important information protection and personal information protection matters across the organization?","Has the organization established and operated a working group composed of information protection and personal information protection officers and department-level personnel for enterprise-wide information protection and personal information protection activities?"],"NonComplianceCases": ["Case 1: The 
Information Protection and Personal Information Protection Committee was established, but it consists only of department heads without the inclusion of executives, making it difficult to make decisions on the organization's key information and personal information protection matters.","Case 2: Although a working group for information protection and personal information protection was established, including heads of departments that handle important information and personal data, it has not been active for an extended period.","Case 3: Although the Information Protection and Personal Information Protection Committee was convened, major matters such as the annual information protection and personal information protection plan, training plan, budget, and personnel were not reviewed or decided upon.","Case 4: Although an Information Protection Committee was established for deliberation and decision-making on information protection and personal information protection matters, only the operations and IT security departments participated, without the involvement of departments responsible for personal information protection, leaving personal information protection matters undecided."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "The CEO must establish and operate a working group to effectively implement information protection and personal information protection, a committee that can review and approve key matters related to information protection and personal information protection across the organization, and a consultative body consisting of department-level information protection and personal information protection officers for enterprise-wide protection activities.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.4": 
{"name": "Scope Setting","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.4 Scope Setting","Subdomain": "1.1. Management System","AuditEvidence": ["Scope definition document for information protection and personal information protection management system","List of information assets and personal information","Document list","Service flowchart","Personal information flowchart","Organization-wide organizational chart","System and network configuration diagram"],"AuditChecklist": ["Has the organization set the scope of the management system to include key assets that may affect core services and personal information processing?","If there are exceptions within the defined scope, are clear reasons documented, and are consultations with relevant stakeholders and approvals from responsible parties recorded and managed?","Is the organization maintaining documentation that includes the major services, operational status, and systems, allowing for clear verification of the scope of the information protection and personal information protection management system?"],"NonComplianceCases": ["Case 1: The development and test systems, external staff, PCs, and test devices related to the development work for information systems and personal information processing systems were omitted from the management system's scope.","Case 2: Key organizations (personnel) in departments and business units that play critical roles in decision-making for services or businesses within the scope of the information protection and personal information protection management system were not included in the certification scope.","Case 3: The development and test systems, developer PCs, test devices, and development organizations related to the development work for information systems and personal information processing systems were omitted from the management system's scope."],"RelatedRegulations": []}],"description": "The 
organization must set the scope of the management system by considering its core services and the current state of personal information processing, and document the related services, personal information processing tasks, organizations, assets, and physical locations.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.5": {"name": "Policy Establishment","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.5 Policy Establishment","Subdomain": "1.1. Management System","AuditEvidence": ["Information protection and personal information protection policies/guidelines/procedures (including records of new/revised versions)","Meeting minutes of stakeholder reviews of newly established/revised information protection and personal information protection policies/guidelines/procedures","Internal management plans for personal information","Notifications of new/revised information protection and personal information protection policies/guidelines (via groupware, intranet, etc.)","Minutes of the Information Protection and Personal Information Protection Committee"],"AuditChecklist": ["Has the organization established a top-level information protection and personal information protection policy that serves as the foundation for all information protection and personal information protection activities?","Has the organization established detailed guidelines, procedures, and manuals specifying the methods, processes, and frequencies required to implement the information protection and personal information protection policies?","Are the information protection and personal information protection policies and implementation documents approved by the CEO or by someone delegated by the CEO when newly established or revised?","Are the latest versions of the information protection and personal information protection policies and implementation documents provided to relevant employees in an easily 
understandable format?"],"NonComplianceCases": ["Case 1: Although internal regulations stipulate that revisions to the information protection and personal information protection policies must be approved by the Information Protection and Personal Information Protection Committee, recent revisions were made solely based on the approval of the CISO and CPO without presenting the revisions to the committee.","Case 2: The information protection and personal information protection policies and guidelines were recently revised, but these changes were not communicated to relevant departments and employees, leading some departments to continue operating based on outdated guidelines.","Case 3: The information protection and personal information protection policies and guidelines are managed solely by the security department and are not made available for employees to access through bulletin boards or documents."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "The organization must establish and document information protection and personal information protection policies and implementation documents, clearly stating the organization's information protection and personal information protection guidelines and direction. These policies and implementation documents must be approved by the executive management and communicated in an understandable form to employees and relevant parties.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.6": {"name": "Resource Allocation","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.1.6 Resource Allocation","Subdomain": "1.1. 
Management System","AuditEvidence": ["Annual action plan for information protection and personal information protection activities (including budget and personnel plans)","Reports on the results of information protection and personal information protection activities","Records of investments in information protection and personal information protection","Information protection and personal information protection organization chart"],"AuditChecklist": ["Has the organization secured personnel with expertise in the fields of information protection and personal information protection?","Has the organization evaluated and allocated the necessary resources, including budget and personnel, for the effective implementation and continuous operation of the information protection and personal information protection management system?","Has the organization established and implemented an annual detailed action plan for information protection and personal information protection, and conducted audits, analyses, and evaluations of the results?"],"NonComplianceCases": ["Case 1: The organization assembled an information protection and personal information protection team, but the team consisted only of personnel without expertise in information protection or IT, resulting in inadequate security staffing.","Case 2: The CEO failed to allocate sufficient resources, such as budget and security solutions, for implementing the technical and managerial safeguards required for personal information processing systems.","Case 3: After obtaining certification, the organization significantly reduced personnel and budget support, reassigned existing staff to other departments, and repurposed part of the budget for other uses."],"RelatedRegulations": []}],"description": "The CEO must allocate the necessary resources, including budget and personnel with expertise in the fields of information protection and personal information protection, for the effective implementation and continuous operation 
of the management system.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.1": {"name": "Identification of Information Assets","checks": {"macie_is_enabled": "PASS","resourceexplorer2_indexes_found": "PASS","config_recorder_all_regions_enabled": null,"organizations_account_part_of_organizations": null,"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.2.1 Identification of Information Assets","Subdomain": "1.2. Risk Management","AuditEvidence": ["Information asset and personal information asset classification criteria","Information asset and personal information asset list (from asset management system screen)","Information asset and personal information security levels","Asset audit details","Risk analysis report (including asset identification)"],"AuditChecklist": ["Has the organization established classification criteria for information assets and identified all assets within the scope of the information protection and personal information protection management system, maintaining them in a list?","For the identified information assets, does the organization determine their importance by considering legal requirements and their impact on operations, and assign security levels?","Does the organization regularly review the status of information assets to keep the list up-to-date?"],"NonComplianceCases": ["Case 1: The list of assets within the scope of the information protection and personal information protection management system omits internal information leakage control systems, such as print security, document encryption, and USB media control, which are used to manage PCs handling important information and personal information.","Case 2: Personal information provided by third parties within the scope of the information protection and personal information protection management system has not been identified as an 
asset.","Case 3: The asset classification criteria in the internal guidelines and the classification criteria in the asset management register are inconsistent.","Case 4: Although on-premises assets have been identified, assets related to externally entrusted IT services (web hosting, server hosting, cloud, etc.) have been omitted (only for assets within the certification scope).","Case 5: The backup server storing unique identification information and other personal data has been classified with a low confidentiality rating, raising concerns about the reasonableness and reliability of the importance assessment."],"RelatedRegulations": []}],"description": "Organizations must establish classification criteria for information assets according to the characteristics of their operations, identify and classify all information assets within the scope of the management system, assess their importance, and maintain an up-to-date list.","checks_status": {"fail": 0,"pass": 2,"total": 5,"manual": 0}},"1.2.2": {"name": "Status and Flow Analysis","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.2.2 Status and Flow Analysis","Subdomain": "1.2. 
Risk Management","AuditEvidence": ["Information service status table","Information service workflow charts and process maps","Personal information processing status table (for ISMS-P certification)","Personal information flowcharts (for ISMS-P certification)"],"AuditChecklist": ["Has the organization identified and documented the status and workflows of information services across all areas of the management system?","Has the organization identified and documented the status of personal information processing within the scope of the management system, and mapped out personal information flows in flowcharts?","Does the organization regularly review procedures and workflows in response to changes in services, operations, and information assets, and keep the flowcharts and related documents up-to-date?"],"NonComplianceCases": ["Case 1: There are no documents outlining the workflows and procedures for major services within the scope of the management system.","Case 2: The personal information flowchart contains significant discrepancies from the actual personal information flow, or important personal information flows are missing.","Case 3: After the initial creation of the personal information flowchart, it has not been updated to reflect changes in the personal information flow."],"RelatedRegulations": []}],"description": "Organizations must analyze the status of information services and personal information processing across all areas of the management system, document the procedures and workflows, and review them regularly to maintain their accuracy.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.3": {"name": "Risk Assessment","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.2.3 Risk Assessment","Subdomain": "1.2. 
Risk Management","AuditEvidence": ["Risk management guidelines","Risk management manuals/guides","Risk management plan","Risk assessment report","Minutes of the Information Protection and Personal Information Protection Committee","Minutes of the Information Protection and Personal Information Protection Working Group","Information asset and personal information asset list","Information service and personal information flowcharts"],"AuditChecklist": ["Has the organization defined methods for identifying and assessing risks that could arise from various aspects, depending on the characteristics of the organization or service?","Does the organization annually develop a risk management plan that specifies the personnel, timeline, targets, methods, and budget for risk management activities?","Does the organization conduct regular or ad-hoc risk assessments at least once a year according to the risk management plan?","Has the organization established an acceptable target risk level and identified risks that exceed that level?","Are the results of risk identification and assessment reported to the executives?"],"NonComplianceCases": ["Case 1: The risk management plan specifies the risk assessment period and the targets and methods for risk management, but lacks details on the personnel and budget required for execution.","Case 2: While a risk assessment was conducted in the previous year, no risk assessment was conducted this year due to a lack of changes in assets.","Case 3: The organization conducted risk identification and assessment according to the risk management plan, but failed to assess the risks of important information assets within the scope, or failed to assess compliance with legal requirements related to information protection.","Case 4: The organization identified and assessed risks and set an acceptable target risk level according to the risk management plan, but did not report and seek approval from the executives (e.g., the Chief Information Security 
Officer).","Case 5: The method defined in the internal guidelines for risk assessment differs from the method actually used.","Case 6: The organization failed to identify and assess risks in the administrative and physical areas related to the information protection management system, and used only the results of technical vulnerability assessments as the risk assessment outcome.","Case 7: The organization set the acceptable target risk level (DoA) unreasonably high, designating risks that required action as acceptable risks, even though these risks were significant and required immediate or short-term action."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "Organizations must collect threat information by analyzing internal and external environments, select a risk assessment method suitable for the organization, conduct a risk assessment at least once a year across all areas of the management system, and manage acceptable risks with the approval of the executives.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.4": {"name": "Selection of Protective Measures","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.2.4 Selection of Protective Measures","Subdomain": "1.2. 
Risk Management","AuditEvidence": ["Information protection and personal information protection implementation plans/risk management plans","Information protection and personal information protection measures","Information protection and personal information protection master plan","Records of management reports and approvals for the information protection and personal information protection implementation plan"],"AuditChecklist": ["Has the organization developed risk treatment strategies (e.g., risk reduction, avoidance, transfer, acceptance) and selected protective measures to address the identified risks?","Has the organization established and reported to management an implementation plan that includes priority, schedule, responsible department/personnel, and budget for the protective measures?"],"NonComplianceCases": ["Case 1: Although an implementation plan for the information protection and personal information protection measures was established, it was not reported to the CISO and CPO.","Case 2: Some risk mitigation actions that were required were missing from the implementation plan.","Case 3: Mandatory legal requirements and risks with high security vulnerabilities were accepted without additional protective measures, instead of being addressed by a risk treatment plan.","Case 4: The rationale and validity for risk acceptance were insufficient, and some risks that could have been addressed immediately or in the short term due to urgency or ease of implementation were classified under long-term plans without specific justification."],"RelatedRegulations": []}],"description": "Based on the results of the risk assessment, appropriate protective measures must be selected to address the identified risks, and an implementation plan including the priority, schedule, responsible department/personnel, and budget for the protective measures must be established and approved by management.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.1": 
{"name": "Implementation of Protective Measures","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.3.1 Implementation of Protective Measures","Subdomain": "1.3. Operation of the Management System","AuditEvidence": ["Information protection and personal information protection implementation plans/risk management plans","Information protection and personal information protection measures","Information protection and personal information protection implementation progress reports (including reports to management)","Information protection and personal information protection implementation completion reports (including reports to management)","Information protection and personal information protection operating statements"],"AuditChecklist": ["Are the protective measures effectively implemented according to the implementation plan, and are the implementation results reported to management to verify their accuracy and effectiveness?","Has the organization created and documented detailed operating statements recording the implementation and operation status of protective measures according to the certification standards of the management system?"],"NonComplianceCases": ["Case 1: The results of the completion of the information protection and personal information protection measures were not reported to the CISO and CPO.","Case 2: The risk action implementation result report indicated 'completed,' but related risks still existed, or the accuracy and effectiveness of the implementation results were not verified.","Case 3: Risks classified as medium- to long-term in the previous year's information protection measures implementation plan were not implemented in the current year, or the results were not reviewed and verified by management.","Case 4: The actual operating status described in the operating statements did not match reality, and related documents, approvals, and meeting minutes mentioned 
in the operating statements did not exist.","Case 5: Although the implementation results were reported to the CISO and CPO, some incomplete items were not followed up with reasons and corrective actions."],"RelatedRegulations": []}],"description": "The selected protective measures must be effectively implemented according to the implementation plan, and management must verify the accuracy and effectiveness of the implementation results.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.2": {"name": "Sharing of Protective Measures","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.3.2 Sharing of Protective Measures","Subdomain": "1.3. Operation of the Management System","AuditEvidence": ["List of operating or implementing departments for each protective measure","Evidence of internal sharing of information protection and personal information protection plans (e.g., notices, training materials, shared documents)"],"AuditChecklist": ["Has the organization clearly identified the departments and personnel responsible for the operation or implementation of the protective measures?","Has the organization shared or provided training to the departments and personnel responsible for the operation or implementation of the protective measures?"],"NonComplianceCases": ["Case 1: Although protective measures were developed and implemented, the relevant information was not sufficiently shared or provided through training, so the departments or personnel responsible for the actual operation or implementation were unaware of the details."],"RelatedRegulations": []}],"description": "The departments and personnel responsible for the actual operation or implementation of the protective measures must be identified, and the related information must be shared and provided through training to ensure continuous operation.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.3": 
{"name": "Operation Status Management","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.3.3 Operation Status Management","Subdomain": "1.3. Operation of the Management System","AuditEvidence": ["Annual plan for information protection and personal information protection","Operation status report for information protection and personal information protection","Results of inspections on the implementation of information protection and personal information protection activities"],"AuditChecklist": ["Are information protection and personal information protection activities that need to be performed periodically or continuously for the operation of the management system documented and managed?","Does management periodically review the effectiveness of the operation of the management system and manage it accordingly?"],"NonComplianceCases": ["Case 1: Failure to document activities that are required to be performed periodically or continuously as part of the operation of the information protection and personal information protection management system.","Case 2: Although documentation of the operational status of the information protection and personal information protection management system has been completed, periodic reviews have not been conducted, resulting in the omission of some required monthly and quarterly activities, and some activities have not been verified for implementation."],"RelatedRegulations": ["Personal Information Protection Act, Article 31 (Designation of a Personal Information Protection Officer)","Information and Communications Network Act, Article 45-3 (Designation of a Chief Information Security Officer, etc.)"]}],"description": "According to the management system established by the organization, operational activities that must be performed continuously or periodically must be recorded and managed in a way that allows identification and tracking, and management must 
regularly review the effectiveness of operational activities and manage them accordingly.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.1": {"name": "Review of Legal Requirements Compliance","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.4.1 Review of Legal Requirements Compliance","Subdomain": "1.4. Inspection and Improvement of the Management System","AuditEvidence": ["Records of legal compliance reviews","Records of reviews and revisions of information protection and personal information protection policies and guidelines","Comparison tables of revised policies and guidelines","Internal sharing documents of legal revisions","Proof of personal information liability insurance or equivalent guarantees (e.g., cyber insurance contracts)","Information protection disclosure records"],"AuditChecklist": ["Is the organization regularly identifying and maintaining up-to-date legal requirements related to information protection and personal information protection?","Is the organization conducting regular reviews of compliance with legal requirements at least once a year?"],"NonComplianceCases": ["Case 1: Although the Information and Communications Network Act and Personal Information Protection Act were recently revised, the organization did not review the impact of the changes on the organization, and as a result, the policy documents, implementation documents, and legal compliance checklists were not updated, leading to inconsistencies between the documents and the law.","Case 2: Although legal requirements that the organization must comply with were amended, the organization failed to conduct legal compliance reviews for an extended period.","Case 3: Inadequate legal compliance reviews resulted in numerous violations of the Personal Information Protection Act and other regulations.","Case 4: The organization was subject to the Personal Information Liability 
Compensation Guarantee system under the Personal Information Protection Act but failed to recognize this, resulting in non-compliance with insurance or reserve requirements. In cases where insurance was obtained, the organization failed to meet the minimum coverage requirements based on the number of users and revenue.","Case 5: Although the organization was required by law to disclose information protection status, it failed to do so within the legally mandated timeframe.","Case 6: The organization used a mobile app to receive personal location information from a location-based service provider, but failed to report its location-based service business.","Case 7: A foreign personal information controller without a domestic address or business office, whose personal information of domestic subjects stored and managed in the previous three months averaged over one million persons per day, failed to appoint a domestic representative in writing as required."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "The organization must regularly identify and reflect legal requirements related to information protection and personal information protection and continuously review whether compliance is being maintained.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.2": {"name": "Management System Audit","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.4.2 Management System Audit","Subdomain": "1.4. 
Inspection and Improvement of the Management System","AuditEvidence": ["Management system audit plan (internal audit plan, internal inspection plan)","Management system audit report","Minutes of the Information Protection and Personal Information Protection Committee"],"AuditChecklist": ["Has the organization established a management system audit plan that includes the criteria, scope, frequency, and qualifications for audit personnel to audit the management system's effectiveness in accordance with legal requirements and established policies?","Has the organization conducted audits at least once a year with personnel who have independence, objectivity, and expertise, and reported any identified issues to management?"],"NonComplianceCases": ["Case 1: The audit team included personnel from the IT department, which was also the subject of the audit, compromising the independence of the audit.","Case 2: Although a management system audit was conducted this year, the audit scope was limited to certain areas, failing to cover the full scope of the information protection and personal information protection management system.","Case 3: The management system audit team was composed solely of internal staff and external consultants who participated in the development of the management system, compromising the independence of the audit."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "The organization must audit its management system at least once a year with a team of personnel who possess independence and expertise, to ensure the system is operating effectively in accordance with internal policies and legal requirements, and report any identified issues to management.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.3": 
{"name": "Management System Improvement","checks": {},"status": "PASS","attributes": [{"Domain": "1. Establishment and Operation of the Management System","Section": "1.4.3 Management System Improvement","Subdomain": "1.4. Management System Inspection and Improvement","AuditEvidence": ["Management system inspection result reports","Management system inspection action plans and implementation result reports","Preventive measures","Effectiveness measurement indicators and results (including reports to management)"],"AuditChecklist": ["Are the root causes of the issues identified during legal compliance reviews and management system inspections analyzed, and are preventive and improvement measures established and implemented?","Are there criteria and procedures in place to verify the accuracy and effectiveness of preventive and improvement results?"],"NonComplianceCases": ["Case 1: The same issues in the operation of the information protection and personal information protection management system, identified during internal inspections, are repeated each time.","Case 2: Although internal regulations require the analysis of root causes and the establishment of preventive measures for issues identified during internal inspections, recent internal inspections failed to include root cause analysis and preventive measures.","Case 3: Preventive measures for the issues in the management system were established, and key performance indicators (KPIs) were developed for periodic measurement, but the results were not reported to management for a long period.","Case 4: Action plans were not established or the completion of actions was not confirmed for issues identified during management system inspections."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": 
"The root causes of the issues identified during legal compliance reviews and management system inspections must be analyzed, and preventive measures must be established and implemented. The management must confirm the accuracy and effectiveness of the improvement results.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.1": {"name": "Policy Maintenance","checks": {},"status": "PASS","attributes": [{"Domain": "2. Control Measures Requirements","Section": "2.1.1 Policy Maintenance","Subdomain": "2.1. Policies, Organization, and Asset Management","AuditEvidence": ["Information protection and personal information protection policies and implementation documents (e.g., guidelines, procedures, manuals)","Results of regular and ad hoc validity reviews of policies and guidelines","Meeting minutes and circulation records with relevant departments regarding policies and guidelines","Revision history of policies and guidelines"],"AuditChecklist": ["Has the organization established and implemented a procedure for regularly reviewing the validity of information protection and personal information protection policies and implementation documents?","When there are significant changes in the internal and external environment, are the impacts on information protection and personal information protection policies and implementation documents reviewed and revised as necessary?","Are stakeholders consulted when revising information protection and personal information protection policies and implementation documents?","Is there a system in place to track the revision history of information protection and personal information protection policies and implementation documents?"],"NonComplianceCases": ["Case 1: There is inconsistency between password setting rules in guidelines and procedures.","Case 2: Information protection activities (e.g., training, encryption, backup) have different targets, frequencies, levels, and methods described in internal regulations, 
guidelines, and procedures, leading to inconsistency.","Case 3: A new database access control solution was introduced to effectively record and manage access and operation logs for the database, but internal security guidelines such as those for security systems and database security management have not been updated to reflect these new controls.","Case 4: Although the personal information protection policy was revised, the policy implementation date was not specified, and information such as the author, creation date, and approval date were missing from the relevant policy.","Case 5: Although significant changes occurred in laws and regulations related to personal information protection, these changes were not reviewed or reflected in the personal information protection policy and implementation documents."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "Information protection and personal information protection policies and implementation documents must be periodically reviewed and, if necessary, revised in response to changes in laws and regulations, policies of higher organizations and related agencies, and changes in the internal and external environment. These changes must be documented and tracked.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.2": {"name": "Organization Maintenance","checks": {},"status": "PASS","attributes": [{"Domain": "2. Control Measures Requirements","Section": "2.1.2 Organization Maintenance","Subdomain": "2.1. 
Policies, Organization, and Asset Management","AuditEvidence": ["Information protection and personal information protection organization chart","Job descriptions for the information protection and personal information protection organization","Assignment tables for information protection and personal information protection roles","Information protection and personal information protection policies/guidelines and internal management plans","Information protection and personal information protection communication management plans","Records of communication activities (e.g., monthly/weekly reports, internal notices)","Communication channels (e.g., information protection portal, bulletin boards)"],"AuditChecklist": ["Are the roles and responsibilities of those responsible for and involved in information protection and personal information protection clearly defined?","Has the organization established a system for evaluating the activities of those responsible for and involved in information protection and personal information protection?","Has the organization established and implemented systems and procedures for communication between the information protection and personal information protection organization and its members?"],"NonComplianceCases": ["Case 1: Although the roles and responsibilities of the CISO, CPO, and related personnel are defined in internal guidelines and job descriptions, they do not align with the actual operating status.","Case 2: There are no goals, criteria, or performance indicators in place for the periodic evaluation of the activities of the CISO and related personnel.","Case 3: Although internal guidelines require departments to set KPIs related to information protection for the information protection officers in each department to be reflected in performance evaluations, no information protection-related KPIs were set for any of the departmental information protection officers.","Case 4: Although the CISO and CPO are designated, the 
roles and responsibilities required by law are not specifically defined in internal guidelines or job descriptions."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures), Article 31 (Designation of a Personal Information Protection Officer)","Information and Communications Network Act, Article 45-3 (Designation of a Chief Information Security Officer, etc.)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "Roles and responsibilities related to information protection and personal information protection must be assigned to all members of the organization, and systems must be established for evaluating these activities and for communication between members and departments.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.3": {"name": "Management of Information Assets","checks": {"macie_is_enabled": "PASS","resourceexplorer2_indexes_found": "PASS","config_recorder_all_regions_enabled": null,"account_maintain_current_contact_details": null,"organizations_account_part_of_organizations": null,"organizations_tags_policies_enabled_and_attached": null,"account_security_contact_information_is_registered": null,"account_security_questions_are_registered_in_the_aws_account": null,"account_maintain_different_contact_details_to_security_billing_and_operations": null},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.1.3 Management of Information Assets","Subdomain": "2.1. 
Policy, Organization, Asset Management","AuditEvidence": ["List of information assets (designation of responsible persons and managers)","Handling procedures for information assets (documents, information systems, etc.)","Information asset management system screen","Security classification indicators for information assets"],"AuditChecklist": ["Are handling procedures (creation, introduction, storage, use, disposal) and protection measures defined and implemented according to the security classification of information assets?","Have responsible persons and managers been designated for identified information assets?"],"NonComplianceCases": ["Case 1: Although internal guidelines require security classification to be indicated on documents, this has not been followed.","Case 2: Responsible persons and managers for information assets have not been identified, or the asset list has not been updated, leading to changes in responsible personnel due to resignations, transfers, etc., not being reflected.","Case 3: Although security classifications were assigned to identified information assets after evaluating their importance, handling procedures based on the security classification were not defined."],"RelatedRegulations": []}],"description": "The procedures and protection measures for handling information assets according to their purpose and importance must be established and implemented, and the responsibilities for each asset must be clearly defined and managed.","checks_status": {"fail": 0,"pass": 2,"total": 9,"manual": 0}},"2.2.1": {"name": "Designation and Management of Key Personnel","checks": {"iam_support_role_created": null,"organizations_delegated_administrators": null,"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.2.1 Designation and Management of Key Personnel","Subdomain": "2.2. 
Personnel Security","AuditEvidence": ["Criteria for key duties","List of key personnel","List of personal information handlers","Account and authority management ledger for key information systems and personal information processing systems","Management status of key personnel (e.g., training results, security pledges)"],"AuditChecklist": ["Are the criteria for key duties, such as handling personal information and important information or accessing key systems, clearly defined?","Are employees and external personnel performing key duties designated as key personnel, and is the list kept up-to-date?","Are personnel handling personal information designated as personal information handlers, and is the list kept up-to-date?","Is the designation of key personnel and personal information handlers minimized based on business needs, and are management plans established and implemented?"],"NonComplianceCases": ["Case 1: Although a list of key personnel (e.g., personal information handlers, secret information managers) has been created, some employees who handle large volumes of personal information (e.g., DBAs, DLP managers) were omitted.","Case 2: Although the list of key personnel and personal information handlers is being managed, it has not been updated, including resigned employees and newly hired personnel.","Case 3: Personal information handler privileges were granted collectively to entire departments, leading to personnel without the need to handle personal information being excessively designated as personal information handlers.","Case 4: Although internal guidelines require approval from the security team and the signing of security pledges when granting key personnel privileges, many key personnel were registered without following this process."],"RelatedRegulations": ["Personal Information Protection Act, Article 28 (Supervision of Personal Information Handlers), Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal 
Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "Criteria and management plans for key duties, such as handling personal information and important information or accessing key systems, must be established, and the number of key personnel must be minimized and their list kept up-to-date.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"2.2.2": {"name": "Separation of Duties","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.2.2 Separation of Duties","Subdomain": "2.2. Personnel Security","AuditEvidence": ["Guidelines on the separation of duties (e.g., personnel security guidelines)","Job descriptions (e.g., system operation/management, development/operation)","Status of supplementary controls when duties are not separated"],"AuditChecklist": ["Are criteria for the separation of duties established and applied to prevent potential harm from the misuse or abuse of authority?","If separation of duties is difficult, have supplementary controls such as mutual review between personnel, regular monitoring and approval of changes by senior management, and ensuring accountability been established?"],"NonComplianceCases": ["Case 1: Although the organization has sufficient size and personnel to enable separation of duties, the established internal separation of duties criteria were not followed due to operational convenience.","Case 2: Although the organization received approval from senior management to combine development and operation duties due to the organization's characteristics, supplementary control measures such as mutual review between personnel, regular monitoring and review of changes by senior management, and ensuring accountability were not established."],"RelatedRegulations": []}],"description": "Criteria for the separation of duties must be established and applied to prevent potential harm from the misuse or abuse of authority. 
If separation of duties is unavoidable, supplementary measures must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.3": {"name": "Security Pledge","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.2.3 Security Pledge","Subdomain": "2.2. Human Security","AuditEvidence": ["Security and personal information protection pledge (for employees and external personnel)","Confidentiality agreement (for resigned employees)"],"AuditChecklist": ["When hiring new personnel, is there a signed security and personal information protection agreement that specifies their responsibilities?","If temporary or external personnel are granted access to information assets, is there a signed agreement outlining their responsibilities for information protection and confidentiality?","Upon the resignation of an employee, is a separate confidentiality agreement obtained?","Are security, personal information protection, and confidentiality agreements stored safely and managed in a way that they can be easily retrieved when necessary?"],"NonComplianceCases": ["Case 1: While it is stipulated that new hires must sign a security pledge, some recently hired employees have not completed the pledge.","Case 2: Although employees sign a security pledge, external personnel with direct access to information systems have not signed such an agreement.","Case 3: Submitted security and personal information protection pledges are poorly managed, with documents left accessible on desks where unauthorized personnel can access them.","Case 4: Although personal information handlers have signed security pledges, the content only covers confidentiality and does not include specific responsibilities related to personal information protection."],"RelatedRegulations": []}],"description": "Employees, temporary staff, or external personnel handling information assets or granted access must sign a security and 
confidentiality agreement in accordance with internal policies.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.4": {"name": "Awareness and Training","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.2.4 Awareness and Training","Subdomain": "2.2. Human Security","AuditEvidence": ["Information protection and personal information protection training plan","Training result report","General and job-specific training materials","List of training attendees"],"AuditChecklist": ["Is an annual training plan approved by management, detailing the timing, duration, target audience, content, and method of information protection and personal information protection training?","Are all employees and external personnel within the scope of the management system provided with regular training at least once per year, and are additional training sessions provided when there are significant changes in relevant laws and regulations?","Is information protection and personal information protection training provided to new hires and external personnel before they begin their duties?","Are IT, information protection, and personal information protection staff receiving specialized training to enhance their job-specific expertise?","Are training records maintained, and is the effectiveness of the training evaluated and reflected in future training plans?"],"NonComplianceCases": ["Case 1: Although an annual information protection and personal information protection training plan was established and implemented last year, no such plan was established for the current year without a valid reason.","Case 2: The annual information protection and personal information protection training plan includes the frequency and target audience but lacks details such as schedule, content, and method.","Case 3: Although the annual training plan includes general personal information awareness training for all employees, it does not 
include job-specific training for those responsible for personal information protection, such as the personal information protection officer.","Case 4: Upon reviewing the training plan and result reports, it was found that certain external contractors (e.g., cleaning staff and security guards who have access to critical facilities within the certification scope) were not included in the training.","Case 5: Although information protection and personal information protection training was conducted, some records (e.g., training materials, attendance lists, evaluation surveys, result reports) were not retained.","Case 6: There is no system in place to identify employees who did not complete the required training or to provide make-up sessions for them (e.g., additional training, online courses)."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Limitation on the Processing of Personal Information by Outsourcing), Article 28 (Supervision of Personal Information Handlers), Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans)"]}],"description": "Organizations must establish and operate an annual awareness and training plan to ensure that employees and related external personnel understand the organization's management system and policies and acquire the necessary job-specific expertise. The effectiveness of this plan must be evaluated and reflected in future plans.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.5": {"name": "Management of Resignation and Job Changes","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.2.5 Management of Resignation and Job Changes","Subdomain": "2.2. 
Human Security","AuditEvidence": ["Procedures for resignation and job changes","Asset (account) return management ledger upon resignation","Security checklists and inspection records for resigned employees"],"AuditChecklist": ["Are personnel changes (e.g., resignation, job changes, department transfers, leave of absence) shared among HR, information protection, personal information protection, and IT system operations departments?","Are procedures in place and implemented to promptly return information assets, revoke or adjust access rights, and confirm results when an employee (including temporary staff and external contractors) resigns or changes roles?"],"NonComplianceCases": ["Case 1: Accounts and access rights for personnel no longer handling personal information due to job changes remain active in the personal information processing system.","Case 2: No records of asset returns or access rights revocation procedures were found for recently resigned key personnel and personal information handlers.","Case 3: While asset returns are properly managed for resigned employees, the security check and resignation confirmation forms required by HR regulations are not being completed.","Case 4: Although access rights to personal information processing systems were revoked promptly upon the resignation of personal information handlers, access rights to systems like physical access control and VPN were not revoked in a timely manner."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights)"]}],"description": "Procedures must be established and managed for the return of assets, the revocation or adjustment of accounts and access rights, and confirmation of results when there is a resignation, job change, or leave of absence, involving departments such as HR, information protection, personal information protection, and 
IT.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.6": {"name": "Actions in Case of Security Violations","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.2.6 Actions in Case of Security Violations","Subdomain": "2.2. Human Security","AuditEvidence": ["HR regulations (disciplinary measures for violations of information protection and personal information protection regulations)","Records of disciplinary actions for violations of information protection and personal information protection guidelines","Incident case studies (company-wide notices, training materials)"],"AuditChecklist": ["Has the organization established disciplinary measures for employees and relevant external parties in case of violations of information protection and personal information protection responsibilities and obligations under laws, regulations, and internal policies?","When violations of information protection and personal information protection are detected, are actions taken in accordance with internal procedures?"],"NonComplianceCases": ["Case 1: No disciplinary measures or procedures are included in internal regulations for handling violations of information protection and personal information protection regulations.","Case 2: Although warning messages are sent to those who violate policies detected by security systems (e.g., DLP, database access control system, internal information leakage control system), follow-up actions such as explanations, additional investigations, or disciplinary actions are not carried out in accordance with internal regulations."],"RelatedRegulations": []}],"description": "In the event that employees or relevant external parties violate laws, regulations, or internal policies, the organization must establish and implement procedures to take appropriate actions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.1": {"name": "Management of External Parties","checks": 
{},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.3.1 Management of External Parties","Subdomain": "2.3. External Security","AuditEvidence": ["List of outsourced services and external facilities/services","Outsourcing contracts","Risk analysis reports and protective measures","Outsourcing security management guidelines, checklists, etc."],"AuditChecklist": ["Has the organization identified the status of outsourcing and the use of external facilities and services within the scope of the management system?","Has the organization identified the legal requirements and risks associated with outsourcing and the use of external facilities and services, and established appropriate protective measures?"],"NonComplianceCases": ["Case 1: Although the organization manages a list of outsourced services and external facilities/services as required by internal regulations, the list is outdated and does not reflect changes made to vendors several months ago.","Case 2: The organization has migrated some personal information processing systems to external cloud services within the scope of the management system, but no identification or risk assessment has been performed."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Restrictions on the Processing of Personal Information by Outsourcing)","Information and Communications Network Act, Article 50-3 (Entrustment of the Transmission of Commercial Information for Profit)"]}],"description": "When outsourcing part of the work (e.g., handling personal information, information protection, operating or developing information systems) or using external facilities or services (e.g., data centers, cloud services, application services), the organization must identify the current status, understand the legal requirements and risks arising from external organizations or services, and establish appropriate protective measures.","checks_status": {"fail": 0,"pass": 0,"total": 
0,"manual": 0}},"2.3.2": {"name": "Security in Contracts with External Parties","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.3.2 Security in Contracts with External Parties","Subdomain": "2.3. External Security","AuditEvidence": ["Outsourcing contracts","Information protection and personal information protection agreements (agreements, annexes)","Internal guidelines on outsourcing","RFPs (Requests for Proposals), evaluation forms related to the selection of outsourcing vendors"],"AuditChecklist": ["When selecting external services or outsourcing vendors related to the handling of important information and personal information, does the organization follow procedures to consider the vendors' capabilities in information protection and personal information protection?","Has the organization identified the information protection and personal information protection requirements associated with the use of external services and outsourcing, and specified them in contracts or agreements?","When outsourcing the development of information systems and personal information processing systems, has the organization specified the information protection and personal information protection requirements that must be followed during development in the contract?"],"NonComplianceCases": ["Case 1: No outsourcing contract exists for external vendors performing IT operations, development, or personal information processing tasks.","Case 2: The outsourcing contract with an external vendor handling personal information does not include some items required by the Personal Information Protection Act (e.g., management and supervision provisions).","Case 3: Although infrastructure operation and part of personal information processing tasks are outsourced to external vendors, the contract does not specify security requirements related to the nature of the outsourced work, but only includes general provisions on confidentiality and liability 
for damages."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Restrictions on the Processing of Personal Information by Outsourcing)"]}],"description": "When using external services or outsourcing work to external parties, the organization must identify the information protection and personal information protection requirements and specify them in contracts or agreements.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.3": {"name": "External Party Security Implementation Management","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.3.3 External Party Security Implementation Management","Subdomain": "2.3. External Party Security","AuditEvidence": ["Security inspection results for external parties and contractors","Training details for external parties and contractors (training outcomes, attendee list, training materials, etc.)","Personal information outsourcing contract","Evidence of consent for re-outsourcing of personal information processing tasks"],"AuditChecklist": ["Are periodic inspections or audits conducted to ensure external parties comply with information protection and personal information protection requirements specified in contracts, agreements, and internal policies?","When issues are identified during inspections or audits of external parties, are improvement plans established and implemented?","If a contractor entrusted with personal information processing re-outsources related tasks to a third party, does the contractor obtain the principal's consent?"],"NonComplianceCases": ["Case 1: Failure to regularly conduct security inspections of external contractors who perform IT development and operations tasks on-site.","Case 2: Sending a notification to contractors entrusted with personal information processing to conduct security training, but failing to verify whether the training has been conducted.","Case 3: Allowing contractors to perform their 
own security inspections and report the results, without a verification process to ensure the inspections were properly conducted, thus undermining the reliability of the inspection results.","Case 4: Allowing contractors to re-outsource personal information processing tasks to a third party without the principal's consent.","Case 5: Failure to supervise contractors entrusted with transmitting commercial information for profit."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Restrictions on the Outsourcing of Personal Information Processing)","Information and Communications Network Act, Article 50-3 (Outsourcing of the Transmission of Commercial Information for Profit)"]}],"description": "Security measures specified in contracts, agreements, and internal policies must be regularly inspected or audited to ensure external parties comply with information protection and personal information protection requirements.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.4": {"name": "Security for External Party Contract Changes and Expiry","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.3.4 Security for External Party Contract Changes and Expiry","Subdomain": "2.3. 
External Party Security","AuditEvidence": ["Information protection and personal information protection agreements","Confidentiality agreements","Information and personal information destruction agreements","Internal policies and guidelines related to the termination of external party contracts"],"AuditChecklist": ["Has the organization established and implemented security measures to ensure the return of information assets, deletion of information system access accounts, and the acquisition of confidentiality agreements in accordance with official procedures when an external party contract expires, a task is completed, or there is a personnel change?","When an external party contract expires, has the organization established and implemented procedures to confirm whether the external party holds any sensitive or personal information related to the outsourced task, and to retrieve or destroy such information?"],"NonComplianceCases": ["Case 1: Failure to delete accounts and permissions for external parties after their contract has expired, allowing access to certain information systems.","Case 2: During an outsourcing project, failure to take appropriate measures for some contractors who were replaced or whose contracts expired, including failing to obtain security agreements as required by internal regulations.","Case 3: After terminating a contract with a contractor entrusted with personal information processing, failure to verify whether the contractor destroyed any personal information they held."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Restrictions on the Outsourcing of Personal Information Processing)","Information and Communications Network Act, Article 50-3 (Outsourcing of the Transmission of Commercial Information for Profit)"]}],"description": "When an external party contract expires, the task is completed, or there is a personnel change, security measures such as returning provided information assets, deleting information 
system access accounts, destroying sensitive information, and obtaining confidentiality agreements for acquired information must be implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.1": {"name": "Designation of Protected Zones","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.4.1 Designation of Protected Zones","Subdomain": "2.4. Physical Security","AuditEvidence": ["Physical security guidelines (criteria for designating protected zones)","List of designated protected zones","Protected zone signage","List of protection measures for each zone"],"AuditChecklist": ["Has the organization established criteria for designating physical protection zones such as controlled areas, restricted areas, and reception areas to protect personal and sensitive information, documents, storage media, key facilities, and systems from physical and environmental threats?","Has the organization designated physical protection zones in accordance with the criteria and established and implemented protection measures for each zone?"],"NonComplianceCases": ["Case 1: Although internal physical security guidelines state that areas where personal information is stored and processed must be designated as controlled zones, certain document storage rooms containing membership application forms were omitted from the list of controlled zones.","Case 2: Internal physical security guidelines require that controlled zones be marked with specific signs, but some controlled zones do not have the required signage."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 10 (Physical Safety Measures)"]}],"description": "To protect personal and sensitive information, documents, storage media, key facilities, and systems from physical and environmental threats, physical protection zones such as 
controlled areas, restricted areas, and reception areas must be designated, and protection measures for each zone must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.2": {"name": "Access Control","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.4.2 Access Control","Subdomain": "2.4. Physical Security","AuditEvidence": ["Access logbook and entry logs","Access registration application form and approval records","Entry record review report","Access control system management screen (status of registered personnel, etc.)"],"AuditChecklist": ["Is access to protected areas controlled so that only authorized personnel are allowed to enter according to access procedures?","Are entry records for internal and external personnel for each protected area retained for a certain period, and are entry records and access permissions reviewed periodically?"],"NonComplianceCases": ["Case 1: Although control areas are defined, protective measures are established, and employees with access are managed, the entry records are not reviewed periodically, resulting in many inactive personnel (due to retirement, transfer, etc.) 
having long periods of no entry.","Case 2: Although access control devices are installed in controlled areas such as data centers and document storage rooms, they are left open for extended periods without valid reasons or approval.","Case 3: Some external partner employees are excessively granted all-area access cards for unrestricted entry."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 10 (Physical Safety Measures)"]}],"description": "Access to protected areas must be restricted to authorized personnel only, and entry and access logs should be reviewed periodically to ensure accountability.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.3": {"name": "Information System Protection","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.4.3 Information System Protection","Subdomain": "2.4. 
Physical Security","AuditEvidence": ["Data processing facility diagram","Information system layout","Asset list"],"AuditChecklist": ["Are information systems placed in separated locations based on their importance, usage, and characteristics?","Are there measures in place to easily verify the actual physical location of the information systems?","Are power and communication cables protected from physical damage and electrical interference from external sources?"],"NonComplianceCases": ["Case 1: The system layout is not updated to reflect the latest changes, making it difficult to quickly identify the information system that has experienced a failure.","Case 2: Many cables are tangled and not properly organized on the server room floor or in racks, increasing the risk of failure due to electrical interference, damage, leakage, or negligence."],"RelatedRegulations": []}],"description": "Information systems should be arranged considering their importance and characteristics to reduce environmental threats, harmful factors, and unauthorized access, and communication and power cables should be protected from damage.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.4": {"name": "Operation of Protective Facilities","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.4.4 Operation of Protective Facilities","Subdomain": "2.4. 
Physical Security","AuditEvidence": ["Physical security guidelines (related to protective facilities)","Data center facility status and inspection checklist","IDC outsourcing contract, SLA, etc."],"AuditChecklist": ["Are necessary facilities established and operational procedures set up based on the importance and characteristics of each protected area to prevent disasters such as fire, flood, and power failure caused by human error or natural disasters?","If operating outsourced integrated data centers (IDC), are physical security requirements included in the contract, and is the operational status periodically reviewed?"],"NonComplianceCases": ["Case 1: In some protected areas, such as the main office data center, the required protective facilities specified in internal guidelines are not installed.","Case 2: Although protective facilities such as UPS and fire suppression systems are in place in the data center, operational and inspection standards for the related facilities are not established.","Case 3: Although temperature and humidity control devices were installed in the data center according to operational guidelines, insufficient capacity means that the standard temperature and humidity levels are not maintained, increasing the risk of failure."],"RelatedRegulations": ["Information and Communications Network Act, Article 46 (Protection of Integrated Data Centers)","Guidelines for the Protection of Integrated Data Centers","Fire Facility Installation and Management Act, Article 12 (Management of Fire Protection Facilities in Specific Fire Protection Objects), Article 16 (Management of Evacuation Facilities, Fire Zones, and Fire Protection Facilities)"]}],"description": "Based on the importance and characteristics of the information systems located in protected areas, protective facilities such as temperature and humidity control, fire detection, firefighting equipment, leak detection, UPS, emergency generators, and dual power lines should be established and 
operated according to operational procedures.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.5": {"name": "Operations in Secure Zones","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.4.5 Operations in Secure Zones","Subdomain": "2.4. Physical Security","AuditEvidence": ["Operation request forms, operation logs","Entry logs for controlled areas","Records of review of entry and operation logs for controlled areas"],"AuditChecklist": ["When operations within secure zones, such as the introduction and maintenance of information systems, are required, are formal procedures for application and execution of such operations established and implemented?","Are the records of operations within secure zones periodically reviewed to confirm that the operations were carried out in accordance with the control procedures?"],"NonComplianceCases": ["Case 1: The entry log of the data center shows the presence of external maintenance personnel, but there is no record of an operation request or approval for work within the secure zone (i.e., entry and work in the secure zone were carried out without an operation request as required by internal regulations).","Case 2: Although internal regulations state that the records of operations within secure zones must be reviewed at least once per quarter, the review of such records has not been conducted for a long period without a valid reason."],"RelatedRegulations": []}],"description": "Procedures to prevent unauthorized actions and abuse of privileges within secure zones must be established and implemented, and the records of operations should be periodically reviewed.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.6": {"name": "Device Control for Inbound and Outbound","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.4.6 Device Control for Inbound and Outbound","Subdomain": "2.4. 
Physical Security","AuditEvidence": ["Inbound and outbound application forms for secure zones","Inbound and outbound management logs","Results of the review of inbound and outbound records"],"AuditChecklist": ["Are control procedures established and implemented to prevent security incidents such as information leakage and malware infection when information systems, mobile devices, storage media, etc., are brought into or taken out of secure zones?","Are records maintained and managed in accordance with the inbound and outbound control procedures, and is the compliance with the procedures periodically checked by reviewing the history of inbound and outbound activities?"],"NonComplianceCases": ["Case 1: Although control procedures for the inbound and outbound of mobile computing devices are established, there is no control over the movement of such devices within the controlled area, allowing both internal and external personnel with access to the controlled area to use mobile computing devices without restriction.","Case 2: Although internal guidelines state that inbound and outbound details of IT equipment must be recorded in the operation plan and signed by the person responsible for management, many signatures of responsible managers are missing from the records."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 10 (Physical Safety Measures)"]}],"description": "Procedures to control the inbound and outbound movement of information systems, mobile devices, storage media, etc., within secure zones must be established, implemented, and periodically reviewed.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.7": {"name": "Work Environment Security","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.4.7 Work Environment Security","Subdomain": "2.4. 
Physical Security","AuditEvidence": ["Security inspection reports for offices and shared spaces","Security inspection checklists for offices and shared spaces","Actions taken for non-compliance (e.g., training, rewards and penalties)","Current status of protection measures for printed and copied materials"],"AuditChecklist": ["Are protection measures established and implemented for shared facilities and office equipment such as document storage, shared PCs, multifunction printers, file servers, etc.?","Are protection measures established and implemented to prevent the exposure or leakage of personal and sensitive information through individual work environments such as work PCs, desks, drawers, etc.?","Are appropriate protection measures in place to ensure the safe handling of printed or copied materials containing personal information, such as paper documents?","Is compliance with information protection requirements in both individual and shared work environments periodically reviewed?"],"NonComplianceCases": ["Case 1: Although the internal management plan for personal information specifies that regular security inspections (e.g., clean desk policies) must be conducted, no such inspections have been carried out.","Case 2: Documents containing personal information, such as membership application forms, are stored in an office cabinet without a lock.","Case 3: Employee computers do not have screen savers or passwords set, and important documents have been left on vacationing employees' desks for an extended period.","Case 4: No protection measures are in place for shared PCs installed in shared office spaces such as meeting rooms, resulting in personal information files being stored unencrypted, or security updates not applied, or antivirus software not installed, leaving the systems vulnerable."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, 
Article 10 (Physical Safety Measures), Article 12 (Safety Measures for Printing and Copying)"]}],"description": "Protection measures such as clean desk policies and regular inspections must be established and implemented to prevent unauthorized exposure or leakage of personal and sensitive information through shared office equipment (e.g., document storage, shared PCs, multifunction printers, file servers) and individual work environments (e.g., work PCs, desks).","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.5.1": {"name": "User Account Management","checks": {"iam_user_accesskey_unused": null,"iam_securityaudit_role_created": null,"iam_user_console_access_unused": null,"iam_policy_no_full_access_to_kms": null,"iam_role_administratoraccess_policy": null,"iam_user_administrator_access_policy": null,"organizations_scp_check_deny_regions": null,"iam_group_administrator_access_policy": null,"iam_policy_allows_privilege_escalation": null,"iam_inline_policy_no_full_access_to_kms": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_policy_attached_only_to_group_or_roles": null,"cognito_user_pool_self_registration_disabled": null,"iam_role_cross_account_readonlyaccess_policy": null,"iam_inline_policy_allows_privilege_escalation": null,"iam_inline_policy_no_administrative_privileges": null,"iam_inline_policy_no_full_access_to_cloudtrail": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_role_cross_service_confused_deputy_prevention": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"iam_customer_unattached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.5.1 User Account Management","Subdomain": "2.5. 
Authentication and Access Management","AuditEvidence": ["User account and access request forms","User account and access management log or screen","Access classification table for information systems and personal information processing systems","Lists of users, administrators, and personal information handlers for each information system and personal information processing system"],"AuditChecklist": ["Has the organization established and implemented formal procedures for registering, changing, and deleting user accounts and access rights to information systems, personal information, and critical information?","When creating and registering user accounts and access rights to information systems, personal information, and critical information, is access limited to the minimum necessary for each job based on the job-specific access classification system?","When granting users accounts and access rights, are they made fully aware that they are responsible for the security of those accounts?"],"NonComplianceCases": ["Case 1: User registration, termination, and approval procedures for accounts and permissions for users and personal information handlers were processed through verbal requests, email, etc., without proper approval and handling records.","Case 2: A personal information handler shared their account with an unauthorized individual for backup purposes during vacations, business trips, or other absences without going through official procedures.","Case 3: Users of information systems or personal information processing systems were granted excessive permissions, allowing access to unnecessary information or personal data."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights)"]}],"description": "To control unauthorized access to information systems, personal information, and critical information, 
organizations must establish and implement procedures for user registration, termination, and granting, changing, or revoking access rights, ensuring that access rights are granted only to the minimum necessary for work purposes. Additionally, when registering or granting user rights, it must be made clear to users that they are responsible for the security of their accounts.","checks_status": {"fail": 0,"pass": 0,"total": 22,"manual": 0}},"2.5.2": {"name": "User Identification","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.5.2 User Identification","Subdomain": "2.5. Authentication and Access Management","AuditEvidence": ["Login screen for information systems and personal information processing systems","Lists of administrators, users, and personal information handlers for information systems and personal information processing systems","Records of approvals for exceptions"],"AuditChecklist": ["Are unique identifiers assigned to users and personal information handlers in information systems and personal information processing systems, and is the use of easily guessable identifiers restricted?","If the same identifier is shared by multiple users for unavoidable reasons, has the justification been reviewed and have supplementary measures such as approval from the responsible party been established?"],"NonComplianceCases": ["Case 1: The account status of information systems (servers, networks, firewalls, DBMS, etc.) 
shows that default administrator accounts provided by the manufacturer are still in use, despite being technically modifiable.","Case 2: Developers are sharing personal information processing system accounts for common use without any justification or approval from responsible parties.","Case 3: External personnel maintaining information systems are using operational accounts like personal accounts without going through the required approval procedures."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights)"]}],"description": "User accounts must be assigned unique identifiers that distinguish each user individually, and the use of easily guessable identifiers must be restricted. If the same identifier is shared by multiple users, the reason and justification must be reviewed, supplementary measures such as approval from a responsible party must be established, and accountability must be ensured.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.5.3": {"name": "User Authentication","checks": {"iam_root_mfa_enabled": null,"iam_user_accesskey_unused": null,"iam_check_saml_providers_sts": null,"cognito_user_pool_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_two_active_access_key": null,"iam_administrator_access_with_mfa": null,"iam_user_mfa_enabled_console_access": null,"iam_user_with_temporary_credentials": null,"apigatewayv2_api_authorizers_enabled": "FAIL","iam_user_no_setup_initial_access_key": null,"apigateway_restapi_authorizers_enabled": "PASS","rds_cluster_iam_authentication_enabled": "FAIL","rds_instance_iam_authentication_enabled": "FAIL","kafka_cluster_unrestricted_access_disabled": null,"cognito_identity_pool_guest_access_disabled": "FAIL","cognito_user_pool_advanced_security_enabled": 
null,"cognito_user_pool_self_registration_disabled": null,"directoryservice_supported_mfa_radius_enabled": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cognito_user_pool_client_token_revocation_enabled": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"opensearch_service_domains_internal_user_database_enabled": null,"cognito_user_pool_blocks_potential_malicious_sign_in_attempts": null,"opensearch_service_domains_use_cognito_authentication_for_kibana": null,"cognito_user_pool_blocks_compromised_credentials_sign_in_attempts": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.5.3 User Authentication","Subdomain": "2.5. Authentication and Authorization Management","AuditEvidence": ["Login screen for information systems and personal information processing systems","Login attempt limitation setting screen","Login failure message screen","Procedures for external access (e.g., external access request forms, list of external accessors)"],"AuditChecklist": ["Is access to information systems and personal information processing systems controlled through secure user authentication procedures, login attempt limitations, and warnings for illegal login attempts?","When accessing personal information processing systems from outside via a communication network, are secure authentication methods or secure access measures applied in accordance with legal requirements?"],"NonComplianceCases": ["Case 1: When a personal information handler accesses a personal information processing system through the public external internet, secure authentication methods are not applied, and authentication is done only through ID and password.","Case 2: In the login process for information systems and personal information processing systems, detailed messages are displayed about whether the ID exists or the password is incorrect, and there is no limit on 
login failure attempts."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights), Article 6 (Access Control)"]}],"description": "User access to information systems, personal information, and critical information must be secured through safe authentication procedures and, if necessary, enhanced authentication methods. In addition, access control measures such as limiting login attempts and issuing warnings for illegal login attempts must be established and implemented.","checks_status": {"fail": 4,"pass": 1,"total": 29,"manual": 0}},"2.5.4": {"name": "Password Management","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null,"cognito_user_pool_password_policy_number": null,"cognito_user_pool_password_policy_symbol": null,"cognito_user_pool_password_policy_lowercase": null,"cognito_user_pool_password_policy_uppercase": null,"cognito_user_pool_temporary_password_expiration": null,"cognito_user_pool_password_policy_minimum_length_14": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.5.4 Password Management","Subdomain": "2.5. 
Authentication and Authorization Management","AuditEvidence": ["Password setting screens for web pages, information systems, and personal information processing systems","Password management policies and procedures"],"AuditChecklist": ["Are procedures for managing and creating secure user passwords for information systems established and implemented?","Are password creation rules established and enforced to ensure that users can use secure passwords?","Are authentication methods for personal information handlers and users securely applied and managed?"],"NonComplianceCases": ["Case 1: Although password creation rules are set in policies and guidelines related to information protection and personal information protection, some information systems and personal information processing systems use passwords that differ from internal guidelines.","Case 2: Internal regulations state that when passwords are reset, temporary passwords must be assigned and forced to be changed, but in practice, temporary passwords are being used without change.","Case 3: Although internal regulations require users and personal information handlers to change their passwords periodically, passwords are being used without change."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights)"]}],"description": "Procedures for managing passwords used by users of information systems, as well as customers and members, must be established and implemented, taking into account legal requirements and external threats.","checks_status": {"fail": 0,"pass": 0,"total": 13,"manual": 0}},"2.5.5": {"name": "Management of Special Accounts and Privileges","checks": {"iam_avoid_root_usage": null,"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_support_role_created": null,"rds_cluster_default_admin": "FAIL","rds_instance_default_admin": 
"FAIL","ec2_instance_profile_attached": "PASS","iam_root_hardware_mfa_enabled": null,"organizations_delegated_administrators": null,"cloudwatch_log_metric_filter_root_usage": null,"sagemaker_notebook_instance_root_access_disabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.5.5 Management of Special Accounts and Privileges","Subdomain": "2.5. Authentication and Privilege Management","AuditEvidence": ["Guidelines related to special privileges","Records of special privilege requests and approvals","List of special privilege holders","Records of special privilege reviews"],"AuditChecklist": ["Is there a formal privilege request and approval process established and implemented to ensure that special privileges, such as administrative privileges, are only granted to a minimal number of people?","Is there a control procedure established and implemented to identify and manage accounts and privileges granted for special purposes in a separate list?"],"NonComplianceCases": ["Case 1: The approval history for granting administrator and special privileges in the information system and personal information processing system is not documented or does not match the special privileges list.","Case 2: Internal regulations require that personal information administrators and special privilege holders be documented and managed in a list, but the list is not maintained or some special privileges, such as security system administrators, are not identified or managed.","Case 3: A maintenance special account for visiting maintenance once a quarter remains active at all times without a time limit on usage.","Case 4: Regular reviews of administrator and special privilege usage are not conducted, and some individuals retain special privileges even after their roles have changed."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of 
Personal Information, Article 5 (Management of Access Rights)"]}],"description": "Accounts and privileges used for special purposes, such as managing information systems, personal information, and important information, should be granted minimally, separately identified, and controlled.","checks_status": {"fail": 2,"pass": 1,"total": 11,"manual": 0}},"2.5.6": {"name": "Review of Access Rights","checks": {"accessanalyzer_enabled": "PASS","cloudtrail_insights_exist": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.5.6 Review of Access Rights","Subdomain": "2.5. 
Authentication and Privilege Management","AuditEvidence": ["Access rights review standards and procedures","History of access rights reviews","Access rights review reports and follow-up action records"],"AuditChecklist": ["Are the histories of account and access right creation, registration, granting, use, modification, and deletion for information systems, personal information, and important information being recorded?","Are standards, review subjects, review methods, and periodic review schedules established to regularly review the appropriateness of user accounts and access rights to information systems, personal information, and important information?","When issues such as excessive access rights, failure to follow access right granting procedures, or misuse of access rights are identified in the review results, are appropriate response procedures established and implemented?"],"NonComplianceCases": ["Case 1: The methods, review periods, reporting structure, and misuse criteria related to access rights reviews are not clearly defined in the relevant guidelines, leading to irregular performance of access rights reviews.","Case 2: Although internal policies and guidelines require locking (deactivating) or deleting long-unused accounts, some accounts that have not been accessed for more than six months remain active (indicating that the access rights review was not thoroughly conducted, failing to identify these accounts).","Case 3: During the access rights review, cases of excessive privileges or suspected misuse were identified, but no detailed investigation, internal reporting, or follow-up actions were taken."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights)"]}],"description": "The registration, use, and deletion of user accounts accessing information systems, personal information, and important 
information, as well as the history of granting, changing, and deleting access rights, should be recorded and periodically reviewed to ensure their appropriateness.","checks_status": {"fail": 2,"pass": 1,"total": 14,"manual": 0}},"2.6.1": {"name": "Network Access","checks": {"ec2_ami_public": null,"elb_internet_facing": "FAIL","ec2_elastic_ip_shodan": null,"elbv2_internet_facing": "PASS","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","kafka_cluster_is_public": null,"s3_bucket_acl_prohibited": "FAIL","apigateway_restapi_public": "FAIL","lightsail_database_public": null,"lightsail_instance_public": null,"ec2_securitygroup_not_used": "FAIL","elbv2_listeners_underneath": "PASS","networkfirewall_in_all_vpc": "FAIL","s3_bucket_public_write_acl": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","ssm_documents_set_as_public": "PASS","awslambda_function_url_public": null,"dms_instance_no_public_access": null,"rds_instance_no_public_access": "PASS","emr_cluster_publicly_accesible": null,"redshift_cluster_public_access": null,"neptune_cluster_public_snapshot": null,"eks_cluster_private_nodes_enabled": null,"awslambda_function_url_cors_policy": null,"documentdb_cluster_public_snapshot": null,"eks_cluster_network_policy_enabled": null,"neptune_cluster_uses_public_subnet": null,"sns_topics_not_publicly_accessible": "PASS","sqs_queues_not_publicly_accessible": "PASS","vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","eks_cluster_not_publicly_accessible": null,"glacier_vaults_policy_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_access_point_public_access_block": "PASS","s3_bucket_level_public_access_block": "PASS","iam_user_administrator_access_policy": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"iam_group_administrator_access_policy": null,"s3_account_level_public_access_blocks": 
null,"apigateway_restapi_authorizers_enabled": "PASS","elasticache_cluster_uses_public_subnet": "PASS","rds_instance_iam_authentication_enabled": "FAIL","appstream_fleet_maximum_session_duration": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ecr_repositories_not_publicly_accessible": "PASS","emr_cluster_account_public_block_enabled": "PASS","sagemaker_models_vpc_settings_configured": null,"apigateway_restapi_public_with_authorizer": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","vpc_endpoint_connections_trust_boundaries": "FAIL","appstream_fleet_session_disconnect_timeout": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_instance_port_ldap_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","kafka_cluster_unrestricted_access_disabled": null,"sagemaker_models_network_isolation_enabled": null,"cognito_identity_pool_guest_access_disabled": "FAIL","ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","workspaces_vpc_2private_1public_subnets_nat": null,"ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_transitgateway_auto_accept_vpc_attachments": null,"appstream_fleet_session_idle_disconnect_timeout": null,"ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","rds_instance_event_subscription_security_groups": 
"FAIL","sagemaker_training_jobs_vpc_settings_configured": null,"vpc_peering_routing_tables_with_least_privilege": "PASS","appstream_fleet_default_internet_access_disabled": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","cloudfront_distributions_geo_restrictions_enabled": null,"sagemaker_training_jobs_network_isolation_enabled": null,"opensearch_service_domains_not_publicly_accessible": null,"sagemaker_notebook_instance_vpc_settings_configured": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","vpc_endpoint_services_allowed_principals_trust_boundaries": null,"ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","cognito_user_pool_blocks_potential_malicious_sign_in_attempts": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Control Measures","Section": "2.6.1 Network Access","Subdomain": "2.6. Access Control","AuditEvidence": ["Network diagram","IP management ledger","Information asset list","Firewall rules"],"AuditChecklist": ["Has the organization identified all access paths to its network and ensured that internal networks are controlled so that only authorized users can access them according to the access control policy?","Has the organization physically or logically segmented the network based on services, user groups, information asset importance, and legal requirements, and applied access control between different network segments?","Has the organization established IP address allocation standards for each network segment, and applied measures such as assigning private IPs to systems like database servers that do not require external connections?","Has the organization implemented protective measures for communication paths when connecting networks between physically separated locations, such as IDCs, branches, and agents?"],"NonComplianceCases": ["Case 1: The network configuration and interviews revealed that data transmission and reception between external sites and the servers located in the IDC are being processed through the general internet line, rather than using VPN or dedicated lines as specified in internal regulations.","Case 2: The IP addresses of some important servers, such as database servers located in the internal network, were set to public IPs instead of private IPs as per internal regulations, and network access blocking was not applied.","Case 3: Although a server farm was established, access from the internal network to 
the server farm was excessively allowed due to insufficient network access control settings.","Case 4: The network provided to external parties (e.g., external developers, visitors) was not separated from the internal business network without appropriate controls.","Case 5: Contrary to internal regulations, the organization's network could be accessed and used simply by connecting a network cable without applying protective measures such as MAC address authentication and mandatory security software installation."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "In order to control unauthorized access to the network, management procedures such as IP management and device authentication must be established and implemented. Network segmentation (DMZ, server farm, DB zone, development zone, etc.) and access controls must be applied according to the business purpose and importance.","checks_status": {"fail": 17,"pass": 54,"total": 112,"manual": 0}},"2.6.2": {"name": "Access to Information Systems","checks": {"ec2_elastic_ip_shodan": null,"ec2_instance_public_ip": "FAIL","ec2_elastic_ip_unassigned": "FAIL","lightsail_instance_public": null,"lightsail_static_ip_unused": null,"ec2_instance_managed_by_ssm": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","ec2_instance_internet_facing_with_instance_profile": 
"FAIL","ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Protection Requirements","Section": "2.6.2 Access to Information Systems","Subdomain": "2.6. Access Control","AuditEvidence": ["List of operating system accounts of information systems","Server security settings","Server access control policy (e.g., SecureOS management screen)","Server and network configuration diagram","Information asset list"],"AuditChecklist": ["Have users, access locations, and access means allowed to access operating systems (OS) of information systems such as servers, network systems, and security systems been defined and controlled?","Is the system automatically disconnected when there is no work processed after accessing the information system for a certain period?","Are services unrelated to the purpose of using the information system removed?","Are information systems that provide key services operated on independent servers?"],"NonComplianceCases": ["Case 1: When a server administrator accesses a Windows server located in the IDC from the office using terminal services, session timeout settings are not configured, allowing the session to remain open for a long period without any activity.","Case 2: Due to improper restrictions on server-to-server access, a user authorized to access a particular server can access other unauthorized servers via that server.","Case 3: Unsafe access protocols (e.g., telnet, ftp) are being used without valid reasons or compensatory measures, and 
unnecessary services and ports are open.","Case 4: Although the access control policy requires all access to servers to go through a server access control system, bypass routes exist that allow access to servers without going through the system."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "The users, access restriction methods, and secure access means for accessing information systems such as servers and network systems must be defined and controlled.","checks_status": {"fail": 8,"pass": 13,"total": 24,"manual": 0}},"2.6.3": {"name": "Access to Applications","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Requirements","Section": "2.6.3 Access to Applications","Subdomain": "2.6. Access Control","AuditEvidence": ["Application access rights classification system","Application account and rights management screen","Application user and administrator screens (e.g., personal information viewing, etc.)","Application session time and concurrent session restriction settings","Application administrator access log monitoring details","Information asset list","Personal information processing system's personal information viewing and search screens","Personal information masking standards","Personal information masking application screen"],"AuditChecklist": ["Are access rights to applications granted differentially based on the user's tasks to control access to sensitive information?","Are sessions automatically disconnected after a certain period of inactivity, and is the number of simultaneous sessions per user restricted?","Is access to administrator-exclusive applications (e.g., admin web pages, admin consoles) restricted to unauthorized users?","Are criteria established and applied to ensure consistency in protection measures for limiting the display of personal and sensitive 
information?","Are applications implemented and operated to minimize unnecessary exposure (e.g., viewing, screen display, printing, downloading) of personal and sensitive information?"],"NonComplianceCases": ["Case 1: There is a flaw in the authorization control function of certain personal information processing screens in the application, allowing users without permission to view personal information.","Case 2: The administrator page of the application is open to the public internet without secure authentication methods applied.","Case 3: Session timeouts or concurrent logins for the same user account are not restricted without valid reasons.","Case 4: When personal information is downloaded through the application, the file contains excessive unnecessary information such as resident registration numbers.","Case 5: The application excessively allows 'like' searches, allowing all users to retrieve all customer information by searching only for a surname, even beyond their work scope.","Case 6: Due to the lack of criteria for limiting the display of personal information or failure to adhere to them, different masking standards are applied to the same personal information items on different screens of the personal information processing system.","Case 7: Although personal information is masked on the screen of the personal information processing system, unmasked personal information is exposed by viewing the web browser source."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights), Article 6 (Access Control), Article 12 (Safety Measures for Printing and Copying)"]}],"description": "Access rights to applications must be restricted according to the user's tasks and the importance of the accessed information, and criteria should be established to minimize exposure of unnecessary or sensitive 
information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.6.4": {"name": "Database Access","checks": {"accessanalyzer_enabled": "PASS","lightsail_database_public": null,"rds_snapshots_public_access": "PASS","dms_instance_no_public_access": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"neptune_cluster_public_snapshot": null,"rds_instance_transport_encrypted": "FAIL","documentdb_cluster_public_snapshot": null,"neptune_cluster_uses_public_subnet": null,"vpc_subnet_separate_private_public": "FAIL","dynamodb_table_cross_account_access": null,"rds_cluster_iam_authentication_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","rds_instance_iam_authentication_enabled": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","neptune_cluster_iam_authentication_enabled": null,"ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","opensearch_service_domains_not_publicly_accessible": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_internal_user_database_enabled": null,"ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","opensearch_service_domains_use_cognito_authentication_for_kibana": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.6.4 Database Access","Subdomain": "2.6. Access Control","AuditEvidence": ["Database status (e.g., tables, columns)","List of database user accounts and permissions","Database access control policy (e.g., database access control system management screen)","Network diagram (e.g., database zone)","Information asset list"],"AuditChecklist": ["Are you identifying the information stored and managed in the database, such as the table list?","Are you clearly identifying the applications, information systems (servers), and users that need access to information in the database and controlling access according to the access control policy?"],"NonComplianceCases": ["Case 1: A database that stores and processes a large amount of personal information is operated on the same physical server as a web application accessible via the Internet, without separating them.","Case 2: Developers and operators share accounts used by the application to access the production database.","Case 3: Although internal regulations require database access rights to be restricted by object, access rights to the database are granted uniformly to administrators, even those who do not need access to personal information tables.","Case 4: A database access control solution has been implemented, but access to the database is not properly restricted by IP address, allowing users to bypass the access control solution.","Case 5: The table status of a database storing personal information has not been identified, resulting in the unnecessary retention of personal information in temporary tables that have not been 
deleted."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 5 (Management of Access Rights), Article 6 (Access Control)"]}],"description": "Identify the information stored and managed in the database, such as the table list, and establish and implement access control policies according to the importance of the information and the type of applications and users.","checks_status": {"fail": 6,"pass": 19,"total": 37,"manual": 0}},"2.6.5": {"name": "Wireless Network Access","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.6.5 Wireless Network Access","Subdomain": "2.6. Access Control","AuditEvidence": ["Network diagram","AP security settings history","Inspection records of unauthorized wireless networks","Wireless network usage application and approval records"],"AuditChecklist": ["When using a wireless network for business purposes, are you establishing and implementing protection measures such as authentication and encryption of transmitted and received data to ensure the security of the wireless AP and network segment?","Have you established and implemented procedures for applying for and terminating access to ensure that only authorized employees can use the wireless network?","Have you established and implemented protection measures against unauthorized wireless networks, such as detecting and blocking AD Hoc connections and unauthorized wireless APs within the organization?"],"NonComplianceCases": ["Case 1: The wireless network segments for external users and internal users are the same, allowing external users to access the internal network without separate control via the wireless network.","Case 2: Although the encryption function for information transmission and reception was enabled when configuring the wireless AP, it was set in an insecure manner.","Case 3: A wireless AP 
connected to the internal network for business purposes has security settings that are insufficient, such as exposure of the administrator password (using the default password) and lack of access control."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "When using a wireless network, wireless network protection measures such as user authentication, encryption of transmitted and received data, and AP control must be applied. In addition, protection measures must be established and implemented to prevent unauthorized wireless network access, such as AD Hoc connections and the use of unauthorized APs.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.6.6": {"name": "Remote Access Control","checks": {"vpc_flow_logs_enabled": "FAIL","networkfirewall_in_all_vpc": "FAIL","cognito_user_pool_mfa_enabled": null,"iam_user_console_access_unused": null,"vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","iam_user_mfa_enabled_console_access": null,"workspaces_volume_encryption_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","appstream_fleet_maximum_session_duration": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","appstream_fleet_session_disconnect_timeout": null,"ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","cognito_identity_pool_guest_access_disabled": "FAIL","workspaces_vpc_2private_1public_subnets_nat": null,"cognito_user_pool_self_registration_disabled": null,"appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"ec2_client_vpn_endpoint_connection_logging_enabled": 
null,"cloudwatch_log_metric_filter_authentication_failures": null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.6.6 Remote Access Control","Subdomain": "2.6. Access Control","AuditEvidence": ["Remote access application form (e.g., VPN)","VPN account list","VPN access control policy settings","IP management log","Remote access control settings (server settings, security system settings, etc.)","Designation and management of management terminals","Network diagram"],"AuditChecklist": ["Is remote operation of information systems through external networks such as the internet prohibited in principle, and are compensatory measures in place if allowed for unavoidable reasons such as incident response?","Is access through remote operation of information systems allowed only for specific devices when done through internal networks?","Are protective measures established and implemented to prevent security incidents such as data breaches and hacking during remote work, such as telecommuting, remote collaboration, and smart work?","Are the devices used for remote access to personal information processing systems for management, operation, development, and security purposes designated as management terminals, and are safety measures such as prohibiting unauthorized operations and use for purposes other than those intended being applied?"],"NonComplianceCases": ["Case 1: Although internal regulations state that remote access to the system is prohibited in principle and, when allowed, access is restricted through IP-based access control, remote desktop connections and SSH access to the system are not limited by IP addresses, allowing access from any PC.","Case 2: A VPN has been established for remote management, but it is 
always available without usage approval or access period restrictions.","Case 3: Work-related mobile apps have been installed on personal smart devices for external workers, but appropriate protective measures (e.g., antivirus, encryption, wiping in case of loss or theft) to prevent personal information leaks are not being applied.","Case 4: VPN access for external users is not limited by network segments and information systems, allowing excessive access to the entire internal network and information systems for authenticated remote users."],"RelatedRegulations": ["Personal Information Protection Act Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information Article 6 (Access Control)"]}],"description": "Managing information systems and handling personal information outside of protected areas is, in principle, prohibited. However, if remote access is allowed for unavoidable reasons such as telecommuting, incident response, or remote collaboration, protective measures must be established and implemented, including approval from responsible personnel, designation of access devices, setting access scope and duration, enhanced authentication, encrypted communication, and securing access devices (e.g., antivirus, patches).","checks_status": {"fail": 8,"pass": 5,"total": 26,"manual": 0}},"2.6.7": {"name": "Internet Access Control","checks": {"ec2_elastic_ip_shodan": null,"vpc_flow_logs_enabled": "FAIL","ec2_instance_public_ip": "FAIL","ec2_elastic_ip_unassigned": "FAIL","networkfirewall_in_all_vpc": "FAIL","vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","workspaces_volume_encryption_enabled": null,"route53_dangling_ip_subdomain_takeover": null,"appstream_fleet_maximum_session_duration": null,"appstream_fleet_session_disconnect_timeout": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"workspaces_vpc_2private_1public_subnets_nat": 
null,"ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.6.7 Internet Access Control","Subdomain": "2.6. Access Control","AuditEvidence": ["Policy for blocking non-work-related sites (e.g., P2P) (management screen of non-work-related site blocking system)","Internet access monitoring history","List of individuals subject to internet access restriction measures","Procedures and records for data transfer between networks (e.g., application and approval records)","Network diagram"],"AuditChecklist": ["Is there an established and implemented policy to control internet access for work PCs used for key duties and personal information handling terminals?","Is unnecessary external internet access from key information systems (e.g., database servers) being controlled?","Are internet access restrictions being applied in a secure manner for individuals who are required by law to have their internet access restricted?"],"NonComplianceCases": ["Case 1: Internet access restriction measures were applied according to the Personal Information Protection Act, but the restriction was not applied to some individuals with the authority to set access rights for personal information processing systems.","Case 2: Although internet access restriction measures were applied as required under the Personal Information Protection Act, it was possible to bypass the restriction by accessing the system through another server, allowing the download and deletion of personal information.","Case 3: Some servers located in the DMZ and internal network were unnecessarily able to access the internet 
directly.","Case 4: Although a physical network separation system was applied between internet PCs and internal work PCs, and a data transfer system was established, there was no approval process for data transfers, and there was no periodic review of the data transfer records.","Case 5: Internal regulations require that individuals handling personal information obtain approval from a responsible person before accessing P2P or web hard drive sites, and access is only permitted for a specific period, but there are numerous cases of exceptions being made without going through the approval process."],"RelatedRegulations": ["Personal Information Protection Act Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information Article 6 (Access Control)"]}],"description": "To prevent information leaks, malware infections, and intrusions into the internal network through the internet, policies must be established and implemented to restrict internet access or services (e.g., P2P, web hard drives, messengers) on key information systems, devices handling sensitive duties, and terminals processing personal information.","checks_status": {"fail": 6,"pass": 1,"total": 19,"manual": 0}},"2.7.1": {"name": "Application of Encryption Policy","checks": {"elb_ssl_listeners": "FAIL","backup_vaults_exist": null,"elbv2_ssl_listeners": "FAIL","ssm_document_secrets": "PASS","backup_vaults_encrypted": "PASS","rds_snapshots_encrypted": "FAIL","elb_insecure_ssl_ciphers": "PASS","s3_bucket_kms_encryption": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","elbv2_insecure_ssl_ciphers": "PASS","athena_workgroup_encryption": null,"ec2_ebs_snapshots_encrypted": "FAIL","s3_bucket_default_encryption": "PASS","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","rds_instance_transport_encrypted": 
"FAIL","cloudtrail_kms_encryption_enabled": "FAIL","neptune_cluster_storage_encrypted": null,"s3_bucket_secure_transport_policy": "FAIL","documentdb_cluster_storage_encrypted": null,"workspaces_volume_encryption_enabled": null,"awslambda_function_no_secrets_in_code": "PASS","glue_database_connections_ssl_enabled": null,"athena_workgroup_enforce_configuration": null,"cloudfront_distributions_https_enabled": null,"cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudformation_stack_outputs_find_secrets": "PASS","codebuild_project_no_secrets_in_variables": "PASS","kafka_cluster_encryption_at_rest_uses_cmk": null,"sns_subscription_not_using_http_endpoints": "PASS","sns_topics_kms_encryption_at_rest_enabled": "FAIL","sqs_queues_server_side_encryption_enabled": "PASS","awslambda_function_no_secrets_in_variables": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"glue_etl_jobs_amazon_s3_encryption_enabled": "PASS","acm_certificates_with_secure_key_algorithms": "PASS","cloudwatch_log_group_kms_encryption_enabled": "FAIL","ecs_task_definitions_no_environment_secrets": "PASS","kafka_cluster_in_transit_encryption_enabled": null,"storagegateway_fileshare_encryption_enabled": null,"apigateway_restapi_client_certificate_enabled": "FAIL","glue_etl_jobs_job_bookmark_encryption_enabled": "FAIL","glue_data_catalogs_metadata_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"kafka_cluster_mutual_tls_authentication_enabled": null,"directoryservice_radius_server_security_protocol": null,"glue_development_endpoints_s3_encryption_enabled": null,"glue_etl_jobs_cloudwatch_logs_encryption_enabled": "FAIL","autoscaling_find_secrets_ec2_launch_configuration": "PASS","eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"elasticache_redis_cluster_rest_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": 
null,"cloudfront_distributions_field_level_encryption_enabled": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"elasticache_redis_cluster_in_transit_encryption_enabled": null,"opensearch_service_domains_https_communications_enforced": null,"sagemaker_training_jobs_intercontainer_encryption_enabled": null,"glue_data_catalogs_connection_passwords_encryption_enabled": "FAIL","glue_development_endpoints_job_bookmark_encryption_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null,"sagemaker_training_jobs_volume_and_output_encryption_enabled": null,"glue_development_endpoints_cloudwatch_logs_encryption_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.7.1 Application of Encryption Policy","Subdomain": "2.7. Application of Encryption","AuditEvidence": ["Encryption control policy (targets, methods, algorithms, etc.)","Encryption application status (during storage and transmission)","Risk analysis results (if encryption is not applied to unique identifiers other than resident registration numbers in the internal network)","Encryption solution management screen"],"AuditChecklist": ["Has an encryption policy been established that includes encryption targets, encryption strength, and encryption usage in consideration of legal requirements for the protection of personal and important information?","Is encryption applied to personal and important information during storage, transmission, and transfer according to the encryption policy?"],"NonComplianceCases": ["Case 1: Internal policies and guidelines do not properly specify encryption targets, encryption strength, encryption methods during storage and transmission, or the roles and responsibilities of those responsible for encryption, considering legal requirements.","Case 2: The company applied incorrect regulations during the creation of its encryption policy, leading to non-compliance with legal encryption 
requirements (e.g., storing user account numbers without encryption).","Case 3: Although one-way encryption was applied to the passwords of both personal information handlers and data subjects, an insecure MD5 algorithm was used.","Case 4: Although a security server was applied to an internet shopping mall in accordance with relevant laws and internal regulations, encryption was missing in some sections where users' personal information is transmitted (e.g., viewing or modifying member information, password retrieval, password changes).","Case 5: Passwords for accessing information systems, authentication keys, and other values were stored in plaintext in system configuration files and source code."],"RelatedRegulations": ["Personal Information Protection Act, Article 24-2 (Restrictions on Processing of Resident Registration Numbers), Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 7 (Encryption of Personal Information)"]}],"description": "To protect personal and important information, encryption policies that reflect legal requirements, such as encryption targets, encryption strength, and encryption usage policies, must be established. Encryption must be applied during the storage, transmission, and transfer of personal and important information.","checks_status": {"fail": 18,"pass": 19,"total": 66,"manual": 0}},"2.7.2": {"name": "Cryptographic Key Management","checks": {"kms_cmk_are_used": null,"kms_cmk_rotation_enabled": null,"kms_key_not_publicly_accessible": null,"kms_cmk_not_deleted_unintentionally": null,"rds_instance_certificate_expiration": "PASS","secretsmanager_automatic_rotation_enabled": "FAIL","acm_certificates_transparency_logs_enabled": "PASS","directoryservice_ldap_certificate_expiration": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "FAIL","attributes": [{"Domain": "2. 
Security Control Requirements","Section": "2.7.2 Cryptographic Key Management","Subdomain": "2.7. Application of Encryption","AuditEvidence": ["Cryptographic Key Management Policy","Cryptographic Key Management Log and System Screens"],"AuditChecklist": ["Are procedures for the generation, use, storage, distribution, modification, recovery, and destruction of cryptographic keys established and implemented?","Are cryptographic keys securely stored in a separate location to ensure they can be recovered if necessary, and is access to the use of cryptographic keys minimized?"],"NonComplianceCases": ["Case 1: If encryption policies do not specify procedures and methods for managing cryptographic keys, leading to varying levels and methods of cryptographic key management among personnel, resulting in vulnerabilities.","Case 2: Internal regulations require the generation of encryption keys under the approval of a responsible person when encrypting important information, and to maintain a key management log, but some keys are either missing or outdated in the log.","Case 3: The encryption key applied in the development system is the same as the one applied in the production system, making it easy to decrypt actual data through the development system."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 7 (Encryption of Personal Information)"]}],"description": "Establish and implement management procedures for the secure generation, use, storage, distribution, and destruction of cryptographic keys, and prepare recovery methods if necessary.","checks_status": {"fail": 1,"pass": 2,"total": 9,"manual": 0}},"2.8.1": {"name": "Definition of Security Requirements","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": 
"FAIL","accessanalyzer_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","guardduty_centrally_managed": "FAIL","wafv2_webacl_logging_enabled": "FAIL","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","codebuild_project_no_secrets_in_variables": "PASS","codebuild_project_user_controlled_buildspec": "PASS","wellarchitected_workload_no_high_or_medium_risks": "FAIL","codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Security Control Requirements","Section": "2.8.1 Definition of Security Requirements","Subdomain": "2.8. Security for Information System Introduction and Development","AuditEvidence": ["Information System Acquisition Standards and Procedures","RFP (Request for Proposal) and Purchase Contracts for Information System Introduction","Development Outputs (Project Execution Plans, Requirements Definition, Screen Design, Security Architecture Design, Test Plans, etc.)","Secure Coding Standards"],"AuditChecklist": ["When introducing, developing, or modifying an information system, are procedures for reviewing the validity of information protection and personal information protection aspects and for acquisition established and implemented?","When introducing, developing, or modifying an information system, are security requirements, including legal requirements and the latest vulnerabilities, clearly defined and reflected from the design stage?","Are coding standards for secure implementation of the information system established and applied?"],"NonComplianceCases": ["Case 1: Lack of established security verification standards and procedures prior to acquiring an information system.","Case 2: Internal regulations require the review of the security impact and the operating environment when introducing a new system, but recent acquisitions of some information systems lacked detailed standards and plans, and therefore, no security review was conducted during 
the acquisition.","Case 3: Internal development guidelines do not define key security requirements related to development (authentication and encryption, security logging, etc.).","Case 4: In the 'Development Standards Definition Document', user passwords are to be encrypted using insecure algorithms (MD5, SHA1), resulting in failure to comply with relevant legal requirements."],"RelatedRegulations": []}],"description": "When introducing, developing, or modifying information systems, security requirements such as legal requirements related to information protection and personal information protection, the latest security vulnerabilities, and secure coding methods must be defined and applied.","checks_status": {"fail": 7,"pass": 7,"total": 16,"manual": 0}},"2.8.2": {"name": "Review and Testing of Security Requirements","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","accessanalyzer_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","guardduty_centrally_managed": "FAIL","wafv2_webacl_logging_enabled": "FAIL","inspector2_active_findings_exist": "FAIL","config_recorder_all_regions_enabled": null,"guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","codebuild_project_no_secrets_in_variables": "PASS","codebuild_project_user_controlled_buildspec": "PASS","wellarchitected_workload_no_high_or_medium_risks": "FAIL","codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Security Control Requirements","Section": "2.8.2 Review and Testing of Security Requirements","Subdomain": "2.8. 
Security for Information System Introduction and Development","AuditEvidence": ["Information System Acceptance Test Results","Requirements Traceability Matrix","Test Plans, Test Results","Vulnerability Assessment Results","Personal Information Impact Assessment Report","Confirmation of Implementation of Corrective Actions for Personal Information Impact Assessment"],"AuditChecklist": ["When introducing, developing, or modifying an information system, are tests conducted to verify whether the security requirements defined during the analysis and design stages have been effectively applied?","Are vulnerability assessments conducted to confirm that the information system has been securely developed according to secure coding standards?","Are procedures established and implemented to ensure that issues identified during testing and vulnerability assessments are promptly addressed through corrective action plans and follow-up checks?","For public institutions, are impact assessments conducted during the analysis and design stages when developing or modifying personal information processing systems, as required by relevant laws, and are the results reflected during development and modification?"],"NonComplianceCases": ["Case 1: Failure to test security requirements defined in internal guidelines and documents after implementing an information system.","Case 2: In the application program test scenario and technical vulnerability checklist, important validation items such as input validation checks were omitted.","Case 3: Failure to assess whether known technical vulnerabilities exist during implementation or testing, or failure to address identified vulnerabilities without valid reasons or approval.","Case 4: A public institution failed to conduct an impact assessment when developing a personal information file or personal information processing system subject to an impact assessment requirement, such as processing unique identifiers of more than 50,000 data 
subjects.","Case 5: A public institution failed to submit the impact assessment report to the Personal Information Protection Commission within two months after receiving the report from the impact assessment agency.","Case 6: Internal guidelines require reviewing the security and impact on the operating environment when introducing a new system (e.g., vulnerability assessments), but recent acquisitions of some information systems lacked security reviews during the acceptance process."],"RelatedRegulations": ["Personal Information Protection Act, Article 33 (Personal Information Impact Assessment)","Notification on Personal Information Impact Assessment"]}],"description": "To verify that an information system has been introduced or implemented according to predefined security requirements, review standards and procedures must be established and implemented to check compliance with legal requirements, the latest security vulnerabilities, secure coding implementation, and personal information impact assessment, and corrective measures must be taken for any identified issues.","checks_status": {"fail": 10,"pass": 7,"total": 19,"manual": 0}},"2.8.3": {"name": "Separation of Test and Production Environments","checks": {"codebuild_project_user_controlled_buildspec": "PASS"},"status": "PASS","attributes": [{"Domain": "2. Security Requirements for Protection Measures","Section": "2.8.3 Separation of Test and Production Environments","Subdomain": "2.8. 
Security for Information System Introduction and Development","AuditEvidence": ["Network diagrams (including test environment configuration)","Current application of access control between the production environment and the development/test environment"],"AuditChecklist": ["Are development and test systems separated from the production system?","If separation of development and production environments is difficult due to unavoidable reasons, have security measures such as mutual review, monitoring by supervisors, approval for changes, and ensuring accountability been implemented?"],"NonComplianceCases": ["Case 1: Source code changes are being made directly in the production environment without a separate development environment or proper approval.","Case 2: Although it is unavoidable to operate the development and production systems without separation, records of mutual review or monitoring are missing.","Case 3: Although a separate development system is in place, access from the development environment to the production environment is not controlled, allowing developers unnecessary access to the production system through the development system."],"RelatedRegulations": []}],"description": "Development and test systems must, in principle, be separated from production systems to reduce the risk of unauthorized access and changes to the production system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.8.4": {"name": "Test Data Security","checks": {"codebuild_project_no_secrets_in_variables": "PASS"},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.8.4 Test Data Security","Subdomain": "2.8. 
Security in Information System Introduction and Development","AuditEvidence": ["Test data status","Test data generation rules","If operational data was used in a test environment, the approval history"],"AuditChecklist": ["Is the use of actual operational data restricted during the development and testing of information systems?","If it is inevitable to use operational data in a test environment, are control procedures such as approval by the responsible person, monitoring of access and leakage, and deletion of data after testing established and implemented?"],"NonComplianceCases": ["Case 1: There are no specific standards and procedures established for generating test data for use on the development server.","Case 2: Operational data is being used as test data without proper processing and without approval from the responsible person for a valid reason.","Case 3: Although operational data was approved in advance for use as test data for unavoidable reasons, the same level of access control as the operational database is not applied to the test database.","Case 4: After using operational data for testing purposes, the data was not deleted from the test database even though the testing was completed."],"RelatedRegulations": []}],"description": "In order to prevent the leakage of operational data during system testing, procedures for the creation, use, management, disposal, and technical protection measures of test data must be established and implemented.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.8.5": {"name": "Source Program Management","checks": {"ecr_repositories_not_publicly_accessible": "PASS","codeartifact_packages_external_public_publishing_disabled": null},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.8.5 Source Program Management","Subdomain": "2.8. 
Security in Information System Introduction and Development","AuditEvidence": ["Status of configuration management systems such as SVN (e.g., list of authorized personnel)","History of changes to the source program"],"AuditChecklist": ["Have procedures been established and implemented to control access to source programs by unauthorized persons?","Is the source program stored safely in a non-operational environment for emergencies such as system failures?","Is the history of changes to the source program being managed?"],"NonComplianceCases": ["Case 1: There is no separate backup or configuration management system for source programs, and previous versions of the source code are stored on the operational server or developer's PC without approval or history management.","Case 2: A configuration management system has been established, but access control, access and change history for the system or the source code stored in the system are not properly managed.","Case 3: The internal regulations require version control of source programs through a configuration management system, but the latest version of the source program is only stored on the developer's PC, and no separate backup is performed."],"RelatedRegulations": []}],"description": "Source programs must be managed so that only authorized users can access them, and it is a principle that they should not be stored in the operational environment.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.8.6": {"name": "Transition to Operational Environment","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.8.6 Transition to Operational Environment","Subdomain": "2.8. 
Security in Information System Introduction and Development","AuditEvidence": ["Transition procedures","Transition records (requests, approvals, tests, transitions, etc.)"],"AuditChecklist": ["Have control procedures been established and implemented to safely transition newly introduced, developed, or modified systems to the operational environment?","Are contingency plans in place to address issues that may arise during the transition to the operational environment?","Are only the files necessary for service execution installed in the operational environment?"],"NonComplianceCases": ["Case 1: There are no procedures in place to review and approve the transition of developed or modified source programs to the operational environment.","Case 2: Unnecessary files (source code, distribution modules, backups, development-related documents, manuals, etc.) exist in the operational server.","Case 3: The internal guidelines require the preparation of change request and result documents for safe transition and recovery during transitions to the operational environment, but such documents are not available.","Case 4: The internal guidelines require internal review and approval before distributing mobile apps to the app market, but developers are bypassing these procedures and distributing the apps directly."],"RelatedRegulations": []}],"description": "When transitioning newly introduced, developed, or modified systems to the operational environment, the process must be controlled, and the executable code must be run according to test and user acceptance procedures.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.9.1": {"name": "Change Management","checks": {"codebuild_project_older_90_days": "FAIL","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_changes_to_network_acls_alarm_configured": 
null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.9.1 Change Management","Subdomain": "2.9. System and Service Operations Management","AuditEvidence": ["Change management procedures","Change management records (requests, approvals, change details, etc.)","Impact analysis results of changes"],"AuditChecklist": ["Have procedures been established and implemented for changes to assets related to information systems (hardware, operating systems, commercial software packages, etc.)?","Are the performance and security impacts analyzed before making changes to information system-related assets?"],"NonComplianceCases": ["Case 1: A recent change to the DMZ section for redundancy was made, but there is no evidence of performing and approving the security risk and performance evaluation that may occur after the change.","Case 2: A recent network change was made, but the review and notification were not sufficiently carried out, so the changes were not properly reflected in the network diagram or some access control systems (e.g., firewalls, database access control systems) ACLs.","Case 3: Although a change management system was established to analyze and discuss the impact on performance and security when information systems are introduced or changed, changes can still be made outside the system, and related changes are not properly reviewed."],"RelatedRegulations": 
[]}],"description": "Procedures must be established and implemented to manage all changes to assets related to information systems, and the impact on system performance and security must be analyzed before changes are made.","checks_status": {"fail": 2,"pass": 0,"total": 14,"manual": 0}},"2.9.2": {"name": "Performance and Fault Management","checks": {"rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","elbv2_is_in_multiple_az": "PASS","s3_bucket_no_mfa_delete": "FAIL","vpc_subnet_different_az": "PASS","neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","autoscaling_group_multiple_az": null,"dms_instance_multi_az_enabled": null,"rds_cluster_backtrack_enabled": null,"cloudtrail_multi_region_enabled": "PASS","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_cross_region_replication": "FAIL","trustedadvisor_errors_and_warnings": null,"config_recorder_all_regions_enabled": null,"kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": null,"networkfirewall_deletion_protection": null,"rds_instance_certificate_expiration": "PASS","route53_domains_transferlock_enabled": null,"cloudtrail_bucket_requires_mfa_delete": null,"elb_cross_zone_load_balancing_enabled": "PASS","documentdb_cluster_deletion_protection": null,"documentdb_cluster_cloudwatch_log_export": null,"ec2_instance_detailed_monitoring_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","iam_no_expired_server_certificates_stored": null,"kafka_cluster_enhanced_monitoring_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null,"directoryservice_ldap_certificate_expiration": null,"cognito_user_pool_deletion_protection_enabled": null,"trustedadvisor_premium_support_plan_subscribed": null,"directoryservice_directory_monitor_notifications": null,"cloudformation_stacks_termination_protection_enabled": 
"FAIL","cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.9.2 Performance and Fault Management","Subdomain": "2.9. System and Service Operations Management","AuditEvidence": ["Procedures for performance and capacity monitoring","Evidence of performance and capacity monitoring (e.g., internal reporting results)","Fault response procedures","Fault response report"],"AuditChecklist": ["Have procedures been established and implemented to continuously monitor performance and capacity to ensure the availability of information systems?","Are response procedures in place and implemented to address cases where the performance and capacity requirements (thresholds) of the information system are exceeded?","Have procedures been established and implemented to immediately recognize and respond to information system faults?","Are procedures in place to record and manage actions taken in response to faults through fault response reports?","For serious faults, are measures being taken to prevent recurrence through cause analysis?"],"NonComplianceCases": ["Case 1: Failure to define requirements (e.g., thresholds) for managing performance and capacity for each target, or the absence of records in regular inspection reports, making it difficult to assess the current status.","Case 2: Performance or capacity standards were exceeded, but no related reviews or follow-up measures were taken or implemented.","Case 3: Fault response procedures for IT equipment have been established, but internal and external environmental changes such as network configuration or vendor changes are not adequately reflected.","Case 4: Inconsistencies exist between fault handling procedures and fault type-specific response methods, or there is a lack of rationale for estimating response times, making swift, accurate, and 
systematic responses difficult."],"RelatedRegulations": []}],"description": "To ensure the availability of information systems, performance and capacity requirements must be defined, and the status must be continuously monitored. Procedures for detecting, recording, analyzing, recovering, and reporting in response to faults must be established and managed effectively.","checks_status": {"fail": 11,"pass": 6,"total": 39,"manual": 0}},"2.9.3": {"name": "Backup and Recovery Management","checks": {"ec2_ami_public": null,"backup_plans_exist": "PASS","backup_vaults_exist": null,"backup_vaults_encrypted": "PASS","ec2_ebs_public_snapshot": "PASS","efs_have_backup_enabled": "FAIL","s3_bucket_public_access": null,"backup_reportplans_exist": null,"s3_bucket_kms_encryption": "FAIL","s3_bucket_public_list_acl": null,"s3_bucket_public_write_acl": null,"ec2_ebs_snapshots_encrypted": "FAIL","rds_instance_backup_enabled": "PASS","rds_snapshots_public_access": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"s3_bucket_default_encryption": "PASS","rds_cluster_backtrack_enabled": null,"neptune_cluster_backup_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","neptune_cluster_public_snapshot": null,"documentdb_cluster_backup_enabled": null,"documentdb_cluster_public_snapshot": null,"rds_cluster_copy_tags_to_snapshots": "FAIL","s3_bucket_cross_region_replication": "FAIL","rds_instance_copy_tags_to_snapshots": null,"redshift_cluster_automated_snapshot": null,"s3_access_point_public_access_block": "PASS","s3_bucket_policy_public_write_access": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","elasticache_redis_cluster_backup_enabled": null,"ecr_repositories_lifecycle_policy_enabled": "FAIL","directoryservice_directory_snapshots_limit": null,"ec2_ebs_snapshot_account_block_public_access": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": 
"FAIL"},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.9.3 Backup and Recovery Management","Subdomain": "2.9. System and Service Operation Management","AuditEvidence": ["Backup and recovery procedures","Recovery test results","Disaster recovery backup status"],"AuditChecklist": ["Have backup and recovery procedures been established and implemented, including targets, frequency, methods, and procedures?","Is regular recovery testing conducted to verify the completeness and accuracy of the backed-up information and the adequacy of the recovery procedures?","For backup media containing critical information, is the media stored in physically separate locations to address disaster recovery?"],"NonComplianceCases": ["Case 1: Backup and recovery procedures, including targets, frequency, methods, and procedures, have not been established.","Case 2: Although a backup policy is in place, information required to be stored for a long period (6 months, 3 years, 5 years, etc.) according to legal requirements is not being stored according to the backup policy.","Case 3: Some systems (e.g., security system policies and logs) that are required to be separately backed up according to higher-level or internal guidelines are not being backed up.","Case 4: Although higher-level or internal guidelines stipulate that recovery tests for backup media should be conducted periodically, recovery tests have not been performed for an extended period."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 11 (Safety Measures for Disaster Recovery)"]}],"description": "To maintain the availability and data integrity of the information system, procedures must be established and implemented regarding the backup targets, frequency, methods, storage locations, retention periods, and disaster recovery. 
Additionally, management must ensure timely recovery in case of incidents.","checks_status": {"fail": 11,"pass": 8,"total": 37,"manual": 0}},"2.9.4": {"name": "Log and Access Record Management","checks": {"macie_is_enabled": "PASS","elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","ec2_ebs_public_snapshot": "PASS","eventbridge_bus_exposed": "PASS","rds_snapshots_encrypted": "FAIL","s3_bucket_public_access": null,"s3_bucket_kms_encryption": "FAIL","cloudtrail_insights_exist": null,"s3_bucket_public_list_acl": null,"s3_bucket_public_write_acl": null,"ec2_ebs_snapshots_encrypted": "FAIL","ec2_instance_managed_by_ssm": "FAIL","efs_not_publicly_accessible": "FAIL","guardduty_centrally_managed": "FAIL","rds_snapshots_public_access": "PASS","s3_bucket_default_encryption": "PASS","wafv2_webacl_logging_enabled": "FAIL","iam_securityaudit_role_created": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","config_recorder_all_regions_enabled": null,"s3_access_point_public_access_block": "PASS","s3_bucket_level_public_access_block": "PASS","eventbridge_bus_cross_account_access": "FAIL","s3_bucket_policy_public_write_access": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"apigatewayv2_api_access_logging_enabled": "FAIL","cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"s3_bucket_server_access_logging_enabled": "FAIL","cloudfront_distributions_logging_enabled": null,"documentdb_cluster_cloudwatch_log_export": null,"ec2_instance_detailed_monitoring_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": 
"FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_cross_account_sharing_disabled": null,"kafka_cluster_enhanced_monitoring_enabled": null,"acm_certificates_transparency_logs_enabled": "PASS","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"eks_control_plane_logging_all_types_enabled": null,"ec2_ebs_snapshot_account_block_public_access": null,"iam_inline_policy_no_full_access_to_cloudtrail": null,"trustedadvisor_premium_support_plan_subscribed": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL","cloudwatch_log_metric_filter_sign_in_without_mfa": null,"directoryservice_directory_monitor_notifications": null,"eventbridge_schema_registry_cross_account_access": "FAIL","glue_etl_jobs_cloudwatch_logs_encryption_enabled": "FAIL","opensearch_service_domains_audit_logging_enabled": null,"directoryservice_directory_log_forwarding_enabled": null,"ec2_client_vpn_endpoint_connection_logging_enabled": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","cloudwatch_log_metric_filter_authentication_failures": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"route53_public_hosted_zones_cloudwatch_logging_enabled": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","glue_development_endpoints_cloudwatch_logs_encryption_enabled": 
null,"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled": "PASS","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.9.4 Log and Access Record Management","Subdomain": "2.9. System and Service Operation Management","AuditEvidence": ["Log management procedures","Log record details","Access control records for log storage devices","Access records of personal information"],"AuditChecklist": ["Has the organization established log management procedures for information systems such as servers, applications, security systems, and network systems, and is it generating and storing the necessary logs accordingly?","Are log records of information systems securely stored to prevent tampering, theft, or loss, and is access to the log records minimized?","Are access records for personal information processing systems securely stored for a specified period in accordance with legal requirements, including all necessary items?"],"NonComplianceCases": ["Case 1: The detailed criteria and procedures for log recording, retention periods, review frequency, and responsible personnel have not been established.","Case 2: The maximum size for critical logs such as security event logs, application, and service logs (for Windows Server 2008 or later) is not sufficiently configured, resulting in logs not being recorded and retained for the period specified by internal standards.","Case 3: The log records of important Linux/UNIX servers are not separately backed up or adequately protected, allowing users to arbitrarily delete command execution histories and access logs.","Case 4: Upon reviewing access records for the personal information processing system, while the account, 
access time, and IP address of the user were logged, details about the data subject information handled and the tasks performed (e.g., view, modify, delete, download) were not recorded.","Case 5: The capacity of the log server is insufficient, leaving only two months of access records for the personal information processing system.","Case 6: A personal information processing system handling personal information of 100,000 data subjects is only retaining access logs for one year."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 8 (Retention and Inspection of Access Records)"]}],"description": "The organization must define the types of logs, retention periods, and retention methods for user access records, system logs, and privilege grant records for information systems such as servers, applications, security systems, and network systems, and must securely retain and manage them to prevent tampering, theft, or loss.","checks_status": {"fail": 25,"pass": 15,"total": 81,"manual": 0}},"2.9.5": {"name": "Log and Access Record Inspection","checks": {"cloudtrail_insights_exist": null,"inspector2_active_findings_exist": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","cloudtrail_threat_detection_enumeration": null,"cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": 
null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Control Requirements","Section": "2.9.5 Log and Access Record Inspection","Subdomain": "2.9. System and Service Operation Management","AuditEvidence": ["Log review and monitoring procedures","Log review and monitoring results (review details, reports, etc.)","Access record inspection details for personal information","Criteria and results for verifying reasons for personal information downloads","Evidence of responses to detected anomalies"],"AuditChecklist": ["Are there established log review and monitoring procedures, including the frequency, targets, and methods for detecting errors, misuse (unauthorized access, excessive queries, etc.), fraud, and other anomalies in the information system?","Are the results of log reviews and monitoring reported to the responsible person, and are responses taken following procedures when anomalies are detected?","Are access records of the personal information processing system regularly inspected according to the periods specified in relevant laws?"],"NonComplianceCases": ["Case 1: Monitoring and alert policies (criteria) for abnormal access (e.g., early morning access on holidays, access via bypass routes) or abnormal behaviors (e.g., large-scale data queries 
or continuous small data queries) on information systems processing important information have not been established.","Case 2: Although periodic inspection/monitoring criteria for access and usage are established in internal guidelines or systems, there is no record of actual review of abnormal access or behavior.","Case 3: The personal information processor sets the inspection frequency of access records for personal information processing systems to once per quarter.","Case 4: The internal management plan for the personal information processor sets criteria for verifying reasons when more than 1,000 items of personal information are downloaded, but the reasons are not verified when such downloads occur."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 8 (Retention and Inspection of Access Records)"]}],"description": "To ensure normal use of the information system and prevent misuse (unauthorized access, excessive queries, etc.) by users, log review criteria for access and usage must be established and inspected periodically, and post-event actions must be taken promptly if issues arise.","checks_status": {"fail": 6,"pass": 0,"total": 26,"manual": 0}},"2.9.6": {"name": "Time Synchronization","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Control Requirements","Section": "2.9.6 Time Synchronization","Subdomain": "2.9. System and Service Operation Management","AuditEvidence": ["Time synchronization settings","Evidence of time synchronization for key systems"],"AuditChecklist": ["Is the system time synchronized with the standard time?","Is regular inspection conducted to ensure that time synchronization is functioning properly?"],"NonComplianceCases": ["Case 1: The time of some critical systems (e.g., security systems, CCTV, etc.) 
is not synchronized with the standard time, and regular inspections for synchronization are not being conducted.","Case 2: Although internal NTP servers are configured for time synchronization, some systems are not synchronized, and there has been no cause analysis or response."],"RelatedRegulations": []}],"description": "To ensure the accuracy of logs and access records and provide reliable log analysis, the system time must be synchronized with a standard time and regularly maintained.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.9.7": {"name": "Reuse and Disposal of Information Assets","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Control Requirements","Section": "2.9.7 Reuse and Disposal of Information Assets","Subdomain": "2.9. System and Service Operation Management","AuditEvidence": ["Procedures for the disposal and reuse of information assets","Storage media management ledger","Evidence of the disposal of information assets and storage media","Disposal-related outsourcing contracts for information assets and storage media"],"AuditChecklist": ["Are secure reuse and disposal procedures for information assets established and implemented?","When reusing or disposing of information assets and storage media, are personal and critical information processed to be irrecoverable?","If information assets and storage media are disposed of internally, are the disposal records maintained in a management ledger along with evidence of disposal?","If disposal is outsourced to an external company, are disposal procedures specified in the contract and is the complete disposal confirmed?","Are measures in place to protect data on storage media during maintenance, repairs, or replacements of systems and PCs?"],"NonComplianceCases": ["Case 1: Although the policy and procedure require the complete deletion of data using a data deletion program when reusing PCs used by personal information handlers, in practice, PCs are reused without 
complete deletion or are only formatted before reuse, indicating that procedures are not being followed.","Case 2: Although storage media are disposed of through an external company, the contract lacks details on secure disposal procedures and protective measures, and there is no verification or supervision of the disposal process or evidence of compliance.","Case 3: Instead of recording the serial numbers of disposed HDDs, the system names are recorded, or the disposal ledger is not maintained, making it impossible to verify the disposal history and traceability.","Case 4: Discarded hard disks are left unsecured in an area without locks, and the data has not been fully deleted."],"RelatedRegulations": ["Personal Information Protection Act, Article 21 (Destruction of Personal Information)","Standards for Ensuring the Safety of Personal Information, Article 13 (Destruction of Personal Information)"]}],"description": "To prevent the recovery or regeneration of personal and critical information during the reuse and disposal process, secure reuse and disposal procedures for information assets must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.1": {"name": "Collection and Use of Personal Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.1.1 Collection and Use of Personal Information","Subdomain": "3.1. 
Protection Measures during Personal Information Collection","AuditEvidence": ["Online personal information collection forms (e.g., website sign-up screens, mobile app registration screens, event participation forms)","Offline personal information collection forms (e.g., membership application forms)","Records of personal information collection consent (e.g., member databases)","Records of legal guardian consent","Privacy policy"],"AuditChecklist": ["When collecting personal information, is it collected in accordance with lawful requirements such as obtaining the data subject’s consent, complying with legal obligations, or concluding and fulfilling contracts?","When obtaining consent from the data subject for the collection of personal information, are the method and timing of obtaining consent appropriate?","When obtaining consent from the data subject for the collection of personal information, are the relevant details clearly communicated, and are significant points required by law highlighted in a way that is easy to understand?","When collecting, using, or providing personal information from children under the age of 14, are necessary details notified to their legal representatives, and is consent obtained?","When obtaining the consent of a legal representative, is only the minimum necessary personal information collected, and are procedures and methods in place to verify the qualifications of the legal representative?","When notifying children under the age of 14 about matters related to the processing of their personal information, are the notifications presented in a format and language that is clear and easy to understand?","Are records of consent obtained from data subjects and legal representatives being retained?","For personal information that can be processed without the consent of the data subject, are the relevant items and legal basis for processing disclosed in the privacy policy or communicated to the data subject separately from the personal 
information processed with consent?","When personal information is used for additional purposes without the consent of the data subject, are criteria established and implemented to assess the relevance to the original purpose, predictability, impact on the data subject, and safety measures? If additional usage continues to occur, are these criteria disclosed in the privacy policy and regularly reviewed?"],"NonComplianceCases": ["Case 1: A personal information processor subject to the Personal Information Protection Act failed to include the 'right to refuse consent and the consequences of refusal' in the notifications when obtaining consent to collect personal information.","Case 2: During the process of obtaining consent for the collection of personal information, the items of personal information to be collected were not specified in detail, and were instead described in general terms like 'etc.'","Case 3: On a shopping mall website, personal information necessary for membership registration was collected alongside payment and delivery information required for future purchases, even though such information was not necessary at the time of registration.","Case 4: Personal information (e.g., name, email, phone number) was collected through Q&A boards without obtaining the data subject's consent.","Case 5: Personal information of children under the age of 14 was collected without obtaining the consent of their legal guardians.","Case 6: Although the service was not intended for children under 14, some members were under 14 because the website did not check birthdates during registration, allowing them to register without legal guardian consent.","Case 7: The procedure for verifying the authenticity of the legal representative was insufficient, allowing individuals who were not legal guardians to provide consent.","Case 8: Personal information (e.g., name, phone number) of legal guardians was collected for the purpose of obtaining their consent to collect personal 
information from children under the age of 14, but the consent of the legal guardian was not confirmed for an extended period, and the information was retained without being destroyed.","Case 9: Personal information of children under 14 was collected based on the consent of their legal guardians, but records of this consent were not maintained, making it impossible to verify the details related to legal guardian consent (e.g., legal guardian’s name, time of consent)."],"RelatedRegulations": ["Personal Information Protection Act, Article 15 (Collection and Use of Personal Information), Article 22 (Methods for Obtaining Consent), Article 22-2 (Protection of Personal Information of Children)","Notice on the Processing of Personal Information"]}],"description": "Personal information must be collected and used lawfully and fairly. When collecting personal information based on the consent of the data subject, such consent must be obtained through legal means. Additionally, when collecting personal information from children under the age of 14, consent must be obtained from their legal representative, and it must be verified that such consent was given by the legal representative.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.2": {"name": "Restrictions on the Collection of Personal Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.1.2 Restrictions on the Collection of Personal Information","Subdomain": "3.1. 
Protection Measures during Personal Information Collection","AuditEvidence": ["Online personal information collection forms (e.g., website sign-up screens, event participation forms)","Offline personal information collection forms (e.g., membership application forms)","Privacy policy"],"AuditChecklist": ["When collecting personal information, is only the minimum amount of information necessary for the intended purpose being collected?","When collecting personal information based on the data subject’s consent, is the data subject clearly informed that they can refuse to consent to the collection of additional personal information beyond the minimum required?","Is the data subject not denied goods or services for refusing to consent to the collection of additional personal information beyond the minimum necessary for the intended purpose?"],"NonComplianceCases": ["Case 1: Although personal information was being collected based on the fulfillment of a contract, excessive personal information not essential to the fulfillment of the contract was being collected.","Case 2: During the process of obtaining consent from the data subject for optional information, the data subject was not explicitly informed that they could refuse to provide such information.","Case 3: Although the sign-up form distinguished between required and optional information, the data subject was not clearly informed that they could complete registration without providing optional information (e.g., there was no indication on the personal information entry form of which fields were required and which were optional).","Case 4: On the website registration page, the data subject was unable to proceed or complete registration if they refused to provide optional information or consent to optional matters.","Case 5: During the hiring process, excessive personal information unrelated to the job position (e.g., family details) was collected."],"RelatedRegulations": ["Personal Information Protection Act, 
Article 16 (Restrictions on the Collection of Personal Information), Article 22 (Methods for Obtaining Consent)"]}],"description": "When collecting personal information, only the minimum amount of personal information necessary for the intended purpose may be collected, and the data subject must not be denied the provision of goods or services for refusing to consent to optional matters.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.3": {"name": "Restrictions on the Processing of Resident Registration Numbers","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.1.3 Restrictions on the Processing of Resident Registration Numbers","Subdomain": "3.1. Protection Measures during Personal Information Collection","AuditEvidence": ["Personal information collection forms (e.g., website sign-up screens, event participation forms, membership application forms)","Online personal information collection forms (alternative registration methods for identity verification)","Evidence of legal grounds for processing resident registration numbers","Privacy policy"],"AuditChecklist": ["Are resident registration numbers only processed when there is a clear legal basis?","Is the legal provision that forms the basis for the collection of resident registration numbers clearly identified?","When processing resident registration numbers under a legal basis, does the organization provide a method for data subjects to register without using their resident registration number during the membership registration process on an internet website?"],"NonComplianceCases": ["Case 1: Resident registration numbers were collected for simple membership management purposes, such as identity verification, during website sign-up based on the data subject's consent.","Case 2: Resident registration numbers were collected based on provisions in enforcement rules or local ordinances.","Case 3: The last 6 
digits of the resident registration number were collected for identity verification, such as during password recovery, without any legal basis.","Case 4: Resident registration numbers were collected from job applicants during the hiring process without a legal basis.","Case 5: Resident registration numbers were collected during customer service inquiries at a call center for identity verification purposes.","Case 6: Even when there was a legal basis for the collection of resident registration numbers, alternative registration methods were not provided during the membership registration process on the website, and resident registration numbers were required for identity verification and membership registration."],"RelatedRegulations": ["Personal Information Protection Act, Article 24-2 (Restrictions on the Processing of Resident Registration Numbers)","Information and Communications Network Act, Article 23-2 (Restrictions on the Use of Resident Registration Numbers)"]}],"description": "Resident registration numbers may not be collected, used, or processed unless there is a legal basis for doing so. Even when the processing of resident registration numbers is permitted, alternative methods must be provided, such as through an internet website.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.4": {"name": "Restriction on Processing of Sensitive and Unique Identifying Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Personal Information Processing Requirements","Section": "3.1.4 Restriction on Processing of Sensitive and Unique Identifying Information","Subdomain": "3.1. 
Protection Measures for Personal Information Collection","AuditEvidence": ["Online personal information collection forms (e.g., membership sign-up pages, event participation forms)","Offline personal information collection forms (e.g., membership application forms)","Privacy policy"],"AuditChecklist": ["Is sensitive information processed only with the separate consent of the data subject or when legally required?","Is unique identifying information (excluding resident registration numbers) processed only with the separate consent of the data subject or when there is a specific legal basis?","If there is a risk of invasion of privacy due to the disclosure of sensitive information during the provision of goods or services, is the data subject clearly informed of the possibility of such disclosure and how to opt for non-disclosure before the provision of goods or services?"],"NonComplianceCases": ["Case 1: Collecting sensitive information such as disability status for discounts or benefits for disabled individuals, and obtaining blanket consent for all personal information items.","Case 2: Collecting foreign registration numbers only from foreigners during membership registration, and obtaining blanket consent for all personal information items.","Case 3: When obtaining separate consent for the collection of sensitive or unique identifying information, failing to inform or incorrectly informing the data subject about the four key points that must be disclosed (e.g., the right to refuse consent and the consequences of refusal)."],"RelatedRegulations": ["Personal Information Protection Act, Article 23 (Restrictions on Processing of Sensitive Information), Article 24 (Restrictions on Processing of Unique Identifying Information)"]}],"description": "In order to process sensitive information and unique identifying information (excluding resident registration numbers), separate consent from the data subject must be obtained unless the processing is specifically required or 
permitted by law.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.5": {"name": "Indirect Collection of Personal Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Personal Information Processing Requirements","Section": "3.1.5 Indirect Collection of Personal Information","Subdomain": "3.1. Protection Measures for Personal Information Collection","AuditEvidence": ["Contracts related to the provision of personal information (agreements with providers)","Records of notifications to data subjects about the source of personal information","Privacy policy"],"AuditChecklist": ["When receiving personal information from a third party, is it clearly stated in the contract that the responsibility for obtaining consent for the collection of personal information lies with the party providing the information?","When collecting personal information from public media or places, is the collection limited to the scope recognized as having the data subject's consent, based on common societal standards?","Even for personal information collected or generated through automated collection devices during the process of providing services, is the principle of minimum collection applied?","When personal information is collected from a source other than the data subject and the data subject requests it, is the required information immediately provided to the data subject?","When personal information collected from a source other than the data subject meets legal requirements in terms of type or scale, is the required information provided to the data subject?","Is there a record of informing the data subject about the source of personal information, and is this record maintained until the personal information is destroyed?"],"NonComplianceCases": ["Case 1: In the case of collecting personal information published on websites or social media, there is no procedure for handling requests from data subjects about the source of the information.","Case 2: 
Personal information provided by another business entity was received based on consent for the provision of personal information under Article 17(1)(1) of the Personal Information Protection Act, but the data subjects were not notified within three months (note: this applies to cases where the recipient handles the personal information of more than 50,000 data subjects, sensitive information, or unique identifying information, or processes personal information of over 1 million data subjects).","Case 3: The data subject was informed about the source of the personal information as required by law, but some mandatory notification items were omitted, such as the purpose of processing or the right to withdraw consent.","Case 4: The data subject was informed about the source of the personal information, but the record of this notification was not maintained until the personal information was destroyed, in violation of legal obligations."],"RelatedRegulations": ["Personal Information Protection Act, Article 16 (Restrictions on the Collection of Personal Information), Article 19 (Restrictions on Use and Provision of Personal Information Provided by a Third Party), Article 20 (Notification of the Source, Purpose, etc. of Indirectly Collected Personal Information)"]}],"description": "When collecting personal information from sources other than the data subject or when receiving personal information from a third party, only the minimum amount of personal information necessary for the task should be collected or received. If there is a legal basis or at the request of the data subject, the source of the personal information, the purpose of processing, and the right to request a suspension of processing must be disclosed.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.6": {"name": "Installation and Operation of Video Information Processing Devices","checks": {},"status": "PASS","attributes": [{"Domain": "3. 
Personal Information Processing Requirements","Section": "3.1.6 Installation and Operation of Video Information Processing Devices","Subdomain": "3.1. Protection Measures for Personal Information Collection","AuditEvidence": ["Status of video information processing device operation","Signs for video information processing devices","Video information processing device operation and management policies","Management screens for video information processing devices (e.g., account/permission details, video retention periods)","Contracts with operators of video information processing devices and inspection records"],"AuditChecklist": ["When installing and operating fixed video information processing devices in public places, is it reviewed whether the installation meets legal requirements?","If public institutions install and operate fixed video information processing devices in public places, are public hearings or explanation sessions held to gather opinions from relevant experts and stakeholders, as required by law?","When installing and operating fixed video information processing devices, are necessary measures taken, such as installing signs to ensure the data subject can easily recognize the presence of the devices?","When operating mobile video information processing devices in public places for business purposes, is it reviewed whether the operation meets legal requirements?","When operating mobile video information processing devices in public places for business purposes, is the fact that the video is being recorded indicated and informed to the public through lights, sounds, or signs?","Is there an operation and management policy in place for the safe management of video information processing devices and the video information they record, and is it being implemented?","Is the retention period for video information set, and is the information destroyed without delay after the retention period expires?","When outsourcing the operation of video information 
processing devices, are the related procedures and requirements reflected in the contract?"],"NonComplianceCases": ["Case 1: The wording on the signs for video information processing devices is incomplete, or there is no established and implemented policy for the operation and management of video information processing devices.","Case 2: Although there is a policy for the operation and management of video information processing devices, the policy is not followed, such as failing to comply with the retention period or failing to implement access control and logging as described in the policy.","Case 3: The operation of video information processing devices is outsourced, but the legal requirements, such as inspection of the video information management status and provisions regarding liability for damages, are not reflected in the contract.","Case 4: The operation of video information processing devices is outsourced, but the signs for the devices do not include the name and contact information of the contractor."],"RelatedRegulations": ["Personal Information Protection Act, Article 25 (Restrictions on the Installation and Operation of Fixed Video Information Processing Devices), Article 25-2 (Restrictions on the Operation of Mobile Video Information Processing Devices)"]}],"description": "When installing and operating fixed video information processing devices in public places or operating mobile video information processing devices in public places for business purposes, legal requirements must be followed according to the purpose and location of the installation, and appropriate protection measures must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.7": {"name": "Collection and Use of Personal Information for Marketing Purposes","checks": {},"status": "PASS","attributes": [{"Domain": "3. 
Requirements for Each Stage of Personal Information Processing","Section": "3.1.7 Collection and Use of Personal Information for Marketing Purposes","Subdomain": "3.1. Protection Measures When Collecting Personal Information","AuditEvidence": ["Online personal information collection forms (e.g., website membership sign-up, mobile app sign-up, event participation)","Offline personal information collection forms (e.g., membership application forms)","Marketing consent records","Records of consent for receiving advertising information and confirmation of consent","Administrator screen for advertising information transmission systems (e.g., email, SMS, app push notifications)","Advertising information transmission content","Personal information processing policy"],"AuditChecklist": ["When obtaining consent from data subjects to process personal information for the purpose of promoting or recommending goods or services, is the data subject clearly informed, and is separate consent obtained?","When sending advertising information for profit using electronic transmission media, is the recipient's explicit prior consent obtained, and is the consent reconfirmed every two years?","When a recipient indicates refusal or withdraws prior consent for receiving advertising information for profit, is the transmission of such advertising information stopped?","When sending advertising information for profit, is the sender's name, method for opting out, etc., clearly stated, and are such messages not sent during nighttime hours?"],"NonComplianceCases": ["Case 1: When collecting personal information for 'promotion and marketing' purposes, the purpose is vaguely explained (e.g., 'providing additional services', 'providing partner services') or blanket consent is obtained without distinguishing between different purposes.","Case 2: Even after a user has expressed refusal to receive advertising push notifications via a mobile app, such notifications are sent due to a program 
error.","Case 3: The option to receive advertising information via text messages or email is pre-selected by default on the online sign-up page.","Case 4: The recipient's consent for receiving advertising information is not reconfirmed every two years.","Case 5: When sending advertising information for profit via email, the subject line does not begin with '(Advertisement)'."],"RelatedRegulations": ["Personal Information Protection Act, Article 22 (Method of Obtaining Consent)","Information and Communications Network Act, Article 50 (Restrictions on Transmission of Advertising Information)"]}],"description": "When collecting and using personal information for marketing purposes, such as promoting goods or services, sales recommendations, or sending advertising information, the purpose must be clearly communicated to the data subject, and their consent must be obtained.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.1": {"name": "Management of Personal Information Status","checks": {"macie_is_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL"},"status": "FAIL","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.2.1 Management of Personal Information Status","Subdomain": "3.2. 
Protection Measures When Retaining and Using Personal Information","AuditEvidence": ["Personal information status table","Personal information flowchart","Registration status of personal information files","Personal information file management ledger","Personal information processing policy-related personal information files","Personal information files related to investigations under the Punishment of Tax Offenses Act and the Customs Act","Personal information files for one-time operations deemed to have a low need for continuous management as determined by Presidential Decree","Personal information files for simple tasks such as attending meetings, sending documents or materials, and financial settlements, which have a low need for continuous management","Personal information files processed temporarily for public health or public safety emergencies","Other personal information files collected for one-time tasks that are not stored or recorded","Personal information files classified as confidential under other laws","Personal information files collected or requested for analysis related to national security","Personal video information files processed via video information processing devices","Personal information files retained by financial institutions for handling financial transactions under the Real Name Financial Transactions and Guarantee of Secrecy Act"],"AuditChecklist": ["Is the status of collected and retained personal information, including the items, volume, purpose and method of processing, and retention period, regularly managed?","When a public institution operates or modifies personal information files, are the relevant matters registered with the head of the relevant agency as required by law?","Does the public institution disclose the status of personal information files in the personal information processing policy?"],"NonComplianceCases": ["Case 1: Although personal information files are managed through the website's personal information file 
registration menu, some personal information files related to website services are missing from the personal information processing policy.","Case 2: Although two months have passed since a new personal information file was created, it has not been registered with the Personal Information Protection Commission.","Case 3: The content of personal information files registered and disclosed with the Personal Information Protection Commission (e.g., items of personal information collected) does not match the actual status of personal information files being processed.","Case 4: A public institution has not registered personal information files with the Personal Information Protection Commission, even though the files do not qualify for exceptions such as employee personal information files or personal information files collected under the Statistics Act."],"RelatedRegulations": ["Personal Information Protection Act, Article 32 (Registration and Disclosure of Personal Information Files)"]}],"description": "The items, volume, purpose and method of processing, and retention period of collected and retained personal information must be regularly managed. In the case of public institutions, such information must be registered with the head of the relevant agency as stipulated by law.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"3.2.2": {"name": "Personal Information Quality Assurance","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.2.2 Personal Information Quality Assurance","Subdomain": "3.2. 
Protection Measures for Retention and Use of Personal Information","AuditEvidence": ["Form for data subjects to modify/update their personal information (online, offline)","Procedures to maintain the up-to-date status of personal information"],"AuditChecklist": ["Are procedures and methods in place to maintain personal information in an accurate and up-to-date state?","Is there a method provided for data subjects to ensure the accuracy, completeness, and up-to-dateness of their personal information?"],"NonComplianceCases": ["Case 1: Although an identity verification process is implemented when changing member information through the website, the identity verification process is insufficient when changing member information via customer service, making unauthorized changes possible.","Case 2: While an online method is provided for online members to change their personal information, no such method is provided for offline members."],"RelatedRegulations": ["Personal Information Protection Act, Article 3 (Principles of Personal Information Protection)"]}],"description": "Collected personal information must be managed to ensure its accuracy, completeness, and up-to-dateness within the scope necessary for the processing purpose, and procedures must be provided to data subjects to manage their information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.3": {"name": "Protection of User Device Access","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.2.3 Protection of User Device Access","Subdomain": "3.2. 
Protection Measures for Retention and Use of Personal Information","AuditEvidence": ["App access rights consent screen","App access rights settings"],"AuditChecklist": ["When accessing information stored on the user's mobile device or functions installed on the device, are users clearly informed and their consent obtained?","Is it ensured that services are not denied if users do not consent to access rights that are not essential for the service?","Are methods provided for users to consent to or withdraw access rights on their mobile devices?"],"NonComplianceCases": ["Case 1: A smartphone app requests excessive access to personal information areas such as contacts, photos, and messages, even though such access is unnecessary for the service.","Case 2: A service provider's smartphone app accesses information stored on the smartphone and installed functions without notifying the user and obtaining their consent.","Case 3: Consent is obtained for app access rights by informing users that optional permissions are required as essential permissions.","Case 4: A smartphone app supports Android versions below 6.0, where individual consent for access rights is not possible, making it impossible for users to reject optional access rights."],"RelatedRegulations": ["Information and Communications Network Act, Article 22-2 (Consent for Access Rights)"]}],"description": "When accessing information stored on the user's mobile device or functions installed on the mobile device, it is necessary to notify the user clearly and obtain their consent.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.4": {"name": "Use and Provision of Personal Information Beyond Purpose","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.2.4 Use and Provision of Personal Information Beyond Purpose","Subdomain": "3.2. 
Protection Measures for Retention and Use of Personal Information","AuditEvidence": ["Records of personal information use and provision beyond the original purpose (including related evidence such as requests)","Log of personal information use and provision beyond the original purpose (for public institutions)","Records of publication in the official gazette or on the website (for public institutions)","Guidelines for handling information provision requests","Official documents requesting information provision and records of personal information provision"],"AuditChecklist": ["Is personal information used or provided only within the scope of the purpose consented to by the data subject at the time of collection or as permitted by law?","When receiving personal information from a personal information processor, is the information used or provided only within the scope of the purpose for which it was provided?","If personal information is used or provided beyond the scope of the purpose of collection or the purpose for which it was received from a personal information processor, is additional consent obtained from the data subject or limited to cases with a legal basis?","When providing personal information to a third party for purposes beyond the original purpose, is the recipient required to take necessary actions to restrict the use of personal information and ensure safety?","When public institutions use or provide personal information beyond the original purpose, are the legal basis, purpose, and scope published in the official gazette or on the internet?","When public institutions use or provide personal information beyond the original purpose, is there a record of such use or provision and are procedures in place for managing it?"],"NonComplianceCases": ["Case 1: Personal information collected for product delivery is used for telemarketing of other company products without prior consent.","Case 2: Personal information collected for customer satisfaction 
surveys or sweepstakes entries is used for advertising other promotional events without consent.","Case 3: A public institution provides personal information to another institution for purposes outside the scope of the original purpose based on legal grounds but does not publish the information in the official gazette or on the internet.","Case 4: A public institution provides personal information to a police department for criminal investigation purposes but fails to record the details in the log of personal information use and provision beyond the original purpose."],"RelatedRegulations": ["Personal Information Protection Act, Article 18 (Restriction on the Use and Provision of Personal Information Beyond the Original Purpose), Article 19 (Restriction on Use and Provision by Recipients of Personal Information)"]}],"description": "Personal information must only be used or provided within the scope notified and consented to by the data subject at the time of collection or as permitted by law. If personal information is to be used or provided beyond this scope, additional consent must be obtained from the data subject or the legality must be verified, and appropriate protective measures must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.5": {"name": "Processing of Pseudonymized Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.2.5 Processing of Pseudonymized Information","Subdomain": "3.2. 
Protection Measures for Retention and Use of Personal Information","AuditEvidence": ["Procedures and results of the adequacy review of pseudonymization/anonymization","Records of pseudonymized information processing","Privacy policy (regarding the use and provision of pseudonymized information)"],"AuditChecklist": ["When processing pseudonymized information, are procedures established for purpose limitation, pseudonymization methods and standards, adequacy review, prohibition of re-identification, and actions in case of re-identification?","When using or providing pseudonymized personal information, is the information pseudonymized to a level where individuals cannot be identified without using or combining additional information?","When combining pseudonymized information with that of other personal information processors, is the combination conducted through a specialized agency or data professional organization?","When processing pseudonymized information, are technical, administrative, and physical measures taken to ensure safety, such as deleting or separately storing additional information and keeping records?","Is the processing period for pseudonymized information set to an appropriate period considering the processing purpose, and is the information destroyed without delay when that period expires?","When anonymizing personal information, is the information anonymized to a level where individuals cannot be identified even with the use of additional information, considering the time, cost, and technology available?"],"NonComplianceCases": ["Case 1: When processing pseudonymized information for statistical purposes or scientific research without obtaining consent from data subjects, records of the pseudonymization process were not kept, or the privacy policy was not updated to include relevant information.","Case 2: Additional information was not stored separately from pseudonymized information in the same database, or access rights to both sets of 
information were not appropriately segregated.","Case 3: Although pseudonymized personal information was used, the pseudonymization process was not sufficient, making it possible to identify individuals by combining the information with other data without using additional information.","Case 4: Personal information was anonymized for generating test data or for public release, but due to outliers or other factors, it was still possible to identify individuals, indicating that the anonymization process was not sufficient."],"RelatedRegulations": ["Personal Information Protection Act, Article 2 (Definitions), Article 28-2 (Processing of Pseudonymized Information), Article 28-3 (Restrictions on Combining Pseudonymized Information), Article 28-4 (Obligations for the Safe Processing of Pseudonymized Information), Article 28-5 (Prohibition of Re-identification in Processing Pseudonymized Information), Article 28-7 (Scope of Application), Article 58-2 (Exemptions)"]}],"description": "When processing pseudonymized information, legal requirements such as purpose limitation, combination restrictions, safety measures, and prohibition obligations must be met, and procedures must be established and implemented to ensure an appropriate level of pseudonymization.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.1": {"name": "Provision of Personal Information to Third Parties","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.3.1 Provision of Personal Information to Third Parties","Subdomain": "3.3. 
Protective Measures When Providing Personal Information","AuditEvidence": ["Forms related to the provision of personal information to third parties online (e.g., membership registration page, consent for third-party provision on websites)","Forms related to the provision of personal information to third parties offline (e.g., membership application forms, consent forms for third-party provision)","Records of third-party provisions","Privacy policy"],"AuditChecklist": ["When providing personal information to third parties, are legal requirements such as consent from the data subject or compliance with legal obligations clearly identified and followed?","When obtaining consent from the data subject for the provision of personal information to third parties, are the related matters clearly communicated, and is consent legally obtained by distinguishing it from other consents?","When obtaining consent from the data subject for the provision of personal information to third parties, are important matters clearly indicated and made easily understandable as required by law?","When providing personal information to third parties, is the information limited to the minimum necessary for the intended purpose?","When providing personal information to third parties, is it done through secure procedures and methods, and is the provision recorded and stored?","When allowing third parties to access personal information, is control implemented in accordance with protection procedures to securely protect the personal information?","When providing additional personal information without the data subject's consent, are criteria for determining the relevance to the original purpose of collection, predictability, potential harm, and safety measures established and followed? 
If such provisions continue, are these criteria disclosed in the privacy policy and periodically reviewed?"],"NonComplianceCases": ["Case 1: When obtaining consent from the data subject for the provision of personal information to third parties, some necessary information (e.g., the right to refuse consent, the items provided) was omitted.","Case 2: In the process of providing personal information to third parties, personal information from data subjects who did not consent was provided due to improper verification of consent.","Case 3: When obtaining consent for the provision of personal information, the recipient was not specifically identified and was vaguely referred to as ʻ~ etc.ʼ in the consent.","Case 4: Although third-party provision consent was optional during the membership registration process, if the data subject did not agree to third-party provision, the registration process could not be completed.","Case 5: An excessive amount of personal information was provided beyond what was necessary for the recipient's purpose of use."],"RelatedRegulations": ["Personal Information Protection Act, Article 17 (Provision of Personal Information), Article 22 (Methods of Obtaining Consent)","Notification on the Methods of Processing Personal Information"]}],"description": "When providing personal information to third parties, there must be a legal basis or consent from the data subject, and protection measures must be established and implemented to securely protect personal information during the process of providing access to third parties.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.2": {"name": "Outsourcing of Personal Information Processing","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.3.2 Outsourcing of Personal Information Processing","Subdomain": "3.3. 
Protective Measures When Providing Personal Information","AuditEvidence": ["Privacy policy (disclosing details related to the outsourcing of personal information processing)","Personal information collection forms","Contracts for outsourcing personal information processing","Records of notifications to data subjects regarding outsourced tasks related to promoting or selling goods or services"],"AuditChecklist": ["When outsourcing personal information processing tasks (including sub-outsourcing) to third parties, are the details of the outsourced tasks and the trustees regularly updated and disclosed on the website?","When outsourcing tasks related to promoting or selling goods or services, is the data subject notified of the details of the outsourced tasks and the trustees through methods such as written notice, email, or text messages?"],"NonComplianceCases": ["Case 1: Although the details of the outsourcing of personal information processing tasks were disclosed on the website's privacy policy, some trustees and the details of the outsourced tasks were missing.","Case 2: When outsourcing tasks related to promoting or selling goods or services, the details of the outsourced tasks and trustees were not notified to the data subject through written methods, and instead, the information was disclosed only in the privacy policy.","Case 3: After terminating a contract with an existing trustee for personal information processing, the new trustee was not promptly reflected in the privacy policy.","Case 4: Although the trustee sub-outsourced the personal information processing tasks to a third party, the sub-outsourcing details were not disclosed on the website."],"RelatedRegulations": ["Personal Information Protection Act, Article 26 (Restrictions on the Processing of Personal Information by Outsourcing)"]}],"description": "When outsourcing personal information processing tasks to third parties, the details of the outsourced tasks and the trustee must be disclosed. 
Additionally, if the task involves promoting or selling goods or services, the details of the outsourced task and the trustee must be notified to the data subject.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.3": {"name": "Transfer of Personal Information Due to Business Transfers","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.3.3 Transfer of Personal Information Due to Business Transfers","Subdomain": "3.3. Protective Measures When Providing Personal Information","AuditEvidence": ["Records of notifications to data subjects regarding the transfer of personal information (during business transfers)","Privacy policy"],"AuditChecklist": ["When transferring personal information to another party due to the transfer or merger of all or part of the business, are the necessary matters communicated to the data subjects in advance?","When receiving personal information, does the recipient notify the data subjects without delay regarding the fact that personal information has been received and other necessary matters, if legally required?","Does the recipient of the personal information use the information only for its original purpose at the time of transfer, or provide it to third parties in compliance with the original purpose?"],"NonComplianceCases": ["Case 1: When receiving personal information through business acquisition, the data subjects were not notified of the transfer of personal information, even though the data provider failed to notify them of the transfer.","Case 2: When receiving personal information through business acquisition or merger, no procedures or methods were provided to allow data subjects to opt-out of the transfer, nor were such options communicated to the data subjects."],"RelatedRegulations": ["Personal Information Protection Act, Article 27 (Restrictions on the Transfer of Personal Information Due to Business 
Transfers)"]}],"description": "When transferring or receiving personal information due to business transfers or mergers, appropriate protection measures such as notifying the data subjects must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.4": {"name": "Transfer of Personal Information Abroad","checks": {"s3_bucket_cross_region_replication": "FAIL"},"status": "FAIL","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.3.4 Transfer of Personal Information Abroad","Subdomain": "3.3. Protection Measures When Providing Personal Information","AuditEvidence": ["Consent form for personal information transfer abroad","Contract related to personal information transfer abroad","Privacy policy","Notification or disclosure records regarding outsourcing or storage of personal information abroad"],"AuditChecklist": ["When transferring personal information abroad, has the data subject been fully informed of all notification requirements and obtained separate consent, or complied with certification or recognition, as required by law?","When informing the data subject about the outsourcing or storage of personal information abroad for the purpose of contract execution, are all necessary details included and communicated appropriately?","Has a contract for the transfer of personal information abroad been established, including compliance with personal information protection laws?","Are necessary measures being taken to protect personal information when transferring it abroad?"],"NonComplianceCases": ["Case 1: Personal information was provided to a foreign company during processing, but separate consent for the transfer of personal information abroad was not obtained, even though the conditions for consent exemption (such as certification or recognition by the recipient country) were not met.","Case 2: While using foreign cloud services (foreign regions) for outsourcing and 
storing personal information, the relevant details, such as the destination country and transfer method, were not disclosed in the privacy policy or communicated to the data subject.","Case 3: While obtaining consent for the transfer of personal information abroad, only the name of the recipient (company name) was disclosed, and the destination country was not properly notified."],"RelatedRegulations": ["Personal Information Protection Act, Articles 28-8 (Transfer of Personal Information Abroad), 28-9 (Order to Suspend Transfer of Personal Information Abroad), 28-10 (Reciprocity), 28-11 (Applicable Provisions)","Regulations on the Operation of Personal Information Transfer Abroad"]}],"description": "When transferring personal information abroad, appropriate protective measures such as obtaining consent and disclosing relevant details about the transfer must be established and implemented.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.4.1": {"name": "Destruction of Personal Information","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.4.1 Destruction of Personal Information","Subdomain": "3.4. 
Protection Measures When Destroying Personal Information","AuditEvidence": ["Regulations regarding the retention period and destruction of personal information","Destruction results (e.g., from member databases)","Personal information destruction management records"],"AuditChecklist": ["Has an internal policy been established regarding the retention period and destruction of personal information?","Is personal information being destroyed without delay when the processing purpose is achieved or the retention period has expired?","Is personal information destroyed using safe methods that prevent recovery or reconstruction?","Are records kept of the destruction of personal information and managed properly?"],"NonComplianceCases": ["Case 1: When a member withdraws or the purpose of retention is achieved, personal information was destroyed from the member database, but not from associated systems (CRM, DW) where duplicate personal information was stored.","Case 2: Personal information collected during a specific event was not destroyed or no destruction policy was established, even after the event ended.","Case 3: Personal information collected through a call center (such as call logs, recordings) is retained for three years under the Electronic Commerce Act, but the information was not destroyed even after three years had passed.","Case 4: Due to technical limitations, such as using blockchain, it was not possible to completely destroy personal information, so it was anonymized instead. However, the anonymization process was not done properly, allowing partial re-identification of personal information."],"RelatedRegulations": ["Personal Information Protection Act, Article 21 (Destruction of Personal Information)","Standards for Ensuring the Safety of Personal Information, Article 13 (Destruction of Personal Information)"]}],"description": "The organization must establish an internal policy regarding retention periods and destruction of personal information. 
When the retention period has expired or the purpose of processing has been achieved, personal information must be destroyed without delay using methods that ensure safety and completeness.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.4.2": {"name": "Measures When Retaining Personal Information After Purpose Is Achieved","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.4.2 Measures When Retaining Personal Information After Purpose Is Achieved","Subdomain": "3.4. Protection Measures When Destroying Personal Information","AuditEvidence": ["Regulations regarding the retention period and destruction of personal information","Current status of separated databases (table structure, etc.)","Access permissions for separated databases"],"AuditChecklist": ["When personal information is retained beyond the retention period or after the processing purpose has been achieved, in accordance with relevant laws, is it limited to the minimum necessary period and only the minimum necessary information?","When personal information is retained beyond the retention period or after the processing purpose has been achieved, is it stored separately from other personal information?","Is personal information that is stored separately processed only within the scope allowed by law?","Is access to separately stored personal information limited to the minimum number of personnel?"],"NonComplianceCases": ["Case 1: Information from withdrawn members was not destroyed but kept for a certain period under the Electronic Commerce Act, with only the flag value changed, and stored in the same table as other member information.","Case 2: Records related to consumer complaints and disputes were kept for five years instead of the required three years, due to misinterpretation of legal requirements.","Case 3: Although a separate database was set up, access permissions were not appropriately 
configured, allowing personnel who did not require access to view the separated database.","Case 4: Information from withdrawn members was stored separately in accordance with the Electronic Commerce Act, but excessive optional information was also stored, even though there was no legal obligation to do so."],"RelatedRegulations": ["Personal Information Protection Act, Article 21 (Destruction of Personal Information)"]}],"description": "If personal information is retained beyond the retention period or after the purpose of processing has been achieved, as permitted by relevant laws, it must be limited to the minimum necessary items and stored separately from other personal information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.1": {"name": "Disclosure of Privacy Policy","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.5.1 Disclosure of Privacy Policy","Subdomain": "3.5. Protection of Data Subject's Rights","AuditEvidence": ["Privacy policy","Records of privacy policy amendments (e.g., board notices)"],"AuditChecklist": ["Is the privacy policy written in clear and easy-to-understand language, covering all the contents required by law?","Is the privacy policy continuously updated and made easily accessible to data subjects via the internet or other means?","When the privacy policy is updated, are the reasons for the changes and the contents of the changes promptly notified, and can the data subjects easily recognize the changes at any time?"],"NonComplianceCases": ["Case 1: The privacy policy discloses information about the collection and provision of personal information, but the actual details differ from what is being collected and provided.","Case 2: Changes such as the replacement of the privacy officer or changes in subcontractors have occurred, but these changes have not been reflected in the privacy policy.","Case 3: The privacy policy is 
disclosed, but it is labeled 'Privacy Protection Policy' instead of 'Privacy Policy,' and its visibility is not enhanced with larger font sizes or color to make it easy for data subjects to find.","Case 4: Several amendments have been made to the privacy policy, but older versions of the policy are not made available for review.","Case 5: Although personal information is retained in compliance with laws such as the Electronic Commerce Act and the Commercial Act, the legal grounds for retention and the retained personal information items are not disclosed in the privacy policy."],"RelatedRegulations": ["Personal Information Protection Act, Article 30 (Establishment and Disclosure of Privacy Policy), Article 30-2 (Evaluation and Improvement Recommendations for Privacy Policy)"]}],"description": "A privacy policy must be established to include all necessary information, such as the purpose of personal information processing, in a way that is easy for data subjects to understand. The policy must be disclosed through appropriate methods so that data subjects can easily access it at any time, and it must be continuously updated.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.2": {"name": "Guaranteeing Data Subject's Rights","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.5.2 Guaranteeing Data Subject's Rights","Subdomain": "3.5. 
Protection of Data Subject's Rights","AuditEvidence": ["Privacy policy","Procedures and forms for handling Requests for Access, etc.","Records of actions taken in response to Requests for Access, etc.","Procedures for member withdrawal and consent withdrawal"],"AuditChecklist": ["Are procedures in place to ensure that data subjects or their representatives can exercise their rights (hereinafter referred to as 'Requests for Access, etc.') to access, rectify, delete, or suspend the processing of their personal information in a way that is not more difficult than the process used for collecting it?","When data subjects or their representatives submit Requests for Access, etc., are the necessary measures taken within the required time frame?","When data subjects withdraw their consent to the collection, use, or provision of their personal information, are the collected personal information and associated data promptly deleted or otherwise handled appropriately?","Are appropriate procedures in place to allow data subjects to object to the actions taken regarding their Requests for Access, etc., and are they informed of these procedures?","Are records kept of data subjects' Requests for Access, etc., and the resulting actions?","When the rights of others, such as privacy or honor, are violated on information networks, does the organization have procedures for the affected individuals to request the deletion of the information from service providers, and are these procedures being implemented?"],"NonComplianceCases": ["Case 1: The method for requesting access, rectification, deletion, or suspension of personal information is not disclosed in a way that data subjects can easily find.","Case 2: There has been no response to access requests for personal information within 10 days, without any valid reason.","Case 3: Records of actions taken in response to personal information access requests are not maintained.","Case 4: Access notifications are being sent without verifying 
whether the requester is the data subject or their legitimate representative.","Case 5: There has been a failure to respond to rectification or deletion requests within 10 days.","Case 6: It was easy to sign up online as a member, but to withdraw membership, additional documents such as ID must be submitted, or in-person visits are required."],"RelatedRegulations": ["Personal Information Protection Act, Article 34-2 (Deletion or Blocking of Exposed Personal Information), Article 35 (Access to Personal Information), Article 35-2 (Right to Data Portability), Article 36 (Rectification or Deletion of Personal Information), Article 37 (Suspension of Processing, etc.), Article 37-2 (Right of Data Subjects to Contest Automated Decisions), Article 38 (Methods and Procedures for Exercising Rights)","Information and Communications Network Act, Article 44 (Protection of Rights in Information Networks), Article 44-2 (Request for Deletion of Information, etc.), Article 44-3 (Temporary Measures)"]}],"description": "Procedures must be established and implemented to ensure that data subjects can easily exercise their rights, such as requesting access, rectification, deletion, suspension of processing, objection, or withdrawal of consent, through simpler processes than those used for collecting their information. When a request is received, it must be processed without delay, and records must be kept. Measures such as deletion requests and temporary actions must be taken to prevent the distribution of information that infringes on the rights of others, such as invasion of privacy or defamation.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.3": {"name": "Notification to Data Subjects","checks": {},"status": "PASS","attributes": [{"Domain": "3. Requirements for Each Stage of Personal Information Processing","Section": "3.5.3 Notification to Data Subjects","Subdomain": "3.5. 
Protection of Data Subject's Rights","AuditEvidence": ["Records of notifications regarding the use and provision of personal information","Forms and wording used for notifications regarding the use and provision of personal information"],"AuditChecklist": ["If the organization is legally obligated to do so, does it periodically notify data subjects of the use and provision of their personal information, or provide them with access to an information system where they can review such details?","Do the notification items regarding the use and provision of personal information include all legally required elements?"],"NonComplianceCases": ["Case 1: Although the organization is required to notify data subjects of the use and provision of their personal information, no notifications have been sent during the year despite being obligated due to handling personal information of more than 1 million people on a daily average for the past three months at the end of the previous year.","Case 2: Instead of directly notifying individual data subjects, notifications about the use and provision of personal information were made through simple pop-ups or general announcements on the website."],"RelatedRegulations": ["Personal Information Protection Act, Article 20-2 (Notification of Use and Provision of Personal Information)"]}],"description": "The organization must identify matters that must be notified to data subjects, such as the use and provision of personal information, and periodically inform the data subjects of these matters.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.1": {"name": "Security System Operation","checks": {"kms_cmk_are_used": null,"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","elbv2_waf_acl_attached": "FAIL","kms_cmk_rotation_enabled": null,"ec2_securitygroup_not_used": "FAIL","guardduty_centrally_managed": 
"FAIL","wafv2_webacl_logging_enabled": "FAIL","ssm_managed_compliant_patching": "FAIL","kms_key_not_publicly_accessible": null,"ssmincidents_enabled_with_plans": null,"inspector2_active_findings_exist": "FAIL","cloudfront_distributions_using_waf": null,"cognito_user_pool_waf_acl_attached": null,"trustedadvisor_errors_and_warnings": null,"apigateway_restapi_waf_acl_attached": "FAIL","config_recorder_all_regions_enabled": null,"guardduty_no_high_severity_findings": "FAIL","ec2_securitygroup_from_launch_wizard": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","organizations_delegated_administrators": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","secretsmanager_automatic_rotation_enabled": "FAIL","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_instance_port_ldap_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","cloudwatch_log_metric_filter_sign_in_without_mfa": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","shield_advanced_protection_in_global_accelerators": null,"ec2_instance_internet_facing_with_instance_profile": 
"FAIL","shield_advanced_protection_in_route53_hosted_zones": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_authentication_failures": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","shield_advanced_protection_in_internet_facing_load_balancers": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 
Security Control Requirements","Section": "2.10.1 Security System Operation","Subdomain": "2.10. System and Service Security Management","AuditEvidence": ["Security system configuration","Network configuration","Security system operational procedures","Firewall policies","Firewall policy setup/modification request forms","Exception list for the security system","Management screens for each security system (firewall, IPS, server access control, DLP, DRM, etc.)","Security system policy review history"],"AuditChecklist": ["Has the organization established and implemented operational procedures for the security systems in use?","Is access to the security system administrators limited to a minimum, and is unauthorized access strictly controlled?","Has the organization established and implemented formal procedures for registering, modifying, and deleting policies for each security system?","Are exception policies for the security system managed according to procedures, and are users of exception policies managed with the minimum privileges?","Is the validity of the policies set on the security system periodically reviewed?","Has the organization installed and operated security systems that perform functions specified by law to prevent illegal access and data leakage in personal information processing systems?"],"NonComplianceCases": ["Case 1: Regular reviews of the security policies for the intrusion prevention system were not conducted, resulting in unnecessary or excessively permissive policies.","Case 2: There are no procedures or criteria for applying, modifying, or deleting security policies, or such procedures exist but are not followed.","Case 3: The assignment and supervision of administrators for the security system were not properly implemented.","Case 4: Although internal guidelines stipulate that the information security officer must record and maintain the history of security policy changes for the security system, the policy management ledger was not 
periodically maintained, or the policies recorded in the ledger did not match those actually applied in the operating system."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "For each type of security system, an administrator must be designated, and operational procedures such as updating to the latest policies, modifying rule sets, and monitoring events must be established and implemented. The status of policy application for each security system must be managed.","checks_status": {"fail": 16,"pass": 39,"total": 75,"manual": 0}},"2.10.2": {"name": "Cloud Security","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protective Measure Requirements","Section": "2.10.2 Cloud Security","Subdomain": "2.10. System and Service Security Management","AuditEvidence": ["Cloud service-related contracts and SLA","Cloud service risk analysis results","Cloud service security control policies","Cloud service administrator privilege assignment status","Cloud service architecture diagram","Cloud service security setting status","Cloud service security setting appropriateness review history"],"AuditChecklist": ["Is the responsibility and role for information protection and personal information protection clearly defined with the cloud service provider, and is it reflected in contracts (such as SLA)?","Are security risks based on the service type evaluated when using cloud services, and are security control policies established and implemented, including security configurations and setting standards, security setting changes and approval procedures, secure connection methods, and authority systems to prevent unauthorized access and configuration errors?","Are administrator privileges for cloud services granted minimally according to roles, and are enhanced protection measures such as strengthened 
authentication, encryption, access control, and audit logs applied to prevent unauthorized access and abuse of privileges?","Is the monitoring of cloud service security setting changes and operation status conducted, and is the appropriateness of these settings reviewed regularly?"],"NonComplianceCases": ["Case 1: The cloud service contract does not include responsibilities and roles related to security.","Case 2: Employees without a business need have been excessively granted permissions to change the security settings of the cloud service.","Case 3: Internal guidelines require security officer approval when changing access control rules in the private network of the cloud, but many access control rules were registered or changed without following the approval procedure.","Case 4: Due to security setting errors in the cloud service, internal log files were exposed to the internet."],"RelatedRegulations": []}],"description": "When using cloud services, protection measures must be established and implemented for administrator access and security settings to prevent unauthorized access and configuration errors that could lead to the leakage or exposure of critical information and personal data, depending on the service type (SaaS, PaaS, IaaS, etc.).","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.3": {"name": "Public Server Security","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","ssm_document_secrets": "PASS","elbv2_waf_acl_attached": "FAIL","elb_insecure_ssl_ciphers": "PASS","apigateway_restapi_public": "FAIL","lightsail_database_public": null,"lightsail_instance_public": null,"elbv2_insecure_ssl_ciphers": "PASS","lightsail_static_ip_unused": null,"networkfirewall_in_all_vpc": "FAIL","ec2_instance_imdsv2_enabled": "PASS","elbv2_desync_mitigation_mode": "FAIL","awslambda_function_inside_vpc": "FAIL","awslambda_function_url_public": null,"ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": 
"PASS","ssm_managed_compliant_patching": "FAIL","inspector2_active_findings_exist": "FAIL","acm_certificates_expiration_check": "PASS","awslambda_function_url_cors_policy": null,"cloudfront_distributions_using_waf": null,"vpc_subnet_separate_private_public": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","apigatewayv2_api_authorizers_enabled": "FAIL","awslambda_function_no_secrets_in_code": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","apigateway_restapi_authorizers_enabled": "PASS","cloudfront_distributions_https_enabled": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","apigateway_restapi_public_with_authorizer": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","awslambda_function_no_secrets_in_variables": "PASS","awslambda_function_not_publicly_accessible": "PASS","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","route53_domains_privacy_protection_enabled": null,"ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","apigateway_restapi_client_certificate_enabled": "FAIL","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","kafka_cluster_mutual_tls_authentication_enabled": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": 
"PASS","autoscaling_find_secrets_ec2_launch_configuration": "PASS","ec2_instance_internet_facing_with_instance_profile": "FAIL","cloudfront_distributions_using_deprecated_ssl_protocols": null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. Protective Measure Requirements","Section": "2.10.3 Public Server Security","Subdomain": "2.10. 
System and Service Security Management","AuditEvidence": ["Network diagram","Website information disclosure procedures and history (e.g., requests, approvals, posting history)","Inspection history of personal and sensitive information exposure"],"AuditChecklist": ["Are protective measures established and implemented for the operation of public servers?","Are public servers installed in a DMZ separated from internal networks and protected by security systems such as firewalls?","When posting or storing personal or sensitive information on public servers, are approval and posting procedures, including obtaining approval from the responsible person, established and followed?","Does the organization regularly check whether sensitive information is being exposed through websites and web servers, and if exposure is detected, are measures taken immediately to block it?"],"NonComplianceCases": ["Case 1: Due to vulnerabilities in publicly exposed websites, unauthorized individuals were able to access others' personal information through Google search.","Case 2: Although internal regulations require approval procedures before posting personal information on websites, there were multiple cases where personal information was posted without following these procedures.","Case 3: In web applications such as bulletin boards, it was possible to arbitrarily modify or delete posts made by others, or view password-protected posts."],"RelatedRegulations": []}],"description": "For servers exposed to external networks, protective measures must be established and implemented, including separating them from internal networks, conducting vulnerability assessments, access control, authentication, and establishing procedures for information collection, storage, and disclosure.","checks_status": {"fail": 19,"pass": 47,"total": 76,"manual": 0}},"2.10.4": {"name": "Security for Electronic Transactions and FinTech","checks": {},"status": "PASS","attributes": [{"Domain": "2. 
Protection Measure Requirements","Section": "2.10.4 Security for Electronic Transactions and FinTech","Subdomain": "2.10. System and Service Security Management","AuditEvidence": ["Protection measures for electronic transaction and FinTech services","Security review results for payment system integration"],"AuditChecklist": ["Are protection measures established and implemented to ensure the safety and reliability of transactions when providing electronic transaction and FinTech services?","Are protection measures established and implemented to protect transmitted information when integrating with external systems, such as payment systems, and is the security of the integration checked?"],"NonComplianceCases": ["Case 1: While a contract was made with a payment service provider and integration was established, all payment-related information was transmitted in plain text through a specific URL without appropriate authentication or access restrictions.","Case 2: Although the external payment system was connected via a dedicated network, internal business systems were not properly controlled by firewalls or other security measures.","Case 3: Although internal guidelines required a security review by the information protection team before integrating external FinTech services, the review was skipped due to scheduling reasons when integrating a new FinTech service."],"RelatedRegulations": []}],"description": "When providing electronic transaction and FinTech services, protection measures such as authentication and encryption must be established to prevent data leakage, data tampering, or fraud. 
The security of external systems, such as payment systems, must be checked when integrated.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.5": {"name": "Secure Information Transmission","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","elb_insecure_ssl_ciphers": "PASS","elbv2_insecure_ssl_ciphers": "PASS","rds_instance_transport_encrypted": "FAIL","s3_bucket_secure_transport_policy": "FAIL","glue_database_connections_ssl_enabled": null,"cloudfront_distributions_https_enabled": null,"sns_subscription_not_using_http_endpoints": "PASS","kafka_cluster_in_transit_encryption_enabled": null,"apigateway_restapi_client_certificate_enabled": "FAIL","kafka_cluster_mutual_tls_authentication_enabled": null,"directoryservice_radius_server_security_protocol": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"elasticache_redis_cluster_in_transit_encryption_enabled": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.10.5 Secure Information Transmission","Subdomain": "2.10. 
System and Service Security Management","AuditEvidence": ["Information transmission agreement or contract","Technical standards for information transmission","System diagrams and interface definitions related to information transmission"],"AuditChecklist": ["Has a secure transmission policy been established when transmitting personal and critical information to external organizations?","When exchanging personal and critical information between organizations for business purposes, are agreements and protection measures for secure transmission established and implemented?"],"NonComplianceCases": ["Case 1: Although a dedicated network or VPN is applied when integrating with external organizations, there is inadequate management of the timing, method, responsible person, transmitted information, and legal basis for each integration.","Case 2: There is a lack of implementation of security reviews, security standards, and action plans for using weak encryption algorithms (e.g., DES, 3DES) or decrypting during intermediate transmission stages."],"RelatedRegulations": []}],"description": "When transmitting personal or critical information to other organizations, a secure transmission policy must be established, and agreements must be made between organizations regarding management responsibilities, transmission methods, and technical protection measures for personal and critical information.","checks_status": {"fail": 5,"pass": 3,"total": 17,"manual": 0}},"2.10.6": {"name": "Security for Business Devices","checks": {"workspaces_volume_encryption_enabled": null,"appstream_fleet_maximum_session_duration": null,"appstream_fleet_session_disconnect_timeout": null,"workspaces_vpc_2private_1public_subnets_nat": null,"appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null},"status": "PASS","attributes": [{"Domain": "2. Protection Measure Requirements","Section": "2.10.6 Security for Business Devices","Subdomain": "2.10. 
System and Service Security Management","AuditEvidence": ["Security control guidelines and procedures for business devices","Registration status of business devices","Security settings for business devices","Authentication and approval history for business devices","Security check status for business devices"],"AuditChecklist": ["Are security control policies, such as device authentication, approval, access scope, and security settings, established and implemented for devices used for business purposes, such as PCs, laptops, virtual PCs, and tablets?","Are policies established and implemented to prevent the leakage of personal and critical information through business devices by prohibiting the use of file-sharing programs, limiting shared settings, and controlling wireless network usage?","Are security measures applied to prevent the leakage of personal and critical information in case of loss or theft of business mobile devices?","Is the appropriateness of access control measures for business devices periodically reviewed?"],"NonComplianceCases": ["Case 1: Although laptops and tablet PCs are used for business purposes, there are no policies established for device approval, usage scope, approval procedures, or authentication methods.","Case 2: The security management guidelines for mobile devices prohibit the use of mobile devices for business purposes unless specifically approved, but unapproved mobile devices are still being used to access internal information systems.","Case 3: Personal and critical information is handled on mobile devices, but security measures such as password protection are not applied to prevent leaks due to loss or theft.","Case 4: Although internal regulations prohibit the use of shared folders on business devices, periodic checks are not conducted, resulting in excessive use of shared folders on many business devices."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety 
Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "When connecting devices such as PCs and mobile devices to the network for business purposes, access control measures such as device authentication, approval, access scope, and security settings must be established and periodically checked.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"2.10.7": {"name": "Management of Removable Media","checks": {},"status": "PASS","attributes": [{"Domain": "2. Security Control Requirements","Section": "2.10.7 Management of Removable Media","Subdomain": "2.10. System and Service Security Management","AuditEvidence": ["Policy on blocking removable media (USB, CD, etc.)","Removable media management log","Inspection records of removable media status"],"AuditChecklist": ["Are policies and procedures established and implemented for handling (use), storage, disposal, and reuse of removable media such as external hard drives, USB memory, and CDs?","Is the status of ownership, use, and management of removable media periodically checked?","Is the use of removable media restricted in controlled areas, such as key information systems or important restricted areas?","Are measures in place to prevent the infection of malware and the leakage of important information through removable media?","Are removable media containing personal or important information stored in a secure location with locking mechanisms?"],"NonComplianceCases": ["Case 1: Although there is a policy restricting the use of removable media in controlled areas like server rooms, several cases were found where removable media was used without following the exception approval process, and periodic inspections of the removable media management status were not conducted, resulting in inadequate updates to the management log.","Case 2: Removable media containing personal information was not stored in a secure location with locking mechanisms and was 
left unattended in office drawers.","Case 3: Although a solution to control removable media was implemented, some users were granted write access without appropriate approval procedures.","Case 4: Some common PCs and IT equipment in the server room allowed writing to standard USB memory devices, but controls such as media import and usage restrictions, usage history records, and reviews were not applied."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 10 (Physical Safety Measures)"]}],"description": "Procedures must be established and implemented to prevent the leakage of personal or important information or infection by malware through removable media. Removable media containing personal or important information must be stored in a secure location.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.8": {"name": "Patch Management","checks": {"ssm_managed_compliant_patching": "FAIL","kafka_cluster_uses_latest_version": null,"ec2_instance_account_imdsv2_enabled": null,"redshift_cluster_automatic_upgrades": null,"eks_cluster_uses_a_supported_version": null,"ec2_instance_older_than_specific_days": "FAIL","rds_instance_deprecated_engine_version": "PASS","rds_cluster_minor_version_upgrade_enabled": "PASS","dms_instance_minor_version_upgrade_enabled": null,"rds_instance_minor_version_upgrade_enabled": "PASS","awslambda_function_using_supported_runtimes": "FAIL","elasticache_redis_cluster_auto_minor_version_upgrades": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"opensearch_service_domains_updated_to_the_latest_service_software_version": null},"status": "FAIL","attributes": [{"Domain": "2. Security Control Requirements","Section": "2.10.8 Patch Management","Subdomain": "2.10. 
System and Service Security Management","AuditEvidence": ["Patch management policies and procedures","Patch status of each system","Impact analysis results related to patch application"],"AuditChecklist": ["Are patch management policies and procedures for operating systems (OS) and software established and implemented according to the characteristics and importance of each asset, such as servers, network systems, security systems, and PCs?","Are the patch status of installed OS and software on key servers, network systems, and security systems periodically managed?","If applying the latest patches to address vulnerabilities is difficult due to service impact, are alternative measures implemented?","Is the application of patches via public internet access restricted for key servers, network systems, and security systems?","When using a patch management system, are sufficient protection measures, such as access control, established?"],"NonComplianceCases": ["Case 1: In some systems, OS patches were not applied for a long period without valid reasons or approval from the responsible personnel.","Case 2: Some systems were using OS versions that were no longer supported (EOS), but no response plans or alternative measures were in place.","Case 3: Although the latest patches were applied to commercial software and OS, there were no procedures or personnel assigned to confirm and apply the latest patches for open-source programs (e.g., OpenSSL, OpenSSH, Apache), resulting in the lack of application of the latest security patches."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 9 (Prevention of Malware, etc.)"]}],"description": "To prevent security incidents due to vulnerabilities in software, operating systems, or security systems, the latest patches must be applied. 
However, if the application of the latest patches is difficult due to service impact considerations, alternative measures must be implemented.","checks_status": {"fail": 3,"pass": 3,"total": 14,"manual": 0}},"2.10.9": {"name": "Malware Control","checks": {},"status": "PASS","attributes": [{"Domain": "2. Security Control Requirements","Section": "2.10.9 Malware Control","Subdomain": "2.10. System and Service Security Management","AuditEvidence": ["Guidelines, procedures, and manuals for malware response","Antivirus program installation status","Antivirus program configuration screens","Malware response history (e.g., response reports)"],"AuditChecklist": ["Are protection measures established and implemented to protect information systems and business terminals from malware such as viruses, worms, Trojans, and ransomware?","Are prevention and detection activities for the latest malware continuously performed using security programs such as antivirus software?","Are security programs such as antivirus software kept up to date, and are emergency security updates performed when necessary?","Are procedures for response, such as minimizing the spread of malware and mitigating damage, established and implemented when malware infections are discovered?"],"NonComplianceCases": ["Case 1: Some PCs and servers do not have antivirus software installed, or the antivirus engine has not been updated to the latest version for a long time.","Case 2: Although users can change the antivirus program settings (e.g., real-time scanning, scheduled scanning, update settings) at their discretion, no additional protection measures were established to address this.","Case 3: Insufficient protection measures, such as access control, were in place for the central antivirus management system, leading to the possibility of security incidents through the central management system, or no integrity verification of the antivirus pattern was performed, making it possible for malware to spread through 
malicious users.","Case 4: Although multiple malware infections were confirmed on some internal network PCs and servers, there was no confirmation of the infection status, infection routes, cause analysis, or resulting actions."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 9 (Prevention of Malware, etc.)"]}],"description": "To protect personal and important information, information systems, and business terminals from malware such as viruses, worms, Trojans, and ransomware, prevention, detection, and response measures must be established and implemented.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.11.1": {"name": "Establishment of Incident Prevention and Response System","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.11.1 Establishment of Incident Prevention and Response System","Subdomain": "2.11. 
Incident Prevention and Response","AuditEvidence": ["Incident response guidelines/procedures/manual","Incident response organization chart and emergency contact list","Security monitoring service contract (SLA, etc.)"],"AuditChecklist": ["Has the organization established procedures and systems to prevent security breaches and personal information leaks and to respond quickly and effectively when incidents occur?","If the organization is operating an incident response system through an external institution, such as a security monitoring service, are the details of the incident response procedures reflected in the contract?","Has the organization established a cooperative system with external experts, specialized companies, or institutions for monitoring, responding to, and handling security incidents?"],"NonComplianceCases": ["Case 1: Failure to clearly define the incident response organization and procedures for responding to security breaches.","Case 2: Although internal guidelines and procedures specify incident response steps for different phases (before, during, after detection, recovery, reporting, etc.), some or all of the response and recovery procedures for specific incident types and severity levels are not established.","Case 3: Failure to keep the incident response organization chart and emergency contact list up to date, or the roles and responsibilities of each team member are not clearly defined.","Case 4: Errors or outdated information in the contact details for external agencies responsible for incident reporting, notification, and cooperation, or failure to keep some agency details current.","Case 5: When outsourcing incident detection and response to an external security monitoring company or related institution, failure to clearly define the roles and responsibilities for both parties in the contract or SLA.","Case 6: Although incident response procedures are in place, they do not meet the legal requirements for reporting and notifying personal 
data breaches, such as criteria and timing."],"RelatedRegulations": ["Personal Information Protection Act, Article 34 (Notification and Reporting of Personal Information Leaks, etc.)","Information and Communications Network Act, Article 48-3 (Reporting of Security Incidents), Article 48-4 (Analysis of Causes of Security Incidents, etc.)"]}],"description": "To prevent incidents such as security breaches and personal information leaks, and to respond quickly and effectively in the event of an incident, the organization must establish procedures for detecting, responding to, analyzing, and sharing internal and external intrusion attempts. In addition, the organization must establish a cooperative system with relevant external institutions and experts.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.11.2": {"name": "Vulnerability Inspection and Remediation","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_document_secrets": "PASS","inspector2_is_enabled": "FAIL","ec2_instance_imdsv2_enabled": "PASS","guardduty_centrally_managed": "FAIL","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","inspector2_active_findings_exist": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","awslambda_function_no_secrets_in_code": "PASS","cloudwatch_log_group_no_secrets_in_logs": "FAIL","ecr_registry_scan_images_on_push_enabled": "PASS","cloudformation_stack_outputs_find_secrets": "PASS","codebuild_project_no_secrets_in_variables": "PASS","awslambda_function_no_secrets_in_variables": "PASS","ecs_task_definitions_no_environment_secrets": "PASS","ecr_repositories_scan_images_on_push_enabled": "FAIL","trustedadvisor_premium_support_plan_subscribed": null,"autoscaling_find_secrets_ec2_launch_configuration": "PASS","ecr_repositories_scan_vulnerabilities_in_latest_image": null,"codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": 
"FAIL","attributes": [{"Domain": "2. Protective Measures Requirements","Section": "2.11.2 Vulnerability Inspection and Remediation","Subdomain": "2.11. Incident Prevention and Response","AuditEvidence": ["Vulnerability inspection plan","Vulnerability inspection report (for web, mobile apps, servers, network systems, security systems, DBMS, etc.)","Vulnerability inspection records","Vulnerability remediation plan","Vulnerability remediation completion report","Penetration testing plan/results report"],"AuditChecklist": ["Has the organization established and implemented procedures for conducting regular vulnerability inspections of information systems?","Are actions taken to address identified vulnerabilities, and are the results reported to the responsible authorities?","Does the organization continuously monitor for new security vulnerabilities and assess their impact on the information systems, taking appropriate actions?","Is a record of vulnerability inspections maintained, and are protective measures implemented to address recurring vulnerabilities identified in previous years?"],"NonComplianceCases": ["Case 1: Although internal regulations require annual technical vulnerability inspections for major systems, some major systems were excluded from the inspection.","Case 2: Failure to implement corrective actions for identified vulnerabilities, or failure to provide justification and approval records for vulnerabilities that cannot be addressed promptly."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 4 (Establishment, Implementation, and Inspection of Internal Management Plans), Article 6 (Access Control)"]}],"description": "Regular vulnerability inspections must be conducted to verify whether information systems have exposed vulnerabilities, and any identified vulnerabilities must be promptly addressed. 
In addition, the organization must continuously monitor for new security vulnerabilities, assess their impact on the information systems, and take necessary actions.","checks_status": {"fail": 6,"pass": 14,"total": 23,"manual": 0}},"2.11.3": {"name": "Abnormal Behavior Analysis and Monitoring","checks": {"securityhub_enabled": "PASS","fms_policy_compliant": null,"vpc_flow_logs_enabled": "FAIL","cloudtrail_insights_exist": null,"networkfirewall_in_all_vpc": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","cloudtrail_threat_detection_enumeration": null,"cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 
Protection Measures Requirements","Section": "2.11.3 Abnormal Behavior Analysis and Monitoring","Subdomain": "2.11. Incident Prevention and Response","AuditEvidence": ["Status of abnormal behavior analysis and monitoring","Evidence of responses taken when abnormal behaviors were detected"],"AuditChecklist": ["Is the organization collecting, analyzing, and monitoring network traffic, data flows, and event logs from major information systems, applications, networks, and security systems to detect abnormal behaviors such as intrusion attempts, personal information leakage attempts, or fraudulent activities?","Has the organization defined criteria and thresholds to determine abnormal behaviors, and is follow-up action, such as the determination and investigation of abnormal activities, taken in a timely manner?"],"NonComplianceCases": ["Case 1: Failure to establish a real-time or regular monitoring system and procedures to detect intrusion attempts on servers, networks, databases, and security systems from external sources.","Case 2: Although the organization has outsourced monitoring tasks to an external security monitoring agency, there is no record of reviewing the reports provided by the agency, and the organization does not have its own monitoring system for systems excluded from the outsourced service.","Case 3: Although abnormal traffic exceeding internally defined thresholds has been continuously detected, no response measures have been taken."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 6 (Access Control)"]}],"description": "To quickly detect and respond to intrusion attempts, personal information leakage attempts, and fraudulent activities from internal or external sources, the organization must collect and analyze network and data flows. 
Post-monitoring and inspection actions must be timely.","checks_status": {"fail": 6,"pass": 1,"total": 28,"manual": 0}},"2.11.4": {"name": "Incident Response Training and Improvement","checks": {"ssmincidents_enabled_with_plans": null},"status": "PASS","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.11.4 Incident Response Training and Improvement","Subdomain": "2.11. Incident Prevention and Response","AuditEvidence": ["Simulation training plan for responding to security and personal information leakage incidents","Simulation training result reports for responding to security and personal information leakage incidents","Incident response procedures"],"AuditChecklist": ["Has the organization established a simulation training plan for responding to security incidents and personal information leakage incidents, and are such training exercises conducted at least once a year?","Is the organization reflecting the results of security incident and personal information leakage incident training to improve its response system?"],"NonComplianceCases": ["Case 1: Failure to conduct simulation training or provide related training plans and result reports.","Case 2: Although an annual simulation training plan for security incidents was established, it was not conducted within the planned period without valid reason or approval.","Case 3: Simulation training was conducted, but it was not performed according to the procedures and forms defined in the internal guidelines."],"RelatedRegulations": []}],"description": "The organization must conduct at least one simulation training per year based on scenarios to ensure that employees and stakeholders are familiar with the procedures for responding to security incidents and personal information leakage incidents. 
The response system must be improved based on the training results.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"2.11.5": {"name": "Incident Response and Recovery","checks": {},"status": "PASS","attributes": [{"Domain": "2. Protection Measures Requirements","Section": "2.11.5 Incident Response and Recovery","Subdomain": "2.11. Incident Prevention and Response","AuditEvidence": ["Incident response procedures","Incident response reports","Incident management logs","Personal information leakage reports","Emergency contact list"],"AuditChecklist": ["When signs of or actual incidents of security breaches or personal information leakage are detected, is the organization responding and reporting promptly according to the defined incident response procedures?","Is the organization notifying data subjects and reporting to relevant authorities as required by law in case of a personal information breach?","After the incident is resolved, is the organization analyzing the cause, reporting the results, and sharing them with relevant departments and personnel?","Is the organization utilizing the information obtained from incident analysis to establish preventive measures to prevent similar incidents from recurring, and if necessary, modifying its incident response procedures?"],"NonComplianceCases": ["Case 1: Although internal incident response guidelines require that security incidents be reported to the internal information protection committee and relevant departments, the department in charge responded to the incident independently without reporting to the information protection committee or relevant departments.","Case 2: Although a service outage suspected to be caused by a DDoS attack occurred recently, the organization did not analyze the cause or establish preventive measures.","Case 3: Although a personal information leakage incident occurred due to external hacking, notification and reporting were not made within 72 hours, citing the small number 
of affected personal information records as the reason.","Case 4: Although personal information of more than 1,000 individuals was leaked due to an employee's mistake on the company website, the affected data subjects were not notified."],"RelatedRegulations": ["Personal Information Protection Act, Article 34 (Notification and Reporting of Personal Information Leakage)","Information and Communications Network Act, Article 48-3 (Reporting of Security Incidents), Article 48-4 (Analysis of Causes of Security Incidents)"]}],"description": "When signs of or actual incidents of security breaches or personal information leakage are detected, the organization must comply with legal notification and reporting obligations, respond and recover promptly according to established procedures, and analyze the incident to establish preventive measures to reflect in the response system.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.12.1": {"name": "Safety Measures for Disaster Preparedness","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","s3_bucket_object_lock": "FAIL","vpc_different_regions": null,"efs_have_backup_enabled": "FAIL","elbv2_is_in_multiple_az": "PASS","vpc_subnet_different_az": "PASS","backup_reportplans_exist": null,"neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"autoscaling_group_multiple_az": null,"dms_instance_multi_az_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","documentdb_cluster_backup_enabled": null,"s3_bucket_cross_region_replication": "FAIL","kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": 
null,"redshift_cluster_automated_snapshot": null,"elb_cross_zone_load_balancing_enabled": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","documentdb_cluster_cloudwatch_log_export": null,"elasticache_redis_cluster_backup_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protective Measure Requirements","Section": "2.12.1 Safety Measures for Disaster Preparedness","Subdomain": "2.12. Disaster Recovery","AuditEvidence": ["IT disaster recovery guidelines/procedures","IT disaster recovery plans (including RTO and RPO definitions)","Emergency contact list","Crisis response manual for personal information processing systems"],"AuditChecklist": ["Has the organization identified IT disaster types that could threaten the continuity of core services (businesses) and analyzed the expected scale of damage and impact on operations to identify core IT services (businesses) and systems?","Has the organization defined recovery time objectives (RTO) and recovery point objectives (RPO) based on the importance and characteristics of core IT services and systems?","Has the organization established and implemented disaster recovery plans, including recovery strategies, emergency recovery teams, emergency contact networks, and recovery procedures, to ensure the continuity of core services and systems during disasters?"],"NonComplianceCases": ["Case 1: The IT disaster recovery procedures lack critical details such as the definition of IT disaster recovery teams and roles, emergency contact systems, and recovery procedures and methods.","Case 2: Although a backup center has been established to ensure the continuity of information systems and minimize damage during emergencies, the relevant policies do not include disaster recovery procedures using the backup center, making disaster recovery tests and actual recovery efforts ineffective.","Case 3: Recovery time 
objectives for some critical systems related to service operations have not been defined, and appropriate recovery strategies are not in place.","Case 4: The disaster recovery guidelines do not define the recovery priorities, RTO, or RPO for IT services or systems.","Case 5: Unrealistic recovery objectives have been set, either too high or too low, and the RPO and backup policies (e.g., targets, frequency) are not appropriately linked, making it difficult to ensure the effectiveness of recovery."],"RelatedRegulations": ["Personal Information Protection Act, Article 29 (Obligation to Take Safety Measures)","Standards for Ensuring the Safety of Personal Information, Article 11 (Safety Measures for Disaster Preparedness)"]}],"description": "Identify types of disasters that could threaten the operational continuity of the organization's core services and systems, such as natural disasters, communication or power failures, and hacking. Analyze the expected scale of damage and impact for each type, define the recovery time objective (RTO) and recovery point objective (RPO), and establish a disaster recovery system including recovery strategies, emergency recovery teams, emergency contact networks, and recovery procedures.","checks_status": {"fail": 14,"pass": 5,"total": 33,"manual": 0}},"2.12.2": {"name": "Disaster Recovery Testing and Improvement","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","s3_bucket_object_lock": "FAIL","vpc_different_regions": null,"efs_have_backup_enabled": "FAIL","elbv2_is_in_multiple_az": "PASS","vpc_subnet_different_az": "PASS","backup_reportplans_exist": null,"neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"autoscaling_group_multiple_az": 
null,"dms_instance_multi_az_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","documentdb_cluster_backup_enabled": null,"s3_bucket_cross_region_replication": "FAIL","kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": null,"redshift_cluster_automated_snapshot": null,"elb_cross_zone_load_balancing_enabled": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","documentdb_cluster_cloudwatch_log_export": null,"elasticache_redis_cluster_backup_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. Protective Measure Requirements","Section": "2.12.2 Disaster Recovery Testing and Improvement","Subdomain": "2.12. Disaster Recovery","AuditEvidence": ["IT disaster recovery procedures","IT disaster recovery test plans","IT disaster recovery test results"],"AuditChecklist": ["Has the organization established and implemented disaster recovery test plans to evaluate the effectiveness of the established IT disaster recovery system?","Are the disaster recovery strategies and plans regularly reviewed and supplemented to reflect test results, changes in the information system environment, and legal requirements?"],"NonComplianceCases": ["Case 1: Disaster recovery drills were not planned or conducted, and the related plans and result reports are not available.","Case 2: Although a disaster recovery drill plan was established, it was not conducted as planned or approved, and the related result reports are missing.","Case 3: Disaster recovery drills were conducted, but they did not follow the procedures and forms outlined in the internal guidelines, making it difficult to evaluate the adequacy and effectiveness of the disaster recovery procedures."],"RelatedRegulations": []}],"description": "Regularly test the adequacy of the disaster recovery strategies 
and plans, and supplement the recovery strategies and plans based on test results, changes in the information system environment, and legal requirements.","checks_status": {"fail": 14,"pass": 5,"total": 33,"manual": 0}}},"requirements_passed": 10,"requirements_failed": 27,"requirements_manual": 64,"total_requirements": 101,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "23a633ec-caa6-4021-809a-a247c6f177e6","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "nist_csf_1.1_aws","framework": "NIST-CSF","version": "1.1","description": "The NIST Cybersecurity Framework (CSF) is supported by governments and industries worldwide as a recommended baseline for use by any organization, regardless of sector or size. The NIST Cybersecurity Framework consists of three primary components: the framework core, the profiles, and the implementation tiers. The framework core contains desired cybersecurity activities and outcomes organized into 23 categories that cover the breadth of cybersecurity objectives for an organization. The profiles contain an organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources using the desired outcomes of the framework core. 
The implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework core.","region": "eu-west-1","requirements": {"ac_1": {"name": "PR.AC-1","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_1","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.","checks_status": {"fail": 1,"pass": 0,"total": 9,"manual": 0}},"ac_3": {"name": "PR.AC-3","checks": {"iam_root_mfa_enabled": null,"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"iam_root_hardware_mfa_enabled": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3","Section": "Protect 
(PR)","Service": "aws","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Remote access is managed.","checks_status": {"fail": 3,"pass": 6,"total": 20,"manual": 0}},"ac_4": {"name": "PR.AC-4","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_4","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"ac_5": {"name": "PR.AC-5","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_5","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Network integrity is protected (e.g., network segregation, network 
segmentation).","checks_status": {"fail": 3,"pass": 7,"total": 17,"manual": 0}},"ac_6": {"name": "PR.AC-6","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_6","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Identities are proofed and bound to credentials and asserted in interactions.","checks_status": {"fail": 1,"pass": 1,"total": 4,"manual": 0}},"ac_7": {"name": "PR.AC-7","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_7","Section": "Protect (PR)","Service": "iam","SubGroup": null,"SubSection": "Identity Management and Access Control (PR.AC)"}],"description": "Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ae_1": {"name": "DE.AE-1","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ae_1","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Anomalies and Events (DE.AE)"}],"description": "A baseline of network operations and expected data flows 
for users and systems is established and managed.","checks_status": {"fail": 7,"pass": 3,"total": 13,"manual": 0}},"ae_2": {"name": "DE.AE-2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ae_2","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Anomalies and Events (DE.AE)"}],"description": "Detected events are analyzed to understand attack targets and methods.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ae_3": {"name": "DE.AE-3","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ae_3","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Anomalies and Events (DE.AE)"}],"description": "Event data are collected and correlated from multiple sources and sensors.","checks_status": {"fail": 5,"pass": 2,"total": 11,"manual": 0}},"ae_4": {"name": "DE.AE-4","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ae_4","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Anomalies and Events (DE.AE)"}],"description": "Impact of events is determined.","checks_status": {"fail": 4,"pass": 3,"total": 10,"manual": 0}},"ae_5": 
{"name": "DE.AE-5","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ae_5","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Anomalies and Events (DE.AE)"}],"description": "Incident alert thresholds are established.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"am_1": {"name": "ID.AM-1","checks": {"ec2_instance_managed_by_ssm": "FAIL","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "am_1","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Asset Management (ID.AM)"}],"description": "Physical devices and systems within the organization are inventoried.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"am_2": {"name": "ID.AM-2","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "am_2","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Asset Management (ID.AM)"}],"description": "Software platforms and applications within the organization are inventoried.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"am_3": {"name": "ID.AM-3","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "am_3","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Asset Management (ID.AM)"}],"description": "Organizational communication and data flows are 
mapped.","checks_status": {"fail": 4,"pass": 2,"total": 8,"manual": 0}},"am_5": {"name": "ID.AM-5","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "am_5","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Asset Management (ID.AM)"}],"description": "Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"am_6": {"name": "ID.AM-6","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "am_6","Section": "Identify (ID)","Service": "iam","SubGroup": null,"SubSection": "Asset Management (ID.AM)"}],"description": "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"an_2": {"name": "RS.AN-2","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "an_2","Section": "Respond (RS)","Service": "guardduty","SubGroup": null,"SubSection": "Analysis (RS.AN)"}],"description": "The impact of the incident is understood.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"be_5": {"name": "ID.BE-5","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "be_5","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Business Environment (ID.BE)"}],"description": "Resilience requirements to support delivery of critical services are established for all operating states (e.g. 
under duress/attack, during recovery, normal operations)","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"cm_1": {"name": "DE.CM-1","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_1","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "The network is monitored to detect potential cybersecurity events.","checks_status": {"fail": 4,"pass": 4,"total": 11,"manual": 0}},"cm_2": {"name": "DE.CM-2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": 
null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "The physical environment is monitored to detect potential cybersecurity events.","checks_status": {"fail": 2,"pass": 3,"total": 20,"manual": 0}},"cm_3": {"name": "DE.CM-3","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_3","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "Personnel activity is monitored to detect potential cybersecurity events.","checks_status": {"fail": 1,"pass": 3,"total": 7,"manual": 0}},"cm_4": {"name": "DE.CM-4","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "cm_4","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "Malicious code is detected.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"cm_5": {"name": "DE.CM-5","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_waf_acl_attached": "FAIL","ec2_instance_imdsv2_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": 
null,"ItemId": "cm_5","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "Unauthorized mobile code is detected.","checks_status": {"fail": 3,"pass": 3,"total": 10,"manual": 0}},"cm_6": {"name": "DE.CM-6","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_6","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "External service provider activity is monitored to detect potential cybersecurity events.","checks_status": {"fail": 1,"pass": 3,"total": 7,"manual": 0}},"cm_7": {"name": "DE.CM-7","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_7","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Security Continuous Monitoring (DE.CM)"}],"description": "Monitoring for unauthorized personnel, connections, devices, and software is performed.","checks_status": {"fail": 4,"pass": 4,"total": 11,"manual": 0}},"cp_4": {"name": "DE.DP-4","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_waf_acl_attached": "FAIL","ec2_instance_imdsv2_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": 
null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_4","Section": "Detect (DE)","Service": "aws","SubGroup": null,"SubSection": "Detection Processes (DE.DP)"}],"description": "Event detection information is communicated.","checks_status": {"fail": 3,"pass": 3,"total": 10,"manual": 0}},"cp_5": {"name": "DE.DP-5","checks": {"ec2_instance_imdsv2_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "cp_5","Section": "Detect (DE)","Service": "ec2","SubGroup": null,"SubSection": "Detection Processes (DE.DP)"}],"description": "Detection processes are continuously improved.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ds_1": {"name": "PR.DS-1","checks": {"ec2_ebs_volume_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_1","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "Data-at-rest is protected.","checks_status": {"fail": 5,"pass": 2,"total": 9,"manual": 0}},"ds_2": {"name": "PR.DS-2","checks": {"elb_ssl_listeners": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_2","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": 
"Data-in-transit is protected.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"ds_3": {"name": "PR.DS-3","checks": {"ec2_elastic_ip_unassigned": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_3","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "Assets are formally managed throughout removal, transfers, and disposition.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ds_4": {"name": "PR.DS-4","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_4","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "Adequate capacity to ensure availability is maintained.","checks_status": {"fail": 4,"pass": 1,"total": 5,"manual": 0}},"ds_5": {"name": "PR.DS-5","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": "PASS","s3_bucket_policy_public_write_access": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"s3_account_level_public_access_blocks": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_5","Section": "Protect (PR)","Service": "aws","SubGroup": 
null,"SubSection": "Data Security (PR.DS)"}],"description": "Protections against data leaks are implemented.","checks_status": {"fail": 4,"pass": 7,"total": 19,"manual": 0}},"ds_6": {"name": "PR.DS-6","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_6","Section": "Protect (PR)","Service": "cloudtrail","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "Integrity checking mechanisms are used to verify software, firmware, and information integrity.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ds_7": {"name": "PR.DS-7","checks": {"elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_7","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "The development and testing environment(s) are separate from the production environment.","checks_status": {"fail": 5,"pass": 1,"total": 6,"manual": 0}},"ds_8": {"name": "PR.DS-8","checks": {"securityhub_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ds_8","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Data Security (PR.DS)"}],"description": "Integrity checking mechanisms are used to verify hardware integrity.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"ip_1": {"name": "PR.IP-1","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_1","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information 
Protection Processes and Procedures (PR.IP)"}],"description": "A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ip_2": {"name": "PR.IP-2","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_2","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "A System Development Life Cycle to manage systems is implemented.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ip_3": {"name": "PR.IP-3","checks": {"elbv2_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_3","Section": "Protect (PR)","Service": "elb","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "Configuration change control processes are in place.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ip_4": {"name": "PR.IP-4","checks": {"rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_4","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "Backups of information are conducted, maintained, and tested periodically.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"ip_7": {"name": "PR.IP-7","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "ip_7","Section": "Protect (PR)","Service": "ec2","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "Protection processes are improved.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ip_8": 
{"name": "PR.IP-8","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"eks_cluster_not_publicly_accessible": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_8","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "Effectiveness of protection technologies is shared.","checks_status": {"fail": 1,"pass": 4,"total": 13,"manual": 0}},"ip_9": {"name": "PR.IP-9","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_9","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.","checks_status": {"fail": 4,"pass": 1,"total": 10,"manual": 0}},"ma_2": {"name": "PR.MA-2","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ma_2","Section": "Protect (PR)","Service": "cloudtrail","SubGroup": null,"SubSection": "Maintenance (PR.MA)"}],"description": "Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized 
access.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"mi_3": {"name": "RS.MI-3","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "mi_3","Section": "Respond (RS)","Service": "guardduty","SubGroup": null,"SubSection": "Mitigation (RS.MI)"}],"description": "Newly identified vulnerabilities are mitigated or documented as accepted risks.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"pt_1": {"name": "PR.PT-1","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pt_1","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Protective Technology (PR.PT)"}],"description": "Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.","checks_status": {"fail": 5,"pass": 2,"total": 8,"manual": 0}},"pt_3": {"name": "PR.PT-3","checks": {"iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","s3_account_level_public_access_blocks": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "pt_3","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Protective Technology (PR.PT)"}],"description": "The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.","checks_status": 
{"fail": 0,"pass": 3,"total": 11,"manual": 0}},"pt_4": {"name": "PR.PT-4","checks": {"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pt_4","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Protective Technology (PR.PT)"}],"description": "Communications and control networks are protected.","checks_status": {"fail": 1,"pass": 3,"total": 6,"manual": 0}},"pt_5": {"name": "PR.PT-5","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pt_5","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Protective Technology (PR.PT)"}],"description": "Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"ra_1": {"name": "ID.RA-1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ra_1","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Risk Assessment (ID.RA)"}],"description": "Asset vulnerabilities are identified and documented.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"ra_2": {"name": "ID.RA-2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_2","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Risk Assessment (ID.RA)"}],"description": "Cyber threat intelligence is received from information sharing 
forums and sources.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ra_3": {"name": "ID.RA-3","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_3","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Risk Assessment (ID.RA)"}],"description": "Threats, both internal and external, are identified and documented.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ra_5": {"name": "ID.RA-5","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ra_5","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Risk Assessment (ID.RA)"}],"description": "Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.","checks_status": {"fail": 2,"pass": 3,"total": 
20,"manual": 0}},"rp_1": {"name": "RS.RP-1","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "rp_1","Section": "Respond (RS)","Service": "aws","SubGroup": null,"SubSection": "Response Planning (RS.RP)"}],"description": "Response plan is executed during or after an incident.","checks_status": {"fail": 4,"pass": 1,"total": 11,"manual": 0}},"sc_4": {"name": "ID.SC-4","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_4","Section": "Identify (ID)","Service": "aws","SubGroup": null,"SubSection": "Supply Chain Risk Management (ID.SC)"}],"description": "Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.","checks_status": {"fail": 2,"pass": 3,"total": 16,"manual": 
0}},"ip_12": {"name": "PR.IP-12","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ip_12","Section": "Protect (PR)","Service": "aws","SubGroup": null,"SubSection": "Information Protection Processes and Procedures (PR.IP)"}],"description": "A vulnerability management plan is developed and implemented.","checks_status": {"fail": 2,"pass": 0,"total": 4,"manual": 0}}},"requirements_passed": 11,"requirements_failed": 42,"requirements_manual": 3,"total_requirements": 56,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "23ef3629-e1cd-4f16-af98-ab0daaff257e","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "fedramp_low_revision_4_aws","framework": "FedRAMP-Low-Revision-4","version": "","description": "The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011. It provides a cost-effective, risk-based approach for the adoption and use of cloud services by the U.S. federal government. 
FedRAMP empowers federal agencies to use modern cloud technologies, with an emphasis on the security and protection of federal information.","region": "eu-west-1","requirements": {"ac-2": {"name": "Account Management (AC-2)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_console_access_unused": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","iam_user_mfa_enabled_console_access": null,"cloudtrail_s3_dataevents_read_enabled": null,"iam_password_policy_minimum_length_14": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"iam_aws_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-2","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.","checks_status": {"fail": 3,"pass": 4,"total": 26,"manual": 0}},"ac-3": {"name": "Account Management (AC-3)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": 
"PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","checks_status": {"fail": 1,"pass": 6,"total": 20,"manual": 0}},"au-2": {"name": "Audit Events (AU-2)","checks": {"elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-2","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. 
Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate support after- the-fact investigations of security incidents","checks_status": {"fail": 5,"pass": 2,"total": 11,"manual": 0}},"au-9": {"name": "Protection of Audit Information (AU-9)","checks": {"s3_bucket_object_versioning": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-9","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects audit information and audit tools from unauthorized access, modification, and deletion.","checks_status": {"fail": 4,"pass": 0,"total": 4,"manual": 0}},"ca-7": {"name": "Continuous Monitoring (CA-7)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_waf_acl_attached": "FAIL","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_network_acls_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca-7","Section": "Security Assessment And Authorization (CA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Continuously monitor configuration management processes. 
Determine security impact, environment and operational risks.","checks_status": {"fail": 2,"pass": 4,"total": 11,"manual": 0}},"cm-2": {"name": "Baseline Configuration (CM-2)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"elbv2_deletion_protection": "FAIL","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"ssm_managed_compliant_patching": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.","checks_status": {"fail": 7,"pass": 6,"total": 21,"manual": 0}},"cm-8": {"name": "Information System Component Inventory (CM-8)","checks": {"guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-8","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization 
boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"cp-9": {"name": "Information System Backup (CP-9)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp-9","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization conducts backups of user-level information, system-level information and information system documentation including security-related documentation contained in the information system and protects the confidentiality, integrity, and availability of backup information at storage locations.","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"ia-2": {"name": "Identification and Authentication (Organizational users) (IA-2)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-2","Section": "Identification and Authentication (IA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"ir-4": {"name": "Incident Handling (IR-4)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": 
null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir-4","Section": "Incident Response (IR)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery, coordinates incident handling activities with contingency planning activities and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"sa-3": {"name": "System Development Life Cycle (SA-3)","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa-3","Section": "System and Services Acquisition (SA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc-5": {"name": "Denial Of Service Protection (SC-5)","checks": {"guardduty_is_enabled": "PASS","rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": 
null,"ItemId": "sc-5","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].","checks_status": {"fail": 4,"pass": 2,"total": 8,"manual": 0}},"sc-7": {"name": "Boundary Protection (SC-7)","checks": {"elb_ssl_listeners": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-7","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. 
Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.","checks_status": {"fail": 6,"pass": 6,"total": 21,"manual": 0}},"ac-17": {"name": "Remote Access (AC-17)","checks": {"elb_ssl_listeners": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-17","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Authorize remote access systems prior to connection. 
Enforce remote connection requirements to information systems.","checks_status": {"fail": 5,"pass": 9,"total": 21,"manual": 0}},"au-11": {"name": "Audit Record Retention (AU-11)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-11","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cp-10": {"name": "Information System Recovery And Reconstitution (CP-10)","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp-10","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.","checks_status": {"fail": 4,"pass": 1,"total": 9,"manual": 0}},"sc-12": {"name": "Cryptographic Key Establishment And Management (SC-12)","checks": {"kms_cmk_rotation_enabled": null,"acm_certificates_expiration_check": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc-12","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for 
key generation, distribution, storage, access, and destruction].","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"sc-13": {"name": "Use of Cryptography (SC-13)","checks": {"s3_bucket_default_encryption": "PASS","sns_topics_kms_encryption_at_rest_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"sagemaker_training_jobs_volume_and_output_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-13","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","checks_status": {"fail": 1,"pass": 1,"total": 4,"manual": 0}}},"requirements_passed": 2,"requirements_failed": 16,"requirements_manual": 0,"total_requirements": 18,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "2d3bdafb-2503-4e04-a107-bdda7c4163ba","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_audit_manager_control_tower_guardrails_aws","framework": "AWS-Audit-Manager-Control-Tower-Guardrails","version": "","description": "AWS Control Tower is a management and governance service that you can use to navigate through the setup process and governance requirements that are involved in creating a multi-account AWS environment.","region": "eu-west-1","requirements": {"1.0.1": {"name": "Disallow launch of EC2 instance types that are not EBS-optimized","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "1.0.1","Section": "EBS checks","Service": "ebs","SubGroup": null,"SubSection": null}],"description": "Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.0.2": 
{"name": "Disallow EBS volumes that are unattached to an EC2 instance","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "1.0.2","Section": "EBS checks","Service": "ebs","SubGroup": null,"SubSection": null}],"description": "Checks whether EBS volumes are attached to EC2 instances","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.0.3": {"name": "Enable encryption for EBS volumes attached to EC2 instances","checks": {"ec2_ebs_default_encryption": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "1.0.3","Section": "EBS checks","Service": "ebs","SubGroup": null,"SubSection": null}],"description": "Checks whether EBS volumes that are in an attached state are encrypted","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.0.1": {"name": "Disallow internet connection through RDP","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "2.0.1","Section": "Disallow Internet Connection","Service": "vpc","SubGroup": null,"SubSection": null}],"description": "Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.0.2": {"name": "Disallow internet connection through SSH","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "2.0.2","Section": "Disallow Internet Connection","Service": "vpc","SubGroup": null,"SubSection": null}],"description": "Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.0.1": {"name": "Disallow access to IAM users without MFA","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3.0.1","Section": "Multi-Factor Authentication","Service": 
"iam","SubGroup": null,"SubSection": null}],"description": "Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.0.2": {"name": "Disallow console access to IAM users without MFA","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3.0.2","Section": "Multi-Factor Authentication","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.0.3": {"name": "Enable MFA for the root user","checks": {"iam_root_mfa_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "3.0.3","Section": "Multi-Factor Authentication","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.0.1": {"name": "Disallow public access to RDS database instances","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.0.1","Section": "Disallow Public Access","Service": "rds","SubGroup": null,"SubSection": null}],"description": "Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. 
The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"4.0.2": {"name": "Disallow public access to RDS database snapshots","checks": {"rds_snapshots_public_access": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.0.2","Section": "Disallow Public Access","Service": "rds","SubGroup": null,"SubSection": null}],"description": "Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"4.1.1": {"name": "Disallow public read access to S3 buckets","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.1.1","Section": "Disallow Public Access","Service": "s3","SubGroup": null,"SubSection": null}],"description": "Checks that your S3 buckets do not allow public read access.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"4.1.2": {"name": "Disallow public write access to S3 buckets","checks": {"s3_bucket_policy_public_write_access": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.1.2","Section": "Disallow Public Access","Service": "s3","SubGroup": null,"SubSection": null}],"description": "Checks that your S3 buckets do not allow public write access.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"5.0.1": {"name": "Disallow RDS database instances that are not storage encrypted ","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "5.0.1","Section": "Disallow Instances","Service": "rds","SubGroup": null,"SubSection": null}],"description": "Checks whether storage encryption is enabled for your RDS DB instances.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"5.1.1": {"name": "Disallow S3 buckets that are 
not versioning enabled","checks": {"s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "5.1.1","Section": "Disallow Instances","Service": "s3","SubGroup": null,"SubSection": null}],"description": "Checks whether versioning is enabled for your S3 buckets.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 10,"requirements_failed": 2,"requirements_manual": 2,"total_requirements": 14,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "3477e5c1-467e-4fb1-9b4b-1c2bc8fcd03e","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "pci_3.2.1_aws","framework": "PCI","version": "3.2.1","description": "The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard. It's administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD). This includes, but isn't limited to, merchants, processors, acquirers, issuers, and service providers. 
The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.","region": "eu-west-1","requirements": {"cw": {"name": "CloudWatch","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "cw","Section": null,"Service": "cloudwatch","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CloudWatch resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"s3": {"name": "S3","checks": {"s3_bucket_public_access": null,"s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "s3","Section": null,"Service": "s3","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS S3 resources and options.","checks_status": {"fail": 1,"pass": 2,"total": 5,"manual": 0}},"dms": {"name": "DMS","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "dms","Section": null,"Service": "dms","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS DMS resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ec2": {"name": "EC2","checks": {"vpc_flow_logs_enabled": "FAIL","ec2_ebs_public_snapshot": "PASS","ec2_elastic_ip_unassigned": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ec2","Section": null,"Service": "ec2","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring EC2 resources and options.","checks_status": {"fail": 3,"pass": 3,"total": 6,"manual": 
0}},"iam": {"name": "IAM","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "iam","Section": null,"Service": "iam","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS IAM resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 15,"manual": 0}},"kms": {"name": "KMS","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "kms","Section": null,"Service": "kms","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS KMS resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"rds": {"name": "RDS","checks": {"rds_snapshots_public_access": "PASS","rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "rds","Section": null,"Service": "rds","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS RDS resources and options.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ssm": {"name": "SSM","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ssm","Section": null,"Service": "ssm","SubGroup": null,"SubSection": null}],"description": "This section contains 
recommendations for configuring AWS SSM resources and options.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"elbv2": {"name": "ELBV2","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "elbv2","Section": null,"Service": "elbv2","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Elastic Load Balancer resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"config": {"name": "Config","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "config","Section": null,"Service": "config","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Config.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"lambda": {"name": "Lambda","checks": {"awslambda_function_url_public": null,"awslambda_function_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "lambda","Section": null,"Service": "lambda","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Lambda resources and options.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"redshift": {"name": "Redshift","checks": {"redshift_cluster_public_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "redshift","Section": null,"Service": "redshift","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Redshift resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"codebuild": {"name": "CodeBuild","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "codebuild","Section": null,"Service": "codebuild","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CodeBuild resources and options.","checks_status": 
{"fail": 0,"pass": 0,"total": 0,"manual": 0}},"guardduty": {"name": "GuardDuty","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "guardduty","Section": null,"Service": "guardduty","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS GuardDuty resources and options.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sagemaker": {"name": "SageMaker","checks": {"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sagemaker","Section": null,"Service": "sagemaker","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Sagemaker resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"cloudtrail": {"name": "CloudTrail","checks": {"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cloudtrail","Section": null,"Service": "cloudtrail","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CloudTrail resources and options.","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"opensearch": {"name": "OpenSearch","checks": {"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "opensearch","Section": null,"Service": "opensearch","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring OpenSearch resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"autoscaling": {"name": "Auto Scaling","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "autoscaling","Section": null,"Service": 
"autoscaling","SubGroup": null,"SubSection": null}],"description": "This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. PCI DSS does not require load balancing or highly available configurations. However, this check aligns with AWS best practices.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"elasticsearch": {"name": "Elasticsearch","checks": {"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "elasticsearch","Section": null,"Service": "elasticsearch","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Elasticsearch resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 11,"requirements_failed": 4,"requirements_manual": 4,"total_requirements": 19,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "34f5d2fe-fe37-4143-81ce-fdf21d9a9826","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "gxp_eu_annex_11_aws","framework": "GxP-EU-Annex-11","version": "","description": "The GxP EU Annex 11 framework is the European equivalent to the FDA 21 CFR part 11 framework in the United States. This annex applies to all forms of computerized systems that are used as part of Good Manufacturing Practices (GMP) regulated activities. A computerized system is a set of software and hardware components that together fulfill certain functionalities. The application should be validated and IT infrastructure should be qualified. Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control, or quality assurance. 
There should be no increase in the overall risk of the process.","region": "eu-west-1","requirements": {"5-data": {"name": "5 Data","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "5-data","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Computerised systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.","checks_status": {"fail": 2,"pass": 1,"total": 8,"manual": 0}},"17-archiving": {"name": "17 Archiving","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "17-archiving","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. 
computer equipment or programs), then the ability to retrieve the data should be ensured and tested.","checks_status": {"fail": 2,"pass": 1,"total": 9,"manual": 0}},"9-audit-trails": {"name": "9 Audit Trails","checks": {"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "9-audit-trails","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated 'audit trail'). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1-risk-management": {"name": "1 Risk Management","checks": {"securityhub_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "1-risk-management","Section": "General","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. 
As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"16-business-continuity": {"name": "16 Business Continuity","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "16-business-continuity","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested.","checks_status": {"fail": 2,"pass": 1,"total": 9,"manual": 0}},"7.2-data-storage-backups": {"name": "7.2 Data Storage - Backups","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "7.2-data-storage-backups","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Regular back-ups of all relevant data should be done. 
Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.","checks_status": {"fail": 2,"pass": 1,"total": 8,"manual": 0}},"12.4-security-audit-trail": {"name": "12.4 Security - Audit Trail","checks": {"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "12.4-security-audit-trail","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"8.2-printouts-data-changes": {"name": "8.2 Printouts - Data Changes","checks": {"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "8.2-printouts-data-changes","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"4.8-validation-data-transfer": {"name": "4.8 Validation - Data Transfer","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "4.8-validation-data-transfer","Section": "Project Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this 
migration process.","checks_status": {"fail": 2,"pass": 1,"total": 9,"manual": 0}},"4.5-validation-development-quality": {"name": "4.5 Validation - Development Quality","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.5-validation-development-quality","Section": "Project Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.6-validation-quality-performance": {"name": "4.6 Validation - Quality and Performance","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.6-validation-quality-performance","Section": "Project Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "For the validation of bespoke or customised computerised systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"7.1-data-storage-damage-protection": {"name": "7.1 Data Storage - Damage Protection","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","redshift_cluster_automated_snapshot": null,"sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": 
"FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "7.1-data-storage-damage-protection","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period.","checks_status": {"fail": 6,"pass": 4,"total": 22,"manual": 0}},"10-change-and-configuration-management": {"name": "10 Change and Configuration Management","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "10-change-and-configuration-management","Section": "Operational Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.2-validation-documentation-change-control": {"name": "4.2 Validation - Documentation Change Control","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "4.2-validation-documentation-change-control","Section": "Project Phase","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}}},"requirements_passed": 8,"requirements_failed": 6,"requirements_manual": 0,"total_requirements": 14,"scan": 
"0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "376854be-93cd-44ab-a070-1e996b24184d","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "cis_1.5_aws","framework": "CIS","version": "1.5","description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.","region": "eu-west-1","requirements": {"1.1": {"name": "1.1","checks": {"account_maintain_current_contact_details": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info","Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.","DefaultValue": null,"AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. 
On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, review and verify the current details. 4. Under `Contact Information`, review and verify the current details.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.","RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`. 4. Next to the field that you need to update, choose `Edit`. 5. After you have entered your changes, choose `Save changes`. 6. After you have made your changes, choose `Done`. 7. To edit your contact information, under `Contact Information`, choose `Edit`. 8. 
For the fields that you want to change, type your updated information, and then choose `Update`.","AdditionalInformation": ""}],"description": "Maintain current contact details","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.2": {"name": "1.2","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if security contact information is present:**From Console:**1. Click on your account name at the top right corner of the console 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. Ensure contact information is specified in the `Security` section","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.","RemediationProcedure": "Perform the following to establish security contact information:**From Console:**1. Click on your account name at the top right corner of the console. 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. 
Enter contact information in the `Security` section**Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.","AdditionalInformation": ""}],"description": "Ensure security contact information is registered","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.3": {"name": "1.3","checks": {"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS account as the 'root' user 2. On the top right you will see the __ 3. Click on the __ 4. From the drop-down menu Click `My Account`5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions. 6. Click `Save questions` .","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "When creating a new AWS account, a default super user is automatically created. This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.","RemediationProcedure": "**From Console:**1. Login to the AWS Account as the 'root' user 2. Click on the __ from the top right of the console 3. From the drop-down menu Click _My Account_ 4. Scroll down to the `Configure Security Questions` section 5. 
Click on `Edit`6. Click on each `Question` - From the drop-down select an appropriate question- Click on the `Answer` section- Enter an appropriate answer - Follow process for all 3 questions 7. Click `Update` when complete 8. Save Questions and Answers and place in a secure physical location","AdditionalInformation": ""}],"description": "Ensure security questions are registered in the AWS account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.4": {"name": "1.4","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/","Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .**From Command Line:**Run the following command: ```aws iam get-account-summary | grep \"AccountAccessKeysPresent\"``` If no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,. 
If the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged.","RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys**From Console:**1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. Click on __ at the top right and select `My Security Credentials` from the drop down list 3. On the pop out screen Click on `Continue to Security Credentials`4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_ 5. Under the `Status` column if there are any Keys which are Active- Click on `Make Inactive` - (Temporarily disable Key - may be needed again)- Click `Delete` - (Deleted keys cannot be recovered)","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables 'root' access only through access-keys (CLI, API methods) for us-gov cloud region."}],"description": "Ensure no 'root' user account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.5": {"name": "1.5","checks": {"iam_root_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. 
Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.**Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `mfa_active` field is set to `TRUE` .**From Command Line:**1. Run the following command: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ``` 2. Ensure the AccountMFAEnabled property is set to 1","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. 
You cannot manage MFA devices for the 'root' account using other credentials.2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` . 5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.When you are finished, the virtual MFA device starts generating one-time passwords.In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions does not have console access. 
This recommendation is not applicable for us-gov cloud regions."}],"description": "Ensure MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.6": {"name": "1.6","checks": {"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:1. Run the following command to determine if the 'root' account has MFA setup: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ```The `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled. If `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled. 
Run the following command to list all virtual MFA devices: ```aws iam list-virtual-mfa-devices``` If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation: `\"SerialNumber\": \"arn:aws:iam::__:mfa/root-account-mfa-device\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.","RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials. 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. In the wizard, choose `A hardware MFA` device and then choose `Next Step` . 5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device. 6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. 7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. 
You might need to press the button on the front of the device again to display the second number. 8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.Remediation for this recommendation is not available through AWS CLI.","AdditionalInformation": "IAM User account 'root' for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions."}],"description": "Ensure hardware MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.7": {"name": "1.7","checks": {"iam_avoid_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html","Description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/` 2. In the left pane, click `Credential Report` 3. Click on `Download Report` 4. Open of Save the file locally 5. Locate the `` under the user column 6. 
Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.**From Command Line:**Run the following CLI commands to provide a credential report for determining the last time the 'root user' was used: ``` aws iam generate-credential-report ``` ``` aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '' ```Review `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.**Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.","RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user.**Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.","AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. 
If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.Monitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user."}],"description": "Eliminate use of the 'root' user for administrative and daily tasks","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.8": {"name": "1.8","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Minimum password length\" is set to 14 or greater.**From Command Line:** ``` aws iam get-account-password-policy ``` Ensure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Setting a password complexity policy increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. 
Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Set \"Minimum password length\" to `14` or greater. 5. Click \"Apply password policy\"**From Command Line:** ```aws iam update-account-password-policy --minimum-password-length 14 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy requires minimum length of 14 or greater","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.9": {"name": "1.9","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Prevent password reuse\" is checked 5. 
Ensure \"Number of passwords to remember\" is set to 24**From Command Line:** ``` aws iam get-account-password-policy``` Ensure the output of the above command includes \"PasswordReusePrevention\": 24","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Preventing password reuse increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Check \"Prevent password reuse\" 5. Set \"Number of passwords to remember\" is set to `24` **From Command Line:** ```aws iam update-account-password-policy --password-reuse-prevention 24 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy prevents password reuse","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.1": {"name": "3.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events","Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane- You will be presented with a list of trails across all regions 3. Ensure at least one Trail has `All` specified in the `Region` column 4. Click on a trail via the link in the _Name_ column 5. Ensure `Logging` is set to `ON`6. Ensure `Apply trail to all regions` is set to `Yes` 7. In section `Management Events` ensure `Read/Write Events` set to `ALL`**From Command Line:** ```aws cloudtrail describe-trails ``` Ensure `IsMultiRegionTrail` is set to `true```` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `true` ``` aws cloudtrail get-event-selectors --trail-name  ``` Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`","ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html","AssessmentStatus": "Automated","RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally, - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected- ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated onAWS global services- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account","RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on _Trails_ on the left navigation pane 3. Click `Get Started Now` , if presented- Click `Add new trail` - Enter a trail name in the `Trail name` box- Set the `Apply trail to all regions` option to `Yes` - Specify an S3 bucket name in the `S3 bucket` box- Click `Create`4. If 1 or more trails already exist, select the target trail to enable for global logging 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`. 6. 
Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.**From Command Line:** ``` aws cloudtrail create-trail --name  --bucket-name  --is-multi-region-trailaws cloudtrail update-trail --name  --is-multi-region-trail ```Note: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.","AdditionalInformation": ""}],"description": "Ensure CloudTrail is enabled in all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.2": {"name": "3.2","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.","DefaultValue": null,"AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. 
For Every Trail: - Click on a trail via the link in the _Name_ column - Under the `General details` section, ensure `Log file validation` is set to `Enabled` **From Command Line:** ``` aws cloudtrail describe-trails ``` Ensure `LogFileValidationEnabled` is set to `true` for each trail","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling log file validation will provide additional integrity checking of CloudTrail logs.","RemediationProcedure": "Perform the following to enable log file validation on a given trail:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. Click on target trail 4. Within the `General details` section click `edit` 5. Under the `Advanced settings` section 6. Check the enable box under `Log file validation`7. Click `Save changes` **From Command Line:** ``` aws cloudtrail update-trail --name  --enable-log-file-validation ``` Note that periodic validation of logs using these digests can be performed by running the following command: ``` aws cloudtrail validate-logs --trail-arn  --start-time  --end-time  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail log file validation is enabled","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.3": {"name": "3.3","checks": {"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html","Description": "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. 
It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the `API activity history` pane on the left, click `Trails`3. In the `Trails` pane, note the bucket names in the `S3 bucket` column 4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 5. For each bucket noted in step 3, right-click on the bucket and click `Properties`6. In the `Properties` pane, click the `Permissions` tab. 7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.`9. If the `Edit bucket policy` button is present, click it to review the bucket policy. 10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName' ``` 2. Ensure the `AllUsers` principal is not granted privileges to that `` : ```aws s3api get-bucket-acl --bucket  --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]' ``` 3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that ``: ```aws s3api get-bucket-acl --bucket  --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]' ``` 4. 
Get the S3 Bucket Policy ```aws s3api get-bucket-policy --bucket ``` 5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.","RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 2. Right-click on the bucket and click Properties 3. In the `Properties` pane, click the `Permissions` tab. 4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 5. Select the row that grants permission to `Everyone` or `Any Authenticated User`6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row). 7. Click `Save` to save the ACL. 8. If the `Edit bucket policy` button is present, click it. 9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.","AdditionalInformation": ""}],"description": "Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.4": {"name": "3.4","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html","Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Under `Trails` , click on the CloudTrail you wish to evaluate 3. Under the `CloudWatch Logs` section. 4. Ensure a `CloudWatch Logs` log group is configured and listed. 5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.**From Command Line:**1. Run the following command to get a listing of existing trails: ```aws cloudtrail describe-trails ``` 2. 
Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property. 3. Using the noted value of the `Name` property, run the following command: ```aws cloudtrail get-trail-status --name  ``` 4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.If the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.","ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.","RemediationProcedure": "Perform the following to establish the prescribed state:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Select the `Trail` the needs to be updated. 3. Scroll down to `CloudWatch Logs` 4. Click `Edit` 5. Under `CloudWatch Logs` click the box `Enabled` 6. Under `Log Group` pick new or select an existing log group 7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group. 8. 
Under `IAM Role` pick new or select an existing. 9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role. 10. Click `Save changes.**From Command Line:** ``` aws cloudtrail update-trail --name  --cloudwatch-logs-log-group-arn  --cloudwatch-logs-role-arn  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail trails are integrated with CloudWatch Logs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.5": {"name": "3.5","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html","Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.","DefaultValue": null,"AuditProcedure": "Process to evaluate AWS Config configuration per region**From Console:**1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 2. On the top right of the console select target Region. 3. If presented with Setup AWS Config - follow remediation procedure: 4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 5. Ensure 1 or both check-boxes under \"All Resources\" is checked.- Include global resources related to IAM resources - which needs to be enabled in 1 region only 6. Ensure the correct S3 bucket has been defined. 7. Ensure the correct SNS topic has been defined. 8. Repeat steps 2 to 7 for each region.**From Command Line:**1. 
Run this command to show all AWS Config recorders and their properties: ``` aws configservice describe-configuration-recorders ``` 2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])Sample Output:``` {\"ConfigurationRecorders\": [{\"recordingGroup\": {\"allSupported\": true,\"resourceTypes\": [],\"includeGlobalResourceTypes\": true},\"roleARN\": \"arn:aws:iam:::role/service-role/\",\"name\": \"default\"}] } ```3. Run this command to show the status for all AWS Config recorders: ``` aws configservice describe-configuration-recorder-status ``` 4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`","ImpactStatement": "It is recommended AWS Config be enabled in all regions.","AssessmentStatus": "Automated","RationaleStatement": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.","RemediationProcedure": "To implement AWS Config configuration:**From Console:**1. Select the region you want to focus on in the top right of the console 2. Click `Services`3. Click `Config`4. Define which resources you want to record in the selected region 5. Choose to include global resources (IAM resources) 6. Specify an S3 bucket in the same account or in another managed AWS account 7. Create an SNS Topic from the same AWS account or another managed AWS account**From Command Line:**1. 
Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 2. Run this command to set up the configuration recorder ``` aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole ``` 3. Run this command to start the configuration recorder: ``` start-configuration-recorder --configuration-recorder-name  ```","AdditionalInformation": ""}],"description": "Ensure AWS Config is enabled in all regions","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.6": {"name": "3.6","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html","Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.","DefaultValue": null,"AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the API activity history pane on the left, click Trails 3. In the Trails pane, note the bucket names in the S3 bucket column 4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 5. Under `All Buckets` click on a target S3 bucket 6. 
Click on `Properties` in the top right of the console 7. Under `Bucket:` _ `` _ click on `Logging`8. Ensure `Enabled` is checked.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'``` 2. Ensure Bucket Logging is enabled: ``` aws s3api get-bucket-logging --bucket  ``` Ensure command does not returns empty output.Sample Output for a bucket with logging enabled:``` {\"LoggingEnabled\": {\"TargetPrefix\": \"\",\"TargetBucket\": \"\"} } ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.","RemediationProcedure": "Perform the following to enable S3 bucket logging:**From Console:**1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 2. Under `All Buckets` click on the target S3 bucket 3. Click on `Properties` in the top right of the console 4. Under `Bucket:`  click on `Logging`5. Configure bucket logging- Click on the `Enabled` checkbox- Select Target Bucket from list- Enter a Target Prefix 6. Click `Save`.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --region  --query trailList[*].S3BucketName ``` 2. Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``: ``` {\"LoggingEnabled\": {\"TargetBucket\": \"\",\"TargetPrefix\": \"\",\"TargetGrants\": [{\"Grantee\": {\"Type\": \"AmazonCustomerByEmail\",\"EmailAddress\": \"\"},\"Permission\": \"FULL_CONTROL\"}]}} ``` 3. 
Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): ``` aws s3api put-bucket-logging --bucket  --bucket-logging-status file:// ```","AdditionalInformation": ""}],"description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.7": {"name": "3.7","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html","Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Select a Trail 4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.**From Command Line:**1. 
Run the following command: ```aws cloudtrail describe-trails``` 2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.","ImpactStatement": "Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.","AssessmentStatus": "Automated","RationaleStatement": "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.","RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Click on a Trail 4. Under the `S3` section click on the edit button (pencil icon) 5. Click `Advanced`6. Select an existing CMK from the `KMS key Id` drop-down menu- Note: Ensure the CMK is located in the same region as the S3 bucket- Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy 7. Click `Save`8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. 9. Click `Yes` **From Command Line:** ``` aws cloudtrail update-trail --name  --kms-id  aws kms put-key-policy --key-id  --policy  ```","AdditionalInformation": "3 statements which need to be added to the CMK policy:1\\. Enable Cloudtrail to describe CMK properties ``` 
{\"Sid\": \"Allow CloudTrail access\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:DescribeKey\",\"Resource\": \"*\" } ``` 2\\. Granting encrypt permissions ``` 
{\"Sid\": \"Allow CloudTrail to encrypt logs\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:GenerateDataKey*\",\"Resource\": \"*\",\"Condition\": {\"StringLike\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": [\"arn:aws:cloudtrail:*:aws-account-id:trail/*\"]}} } ``` 3\\. Granting decrypt permissions ``` 
{\"Sid\": \"Enable CloudTrail log decrypt permissions\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"arn:aws:iam::aws-account-id:user/username\"},\"Action\": \"kms:Decrypt\",\"Resource\": \"*\",\"Condition\": {\"Null\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"}} } ```"}],"description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.8": {"name": "3.8","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final","Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the `General configuration` panel open the tab `Key rotation` 5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated 6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"**From Command Line:**1. 
Run the following command to get a list of all keys and their associated `KeyIds````aws kms list-keys ``` 2. For each key, note the KeyId and run the following command ``` describe-key --key-id  ``` 3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command ```aws kms get-key-rotation-status --key-id  ``` 4. Ensure `KeyRotationEnabled` is set to `true` 5. Repeat steps 2 - 4 for all remaining CMKs","ImpactStatement": "Creation, management, and storage of CMKs may require additional time from and administrator.","AssessmentStatus": "Automated","RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` . 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the \"General configuration\" panel open the tab \"Key rotation\" 5. Check the \"Automatically rotate this KMS key every year.\" checkbox**From Command Line:**1. Run the following command to enable key rotation: ```aws kms enable-key-rotation --key-id  ```","AdditionalInformation": ""}],"description": "Ensure rotation for customer created symmetric CMKs is enabled","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.9": {"name": "3.9","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html","Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. Ensure a Log Flow exists that has `Active` in the `Status` column.**From Command Line:**1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region: ``` aws ec2 describe-vpcs --region  --query Vpcs[].VpcId ``` 2. The command output returns the `VpcId` available in the selected region. 3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled: ``` aws ec2 describe-flow-logs --filter \"Name=resource-id,Values=\" ``` 4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`. 5. Repeat step 3 for other VPCs available in the same region. 6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.","ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. 
You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.","RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. If no Flow Log exists, click `Create Flow Log`7. For Filter, select `Reject` 8. Enter in a `Role` and `Destination Log Group`9. Click `Create Log Flow`10. Click on `CloudWatch Logs Group` **Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.**From Command Line:**1. Create a policy document and name it as `role_policy_document.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"test\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"ec2.amazonaws.com\"},\"Action\": \"sts:AssumeRole\"}] } ``` 2. 
Create another policy document and name it as `iam_policy.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Action\":[\"logs:CreateLogGroup\",\"logs:CreateLogStream\",\"logs:DescribeLogGroups\",\"logs:DescribeLogStreams\",\"logs:PutLogEvents\",\"logs:GetLogEvents\",\"logs:FilterLogEvents\"],\"Resource\": \"*\"}] } ``` 3. Run the below command to create an IAM role: ``` aws iam create-role --role-name  --assume-role-policy-document file://role_policy_document.json``` 4. Run the below command to create an IAM policy: ``` aws iam create-policy --policy-name  --policy-document file://iam-policy.json ``` 5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned): ``` aws iam attach-group-policy --policy-arn arn:aws:iam:::policy/ --group-name  ``` 6. Run `describe-vpcs` to get the VpcId available in the selected region: ``` aws ec2 describe-vpcs --region  ``` 7. The command output should return the VPC Id available in the selected region. 8. Run `create-flow-logs` to create a flow log for the vpc: ``` aws ec2 create-flow-logs --resource-type VPC --resource-ids  --traffic-type REJECT --log-group-name  --deliver-logs-permission-arn  ``` 9. Repeat step 8 for other vpcs available in the selected region. 10. Change the region by updating --region and repeat remediation procedure for other vpcs.","AdditionalInformation": ""}],"description": "Ensure VPC flow logging is enabled in all VPCs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"4.1": {"name": "4.1","checks": {"cloudwatch_log_metric_filter_unauthorized_api_calls": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. 
Monitoring","References": "https://aws.amazon.com/sns/:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with \"Name\":` note ``- From value associated with \"CloudWatchLogsLogGroupArn\" note Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this `` that you captured in step 1:``` aws logs describe-metric-filters --log-group-name \"\" ```3. 
Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\", ```4. Note the \"filterName\" `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\" ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.","AssessmentStatus": "Automated","RationaleStatement": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `` taken from audit step 1. 
``` aws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms. **Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for unauthorized API calls","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.2": {"name": "4.2","checks": {"cloudwatch_log_metric_filter_sign_in_without_mfa": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all `CloudTrails`:``` aws cloudtrail describe-trails ```- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region `CloudTrail` is active``` aws cloudtrail get-trail-status --name  ```Ensure in the output that `IsLogging` is set to `TRUE`- Ensure identified Multi-region 'Cloudtrail' captures all Management Events``` aws cloudtrail get-event-selectors --trail-name  ```Ensure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\" ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `` taken from audit step 1.Use Command: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored -Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account."}],"description": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.3": {"name": "4.3","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for 'root' login attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**- ensures that activities from all regions (used as well as unused) are monitored- ensures that activities on all supported global services are monitored- ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for usage of 'root' account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.4": {"name": "4.4","checks": {"cloudwatch_log_metric_filter_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for IAM policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.5": {"name": "4.5","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.6": {"name": "4.6","checks": {"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.7": {"name": "4.7","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Data encrypted with disabled or deleted keys will no longer be accessible.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.8": {"name": "4.8","checks": {"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for S3 bucket policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.9": {"name": "4.9","checks": {"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Config configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"5.1": {"name": "5.1","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison","Description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "**From Console:**Perform the following to determine if the account is configured as prescribed: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. 
For each network ACL, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "**From Console:**Perform the following: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL to remediate, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Click `Edit inbound rules`- Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule- Click `Save`","AdditionalInformation": ""}],"description": "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"5.2": {"name": "5.2","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule 6. 
Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.3": {"name": "5.3","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. 
Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `::/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the ::/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than ::/0, or, B) Click `Delete` to remove the offending inbound rule 6. Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.4": {"name": "5.4","checks": {"ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "5. 
Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group","Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.**NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:Security Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. 
For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exist 4. Click the `Outbound Rules` tab 5. Ensure no rules existSecurity Group Members1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. Copy the id of the default security group. 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home 6. In the filter column type 'Security Group ID : < security group id from #4 >'","ImpactStatement": "Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.","AssessmentStatus": "Automated","RationaleStatement": "Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.","RemediationProcedure": "Security Group MembersPerform the following to implement the prescribed state:1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security groupSecurity Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. 
Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Remove any inbound rules 4. Click the `Outbound Rules` tab 5. Remove any Outbound rulesRecommended:IAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"","AdditionalInformation": ""}],"description": "Ensure the default security group of every VPC restricts all traffic","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"5.5": {"name": "5.5","checks": {"vpc_peering_routing_tables_with_least_privilege": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "5. Networking","References": "https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html","Description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.","DefaultValue": null,"AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.**From Command Line:**1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a __ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired. 
``` aws ec2 describe-route-tables --filter \"Name=vpc-id,Values=\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\" ```","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.","RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.**From Command Line:**1. For each __ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route: ``` aws ec2 delete-route --route-table-id  --destination-cidr-block  ```2. Create a new compliant route: ``` aws ec2 create-route --route-table-id  --destination-cidr-block  --vpc-peering-connection-id  ```","AdditionalInformation": "If an organization has AWS transit gateway implemented in their VPC architecture they should look to apply the recommendation above for \"least access\" routing architecture at the AWS transit gateway level in combination with what must be implemented at the standard VPC route table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs must have an attachment to a transit gateway route table as well as a route, therefore to avoid routing traffic between VPCs an attachment to the transit gateway route table should only be added where there is an intention to route traffic between the VPCs. 
As transit gateways are able to host multiple route tables it is possible to group VPCs by attaching them to a common route table."}],"description": "Ensure routing tables for VPC peering are \"least access\"","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.10": {"name": "1.10","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users","Description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:**From Console:**1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left pane, select `Users`3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`. 4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.**From Command Line:**1. 
Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8``` 2. The output of this command will produce a table similar to the following: ```user,password_enabled,mfa_activeelise,false,falsebrandon,true,truerakesh,false,falsehelene,false,falseparas,true,trueanitha,false,false``` 3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`","ImpactStatement": "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. We recommend that existing customers switch to one of the following alternative methods of MFA.","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to enable MFA:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' 2. In the left pane, select `Users`. 3. In the `User Name` list, choose the name of the intended MFA user. 4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`. 5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). 
If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application. When you are finished, the virtual MFA device starts generating one-time passwords.8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.9. Click `Assign MFA`.","AdditionalInformation": "**Forced IAM User Self-Service Remediation**Amazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts."}],"description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.11": {"name": "1.11","checks": {"iam_user_no_setup_initial_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html","Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on a User where column `Password age` and `Access key age` is not set to `None` 5. Click on `Security credentials` Tab 6. Compare the user 'Creation time` to the Access Key `Created` date. 6. For any that match, the key was created during initial user setup.- Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16 ``` 2. 
The output of this command will produce a table similar to the following: ``` user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_dateelise,false,true,2015-04-16T15:14:00+00:00,false,N/Abrandon,true,true,N/A,false,N/Arakesh,false,false,N/A,false,N/Ahelene,false,true,2015-11-18T17:47:00+00:00,false,N/Aparas,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A``` 3. For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.","RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:**From Console:**1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. As an Administrator - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used. 7. 
As an IAM User- Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.**From Command Line:** ``` aws iam delete-access-key --access-key-id  --user-name  ```","AdditionalInformation": "Credential report does not appear to contain \"Key Creation Date\""}],"description": "Do not setup access keys during initial user setup for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.12": {"name": "1.12","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if unused credentials exist:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM` 4. Click on `Users` 5. Click the `Settings` (gear) icon. 6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id` 7. Click on `Close`8. Check and ensure that `Console last sign-in` is less than 45 days ago.**Note** - `Never` means the user has never logged in.9. 
Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.**From Command Line:****Download Credential Report:**1. Run the following commands: ```aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^' ```**Ensure unused credentials do not exist:**2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.3. For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.- When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.","RemediationProcedure": "**From Console:**Perform the following to manage Unused Password (IAM user console access)1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select user whose `Console last sign-in` is greater than 45 days 7. Click `Security credentials` 8. In section `Sign-in credentials`, `Console password` click `Manage`9. Under Console Access select `Disable` 10.Click `Apply`Perform the following to deactivate Access Keys:1. Login to the AWS Management Console: 2. Click `Services`3. 
Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select any access keys that are over 45 days old and that have been used and - Click on `Make Inactive` 7. Select any access keys that are over 45 days old and that have not been used and - Click the X to `Delete`","AdditionalInformation": " is excluded in the audit since the root account should not be used for day to day business and would likely be unused for more than 45 days."}],"description": "Ensure credentials unused for 45 days or greater are disabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.13": {"name": "1.13","checks": {"iam_user_two_active_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. - Repeat steps no. 3 – 5 for each IAM user in your AWS account.**From Command Line:**1. 
Run `list-users` command to list all IAM users within your account: ``` aws iam list-users --query \"Users[*].UserName\" ``` The command output should return an array that contains all your IAM user names.2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user: ``` aws iam list-access-keys --user-name  ``` The command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.3. Check the `Status` property value for each key returned to determine each keys current state. If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.- Repeat steps no. 2 and 3 for each IAM user in your AWS account.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. 6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link. 7. 
If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key. 8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.**From Command Line:**1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user**Note** - the command does not return any output: ``` aws iam update-access-key --access-key-id  --status Inactive --user-name  ``` 3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User: ``` aws iam list-access-keys --user-name  ``` - The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.","AdditionalInformation": ""}],"description": "Ensure there is only one active access key available for any single IAM user","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.14": {"name": "1.14","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click `setting` icon 4. Select `Console last sign-in` 5. Click `Close` 6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.**From Command Line:**``` aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d ``` The `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. 
If the user does not have an active access key, the value in this field is N/A (not applicable).","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.","RemediationProcedure": "Perform the following to rotate access keys:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click on `Security Credentials`4. As an Administrator - Click on `Make Inactive` for keys that have not been rotated in `90` Days 5. As an IAM User- Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days 6. Click on `Create Access Key`7. Update programmatic call with new Access Key credentials**From Command Line:**1. While the first access key is still active, create a second access key, which is active by default. Run the following command: ``` aws iam create-access-key ```At this point, the user has two active access keys.2. Update all applications and tools to use the new access key. 3. Determine whether the first access key is still in use by using this command: ``` aws iam get-access-key-last-used ``` 4. One approach is to wait several days and then check the old access key for any use before proceeding.Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command: ``` aws iam update-access-key ``` 5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. 
If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command: ``` aws iam delete-access-key ```","AdditionalInformation": ""}],"description": "Ensure access keys are rotated every 90 days or less","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.15": {"name": "1.15","checks": {"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html","Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:1. Run the following to get a list of IAM users: ```aws iam list-users --query 'Users[*].UserName' --output text``` 2. For each user returned, run the following command to determine if any policies are attached to them: ```aws iam list-attached-user-policies --user-name aws iam list-user-policies --user-name ``` 3. 
If any policies are returned, the user has an inline policy or direct policy attachment.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.","RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups` and then click `Create New Group` . 3. In the `Group Name` box, type the name of the group and then click `Next Step` . 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` . 5. Click `Create Group` Perform the following to add a user to a given group:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups`3. Select the group to add a user to 4. Click `Add Users To Group`5. Select the users to be added to the group 6. Click `Add Users` Perform the following to remove a direct association between a user and policy:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left navigation pane, click on Users 3. 
For each user:- Select the user- Click on the `Permissions` tab- Expand `Permissions policies` - Click `X` for each policy; then click Detach or Remove (depending on policy type)","AdditionalInformation": ""}],"description": "Ensure IAM Users Receive Permissions Only Through Groups","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.16": {"name": "1.16","checks": {"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam","Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges.","DefaultValue": null,"AuditProcedure": "Perform the following to determine what policies are created:**From Command Line:**1. Run the following to get a list of IAM policies: ```aws iam list-policies --only-attached --output text ``` 2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account: ```aws iam get-policy-version --policy-arn  --version-id  ``` 3. 
In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.","RemediationProcedure": "**From Console:**Perform the following to detach the policy that has full administrative privileges:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click Policies and then search for the policy name found in the audit step. 3. Select the policy that needs to be deleted. 4. In the policy action menu, select first `Detach`5. Select all Users, Groups, Roles that have this policy attached 6. Click `Detach Policy`7. In the policy action menu, select `Detach` **From Command Line:**Perform the following to detach the policy that has full administrative privileges as found in the audit step:1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.```aws iam list-entities-for-policy --policy-arn  ``` 2. Detach the policy from all IAM Users: ```aws iam detach-user-policy --user-name  --policy-arn  ``` 3. Detach the policy from all IAM Groups: ```aws iam detach-group-policy --group-name  --policy-arn  ``` 4. 
Detach the policy from all IAM Roles: ```aws iam detach-role-policy --role-name  --policy-arn  ```","AdditionalInformation": ""}],"description": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.17": {"name": "1.17","checks": {"iam_support_role_created": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html","Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.","DefaultValue": null,"AuditProcedure": "**From Command Line:**1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value: ``` aws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\" ``` 2. Check if the 'AWSSupportAccess' policy is attached to any role:``` aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess ```3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'If it returns empty refer to the remediation below.","ImpactStatement": "All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. 
Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month's AWS usage charges, subject to a monthly minimum, billed in advance.","AssessmentStatus": "Automated","RationaleStatement": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.","RemediationProcedure": "**From Command Line:**1. Create an IAM role for managing incidents with AWS:- Create a trust relationship policy document that allows  to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json: ```{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"\"},\"Action\": \"sts:AssumeRole\"}]} ``` 2. Create the IAM role using the above trust policy: ``` aws iam create-role --role-name  --assume-role-policy-document file:///tmp/TrustPolicy.json ``` 3. Attach 'AWSSupportAccess' managed policy to the created IAM role: ``` aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name  ```","AdditionalInformation": "AWSSupportAccess policy is a global AWS resource. It has same ARN as `arn:aws:iam::aws:policy/AWSSupportAccess` for every account."}],"description": "Ensure a support role has been created to manage incidents with AWS Support","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.18": {"name": "1.18","checks": {"ec2_instance_profile_attached": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html","Description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.","DefaultValue": null,"AuditProcedure": "Where an instance is associated with a Role:For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose \"Instances\" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.Where an Instance Contains Embedded Credentials:- On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.Where an Instance Application Contains Embedded Credentials:- Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. 
Another method is to examine all source code and configuration files of the application.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.","RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known. 2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected. 3. Shutdown both the existing instance and the new instance. 4. Detach disks from both instances. 5. Attach the existing instance disks to the new instance. 6. 
Boot the new instance and you should have the same machine, but with the associated role.**Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.**Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.","AdditionalInformation": ""}],"description": "Ensure IAM instance roles are used for AWS resource access from instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.19": {"name": "1.19","checks": {"iam_no_expired_server_certificates_stored": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html","Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. 
Additionally, you cannot manage your certificates from the IAM Console.","DefaultValue": null,"AuditProcedure": "**From Console:**Getting the certificates expiration information via AWS Management Console is not currently supported.To request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**Run list-server-certificates command to list all the IAM-stored server certificates:``` aws iam list-server-certificates ```The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):``` {\"ServerCertificateMetadataList\": [{\"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",\"ServerCertificateName\": \"MyServerCertificate\",\"Expiration\": \"2018-07-10T23:59:59Z\",\"Path\": \"/\",\"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",\"UploadDate\": \"2018-06-10T11:56:08Z\"}] } ```Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.If this command returns: ``` { { \"ServerCertificateMetadataList\": [] } ``` This means that there are no expired certificates, It DOES NOT mean that no certificates exist.","ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. 
One has to make configurations at respective services to ensure there is no interruption in application functionality.","AssessmentStatus": "Automated","RationaleStatement": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.","RemediationProcedure": "**From Console:**Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**To delete Expired Certificate run following command by replacing  with the name of the certificate to delete:``` aws iam delete-server-certificate --server-certificate-name  ```When the preceding command is successful, it does not return any output.","AdditionalInformation": ""}],"description": "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.20": {"name": "1.20","checks": {"accessanalyzer_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html","Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. 
Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Open the IAM console at `https://console.aws.amazon.com/iam/` 2. Choose `Access analyzer` 3. Click 'Analyzers' 4. Ensure that at least one analyzer is present 5. Ensure that the `STATUS` is set to `Active` 6. Repeat these step for each active region**From Command Line:**1. Run the following command: ``` aws accessanalyzer list-analyzers | grep status ``` 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`3. Repeat the steps above for each active region.If an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.","RemediationProcedure": "**From Console:**Perform the following to enable IAM Access analyzer for IAM policies:1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 2. Choose `Access analyzer`. 3. Choose `Create analyzer`. 4. 
On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer. 5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`. 6. Add any tags that you want to apply to the analyzer. `Optional`.7. Choose `Create Analyzer`. 8. Repeat these step for each active region**From Command Line:**Run the following command: ``` aws accessanalyzer create-analyzer --analyzer-name  --type  ``` Repeat this command above for each active region.**Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.","AdditionalInformation": ""}],"description": "Ensure that IAM Access analyzer is enabled for all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.21": {"name": "1.21","checks": {"iam_check_saml_providers_sts": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "","Description": "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.","DefaultValue": null,"AuditProcedure": "For multi-account AWS environments with an external identity provider... 1. Determine the master account for identity federation or IAM user management 2. Login to that account through the AWS Management Console 3. Click `Services`4. Click `IAM`5. Click `Identity providers` 6. Verify the configurationThen..., determine all accounts that should not have local users present. For each account...1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. 
Confirm that no IAM users representing individuals are presentFor multi-account AWS environments implementing AWS Organizations without an external identity provider... 1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. Confirm that no IAM users representing individuals are present","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.","RemediationProcedure": "The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.","AdditionalInformation": ""}],"description": "Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.10": {"name": "3.10","checks": {"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/` 2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine. 3. 
Review `General details` 4. Confirm that `Multi-region trail` is set to `Yes` 5. Scroll down to `Data events` 6. Confirm that it reads: Data events: S3 Bucket Name: All current and future S3 buckets Read: Enabled Write: Enabled 7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail. If the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.**From Command Line:**1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions: ``` aws cloudtrail list-trails ``` 2. The command output will be a list of all the trail names to include. \"TrailARN\": \"arn:aws:cloudtrail:::trail/\", \"Name\": \"\", \"HomeRegion\": \"\" 3. Next run 'get-trail- command to determine Multi-region. ``` aws cloudtrail get-trail --name  --region  ``` 4. The command output should include: \"IsMultiRegionTrail\": true, 5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 6. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. \"Type\": \"AWS::S3::Object\",\"Values\": [\"arn:aws:s3\" 7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered. 
If Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled. 6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.**From Command Line:**1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. 
Repeat step 1 for each s3 bucket to update `object-level` logging of write events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for write events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.11": {"name": "3.11","checks": {"cloudtrail_s3_dataevents_read_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set. 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.**From Command Line:** 1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: ``` aws cloudtrail describe-trails --region  --output table --query trailList[*].Name ``` 2. The command output will be table of the requested trail names. 3. 
Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. 5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. 7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. 
Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled. 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.**From Command Line:** 1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for read events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.10": {"name": "4.10","checks": {"cloudwatch_log_metric_filter_security_group_changes": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '']\" ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"\" --filter-name \"\" --metric-transformations metricName= \"\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name \"\" ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn \"\" --protocol  --notification-endpoint \"\" ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"\" --metric-name \"\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"\" ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for security group changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.11": {"name": "4.11","checks": {"cloudwatch_changes_to_network_acls_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.12": {"name": "4.12","checks": {"cloudwatch_changes_to_network_gateways_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to network gateways","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.13": {"name": "4.13","checks": {"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for route table changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for route table changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.14": {"name": "4.14","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for VPC changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.15": {"name": "4.15","checks": {"cloudwatch_log_metric_filter_aws_organizations_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.","DefaultValue": null,"AuditProcedure": "1. 
Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured: - Identify the log group name configured for use with active multi-region CloudTrail: - List all CloudTrails:``` aws cloudtrail describe-trails ``` - Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true - From value associated with CloudWatchLogsLogGroupArn note **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active: ``` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events: ``` aws cloudtrail get-event-selectors --trail-name  ``` - Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.2. Get a list of all associated metric filters for this : ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\" ``` 4. 
Note the `` value associated with the filterPattern found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4: ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the AlarmActions value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic: ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. Example of valid \"SubscriptionArn\":``` \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `` taken from audit step 1: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }' ``` **Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify: ``` aws sns create-topic --name  ``` **Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2: ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2: ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": ""}],"description": "Ensure a log metric filter and alarm exists for AWS Organizations changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.16": {"name": "4.16","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-get-started.html:https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-api:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/enable-security-hub.html","Description": "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.","DefaultValue": null,"AuditProcedure": "The process to evaluate AWS Security Hub configuration per region **From Console:**1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. 2. On the top right of the console, select the target Region. 3. If presented with the Security Hub > Summary page then Security Hub is set-up for the selected region. 4. 
If presented with Setup Security Hub or Get Started With Security Hub - follow the online instructions. 5. Repeat steps 2 to 4 for each region.","ImpactStatement": "It is recommended AWS Security Hub be enabled in all regions. AWS Security Hub requires AWS Config to be enabled.","AssessmentStatus": "Automated","RationaleStatement": "AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices - enabling you to quickly assess the security posture across your AWS accounts.","RemediationProcedure": "To grant the permissions required to enable Security Hub, attach the Security Hub managed policy AWSSecurityHubFullAccess to an IAM user, group, or role.Enabling Security Hub**From Console:**1. Use the credentials of the IAM identity to sign in to the Security Hub console. 2. When you open the Security Hub console for the first time, choose Enable AWS Security Hub. 3. On the welcome page, Security standards list the security standards that Security Hub supports. 4. Choose Enable Security Hub.**From Command Line:**1. Run the enable-security-hub command. To enable the default standards, include `--enable-default-standards`. ``` aws securityhub enable-security-hub --enable-default-standards ```2. To enable the security hub without the default standards, include `--no-enable-default-standards`. ``` aws securityhub enable-security-hub --no-enable-default-standards ```","AdditionalInformation": ""}],"description": "Ensure AWS Security Hub is enabled","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.1": {"name": "2.1.1","checks": {"s3_bucket_default_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. 
Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html:https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources","Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select a Bucket. 3. Click on 'Properties'. 4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. Run command to list buckets ``` aws s3 ls ``` 2. For each bucket, run``` aws s3api get-bucket-encryption --bucket  ``` 3. Verify that either``` \"SSEAlgorithm\": \"AES256\" ```or``` \"SSEAlgorithm\": \"aws:kms\"```is displayed.","ImpactStatement": "Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select a Bucket. 3. Click on 'Properties'. 4. Click edit on `Default Encryption`. 5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 6. Click `Save` 7. 
Repeat for all the buckets in your AWS account lacking encryption.**From Command Line:**Run either``` aws s3api put-bucket-encryption --bucket  --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}' ```or``` aws s3api put-bucket-encryption --bucket  --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}' ```**Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.","AdditionalInformation": "S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does **not** encrypt objects previously stored within the bucket."}],"description": "Ensure all S3 buckets employ encryption-at-rest","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.2": {"name": "2.1.2","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "2.1. Simple Storage Service (S3)","References": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html","Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.","DefaultValue": null,"AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. 
So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions', then Click on `Bucket Policy`. 4. Ensure that a policy is listed that matches: ``` '{\"Sid\": ,\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}' ``` `` and `` will be specific to your account5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets``` aws s3 ls ``` 2. Using the list of buckets run this command on each of them: ``` aws s3api get-bucket-policy --bucket  | grep aws:SecureTransport ``` 3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false` 4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions'. 4. Click 'Bucket Policy' 5. Add this to the existing policy filling in the required information ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 6. Save 7. 
Repeat for all the buckets in your AWS account that contain sensitive data.**From Console** using AWS Policy Generator:1. Repeat steps 1-4 above. 2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor 3. Select Policy Type `S3 Bucket Policy` 4. Add Statements - `Effect` = Deny - `Principal` = * - `AWS Service` = Amazon S3 - `Actions` = * - `Amazon Resource Name` =  5. Generate Policy 6. Copy the text and add it to the Bucket Policy.**From Command Line:**1. Export the bucket policy to a json file. ``` aws s3api get-bucket-policy --bucket  --query Policy --output text > policy.json ```2. Modify the policy.json file by adding in this statement: ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 3. Apply this modified policy back to the S3 bucket: ``` aws s3api put-bucket-policy --bucket  --policy file://policy.json ```","AdditionalInformation": ""}],"description": "Ensure S3 Bucket Policy is set to deny HTTP requests","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.3": {"name": "2.1.3","checks": {"s3_bucket_no_mfa_delete": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html","Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","DefaultValue": null,"AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket**From Console:**1. 
Login to the S3 console at `https://console.aws.amazon.com/s3/`2. Click the `Check` box next to the Bucket name you want to confirm3. In the window under `Properties`4. Confirm that Versioning is `Enabled`5. Confirm that MFA Delete is `Enabled`**From Command Line:**1. Run the `get-bucket-versioning` ``` aws s3api get-bucket-versioning --bucket my-bucket ```Output example: ```  EnabledEnabled ```If the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.","RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.Note: -You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API. -You must use your 'root' account to enable MFA Delete on S3 buckets.**From Command line:**1. Run the s3api put-bucket-versioning command``` aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” ```","AdditionalInformation": ""}],"description": "Ensure MFA Delete is enabled on S3 buckets","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.4": {"name": "2.1.4","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. 
Simple Storage Service (S3)","References": "https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html","Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.","DefaultValue": null,"AuditProcedure": "Perform the following steps to determine if Macie is running:**From Console:** 1. Login to the Macie console at https://console.aws.amazon.com/macie/ 2. In the left hand pane click on By job under findings. 3. Confirm that you have a Job setup for your S3 BucketsWhen you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.","ImpactStatement": "There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.","AssessmentStatus": "Manual","RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.","RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie**From Console:**1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`2. Click `Get started`.3. Click `Enable Macie`.Setup a repository for sensitive data discovery results1. 
In the Left pane, under Settings, click `Discovery results`.2. Make sure `Create bucket` is selected.3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.4. Click on `Advanced`.5. Block all public access, make sure `Yes` is selected.6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.7. Click on `Save`Create a job to discover sensitive data1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.2. Select the `check box` for each bucket that you want Macie to analyze as part of the job3. Click `Create job`.3. Click `Quick create`.4. For the Name and description step, enter a name and, optionally, a description of the job.5. Then click `Next`.6. For the Review and create step, click `Submit`.Review your findings1. In the left pane, click `Findings`.2. To view the details of a specific finding, choose any field other than the check box for the finding.If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.","AdditionalInformation": ""}],"description": "Ensure all data in Amazon S3 has been discovered, classified and secured when required.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.5": {"name": "2.1.5","checks": {"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.1. 
Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html","Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.","DefaultValue": null,"AuditProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Ensure that block public access settings are set appropriately for this bucket 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Find the public access setting on that bucket ``` aws s3api get-public-access-block --bucket  ``` Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"BlockPublicAcls\": true,\"IgnorePublicAcls\": true,\"BlockPublicPolicy\": true,\"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.**If utilizing Block Public Access (account settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block public access (account settings)` 3. 
Ensure that block public access settings are set appropriately for your AWS account.**From Command Line:**To check Public access settings for this account status, run the following command, `aws s3control get-public-access-block --account-id  --region `Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"IgnorePublicAcls\": true, \"BlockPublicPolicy\": true, \"BlockPublicAcls\": true, \"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.","ImpactStatement": "When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.","AssessmentStatus": "Automated","RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s). Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.","RemediationProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Click 'Block all public access' 5. Repeat for all the buckets in your AWS account that contain sensitive data.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. 
Set the Block Public Access to true on that bucket ``` aws s3api put-public-access-block --bucket  --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\" ```**If utilizing Block Public Access (account settings)****From Console:**If the output reads `true` for the separate configuration settings then it is set on the account.1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block Public Access (account settings)` 3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account 4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons. 5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.**From Command Line:**To set Block Public access settings for this account, run the following command: ``` aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id  ```","AdditionalInformation": ""}],"description": "Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.2.1": {"name": "2.2.1","checks": {"ec2_ebs_volume_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.2. Elastic Compute Cloud (EC2)","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html:https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/","Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 get-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Review every region in-use.**Note:** EBS volume encryption is configured per region.","ImpactStatement": "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption` 6. Repeat for every region requiring the change.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 enable-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Repeat every region requiring the change.**Note:** EBS volume encryption is configured per region.","AdditionalInformation": "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are **not** converted automatically."}],"description": "Ensure EBS Volume Encryption is Enabled in all Regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.1": {"name": "2.3.1","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html:https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/#:~:text=With%20RDS%2Dencrypted%20resources%2C%20data,transparent%20to%20your%20database%20engine.:https://aws.amazon.com/rds/features/security/","Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/ 2. In the navigation pane, under RDS dashboard, click `Databases`. 3. Select the RDS Instance that you want to examine 4. Click `Instance Name` to see details, then click on `Configuration` tab. 5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status. 6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance. 7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region. 8. Change region from the top of the navigation bar and repeat audit for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. 
Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ``` 3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance. 4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases` 3. Select the Database instance that needs to be encrypted. 4. Click on `Actions` button placed at the top right and select `Take Snapshot`. 5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`. 6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu. 7. On the Make Copy of DB Snapshot page, perform the following:- In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`. - Check `Copy Tags`, New snapshot must have the same tags as the source snapshot. 
- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot. 9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance. 10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field. 11. Review the instance configuration details and click `Restore DB Instance`. 12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name. ``` aws rds create-db-snapshot --region  --db-snapshot-identifier  --db-instance-identifier  ``` 3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key. ``` aws kms list-aliases --region  ``` 4. 
Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`. ``` aws rds copy-db-snapshot --region  --source-db-snapshot-identifier  --target-db-snapshot-identifier  --copy-tags --kms-key-id  ``` 5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration. ``` aws rds restore-db-instance-from-db-snapshot --region  --db-instance-identifier  --db-snapshot-identifier  ``` 6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ```","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for RDS Instances","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.3.2": {"name": "2.3.2","checks": {"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to examine. 4. Click on the `Maintenance and backups` panel. 5. Under the `Maintenance` section, search for the Auto Minor Version Upgrade status. - If the current status is set to `Disabled`, means the feature is not set and the minor engine upgrades released will not be applied to the selected RDS instance**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run again `describe-db-instances` command using the RDS instance identifier returned earlier to determine the Auto Minor Version Upgrade status for the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 4. The command output should return the feature current status. 
If the current status is set to `true`, the feature is enabled and the minor engine upgrades will be applied to the selected RDS instance.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS RDS will occasionally deprecate minor engine versions and provide new ones for an upgrade. When the last version number within the release is replaced, the version changed is considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades will occur automatically during the specified maintenance window so your RDS instances can get the new features, bug fixes, and security patches for their database engines.","RemediationProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to update. 4. Click on the `Modify` button placed on the top right side. 5. On the `Modify DB Instance: ` page, In the `Maintenance` section, select `Auto minor version upgrade` click on the `Yes` radio button. 6. At the bottom of the page click on `Continue`, check to Apply Immediately to apply the changes immediately, or select `Apply during the next scheduled maintenance window` to avoid any downtime. 7. Review the changes and click on `Modify DB Instance`. The instance status should change from available to modifying and back to available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should change to `Yes`.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database instance names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. 
Run the `modify-db-instance` command to modify the selected RDS instance configuration this command will apply the changes immediately, Remove `--apply-immediately` to apply changes during the next scheduled maintenance window and avoid any downtime: ``` aws rds modify-db-instance --region  --db-instance-identifier  --auto-minor-version-upgrade --apply-immediately ``` 4. The command output should reveal the new configuration metadata for the RDS instance and check `AutoMinorVersionUpgrade` parameter value. 5. Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has been successfully enable: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 6. The command output should return the feature current status set to `true`, the feature is `enabled` and the minor engine upgrades will be applied to the selected RDS instance.","AdditionalInformation": ""}],"description": "Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.3": {"name": "2.3.3","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to examine. 4. Click `Instance Name` from the dashboard, Under `Connectivity and Security. 5. On the `Security`, check if the Publicly Accessible flag status is set to `Yes`, follow the below-mentioned steps to check database subnet access. - In the `networking` section, click the subnet link available under `Subnets` - The link will redirect you to the VPC Subnets page. - Select the subnet listed on the page and click the `Route Table` tab from the dashboard bottom panel. If the route table contains any entries with the destination `CIDR block set to 0.0.0.0/0` and with an `Internet Gateway` attached. - The selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and can be accessible from the Internet. 6. Repeat steps no. 4 and 5 to determine the type (public or private) and subnet for other RDS database instances provisioned in the current region. 8. Change the AWS region from the navigation bar and repeat the audit process for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance `identifier`. 3. Run again `describe-db-instances` command using the `PubliclyAccessible` parameter as query filter to reveal the database instance Publicly Accessible flag status: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].PubliclyAccessible' ``` 4. Check for the Publicly Accessible parameter status, If the Publicly Accessible flag is set to `Yes`. 
Then selected RDS database instance is publicly accessible and insecure, follow the below-mentioned steps to check database subnet access 5. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC subnet(s) associated with the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.Subnets[]' ``` - The command output should list the subnets available in the selected database subnet group. 6. Run `describe-route-tables` command using the ID of the subnet returned at the previous step to describe the routes of the VPC route table associated with the selected subnet: ``` aws ec2 describe-route-tables --region  --filters \"Name=association.subnet-id,Values=\" --query 'RouteTables[*].Routes[]' ``` - If the command returns the route table associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet. - Or - If the command returns empty results, the route table is implicitly associated with subnet, therefore the audit process continues with the next step 7. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC ID associated with the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.VpcId' ``` - The command output should show the VPC ID in the selected database subnet group 8. 
Now run `describe-route-tables` command using the ID of the VPC returned at the previous step to describe the routes of the VPC main route table implicitly associated with the selected subnet: ``` aws ec2 describe-route-tables --region  --filters \"Name=vpc-id,Values=\" \"Name=association.main,Values=true\" --query 'RouteTables[*].Routes[]' ``` - The command output returns the VPC main route table implicitly associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and does not adhere to AWS security best practices.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.","RemediationProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to update. 4. Click `Modify` from the dashboard top menu. 5. On the Modify DB Instance panel, under the `Connectivity` section, click on `Additional connectivity configuration` and update the value for `Publicly Accessible` to Not publicly accessible to restrict public access. 
Follow the below steps to update subnet configurations: - Select the `Connectivity and security` tab, and click on the VPC attribute value inside the `Networking` section. - Select the `Details` tab from the VPC dashboard bottom panel and click on Route table configuration attribute value. - On the Route table details page, select the Routes tab from the dashboard bottom panel and click on `Edit routes`. - On the Edit routes page, update the Destination of Target which is set to `igw-xxxxx` and click on `Save` routes. 6. On the Modify DB Instance panel Click on `Continue` and In the Scheduling of modifications section, perform one of the following actions based on your requirements: - Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window. - Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application. 7. Repeat steps 3 to 6 for each RDS instance available in the current region. 8. Change the AWS region from the navigation bar to repeat the process for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names identifiers, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run `modify-db-instance` command to modify the selected RDS instance configuration. Then use the following command to disable the `Publicly Accessible` flag for the selected RDS instances. This command use the apply-immediately flag. 
If you want `to avoid any downtime --no-apply-immediately flag can be used`: ``` aws rds modify-db-instance --region  --db-instance-identifier  --no-publicly-accessible --apply-immediately ``` 4. The command output should reveal the `PubliclyAccessible` configuration under pending values and should get applied at the specified time. 5. Updating the Internet Gateway Destination via AWS CLI is not currently supported To update information about Internet Gateway use the AWS Console Procedure. 6. Repeat steps 1 to 5 for each RDS instance provisioned in the current region. 7. Change the AWS region by using the --region filter to repeat the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that public access is not given to RDS Instance","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.4.1": {"name": "2.4.1","checks": {"efs_encryption_at_rest_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.4 Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/efs/index.html#efs","Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).","DefaultValue": null,"AuditProcedure": "**From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS) dashboard. 2. Select `File Systems` from the left navigation panel. 3. Each item on the list has a visible Encrypted field that displays data at rest encryption status. 4. Validate that this field reads `Encrypted` for all EFS file systems in all AWS regions.**From CLI:** 1. Run describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region: ``` aws efs describe-file-systems --region  --output table --query 'FileSystems[*].FileSystemId' ``` 2. 
The command output should return a table with the requested file system IDs. 3. Run describe-file-systems command using the ID of the file system that you want to examine as identifier and the necessary query filters: ``` aws efs describe-file-systems --region  --file-system-id  --query 'FileSystems[*].Encrypted' ``` 4. The command output should return the file system encryption status true or false. If the returned value is `false`, the selected AWS EFS file system is not encrypted and if the returned value is `true`, the selected AWS EFS file system is encrypted.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.","RemediationProcedure": "**It is important to note that EFS file system data at rest encryption must be turned on when creating the file system.**If an EFS file system has been created without data at rest encryption enabled then you must create another EFS file system with the correct configuration and transfer the data.**Steps to create an EFS file system with data encrypted at rest:****From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS)` dashboard. 2. Select `File Systems` from the left navigation panel. 3. Click `Create File System` button from the dashboard top menu to start the file system setup process. 4. On the `Configure file system access` configuration page, perform the following actions. - Choose the right VPC from the VPC dropdown list. - Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets. - Click `Next step` to continue.5. Perform the following on the `Configure optional settings` page. - Create `tags` to describe your new file system. - Choose `performance mode` based on your requirements. 
- Check `Enable encryption` checkbox and choose `aws/elasticfilesystem` from Select KMS master key dropdown list to enable encryption for the new file system using the default master key provided and managed by AWS KMS. - Click `Next step` to continue.6. Review the file system configuration details on the `review and create` page and then click `Create File System` to create your new AWS EFS file system. 7. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 8. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. 9. Change the AWS region from the navigation bar and repeat the entire process for other aws regions.**From CLI:** 1. Run describe-file-systems command to describe the configuration information available for the selected (unencrypted) file system (see Audit section to identify the right resource): ``` aws efs describe-file-systems --region  --file-system-id  ``` 2. The command output should return the requested configuration information. 3. To provision a new AWS EFS file system, you need to generate a universally unique identifier (UUID) in order to create the token required by the create-file-system command. To create the required token, you can use a randomly generated UUID from \"https://www.uuidgenerator.net\". 4. Run create-file-system command using the unique token created at the previous step. ``` aws efs create-file-system --region  --creation-token  --performance-mode generalPurpose --encrypted ``` 5. The command output should return the new file system configuration metadata. 6. Run create-mount-target command using the newly created EFS file system ID returned at the previous step as identifier and the ID of the Availability Zone (AZ) that will represent the mount target: ``` aws efs create-mount-target --region  --file-system-id  --subnet-id  ``` 7. The command output should return the new mount target metadata. 8. 
Now you can mount your file system from an EC2 instance. 9. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 10. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. ``` aws efs delete-file-system --region  --file-system-id  ``` 11. Change the AWS region by updating the --region and repeat the entire process for other aws regions.","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for EFS file systems","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 52,"requirements_failed": 11,"requirements_manual": 0,"total_requirements": 63,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "407c3a08-81aa-4d24-9aca-46a0904f4b1d","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_account_security_onboarding_aws","framework": "AWS-Account-Security-Onboarding","version": "","description": "Checklist when onboarding new AWS Accounts to existing AWS Organization.","region": "eu-west-1","requirements": {"S3 protection": {"name": "S3 protection","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "S3","SubGroup": null,"SubSection": null}],"description": "Protection using S3","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"RDS protection": {"name": "RDS protection","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Protection for RDS instances","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Block root user": {"name": 
"Block root user","checks": {"iam_avoid_root_usage": null,"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "SCPs","Service": "IAM","SubGroup": null,"SubSection": "Apply existing SCPs based on OU placement"}],"description": "Block root user","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"Malware Scanning": {"name": "Malware Scanning","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Conducting a Comprehensive Scan for Malicious Software","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Threat Detection": {"name": "Threat Detection","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Detection of Threats in your AWS environment","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Lambda protection": {"name": "Lambda protection","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "Lambda","SubGroup": null,"SubSection": null}],"description": "Protection using Lambda","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Runtime protection": {"name": "Runtime protection","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Optional","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Brand new and in need of thorough testing.","checks_status": {"fail": 1,"pass": 
1,"total": 2,"manual": 0}},"Predefine IAM Roles": {"name": "Predefine IAM Roles","checks": {"iam_support_role_created": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_role_cross_service_confused_deputy_prevention": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "IAM","SubGroup": null,"SubSection": null}],"description": "Check if exists predefine IAM Roles","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"Block unused regions": {"name": "Block unused regions","checks": {"organizations_scp_check_deny_regions": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "SCPs","Service": "IAM","SubGroup": null,"SubSection": "Apply existing SCPs based on OU placement"}],"description": "Block unsued regions","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"S3 Block Public Access": {"name": "S3 Block Public Access","checks": {"s3_bucket_public_access": null,"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "S3","SubGroup": null,"SubSection": null}],"description": "Block public access to S3 buckets","checks_status": {"fail": 0,"pass": 1,"total": 3,"manual": 0}},"Organization invitation": {"name": "Organization invitation","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "Organizations","SubGroup": null,"SubSection": null}],"description": "Check if organization invitation is enabled","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Additional managed rules": {"name": "Additional managed rules","checks": {},"status": "PASS","attributes": [{"Type": "Discuss","ItemId": 
null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Supplementary managed rules","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Blanket rate-based rules": {"name": "Blanket rate-based rules","checks": {},"status": "PASS","attributes": [{"Type": "Must","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Establishing rules based on a standardized, all-encompassing rate.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Restrict instances types": {"name": "Restrict instances types","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "SCPs","Service": "IAM","SubGroup": null,"SubSection": "Apply existing SCPs based on OU placement"}],"description": "Restrict instances types","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Alert on IAM user changes": {"name": "Alert on IAM user changes","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "CloudTrail","SubGroup": null,"SubSection": "CloudTrail"}],"description": "Alert on IAM user changes","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enabled security services": {"name": "Enabled security services","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","accessanalyzer_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "SecurityServices","SubGroup": null,"SubSection": null}],"description": "Check if security services are enabled","checks_status": {"fail": 0,"pass": 4,"total": 4,"manual": 0}},"Alert on blocked DNS query": {"name": "Alert on blocked DNS query","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": 
null,"Section": "Alerting","Service": "Route53","SubGroup": null,"SubSection": "R53 DNS Resolver"}],"description": "Notify when a DNS query is obstructed.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Alert on each High finding": {"name": "Alert on each High finding","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Alerting","Service": "GuardDuty","SubGroup": null,"SubSection": "GuardDuty"}],"description": "Checks that GuardDuty is enabled and configured to send High findings to CloudWatch Events","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"Disable AMI public sharing": {"name": "Disable AMI public sharing","checks": {"ec2_ami_public": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "EC2","SubGroup": null,"SubSection": null}],"description": "Disable AMI public sharing","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Add custom SCPs if required": {"name": "Add custom SCPs if required","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "SCPs","Service": "IAM","SubGroup": null,"SubSection": null}],"description": "Add custom SCPs if required","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Scoped-down rate-based rules": {"name": "Scoped-down rate-based rules","checks": {"elbv2_waf_acl_attached": "FAIL","cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": "Discuss","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Rate-based rules with a narrowed scope","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"Global allow - and block-lists": {"name": "Global allow - and block-lists","checks": {"elbv2_waf_acl_attached": 
"FAIL","cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Establishing International Lists for Permissions and Restrictions","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"Service-unique exclusion rules": {"name": "Service-unique exclusion rules","checks": {"elbv2_waf_acl_attached": "FAIL","cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Exclusion rules specific to the service provided.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"Alert on snapshot manipulations": {"name": "Alert on snapshot manipulations","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "CloudTrail","SubGroup": null,"SubSection": "CloudTrail"}],"description": "Alert when a snapshot is manipulated","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"EKS protection (if EKS is used)": {"name": "EKS protection (if EKS is used)","checks": {},"status": "PASS","attributes": [{"Type": "Optional","ItemId": null,"Section": "Enable GuardDuty","Service": "EKS","SubGroup": null,"SubSection": null}],"description": "Enhanced Kubernetes Security (EKS) protection, if the Kubernetes service is employed.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Predefined set of managed rules": {"name": "Predefined set of managed rules","checks": {"elbv2_waf_acl_attached": "FAIL","cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": 
null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "A pre-established collection of rules under management control.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"Alerts based on rate-based rules": {"name": "Alerts based on rate-based rules","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "WAF","SubGroup": null,"SubSection": "WAF"}],"description": "Notifications triggered by rate-based regulations","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Use strictly AWS VPC DNS resolver": {"name": "Use strictly AWS VPC DNS resolver","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "R53 DNS Resolver Firewall","Service": "Route53","SubGroup": null,"SubSection": null}],"description": "Exclusively Employ Amazon Web Services (AWS) Virtual Private Cloud (VPC) DNS Resolver","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Alert based on DDoSDetected metric": {"name": "Alert based on DDoSDetected metric","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "Shield","SubGroup": null,"SubSection": "Shield"}],"description": "Generate an alert triggered by the detection of a DDoS attack based on the DDoSDetected metric.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enable and configure AWS Inspector": {"name": "Enable and configure AWS Inspector","checks": {"inspector2_is_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Vulnerability Scanning","Service": "EC2","SubGroup": null,"SubSection": "EC2 used as servers"}],"description": "Enable and set up AWS Inspector.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"IDC integration, SSO configuration": {"name": "IDC integration, SSO configuration","checks": 
{},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "IAM Identity Center","SubGroup": null,"SubSection": null}],"description": "Check if IDC integration and SSO configuration is enabled","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Send DNS Resolvers queries to SIEM": {"name": "Send DNS Resolvers queries to SIEM","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Logging","Service": "Logging","SubGroup": null,"SubSection": null}],"description": "Send DNS Resolvers queries to SIEM","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Alerts on raised cost anomaly events": {"name": "Alerts on raised cost anomaly events","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "Billing","SubGroup": null,"SubSection": "Cost Anomaly"}],"description": "Alert when cost anomaly events are raised","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enable as part of Organization trail": {"name": "Enable as part of Organization trail","checks": {"cloudtrail_multi_region_enabled": "PASS","cloudtrail_multi_region_enabled_logging_management_events": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "AWS Cloudtrail","Service": "CloudTrail","SubGroup": null,"SubSection": null}],"description": "Activate as a component of the Organization trail.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"Root user - distribution email + MFA": {"name": "Root user - distribution email + MFA","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "IAM","SubGroup": null,"SubSection": null}],"description": "Check if root user has distribution email and MFA 
enabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"Billing, emergency, security contacts": {"name": "Billing, emergency, security contacts","checks": {"account_maintain_current_contact_details": null,"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Deploy account from predefined IaC template","Service": "Billing","SubGroup": null,"SubSection": null}],"description": "Check if billing, emergency, security contacts are configured","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"Realert on inactivity in a set period": {"name": "Realert on inactivity in a set period","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "SecurityHub","SubGroup": null,"SubSection": "SecurityHub"}],"description": "Activate a re-alert system for detecting inactivity within a specified time frame.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Confirm that events are present in SIEM": {"name": "Confirm that events are present in SIEM","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Confirm that events are present in SIEM","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Create analyzers in each active regions": {"name": "Create analyzers in each active regions","checks": {"accessanalyzer_enabled": "PASS","accessanalyzer_enabled_without_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "IAM Access Analyzer","Service": "IAM Access Analyzer","SubGroup": null,"SubSection": null}],"description": "Establish analyzers within every active region.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Export metrics in 
centralized collector": {"name": "Export metrics in centralized collector","checks": {"wafv2_webacl_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "WAFv2","Service": "CloudWatch","SubGroup": null,"SubSection": null}],"description": "Exporting metrics to a centralized collector for comprehensive data aggregation.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"CFD + ALB + secret rotation architecture": {"name": "CFD + ALB + secret rotation architecture","checks": {"elbv2_waf_acl_attached": "FAIL","cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": "Deploy WAF setup for each public web service"}],"description": "Designing an Architecture for Computational Fluid Dynamics (CFD), Application Load Balancing (ALB), and Secret Rotation Integration","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"Critical alert on every root user activity": {"name": "Critical alert on every root user activity","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Alerting","Service": "CloudTrail","SubGroup": null,"SubSection": "CloudTrail"}],"description": "Send critical alert on every root user activity","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Consider enabling for critical buckets only": {"name": "Consider enabling for critical buckets only","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Macie","Service": "Macie","SubGroup": null,"SubSection": null}],"description": "Please contemplate activating this feature exclusively for essential or crucial buckets.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Alert on rise of ConsoleLoginFailures 
events": {"name": "Alert on rise of ConsoleLoginFailures events","checks": {"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Alerting","Service": "CloudTrail","SubGroup": null,"SubSection": "CloudTrail"}],"description": "Alert on rise ConsoleLoginFailures events","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Send VPC Flow Logs (only DENYs) to S3 bucket": {"name": "Send VPC Flow Logs (only DENYs) to S3 bucket","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Logging","Service": "Logging","SubGroup": null,"SubSection": null}],"description": "Send VPC Flow Logs (only DENYs) to S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"Critical alert on cloudtrail settings changes": {"name": "Critical alert on cloudtrail settings changes","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Alerting","Service": "CloudTrail","SubGroup": null,"SubSection": "CloudTrail"}],"description": "Send critical alert on cloudtrail settings changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Scan images for vulnerability on upload to ECR": {"name": "Scan images for vulnerability on upload to ECR","checks": {"inspector2_is_enabled": "FAIL","inspector2_active_findings_exist": "FAIL","ecr_registry_scan_images_on_push_enabled": "PASS","ecr_repositories_scan_images_on_push_enabled": "FAIL","ecr_repositories_scan_vulnerabilities_in_latest_image": null},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Vulnerability Scanning","Service": "ECR","SubGroup": null,"SubSection": "ECR used as docker images hub"}],"description": "Check uploaded images for vulnerabilities when adding them to the ECR (Elastic Container 
Registry).","checks_status": {"fail": 3,"pass": 1,"total": 5,"manual": 0}},"Alert on critical vulnerabilities in AMIs/Images": {"name": "Alert on critical vulnerabilities in AMIs/Images","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "Inspector","SubGroup": null,"SubSection": "Vulnerability Scanning"}],"description": "Notification regarding severe vulnerabilities detected in AMIs/Images.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Ban outbound DNS calls from all VPCs to ports 53": {"name": "Ban outbound DNS calls from all VPCs to ports 53","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "R53 DNS Resolver Firewall","Service": "Route53","SubGroup": null,"SubSection": null}],"description": "Prohibit all Virtual Private Clouds (VPCs) from initiating outbound DNS calls on port 53.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enable/disable additional standards and controls": {"name": "Enable/disable additional standards and controls","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS SecurityHub","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Implement SecurityHub Central Configuration across the organization.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Confirm that logs are present in S3 bucket and SIEM": {"name": "Confirm that logs are present in S3 bucket and SIEM","checks": {"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "AWS Cloudtrail","Service": "CloudTrail","SubGroup": null,"SubSection": null}],"description": "Verify the existence of logs within both the S3 bucket and the SIEM system.","checks_status": 
{"fail": 1,"pass": 0,"total": 3,"manual": 0}},"Alerts based on (at least) each new CRITICAL finding": {"name": "Alerts based on (at least) each new CRITICAL finding","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "SecurityHub","SubGroup": null,"SubSection": "SecurityHub"}],"description": "Alerts triggered by every new CRITICAL finding, at a minimum.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Apply suppression filters to disable useless findings": {"name": "Apply suppression filters to disable useless findings","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Implementing suppression filters to deactivate non-essential detections.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Enable continuous recording for most of the resources": {"name": "Enable continuous recording for most of the resources","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS Config","Service": "Config","SubGroup": null,"SubSection": null}],"description": "Activate continuous recording for the majority of resources.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Adopt incident response guide and prepared battle card": {"name": "Adopt incident response guide and prepared battle card","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "Shield","SubGroup": null,"SubSection": "Shield"}],"description": "Utilize the incident response manual and have the battle card ready for use.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Confirm that records are present in central aggregator": {"name": "Confirm that 
records are present in central aggregator","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS Config","Service": "Config","SubGroup": null,"SubSection": null}],"description": "Confirm that records are present in central aggregator","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Configure R53 health checks for all protected resources": {"name": "Configure R53 health checks for all protected resources","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "WAFv2","Service": "Route53","SubGroup": null,"SubSection": null}],"description": "Establishing Amazon Route 53 (R53) health checks to monitor the well-being of all safeguarded resources.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Export scan results as metrics in centralized collector": {"name": "Export scan results as metrics in centralized collector","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Vulnerability Scanning","Service": "ECR","SubGroup": null,"SubSection": "ECR used as docker images hub"}],"description": "Generate metric data from scan results and store it in a centralized collector.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Include in process of incident response based on events": {"name": "Include in process of incident response based on events","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Incorporate within the procedural framework of incident response, taking into account the triggering events.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Apply SecurityHub Central Configuration for Organization": {"name": "Apply SecurityHub Central 
Configuration for Organization","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS SecurityHub","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Apply SecurityHub Central Configuration for Organization","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Enable as part of central configuration for Organization": {"name": "Enable as part of central configuration for Organization","checks": {"guardduty_is_enabled": "PASS","guardduty_centrally_managed": "FAIL"},"status": "FAIL","attributes": [{"Type": "Must","ItemId": null,"Section": "Enable GuardDuty","Service": "GuardDuty","SubGroup": null,"SubSection": null}],"description": "Please verify the existence of records within the central aggregator.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"Deploy solution to alert on at least critical new findings": {"name": "Deploy solution to alert on at least critical new findings","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS SecurityHub","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Implement a solution to trigger alerts for newly identified critical issues at minimum.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Apply managed domain name lists for Resolver in block mode)": {"name": "Apply managed domain name lists for Resolver in block mode)","checks": {"route53_domains_transferlock_enabled": null,"route53_domains_privacy_protection_enabled": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "R53 DNS Resolver Firewall","Service": "Route53","SubGroup": null,"SubSection": null}],"description": "Utilize managed domain name lists within Resolver to implement block mode.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"Block tampering with 
security-related settings and services": {"name": "Block tampering with security-related settings and services","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "SCPs","Service": "IAM","SubGroup": null,"SubSection": "Apply existing SCPs based on OU placement"}],"description": "Block tampering with security-related settings and services","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enable Shield Advanced subscription for public facing account": {"name": "Enable Shield Advanced subscription for public facing account","checks": {"shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"shield_advanced_protection_in_internet_facing_load_balancers": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Shield Advanced","Service": "Shield Advanced","SubGroup": null,"SubSection": null}],"description": "Activate the Shield Advanced subscription for the publicly accessible account.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"Verify that events are present in SecurityHub aggregated view": {"name": "Verify that events are present in SecurityHub aggregated view","checks": {"securityhub_enabled": "PASS","accessanalyzer_enabled": "PASS","accessanalyzer_enabled_without_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "IAM Access Analyzer","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Confirm the presence of events within the aggregated view of SecurityHub.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"Configure sensitive fields redaction and send WAF logs to SIEM": {"name": "Configure sensitive fields redaction and send WAF logs 
to SIEM","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "WAFv2","Service": "WAFv2","SubGroup": null,"SubSection": null}],"description": "Configure the redaction of sensitive fields and transmit Web Application Firewall (WAF) logs to the Security Information and Event Management (SIEM) system.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Confirm that findings are being visible in the aggregated view": {"name": "Confirm that findings are being visible in the aggregated view","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS SecurityHub","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Please verify that the findings are visible when viewed in the aggregated perspective.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Send S3 access logs for critical buckets to separate S3 bucket": {"name": "Send S3 access logs for critical buckets to separate S3 bucket","checks": {"cloudtrail_s3_dataevents_write_enabled": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "Automated","ItemId": null,"Section": "Logging","Service": "Logging","SubGroup": null,"SubSection": null}],"description": "Send S3 access logs for critical buckets to separate S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"Consider periodic recording for some resources to optimize bill": {"name": "Consider periodic recording for some resources to optimize bill","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Enable AWS Config","Service": "Config","SubGroup": null,"SubSection": null}],"description": "Think about implementing scheduled monitoring for specific resources in order to maximize cost efficiency.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Create DDoS battle card with main 
info about protected services": {"name": "Create DDoS battle card with main info about protected services","checks": {"shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"shield_advanced_protection_in_internet_facing_load_balancers": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Shield Advanced","Service": "Shield Advanced","SubGroup": null,"SubSection": null}],"description": "Prepare a Detailed Distributed Denial of Service (DDoS) Battle Card Encompassing Key Information Regarding Safeguarded Services.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"Alerts based on high amount of blocked requests by managed rules": {"name": "Alerts based on high amount of blocked requests by managed rules","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "WAF","SubGroup": null,"SubSection": "WAF"}],"description": "Notifications triggered by a significant number of blocked requests as a result of managed rules.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Alerts based on aggregated findings with severity Medium and below": {"name": "Alerts based on aggregated findings with severity Medium and below","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Alerting","Service": "GuardDuty","SubGroup": null,"SubSection": "GuardDuty"}],"description": "Alert based on aggregated findings with severity Medium and below","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Create Cost Anomaly Detection monitors to alert spending anomalies": {"name": "Create Cost Anomaly Detection monitors to alert spending anomalies","checks": {},"status": "PASS","attributes": 
[{"Type": "Manual","ItemId": null,"Section": "Budget Alarms","Service": "CloudWatch","SubGroup": null,"SubSection": "QA"}],"description": "Establish monitoring systems for cost anomaly detection to promptly notify about unusual spending patterns.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Enable Shield Advanced automatic application layer DDoS mitigation": {"name": "Enable Shield Advanced automatic application layer DDoS mitigation","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "WAFv2","Service": "Shield Advanced","SubGroup": null,"SubSection": null}],"description": "Activate automatic application layer Distributed Denial of Service (DDoS) mitigation within Shield Advanced.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Apply custom threat list for GuardDuty to alert on access to DoH servers": {"name": "Apply custom threat list for GuardDuty to alert on access to DoH servers","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "R53 DNS Resolver Firewall","Service": "Route53","SubGroup": null,"SubSection": null}],"description": "Implement a customized threat list within GuardDuty to generate alerts when there is access to Domain Name System over HTTPS (DoH) servers.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Configure Budgets Actions to stop services in cases of big unexpected spendings": {"name": "Configure Budgets Actions to stop services in cases of big unexpected spendings","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Budget Alarms","Service": "SNS","SubGroup": null,"SubSection": "QA"}],"description": "Set up Budgets Actions to halt services when significant unexpected expenses occur.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"Ensure that there are no critical (and considered critical) findings present in account": {"name": "Ensure that there are no 
critical (and considered critical) findings present in account","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Enable AWS SecurityHub","Service": "SecurityHub","SubGroup": null,"SubSection": null}],"description": "Make certain that there are no critical findings, whether deemed critical or not, within the account.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"Deploy solution to periodically rescan currently used images and report found vulnerabilities": {"name": "Deploy solution to periodically rescan currently used images and report found vulnerabilities","checks": {"ecr_repositories_scan_vulnerabilities_in_latest_image": null},"status": "PASS","attributes": [{"Type": "Automated","ItemId": null,"Section": "Vulnerability Scanning","Service": "ECR","SubGroup": null,"SubSection": "ECR used as docker images hub"}],"description": "Implement a solution to conduct regular scans on currently employed images and notify about any identified vulnerabilities.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"Establish ready-to-be-enabled pipelines to deliver ALB and CFD to SIEM to toggle in case of emergency and investigations": {"name": "Establish ready-to-be-enabled pipelines to deliver ALB and CFD to SIEM to toggle in case of emergency and investigations","checks": {},"status": "PASS","attributes": [{"Type": "Manual","ItemId": null,"Section": "Logging","Service": "Logging","SubGroup": null,"SubSection": null}],"description": "Establish ready-to-be-enabled pipelines to deliver ALB and CFD to SIEM to toggle in case of emergency and investigations","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}}},"requirements_passed": 26,"requirements_failed": 23,"requirements_manual": 34,"total_requirements": 83,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "623480b7-012a-4aab-b553-16d3b8898136","fields": {"tenant": 
"12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "hipaa_aws","framework": "HIPAA","version": "","description": "The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that helps US workers to retain health insurance coverage when they change or lose jobs. The legislation also seeks to encourage electronic health records to improve the efficiency and quality of the US healthcare system through improved information sharing.","region": "eu-west-1","requirements": {"164_312_b": {"name": "164.312(b) Audit controls","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_b","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.","checks_status": {"fail": 8,"pass": 4,"total": 16,"manual": 0}},"164_312_d": {"name": "164.312(d) Person or entity authentication","checks": {"iam_root_mfa_enabled": null,"iam_password_policy_reuse_24": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_312_d","Section": "164.312 Technical 
Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"164_308_a_8": {"name": "164.308(a)(8) Evaluation","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_8","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"164_312_a_1": {"name": "164.312(a)(1) Access control","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"awslambda_function_not_publicly_accessible": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_a_1","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement 
technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).","checks_status": {"fail": 1,"pass": 5,"total": 16,"manual": 0}},"164_312_c_1": {"name": "164.312(c)(1) Integrity","checks": {"ec2_ebs_volume_encryption": "PASS","s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_c_1","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.","checks_status": {"fail": 4,"pass": 2,"total": 6,"manual": 0}},"164_312_c_2": {"name": "164.312(c)(2) Mechanism to authenticate electronic protected health information","checks": {"vpc_flow_logs_enabled": "FAIL","ec2_ebs_volume_encryption": "PASS","s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_c_2","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.","checks_status": {"fail": 5,"pass": 2,"total": 7,"manual": 0}},"164_312_e_1": {"name": "164.312(e)(1) Transmission security","checks": {"elb_ssl_listeners": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": 
"FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","cloudfront_distributions_https_enabled": null,"awslambda_function_not_publicly_accessible": "PASS","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_e_1","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.","checks_status": {"fail": 3,"pass": 3,"total": 9,"manual": 0}},"164_308_a_3_i": {"name": "164.308(a)(3)(i) Workforce security","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_3_i","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining 
access to electronic protected health information.","checks_status": {"fail": 1,"pass": 5,"total": 15,"manual": 0}},"164_308_a_4_i": {"name": "164.308(a)(4)(i) Information access management","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_4_i","Section": "164.308 Administrative Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"164_308_a_6_i": {"name": "164.308(a)(6)(i) Security incident procedures","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_6_i","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures to address security incidents.","checks_status": {"fail": 0,"pass": 2,"total": 8,"manual": 0}},"164_308_a_7_i": {"name": "164.308(a)(7)(i) Contingency plan","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"164_308_a_7_i","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.","checks_status": {"fail": 3,"pass": 1,"total": 10,"manual": 0}},"164_312_a_2_i": {"name": "164.312(a)(2)(i) Unique user identification","checks": {"iam_no_root_access_key": null,"s3_bucket_public_access": null,"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_312_a_2_i","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Assign a unique name and/or number for identifying and tracking user identity.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"164_312_e_2_i": {"name": "164.312(e)(2)(i) Integrity controls","checks": {"elb_ssl_listeners": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_e_2_i","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.","checks_status": {"fail": 4,"pass": 3,"total": 10,"manual": 0}},"164_308_a_6_ii": {"name": "164.308(a)(6)(ii) Response and reporting","checks": {"elb_logging_enabled": 
"FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_log_metric_filter_root_usage": null,"s3_bucket_server_access_logging_enabled": "FAIL","cloudwatch_log_metric_filter_authentication_failures": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_6_ii","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.","checks_status": {"fail": 6,"pass": 4,"total": 15,"manual": 0}},"164_312_a_2_ii": {"name": "164.312(a)(2)(ii) Emergency access procedure","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_a_2_ii","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.","checks_status": {"fail": 2,"pass": 1,"total": 9,"manual": 0}},"164_312_a_2_iv": {"name": "164.312(a)(2)(iv) Encryption and decryption","checks": {"kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": 
"FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_a_2_iv","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement a mechanism to encrypt and decrypt electronic protected health information.","checks_status": {"fail": 6,"pass": 3,"total": 19,"manual": 0}},"164_312_e_2_ii": {"name": "164.312(e)(2)(ii) Encryption","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_312_e_2_ii","Section": "164.312 Technical Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement a mechanism to encrypt electronic protected health information whenever deemed 
appropriate.","checks_status": {"fail": 7,"pass": 3,"total": 19,"manual": 0}},"164_308_a_1_ii_a": {"name": "164.308(a)(1)(ii)(A) Risk analysis","checks": {"guardduty_is_enabled": "PASS","config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_1_ii_a","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"164_308_a_1_ii_b": {"name": "164.308(a)(1)(ii)(B) Risk Management","checks": {"elb_ssl_listeners": "FAIL","rds_instance_multi_az": "FAIL","ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"ec2_ebs_volume_encryption": "PASS","elbv2_deletion_protection": "FAIL","ec2_ebs_default_encryption": "PASS","rds_instance_backup_enabled": "PASS","rds_snapshots_public_access": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"s3_bucket_default_encryption": "PASS","awslambda_function_url_public": null,"efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"redshift_cluster_public_access": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","awslambda_function_not_publicly_accessible": 
"PASS","cloudwatch_log_group_kms_encryption_enabled": "FAIL","iam_inline_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_encryption_enabled": null,"iam_aws_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_1_ii_b","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a): Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.","checks_status": {"fail": 14,"pass": 9,"total": 39,"manual": 0}},"164_308_a_1_ii_d": {"name": "164.308(a)(1)(ii)(D) Information system activity review","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_1_ii_d","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement procedures to regularly review 
records of information system activity, such as audit logs, access reports, and security incident tracking reports.","checks_status": {"fail": 7,"pass": 4,"total": 15,"manual": 0}},"164_308_a_3_ii_a": {"name": "164.308(a)(3)(ii)(A) Authorization and/or supervision","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","iam_root_hardware_mfa_enabled": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","iam_user_mfa_enabled_console_access": null,"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_3_ii_a","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.","checks_status": {"fail": 4,"pass": 4,"total": 16,"manual": 0}},"164_308_a_3_ii_b": {"name": "164.308(a)(3)(ii)(B) Workforce clearance procedure","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_3_ii_b","Section": "164.308 Administrative Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.","checks_status": {"fail": 0,"pass": 
0,"total": 6,"manual": 0}},"164_308_a_3_ii_c": {"name": "164.308(a)(3)(ii)(C) Termination procedures","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_3_ii_c","Section": "164.308 Administrative Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(b).","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"164_308_a_4_ii_a": {"name": "164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","rds_instance_backup_enabled": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"acm_certificates_expiration_check": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","redshift_cluster_automated_snapshot": null,"cloudfront_distributions_https_enabled": null,"rds_instance_integration_cloudwatch_logs": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_4_ii_a","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "If a health care clearinghouse is part of a larger 
organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.","checks_status": {"fail": 7,"pass": 5,"total": 25,"manual": 0}},"164_308_a_4_ii_b": {"name": "164.308(a)(4)(ii)(B) Access authorization","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_4_ii_b","Section": "164.308 Administrative Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures for granting access to electronic protected health information, As one illustrative example, through access to a workstation, transaction, program, process, or other mechanism.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"164_308_a_4_ii_c": {"name": "164.308(a)(4)(ii)(B) Access authorization","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_password_policy_reuse_24": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_4_ii_c","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.","checks_status": {"fail": 1,"pass": 0,"total": 
9,"manual": 0}},"164_308_a_5_ii_b": {"name": "164.308(a)(5)(ii)(B) Protection from malicious software","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_5_ii_b","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Procedures for guarding against, detecting, and reporting malicious software.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"164_308_a_5_ii_c": {"name": "164.308(a)(5)(ii)(C) Log-in monitoring","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_5_ii_c","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Procedures for monitoring log-in attempts and reporting discrepancies.","checks_status": {"fail": 0,"pass": 2,"total": 3,"manual": 0}},"164_308_a_5_ii_d": {"name": "164.308(a)(5)(ii)(D) Password management","checks": {"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "164_308_a_5_ii_d","Section": "164.308 Administrative Safeguards","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Procedures for creating, changing, and safeguarding passwords.","checks_status": {"fail": 0,"pass": 0,"total": 9,"manual": 0}},"164_308_a_7_ii_a": {"name": "164.308(a)(7)(ii)(A) Data backup plan","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": 
"PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_7_ii_a","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.","checks_status": {"fail": 3,"pass": 1,"total": 10,"manual": 0}},"164_308_a_7_ii_b": {"name": "164.308(a)(7)(ii)(B) Disaster recovery plan","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_7_ii_b","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish (and implement as needed) procedures to restore any loss of data.","checks_status": {"fail": 3,"pass": 1,"total": 10,"manual": 0}},"164_308_a_7_ii_c": {"name": "164.308(a)(7)(ii)(C) Emergency mode operation plan","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "164_308_a_7_ii_c","Section": "164.308 Administrative Safeguards","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.","checks_status": {"fail": 3,"pass": 1,"total": 10,"manual": 0}}},"requirements_passed": 11,"requirements_failed": 
21,"requirements_manual": 0,"total_requirements": 32,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "6a808cc7-3501-4085-98f9-e4a9fa251f4c","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "mitre_attack_aws","framework": "MITRE-ATTACK","version": "","description": "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.","region": "eu-west-1","requirements": {"T1040": {"name": "Network Sniffing","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_hardware_mfa_enabled": null,"rds_instance_transport_encrypted": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL","config_recorder_all_regions_enabled": null,"iam_user_mfa_enabled_console_access": null,"cloudfront_distributions_https_enabled": null,"iam_policy_allows_privilege_escalation": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudWatch uses TLS/SSL connections to communicate with other AWS resources which protects against network sniffing attacks. 
As a result, this mapping is given a score of Significant.","Category": "Protect","AWSService": "AWS CloudWatch"},{"Value": "Significant","Comment": "AWS RDS and AWS RDS Proxy support TLS/SSL connections to database instances which protects against network sniffing attacks. As a result, this mapping is given a score of Significant.","Category": "Protect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over untrusted networks which can prevent information from being gathered via network sniffing.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"},{"Value": "Partial","Comment": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: 'CA certificate expiring' ('CA_CERTIFICATE_EXPIRING_CHECK' in the CLI and API), 'CA certificate key quality' ('CA_CERTIFICATE_KEY_QUALITY_CHECK' in the CLI and API), and 'CA certificate revoked but device certificates still active' ('REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK' in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the 'UPDATE_CA_CERTIFICATE' mitigation action which can resolve them. 
'Device certificate expiring' ('DEVICE_CERTIFICATE_EXPIRING_CHECK' in the CLI and API), 'Device certificate key quality' ('DEVICE_CERTIFICATE_KEY_QUALITY_CHECK' in the CLI and API), 'Device certificate shared' ('DEVICE_CERTIFICATE_SHARED_CHECK' in the CLI and API), and 'Revoked device certificate still active' ('REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK' in the CLI and API) can identify problems with IoT devices' certificates and support the 'UPDATE_DEVICE_CERTIFICATE' and 'ADD_THINGS_TO_THING_GROUP' mitigation actions which can resolve them. Coverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: 'acm-certificate-expiration-check' for nearly expired certificates in AWS Certificate Manager (ACM); 'alb-http-to-https-redirection-check' for Application Load Balancer (ALB) HTTP listeners; 'api-gw-ssl-enabled' for API Gateway REST API stages; 'cloudfront-custom-ssl-certificate', 'cloudfront-sni-enabled', and 'cloudfront-viewer-policy-https', for Amazon CloudFront distributions; 'elb-acm-certificate-required', 'elb-custom-security-policy-ssl-check', 'elb-predefined-security-policy-ssl-check', and 'elb-tls-https-listeners-only' for Elastic Load Balancing (ELB) Classic Load Balancer listeners; 'redshift-require-tls-ssl' for Amazon Redshift cluster connections to SQL clients; 's3-bucket-ssl-requests-only' for requests for S3 bucket contents; and 'elasticsearch-node-to-node-encryption-check' for Amazon ElasticSearch Service node-to-node communications. 
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that private traffic is routed securely and only within VPCs rather than on the public Internet: 'api-gw-endpoint-type-check' for Amazon API Gateway APIs, 'elasticsearch-in-vpc-only' for Amazon ElasticSearch Service domains, and 'redshift-enhanced-vpc-routing-enabled' for Amazon Redshift cluster traffic. All of these are run on configuration changes except 'alb-http-to-https-redirection-check' and 'elasticsearch-in-vpc-only', which are run periodically. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic and/or do not have access to traffic within the relevant VPCs, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS Config"}],"description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. 
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.","checks_status": {"fail": 5,"pass": 1,"total": 17,"manual": 0}},"T1046": {"name": "Network Service Discovery","checks": {"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","elbv2_waf_acl_attached": "FAIL","networkfirewall_in_all_vpc": "FAIL","inspector2_active_findings_exist": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Value": "Partial","Comment": "The following AWS IoT Device Defender device-side detection metrics can detect 
indicators that an adversary may be leveraging compromised AWS IoT devices to search their networks for other hosts and their running services, possibly to subsequently carry out lateral movement techniques: 'Destination IPs' ('aws:destination-ip-addresses') outside of expected IP address ranges may suggest that a device is communicating with unexpected devices. 'Bytes in' ('aws:all-bytes-in'), 'Bytes out' ('aws:all-bytes-out'), 'Packets in' ('aws:all-packets-in'), and 'Packets out' ('aws:all-packets-out') values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may traffic used to discover other hosts/services. 'Listening TCP ports' ('aws:listening-tcp-ports'), 'Listening TCP port count' ('aws:num-listening-tcp-ports'), 'Established TCP connections count' ('aws:num-established-tcp-connections'), 'Listening UDP ports' ('aws:listening-udp-ports'), and 'Listening UDP port count' ('aws:num-listening-udp-ports') values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols that may suggest scanning is taking place. Coverage factor is partial, since these metrics are limited to IoT device communication and detection is only based on network traffic, resulting in an overall score of Partial.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against network service scanning. 
This mapping is given a score of Partial because it only protects against network service scanning attacks that originate from outside the firewall and not from within network protected by the firewall.","Category": "Protect","AWSService": "AWS Network Firewall"},{"Value": "Partial","Comment": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection. AWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet. This is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.","Category": "Protect","AWSService": "AWS Web Application Firewall"},{"Value": "Partial","Comment": "The following GuardDuty finding types reflect flagged events where there is an attempt to get a list of services running on a remote host. Recon:EC2/PortProbeEMRUnprotectedPort Recon:EC2/PortProbeUnprotectedPort Recon:EC2/Portscan Impact:EC2/PortSweep","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Partial","Comment": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. 
Due to this, the score is capped at Partial.","Category": "Protect","AWSService": "Amazon Inspector"},{"Value": "Significant","Comment": "VPC security groups and network access control lists (NACLs) can filter both internal and external network traffic and therefore, can mitigate unauthorized network service scanning.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"}],"description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.","checks_status": {"fail": 7,"pass": 16,"total": 23,"manual": 0}},"T1048": {"name": "Exfiltration Over Alternative Protocol","checks": {"guardduty_is_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Value": "Partial","Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols.","Category": "Protect","AWSService": "AWS Network Firewall"},{"Value": "Partial","Comment": "The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command-and-control channel. Trojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Partial","Comment": "This control provides partial coverage for this technique and all of its sub-techniques, resulting in an overall score of Partial.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "VPC security groups and network access control lists (NACLs) can limit access to external hosts and can therefore provide mitigation of this technique. For environments where Internet access is required, these controls can be used to block known malicious addresses. 
Because this latter protection is limited to known malicious endpoints, it provides Partial coverage resulting in an overall Partial score.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"}],"description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.","checks_status": {"fail": 4,"pass": 16,"total": 20,"manual": 0}},"T1049": {"name": "System Network Connections Discovery","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1059": {"name": "Command and Scripting Interpreter","checks": {"elbv2_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Value": "Partial","Comment": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet. This is given a score of Partial (instead of Minimal) because while it only protects against a subset of SubTechniques (3 out of 8), it does provide protections for command and scripting interpreters that do not have SubTechniques (SQL, PHP, etc.). Furthermore, it blocks the malicious content in near real-time.","Category": "Protect","AWSService": "AWS Web Application Firewall"}],"description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. 
These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"T1069": {"name": "Permission Groups Discovery","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1074": {"name": "Data from Cloud Storage","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. 
Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1078": {"name": "Valid Accounts","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_avoid_root_usage": null,"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_console_access_unused": null,"iam_user_two_active_access_key": null,"iam_policy_no_full_access_to_kms": null,"iam_administrator_access_with_mfa": null,"config_recorder_all_regions_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_user_no_setup_initial_access_key": null,"organizations_scp_check_deny_regions": null,"iam_password_policy_minimum_length_14": null,"iam_policy_allows_privilege_escalation": null,"organizations_delegated_administrators": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_no_expired_server_certificates_stored": null,"organizations_account_part_of_organizations": null,"iam_role_cross_account_readonlyaccess_policy": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_role_cross_service_confused_deputy_prevention": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"iam_customer_unattached_policy_no_administrative_privileges": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Value": "Partial","Comment": "GuardDuty implements a finding that flags occurrences unattended behavior from an IAM User in 
the Account. PenTest:IAMUser/KaliLinux, PenTest:IAMUser/ParrotLinux, PenTest:IAMUser/PentooLinux, Policy:IAMUser/RootCredentialUsage, PrivilegeEscalation:IAMUser/AdministrativePermissions, UnauthorizedAccess:IAMUser/ConsoleLogin, UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B, UnauthorizedAccess:IAMUser/MaliciousIPCaller, UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/TorIPCaller, Policy:S3/AccountBlockPublicAccessDisabled, Policy:S3/BucketAnonymousAccessGranted, Policy:S3/BucketBlockPublicAccessDisabled, Policy:S3/BucketPublicAccessGranted, CredentialAccess:IAMUser/AnomalousBehavior, DefenseEvasion:IAMUser/AnomalousBehavior, Discovery:IAMUser/AnomalousBehavior, Exfiltration:IAMUser/AnomalousBehavior, Impact:IAMUser/AnomalousBehavior, Persistence:IAMUser/AnomalousBehavior, Recon:IAMUser/MaliciousIPCaller, Recon:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Minimal","Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "This control provides detection capability for one of this technique's SubTechniques and some of its procedure examples resulting in an overall Partial protection score.","Category": "Detect","AWSService": "AWS IAM"},{"Value": "Partial","Comment": "This control provides protection capability for one of this technique's SubTechniques and some of its procedure examples resulting in an overall Partial protection score.","Category": "Protect","AWSService": "AWS IAM"},{"Value": "Partial","Comment": "This control provides protection capability for one of this technique's SubTechniques and some of its procedure examples resulting in an overall Partial protection score.","Category": "Protect","AWSService": "AWS Single Sign-On"},{"Value": 
"Minimal","Comment": "This control provides partial detection capability for one of this technique's SubTechniques and a few of its procedure examples resulting in an overall Minimal protection score.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Minimal","Comment": "This control provides partial protection for one of this technique's SubTechniques and a few of its procedure examples resulting in an overall Minimal protection score.","Category": "Protect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "This control may protect against malicious use of cloud accounts but may not mitigate exploitation of local, domain, or default accounts present within deployed resources.","Category": "Protect","AWSService": "AWS Organizations"},{"Value": "Minimal","Comment": "AWS Security Hub detects suspicious activity by AWS accounts which could indicate valid accounts being leveraged by an adversary. AWS Security Hub provides these detections with the following managed insights. AWS principals with suspicious access key activity Credentials that may have leaked AWS resources with unauthorized access attempts IAM users with suspicious activity. AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and PCI-DSS security standard that, if implemented, would help towards detecting the misuse of valid accounts. AWS Security Hub provides these detections with the following checks. 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA 3.3 Ensure a log metric filter and alarm exist for usage of root account 3.4 Ensure a log metric filter and alarm exist for IAM policy changes 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures [PCI.CW.1] A log metric filter and alarm should exist for usage of the root user. 
By monitoring the root account, activity where accounts make unauthorized API calls, and changes to IAM permissions among other things, it may be possible to detect valid accounts that are being misused and are potentially compromised. This is scored as Minimal because it only supports a subset of the SubTechniques (1 of 4).","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Minimal","Comment": "This control provides partial protection for one of this technique's SubTechniques and a few of its procedure examples resulting in an overall Minimal protection score.","Category": "Protect","AWSService": "Amazon Cognito"}],"description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.[1] Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.","checks_status": {"fail": 0,"pass": 2,"total": 36,"manual": 0}},"T1082": {"name": "System Information Discovery","checks": {},"status": "PASS","attributes": [],"description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. 
Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1087": {"name": "Account Discovery","checks": {"organizations_account_part_of_organizations": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "This control may protect against cloud account discovery but does not mitigate against other forms of account discovery.","Category": "Protect","AWSService": "AWS Organizations"}],"description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"T1098": {"name": "Account Manipulation","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_avoid_root_usage": null,"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_hardware_mfa_enabled": null,"iam_policy_no_full_access_to_kms": null,"iam_administrator_access_with_mfa": null,"config_recorder_all_regions_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of 
Minimal.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Minimal","Comment": "This control may generate logs for creation and manipulation of accounts but the relevant security information would be handled by another security control.","Category": "Detect","AWSService": "AWS IAM"},{"Value": "Minimal","Comment": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the manipulation of accounts. AWS Security Hub provides this detection with the following check. 3.4 Ensure a log metric filter and alarm exist for IAM policy changes. This is scored as Minimal because it only supports a subset of the SubTechniques (1 of 4).","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Partial","Comment": "GuardDuty has a finding types that flag events where an adversary may have compromised an AWS IAM User. Finding Type: Persistence:IAMUser/AnomalousBehavior.","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. 
These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.","checks_status": {"fail": 0,"pass": 2,"total": 16,"manual": 0}},"T1110": {"name": "Brute Force","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"inspector2_is_enabled": "FAIL","iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_console_access_unused": null,"inspector2_active_findings_exist": "FAIL","config_recorder_all_regions_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Significant","Comment": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant.","Category": "Protect","AWSService": "AWS IAM"},{"Value": "Partial","Comment": "This control may not provide any mitigation against password cracking.","Category": "Protect","AWSService": "AWS Single Sign-On"},{"Value": "Significant","Comment": "Amazon Cognito's MFA capability provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.","Category": "Protect","AWSService": "Amazon 
Cognito"},{"Value": "Minimal","Comment": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks. 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures. This is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.) and it only supports a subset of the sub-techniques (3 of 4). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances.","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Minimal","Comment": "Finding types such as UnauthorizedAccess:EC2/RDPBruteForce, UnauthorizedAccess:EC2/SSHBruteForce, Impact:EC2/WinRMBruteForce, and Stealth:IAMUser/PasswordPolicyChange can detect when an EC2 instance may be involved in a brute force attack aimed at obtaining passwords. Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Minimal","Comment": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include 'Disable password authentication over SSH', 'Configure password maximum age', 'Configure password minimum length', and 'Configure password complexity' all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. 
Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.","Category": "Protect","AWSService": "Amazon Inspector"}],"description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.","checks_status": {"fail": 2,"pass": 2,"total": 19,"manual": 0}},"T1119": {"name": "Automated Collection","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","ec2_ebs_snapshots_encrypted": "FAIL","s3_bucket_default_encryption": "PASS","rds_instance_storage_encrypted": "FAIL","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Value": "Minimal","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that storage volumes are encrypted, which may mitigate adversary attempts to automate collection within cloud environments: 'ec2-ebs-encryption-by-default' which is run periodically and 'encrypted-volumes' which is run on configuration changes. Coverage factor is minimal for these rules, since they are specific to EBS volumes and will only prevent certain forms of collection since adversaries with access to mounted volumes may be able to decrypt their contents, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS Config"}],"description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. 
Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools.","checks_status": {"fail": 2,"pass": 3,"total": 6,"manual": 0}},"T1136": {"name": "Create Account","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "This control provides partial coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS Config"}],"description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"T1190": {"name": "Exploit Public-Facing Application","checks": {"drs_job_exist": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","rds_instance_backup_enabled": "PASS","inspector2_active_findings_exist": "FAIL","config_recorder_all_regions_enabled": null,"awslambda_function_not_publicly_accessible": "PASS","rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. 
In the event that a public-facing application or server is compromised, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS CloudEndure Disaster Recovery"},{"Value": "Partial","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that applications intended for internal use cannot be accessed externally for exploitation: 'api-gw-endpoint-type-check' can ensure that Amazon API Gateway APIs are private and can only be accessed from within VPCs, 'elasticsearch-in-vpc-only' can ensure that Amazon ElasticSearch Service (Amazon ES) domains are in the same VPC and the domain endpoint is not public, 'lambda-function-public-access-prohibited' can verify that AWS Lambda functions are not publicly available, and 'ec2-instance-no-public-ip' can verify whether EC2 instances have public IP addresses. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that insecure applications are not installed and installed packages are kept updated, reducing the likelihood of adversary exploitation: the 'ec2-managedinstance-applications-blacklisted' managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The 'ec2-managedinstance-platform-check' managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation. 
'rds-automatic-minor-version-upgrade-enabled' can verify that Amazon RDS is being patched, and 'elastic-beanstalk-managed-updates-enabled' can verify that Elastic Beanstalk is being patched. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services that can be used to host public-facing applications and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. This mapping is given a score of Partial because it does not protect against misconfigured database instances which may be susceptible to exploitation.","Category": "Protect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS RDS"},{"Value": "Minimal","Comment": "There is a GuardDuty finding type that captures when vulnerable publicly facing resources are leveraged to capture data not intended to be viewable (e.g., IAM credentials associated with the resource). 
UnauthorizedAccess:EC2/MetadataDNSRebind - This finding type only detects MetadataDNSRebind and is more focused on the EC2 instance and not the application running on the instance itself resulting in Minimal coverage.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Partial","Comment": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight. EC2 instances that have missing security patches for important vulnerabilities. This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Significant","Comment": "The AWS WAF protects public-facing applications against a range of vulnerabilities including those listed in the OWASP Top 10. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. AWSManagedRulesCommonRuleSet AWSManagedRulesKnownBadInputRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet. This is given a score of Significant because it protects against vulnerabilities across multiple operating systems (Windows, Linux, POSIX) and technologies (JavaScript, SQL, PHP, WordPress). Furthermore, it blocks the malicious content in near real-time.","Category": "Protect","AWSService": "AWS Web Application Firewall"},{"Value": "Partial","Comment": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. 
Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for 'Enable Address Space Layout Randomization (ASLR)' and 'Enable Data Execution Prevention (DEP)' that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.","Category": "Protect","AWSService": "Amazon Inspector"}],"description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.","checks_status": {"fail": 5,"pass": 5,"total": 11,"manual": 0}},"T1199": {"name": "Trusted Relationship","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Value": "Partial","Comment": "VPC network access control lists (NACLs) can isolate portions of the network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"}],"description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.","checks_status": {"fail": 3,"pass": 15,"total": 18,"manual": 0}},"T1201": {"name": "Password Policy Discovery","checks": {"iam_policy_allows_privilege_escalation": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Significant","Comment": "Ensure least privilege in IAM since password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. 
Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"T1204": {"name": "User Execution","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Detect","AWSService": "AWS Config"}],"description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"T1213": {"name": "Data from Information Repositories","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. 
Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1485": {"name": "Data Destruction","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","s3_bucket_object_lock": "FAIL","efs_have_backup_enabled": "FAIL","s3_bucket_no_mfa_delete": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","config_recorder_all_regions_enabled": null,"s3_bucket_policy_public_write_access": "PASS","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is destroyed, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS CloudEndure Disaster Recovery"},{"Value": "Partial","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include data destruction: 's3-bucket-blacklisted-actions-prohibited' checks whether bucket policies prohibit disallowed actions (including S3:DeleteObject) for principals from other AWS accounts, 's3-bucket-default-lock-enabled' checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and 's3-bucket-public-write-prohibited' checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. 
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of data destruction: 'aurora-mysql-backtracking-enabled' for data in Aurora MySQL; 'db-instance-backup-enabled' and 'rds-in-backup-plan' for Amazon Relational Database Service (RDS) data; 'dynamodb-in-backup-plan' and 'dynamodb-pitr-enabled' for Amazon DynamoDB table contents; 'ebs-in-backup-plan' for Elastic Block Store (EBS) volumes; 'efs-in-backup-plan' for Amazon Elastic File System (EFS) file systems; 'elasticache-redis-cluster-automatic-backup-check' for Amazon ElastiCache Redis cluster data; 'redshift-backup-enabled' and 'redshift-cluster-maintenancesettings-check' for Redshift; 's3-bucket-replication-enabled' and 's3-bucket-versioning-enabled' for S3 storage; and 'cloudfront-origin-failover-enabled' for CloudFront. The following AWS Config managed rules provide specific detections for configuration problems that should be fixed in order to prevent malicious deletion of specific data: 'elb-deletion-protection-enabled' for Elastic Block Store (EBS) volumes, and 'rds-cluster-deletion-protection-enabled' and 'rds-instance-deletion-protection-enabled' for RDS data. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against destruction, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "AWS RDS generates events for database instances and includes the following events that may indicate that an adversary has destroyed the database instance. RDS-EVENT-0003: The DB instance has been deleted RDS-EVENT-0041: A DB snapshot has been deleted. 
This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized deletion.","Category": "Detect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "AWS RDS provides deletion protection which prevents any user from deleting a database instance. If applied, the setting may mitigate attempts to delete a database instance. As a result, this mapping is given a score of Significant.","Category": "Protect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "AWS S3 may protect against data destruction through application of several best practices. Multi-factor authentication can be enabled for delete operations and for changing the versioning state of a bucket. Versioning can be enabled to revert objects to a previous state after malicious destruction or corruption. S3 Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. In addition, S3 Cross Region Replication can be used to replicate S3 buckets to another AWS region for add protection.","Category": "Protect","AWSService": "AWS S3"},{"Value": "Minimal","Comment": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the scheduled destruction of Customer Master Keys (CMKs) which are critical for being able to decrypt data. AWS Security Hub provides this detection with the following check. Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs. 
This is scored as Minimal because CMKs only represent one type of data that could be destroyed by an adversary.","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Partial","Comment": "The following GuardDuty finding type flags events where adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Impact:S3/MaliciousIPCaller, Impact:IAMUser/AnomalousBehavior Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller PenTest:S3/PentooLinux PenTest:S3/ParrotLinux PenTest:S3/KaliLinux.","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.[1][2][3][4][5][6] Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. 
This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.","checks_status": {"fail": 6,"pass": 3,"total": 12,"manual": 0}},"T1486": {"name": "Data Encrypted for Impact","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","s3_bucket_object_lock": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"config_recorder_all_regions_enabled": null,"s3_bucket_policy_public_write_access": "PASS"},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is destroyed, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS CloudEndure Disaster Recovery"},{"Value": "Partial","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious changes to data encryption within Amazon Simple Storage Service (S3) storage: 's3-bucket-blacklisted-actions-prohibited' checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, 's3-bucket-default-lock-enabled' checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and 's3-bucket-public-write-prohibited' checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. 
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious changes to data encryption: 'aurora-mysql-backtracking-enabled' for data in Aurora MySQL; 'db-instance-backup-enabled' and 'rds-in-backup-plan' for Amazon Relational Database Service (RDS) data; 'dynamodb-in-backup-plan' and 'dynamodb-pitr-enabled' for Amazon DynamoDB table contents; 'ebs-in-backup-plan' for Elastic Block Store (EBS) volumes; 'efs-in-backup-plan' for Amazon Elastic File System (EFS) file systems; 'elasticache-redis-cluster-automatic-backup-check' for Amazon ElastiCache Redis cluster data; 'redshift-backup-enabled' and 'redshift-cluster-maintenancesettings-check' for Redshift; 's3-bucket-replication-enabled' and 's3-bucket-versioning-enabled' for S3 storage; and 'cloudfront-origin-failover-enabled' for CloudFront. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against malicious encryption changes, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Significant","Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is encrypted by an adversary (e.g., ransomware), AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS RDS"},{"Value": "Partial","Comment": "The following GuardDuty finding type flags events where adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. 
Impact:S3/MaliciousIPCaller Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller PenTest:S3/PentooLinux PenTest:S3/ParrotLinux PenTest:S3/KaliLinux","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.","checks_status": {"fail": 4,"pass": 3,"total": 9,"manual": 0}},"T1490": {"name": "Inhibit System Recovery","checks": {"drs_job_exist": "FAIL","rds_instance_backup_enabled": "PASS"},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2).","Category": "Respond","AWSService": "AWS CloudEndure Disaster Recovery"},{"Value": "Partial","Comment": "AWS RDS generates events for database instances and includes the following event that may indicate that an adversary has attempted to inhibit system recovery. RDS-EVENT-0028: Automatic backups for this DB instance have been disabled. 
This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized disabling of automatic backups.","Category": "Detect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised and modified to disrupt recovery, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.","Category": "Respond","AWSService": "AWS RDS"}],"description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[1][2] This may deny access to available backups and recovery options.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"T1491": {"name": "Defacement","checks": {"drs_job_exist": "FAIL","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2).","Category": "Respond","AWSService": "AWS CloudEndure Disaster Recovery"},{"Value": "Significant","Comment": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "GuardDuty provides multiple finding types that flag malicious activity against resources. 
These findings focus on API calls that look suspicious and although they do not flag events such as Defacement specifically, it can be inferred that these findings can result in mitigating this technique's negative impact. With this assumption the score is capped at Partial.","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"T1496": {"name": "Resource Hijacking","checks": {"guardduty_is_enabled": "PASS","config_recorder_all_regions_enabled": null,"cloudwatch_log_metric_filter_root_usage": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": 
null},"status": "FAIL","attributes": [{"Value": "Partial","Comment": "AWS CloudWatch provides various metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers among others. The following metrics (not an exhaustive list) could be used to detect if the usage of a resource has increased such as when an adversary hijacks a resource to perform intensive tasks. Linux/Mac OS ------------- cpu_time_active cpu_time_guest cpu_usage_active cpu_usage_guest disk_free disk_total disk_used ethtool_bw_in_allowance_exceeded ethtool_bw_out_allowance_exceeded ethtool_conntrack_allowance_exceeded mem_active mem_available_percent mem_free net_bytes_recv net_bytes_sent net_packets_sent net_packets_recv netstat_tcp_established netstat_tcp_listen processes_running processes_total swap_free swap_used. Containers ---------- CpuUtilized MemoryUtilized NetworkRxBytes NetworkTxBytes node_cpu_usage_total node_cpu_utilization node_filesystem_utilization node_memory_utilization. This mapping is given a score of Partial because it is not possible to differentiate between an authorized and unauthorized increase in resource utilization.","Category": "Detect","AWSService": "AWS CloudWatch"},{"Value": "Partial","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure alarms exist for spikes in resource utilization, which help to identify malicious use of resources within a cloud environment: 'cloudwatch-alarm-action-check', 'cloudwatch-alarm-resource-check', 'cloudwatch-alarm-settings-check', 'desired-instance-tenancy', 'desired-instance-type', 'dynamodb-autoscaling-enabled', 'dynamodb-throughput-limit-check', 'ec2-instance-detailed-monitoring-enabled', and 'rds-enhanced-monitoring-enabled'. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only detect resource hijacking that results in a change in utilization that is significant enough to trigger alarms, resulting in an overall score of Partial.","Category": "Detect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices' resources to perform resource-intensive operations like mining cryptocurrency or performing denial of service attacks on other environments: 'Destination IPs' ('aws:destination-ip-addresses') outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. 'Bytes in' ('aws:all-bytes-in'), 'Bytes out' ('aws:all-bytes-out'), 'Packets in' ('aws:all-packets-in'), and 'Packets out' ('aws:all-packets-out') values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include traffic related to resource hijacking activities. 'Listening TCP ports' ('aws:listening-tcp-ports'), 'Listening TCP port count' ('aws:num-listening-tcp-ports'), 'Established TCP connections count' ('aws:num-established-tcp-connections'), 'Listening UDP ports' ('aws:listening-udp-ports'), and 'Listening UDP port count' ('aws:num-listening-udp-ports') values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols which may include traffic related to resource hijacking activities. 
Coverage factor is partial, since these metrics are limited to IoT device hijacking, resulting in an overall score of Partial.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "The following GuardDuty finding types flag events where adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. CryptoCurrency:EC2/BitcoinTool.B CryptoCurrency:EC2/BitcoinTool.B!DNS Impact:EC2/BitcoinDomainRequest.Reputation UnauthorizedAccess:EC2/TorRelay","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability.","checks_status": {"fail": 1,"pass": 1,"total": 18,"manual": 0}},"T1498": {"name": "Network Denial of Service","checks": {"guardduty_is_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","config_recorder_all_regions_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","shield_advanced_protection_in_internet_facing_load_balancers": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Value": "Minimal","Comment": "This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Minimal","Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. While AWS Network Firewall supports both all sub-techniques (2 of 2), this mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level.","Category": "Protect","AWSService": "AWS Network Firewall"},{"Value": "Significant","Comment": "AWS Shield is a service that protects against Distributed Denial of Service attacks. There are two tiers for this service Standard and Advanced. 
AWS Shield Standard defends against most common, frequently occurring network and transport (Layer 3 and 4 attacks) layer DDoS attacks that target your web site or applications. AWS Shield Advanced adds on to standard by providing additional detection and mitigation against large and sophisticated DDoS attacks. There is near real-time visibility into attacks. AWS Shield Advanced also comes with 24x7 access to the AWS DDoS Response Team (DRT).","Category": "Respond","AWSService": "AWS Shield"},{"Value": "Partial","Comment": "The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Minimal","Comment": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"}],"description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. 
Adversaries have been observed conducting network DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.","checks_status": {"fail": 4,"pass": 16,"total": 27,"manual": 0}},"T1499": {"name": "Endpoint Denial of Service","checks": {"networkfirewall_in_all_vpc": "FAIL","config_recorder_all_regions_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","shield_advanced_protection_in_internet_facing_load_balancers": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "AWS Shield is a service that protects against Distributed Denial of Service attacks. There are two tiers for this service Standard and Advanced. AWS Shield Standard defends against most common, frequently occurring network and transport (Layer 3 and 4 attacks) layer DDoS attacks that target your web site or applications. AWS Shield Advanced adds on to standard by providing additional detection and mitigation against large and sophisticated DDoS attacks. There is near real-time visibility into attacks. AWS Shield Advanced also comes with 24x7 access to the AWS DDoS Response Team (DRT).","Category": "Respond","AWSService": "AWS Shield"},{"Value": "Minimal","Comment": "This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. 
This mapping is given a score of Partial because it only supports a subset of the sub-techniques (3 of 4) and because the source of the attack would have to be known before rules could be put in place to protect against it.","Category": "Protect","AWSService": "AWS Network Firewall"},{"Value": "Minimal","Comment": "VPC security groups and network access control lists (NACLs) provides minimal protection for a majority of this control's sub-techniques and procedure examples resulting in an overall score of Minimal.","Category": "Protect","AWSService": "Amazon Virtual Private Cloud"}],"description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.","checks_status": {"fail": 4,"pass": 15,"total": 26,"manual": 0}},"T1518": {"name": "Software Discovery","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. 
Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1525": {"name": "Implant Internal Image","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "The following AWS Config managed rules can identify running instances that are not using AMIs within a specified allow list: 'approved-amis-by-id' and 'approved-amis-by-tag', both of which are run on configuration changes. This does not provide detection of the image implanting itself, but does provide detection for any subsequent use of images that are implanted and not present within the allow list, resulting in a score of Minimal.","Category": "Detect","AWSService": "AWS Config"}],"description": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"T1526": {"name": "Cloud Service Discovery","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Value": "Partial","Comment": "GuardDuty has the following finding types to flag events where there is an attempt to discover information about resources on the account. 
Recon:IAMUser/MaliciousIPCaller Recon:IAMUser/MaliciousIPCaller.Custom Recon:IAMUser/TorIPCaller","Category": "Detect","AWSService": "Amazon GuardDuty"}],"description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"T1530": {"name": "Data from Cloud Storage","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","s3_bucket_public_access": null,"networkfirewall_in_all_vpc": "FAIL","efs_not_publicly_accessible": "FAIL","rds_snapshots_public_access": "PASS","s3_bucket_default_encryption": "PASS","rds_instance_no_public_access": "PASS","efs_encryption_at_rest_enabled": "FAIL","emr_cluster_publicly_accesible": null,"rds_instance_storage_encrypted": "FAIL","redshift_cluster_public_access": null,"rds_instance_transport_encrypted": "FAIL","config_recorder_all_regions_enabled": null,"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null,"sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"sagemaker_training_jobs_intercontainer_encryption_enabled": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Value": "Significant","Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed 
in order to prevent malicious access of data within Amazon Simple Storage Service (S3) storage: 's3-account-level-public-access-blocks', 's3-bucket-level-public-access-prohibited', 's3-bucket-public-read-prohibited', 's3-bucket-policy-not-more-permissive', 'cloudfront-origin-access-identity-enabled', and 'cloudfront-default-root-object-configured' identify objects that are publicly available or subject to overly permissive access policies; 's3-bucket-blacklisted-actions-prohibited' checks whether bucket policies prohibit disallowed actions for principals from other AWS accounts; and 's3-bucket-policy-grantee-check' checks whether bucket policies appropriately control which AWS principals, federated users, service principals, IP addresses, and VPCs have access. All of these controls are run on configuration changes. The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data from other AWS services: 'dms-replication-not-public' for AWS Database Migration Service; 'emr-master-no-public-ip' for Amazon Elastic MapReduce (EMR); 'rds-cluster-iam-authentication-enabled', 'rds-instance-iam-authentication-enabled', 'rds-instance-public-access-check' and 'rds-snapshots-public-prohibited' for Amazon Relational Database Service; 'redshift-cluster-public-access-check' for Amazon Redshift; and 'sagemaker-notebook-no-direct-internet-access' for SageMaker. 
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that cloud storage data are encrypted to prevent malicious access: 'dax-encryption-enabled', 'dynamodb-table-encrypted-kms', and 'dynamodb-table-encryption-enabled' for Amazon DynamoDB table contents; 'efs-encrypted-check' for Amazon Elastic File System (EFS) file systems; 'elasticsearch-encrypted-at-rest' for Elasticsearch Service (ES) domains; 'rds-snapshot-encrypted' and 'rds-storage-encrypted' for Amazon Relational Database Service; 's3-bucket-server-side-encryption-enabled' and 's3-default-encryption-kms' for S3 storage; 'sns-encrypted-kms' for Amazon Simple Notification Service (SNS); 'redshift-cluster-configuration-check' and 'redshift-cluster-kms-enabled' for Redshift clusters; 'sagemaker-endpoint-configuration-kms-key-configured' and 'sagemaker-notebook-instance-kms-key-configured' for SageMaker. These rules provide a wide range of coverage for many AWS services, especially those most significant to procedures for this technique, resulting in an overall score of Significant.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Partial","Comment": "The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: 'Source IP' ('aws:source-ip-address') values outside of expected IP address ranges may suggest that a device has been stolen. 'Messages sent' ('aws:num-messages-sent'), 'Messages received' ('aws:num-messages-received'), and 'Message size' ('aws:message-byte-size') values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage. 
The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: 'Bytes in' ('aws:all-bytes-in'), 'Bytes out' ('aws:all-bytes-out'), 'Packets in' ('aws:all-packets-in'), and 'Packets out' ('aws:all-packets-out') values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage. Coverage factor is partial, since these metrics are limited to IoT device-based collection, resulting in an overall score of Partial.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Partial","Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources such as cloud storage objects by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists). However, since cloud storage objects are located outside the virtual private cloud where the AWS Network Firewall protects, the mapping is only given a score of Partial.","Category": "Protect","AWSService": "AWS Network Firewall"},{"Value": "Significant","Comment": "AWS RDS supports the encryption of the underlying storage for database instances, backups, read replicas, and snapshots using the AES-256 encryption algorithm. This can protect against an adversary from gaining access to a database instance in the event they get access to the underlying system where the database instance is hosted or to S3 where the backups are stored. Furthermore, with AWS RDS, there is a setting that specifies whether or not a database instances is publicly accessible. 
When public accessibility is turned off, the database instance will not be available outside the VPC in which it was created. As a result, this mapping is given a score of Significant.","Category": "Protect","AWSService": "AWS RDS"},{"Value": "Significant","Comment": "S3 provides full control of access via Identity and Access Management (IAM) policies and with its access control lists (ACLs). The S3 Block Public Access feature allows for policies limiting public access to Amazon S3 resources that are enforced regardless of how the resources are created or associated IAM policies. Server-side encryption can be enabled for data at rest and allows for use of S3-managed keys, AWS Key Management Service managed keys, or customer-provided keys.","Category": "Protect","AWSService": "AWS S3"},{"Value": "Partial","Comment": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to data in cloud storage. AWS Security Hub provides this detection with the following managed insight. S3 buckets with public write or read permissions. AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check. 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes. This is scored as Partial because it only detects when S3 buckets have public read or write access and doesn't detect improperly secured data in other storage types (e.g., DBs, NFS, etc.).","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Partial","Comment": "The following GuardDuty finding types flag events where adversaries may have access data objects from improperly secured cloud storage. 
UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Minimal","Comment": "The following Macie findings can detect the collection of data from S3 buckets: Policy:IAMUser/S3BlockPublicAccessDisabled Policy:IAMUser/S3BucketEncryptionDisabled Policy:IAMUser/S3BucketPublic Policy:IAMUser/S3BucketReplicatedExternally Policy:IAMUser/S3BucketSharedExternally. This type of detection is limited to only the S3 storage type and not other storage types available on the platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score.","Category": "Detect","AWSService": "Amazon Macie"},{"Value": "Minimal","Comment": "The following Macie findings can protect against collection of sensitive data from S3 buckets: SensitiveData:S3Object/Credentials SensitiveData:S3Object/CustomIdentifier SensitiveData:S3Object/Financial SensitiveData:S3Object/Multiple SensitiveData:S3Object/Personal. The ability to discover this type of sensitive data stored in a bucket may lead to hardening steps or removing the data altogether which would prevent an adversary from being able to collect the data. This type of protection is limited to only the S3 storage type and not other storage types available on the platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score.","Category": "Protect","AWSService": "Amazon Macie"}],"description": "Adversaries may collect sensitive data from these cloud storage solutions. 
Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.[5][6][7] There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.","checks_status": {"fail": 6,"pass": 6,"total": 22,"manual": 0}},"T1535": {"name": "Unused/Unsupported Cloud Regions","checks": {"organizations_scp_check_deny_regions": null},"status": "PASS","attributes": [],"description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"T1537": {"name": "Transfer Data to Cloud Account","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "The following Macie findings can detect attempts to replicate data objects from a monitored bucket to an Amazon Web Services account that isn't part of your organization: Policy:IAMUser/S3BucketReplicatedExternally Policy:IAMUser/S3BucketSharedExternally. 
This type of detection is limited to only the S3 storage type and not other storage types available on the platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score.","Category": "Detect","AWSService": "Amazon Macie"}],"description": "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"T1538": {"name": "Cloud Service Dashboard","checks": {"iam_user_mfa_enabled_console_access": null,"organizations_account_part_of_organizations": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Partial","Comment": "This control may protect against cloud service dashboard abuse by segmenting accounts into separate organizational units and restricting dashboard access by least privilege.","Category": "Protect","AWSService": "AWS Organizations"},{"Value": "Significant","Comment": "The 'mfa-enabled-for-iam-console-access' managed rule checks whether multi-factor authentication is enabled for all AWS IAM users that use a console password, protecting against misuse of those accounts' dashboard access. It is run periodically, and provides significant coverage, resulting in an overall score of Significant.","Category": "Protect","AWSService": "AWS Config"}],"description": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. 
For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"T1546": {"name": "Event Triggered Execution","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1550": {"name": "Use Alternate Authentication Material","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_console_access_unused": null,"iam_user_two_active_access_key": null,"iam_policy_no_full_access_to_kms": null,"iam_administrator_access_with_mfa": null,"iam_user_mfa_enabled_console_access": null,"iam_user_no_setup_initial_access_key": null,"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Minimal","Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may use alternate authentication material, such as password hashes, 
Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.","checks_status": {"fail": 0,"pass": 0,"total": 17,"manual": 0}},"T1552": {"name": "Unsecured Credentials","checks": {"macie_is_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_document_secrets": "PASS","ec2_instance_imdsv2_enabled": "PASS","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","awslambda_function_no_secrets_in_code": "PASS","cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudformation_stack_outputs_find_secrets": "PASS","secretsmanager_automatic_rotation_enabled": "FAIL","awslambda_function_no_secrets_in_variables": "PASS","ecs_task_definitions_no_environment_secrets": "PASS","autoscaling_find_secrets_ec2_launch_configuration": "PASS","eks_cluster_kms_cmk_encryption_in_secrets_enabled": null},"status": "FAIL","attributes": [{"Value": "Minimal","Comment": "This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.","Category": "Protect","AWSService": "AWS CloudHSM"},{"Value": "Significant","Comment": "The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: 'codebuild-project-envvar-awscred-check' for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, 'codebuild-project-source-repo-url-check' for personal access tokens and/or credentials within source repository URLs. 
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured to avoid adversary access: 'secretsmanager-rotation-enabled-check', 'secretsmanager-scheduled-rotation-success-check', 'secretsmanager-secret-periodic-rotation', and 'secretsmanager-using-cmk'. This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial.","Category": "Protect","AWSService": "AWS Config"},{"Value": "Minimal","Comment": "This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Minimal","Comment": "This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.","Category": "Protect","AWSService": "AWS Key Management Service"},{"Value": "Partial","Comment": "This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.","Category": "Protect","AWSService": "AWS Secrets Manager"},{"Value": "Minimal","Comment": "This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Minimal","Comment": "Macie only provides detection for the Credentials in Files sub-technique of this technique and only for the S3 storage type resulting in Minimal coverage and an overall Minimal score.","Category": "Protect","AWSService": "Amazon Macie"}],"description": "Adversaries may search compromised systems to find and 
obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).","checks_status": {"fail": 2,"pass": 11,"total": 14,"manual": 0}},"T1556": {"name": "Modify Authentication Process","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Value": "Partial","Comment": "This control provides coverage for one of this technique's SubTechniques, resulting in an overall score of Partial. Enforce MFA in IAM Users.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. 
By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"T1562": {"name": "Impair Defenses","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","inspector2_active_findings_exist": "FAIL","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Value": "Minimal","Comment": "This control provides significant coverage for a minority of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Detect","AWSService": "AWS Config"},{"Value": "Minimal","Comment": "This control provides partial coverage for a minority of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Detect","AWSService": "AWS IoT Device Defender"},{"Value": "Minimal","Comment": "This control provides partial coverage for a minority of this technique's SubTechniques, resulting in an overall score of Minimal.","Category": "Respond","AWSService": "AWS IoT Device Defender"}],"description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. 
This may also span both native defenses as well as supplemental capabilities installed by users and administrators.","checks_status": {"fail": 2,"pass": 2,"total": 5,"manual": 0}},"T1578": {"name": "Modify Cloud Compute Infrastructure","checks": {"iam_policy_no_full_access_to_kms": null,"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Significant","Comment": "Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege.","Category": "Protect","AWSService": "AWS IAM"}],"description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"T1580": {"name": "Cloud Infrastructure Discovery","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_policy_no_full_access_to_kms": null,"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"organizations_account_part_of_organizations": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Partial","Comment": "This control may protect against cloud infrastructure discovery by segmenting accounts into separate organizational units and restricting infrastructure access by least privilege.","Category": 
"Protect","AWSService": "AWS Organizations"},{"Value": "Partial","Comment": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access as well as accessible EC2 instances that may result in an adversary learning about cloud infrastructure used by the organization. AWS Security Hub provides these detections with the following managed insights. S3 buckets with public write or read permissions EC2 instances that have ports accessible from the Internet EC2 instances that are open to the Internet. AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check. 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes. This is scored as Partial because S3 and EC2 only represent a subset of available cloud infrastructure components.","Category": "Detect","AWSService": "AWS Security Hub"},{"Value": "Partial","Comment": "The following GuardDuty finding types flag events that are linked to Discovery techniques and can be used to capture events where a malicious user may be searching through the account looking for available resources. The finding types are also used to flag certain signatures of running services to detect malicious user activities from commonly used pentest operating systems. Discovery:IAMUser/AnomalousBehavior Discovery:S3/MaliciousIPCaller Discovery:S3/MaliciousIPCaller.Custom Discovery:S3/TorIPCaller PenTest:IAMUser/KaliLinux PenTest:IAMUser/ParrotLinux PenTest:IAMUser/PentooLinux PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux.","Category": "Detect","AWSService": "Amazon GuardDuty"},{"Value": "Significant","Comment": "Limit IAM permissions to discover cloud infrastructure in accordance with least privilege. 
Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.","Category": "Protect","AWSService": "AWS IAM"}],"description": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.","checks_status": {"fail": 0,"pass": 2,"total": 10,"manual": 0}},"T1606": {"name": "Forge Web Credentials","checks": {"iam_policy_allows_privilege_escalation": null,"iam_no_custom_policy_permissive_role_assumption": null},"status": "PASS","attributes": [{"Value": "Partial","Comment": "Limit IAM permissions from calling the sts:GetFederationToken API unless explicitly required, in accordance with least privilege.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"T1614": {"name": "System Location Discovery","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may gather information in an attempt to calculate the geographical location of a victim host. 
Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1619": {"name": "Cloud Storage Object Discovery","checks": {"iam_policy_allows_privilege_escalation": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Significant","Comment": "Restrict granting of permissions related to listing objects in AWS S3 Buckets to necessary accounts.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. 
Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"T1621": {"name": "Multi-Factor Authentication Request Generation","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"T1648": {"name": "Serverless Execution","checks": {"iam_policy_no_full_access_to_kms": null,"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Value": "Significant","Comment": "Remove permissions to create, modify, or run serverless resources from users that do not explicitly require them.","Category": "Protect","AWSService": "AWS IAM"}],"description": "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"T1651": {"name": "Cloud Administration Command","checks": {},"status": "PASS","attributes": [],"description": "Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. 
Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}}},"requirements_passed": 18,"requirements_failed": 18,"requirements_manual": 10,"total_requirements": 46,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "6e52644d-3557-4704-9cf6-e33e4c1a316b","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "ffiec_aws","framework": "FFIEC","version": "","description": "In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity maturity.","region": "eu-west-1","requirements": {"d1-g-it-b-1": {"name": "D1.G.IT.B.1","checks": {"ec2_elastic_ip_unassigned": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d1-g-it-b-1","Section": "Cyber Risk Management and Oversight (Domain 1)","Service": "aws","SubGroup": null,"SubSection": "Governance (G)"}],"description": "An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"d4-c-co-b-2": {"name": "D4.C.Co.B.2","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d4-c-co-b-2","Section": "External Dependency Management (Domain 4)","Service": "aws","SubGroup": null,"SubSection": "Connections (C)"}],"description": "The 
institution ensures that third-party connections are authorized.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"d1-rm-ra-b-2": {"name": "D1.RM.RA.B.2","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "d1-rm-ra-b-2","Section": "Cyber Risk Management and Oversight (Domain 1)","Service": "aws","SubGroup": null,"SubSection": "Risk Management (RM)"}],"description": "The risk assessment identifies Internet- based systems and high-risk transactions that warrant additional authentication controls.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"d1-rm-rm-b-1": {"name": "D1.RM.Rm.B.1","checks": {"rds_instance_multi_az": "FAIL","rds_instance_backup_enabled": "PASS","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d1-rm-rm-b-1","Section": "Cyber Risk Management and Oversight (Domain 1)","Service": "aws","SubGroup": null,"SubSection": "Risk Management (RM)"}],"description": "An information security and business continuity risk management function(s) exists within the institution.","checks_status": {"fail": 1,"pass": 1,"total": 4,"manual": 0}},"d2-is-is-b-1": {"name": "D2.IS.Is.B.1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d2-is-is-b-1","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Information Sharing (IS)"}],"description": "Information security threats are gathered and shared with applicable internal employees.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"d2-ma-ma-b-1": {"name": "D2.MA.Ma.B.1","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": 
"PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d2-ma-ma-b-1","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Monitoring and Analyzing (MA)"}],"description": "Information security threats are gathered and shared with applicable internal employees.","checks_status": {"fail": 7,"pass": 2,"total": 14,"manual": 0}},"d2-ma-ma-b-2": {"name": "D2.MA.Ma.B.2","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d2-ma-ma-b-2","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Monitoring and Analyzing (MA)"}],"description": "Computer event logs are used for investigations once an event has occurred.","checks_status": {"fail": 5,"pass": 2,"total": 12,"manual": 0}},"d2-ti-ti-b-1": {"name": "D2.TI.Ti.B.1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "d2-ti-ti-b-1","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Threat Intelligence 
(TI)"}],"description": "The institution belongs or subscribes to a threat and vulnerability information-sharing source(s) that provides information on threats (e.g., FS-ISAC, US- CERT).","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"d2-ti-ti-b-2": {"name": "D2.TI.Ti.B.2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d2-ti-ti-b-2","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Threat Intelligence (TI)"}],"description": "Threat information is used to monitor threats and vulnerabilities.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"d2-ti-ti-b-3": {"name": "D2.TI.Ti.B.3","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "d2-ti-ti-b-3","Section": "Threat Intelligence and Collaboration (Domain 2)","Service": "aws","SubGroup": null,"SubSection": "Threat Intelligence (TI)"}],"description": "Threat information is used to enhance internal risk management and controls.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"d3-cc-pm-b-1": {"name": "D3.CC.PM.B.1","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-cc-pm-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Corrective Controls (CC)"}],"description": "A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"d3-cc-pm-b-3": {"name": "D3.CC.PM.B.3","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": 
null,"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-cc-pm-b-3","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Corrective Controls (CC)"}],"description": "Patch management reports are reviewed and reflect missing security patches.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"d3-dc-an-b-1": {"name": "D3.DC.An.B.1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-an-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "The institution is able to detect anomalous activities through monitoring across the environment.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"d3-dc-an-b-2": {"name": "D3.DC.An.B.2","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-dc-an-b-2","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Customer transactions generating anomalous activity alerts are monitored and reviewed.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"d3-dc-an-b-3": {"name": "D3.DC.An.B.3","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null},"status": "FAIL","attributes": [{"Type": 
null,"ItemId": "d3-dc-an-b-3","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Logs of physical and/or logical access are reviewed following events.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"d3-dc-an-b-4": {"name": "D3.DC.An.B.4","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-an-b-4","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Access to critical systems by third parties is monitored for unauthorized or unusual activity.","checks_status": {"fail": 6,"pass": 2,"total": 13,"manual": 0}},"d3-dc-an-b-5": {"name": "D3.DC.An.B.5","checks": {"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-an-b-5","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Elevated privileges are monitored.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"d3-dc-ev-b-1": {"name": "D3.DC.Ev.B.1","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": 
"PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-ev-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "A normal network activity baseline is established.","checks_status": {"fail": 4,"pass": 2,"total": 10,"manual": 0}},"d3-dc-ev-b-2": {"name": "D3.DC.Ev.B.2","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-dc-ev-b-2","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"d3-dc-ev-b-3": {"name": "D3.DC.Ev.B.3","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-ev-b-3","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.","checks_status": {"fail": 1,"pass": 3,"total": 4,"manual": 0}},"d3-dc-th-b-1": {"name": "D3.DC.Th.B.1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-dc-th-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Detective Controls (DC)"}],"description": "Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk 
assessment for external-facing systems and the internal network.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"d3-pc-am-b-1": {"name": "D3.PC.Am.B.1","checks": {"iam_no_root_access_key": null,"ec2_instance_profile_attached": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.","checks_status": {"fail": 0,"pass": 1,"total": 6,"manual": 0}},"d3-pc-am-b-2": {"name": "D3.PC.Am.B.2","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-2","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Employee access to systems and confidential data provides for separation of duties.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"d3-pc-am-b-3": {"name": "D3.PC.Am.B.3","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_root_hardware_mfa_enabled": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-3","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative 
Controls (PC)"}],"description": "Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"d3-pc-am-b-6": {"name": "D3.PC.Am.B.6","checks": {"iam_root_mfa_enabled": null,"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-6","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Identification and authentication are required and managed for access to systems, applications, and hardware.","checks_status": {"fail": 0,"pass": 0,"total": 16,"manual": 0}},"d3-pc-am-b-7": {"name": "D3.PC.Am.B.7","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-7","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Access controls include password complexity and limits to password attempts and reuse.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"d3-pc-am-b-8": {"name": "D3.PC.Am.B.8","checks": {"iam_no_root_access_key": 
null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-8","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "All default passwords and unnecessary default accounts are changed before system implementation.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"d3-pc-im-b-1": {"name": "D3.PC.Im.B.1","checks": {"ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","apigateway_restapi_waf_acl_attached": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Network perimeter defense tools (e.g., border router and firewall) are used.","checks_status": {"fail": 5,"pass": 7,"total": 20,"manual": 0}},"d3-pc-im-b-2": {"name": "D3.PC.Im.B.2","checks": {"elbv2_waf_acl_attached": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-2","Section": 
"Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.","checks_status": {"fail": 4,"pass": 1,"total": 6,"manual": 0}},"d3-pc-im-b-3": {"name": "D3.PC.Im.B.3","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-3","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "All ports are monitored.","checks_status": {"fail": 4,"pass": 2,"total": 6,"manual": 0}},"d3-pc-im-b-5": {"name": "D3.PC.Im.B.5","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-5","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Systems configurations (for servers, desktops, routers, etc.) 
follow industry standards and are enforced","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"d3-pc-im-b-6": {"name": "D3.PC.Im.B.6","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-6","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Ports, functions, protocols and services are prohibited if no longer needed for business purposes.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"d3-pc-im-b-7": {"name": "D3.PC.Im.B.7","checks": {"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-im-b-7","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.","checks_status": {"fail": 1,"pass": 1,"total": 6,"manual": 0}},"d3-pc-se-b-1": {"name": "D3.PC.Se.B.1","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-se-b1","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"d5-dr-de-b-1": {"name": 
"D5.DR.De.B.1","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d5-dr-de-b-1","Section": "Cyber Incident Management and Resilience (Domain 5)","Service": "aws","SubGroup": null,"SubSection": "Detection, Response, & Mitigation (DR)"}],"description": "Alert parameters are set for detecting information security incidents that prompt mitigating actions.","checks_status": {"fail": 0,"pass": 2,"total": 6,"manual": 0}},"d5-dr-de-b-2": {"name": "D5.DR.De.B.2","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "d5-dr-de-b-2","Section": "Cyber Incident Management and Resilience (Domain 5)","Service": "aws","SubGroup": null,"SubSection": "Detection, Response, & Mitigation (DR)"}],"description": "System performance reports contain information that can be used as a risk indicator to detect information security incidents.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"d5-dr-de-b-3": {"name": "D5.DR.De.B.3","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": 
[{"Type": null,"ItemId": "d5-dr-de-b-3","Section": "Cyber Incident Management and Resilience (Domain 5)","Service": "aws","SubGroup": null,"SubSection": "Detection, Response, & Mitigation (DR)"}],"description": "Tools and processes are in place to detect, alert, and trigger the incident response program.","checks_status": {"fail": 5,"pass": 3,"total": 16,"manual": 0}},"d5-er-es-b-4": {"name": "D5.ER.Es.B.4","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d5-er-es-b-4","Section": "Cyber Incident Management and Resilience (Domain 5)","Service": "aws","SubGroup": null,"SubSection": "Escalation and Reporting (ER)"}],"description": "Incidents are classified, logged and tracked.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"d5-ir-pl-b-6": {"name": "D5.IR.Pl.B.6","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d5-ir-pl-b-6","Section": "Cyber Incident Management and Resilience (Domain 5)","Service": "aws","SubGroup": null,"SubSection": "Incident Resilience Planning & Strategy (IR)"}],"description": "The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident.","checks_status": {"fail": 5,"pass": 1,"total": 8,"manual": 0}},"d3-pc-am-b-10": {"name": "D3.PC.Am.B.10","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-10","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Production and 
non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution's third party.)","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"d3-pc-am-b-12": {"name": "D3.PC.Am.B.12","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-12","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "All passwords are encrypted in storage and in transit.","checks_status": {"fail": 4,"pass": 3,"total": 10,"manual": 0}},"d3-pc-am-b-13": {"name": "D3.PC.Am.B.13","checks": {"elb_ssl_listeners": "FAIL","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-13","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Confidential data is encrypted when transmitted across public or untrusted networks (e.g., Internet).","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"d3-pc-am-b-15": {"name": "D3.PC.Am.B.15","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"s3_bucket_secure_transport_policy": "FAIL","iam_user_mfa_enabled_console_access": null,"apigateway_restapi_client_certificate_enabled": "FAIL"},"status": 
"FAIL","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-15","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.","checks_status": {"fail": 2,"pass": 0,"total": 5,"manual": 0}},"d3-pc-am-b-16": {"name": "D3.PC.Am.B.16","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "d3-pc-am-b-16","Section": "Cybersecurity Controls (Domain 3)","Service": "aws","SubGroup": null,"SubSection": "Preventative Controls (PC)"}],"description": "Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}}},"requirements_passed": 13,"requirements_failed": 29,"requirements_manual": 2,"total_requirements": 44,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "7058bd2a-3241-4e0e-9773-9a0136d861bc","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "cis_2.0_aws","framework": "CIS","version": "2.0","description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.","region": "eu-west-1","requirements": {"1.1": {"name": "1.1","checks": {"account_maintain_current_contact_details": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info","Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.","DefaultValue": null,"AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, review and verify the current details. 4. Under `Contact Information`, review and verify the current details.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. 
This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.","RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`. 4. Next to the field that you need to update, choose `Edit`. 5. After you have entered your changes, choose `Save changes`. 6. After you have made your changes, choose `Done`. 7. To edit your contact information, under `Contact Information`, choose `Edit`. 8. For the fields that you want to change, type your updated information, and then choose `Update`.","AdditionalInformation": ""}],"description": "Maintain current contact details","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.2": {"name": "1.2","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if security contact information is present:**From Console:**1. Click on your account name at the top right corner of the console 2. From the drop-down menu Click `My Account`3. 
Scroll down to the `Alternate Contacts` section 4. Ensure contact information is specified in the `Security` section","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.","RemediationProcedure": "Perform the following to establish security contact information:**From Console:**1. Click on your account name at the top right corner of the console. 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. Enter contact information in the `Security` section**Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.","AdditionalInformation": ""}],"description": "Ensure security contact information is registered","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.3": {"name": "1.3","checks": {"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS account as the 'root' user 2. On the top right you will see the __ 3. Click on the __ 4. From the drop-down menu Click `My Account`5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions. 6. Click `Save questions` .","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "When creating a new AWS account, a default super user is automatically created. 
This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.","RemediationProcedure": "**From Console:**1. Login to the AWS Account as the 'root' user 2. Click on the __ from the top right of the console 3. From the drop-down menu Click _My Account_ 4. Scroll down to the `Configure Security Questions` section 5. Click on `Edit`6. Click on each `Question` - From the drop-down select an appropriate question- Click on the `Answer` section- Enter an appropriate answer - Follow process for all 3 questions 7. Click `Update` when complete 8. Save Questions and Answers and place in a secure physical location","AdditionalInformation": ""}],"description": "Ensure security questions are registered in the AWS account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.4": {"name": "1.4","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/","Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. 
It is recommended that all access keys associated with the 'root' user account be removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .**From Command Line:**Run the following command: ```aws iam get-account-summary | grep \"AccountAccessKeysPresent\"``` If no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,. If the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged.","RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys**From Console:**1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. Click on __ at the top right and select `My Security Credentials` from the drop down list 3. On the pop out screen Click on `Continue to Security Credentials`4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_ 5. Under the `Status` column if there are any Keys which are Active- Click on `Make Inactive` - (Temporarily disable Key - may be needed again)- Click `Delete` - (Deleted keys cannot be recovered)","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions is not enabled by default. 
However, on request to AWS support enables 'root' access only through access-keys (CLI, API methods) for us-gov cloud region."}],"description": "Ensure no 'root' user account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.5": {"name": "1.5","checks": {"iam_root_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.**Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `mfa_active` field is set to `TRUE` .**From Command Line:**1. 
Run the following command: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ``` 2. Ensure the AccountMFAEnabled property is set to 1","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` . 5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. 
For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.When you are finished, the virtual MFA device starts generating one-time passwords.In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions does not have console access. This recommendation is not applicable for us-gov cloud regions."}],"description": "Ensure MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.6": {"name": "1.6","checks": {"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:1. 
Run the following command to determine if the 'root' account has MFA setup: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ```The `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled. If `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled. Run the following command to list all virtual MFA devices: ```aws iam list-virtual-mfa-devices``` If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation: `\"SerialNumber\": \"arn:aws:iam::__:mfa/root-account-mfa-device\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.","RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials. 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. 
In the wizard, choose `A hardware MFA` device and then choose `Next Step` . 5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device. 6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. 7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number. 8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.Remediation for this recommendation is not available through AWS CLI.","AdditionalInformation": "IAM User account 'root' for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions."}],"description": "Ensure hardware MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.7": {"name": "1.7","checks": {"iam_avoid_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html","Description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/` 2. 
In the left pane, click `Credential Report` 3. Click on `Download Report` 4. Open of Save the file locally 5. Locate the `` under the user column 6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.**From Command Line:**Run the following CLI commands to provide a credential report for determining the last time the 'root user' was used: ``` aws iam generate-credential-report ``` ``` aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '' ```Review `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.**Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.","RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user.**Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.","AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. 
If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.Monitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user."}],"description": "Eliminate use of the 'root' user for administrative and daily tasks","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.8": {"name": "1.8","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Minimum password length\" is set to 14 or greater.**From Command Line:** ``` aws iam get-account-password-policy ``` Ensure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Setting a password complexity policy increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. 
Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Set \"Minimum password length\" to `14` or greater. 5. Click \"Apply password policy\"**From Command Line:** ```aws iam update-account-password-policy --minimum-password-length 14 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy requires minimum length of 14 or greater","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.9": {"name": "1.9","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Prevent password reuse\" is checked 5. 
Ensure \"Number of passwords to remember\" is set to 24**From Command Line:** ``` aws iam get-account-password-policy``` Ensure the output of the above command includes \"PasswordReusePrevention\": 24","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Preventing password reuse increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Check \"Prevent password reuse\" 5. Set \"Number of passwords to remember\" is set to `24` **From Command Line:** ```aws iam update-account-password-policy --password-reuse-prevention 24 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy prevents password reuse","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.1": {"name": "3.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events","Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane- You will be presented with a list of trails across all regions 3. Ensure at least one Trail has `All` specified in the `Region` column 4. Click on a trail via the link in the _Name_ column 5. Ensure `Logging` is set to `ON`6. Ensure `Apply trail to all regions` is set to `Yes` 7. In section `Management Events` ensure `Read/Write Events` set to `ALL`**From Command Line:** ```aws cloudtrail describe-trails ``` Ensure `IsMultiRegionTrail` is set to `true```` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `true` ``` aws cloudtrail get-event-selectors --trail-name  ``` Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`","ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html","AssessmentStatus": "Automated","RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally, - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected- ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated onAWS global services- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account","RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on _Trails_ on the left navigation pane 3. Click `Get Started Now` , if presented- Click `Add new trail` - Enter a trail name in the `Trail name` box- Set the `Apply trail to all regions` option to `Yes` - Specify an S3 bucket name in the `S3 bucket` box- Click `Create`4. If 1 or more trails already exist, select the target trail to enable for global logging 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`. 6. 
Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.**From Command Line:** ``` aws cloudtrail create-trail --name  --bucket-name  --is-multi-region-trailaws cloudtrail update-trail --name  --is-multi-region-trail ```Note: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.","AdditionalInformation": ""}],"description": "Ensure CloudTrail is enabled in all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.2": {"name": "3.2","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.","DefaultValue": null,"AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. 
For Every Trail: - Click on a trail via the link in the _Name_ column - Under the `General details` section, ensure `Log file validation` is set to `Enabled` **From Command Line:** ``` aws cloudtrail describe-trails ``` Ensure `LogFileValidationEnabled` is set to `true` for each trail","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling log file validation will provide additional integrity checking of CloudTrail logs.","RemediationProcedure": "Perform the following to enable log file validation on a given trail:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. Click on target trail 4. Within the `General details` section click `edit` 5. Under the `Advanced settings` section 6. Check the enable box under `Log file validation`7. Click `Save changes` **From Command Line:** ``` aws cloudtrail update-trail --name  --enable-log-file-validation ``` Note that periodic validation of logs using these digests can be performed by running the following command: ``` aws cloudtrail validate-logs --trail-arn  --start-time  --end-time  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail log file validation is enabled","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.3": {"name": "3.3","checks": {"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html","Description": "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. 
It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the `API activity history` pane on the left, click `Trails`3. In the `Trails` pane, note the bucket names in the `S3 bucket` column 4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 5. For each bucket noted in step 3, right-click on the bucket and click `Properties`6. In the `Properties` pane, click the `Permissions` tab. 7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.`9. If the `Edit bucket policy` button is present, click it to review the bucket policy. 10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName' ``` 2. Ensure the `AllUsers` principal is not granted privileges to that `` : ```aws s3api get-bucket-acl --bucket  --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]' ``` 3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that ``: ```aws s3api get-bucket-acl --bucket  --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]' ``` 4. 
Get the S3 Bucket Policy ```aws s3api get-bucket-policy --bucket ``` 5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.","RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 2. Right-click on the bucket and click Properties 3. In the `Properties` pane, click the `Permissions` tab. 4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 5. Select the row that grants permission to `Everyone` or `Any Authenticated User`6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row). 7. Click `Save` to save the ACL. 8. If the `Edit bucket policy` button is present, click it. 9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.","AdditionalInformation": ""}],"description": "Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.4": {"name": "3.4","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html","Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Under `Trails` , click on the CloudTrail you wish to evaluate 3. Under the `CloudWatch Logs` section. 4. Ensure a `CloudWatch Logs` log group is configured and listed. 5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.**From Command Line:**1. Run the following command to get a listing of existing trails: ```aws cloudtrail describe-trails ``` 2. 
Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property. 3. Using the noted value of the `Name` property, run the following command: ```aws cloudtrail get-trail-status --name  ``` 4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.If the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.","ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.","RemediationProcedure": "Perform the following to establish the prescribed state:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Select the `Trail` the needs to be updated. 3. Scroll down to `CloudWatch Logs` 4. Click `Edit` 5. Under `CloudWatch Logs` click the box `Enabled` 6. Under `Log Group` pick new or select an existing log group 7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group. 8. 
Under `IAM Role` pick new or select an existing. 9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role. 10. Click `Save changes.**From Command Line:** ``` aws cloudtrail update-trail --name  --cloudwatch-logs-log-group-arn  --cloudwatch-logs-role-arn  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail trails are integrated with CloudWatch Logs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.5": {"name": "3.5","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html","Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.","DefaultValue": null,"AuditProcedure": "Process to evaluate AWS Config configuration per region**From Console:**1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 2. On the top right of the console select target Region. 3. If presented with Setup AWS Config - follow remediation procedure: 4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 5. Ensure 1 or both check-boxes under \"All Resources\" is checked.- Include global resources related to IAM resources - which needs to be enabled in 1 region only 6. Ensure the correct S3 bucket has been defined. 7. Ensure the correct SNS topic has been defined. 8. Repeat steps 2 to 7 for each region.**From Command Line:**1. 
Run this command to show all AWS Config recorders and their properties: ``` aws configservice describe-configuration-recorders ``` 2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])Sample Output:``` {\"ConfigurationRecorders\": [{\"recordingGroup\": {\"allSupported\": true,\"resourceTypes\": [],\"includeGlobalResourceTypes\": true},\"roleARN\": \"arn:aws:iam:::role/service-role/\",\"name\": \"default\"}] } ```3. Run this command to show the status for all AWS Config recorders: ``` aws configservice describe-configuration-recorder-status ``` 4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`","ImpactStatement": "It is recommended AWS Config be enabled in all regions.","AssessmentStatus": "Automated","RationaleStatement": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.","RemediationProcedure": "To implement AWS Config configuration:**From Console:**1. Select the region you want to focus on in the top right of the console 2. Click `Services`3. Click `Config`4. Define which resources you want to record in the selected region 5. Choose to include global resources (IAM resources) 6. Specify an S3 bucket in the same account or in another managed AWS account 7. Create an SNS Topic from the same AWS account or another managed AWS account**From Command Line:**1. 
Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 2. Run this command to set up the configuration recorder ``` aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole ``` 3. Run this command to start the configuration recorder: ``` start-configuration-recorder --configuration-recorder-name  ```","AdditionalInformation": ""}],"description": "Ensure AWS Config is enabled in all regions","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.6": {"name": "3.6","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html","Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.","DefaultValue": null,"AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the API activity history pane on the left, click Trails 3. In the Trails pane, note the bucket names in the S3 bucket column 4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 5. Under `All Buckets` click on a target S3 bucket 6. 
Click on `Properties` in the top right of the console 7. Under `Bucket:` _ `` _ click on `Logging`8. Ensure `Enabled` is checked.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'``` 2. Ensure Bucket Logging is enabled: ``` aws s3api get-bucket-logging --bucket  ``` Ensure command does not returns empty output.Sample Output for a bucket with logging enabled:``` {\"LoggingEnabled\": {\"TargetPrefix\": \"\",\"TargetBucket\": \"\"} } ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.","RemediationProcedure": "Perform the following to enable S3 bucket logging:**From Console:**1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 2. Under `All Buckets` click on the target S3 bucket 3. Click on `Properties` in the top right of the console 4. Under `Bucket:`  click on `Logging`5. Configure bucket logging- Click on the `Enabled` checkbox- Select Target Bucket from list- Enter a Target Prefix 6. Click `Save`.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --region  --query trailList[*].S3BucketName ``` 2. Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``: ``` {\"LoggingEnabled\": {\"TargetBucket\": \"\",\"TargetPrefix\": \"\",\"TargetGrants\": [{\"Grantee\": {\"Type\": \"AmazonCustomerByEmail\",\"EmailAddress\": \"\"},\"Permission\": \"FULL_CONTROL\"}]}} ``` 3. 
Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): ``` aws s3api put-bucket-logging --bucket  --bucket-logging-status file:// ```","AdditionalInformation": ""}],"description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.7": {"name": "3.7","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html","Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Select a Trail 4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.**From Command Line:**1. 
Run the following command: ```aws cloudtrail describe-trails``` 2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.","ImpactStatement": "Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.","AssessmentStatus": "Automated","RationaleStatement": "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.","RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Click on a Trail 4. Under the `S3` section click on the edit button (pencil icon) 5. Click `Advanced`6. Select an existing CMK from the `KMS key Id` drop-down menu- Note: Ensure the CMK is located in the same region as the S3 bucket- Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy 7. Click `Save`8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. 9. Click `Yes` **From Command Line:** ``` aws cloudtrail update-trail --name  --kms-id  aws kms put-key-policy --key-id  --policy  ```","AdditionalInformation": "3 statements which need to be added to the CMK policy:1\\. Enable Cloudtrail to describe CMK properties ``` 
{\"Sid\": \"Allow CloudTrail access\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:DescribeKey\",\"Resource\": \"*\" } ``` 2\\. Granting encrypt permissions ``` 
{\"Sid\": \"Allow CloudTrail to encrypt logs\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:GenerateDataKey*\",\"Resource\": \"*\",\"Condition\": {\"StringLike\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": [\"arn:aws:cloudtrail:*:aws-account-id:trail/*\"]}} } ``` 3\\. Granting decrypt permissions ``` 
{\"Sid\": \"Enable CloudTrail log decrypt permissions\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"arn:aws:iam::aws-account-id:user/username\"},\"Action\": \"kms:Decrypt\",\"Resource\": \"*\",\"Condition\": {\"Null\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"}} } ```"}],"description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.8": {"name": "3.8","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final","Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the `General configuration` panel open the tab `Key rotation` 5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated 6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"**From Command Line:**1. 
Run the following command to get a list of all keys and their associated `KeyIds````aws kms list-keys ``` 2. For each key, note the KeyId and run the following command ``` describe-key --key-id  ``` 3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command ```aws kms get-key-rotation-status --key-id  ``` 4. Ensure `KeyRotationEnabled` is set to `true` 5. Repeat steps 2 - 4 for all remaining CMKs","ImpactStatement": "Creation, management, and storage of CMKs may require additional time from and administrator.","AssessmentStatus": "Automated","RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` . 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the \"General configuration\" panel open the tab \"Key rotation\" 5. Check the \"Automatically rotate this KMS key every year.\" checkbox**From Command Line:**1. Run the following command to enable key rotation: ```aws kms enable-key-rotation --key-id  ```","AdditionalInformation": ""}],"description": "Ensure rotation for customer created symmetric CMKs is enabled","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.9": {"name": "3.9","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html","Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. Ensure a Log Flow exists that has `Active` in the `Status` column.**From Command Line:**1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region: ``` aws ec2 describe-vpcs --region  --query Vpcs[].VpcId ``` 2. The command output returns the `VpcId` available in the selected region. 3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled: ``` aws ec2 describe-flow-logs --filter \"Name=resource-id,Values=\" ``` 4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`. 5. Repeat step 3 for other VPCs available in the same region. 6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.","ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. 
You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.","RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. If no Flow Log exists, click `Create Flow Log`7. For Filter, select `Reject` 8. Enter in a `Role` and `Destination Log Group`9. Click `Create Log Flow`10. Click on `CloudWatch Logs Group` **Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.**From Command Line:**1. Create a policy document and name it as `role_policy_document.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"test\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"ec2.amazonaws.com\"},\"Action\": \"sts:AssumeRole\"}] } ``` 2. 
Create another policy document and name it as `iam_policy.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Action\":[\"logs:CreateLogGroup\",\"logs:CreateLogStream\",\"logs:DescribeLogGroups\",\"logs:DescribeLogStreams\",\"logs:PutLogEvents\",\"logs:GetLogEvents\",\"logs:FilterLogEvents\"],\"Resource\": \"*\"}] } ``` 3. Run the below command to create an IAM role: ``` aws iam create-role --role-name  --assume-role-policy-document file://role_policy_document.json``` 4. Run the below command to create an IAM policy: ``` aws iam create-policy --policy-name  --policy-document file://iam-policy.json ``` 5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned): ``` aws iam attach-group-policy --policy-arn arn:aws:iam:::policy/ --group-name  ``` 6. Run `describe-vpcs` to get the VpcId available in the selected region: ``` aws ec2 describe-vpcs --region  ``` 7. The command output should return the VPC Id available in the selected region. 8. Run `create-flow-logs` to create a flow log for the vpc: ``` aws ec2 create-flow-logs --resource-type VPC --resource-ids  --traffic-type REJECT --log-group-name  --deliver-logs-permission-arn  ``` 9. Repeat step 8 for other vpcs available in the selected region. 10. Change the region by updating --region and repeat remediation procedure for other vpcs.","AdditionalInformation": ""}],"description": "Ensure VPC flow logging is enabled in all VPCs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"4.1": {"name": "4.1","checks": {"cloudwatch_log_metric_filter_unauthorized_api_calls": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. 
Monitoring","References": "https://aws.amazon.com/sns/:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with \"Name\":` note ``- From value associated with \"CloudWatchLogsLogGroupArn\" note Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this `` that you captured in step 1:``` aws logs describe-metric-filters --log-group-name \"\" ```3. 
Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\", ```4. Note the \"filterName\" `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\" ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.","AssessmentStatus": "Automated","RationaleStatement": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `` taken from audit step 1. 
``` aws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms. **Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for unauthorized API calls","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.2": {"name": "4.2","checks": {"cloudwatch_log_metric_filter_sign_in_without_mfa": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all `CloudTrails`:``` aws cloudtrail describe-trails ```- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region `CloudTrail` is active``` aws cloudtrail get-trail-status --name  ```Ensure in the output that `IsLogging` is set to `TRUE`- Ensure identified Multi-region 'Cloudtrail' captures all Management Events``` aws cloudtrail get-event-selectors --trail-name  ```Ensure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\" ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `` taken from audit step 1.Use Command: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored -Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account."}],"description": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.3": {"name": "4.3","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for 'root' login attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**- ensures that activities from all regions (used as well as unused) are monitored- ensures that activities on all supported global services are monitored- ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for usage of 'root' account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.4": {"name": "4.4","checks": {"cloudwatch_log_metric_filter_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for IAM policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.5": {"name": "4.5","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.6": {"name": "4.6","checks": {"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.7": {"name": "4.7","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Data encrypted with disabled or deleted keys will no longer be accessible.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.8": {"name": "4.8","checks": {"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for S3 bucket policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.9": {"name": "4.9","checks": {"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Config configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"5.1": {"name": "5.1","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison","Description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "**From Console:**Perform the following to determine if the account is configured as prescribed: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. 
For each network ACL, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "**From Console:**Perform the following: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL to remediate, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Click `Edit inbound rules`- Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule- Click `Save`","AdditionalInformation": ""}],"description": "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"5.2": {"name": "5.2","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule 6. 
Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.3": {"name": "5.3","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. 
Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `::/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the ::/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than ::/0, or, B) Click `Delete` to remove the offending inbound rule 6. Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.4": {"name": "5.4","checks": {"ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "5. 
Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group","Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.**NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:Security Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. 
For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exist 4. Click the `Outbound Rules` tab 5. Ensure no rules existSecurity Group Members1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. Copy the id of the default security group. 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home 6. In the filter column type 'Security Group ID : < security group id from #4 >'","ImpactStatement": "Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.","AssessmentStatus": "Automated","RationaleStatement": "Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.","RemediationProcedure": "Security Group MembersPerform the following to implement the prescribed state:1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security groupSecurity Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. 
Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Remove any inbound rules 4. Click the `Outbound Rules` tab 5. Remove any Outbound rulesRecommended:IAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"","AdditionalInformation": ""}],"description": "Ensure the default security group of every VPC restricts all traffic","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"5.5": {"name": "5.5","checks": {"vpc_peering_routing_tables_with_least_privilege": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "5. Networking","References": "https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html","Description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.","DefaultValue": null,"AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.**From Command Line:**1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a __ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired. 
``` aws ec2 describe-route-tables --filter \"Name=vpc-id,Values=\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\" ```","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.","RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.**From Command Line:**1. For each __ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route: ``` aws ec2 delete-route --route-table-id  --destination-cidr-block  ```2. Create a new compliant route: ``` aws ec2 create-route --route-table-id  --destination-cidr-block  --vpc-peering-connection-id  ```","AdditionalInformation": "If an organization has AWS transit gateway implemented in their VPC architecture they should look to apply the recommendation above for \"least access\" routing architecture at the AWS transit gateway level in combination with what must be implemented at the standard VPC route table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs must have an attachment to a transit gateway route table as well as a route, therefore to avoid routing traffic between VPCs an attachment to the transit gateway route table should only be added where there is an intention to route traffic between the VPCs. 
As transit gateways are able to host multiple route tables it is possible to group VPCs by attaching them to a common route table."}],"description": "Ensure routing tables for VPC peering are \"least access\"","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"5.6": {"name": "5.6","checks": {"ec2_instance_imdsv2_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/:https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html","Description": "When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).","DefaultValue": null,"AuditProcedure": "From Console:1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under the Instances menu, select Instances.3. For each Instance, select the instance, then choose Actions > Modify instance metadata options.4. If the Instance metadata service is enabled, verify whether IMDSv2 is set to required. From Command Line:1. Use the describe-instances CLI command2. Ensure for all ec2 instances that the metadata-options.http-tokens setting is set to required.3. 
Repeat for all active regions.```aws ec2 describe-instances --filters \"\"Name=metadata-options.http-tokens\",\"Values=optional\" \"\"Name=metadata-options.state\"\",\"\"Values=applied\"\" --query \"\"Reservations[*].Instances[*].\"\" ``` ","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery (SSRF) attacks, so Amazon recommends utilizing Version 2 for better instance security.","RemediationProcedure": "From Console:1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/ 2. Under the Instances menu, select Instances.3. For each Instance, select the instance, then choose Actions > Modify instance metadata options.4. If the Instance metadata service is enabled, set IMDSv2 to Required. From Command Line:```aws ec2 modify-instance-metadata-options --instance-id  --http-tokens required``` ","AdditionalInformation": ""}],"description": "Ensure that EC2 Metadata Service only allows IMDSv2","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.10": {"name": "1.10","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users","Description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. 
With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:**From Console:**1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left pane, select `Users`3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`. 4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8``` 2. The output of this command will produce a table similar to the following: ```user,password_enabled,mfa_activeelise,false,falsebrandon,true,truerakesh,false,falsehelene,false,falseparas,true,trueanitha,false,false``` 3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`","ImpactStatement": "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. 
We recommend that existing customers switch to one of the following alternative methods of MFA.","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to enable MFA:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' 2. In the left pane, select `Users`. 3. In the `User Name` list, choose the name of the intended MFA user. 4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`. 5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application. When you are finished, the virtual MFA device starts generating one-time passwords.8. 
In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.9. Click `Assign MFA`.","AdditionalInformation": "**Forced IAM User Self-Service Remediation**Amazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts."}],"description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.11": {"name": "1.11","checks": {"iam_user_no_setup_initial_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html","Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. 
AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on a User where column `Password age` and `Access key age` is not set to `None` 5. Click on `Security credentials` Tab 6. Compare the user 'Creation time` to the Access Key `Created` date. 6. For any that match, the key was created during initial user setup.- Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16 ``` 2. The output of this command will produce a table similar to the following: ``` user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_dateelise,false,true,2015-04-16T15:14:00+00:00,false,N/Abrandon,true,true,N/A,false,N/Arakesh,false,false,N/A,false,N/Ahelene,false,true,2015-11-18T17:47:00+00:00,false,N/Aparas,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A``` 3. 
For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.","RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:**From Console:**1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. As an Administrator - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User- Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.**From Command Line:** ``` aws iam delete-access-key --access-key-id  --user-name  ```","AdditionalInformation": "Credential report does not appear to contain \"Key Creation Date\""}],"description": "Do not setup access keys during initial user setup for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.12": {"name": "1.12","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if unused credentials exist:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM` 4. Click on `Users` 5. Click the `Settings` (gear) icon. 6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id` 7. Click on `Close`8. Check and ensure that `Console last sign-in` is less than 45 days ago.**Note** - `Never` means the user has never logged in.9. Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.**From Command Line:****Download Credential Report:**1. Run the following commands: ```aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^' ```**Ensure unused credentials do not exist:**2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.3. 
For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.- When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.","RemediationProcedure": "**From Console:**Perform the following to manage Unused Password (IAM user console access)1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select user whose `Console last sign-in` is greater than 45 days 7. Click `Security credentials` 8. In section `Sign-in credentials`, `Console password` click `Manage`9. Under Console Access select `Disable` 10.Click `Apply`Perform the following to deactivate Access Keys:1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select any access keys that are over 45 days old and that have been used and - Click on `Make Inactive` 7. Select any access keys that are over 45 days old and that have not been used and - Click the X to `Delete`","AdditionalInformation": " is excluded in the audit since the root account should not be used for day to day business and would likely be unused for more than 45 days."}],"description": "Ensure credentials unused for 45 days or greater are disabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.13": {"name": "1.13","checks": {"iam_user_two_active_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. - Repeat steps no. 3 – 5 for each IAM user in your AWS account.**From Command Line:**1. Run `list-users` command to list all IAM users within your account: ``` aws iam list-users --query \"Users[*].UserName\" ``` The command output should return an array that contains all your IAM user names.2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user: ``` aws iam list-access-keys --user-name  ``` The command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.3. Check the `Status` property value for each key returned to determine each keys current state. 
If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.- Repeat steps no. 2 and 3 for each IAM user in your AWS account.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. 6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link. 7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key. 8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.**From Command Line:**1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). 
Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user**Note** - the command does not return any output: ``` aws iam update-access-key --access-key-id  --status Inactive --user-name  ``` 3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User: ``` aws iam list-access-keys --user-name  ``` - The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.","AdditionalInformation": ""}],"description": "Ensure there is only one active access key available for any single IAM user","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.14": {"name": "1.14","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. 
It is recommended that all access keys be regularly rotated.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click `setting` icon 4. Select `Console last sign-in` 5. Click `Close` 6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.**From Command Line:**``` aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d ``` The `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A (not applicable).","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.","RemediationProcedure": "Perform the following to rotate access keys:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click on `Security Credentials`4. As an Administrator - Click on `Make Inactive` for keys that have not been rotated in `90` Days 5. As an IAM User- Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days 6. Click on `Create Access Key`7. Update programmatic call with new Access Key credentials**From Command Line:**1. While the first access key is still active, create a second access key, which is active by default. Run the following command: ``` aws iam create-access-key ```At this point, the user has two active access keys.2. 
Update all applications and tools to use the new access key. 3. Determine whether the first access key is still in use by using this command: ``` aws iam get-access-key-last-used ``` 4. One approach is to wait several days and then check the old access key for any use before proceeding.Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command: ``` aws iam update-access-key ``` 5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command: ``` aws iam delete-access-key ```","AdditionalInformation": ""}],"description": "Ensure access keys are rotated every 90 days or less","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.15": {"name": "1.15","checks": {"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html","Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. 
Only the third implementation is recommended.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:1. Run the following to get a list of IAM users: ```aws iam list-users --query 'Users[*].UserName' --output text``` 2. For each user returned, run the following command to determine if any policies are attached to them: ```aws iam list-attached-user-policies --user-name aws iam list-user-policies --user-name ``` 3. If any policies are returned, the user has an inline policy or direct policy attachment.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.","RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups` and then click `Create New Group` . 3. In the `Group Name` box, type the name of the group and then click `Next Step` . 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` . 5. Click `Create Group` Perform the following to add a user to a given group:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups`3. Select the group to add a user to 4. Click `Add Users To Group`5. Select the users to be added to the group 6. Click `Add Users` Perform the following to remove a direct association between a user and policy:1. 
Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left navigation pane, click on Users 3. For each user:- Select the user- Click on the `Permissions` tab- Expand `Permissions policies` - Click `X` for each policy; then click Detach or Remove (depending on policy type)","AdditionalInformation": ""}],"description": "Ensure IAM Users Receive Permissions Only Through Groups","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.16": {"name": "1.16","checks": {"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam","Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges.","DefaultValue": null,"AuditProcedure": "Perform the following to determine what policies are created:**From Command Line:**1. Run the following to get a list of IAM policies: ```aws iam list-policies --only-attached --output text ``` 2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account: ```aws iam get-policy-version --policy-arn  --version-id  ``` 3. 
In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.","RemediationProcedure": "**From Console:**Perform the following to detach the policy that has full administrative privileges:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click Policies and then search for the policy name found in the audit step. 3. Select the policy that needs to be deleted. 4. In the policy action menu, select first `Detach`5. Select all Users, Groups, Roles that have this policy attached 6. Click `Detach Policy`7. In the policy action menu, select `Detach` **From Command Line:**Perform the following to detach the policy that has full administrative privileges as found in the audit step:1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.```aws iam list-entities-for-policy --policy-arn  ``` 2. Detach the policy from all IAM Users: ```aws iam detach-user-policy --user-name  --policy-arn  ``` 3. Detach the policy from all IAM Groups: ```aws iam detach-group-policy --group-name  --policy-arn  ``` 4. 
Detach the policy from all IAM Roles: ```aws iam detach-role-policy --role-name  --policy-arn  ```","AdditionalInformation": ""}],"description": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.17": {"name": "1.17","checks": {"iam_support_role_created": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html","Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.","DefaultValue": null,"AuditProcedure": "**From Command Line:**1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value: ``` aws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\" ``` 2. Check if the 'AWSSupportAccess' policy is attached to any role:``` aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess ```3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'If it returns empty refer to the remediation below.","ImpactStatement": "All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. 
Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month's AWS usage charges, subject to a monthly minimum, billed in advance.","AssessmentStatus": "Automated","RationaleStatement": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.","RemediationProcedure": "**From Command Line:**1. Create an IAM role for managing incidents with AWS:- Create a trust relationship policy document that allows  to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json: ```{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"\"},\"Action\": \"sts:AssumeRole\"}]} ``` 2. Create the IAM role using the above trust policy: ``` aws iam create-role --role-name  --assume-role-policy-document file:///tmp/TrustPolicy.json ``` 3. Attach 'AWSSupportAccess' managed policy to the created IAM role: ``` aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name  ```","AdditionalInformation": "AWSSupportAccess policy is a global AWS resource. It has same ARN as `arn:aws:iam::aws:policy/AWSSupportAccess` for every account."}],"description": "Ensure a support role has been created to manage incidents with AWS Support","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.18": {"name": "1.18","checks": {"ec2_instance_profile_attached": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html","Description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.","DefaultValue": null,"AuditProcedure": "Where an instance is associated with a Role:For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose \"Instances\" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.Where an Instance Contains Embedded Credentials:- On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.Where an Instance Application Contains Embedded Credentials:- Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. 
Another method is to examine all source code and configuration files of the application.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.","RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known. 2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected. 3. Shutdown both the existing instance and the new instance. 4. Detach disks from both instances. 5. Attach the existing instance disks to the new instance. 6. 
Boot the new instance and you should have the same machine, but with the associated role.**Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.**Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.","AdditionalInformation": ""}],"description": "Ensure IAM instance roles are used for AWS resource access from instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.19": {"name": "1.19","checks": {"iam_no_expired_server_certificates_stored": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html","Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. 
Additionally, you cannot manage your certificates from the IAM Console.","DefaultValue": null,"AuditProcedure": "**From Console:**Getting the certificates expiration information via AWS Management Console is not currently supported.To request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**Run list-server-certificates command to list all the IAM-stored server certificates:``` aws iam list-server-certificates ```The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):``` {\"ServerCertificateMetadataList\": [{\"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",\"ServerCertificateName\": \"MyServerCertificate\",\"Expiration\": \"2018-07-10T23:59:59Z\",\"Path\": \"/\",\"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",\"UploadDate\": \"2018-06-10T11:56:08Z\"}] } ```Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.If this command returns: ``` { { \"ServerCertificateMetadataList\": [] } ``` This means that there are no expired certificates, It DOES NOT mean that no certificates exist.","ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. 
One has to make configurations at respective services to ensure there is no interruption in application functionality.","AssessmentStatus": "Automated","RationaleStatement": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.","RemediationProcedure": "**From Console:**Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**To delete Expired Certificate run following command by replacing  with the name of the certificate to delete:``` aws iam delete-server-certificate --server-certificate-name  ```When the preceding command is successful, it does not return any output.","AdditionalInformation": ""}],"description": "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.20": {"name": "1.20","checks": {"accessanalyzer_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html","Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. 
Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Open the IAM console at `https://console.aws.amazon.com/iam/` 2. Choose `Access analyzer` 3. Click 'Analyzers' 4. Ensure that at least one analyzer is present 5. Ensure that the `STATUS` is set to `Active` 6. Repeat these step for each active region**From Command Line:**1. Run the following command: ``` aws accessanalyzer list-analyzers | grep status ``` 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`3. Repeat the steps above for each active region.If an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.","RemediationProcedure": "**From Console:**Perform the following to enable IAM Access analyzer for IAM policies:1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 2. Choose `Access analyzer`. 3. Choose `Create analyzer`. 4. 
On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer. 5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`. 6. Add any tags that you want to apply to the analyzer. `Optional`.7. Choose `Create Analyzer`. 8. Repeat these step for each active region**From Command Line:**Run the following command: ``` aws accessanalyzer create-analyzer --analyzer-name  --type  ``` Repeat this command above for each active region.**Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.","AdditionalInformation": ""}],"description": "Ensure that IAM Access analyzer is enabled for all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.21": {"name": "1.21","checks": {"iam_check_saml_providers_sts": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "","Description": "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.","DefaultValue": null,"AuditProcedure": "For multi-account AWS environments with an external identity provider... 1. Determine the master account for identity federation or IAM user management 2. Login to that account through the AWS Management Console 3. Click `Services`4. Click `IAM`5. Click `Identity providers` 6. Verify the configurationThen..., determine all accounts that should not have local users present. For each account...1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. 
Confirm that no IAM users representing individuals are presentFor multi-account AWS environments implementing AWS Organizations without an external identity provider... 1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. Confirm that no IAM users representing individuals are present","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.","RemediationProcedure": "The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.","AdditionalInformation": ""}],"description": "Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.22": {"name": "1.22","checks": {},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html","Description": "AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. 
So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers.","DefaultValue": null,"AuditProcedure": "**From Console** 1. Open the IAM console at https://console.aws.amazon.com/iam/2. In the left pane, select Policies3. Search for and select AWSCloudShellFullAccess4. On the Entities attached tab, ensure that there are no entities using this policy **From Command Line**1. List IAM policies, filter for the 'AWSCloudShellFullAccess' managed policy, and note the \"\"Arn\"\" element value:```aws iam list-policies --query \"\"Policies[?PolicyName == 'AWSCloudShellFullAccess']\"\"``` 2. Check if the 'AWSCloudShellFullAccess' policy is attached to any role: ```aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess```3. In Output, Ensure PolicyRoles returns empty. 'Example: Example: PolicyRoles: [ ]'If it does not return empty refer to the remediation below.Note: Keep in mind that other policies may grant access.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Access to this policy should be restricted as it presents a potential channel for data exfiltration by malicious cloud admins that are given full permissions to the service. AWS documentation describes how to create a more restrictive IAM policy which denies file transfer permissions.","RemediationProcedure": "**From Console**1. Open the IAM console at https://console.aws.amazon.com/iam/2. In the left pane, select Policies 3. Search for and select AWSCloudShellFullAccess4. On the Entities attached tab, for each item, check the box and select Detach","AdditionalInformation": ""}],"description": "Ensure access to AWSCloudShellFullAccess is restricted","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.10": {"name": "3.10","checks": {"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/` 2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine. 3. Review `General details` 4. Confirm that `Multi-region trail` is set to `Yes` 5. Scroll down to `Data events` 6. Confirm that it reads: Data events: S3 Bucket Name: All current and future S3 buckets Read: Enabled Write: Enabled 7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail. If the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.**From Command Line:**1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions: ``` aws cloudtrail list-trails ``` 2. The command output will be a list of all the trail names to include. \"TrailARN\": \"arn:aws:cloudtrail:::trail/\", \"Name\": \"\", \"HomeRegion\": \"\" 3. Next run 'get-trail- command to determine Multi-region. ``` aws cloudtrail get-trail --name  --region  ``` 4. The command output should include: \"IsMultiRegionTrail\": true, 5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 6. 
The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. \"Type\": \"AWS::S3::Object\",\"Values\": [\"arn:aws:s3\" 7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered. If Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled. 6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.**From Command Line:**1. 
To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of write events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for write events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.11": {"name": "3.11","checks": {"cloudtrail_s3_dataevents_read_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. 
If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set. 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.**From Command Line:** 1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: ``` aws cloudtrail describe-trails --region  --output table --query trailList[*].Name ``` 2. The command output will be table of the requested trail names. 3. Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. 5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. 7. 
Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled. 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.**From Command Line:** 1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. 
Repeat step 1 for each s3 bucket to update `object-level` logging of read events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for read events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.10": {"name": "4.10","checks": {"cloudwatch_log_metric_filter_security_group_changes": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '']\" ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"\" --filter-name \"\" --metric-transformations metricName= \"\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name \"\" ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn \"\" --protocol  --notification-endpoint \"\" ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"\" --metric-name \"\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"\" ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for security group changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.11": {"name": "4.11","checks": {"cloudwatch_changes_to_network_acls_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.12": {"name": "4.12","checks": {"cloudwatch_changes_to_network_gateways_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to network gateways","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.13": {"name": "4.13","checks": {"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for route table changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for route table changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.14": {"name": "4.14","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for VPC changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.15": {"name": "4.15","checks": {"cloudwatch_log_metric_filter_aws_organizations_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.","DefaultValue": null,"AuditProcedure": "1. 
Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured: - Identify the log group name configured for use with active multi-region CloudTrail: - List all CloudTrails:``` aws cloudtrail describe-trails ``` - Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true - From value associated with CloudWatchLogsLogGroupArn note **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active: ``` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events: ``` aws cloudtrail get-event-selectors --trail-name  ``` - Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.2. Get a list of all associated metric filters for this : ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\" ``` 4. 
Note the `` value associated with the filterPattern found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4: ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the AlarmActions value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic: ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. Example of valid \"SubscriptionArn\":``` \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `` taken from audit step 1: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }' ``` **Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify: ``` aws sns create-topic --name  ``` **Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2: ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2: ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": ""}],"description": "Ensure a log metric filter and alarm exists for AWS Organizations changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.16": {"name": "4.16","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-get-started.html:https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-api:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/enable-security-hub.html","Description": "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.","DefaultValue": null,"AuditProcedure": "The process to evaluate AWS Security Hub configuration per region **From Console:**1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. 2. On the top right of the console, select the target Region. 3. If presented with the Security Hub > Summary page then Security Hub is set-up for the selected region. 4. 
If presented with Setup Security Hub or Get Started With Security Hub - follow the online instructions. 5. Repeat steps 2 to 4 for each region.","ImpactStatement": "It is recommended AWS Security Hub be enabled in all regions. AWS Security Hub requires AWS Config to be enabled.","AssessmentStatus": "Automated","RationaleStatement": "AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices - enabling you to quickly assess the security posture across your AWS accounts.","RemediationProcedure": "To grant the permissions required to enable Security Hub, attach the Security Hub managed policy AWSSecurityHubFullAccess to an IAM user, group, or role.Enabling Security Hub**From Console:**1. Use the credentials of the IAM identity to sign in to the Security Hub console. 2. When you open the Security Hub console for the first time, choose Enable AWS Security Hub. 3. On the welcome page, Security standards list the security standards that Security Hub supports. 4. Choose Enable Security Hub.**From Command Line:**1. Run the enable-security-hub command. To enable the default standards, include `--enable-default-standards`. ``` aws securityhub enable-security-hub --enable-default-standards ```2. To enable the security hub without the default standards, include `--no-enable-default-standards`. ``` aws securityhub enable-security-hub --no-enable-default-standards ```","AdditionalInformation": ""}],"description": "Ensure AWS Security Hub is enabled","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.1": {"name": "2.1.1","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "2.1. 
Simple Storage Service (S3)","References": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html","Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.","DefaultValue": null,"AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions', then Click on `Bucket Policy`. 4. Ensure that a policy is listed that matches: ``` '{\"Sid\": ,\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}' ``` `` and `` will be specific to your account5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets``` aws s3 ls ``` 2. Using the list of buckets run this command on each of them: ``` aws s3api get-bucket-policy --bucket  | grep aws:SecureTransport ``` 3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false` 4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. 
To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions'. 4. Click 'Bucket Policy' 5. Add this to the existing policy filling in the required information ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 6. Save 7. Repeat for all the buckets in your AWS account that contain sensitive data.**From Console** using AWS Policy Generator:1. Repeat steps 1-4 above. 2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor 3. Select Policy Type `S3 Bucket Policy` 4. Add Statements - `Effect` = Deny - `Principal` = * - `AWS Service` = Amazon S3 - `Actions` = * - `Amazon Resource Name` =  5. Generate Policy 6. Copy the text and add it to the Bucket Policy.**From Command Line:**1. Export the bucket policy to a json file. ``` aws s3api get-bucket-policy --bucket  --query Policy --output text > policy.json ```2. Modify the policy.json file by adding in this statement: ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 3. 
Apply this modified policy back to the S3 bucket: ``` aws s3api put-bucket-policy --bucket  --policy file://policy.json ```","AdditionalInformation": ""}],"description": "Ensure S3 Bucket Policy is set to deny HTTP requests","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.2": {"name": "2.1.2","checks": {"s3_bucket_no_mfa_delete": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html","Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","DefaultValue": null,"AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket**From Console:**1. Login to the S3 console at `https://console.aws.amazon.com/s3/`2. Click the `Check` box next to the Bucket name you want to confirm3. In the window under `Properties`4. Confirm that Versioning is `Enabled`5. Confirm that MFA Delete is `Enabled`**From Command Line:**1. 
Run the `get-bucket-versioning` ``` aws s3api get-bucket-versioning --bucket my-bucket ```Output example: ```  EnabledEnabled ```If the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.","RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.Note: -You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API. -You must use your 'root' account to enable MFA Delete on S3 buckets.**From Command line:**1. Run the s3api put-bucket-versioning command``` aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” ```","AdditionalInformation": ""}],"description": "Ensure MFA Delete is enabled on S3 buckets","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.3": {"name": "2.1.3","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. Simple Storage Service (S3)","References": "https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html","Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. 
Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.","DefaultValue": null,"AuditProcedure": "Perform the following steps to determine if Macie is running:**From Console:** 1. Login to the Macie console at https://console.aws.amazon.com/macie/ 2. In the left hand pane click on By job under findings. 3. Confirm that you have a Job setup for your S3 BucketsWhen you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.","ImpactStatement": "There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.","AssessmentStatus": "Manual","RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.","RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie**From Console:**1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`2. Click `Get started`.3. Click `Enable Macie`.Setup a repository for sensitive data discovery results1. In the Left pane, under Settings, click `Discovery results`.2. Make sure `Create bucket` is selected.3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.4. Click on `Advanced`.5. Block all public access, make sure `Yes` is selected.6. 
KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.7. Click on `Save`Create a job to discover sensitive data1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.2. Select the `check box` for each bucket that you want Macie to analyze as part of the job3. Click `Create job`.3. Click `Quick create`.4. For the Name and description step, enter a name and, optionally, a description of the job.5. Then click `Next`.6. For the Review and create step, click `Submit`.Review your findings1. In the left pane, click `Findings`.2. To view the details of a specific finding, choose any field other than the check box for the finding.If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.","AdditionalInformation": ""}],"description": "Ensure all data in Amazon S3 has been discovered, classified and secured when required.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.4": {"name": "2.1.4","checks": {"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html","Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. 
While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.","DefaultValue": null,"AuditProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Ensure that block public access settings are set appropriately for this bucket 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Find the public access setting on that bucket ``` aws s3api get-public-access-block --bucket  ``` Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"BlockPublicAcls\": true,\"IgnorePublicAcls\": true,\"BlockPublicPolicy\": true,\"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.**If utilizing Block Public Access (account settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block public access (account settings)` 3. 
Ensure that block public access settings are set appropriately for your AWS account.**From Command Line:**To check Public access settings for this account status, run the following command, `aws s3control get-public-access-block --account-id  --region `Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"IgnorePublicAcls\": true, \"BlockPublicPolicy\": true, \"BlockPublicAcls\": true, \"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.","ImpactStatement": "When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.","AssessmentStatus": "Automated","RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s). Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.","RemediationProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Click 'Block all public access' 5. Repeat for all the buckets in your AWS account that contain sensitive data.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. 
Set the Block Public Access to true on that bucket ``` aws s3api put-public-access-block --bucket  --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\" ```**If utilizing Block Public Access (account settings)****From Console:**If the output reads `true` for the separate configuration settings then it is set on the account.1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block Public Access (account settings)` 3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account 4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons. 5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.**From Command Line:**To set Block Public access settings for this account, run the following command: ``` aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id  ```","AdditionalInformation": ""}],"description": "Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.2.1": {"name": "2.2.1","checks": {"ec2_ebs_volume_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.2. Elastic Compute Cloud (EC2)","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html:https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/","Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 get-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Review every region in-use.**Note:** EBS volume encryption is configured per region.","ImpactStatement": "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption` 6. Repeat for every region requiring the change.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 enable-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Repeat every region requiring the change.**Note:** EBS volume encryption is configured per region.","AdditionalInformation": "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are **not** converted automatically."}],"description": "Ensure EBS Volume Encryption is Enabled in all Regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.1": {"name": "2.3.1","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html:https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/#:~:text=With%20RDS%2Dencrypted%20resources%2C%20data,transparent%20to%20your%20database%20engine.:https://aws.amazon.com/rds/features/security/","Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/ 2. In the navigation pane, under RDS dashboard, click `Databases`. 3. Select the RDS Instance that you want to examine 4. Click `Instance Name` to see details, then click on `Configuration` tab. 5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status. 6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance. 7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region. 8. Change region from the top of the navigation bar and repeat audit for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. 
Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ``` 3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance. 4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases` 3. Select the Database instance that needs to be encrypted. 4. Click on `Actions` button placed at the top right and select `Take Snapshot`. 5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`. 6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu. 7. On the Make Copy of DB Snapshot page, perform the following:- In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`. - Check `Copy Tags`, New snapshot must have the same tags as the source snapshot. 
- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot. 9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance. 10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field. 11. Review the instance configuration details and click `Restore DB Instance`. 12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name. ``` aws rds create-db-snapshot --region  --db-snapshot-identifier  --db-instance-identifier  ``` 3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key. ``` aws kms list-aliases --region  ``` 4. 
Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`. ``` aws rds copy-db-snapshot --region  --source-db-snapshot-identifier  --target-db-snapshot-identifier  --copy-tags --kms-key-id  ``` 5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration. ``` aws rds restore-db-instance-from-db-snapshot --region  --db-instance-identifier  --db-snapshot-identifier  ``` 6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ```","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for RDS Instances","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.3.2": {"name": "2.3.2","checks": {"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to examine. 4. Click on the `Maintenance and backups` panel. 5. Under the `Maintenance` section, search for the Auto Minor Version Upgrade status. - If the current status is set to `Disabled`, means the feature is not set and the minor engine upgrades released will not be applied to the selected RDS instance**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run again `describe-db-instances` command using the RDS instance identifier returned earlier to determine the Auto Minor Version Upgrade status for the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 4. The command output should return the feature current status. 
If the current status is set to `true`, the feature is enabled and the minor engine upgrades will be applied to the selected RDS instance.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS RDS will occasionally deprecate minor engine versions and provide new ones for an upgrade. When the last version number within the release is replaced, the version changed is considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades will occur automatically during the specified maintenance window so your RDS instances can get the new features, bug fixes, and security patches for their database engines.","RemediationProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to update. 4. Click on the `Modify` button placed on the top right side. 5. On the `Modify DB Instance: ` page, In the `Maintenance` section, select `Auto minor version upgrade` click on the `Yes` radio button. 6. At the bottom of the page click on `Continue`, check to Apply Immediately to apply the changes immediately, or select `Apply during the next scheduled maintenance window` to avoid any downtime. 7. Review the changes and click on `Modify DB Instance`. The instance status should change from available to modifying and back to available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should change to `Yes`.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database instance names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. 
Run the `modify-db-instance` command to modify the selected RDS instance configuration this command will apply the changes immediately, Remove `--apply-immediately` to apply changes during the next scheduled maintenance window and avoid any downtime: ``` aws rds modify-db-instance --region  --db-instance-identifier  --auto-minor-version-upgrade --apply-immediately ``` 4. The command output should reveal the new configuration metadata for the RDS instance and check `AutoMinorVersionUpgrade` parameter value. 5. Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has been successfully enable: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 6. The command output should return the feature current status set to `true`, the feature is `enabled` and the minor engine upgrades will be applied to the selected RDS instance.","AdditionalInformation": ""}],"description": "Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.3": {"name": "2.3.3","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to examine. 4. Click `Instance Name` from the dashboard, Under `Connectivity and Security. 5. On the `Security`, check if the Publicly Accessible flag status is set to `Yes`, follow the below-mentioned steps to check database subnet access. - In the `networking` section, click the subnet link available under `Subnets` - The link will redirect you to the VPC Subnets page. - Select the subnet listed on the page and click the `Route Table` tab from the dashboard bottom panel. If the route table contains any entries with the destination `CIDR block set to 0.0.0.0/0` and with an `Internet Gateway` attached. - The selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and can be accessible from the Internet. 6. Repeat steps no. 4 and 5 to determine the type (public or private) and subnet for other RDS database instances provisioned in the current region. 8. Change the AWS region from the navigation bar and repeat the audit process for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance `identifier`. 3. Run again `describe-db-instances` command using the `PubliclyAccessible` parameter as query filter to reveal the database instance Publicly Accessible flag status: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].PubliclyAccessible' ``` 4. Check for the Publicly Accessible parameter status, If the Publicly Accessible flag is set to `Yes`. 
Then selected RDS database instance is publicly accessible and insecure, follow the below-mentioned steps to check database subnet access 5. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC subnet(s) associated with the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.Subnets[]' ``` - The command output should list the subnets available in the selected database subnet group. 6. Run `describe-route-tables` command using the ID of the subnet returned at the previous step to describe the routes of the VPC route table associated with the selected subnet: ``` aws ec2 describe-route-tables --region  --filters \"Name=association.subnet-id,Values=\" --query 'RouteTables[*].Routes[]' ``` - If the command returns the route table associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet. - Or - If the command returns empty results, the route table is implicitly associated with subnet, therefore the audit process continues with the next step 7. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC ID associated with the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.VpcId' ``` - The command output should show the VPC ID in the selected database subnet group 8. 
Now run `describe-route-tables` command using the ID of the VPC returned at the previous step to describe the routes of the VPC main route table implicitly associated with the selected subnet: ``` aws ec2 describe-route-tables --region  --filters \"Name=vpc-id,Values=\" \"Name=association.main,Values=true\" --query 'RouteTables[*].Routes[]' ``` - The command output returns the VPC main route table implicitly associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and does not adhere to AWS security best practices.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.","RemediationProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to update. 4. Click `Modify` from the dashboard top menu. 5. On the Modify DB Instance panel, under the `Connectivity` section, click on `Additional connectivity configuration` and update the value for `Publicly Accessible` to Not publicly accessible to restrict public access. 
Follow the below steps to update subnet configurations: - Select the `Connectivity and security` tab, and click on the VPC attribute value inside the `Networking` section. - Select the `Details` tab from the VPC dashboard bottom panel and click on Route table configuration attribute value. - On the Route table details page, select the Routes tab from the dashboard bottom panel and click on `Edit routes`. - On the Edit routes page, update the Destination of Target which is set to `igw-xxxxx` and click on `Save` routes. 6. On the Modify DB Instance panel Click on `Continue` and In the Scheduling of modifications section, perform one of the following actions based on your requirements: - Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window. - Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application. 7. Repeat steps 3 to 6 for each RDS instance available in the current region. 8. Change the AWS region from the navigation bar to repeat the process for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names identifiers, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run `modify-db-instance` command to modify the selected RDS instance configuration. Then use the following command to disable the `Publicly Accessible` flag for the selected RDS instances. This command use the apply-immediately flag. 
If you want `to avoid any downtime --no-apply-immediately flag can be used`: ``` aws rds modify-db-instance --region  --db-instance-identifier  --no-publicly-accessible --apply-immediately ``` 4. The command output should reveal the `PubliclyAccessible` configuration under pending values and should get applied at the specified time. 5. Updating the Internet Gateway Destination via AWS CLI is not currently supported To update information about Internet Gateway use the AWS Console Procedure. 6. Repeat steps 1 to 5 for each RDS instance provisioned in the current region. 7. Change the AWS region by using the --region filter to repeat the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that public access is not given to RDS Instance","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.4.1": {"name": "2.4.1","checks": {"efs_encryption_at_rest_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.4 Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/efs/index.html#efs","Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).","DefaultValue": null,"AuditProcedure": "**From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS) dashboard. 2. Select `File Systems` from the left navigation panel. 3. Each item on the list has a visible Encrypted field that displays data at rest encryption status. 4. Validate that this field reads `Encrypted` for all EFS file systems in all AWS regions.**From CLI:** 1. Run describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region: ``` aws efs describe-file-systems --region  --output table --query 'FileSystems[*].FileSystemId' ``` 2. 
The command output should return a table with the requested file system IDs. 3. Run describe-file-systems command using the ID of the file system that you want to examine as identifier and the necessary query filters: ``` aws efs describe-file-systems --region  --file-system-id  --query 'FileSystems[*].Encrypted' ``` 4. The command output should return the file system encryption status true or false. If the returned value is `false`, the selected AWS EFS file system is not encrypted and if the returned value is `true`, the selected AWS EFS file system is encrypted.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.","RemediationProcedure": "**It is important to note that EFS file system data at rest encryption must be turned on when creating the file system.**If an EFS file system has been created without data at rest encryption enabled then you must create another EFS file system with the correct configuration and transfer the data.**Steps to create an EFS file system with data encrypted at rest:****From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS)` dashboard. 2. Select `File Systems` from the left navigation panel. 3. Click `Create File System` button from the dashboard top menu to start the file system setup process. 4. On the `Configure file system access` configuration page, perform the following actions. - Choose the right VPC from the VPC dropdown list. - Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets. - Click `Next step` to continue.5. Perform the following on the `Configure optional settings` page. - Create `tags` to describe your new file system. - Choose `performance mode` based on your requirements. 
- Check `Enable encryption` checkbox and choose `aws/elasticfilesystem` from Select KMS master key dropdown list to enable encryption for the new file system using the default master key provided and managed by AWS KMS. - Click `Next step` to continue.6. Review the file system configuration details on the `review and create` page and then click `Create File System` to create your new AWS EFS file system. 7. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 8. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. 9. Change the AWS region from the navigation bar and repeat the entire process for other aws regions.**From CLI:** 1. Run describe-file-systems command to describe the configuration information available for the selected (unencrypted) file system (see Audit section to identify the right resource): ``` aws efs describe-file-systems --region  --file-system-id  ``` 2. The command output should return the requested configuration information. 3. To provision a new AWS EFS file system, you need to generate a universally unique identifier (UUID) in order to create the token required by the create-file-system command. To create the required token, you can use a randomly generated UUID from \"https://www.uuidgenerator.net\". 4. Run create-file-system command using the unique token created at the previous step. ``` aws efs create-file-system --region  --creation-token  --performance-mode generalPurpose --encrypted ``` 5. The command output should return the new file system configuration metadata. 6. Run create-mount-target command using the newly created EFS file system ID returned at the previous step as identifier and the ID of the Availability Zone (AZ) that will represent the mount target: ``` aws efs create-mount-target --region  --file-system-id  --subnet-id  ``` 7. The command output should return the new mount target metadata. 8. 
Now you can mount your file system from an EC2 instance. 9. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 10. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. ``` aws efs delete-file-system --region  --file-system-id  ``` 11. Change the AWS region by updating the --region and repeat the entire process for other aws regions.","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for EFS file systems","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 52,"requirements_failed": 11,"requirements_manual": 1,"total_requirements": 64,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "7aee25d8-9e9a-44e1-8e01-336bfd9d9582","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_well_architected_framework_reliability_pillar_aws","framework": "AWS-Well-Architected-Framework-Reliability-Pillar","version": "","description": "Best Practices for the AWS Well-Architected Framework Reliability Pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. 
This includes the ability to operate and test the workload through its total lifecycle.","region": "eu-west-1","requirements": {"REL06-BP01": {"name": "REL06-BP01","checks": {"elb_logging_enabled": "FAIL","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","apigatewayv2_api_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_audit_logging_enabled": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled": "PASS"},"status": "FAIL","attributes": [{"Name": "REL06-BP01 Monitor all components for the workload (Generation)","Section": "Change management","SubSection": "Monitor workload resources","Description": "Monitor components and services of AWS workload effectifely, using tools like Amazon CloudWatch and AWS Health Dashboard. Define relevant metrics, set thresholds, and analyze metrics and logs for early detection of issues.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/rel_monitor_aws_resources_monitor_resources.html#implementation-guidance","WellArchitectedPracticeId": "rel_monitor_aws_resources_monitor_resources","WellArchitectedQuestionId": "monitor-aws-resources"}],"description": "Monitor components and services of AWS workload effectifely, using tools like Amazon CloudWatch and AWS Health Dashboard. 
Define relevant metrics, set thresholds, and analyze metrics and logs for early detection of issues.","checks_status": {"fail": 5,"pass": 2,"total": 9,"manual": 0}},"REL09-BP03": {"name": "REL09-BP03","checks": {"rds_instance_backup_enabled": "PASS","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","cloudformation_stacks_termination_protection_enabled": "FAIL"},"status": "FAIL","attributes": [{"Name": "REL09-BP03 Perform data backup automatically","Section": "Failure management","SubSection": "Backup up data","Description": "Configure backups to be taken automatically based on a periodic schedule informed by the Recovery Point Objective (RPO), or by changes in the dataset. Critical datasets with low data loss requirements need to be backed up automatically on a frequent basis, whereas less critical data where some loss is acceptable can be backed up less frequently.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/rel_backing_up_data_automated_backups_data.html#implementation-guidance","WellArchitectedPracticeId": "rel_backing_up_data_automated_backups_data","WellArchitectedQuestionId": "backing-up-data"}],"description": "Configure backups to be taken automatically based on a periodic schedule informed by the Recovery Point Objective (RPO), or by changes in the dataset. 
Critical datasets with low data loss requirements need to be backed up automatically on a frequent basis, whereas less critical data where some loss is acceptable can be backed up less frequently.","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"REL10-BP01": {"name": "REL10-BP01","checks": {"rds_instance_multi_az": "FAIL"},"status": "FAIL","attributes": [{"Name": "REL10-BP01 Deploy the workload to multiple locations","Section": "Failure management","SubSection": "Use fault isolation to protect your workload","Description": "Distribute workload data and resources across multiple Availability Zones or, where necessary, across AWS Regions. These locations can be as diverse as required.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/use-fault-isolation-to-protect-your-workload.html#implementation-guidance.","WellArchitectedPracticeId": "rel_fault_isolation_multiaz_region_system","WellArchitectedQuestionId": "fault-isolation"}],"description": "Distribute workload data and resources across multiple Availability Zones or, where necessary, across AWS Regions. These locations can be as diverse as required.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 0,"requirements_failed": 3,"requirements_manual": 0,"total_requirements": 3,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "85c783d4-a01a-4297-b490-216e38ee144e","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "iso27001_2013_aws","framework": "ISO27001","version": "2013","description": "ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. 
National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.","region": "eu-west-1","requirements": {"A.9.2": {"name": "User Access Management","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Category": "A.9 Access Control","Objetive_ID": "A.9.2","Check_Summary": "Ensure no root account access key exists","Objetive_Name": "User Access Management"}],"description": "Ensure no root account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"A.9.3": {"name": "User Responsibilities","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Category": "A.9 Access Control","Objetive_ID": "A.9.3","Check_Summary": "Ensure credentials unused for 90 days or greater are disabled","Objetive_Name": "User Responsibilities"}],"description": "Ensure credentials unused for 90 days or greater are disabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"A.9.4": {"name": "System and Application Access Control","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Category": "A.9 Access Control","Objetive_ID": "A.9.4","Check_Summary": "Ensure no root account access key exists","Objetive_Name": "System and Application Access Control"}],"description": "Ensure no root account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"A.10.1": {"name": "Cryptographic Controls","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Category": "A.10 Cryptography","Objetive_ID": 
"A.10.1","Check_Summary": "Detect Customer Master Keys (CMKs) scheduled for deletion","Objetive_Name": "Cryptographic Controls"}],"description": "Detect Customer Master Keys (CMKs) scheduled for deletion","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"A.12.4": {"name": "Logging and Monitoring","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Category": "A.12 Operations Security","Objetive_ID": "A.12.4","Check_Summary": "Ensure CloudTrail is enabled in all regions","Objetive_Name": "Logging and Monitoring"}],"description": "Ensure CloudTrail is enabled in all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"A.12.6": {"name": "Technical Vulnerability Management","checks": {"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Category": "A.12 Operations Security","Objetive_ID": "A.12.6","Check_Summary": "Ensure the S3 bucket CloudTrail logs to is not publicly accessible","Objetive_Name": "Technical Vulnerability Management"}],"description": "Ensure the S3 bucket CloudTrail logs to is not publicly accessible","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"A.13.1": {"name": "Network Security Management","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Category": "A.13 Communications Security","Objetive_ID": "A.13.1","Check_Summary": "Ensure RDS instances are not accessible to the world.","Objetive_Name": "Network Security Management"}],"description": "Ensure RDS instances are not accessible to the world.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}}},"requirements_passed": 79,"requirements_failed": 0,"requirements_manual": 0,"total_requirements": 79,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "86401f28-9311-42b9-ac06-a3cdcc9e5e39","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": 
"2024-11-15T13:14:10.043Z","compliance_id": "soc2_aws","framework": "SOC2","version": "","description": "System and Organization Controls (SOC), defined by the American Institute of Certified Public Accountants (AICPA), is the name of a set of reports that's produced during an audit. It's intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories known as Trust Service Principles.","region": "eu-west-1","requirements": {"p_1_1": {"name": "P1.1 The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_1_1","Section": "P1.0 - Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy. Communicates to Data Subjects - Notice is provided to data subjects regarding the following: Purpose for collecting personal informationChoice and consentTypes of personal information collectedMethods of collection (for example, use of cookies or other tracking techniques)Use, retention, and disposalAccessDisclosure to third partiesSecurity for privacyQuality, including data subjects’ responsibilities for qualityMonitoring and enforcementIf personal information is collected from sources other than the individual, such sources are described in the privacy notice. 
Provides Notice to Data Subjects - Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified. Covers Entities and Activities in Notice - An objective description of the entities and activities covered is included in the entity’s privacy notice. Uses Clear and Conspicuous Language - The entity’s privacy notice is conspicuous and uses clear language.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_2_1": {"name": "P2.1 The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_2_1","Section": "P2.0 - Privacy Criteria Related to Choice and Consent","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented. 
Communicates to Data Subjects - Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise. Communicates Consequences of Denying or Withdrawing Consent - When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice. Obtains Implicit or Explicit Consent - Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. The individual’s preferences expressed in his or her consent are confirmed and implemented. Documents and Obtains Consent for New Purposes and Uses - If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose. 
Obtains Explicit Consent for Sensitive Information - Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_3_1": {"name": "P3.1 Personal information is collected consistent with the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_3_1","Section": "P3.0 - Privacy Criteria Related to Collection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Limits the Collection of Personal Information - The collection of personal information is limited to that necessary to meet the entity’s objectives. Collects Information by Fair and Lawful Means - Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information. Collects Information From Reliable Sources - Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully. 
Informs Data Subjects When Additional Information Is Acquired - Data subjects are informed if the entity develops or acquires additional information about them for its use.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_3_2": {"name": "P3.2 For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_3_2","Section": "P3.0 - Privacy Criteria Related to Collection","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Obtains Explicit Consent for Sensitive Information - Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise. 
Documents Explicit Consent to Retain Information - Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_4_1": {"name": "P4.1 The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_4_1","Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Uses Personal Information for Intended Purposes - Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained unless a law or regulation specifically requires otherwise.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_4_2": {"name": "P4.2 The entity retains personal information consistent with the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_4_2","Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Retains Personal Information - Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise. 
Protects Personal Information - Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_4_3": {"name": "P4.3 The entity securely disposes of personal information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_4_3","Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Captures, Identifies, and Flags Requests for Deletion - Requests for deletion of personal information are captured, and information related to the requests is identified and flagged for destruction to meet the entity’s objectives related to privacy. Disposes of, Destroys, and Redacts Personal Information - Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access. 
Destroys Personal Information - Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_5_1": {"name": "P5.1 The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_5_1","Section": "P5.0 - Privacy Criteria Related to Access","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy. Authenticates Data Subjects’ Identity - The identity of data subjects who request access to their personal information is authenticated before they are given access to that information. Permits Data Subjects Access to Their Personal Information - Data subjects are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information. Provides Understandable Personal Information Within Reasonable Time - Personal information is provided to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost, if any. 
Informs Data Subjects If Access Is Denied - When data subjects are denied access to their personal information, the entity informs them of the denial and the reason for the denial in a timely manner, unless prohibited by law or regulation.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_5_2": {"name": "P5.2 The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_5_2","Section": "P5.0 - Privacy Criteria Related to Access","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy. Communicates Denial of Access Requests - Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation. Permits Data Subjects to Update or Correct Personal Information - Data subjects are able to update or correct personal information held by the entity. The entity provides such updated or corrected information to third parties that were previously provided with the data subject’s personal information consistent with the entity’s objective related to privacy. 
Communicates Denial of Correction Requests - Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_1": {"name": "P6.1 The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_1","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Communicates Privacy Policies to Third Parties - Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed. Discloses Personal Information Only When Appropriate - Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise. Discloses Personal Information Only to Appropriate Third Parties - Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. 
The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_2": {"name": "P6.2 The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_2","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Creates and Retains Record of Authorized Disclosures - The entity creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_3": {"name": "P6.3 The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_3","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Creates and Retains Record of Detected or Reported Unauthorized Disclosures - The entity creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_4": {"name": "P6.4 The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_4","Section": "P6.0 - Privacy Criteria Related to Disclosure 
and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary. Discloses Personal Information Only to Appropriate Third Parties - Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements. Remediates Misuse of Personal Information by a Third Party - The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_5": {"name": "P6.5 The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_5","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy. 
Remediates Misuse of Personal Information by a Third Party - The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. Reports Actual or Suspected Unauthorized Disclosures - A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_6": {"name": "P6.6 The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_6","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Remediates Misuse of Personal Information by a Third Party - The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. 
Reports Actual or Suspected Unauthorized Disclosures - A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_6_7": {"name": "P6.7 The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_6_7","Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identifies Types of Personal Information and Handling Process - The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. Captures, Identifies, and Communicates Requests for Information - Requests for an accounting of personal information held and disclosures of the data subjects’ personal information are captured, and information related to the requests is identified and communicated to data subjects to meet the entity’s objectives related to privacy.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_7_1": {"name": "P7.1 The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_7_1","Section": "P7.0 - Privacy Criteria Related to Quality","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Ensures Accuracy and Completeness of Personal Information - Personal information is accurate and complete for the purposes for which it is to be used. 
Ensures Relevance of Personal Information - Personal information is relevant to the purposes for which it is to be used.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"p_8_1": {"name": "P8.1 The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "p_8_1","Section": "P8.0 - Privacy Criteria Related to Monitoring and Enforcement","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner. Communicates to Data Subjects—Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes. Addresses Inquiries, Complaints, and Disputes - A process is in place to address inquiries, complaints, and disputes. Documents and Communicates Dispute Resolution and Recourse - Each complaint is addressed, and the resolution is documented and communicated to the individual. Documents and Reports Compliance Review Results - Compliance with objectives related to privacy are reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. Documents and Reports Instances of Noncompliance - Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis. 
Performs Ongoing Monitoring - Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_1_1": {"name": "CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_1_1","Section": "CC1.0 - Common Criteria Related to Control Environment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Sets the Tone at the Top - The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. Establishes Standards of Conduct - The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. Evaluates Adherence to Standards of Conduct - Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct. 
Addresses Deviations in a Timely Manner - Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_1_2": {"name": "CC1.2 COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_1_2","Section": "CC1.0 - Common Criteria Related to Control Environment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establishes Oversight Responsibilities - The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations. Applies Relevant Expertise - The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action. Operates Independently - The board of directors has sufficient members who are independent from management and objective in evaluations and decision making. 
Additional point of focus specifically related to all engagements using the trust services criteria: Supplements Board Expertise - The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_1_3": {"name": "CC1.3 COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_1_3","Section": "CC1.0 - Common Criteria Related to Control Environment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Considers All Structures of the Entity - Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives. Establishes Reporting Lines - Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. Defines, Assigns, and Limits Authorities and Responsibilities - Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. 
Additional points of focus specifically related to all engagements using the trust services criteria: Addresses Specific Requirements When Defining Authorities and Responsibilities—Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"cc_1_4": {"name": "CC1.4 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_1_4","Section": "CC1.0 - Common Criteria Related to Control Environment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establishes Policies and Practices - Policies and practices reflect expectations of competence necessary to support the achievement of objectives. Evaluates Competence and Addresses Shortcomings - The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings. Attracts, Develops, and Retains Individuals - The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. Plans and Prepares for Succession - Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control. 
Additional point of focus specifically related to all engagements using the trust services criteria: Considers the Background of Individuals - The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. Considers the Technical Competency of Individuals - The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. Provides Training to Maintain Technical Competencies - The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_1_5": {"name": "CC1.5 COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_1_5","Section": "CC1.0 - Common Criteria Related to Control Environment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Enforces Accountability Through Structures, Authorities, and Responsibilities - Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. Establishes Performance Measures, Incentives, and Rewards - Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives. 
Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance - Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives. Considers Excessive Pressures - Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. Evaluates Performance and Rewards or Disciplines Individuals - Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_2_1": {"name": "CC2.1 COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control","checks": {"cloudtrail_multi_region_enabled": "PASS","config_recorder_all_regions_enabled": null,"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_2_1","Section": "CC2.0 - Common Criteria Related to Communication and Information","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identifies Information Requirements - A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives. Captures Internal and External Sources of Data - Information systems capture internal and external sources of data. Processes Relevant Data Into Information - Information systems process and transform relevant data into information. 
Maintains Quality Throughout Processing - Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.","checks_status": {"fail": 0,"pass": 1,"total": 4,"manual": 0}},"cc_2_2": {"name": "CC2.2 COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_2_2","Section": "CC2.0 - Common Criteria Related to Communication and Information","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Communicates Internal Control Information - A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. Communicates With the Board of Directors - Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives. Provides Separate Communication Lines - Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. Selects Relevant Method of Communication - The method of communication considers the timing, audience, and nature of the information. 
Additional point of focus specifically related to all engagements using the trust services criteria: Communicates Responsibilities - Entity personnel with responsibility for designing, developing, implementing,operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities. Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters—Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel. Communicates Objectives and Changes to Objectives - The entity communicates its objectives and changes to those objectives to personnel in a timely manner. Communicates Information to Improve Security Knowledge and Awareness - The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: Communicates Information About System Operation and Boundaries - The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized personnel to enable them to understand their role in the system and the results of system operation. Communicates System Objectives - The entity communicates its objectives to personnel to enable them to carry out their responsibilities. 
Communicates System Changes - System changes that affect responsibilities or the achievement of the entity's objectives are communicated in a timely manner.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_2_3": {"name": "CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_2_3","Section": "CC2.0 - Common Criteria Related to Communication and Information","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Communicates to External Parties - Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. Enables Inbound Communications - Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. Communicates With the Board of Directors - Relevant information resulting from assessments conducted by external parties is communicated to the board of directors. Provides Separate Communication Lines - Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. Selects Relevant Method of Communication - The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. Communicates Objectives Related to Confidentiality and Changes to Objectives - The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality. 
Additional point of focus that applies only to an engagement using the trust services criteria for privacy: Communicates Objectives Related to Privacy and Changes to Objectives - The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: Communicates Information About System Operation and Boundaries - The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. Communicates System Objectives - The entity communicates its system objectives to appropriate external users. Communicates System Responsibilities - External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities. 
Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters - External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_3_1": {"name": "CC3.1 COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_3_1","Section": "CC3.0 - Common Criteria Related to Risk Assessment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Operations Objectives: Reflects Management's Choices - Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity. Considers Tolerances for Risk - Management considers the acceptable levels of variation relative to the achievement of operations objectives. External Financial Reporting Objectives: Complies With Applicable Accounting Standards - Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances. External Nonfinancial Reporting Objectives: Complies With Externally Established Frameworks - Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations. Reflects Entity Activities - External reporting reflects the underlying transactions and events within a range of acceptable limits. Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting. 
Internal Reporting Objectives: Reflects Management's Choices - Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity. Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives. Reflects Entity Activities—Internal reporting reflects the underlying transactions and events within a range of acceptable limits. Compliance Objectives: Reflects External Laws and Regulations - Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives. Considers Tolerances for Risk - Management considers the acceptable levels of variation relative to the achievement of operations objectives. Additional point of focus specifically related to all engagements using the trust services criteria: Establishes Sub-objectives to Support Objectives—Management identifies sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of the entity’s objectives related to reporting, operations, and compliance.","checks_status": {"fail": 0,"pass": 2,"total": 3,"manual": 0}},"cc_3_2": {"name": "CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed","checks": {"guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_3_2","Section": "CC3.0 - Common Criteria Related to Risk Assessment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels - 
The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives. Analyzes Internal and External Factors - Risk identification considers both internal and external factors and their impact on the achievement of objectives. Involves Appropriate Levels of Management - The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management. Estimates Significance of Risks Identified - Identified risks are analyzed through a process that includes estimating the potential significance of the risk. Determines How to Respond to Risks - Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk. Additional points of focus specifically related to all engagements using the trust services criteria: Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities - The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.","checks_status": {"fail": 3,"pass": 1,"total": 5,"manual": 0}},"cc_3_3": {"name": "CC3.3 COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_3_3","Section": "CC3.0 - Common Criteria Related to Risk Assessment","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Considers Various Types of Fraud - The assessment of fraud considers fraudulent 
reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur. Assesses Incentives and Pressures - The assessment of fraud risks considers incentives and pressures. Assesses Opportunities - The assessment of fraud risk considers opportunities for unauthorized acquisition,use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts. Assesses Attitudes and Rationalizations - The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. Additional point of focus specifically related to all engagements using the trust services criteria: Considers the Risks Related to the Use of IT and Access to Information - The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_3_4": {"name": "CC3.4 COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_3_4","Section": "CC3.0 - Common Criteria Related to Risk Assessment","Service": "config","SubGroup": null,"SubSection": null}],"description": "Assesses Changes in the External Environment - The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates. Assesses Changes in the Business Model - The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies. 
Assesses Changes in Leadership - The entity considers changes in management and respective attitudes and philosophies on the system of internal control. Assess Changes in Systems and Technology - The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment. Assess Changes in Vendor and Business Partner Relationships - The risk identification process considers changes in vendor and business partner relationships.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"cc_4_1": {"name": "CC4.1 COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_4_1","Section": "CC4.0 - Monitoring Activities","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Considers a Mix of Ongoing and Separate Evaluations - Management includes a balance of ongoing and separate evaluations. Considers Rate of Change - Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations. Establishes Baseline Understanding - The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations. Uses Knowledgeable Personnel - Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated. Integrates With Business Processes - Ongoing evaluations are built into the business processes and adjust to changing conditions. Adjusts Scope and Frequency—Management varies the scope and frequency of separate evaluations depending on risk. Objectively Evaluates - Separate evaluations are performed periodically to provide objective feedback. 
Considers Different Types of Ongoing and Separate Evaluations - Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_4_2": {"name": "CC4.2 COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_4_2","Section": "CC4.0 - Monitoring Activities","Service": "guardduty","SubGroup": null,"SubSection": null}],"description": "Assesses Results - Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations. Communicates Deficiencies - Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate. Monitors Corrective Action - Management tracks whether deficiencies are remedied on a timely basis.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"cc_5_1": {"name": "CC5.1 COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_5_1","Section": "CC5.0 - Control Activities","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Integrates With Risk Assessment - Control activities help ensure that risk responses that address and mitigate risks are carried out. 
Considers Entity-Specific Factors - Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities. Determines Relevant Business Processes - Management determines which relevant business processes require control activities. Evaluates a Mix of 2017 Data Submitted Types - Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls. Considers at What Level Activities Are Applied - Management considers control activities at various levels in the entity. Addresses Segregation of Duties - Management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_5_2": {"name": "CC5.2 COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_5_2","Section": "CC5.0 - Control Activities","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls - Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls. Establishes Relevant Technology Infrastructure Control Activities - Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing. 
Establishes Relevant Security Management Process Controls Activities - Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats. Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities - Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_5_3": {"name": "CCC5.3 COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_5_3","Section": "CC5.0 - Control Activities","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establishes Policies and Procedures to Support Deployment of Management ‘s Directives - Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions. Establishes Responsibility and Accountability for Executing Policies and Procedures - Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside. Performs in a Timely Manner - Responsible personnel perform control activities in a timely manner as defined by the policies and procedures. Takes Corrective Action - Responsible personnel investigate and act on matters identified as a result of executing control activities. 
Performs Using Competent Personnel - Competent personnel with sufficient authority perform control activities with diligence and continuing focus. Reassesses Policies and Procedures - Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_6_1": {"name": "CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives","checks": {"s3_bucket_public_access": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_6_1","Section": "CC6.0 - Logical and Physical Access","Service": "s3","SubGroup": null,"SubSection": null}],"description": "Identifies and Manages the Inventory of Information Assets - The entity identifies, inventories, classifies, and manages information assets. Restricts Logical Access - Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. Identifies and Authenticates Users - Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely. Considers Network Segmentation - Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. Manages Points of Access - Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. 
Restricts Access to Information Assets - Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets. Manages Identification and Authentication - Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software. Manages Credentials for Infrastructure and Software - New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. Uses Encryption to Protect Data - The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk. Protects Encryption Keys - Processes are in place to protect encryption keys during generation, storage, use, and destruction.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"cc_6_2": {"name": "CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_6_2","Section": "CC6.0 - Logical and Physical Access","Service": "rds","SubGroup": null,"SubSection": null}],"description": "Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 
For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. Controls Access Credentials to Protected Assets - Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. Removes Access to Protected Assets When Appropriate - Processes are in place to remove credential access when an individual no longer requires such access. Reviews Appropriateness of Access Credentials - The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"cc_6_3": {"name": "CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_6_3","Section": "CC6.0 - Logical and Physical Access","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Creates or Modifies Access to Protected Information Assets - Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. Removes Access to Protected Information Assets - Processes are in place to remove access to protected information assets when an individual no longer requires access. 
Uses Role-Based Access Controls - Role-based access control is utilized to support segregation of incompatible functions.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"cc_6_4": {"name": "CC6.4 The entity restricts physical access to facilities and protected information assets to authorized personnel to meet the entity’s objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_6_4","Section": "CC6.0 - Logical and Physical Access","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Creates or Modifies Physical Access - Processes are in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system's asset owner. Removes Physical Access - Processes are in place to remove access to physical resources when an individual no longer requires access. Reviews Physical Access - Processes are in place to periodically review physical access to ensure consistency with job responsibilities.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_6_5": {"name": "CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_6_5","Section": "CC6.0 - Logical and Physical Access","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identifies Data and Software for Disposal - Procedures are in place to identify data and software stored on equipment to be disposed and to render such data and software unreadable. 
Removes Data and Software From Entity Control - Procedures are in place to remove data and software stored on equipment to be removed from the physical control of the entity and to render such data and software unreadable.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_6_6": {"name": "CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries","checks": {"ec2_instance_public_ip": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_6_6","Section": "CC6.0 - Logical and Physical Access","Service": "ec2","SubGroup": null,"SubSection": null}],"description": "Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. 
Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cc_6_7": {"name": "CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives","checks": {"acm_certificates_expiration_check": "PASS"},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_6_7","Section": "CC6.0 - Logical and Physical Access","Service": "acm","SubGroup": null,"SubSection": null}],"description": "Restricts the Ability to Perform Transmission - Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement and removal of information. Uses Encryption Technologies or Secure Communication Channels to Protect Data - Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. Protects Removal Media - Encryption technologies and physical asset protections are used for removable media (such as USB drives and back-up tapes), as appropriate. 
Protects Mobile Devices - Processes are in place to protect mobile devices (such as laptops, smart phones and tablets) that serve as information assets.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"cc_6_8": {"name": "CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_6_8","Section": "CC6.0 - Logical and Physical Access","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Restricts Application and Software Installation - The ability to install applications and software is restricted to authorized individuals. Detects Unauthorized Changes to Software and Configuration Parameters - Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. Uses a Defined Change Control Process - A management-defined change control process is used for the implementation of software. Uses Antivirus and Anti-Malware Software - Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. 
Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software - Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"cc_7_1": {"name": "CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_7_1","Section": "CC7.0 - System Operations","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Uses Defined Configuration Standards - Management has defined configuration standards. Monitors Infrastructure and Software - The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. Implements Change-Detection Mechanisms - The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. Detects Unknown or Unauthorized Components - Procedures are in place to detect the introduction of unknown or unauthorized components. 
Conducts Vulnerability Scans - The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.","checks_status": {"fail": 2,"pass": 2,"total": 4,"manual": 0}},"cc_7_2": {"name": "CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_7_2","Section": "CC7.0 - System Operations","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implements Detection Policies, Procedures, and Tools - Detection policies and procedures are defined and implemented, and detection tools are implemented on Infrastructure and software to 
identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities. Designs Detection Measures - Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. Implements Filters to Analyze Anomalies - Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events. Monitors Detection Tools for Effective Operation - Management has implemented processes to monitor the effectiveness of detection tools.","checks_status": {"fail": 7,"pass": 6,"total": 21,"manual": 0}},"cc_7_3": {"name": "CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","apigateway_restapi_logging_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": 
"FAIL","cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_7_3","Section": "CC7.0 - System Operations","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Responds to Security Incidents - Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis. Communicates and Reviews Detected Security Events - Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. Develops and Implements Procedures to Analyze Security Incidents - Procedures are in place to analyze security incidents and determine system impact. Assesses the Impact on Personal Information - Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations. 
Determines Personal Information Used or Disclosed - When an unauthorized use or disclosure of personal information has occurred, the affected information is identified.","checks_status": {"fail": 10,"pass": 3,"total": 17,"manual": 0}},"cc_7_4": {"name": "CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"guardduty_no_high_severity_findings": "FAIL","redshift_cluster_automated_snapshot": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_7_4","Section": "CC7.0 - System Operations","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Assigns Roles and Responsibilities - Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary. Contains Security Incidents - Procedures are in place to contain security incidents that actively threaten entity objectives. Mitigates Ongoing Security Incidents - Procedures are in place to mitigate the effects of ongoing security incidents. Ends Threats Posed by Security Incidents - Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. 
Restores Operations - Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. Develops and Implements Communication Protocols for Security Incidents - Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives. Obtains Understanding of Nature of Incident and Determines Containment Strategy - An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. Remediates Identified Vulnerabilities - Identified vulnerabilities are remediated through the development and execution of remediation activities. Communicates Remediation Activities - Remediation activities are documented and communicated in accordance with the incident response program. Evaluates the Effectiveness of Incident Response - The design of incident response activities is evaluated for effectiveness on a periodic basis. Periodically Evaluates Incidents - Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. Communicates Unauthorized Use and Disclosure - Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. 
Application of Sanctions - The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements.","checks_status": {"fail": 3,"pass": 3,"total": 16,"manual": 0}},"cc_7_5": {"name": "CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_7_5","Section": "CC7.0 - System Operations","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Restores the Affected Environment - The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. Communicates Information About the Event - Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). Determines Root Cause of the Event - The root cause of the event is determined. Implements Changes to Prevent and Detect Recurrences - Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. Improves Response and Recovery Procedures - Lessons learned are analyzed, and the incident response plan and recovery procedures are improved. Implements Incident Recovery Plan Testing - Incident recovery plan testing is performed on a periodic basis. 
The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_8_1": {"name": "CC8.1 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": "automated","ItemId": "cc_8_1","Section": "CC8.0 - Change Management","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Manages Changes Throughout the System Lifecycle - A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity. Authorizes Changes - A process is in place to authorize system changes prior to development. Designs and Develops Changes - A process is in place to design and develop system changes. Documents Changes - A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. Tracks System Changes - A process is in place to track system changes prior to implementation. Configures Software - A process is in place to select and implement the configuration parameters used to control the functionality of software. Tests System Changes - A process is in place to test system changes prior to implementation. Approves System Changes - A process is in place to approve system changes prior to implementation. 
Deploys System Changes - A process is in place to implement system changes. Identifies and Evaluates System Changes - Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents - Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification. Creates Baseline Configuration of IT Technology - A baseline configuration of IT and control systems is created and maintained. Provides for Changes Necessary in Emergency Situations - A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe). Protects Confidential Information - The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. 
Protects Personal Information - The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"cc_9_1": {"name": "CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_9_1","Section": "CC9.0 - Risk Mitigation","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Considers Mitigation of Risks of Business Disruption - Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity's objectives during response, mitigation, and recovery efforts. 
Considers the Use of Insurance to Mitigate Financial Impact Risks - The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_9_2": {"name": "CC9.2 The entity assesses and manages risks associated with vendors and business partners","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_9_2","Section": "CC9.0 - Risk Mitigation","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Establishes Requirements for Vendor and Business Partner Engagements - The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. Assesses Vendor and Business Partner Risks - The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. Assigns Responsibility and Accountability for Managing Vendors and Business Partners - The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. Establishes Communication Protocols for Vendors and Business Partners - The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. Establishes Exception Handling Procedures From Vendors and Business Partners - The entity establishes exception handling procedures for service or product issues related to vendors and business partners. Assesses Vendor and Business Partner Performance - The entity periodically assesses the performance of vendors and business partners. 
Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments - The entity implements procedures for addressing issues identified with vendor and business partner relationships. Implements Procedures for Terminating Vendor and Business Partner Relationships - The entity implements procedures for terminating vendor and business partner relationships. Obtains Confidentiality Commitments from Vendors and Business Partners - The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners - On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. Obtains Privacy Commitments from Vendors and Business Partners - The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. 
Assesses Compliance with Privacy Commitments of Vendors and Business Partners - On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_a_1_1": {"name": "A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_a_1_1","Section": "CCA1.0 - Additional Criterial for Availability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Measures Current Usage - The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints. Forecasts Capacity - The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity. 
Makes Changes Based on Forecasts - The system change management process is initiated when forecasted usage exceeds capacity tolerances.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_a_1_2": {"name": "A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","redshift_cluster_automated_snapshot": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_a_1_2","Section": "CCA1.0 - Additional Criterial for Availability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Measures Current Usage - The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints. Forecasts Capacity - The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity. 
Makes Changes Based on Forecasts - The system change management process is initiated when forecasted usage exceeds capacity tolerances.","checks_status": {"fail": 6,"pass": 3,"total": 16,"manual": 0}},"cc_a_1_3": {"name": "A1.3 The entity tests recovery plan procedures supporting system recovery to meet its objectives","checks": {},"status": "PASS","attributes": [{"Type": "manual","ItemId": "cc_a_1_3","Section": "CCA1.0 - Additional Criterial for Availability","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implements Business Continuity Plan Testing - Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. Tests Integrity and Completeness of Back-Up Data - The integrity and completeness of back-up information is tested on a periodic basis.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"cc_c_1_1": {"name": "C1.1 The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality","checks": {"rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_c_1_1","Section": "CCC1.0 - Additional Criterial for Confidentiality","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Identifies Confidential information - Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained. 
Protects Confidential Information from Destruction - Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cc_c_1_2": {"name": "C1.2 The entity disposes of confidential information to meet the entity’s objectives related to confidentiality","checks": {"s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": "automated","ItemId": "cc_c_1_2","Section": "CCC1.0 - Additional Criterial for Confidentiality","Service": "s3","SubGroup": null,"SubSection": null}],"description": "Identifies Confidential Information for Destruction - Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached. Destroys Confidential Information - Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 10,"requirements_failed": 10,"requirements_manual": 36,"total_requirements": 56,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "8f43ba1e-a5fb-42c5-95ca-d0b199c62975","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "cis_3.0_aws","framework": "CIS","version": "3.0","description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.","region": "eu-west-1","requirements": {"1.1": {"name": "1.1","checks": {"account_maintain_current_contact_details": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info","Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.","DefaultValue": null,"AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing ) 1. Sign in to the AWS Management Console and open the Billing and Cost Management console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose Account. 3. On the Account Settings page, review and verify the current details. 4. Under Contact Information, review and verify the current details.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. 
This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.","RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing ). 1. Sign in to the AWS Management Console and open the Billing and Cost Management console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose Account. 3. On the Account Settings page, next to Account Settings, choose Edit. 4. Next to the field that you need to update, choose Edit. 5. After you have entered your changes, choose Save changes. 6. After you have made your changes, choose Done. 7. To edit your contact information, under Contact Information, choose Edit. 8. For the fields that you want to change, type your updated information, and then choose Update.","AdditionalInformation": ""}],"description": "Maintain current contact details","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.2": {"name": "1.2","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if security contact information is present:**From Console:**1. Click on your account name at the top right corner of the console 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. 
Ensure contact information is specified in the `Security` section","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.","RemediationProcedure": "Perform the following to establish security contact information:**From Console:**1. Click on your account name at the top right corner of the console. 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. Enter contact information in the `Security` section**Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.","AdditionalInformation": ""}],"description": "Ensure security contact information is registered","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.3": {"name": "1.3","checks": {"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS account as the 'root' user 2. On the top right you will see the __ 3. Click on the __ 4. From the drop-down menu Click `My Account`5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions. 6. Click `Save questions` .","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "When creating a new AWS account, a default super user is automatically created. 
This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.","RemediationProcedure": "**From Console:**1. Login to the AWS Account as the 'root' user 2. Click on the __ from the top right of the console 3. From the drop-down menu Click _My Account_ 4. Scroll down to the `Configure Security Questions` section 5. Click on `Edit`6. Click on each `Question` - From the drop-down select an appropriate question- Click on the `Answer` section- Enter an appropriate answer - Follow process for all 3 questions 7. Click `Update` when complete 8. Save Questions and Answers and place in a secure physical location","AdditionalInformation": ""}],"description": "Ensure security questions are registered in the AWS account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.4": {"name": "1.4","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/","Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. 
It is recommended that all access keys associated with the 'root' user account be removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .**From Command Line:**Run the following command: ```aws iam get-account-summary | grep \"AccountAccessKeysPresent\"``` If no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,. If the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged.","RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys**From Console:**1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. Click on __ at the top right and select `My Security Credentials` from the drop down list 3. On the pop out screen Click on `Continue to Security Credentials`4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_ 5. Under the `Status` column if there are any Keys which are Active- Click on `Make Inactive` - (Temporarily disable Key - may be needed again)- Click `Delete` - (Deleted keys cannot be recovered)","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions is not enabled by default. 
However, on request to AWS support enables 'root' access only through access-keys (CLI, API methods) for us-gov cloud region."}],"description": "Ensure no 'root' user account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.5": {"name": "1.5","checks": {"iam_root_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.**Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `mfa_active` field is set to `TRUE` .**From Command Line:**1. 
Run the following command: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ``` 2. Ensure the AccountMFAEnabled property is set to 1","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` . 5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. 
For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.When you are finished, the virtual MFA device starts generating one-time passwords.In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions does not have console access. This recommendation is not applicable for us-gov cloud regions."}],"description": "Ensure MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.6": {"name": "1.6","checks": {"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:1. 
Run the following command to determine if the 'root' account has MFA setup: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ```The `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled. If `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled. Run the following command to list all virtual MFA devices: ```aws iam list-virtual-mfa-devices``` If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation: `\"SerialNumber\": \"arn:aws:iam::__:mfa/root-account-mfa-device\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.","RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials. 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. 
In the wizard, choose `A hardware MFA` device and then choose `Next Step` . 5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device. 6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. 7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number. 8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.Remediation for this recommendation is not available through AWS CLI.","AdditionalInformation": "IAM User account 'root' for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions."}],"description": "Ensure hardware MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.7": {"name": "1.7","checks": {"iam_avoid_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html","Description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/` 2. 
In the left pane, click `Credential Report` 3. Click on `Download Report` 4. Open of Save the file locally 5. Locate the `` under the user column 6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.**From Command Line:**Run the following CLI commands to provide a credential report for determining the last time the 'root user' was used: ``` aws iam generate-credential-report ``` ``` aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '' ```Review `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.**Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.","RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user.**Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.","AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. 
If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.Monitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user."}],"description": "Eliminate use of the 'root' user for administrative and daily tasks","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.8": {"name": "1.8","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Minimum password length\" is set to 14 or greater.**From Command Line:** ``` aws iam get-account-password-policy ``` Ensure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Setting a password complexity policy increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. 
Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Set \"Minimum password length\" to `14` or greater. 5. Click \"Apply password policy\"**From Command Line:** ```aws iam update-account-password-policy --minimum-password-length 14 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy requires minimum length of 14 or greater","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.9": {"name": "1.9","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Prevent password reuse\" is checked 5. 
Ensure \"Number of passwords to remember\" is set to 24**From Command Line:** ``` aws iam get-account-password-policy``` Ensure the output of the above command includes \"PasswordReusePrevention\": 24","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Preventing password reuse increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Check \"Prevent password reuse\" 5. Set \"Number of passwords to remember\" is set to `24` **From Command Line:** ```aws iam update-account-password-policy --password-reuse-prevention 24 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy prevents password reuse","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.1": {"name": "3.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events","Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane- You will be presented with a list of trails across all regions 3. Ensure at least one Trail has `All` specified in the `Region` column 4. Click on a trail via the link in the _Name_ column 5. Ensure `Logging` is set to `ON`6. Ensure `Apply trail to all regions` is set to `Yes` 7. In section `Management Events` ensure `Read/Write Events` set to `ALL`**From Command Line:** ```aws cloudtrail describe-trails ``` Ensure `IsMultiRegionTrail` is set to `true```` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `true` ``` aws cloudtrail get-event-selectors --trail-name  ``` Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`","ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html","AssessmentStatus": "Automated","RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally, - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected- ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated onAWS global services- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account","RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on _Trails_ on the left navigation pane 3. Click `Get Started Now` , if presented- Click `Add new trail` - Enter a trail name in the `Trail name` box- Set the `Apply trail to all regions` option to `Yes` - Specify an S3 bucket name in the `S3 bucket` box- Click `Create`4. If 1 or more trails already exist, select the target trail to enable for global logging 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`. 6. 
Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.**From Command Line:** ``` aws cloudtrail create-trail --name  --bucket-name  --is-multi-region-trailaws cloudtrail update-trail --name  --is-multi-region-trail ```Note: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.","AdditionalInformation": ""}],"description": "Ensure CloudTrail is enabled in all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.2": {"name": "3.2","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.","DefaultValue": null,"AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. 
For Every Trail: - Click on a trail via the link in the _Name_ column - Under the `General details` section, ensure `Log file validation` is set to `Enabled` **From Command Line:** ``` aws cloudtrail describe-trails ``` Ensure `LogFileValidationEnabled` is set to `true` for each trail","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling log file validation will provide additional integrity checking of CloudTrail logs.","RemediationProcedure": "Perform the following to enable log file validation on a given trail:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. Click on target trail 4. Within the `General details` section click `edit` 5. Under the `Advanced settings` section 6. Check the enable box under `Log file validation`7. Click `Save changes` **From Command Line:** ``` aws cloudtrail update-trail --name  --enable-log-file-validation ``` Note that periodic validation of logs using these digests can be performed by running the following command: ``` aws cloudtrail validate-logs --trail-arn  --start-time  --end-time  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail log file validation is enabled","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.3": {"name": "3.3","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html","Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. 
The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.","DefaultValue": null,"AuditProcedure": "Process to evaluate AWS Config configuration per region**From Console:**1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 2. On the top right of the console select target Region. 3. If presented with Setup AWS Config - follow remediation procedure: 4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 5. Ensure 1 or both check-boxes under \"All Resources\" is checked.- Include global resources related to IAM resources - which needs to be enabled in 1 region only 6. Ensure the correct S3 bucket has been defined. 7. Ensure the correct SNS topic has been defined. 8. Repeat steps 2 to 7 for each region.**From Command Line:**1. Run this command to show all AWS Config recorders and their properties: ``` aws configservice describe-configuration-recorders ``` 2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])Sample Output:``` {\"ConfigurationRecorders\": [{\"recordingGroup\": {\"allSupported\": true,\"resourceTypes\": [],\"includeGlobalResourceTypes\": true},\"roleARN\": \"arn:aws:iam:::role/service-role/\",\"name\": \"default\"}] } ```3. Run this command to show the status for all AWS Config recorders: ``` aws configservice describe-configuration-recorder-status ``` 4. 
In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`","ImpactStatement": "It is recommended AWS Config be enabled in all regions.","AssessmentStatus": "Automated","RationaleStatement": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.","RemediationProcedure": "To implement AWS Config configuration:**From Console:**1. Select the region you want to focus on in the top right of the console 2. Click `Services`3. Click `Config`4. Define which resources you want to record in the selected region 5. Choose to include global resources (IAM resources) 6. Specify an S3 bucket in the same account or in another managed AWS account 7. Create an SNS Topic from the same AWS account or another managed AWS account**From Command Line:**1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 2. Run this command to set up the configuration recorder ``` aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole ``` 3. Run this command to start the configuration recorder: ``` start-configuration-recorder --configuration-recorder-name  ```","AdditionalInformation": ""}],"description": "Ensure AWS Config is enabled in all regions","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.4": {"name": "3.4","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html","Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.","DefaultValue": null,"AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the API activity history pane on the left, click Trails 3. In the Trails pane, note the bucket names in the S3 bucket column 4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 5. Under `All Buckets` click on a target S3 bucket 6. Click on `Properties` in the top right of the console 7. Under `Bucket:` _ `` _ click on `Logging`8. Ensure `Enabled` is checked.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'``` 2. Ensure Bucket Logging is enabled: ``` aws s3api get-bucket-logging --bucket  ``` Ensure command does not returns empty output.Sample Output for a bucket with logging enabled:``` {\"LoggingEnabled\": {\"TargetPrefix\": \"\",\"TargetBucket\": \"\"} } ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. 
Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.","RemediationProcedure": "Perform the following to enable S3 bucket logging:**From Console:**1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 2. Under `All Buckets` click on the target S3 bucket 3. Click on `Properties` in the top right of the console 4. Under `Bucket:`  click on `Logging`5. Configure bucket logging- Click on the `Enabled` checkbox- Select Target Bucket from list- Enter a Target Prefix 6. Click `Save`.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --region  --query trailList[*].S3BucketName ``` 2. Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``: ``` {\"LoggingEnabled\": {\"TargetBucket\": \"\",\"TargetPrefix\": \"\",\"TargetGrants\": [{\"Grantee\": {\"Type\": \"AmazonCustomerByEmail\",\"EmailAddress\": \"\"},\"Permission\": \"FULL_CONTROL\"}]}} ``` 3. Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): ``` aws s3api put-bucket-logging --bucket  --bucket-logging-status file:// ```","AdditionalInformation": ""}],"description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.5": {"name": "3.5","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html","Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Select a Trail 4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.**From Command Line:**1. Run the following command: ```aws cloudtrail describe-trails``` 2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.","ImpactStatement": "Customer created keys incur an additional cost. 
See https://aws.amazon.com/kms/pricing/ for more information.","AssessmentStatus": "Automated","RationaleStatement": "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.","RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Click on a Trail 4. Under the `S3` section click on the edit button (pencil icon) 5. Click `Advanced`6. Select an existing CMK from the `KMS key Id` drop-down menu- Note: Ensure the CMK is located in the same region as the S3 bucket- Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy 7. Click `Save`8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. 9. Click `Yes` **From Command Line:** ``` aws cloudtrail update-trail --name  --kms-id  aws kms put-key-policy --key-id  --policy  ```","AdditionalInformation": "3 statements which need to be added to the CMK policy:1\\. Enable Cloudtrail to describe CMK properties ``` 
{\"Sid\": \"Allow CloudTrail access\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:DescribeKey\",\"Resource\": \"*\" } ``` 2\\. Granting encrypt permissions ``` 
{\"Sid\": \"Allow CloudTrail to encrypt logs\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:GenerateDataKey*\",\"Resource\": \"*\",\"Condition\": {\"StringLike\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": [\"arn:aws:cloudtrail:*:aws-account-id:trail/*\"]}} } ``` 3\\. Granting decrypt permissions ``` 
{\"Sid\": \"Enable CloudTrail log decrypt permissions\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"arn:aws:iam::aws-account-id:user/username\"},\"Action\": \"kms:Decrypt\",\"Resource\": \"*\",\"Condition\": {\"Null\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"}} } ```"}],"description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.6": {"name": "3.6","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final","Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the KMS console at: https://console.aws.amazon.com/kms. 2. In the left navigation pane, click Customer-managed keys. 3. Select a customer managed CMK where Key spec = SYMMETRIC_DEFAULT. 4. Select the Key rotation tab. 5. Ensure the Automatically rotate this KMS key every year checkbox is checked. 6. 
Repeat steps 3–5 for all customer-managed CMKs where 'Key spec = SYMMETRIC_DEFAULT'.","ImpactStatement": "Creation, management, and storage of CMKs may require additional time from and administrator.","AssessmentStatus": "Automated","RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the KMS console at: https://console.aws.amazon.com/kms. 2. In the left navigation pane, click Customer-managed keys. 3. Select a key where Key spec = SYMMETRIC_DEFAULT that does not have automatic rotation enabled. 4. Select the Key rotation tab. 5. Check the Automatically rotate this KMS key every year checkbox. 6. Click Save. 7. Repeat steps 3–6 for all customer-managed CMKs that do not have automatic rotation enabled.","AdditionalInformation": ""}],"description": "Ensure rotation for customer created symmetric CMKs is enabled","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.7": {"name": "3.7","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html","Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. 
In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. Ensure a Log Flow exists that has `Active` in the `Status` column.**From Command Line:**1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region: ``` aws ec2 describe-vpcs --region  --query Vpcs[].VpcId ``` 2. The command output returns the `VpcId` available in the selected region. 3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled: ``` aws ec2 describe-flow-logs --filter \"Name=resource-id,Values=\" ``` 4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`. 5. Repeat step 3 for other VPCs available in the same region. 6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.","ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.","RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:**From Console:**1. 
Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. If no Flow Log exists, click `Create Flow Log`7. For Filter, select `Reject` 8. Enter in a `Role` and `Destination Log Group`9. Click `Create Log Flow`10. Click on `CloudWatch Logs Group` **Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.**From Command Line:**1. Create a policy document and name it as `role_policy_document.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"test\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"ec2.amazonaws.com\"},\"Action\": \"sts:AssumeRole\"}] } ``` 2. Create another policy document and name it as `iam_policy.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Action\":[\"logs:CreateLogGroup\",\"logs:CreateLogStream\",\"logs:DescribeLogGroups\",\"logs:DescribeLogStreams\",\"logs:PutLogEvents\",\"logs:GetLogEvents\",\"logs:FilterLogEvents\"],\"Resource\": \"*\"}] } ``` 3. Run the below command to create an IAM role: ``` aws iam create-role --role-name  --assume-role-policy-document file://role_policy_document.json``` 4. Run the below command to create an IAM policy: ``` aws iam create-policy --policy-name  --policy-document file://iam-policy.json ``` 5. 
Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned): ``` aws iam attach-group-policy --policy-arn arn:aws:iam:::policy/ --group-name  ``` 6. Run `describe-vpcs` to get the VpcId available in the selected region: ``` aws ec2 describe-vpcs --region  ``` 7. The command output should return the VPC Id available in the selected region. 8. Run `create-flow-logs` to create a flow log for the vpc: ``` aws ec2 create-flow-logs --resource-type VPC --resource-ids  --traffic-type REJECT --log-group-name  --deliver-logs-permission-arn  ``` 9. Repeat step 8 for other vpcs available in the selected region. 10. Change the region by updating --region and repeat remediation procedure for other vpcs.","AdditionalInformation": ""}],"description": "Ensure VPC flow logging is enabled in all VPCs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.8": {"name": "3.8","checks": {"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/ 2. In the left panel, click Trails and then click on the CloudTrail Name that you want to examine. 3. Review General details 4. Confirm that Multi-region trail is set to Yes 5. Scroll down to Data events 6. 
Confirm that it reads: Data Events:S3 Log selector template Log all events If 'basic events selectors' is being used it should read: Data events: S3 Bucket Name: All current and future S3 buckets Write: Enabled 7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail. If the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below..","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/ 2. In the left navigation panel, click buckets and then click on the S3 Bucket Name that you want to examine. 3. Click Properties tab to see in detail bucket configuration. 4. In the AWS Cloud Trail data events' section select the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by slicking the Configure in Cloudtrailbutton or navigating to the Cloudtrail console linkhttps://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, Select the data Data Events check box. 6. Select S3 from the `Data event type drop down. 7. Select Log all events from the Log selector template drop down. 8. 
Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for write events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.9": {"name": "3.9","checks": {"cloudtrail_s3_dataevents_read_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set. 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.**From Command Line:** 1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: ``` aws cloudtrail describe-trails --region  --output table --query trailList[*].Name ``` 2. The command output will be table of the requested trail names. 3. 
Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. 5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. 7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. 
Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled. 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.**From Command Line:** 1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for read events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.1": {"name": "4.1","checks": {"cloudwatch_log_metric_filter_unauthorized_api_calls": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://aws.amazon.com/sns/:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for unauthorized API calls.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with \"Name\":` note ``- From value associated with \"CloudWatchLogsLogGroupArn\" note Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this `` that you captured in step 1:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\", ```4. Note the \"filterName\" `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\" ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.","AssessmentStatus": "Automated","RationaleStatement": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. 
Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms. **Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for unauthorized API calls","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.2": {"name": "4.2","checks": {"cloudwatch_log_metric_filter_sign_in_without_mfa": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. 
Monitoring","References": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all `CloudTrails`:``` aws cloudtrail describe-trails ```- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region `CloudTrail` is active``` aws cloudtrail get-trail-status --name  ```Ensure in the output that `IsLogging` is set to `TRUE`- Ensure identified Multi-region 'Cloudtrail' captures all Management Events``` aws cloudtrail get-event-selectors --trail-name  ```Ensure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. 
Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\" ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `` taken from audit step 1.Use Command: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored -Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account."}],"description": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.3": {"name": "4.3","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for 'root' login attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**- ensures that activities from all regions (used as well as unused) are monitored- ensures that activities on all supported global services are monitored- ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for usage of 'root' account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.4": {"name": "4.4","checks": {"cloudwatch_log_metric_filter_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for IAM policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.5": {"name": "4.5","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.6": {"name": "4.6","checks": {"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.7": {"name": "4.7","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Data encrypted with disabled or deleted keys will no longer be accessible.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.8": {"name": "4.8","checks": {"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for S3 bucket policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.9": {"name": "4.9","checks": {"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Config configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"5.1": {"name": "5.1","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison","Description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "**From Console:**Perform the following to determine if the account is configured as prescribed: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. 
For each network ACL, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "**From Console:**Perform the following: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL to remediate, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Click `Edit inbound rules`- Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule- Click `Save`","AdditionalInformation": ""}],"description": "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"5.2": {"name": "5.2","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule 6. 
Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.3": {"name": "5.3","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. 
Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `::/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the ::/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than ::/0, or, B) Click `Delete` to remove the offending inbound rule 6. Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.4": {"name": "5.4","checks": {"ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "5. 
Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group","Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.**NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:Security Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. 
For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exist 4. Click the `Outbound Rules` tab 5. Ensure no rules existSecurity Group Members1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. Copy the id of the default security group. 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home 6. In the filter column type 'Security Group ID : < security group id from #4 >'","ImpactStatement": "Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.","AssessmentStatus": "Automated","RationaleStatement": "Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.","RemediationProcedure": "Security Group MembersPerform the following to implement the prescribed state:1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security groupSecurity Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. 
Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Remove any inbound rules 4. Click the `Outbound Rules` tab 5. Remove any Outbound rulesRecommended:IAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"","AdditionalInformation": ""}],"description": "Ensure the default security group of every VPC restricts all traffic","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"5.5": {"name": "5.5","checks": {"vpc_peering_routing_tables_with_least_privilege": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "5. Networking","References": "https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html","Description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.","DefaultValue": null,"AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.**From Command Line:**1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a __ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired. 
``` aws ec2 describe-route-tables --filter \"Name=vpc-id,Values=\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\" ```","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.","RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.**From Command Line:**1. For each __ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route: ``` aws ec2 delete-route --route-table-id  --destination-cidr-block  ```2. Create a new compliant route: ``` aws ec2 create-route --route-table-id  --destination-cidr-block  --vpc-peering-connection-id  ```","AdditionalInformation": "If an organization has AWS transit gateway implemented in their VPC architecture they should look to apply the recommendation above for \"least access\" routing architecture at the AWS transit gateway level in combination with what must be implemented at the standard VPC route table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs must have an attachment to a transit gateway route table as well as a route, therefore to avoid routing traffic between VPCs an attachment to the transit gateway route table should only be added where there is an intention to route traffic between the VPCs. 
As transit gateways are able to host multiple route tables it is possible to group VPCs by attaching them to a common route table."}],"description": "Ensure routing tables for VPC peering are \"least access\"","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"5.6": {"name": "5.6","checks": {"ec2_instance_imdsv2_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/:https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html","Description": "When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).","DefaultValue": null,"AuditProcedure": "From Console: 1. Sign in to the AWS Management Console and navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/. 2. In the left navigation panel, under the INSTANCES section, choose Instances. 3. Select the EC2 instance that you want to examine. 4. Check for the IMDSv2 status, and ensure that it is set to Required. From Command Line: 1. Run the describe-instances command using appropriate filtering to list the IDs of all the existing EC2 instances currently available in the selected region: aws ec2 describe-instances --region  --output table --query 'Reservations[*].Instances[*].InstanceId' 2. The command output should return a table with the requested instance IDs. 3. Now run the describe-instances command using an instance ID returned at the previous step and custom filtering to determine whether the selected instance has IMDSv2: aws ec2 describe-instances --region  --instance-ids  --query 'Reservations[*].Instances[*].MetadataOptions' --output table 4. 
Ensure for all ec2 instances HttpTokens is set to required and State is set to applied. 5. Repeat steps no. 3 and 4 to verify other EC2 instances provisioned within the current region. 6. Repeat steps no. 1 – 5 to perform the audit process for other AWS regions.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, host name, events, and security groups. When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method). With IMDSv2, every request is now protected by session authentication. A session begins and ends a series of requests that software running on an EC2 instance uses to access the locally-stored EC2 instance metadata and credentials. Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery (SSRF) attacks, so Amazon recommends utilizing Version 2 for better instance security.","RemediationProcedure": "From Console: 1. Sign in to the AWS Management Console and navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/. 2. In the left navigation panel, under the INSTANCES section, choose Instances. 3. Select the EC2 instance that you want to examine. 4. Choose Actions > Instance Settings > Modify instance metadata options. 5. Ensure Instance metadata service is set to Enable and set IMDSv2 to Required. 6. Repeat steps no. 1 – 5 to perform the remediation process for other EC2 Instances in the all applicable AWS region(s). From Command Line: 1. 
Run the describe-instances command using appropriate filtering to list the IDs of all the existing EC2 instances currently available in the selected region: aws ec2 describe-instances --region  --output table -- query 'Reservations[*].Instances[*].InstanceId' 2. The command output should return a table with the requested instance IDs. 3. Now run the modify-instance-metadata-options command using an instance ID returned at the previous step to update the Instance Metadata Version: aws ec2 modify-instance-metadata-options --instance-id  --http-tokens required --region  4. Repeat steps no. 1 – 3 to perform the remediation process for other EC2 Instances in the same AWS region. 5. Change the region by updating --region and repeat the entire process for other regions.","AdditionalInformation": ""}],"description": "Ensure that EC2 Metadata Service only allows IMDSv2","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.10": {"name": "1.10","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users","Description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. 
It is recommended that MFA be enabled for all accounts that have a console password.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:**From Console:**1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left pane, select `Users`3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`. 4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8``` 2. The output of this command will produce a table similar to the following: ```user,password_enabled,mfa_activeelise,false,falsebrandon,true,truerakesh,false,falsehelene,false,falseparas,true,trueanitha,false,false``` 3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`","ImpactStatement": "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. We recommend that existing customers switch to one of the following alternative methods of MFA.","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to enable MFA:**From Console:**1. 
Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' 2. In the left pane, select `Users`. 3. In the `User Name` list, choose the name of the intended MFA user. 4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`. 5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application. When you are finished, the virtual MFA device starts generating one-time passwords.8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.9. 
Click `Assign MFA`.","AdditionalInformation": "**Forced IAM User Self-Service Remediation**Amazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts."}],"description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.11": {"name": "1.11","checks": {"iam_user_no_setup_initial_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html","Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on a User where column `Password age` and `Access key age` is not set to `None` 5. Click on `Security credentials` Tab 6. 
Compare the user 'Creation time` to the Access Key `Created` date. 6. For any that match, the key was created during initial user setup.- Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16 ``` 2. The output of this command will produce a table similar to the following: ``` user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_dateelise,false,true,2015-04-16T15:14:00+00:00,false,N/Abrandon,true,true,N/A,false,N/Arakesh,false,false,N/A,false,N/Ahelene,false,true,2015-11-18T17:47:00+00:00,false,N/Aparas,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A``` 3. For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.","RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:**From Console:**1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. 
Click on `Users`5. Click on `Security Credentials`6. As an Administrator - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User- Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.**From Command Line:** ``` aws iam delete-access-key --access-key-id  --user-name  ```","AdditionalInformation": "Credential report does not appear to contain \"Key Creation Date\""}],"description": "Do not setup access keys during initial user setup for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.12": {"name": "1.12","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if unused credentials exist:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM` 4. Click on `Users` 5. Click the `Settings` (gear) icon. 6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id` 7. Click on `Close`8. Check and ensure that `Console last sign-in` is less than 45 days ago.**Note** - `Never` means the user has never logged in.9. 
Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.**From Command Line:****Download Credential Report:**1. Run the following commands: ```aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^' ```**Ensure unused credentials do not exist:**2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.3. For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.- When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.","RemediationProcedure": "**From Console:**Perform the following to manage Unused Password (IAM user console access)1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select user whose `Console last sign-in` is greater than 45 days 7. Click `Security credentials` 8. In section `Sign-in credentials`, `Console password` click `Manage`9. Under Console Access select `Disable` 10.Click `Apply`Perform the following to deactivate Access Keys:1. Login to the AWS Management Console: 2. Click `Services`3. 
Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select any access keys that are over 45 days old and that have been used and - Click on `Make Inactive` 7. Select any access keys that are over 45 days old and that have not been used and - Click the X to `Delete`","AdditionalInformation": " is excluded in the audit since the root account should not be used for day to day business and would likely be unused for more than 45 days."}],"description": "Ensure credentials unused for 45 days or greater are disabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.13": {"name": "1.13","checks": {"iam_user_two_active_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html","Description": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. - Repeat steps no. 3 – 5 for each IAM user in your AWS account.**From Command Line:**1. 
Run `list-users` command to list all IAM users within your account: ``` aws iam list-users --query \"Users[*].UserName\" ``` The command output should return an array that contains all your IAM user names.2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user: ``` aws iam list-access-keys --user-name  ``` The command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.3. Check the `Status` property value for each key returned to determine each keys current state. If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.- Repeat steps no. 2 and 3 for each IAM user in your AWS account.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. 6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link. 7. 
If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key. 8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.**From Command Line:**1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user**Note** - the command does not return any output: ``` aws iam update-access-key --access-key-id  --status Inactive --user-name  ``` 3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User: ``` aws iam list-access-keys --user-name  ``` - The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.","AdditionalInformation": ""}],"description": "Ensure there is only one active access key available for any single IAM user","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.14": {"name": "1.14","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click `setting` icon 4. Select `Console last sign-in` 5. Click `Close` 6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.**From Command Line:**``` aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d ``` The `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. 
If the user does not have an active access key, the value in this field is N/A (not applicable).","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.","RemediationProcedure": "Perform the following to rotate access keys:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click on `Security Credentials`4. As an Administrator - Click on `Make Inactive` for keys that have not been rotated in `90` Days 5. As an IAM User- Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days 6. Click on `Create Access Key`7. Update programmatic call with new Access Key credentials**From Command Line:**1. While the first access key is still active, create a second access key, which is active by default. Run the following command: ``` aws iam create-access-key ```At this point, the user has two active access keys.2. Update all applications and tools to use the new access key. 3. Determine whether the first access key is still in use by using this command: ``` aws iam get-access-key-last-used ``` 4. One approach is to wait several days and then check the old access key for any use before proceeding.Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command: ``` aws iam update-access-key ``` 5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. 
If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command: ``` aws iam delete-access-key ```","AdditionalInformation": ""}],"description": "Ensure access keys are rotated every 90 days or less","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.15": {"name": "1.15","checks": {"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html","Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:1. Run the following to get a list of IAM users: ```aws iam list-users --query 'Users[*].UserName' --output text``` 2. For each user returned, run the following command to determine if any policies are attached to them: ```aws iam list-attached-user-policies --user-name aws iam list-user-policies --user-name ``` 3. 
If any policies are returned, the user has an inline policy or direct policy attachment.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.","RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups` and then click `Create New Group` . 3. In the `Group Name` box, type the name of the group and then click `Next Step` . 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` . 5. Click `Create Group` Perform the following to add a user to a given group:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups`3. Select the group to add a user to 4. Click `Add Users To Group`5. Select the users to be added to the group 6. Click `Add Users` Perform the following to remove a direct association between a user and policy:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left navigation pane, click on Users 3. 
For each user:- Select the user- Click on the `Permissions` tab- Expand `Permissions policies` - Click `X` for each policy; then click Detach or Remove (depending on policy type)","AdditionalInformation": ""}],"description": "Ensure IAM Users Receive Permissions Only Through Groups","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.16": {"name": "1.16","checks": {"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam","Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges.","DefaultValue": null,"AuditProcedure": "Perform the following to determine what policies are created:**From Command Line:**1. Run the following to get a list of IAM policies: ```aws iam list-policies --only-attached --output text ``` 2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account: ```aws iam get-policy-version --policy-arn  --version-id  ``` 3. 
In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.","RemediationProcedure": "From Console: Perform the following to detach the policy that has full administrative privileges: 1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. 2. In the navigation pane, click Policies and then search for the policy name found in the audit step. 3. Select the policy that needs to be deleted. 4. In the policy action menu, select first Detach 5. Select all Users, Groups, Roles that have this policy attached 6. Click Detach Policy 7. In the policy action menu, select Detach 8. Select the newly detached policy and select Delete From Command Line: Perform the following to detach the policy that has full administrative privileges as found in the audit step: 1. Lists all IAM users, groups, and roles that the specified managed policy is attached to. aws iam list-entities-for-policy --policy-arn  2. Detach the policy from all IAM Users: aws iam detach-user-policy --user-name  --policy-arn  3. Detach the policy from all IAM Groups: aws iam detach-group-policy --group-name  --policy-arn  4. 
Detach the policy from all IAM Roles: aws iam detach-role-policy --role-name  --policy-arn ","AdditionalInformation": ""}],"description": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.17": {"name": "1.17","checks": {"iam_support_role_created": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html","Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.","DefaultValue": null,"AuditProcedure": "**From Command Line:**1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value: ``` aws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\" ``` 2. Check if the 'AWSSupportAccess' policy is attached to any role:``` aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess ```3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'If it returns empty refer to the remediation below.","ImpactStatement": "All AWS Support plans include an unlimited number of account and billing supportcases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. Enterprise Support plan customers have the option toinclude multiple enabled accounts in an aggregated monthly billing calculation. 
Monthlycharges for the Business and Enterprise support plans are based on each month's AWSusage charges, subject to a monthly minimum, billed in advance.When assigning rights, keep in mind that other policies may grant access to Support aswell. This may include AdministratorAccess and other policies including customermanaged policies. Utilizing the AWS managed 'AWSSupportAccess' role is one simpleway of ensuring that this permission is properly granted.To better support the principle of separation of duties, it would be best to only attach thisrole where necessary.","AssessmentStatus": "Automated","RationaleStatement": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.","RemediationProcedure": "**From Command Line:**1. Create an IAM role for managing incidents with AWS:- Create a trust relationship policy document that allows  to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json: ```{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"\"},\"Action\": \"sts:AssumeRole\"}]} ``` 2. Create the IAM role using the above trust policy: ``` aws iam create-role --role-name  --assume-role-policy-document file:///tmp/TrustPolicy.json ``` 3. Attach 'AWSSupportAccess' managed policy to the created IAM role: ``` aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name  ```","AdditionalInformation": "AWSSupportAccess policy is a global AWS resource. It has same ARN as `arn:aws:iam::aws:policy/AWSSupportAccess` for every account."}],"description": "Ensure a support role has been created to manage incidents with AWS Support","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.18": {"name": "1.18","checks": {"ec2_instance_profile_attached": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html","Description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.","DefaultValue": null,"AuditProcedure": "Where an instance is associated with a Role:For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose \"Instances\" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.Where an Instance Contains Embedded Credentials:- On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.Where an Instance Application Contains Embedded Credentials:- Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. 
Another method is to examine all source code and configuration files of the application.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.","RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known. 2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected. 3. Shutdown both the existing instance and the new instance. 4. Detach disks from both instances. 5. Attach the existing instance disks to the new instance. 6. 
Boot the new instance and you should have the same machine, but with the associated role.**Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.**Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.","AdditionalInformation": ""}],"description": "Ensure IAM instance roles are used for AWS resource access from instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.19": {"name": "1.19","checks": {"iam_no_expired_server_certificates_stored": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html","Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. 
Additionally, you cannot manage your certificates from the IAM Console.","DefaultValue": null,"AuditProcedure": "**From Console:**Getting the certificates expiration information via AWS Management Console is not currently supported.To request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**Run list-server-certificates command to list all the IAM-stored server certificates:``` aws iam list-server-certificates ```The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):``` {\"ServerCertificateMetadataList\": [{\"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",\"ServerCertificateName\": \"MyServerCertificate\",\"Expiration\": \"2018-07-10T23:59:59Z\",\"Path\": \"/\",\"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",\"UploadDate\": \"2018-06-10T11:56:08Z\"}] } ```Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.If this command returns: ``` { { \"ServerCertificateMetadataList\": [] } ``` This means that there are no expired certificates, It DOES NOT mean that no certificates exist.","ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. 
One has to make configurations at respective services to ensure there is no interruption in application functionality.","AssessmentStatus": "Automated","RationaleStatement": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.","RemediationProcedure": "**From Console:**Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**To delete Expired Certificate run following command by replacing  with the name of the certificate to delete:``` aws iam delete-server-certificate --server-certificate-name  ```When the preceding command is successful, it does not return any output.","AdditionalInformation": ""}],"description": "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.20": {"name": "1.20","checks": {"accessanalyzer_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html","Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. 
Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Open the IAM console at `https://console.aws.amazon.com/iam/` 2. Choose `Access analyzer` 3. Click 'Analyzers' 4. Ensure that at least one analyzer is present 5. Ensure that the `STATUS` is set to `Active` 6. Repeat these step for each active region**From Command Line:**1. Run the following command: ``` aws accessanalyzer list-analyzers | grep status ``` 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`3. Repeat the steps above for each active region.If an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.","RemediationProcedure": "**From Console:**Perform the following to enable IAM Access analyzer for IAM policies:1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 2. Choose `Access analyzer`. 3. Choose `Create analyzer`. 4. 
On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer. 5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`. 6. Add any tags that you want to apply to the analyzer. `Optional`.7. Choose `Create Analyzer`. 8. Repeat these step for each active region**From Command Line:**Run the following command: ``` aws accessanalyzer create-analyzer --analyzer-name  --type  ``` Repeat this command above for each active region.**Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.","AdditionalInformation": ""}],"description": "Ensure that IAM Access analyzer is enabled for all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.21": {"name": "1.21","checks": {"iam_check_saml_providers_sts": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "","Description": "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.","DefaultValue": null,"AuditProcedure": "For multi-account AWS environments with an external identity provider: 1. Determine the master account for identity federation or IAM user management 2. Login to that account through the AWS Management Console 3. Click Services 4. Click IAM 5. Click Identity providers 6. Verify the configuration Then, determine all accounts that should not have local users present. For each account: 1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click Services 5. Click IAM 6. Click Users 7. 
Confirm that no IAM users representing individuals are present For multi-account AWS environments implementing AWS Organizations without an external identity provider: 1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click Services 5. Click IAM 6. Click Users 7. Confirm that no IAM users representing individuals are present","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.","RemediationProcedure": "The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.","AdditionalInformation": ""}],"description": "Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.22": {"name": "1.22","checks": {},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html","Description": "AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers.","DefaultValue": null,"AuditProcedure": "**From Console** 1. 
Open the IAM console at https://console.aws.amazon.com/iam/2. In the left pane, select Policies3. Search for and select AWSCloudShellFullAccess4. On the Entities attached tab, ensure that there are no entities using this policy **From Command Line**1. List IAM policies, filter for the 'AWSCloudShellFullAccess' managed policy, and note the \"\"Arn\"\" element value:```aws iam list-policies --query \"\"Policies[?PolicyName == 'AWSCloudShellFullAccess']\"\"``` 2. Check if the 'AWSCloudShellFullAccess' policy is attached to any role: ```aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess```3. In Output, Ensure PolicyRoles returns empty. 'Example: Example: PolicyRoles: [ ]'If it does not return empty refer to the remediation below.Note: Keep in mind that other policies may grant access.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Access to this policy should be restricted as it presents a potential channel for data exfiltration by malicious cloud admins that are given full permissions to the service. AWS documentation describes how to create a more restrictive IAM policy which denies file transfer permissions.","RemediationProcedure": "**From Console**1. Open the IAM console at https://console.aws.amazon.com/iam/2. In the left pane, select Policies 3. Search for and select AWSCloudShellFullAccess4. On the Entities attached tab, for each item, check the box and select Detach","AdditionalInformation": ""}],"description": "Ensure access to AWSCloudShellFullAccess is restricted","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"4.10": {"name": "4.10","checks": {"cloudwatch_log_metric_filter_security_group_changes": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. 
Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. 
Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '']\" ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"\" --filter-name \"\" --metric-transformations metricName= \"\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ```**Note**: You can choose your own metricName and metricNamespace strings. 
Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name \"\" ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn \"\" --protocol  --notification-endpoint \"\" ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"\" --metric-name \"\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"\" ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for security group changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.11": {"name": "4.11","checks": {"cloudwatch_changes_to_network_acls_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. 
Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. 
Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. 
Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.12": {"name": "4.12","checks": {"cloudwatch_changes_to_network_gateways_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to network gateways","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.13": {"name": "4.13","checks": {"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.","DefaultValue": null,"AuditProcedure": "If you are using CloudTrails and CloudWatch , perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarmsconfigured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:• List all CloudTrails: aws cloudtrail describe-trails• Identify Multi region Cloudtrails: Trails with 'IsMultiRegionTrail' set totrue• From value associated with CloudWatchLogsLogGroupArn noteExample: for CloudWatchLogsLogGroupArn that looks likearn:aws:logs:::log-group:NewGroup:*, would be NewGroup• Ensure Identified Multi region CloudTrail is activeaws cloudtrail get-trail-status --name ensure IsLogging is set to TRUE• Ensure identified Multi-region Cloudtrail captures all Management Eventsaws cloudtrail get-event-selectors --trail-name Ensure there is at least one Event Selector for a Trail with IncludeManagementEvents setto true and ReadWriteType set to All2. Get a list of all associated metric filters for this :aws logs describe-metric-filters --log-group-name''3. Ensure the output from the above command contains the following:'filterPattern': '{($.eventSource = ec2.amazonaws.com) && ($.eventName =CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName =ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName= DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName =DisassociateRouteTable) }'4. Note the  value associated with thefilterPattern found in step 3.5. Get a list of CloudWatch alarms and filter on the captured in step 4.aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName==``]'6. Note the AlarmActions value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topicaws sns list-subscriptions-by-topic --topic-arn at least one subscription should have 'SubscriptionArn' with valid aws ARN.Example of valid 'SubscriptionArn':'arn:aws:sns::::'","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. 
CloudTrail Logs can also be sent to an external Security informationand event management (SIEM) environment for monitoring and alerting.Monitoring changes to route tables will help ensure that all VPC traffic flows through anexpected path and prevent any accidental or intentional modifications that may lead touncontrolled network traffic. An alarm should be triggered every time an AWS API call isperformed to create, replace, delete, or disassociate a Route Table.","RemediationProcedure": "If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription: 1. Create a metric filter based on filter pattern provided which checks for route table changes and the  taken from audit step 1. aws logs put-metric-filter --log-group-name  -- filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together. 2. Create an SNS topic that the alarm will notify aws sns create-topic --name  Note: you can execute this command once and then re-use the same topic for all monitoring alarms. 3. Create an SNS subscription to the topic created in step 2 aws sns subscribe --topic-arn  --protocol  - -notification-endpoint  Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms. 4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 - -threshold 1 --comparison-operator GreaterThanOrEqualToThreshold -- evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions ","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure route table changes are monitored","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.14": {"name": "4.14","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for VPC changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.15": {"name": "4.15","checks": {"cloudwatch_log_metric_filter_aws_organizations_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.","DefaultValue": null,"AuditProcedure": "1. 
Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured: - Identify the log group name configured for use with active multi-region CloudTrail: - List all CloudTrails:``` aws cloudtrail describe-trails ``` - Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true - From value associated with CloudWatchLogsLogGroupArn note **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active: ``` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events: ``` aws cloudtrail get-event-selectors --trail-name  ``` - Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.2. Get a list of all associated metric filters for this : ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\" ``` 4. 
Note the `` value associated with the filterPattern found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4: ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the AlarmActions value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic: ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. Example of valid \"SubscriptionArn\":``` \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `` taken from audit step 1: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }' ``` **Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify: ``` aws sns create-topic --name  ``` **Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2: ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2: ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": ""}],"description": "Ensure a log metric filter and alarm exists for AWS Organizations changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.16": {"name": "4.16","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-get-started.html:https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-api:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/enable-security-hub.html","Description": "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.","DefaultValue": null,"AuditProcedure": "The process to evaluate AWS Security Hub configuration per region **From Console:**1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. 2. On the top right of the console, select the target Region. 3. If presented with the Security Hub > Summary page then Security Hub is set-up for the selected region. 4. 
If presented with Setup Security Hub or Get Started With Security Hub - follow the online instructions. 5. Repeat steps 2 to 4 for each region.","ImpactStatement": "It is recommended AWS Security Hub be enabled in all regions. AWS Security Hub requires AWS Config to be enabled.","AssessmentStatus": "Automated","RationaleStatement": "AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices - enabling you to quickly assess the security posture across your AWS accounts.","RemediationProcedure": "To grant the permissions required to enable Security Hub, attach the Security Hub managed policy AWSSecurityHubFullAccess to an IAM user, group, or role.Enabling Security Hub**From Console:**1. Use the credentials of the IAM identity to sign in to the Security Hub console. 2. When you open the Security Hub console for the first time, choose Enable AWS Security Hub. 3. On the welcome page, Security standards list the security standards that Security Hub supports. 4. Choose Enable Security Hub.**From Command Line:**1. Run the enable-security-hub command. To enable the default standards, include `--enable-default-standards`. ``` aws securityhub enable-security-hub --enable-default-standards ```2. To enable the security hub without the default standards, include `--no-enable-default-standards`. ``` aws securityhub enable-security-hub --no-enable-default-standards ```","AdditionalInformation": ""}],"description": "Ensure AWS Security Hub is enabled","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.1": {"name": "2.1.1","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "2.1. 
Simple Storage Service (S3)","References": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html","Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.","DefaultValue": null,"AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions', then Click on `Bucket Policy`. 4. Ensure that a policy is listed that matches: ``` '{\"Sid\": ,\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}' ``` `` and `` will be specific to your account5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets``` aws s3 ls ``` 2. Using the list of buckets run this command on each of them: ``` aws s3api get-bucket-policy --bucket  | grep aws:SecureTransport ``` 3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false` 4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. 
To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions'. 4. Click 'Bucket Policy' 5. Add this to the existing policy filling in the required information ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 6. Save 7. Repeat for all the buckets in your AWS account that contain sensitive data.**From Console** using AWS Policy Generator:1. Repeat steps 1-4 above. 2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor 3. Select Policy Type `S3 Bucket Policy` 4. Add Statements - `Effect` = Deny - `Principal` = * - `AWS Service` = Amazon S3 - `Actions` = * - `Amazon Resource Name` =  5. Generate Policy 6. Copy the text and add it to the Bucket Policy.**From Command Line:**1. Export the bucket policy to a json file. ``` aws s3api get-bucket-policy --bucket  --query Policy --output text > policy.json ```2. Modify the policy.json file by adding in this statement: ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 3. 
Apply this modified policy back to the S3 bucket: ``` aws s3api put-bucket-policy --bucket  --policy file://policy.json ```","AdditionalInformation": ""}],"description": "Ensure S3 Bucket Policy is set to deny HTTP requests","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.2": {"name": "2.1.2","checks": {"s3_bucket_no_mfa_delete": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html","Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","DefaultValue": null,"AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket**From Console:**1. Login to the S3 console at `https://console.aws.amazon.com/s3/`2. Click the `Check` box next to the Bucket name you want to confirm3. In the window under `Properties`4. Confirm that Versioning is `Enabled`5. Confirm that MFA Delete is `Enabled`**From Command Line:**1. 
Run the `get-bucket-versioning` ``` aws s3api get-bucket-versioning --bucket my-bucket ```Output example: ```  EnabledEnabled ```If the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.","RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.Note: -You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API. -You must use your 'root' account to enable MFA Delete on S3 buckets.**From Command line:**1. Run the s3api put-bucket-versioning command``` aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” ```","AdditionalInformation": ""}],"description": "Ensure MFA Delete is enabled on S3 buckets","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.3": {"name": "2.1.3","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. Simple Storage Service (S3)","References": "https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html","Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. 
Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.","DefaultValue": null,"AuditProcedure": "Perform the following steps to determine if Macie is running:**From Console:** 1. Login to the Macie console at https://console.aws.amazon.com/macie/ 2. In the left hand pane click on By job under findings. 3. Confirm that you have a Job setup for your S3 BucketsWhen you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.","ImpactStatement": "There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.","AssessmentStatus": "Manual","RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.","RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie**From Console:**1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`2. Click `Get started`.3. Click `Enable Macie`.Setup a repository for sensitive data discovery results1. In the Left pane, under Settings, click `Discovery results`.2. Make sure `Create bucket` is selected.3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.4. Click on `Advanced`.5. Block all public access, make sure `Yes` is selected.6. 
KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.7. Click on `Save`Create a job to discover sensitive data1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.2. Select the `check box` for each bucket that you want Macie to analyze as part of the job3. Click `Create job`.3. Click `Quick create`.4. For the Name and description step, enter a name and, optionally, a description of the job.5. Then click `Next`.6. For the Review and create step, click `Submit`.Review your findings1. In the left pane, click `Findings`.2. To view the details of a specific finding, choose any field other than the check box for the finding.If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.","AdditionalInformation": ""}],"description": "Ensure all data in Amazon S3 has been discovered, classified and secured when required.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.4": {"name": "2.1.4","checks": {"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html","Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. 
While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.","DefaultValue": null,"AuditProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Ensure that block public access settings are set appropriately for this bucket 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Find the public access setting on that bucket ``` aws s3api get-public-access-block --bucket  ``` Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"BlockPublicAcls\": true,\"IgnorePublicAcls\": true,\"BlockPublicPolicy\": true,\"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.**If utilizing Block Public Access (account settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block public access (account settings)` 3. 
Ensure that block public access settings are set appropriately for your AWS account.**From Command Line:**To check Public access settings for this account status, run the following command, `aws s3control get-public-access-block --account-id  --region `Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"IgnorePublicAcls\": true, \"BlockPublicPolicy\": true, \"BlockPublicAcls\": true, \"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.","ImpactStatement": "When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.","AssessmentStatus": "Automated","RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s). Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.","RemediationProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Click 'Block all public access' 5. Repeat for all the buckets in your AWS account that contain sensitive data.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. 
Set the Block Public Access to true on that bucket ``` aws s3api put-public-access-block --bucket  --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\" ```**If utilizing Block Public Access (account settings)****From Console:**If the output reads `true` for the separate configuration settings then it is set on the account.1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block Public Access (account settings)` 3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account 4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons. 5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.**From Command Line:**To set Block Public access settings for this account, run the following command: ``` aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id  ```","AdditionalInformation": ""}],"description": "Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.2.1": {"name": "2.2.1","checks": {"ec2_ebs_volume_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.2. Elastic Compute Cloud (EC2)","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html:https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/","Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 get-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Review every region in-use.**Note:** EBS volume encryption is configured per region.","ImpactStatement": "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption` 6. Repeat for every region requiring the change.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 enable-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Repeat every region requiring the change.**Note:** EBS volume encryption is configured per region.","AdditionalInformation": "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are **not** converted automatically."}],"description": "Ensure EBS Volume Encryption is Enabled in all Regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.1": {"name": "2.3.1","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html:https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/#:~:text=With%20RDS%2Dencrypted%20resources%2C%20data,transparent%20to%20your%20database%20engine.:https://aws.amazon.com/rds/features/security/","Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/ 2. In the navigation pane, under RDS dashboard, click `Databases`. 3. Select the RDS Instance that you want to examine 4. Click `Instance Name` to see details, then click on `Configuration` tab. 5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status. 6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance. 7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region. 8. Change region from the top of the navigation bar and repeat audit for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. 
Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ``` 3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance. 4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases` 3. Select the Database instance that needs to be encrypted. 4. Click on `Actions` button placed at the top right and select `Take Snapshot`. 5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`. 6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu. 7. On the Make Copy of DB Snapshot page, perform the following:- In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`. - Check `Copy Tags`, New snapshot must have the same tags as the source snapshot. 
- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot. 9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance. 10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field. 11. Review the instance configuration details and click `Restore DB Instance`. 12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name. ``` aws rds create-db-snapshot --region  --db-snapshot-identifier  --db-instance-identifier  ``` 3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key. ``` aws kms list-aliases --region  ``` 4. 
Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`. ``` aws rds copy-db-snapshot --region  --source-db-snapshot-identifier  --target-db-snapshot-identifier  --copy-tags --kms-key-id  ``` 5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration. ``` aws rds restore-db-instance-from-db-snapshot --region  --db-instance-identifier  --db-snapshot-identifier  ``` 6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ```","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for RDS Instances","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.3.2": {"name": "2.3.2","checks": {"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to examine. 4. Click on the `Maintenance and backups` panel. 5. Under the `Maintenance` section, search for the Auto Minor Version Upgrade status. - If the current status is set to `Disabled`, means the feature is not set and the minor engine upgrades released will not be applied to the selected RDS instance**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run again `describe-db-instances` command using the RDS instance identifier returned earlier to determine the Auto Minor Version Upgrade status for the selected instance: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 4. The command output should return the feature current status. 
If the current status is set to `true`, the feature is enabled and the minor engine upgrades will be applied to the selected RDS instance.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS RDS will occasionally deprecate minor engine versions and provide new ones for an upgrade. When the last version number within the release is replaced, the version changed is considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades will occur automatically during the specified maintenance window so your RDS instances can get the new features, bug fixes, and security patches for their database engines.","RemediationProcedure": "**From Console:**1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to update. 4. Click on the `Modify` button placed on the top right side. 5. On the `Modify DB Instance: ` page, In the `Maintenance` section, select `Auto minor version upgrade` click on the `Yes` radio button. 6. At the bottom of the page click on `Continue`, check to Apply Immediately to apply the changes immediately, or select `Apply during the next scheduled maintenance window` to avoid any downtime. 7. Review the changes and click on `Modify DB Instance`. The instance status should change from available to modifying and back to available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should change to `Yes`.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database instance names, available in the selected AWS region: ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. 
Run the `modify-db-instance` command to modify the selected RDS instance configuration this command will apply the changes immediately, Remove `--apply-immediately` to apply changes during the next scheduled maintenance window and avoid any downtime: ``` aws rds modify-db-instance --region  --db-instance-identifier  --auto-minor-version-upgrade --apply-immediately ``` 4. The command output should reveal the new configuration metadata for the RDS instance and check `AutoMinorVersionUpgrade` parameter value. 5. Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has been successfully enable: ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 6. The command output should return the feature current status set to `true`, the feature is `enabled` and the minor engine upgrades will be applied to the selected RDS instance.","AdditionalInformation": ""}],"description": "Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.3": {"name": "2.3.3","checks": {"rds_instance_no_public_access": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.3. Relational Database Service (RDS)","References": "1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html:https://aws.amazon.com/rds/faqs/","Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to anypublicly accessible RDS database instance, you must disable the database PubliclyAccessible flag and update the VPC security group associated with the instance","DefaultValue": null,"AuditProcedure": "From Console: 1. 
Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click Databases. 3. Select the RDS instance that you want to examine. 4. Click Instance Name from the dashboard, Under `Connectivity and Security. 5. On the Security, check if the Publicly Accessible flag status is set to Yes, follow the below-mentioned steps to check database subnet access. • In the networking section, click the subnet link available under Subnets • The link will redirect you to the VPC Subnets page. • Select the subnet listed on the page and click the Route Table tab from the dashboard bottom panel. If the route table contains any entries with the destination CIDR block set to 0.0.0.0/0 and with an Internet Gateway attached. • The selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and can be accessible from the Internet. 6. Repeat steps no. 4 and 5 to determine the type (public or private) and subnet for other RDS database instances provisioned in the current region. 7. Change the AWS region from the navigation bar and repeat the audit process for other regions. From Command Line: 1. Run describe-db-instances command to list all RDS database names, available in the selected AWS region: aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' 2. The command output should return each database instance identifier. 3. Run again describe-db-instances command using the PubliclyAccessible parameter as query filter to reveal the database instance Publicly Accessible flag status: aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].PubliclyAccessible' 4. Check for the Publicly Accessible parameter status, If the Publicly Accessible flag is set to Yes. 
Then selected RDS database instance is publicly accessible and insecure, follow the below-mentioned steps to check database subnet access 5. Run again describe-db-instances command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC subnet(s) associated with the selected instance: aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.Subnets[]' • The command output should list the subnets available in the selected database subnet group. 6. Run describe-route-tables command using the ID of the subnet returned at the previous step to describe the routes of the VPC route table associated with the selected subnet: aws ec2 describe-route-tables --region  --filters 'Name=association.subnet-id,Values=' --query 'RouteTables[*].Routes[]' • If the command returns the route table associated with database instance subnet ID. Check the GatewayId and DestinationCidrBlock attributes values returned in the output. If the route table contains any entries with the GatewayId value set to igw-xxxxxxxx and the DestinationCidrBlock value set to 0.0.0.0/0, the selected RDS database instance was provisioned inside a public subnet. • Or • If the command returns empty results, the route table is implicitly associated with subnet, therefore the audit process continues with the next step 7. Run again describe-db-instances command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC ID associated with the selected instance: aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].DBSubnetGroup.VpcId' • The command output should show the VPC ID in the selected database subnet group 8. 
Now run describe-route-tables command using the ID of the VPC returned at the previous step to describe the routes of the VPC main route table implicitly associated with the selected subnet: aws ec2 describe-route-tables --region  --filters 'Name=vpc- id,Values=' 'Name=association.main,Values=true' --query 'RouteTables[*].Routes[]' • The command output returns the VPC main route table implicitly associated with database instance subnet ID. Check the GatewayId and DestinationCidrBlock attributes values returned in the output. If the route table contains any entries with the GatewayId value set to igw-xxxxxxxx and the DestinationCidrBlock value set to 0.0.0.0/0, the selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and does not adhere to AWS security best practices.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.","RemediationProcedure": "From Console: 1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click Databases. 3. Select the RDS instance that you want to update. 4. Click Modify from the dashboard top menu. 5. On the Modify DB Instance panel, under the Connectivity section, click on Additional connectivity configuration and update the value for Publicly Accessible to Not publicly accessible to restrict public access. 
Follow the below steps to update subnet configurations: • Select the Connectivity and security tab, and click on the VPC attribute value inside the Networking section. • Select the Details tab from the VPC dashboard bottom panel and click on Route table configuration attribute value. • On the Route table details page, select the Routes tab from the dashboard bottom panel and click on Edit routes. • On the Edit routes page, update the Destination of Target which is set to igw- xxxxx and click on Save routes. 6. On the Modify DB Instance panel Click on Continue and In the Scheduling of modifications section, perform one of the following actions based on your requirements: • Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window. • Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application. 7. Repeat steps 3 to 6 for each RDS instance available in the current region. 8. Change the AWS region from the navigation bar to repeat the process for other regions. From Command Line: 1. Run describe-db-instances command to list all RDS database names identifiers, available in the selected AWS region: aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' 2. The command output should return each database instance identifier. 3. Run modify-db-instance command to modify the selected RDS instance configuration. Then use the following command to disable the Publicly Accessible flag for the selected RDS instances. This command use the apply- immediately flag. 
If you want to avoid any downtime --no-apply-immediately flag can be used: aws rds modify-db-instance --region  --db-instance-identifier  --no-publicly-accessible --apply-immediately 4. The command output should reveal the PubliclyAccessible configuration under pending values and should get applied at the specified time. 5. Updating the Internet Gateway Destination via AWS CLI is not currently supported To update information about Internet Gateway use the AWS Console Procedure. 6. Repeat steps 1 to 5 for each RDS instance provisioned in the current region. 7. Change the AWS region by using the --region filter to repeat the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that public access is not given to RDS Instance","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.4.1": {"name": "2.4.1","checks": {"efs_encryption_at_rest_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.4 Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/efs/index.html#efs","Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).","DefaultValue": null,"AuditProcedure": "**From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS) dashboard. 2. Select `File Systems` from the left navigation panel. 3. Each item on the list has a visible Encrypted field that displays data at rest encryption status. 4. Validate that this field reads `Encrypted` for all EFS file systems in all AWS regions.**From CLI:** 1. Run describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region: ``` aws efs describe-file-systems --region  --output table --query 'FileSystems[*].FileSystemId' ``` 2. 
The command output should return a table with the requested file system IDs. 3. Run describe-file-systems command using the ID of the file system that you want to examine as identifier and the necessary query filters: ``` aws efs describe-file-systems --region  --file-system-id  --query 'FileSystems[*].Encrypted' ``` 4. The command output should return the file system encryption status true or false. If the returned value is `false`, the selected AWS EFS file system is not encrypted and if the returned value is `true`, the selected AWS EFS file system is encrypted.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.","RemediationProcedure": "**It is important to note that EFS file system data at rest encryption must be turned on when creating the file system.**If an EFS file system has been created without data at rest encryption enabled then you must create another EFS file system with the correct configuration and transfer the data.**Steps to create an EFS file system with data encrypted at rest:****From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS)` dashboard. 2. Select `File Systems` from the left navigation panel. 3. Click `Create File System` button from the dashboard top menu to start the file system setup process. 4. On the `Configure file system access` configuration page, perform the following actions. - Choose the right VPC from the VPC dropdown list. - Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets. - Click `Next step` to continue.5. Perform the following on the `Configure optional settings` page. - Create `tags` to describe your new file system. - Choose `performance mode` based on your requirements. 
- Check `Enable encryption` checkbox and choose `aws/elasticfilesystem` from Select KMS master key dropdown list to enable encryption for the new file system using the default master key provided and managed by AWS KMS. - Click `Next step` to continue.6. Review the file system configuration details on the `review and create` page and then click `Create File System` to create your new AWS EFS file system. 7. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 8. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. 9. Change the AWS region from the navigation bar and repeat the entire process for other aws regions.**From CLI:** 1. Run describe-file-systems command to describe the configuration information available for the selected (unencrypted) file system (see Audit section to identify the right resource): ``` aws efs describe-file-systems --region  --file-system-id  ``` 2. The command output should return the requested configuration information. 3. To provision a new AWS EFS file system, you need to generate a universally unique identifier (UUID) in order to create the token required by the create-file-system command. To create the required token, you can use a randomly generated UUID from \"https://www.uuidgenerator.net\". 4. Run create-file-system command using the unique token created at the previous step. ``` aws efs create-file-system --region  --creation-token  --performance-mode generalPurpose --encrypted ``` 5. The command output should return the new file system configuration metadata. 6. Run create-mount-target command using the newly created EFS file system ID returned at the previous step as identifier and the ID of the Availability Zone (AZ) that will represent the mount target: ``` aws efs create-mount-target --region  --file-system-id  --subnet-id  ``` 7. The command output should return the new mount target metadata. 8. 
Now you can mount your file system from an EC2 instance. 9. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 10. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. ``` aws efs delete-file-system --region  --file-system-id  ``` 11. Change the AWS region by updating the --region and repeat the entire process for other aws regions.","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for EFS file systems","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 51,"requirements_failed": 10,"requirements_manual": 1,"total_requirements": 62,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "a349f7c9-fce3-4ac4-821a-d0c974496c2b","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "nist_800_53_revision_5_aws","framework": "NIST-800-53-Revision-5","version": "","description": "The NIST 800-53 (Rev. 5) Low-Moderate-High framework represents the security controls and the associated assessment procedures that are defined in NIST SP 800-53 Revision 5 Recommended Security Controls for Federal Information Systems and Organizations. 
For any discrepancies that are noted in the content between this NIST SP 800-53 framework and the latest published NIST Special Publication SP 800-53 Revision 5, refer to the official published documents that are available at the NIST Computer Security Resource Center.","region": "eu-west-1","requirements": {"ac_3": {"name": "Access Enforcement (AC-3)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"ec2_instance_profile_attached": "PASS","rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","checks_status": {"fail": 1,"pass": 7,"total": 21,"manual": 0}},"ac_4": {"name": "Information Flow Enforcement (AC-4)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4","Section": "Access 
Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"ac_6": {"name": "Least Privilege (AC-6)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_6","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.","checks_status": {"fail": 1,"pass": 6,"total": 21,"manual": 0}},"ca_7": {"name": "Continuous Monitoring (CA-7)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": 
null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_7","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Continuously monitor configuration management processes. Determine security impact, environment and operational risks.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"cm_6": {"name": "Configuration Settings (CM-6)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_6","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"ia_2": {"name": "Identification and Authentication (Organizational users) (IA-2)","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": null}],"description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5": {"name": "Authenticator Management (IA-5)","checks": {"iam_password_policy_minimum_length_14": 
null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5","Section": "Identification and Authentication (IA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp_2": {"name": "Media Access (MP-2)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "mp_2","Section": "Media Protection (MP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].","checks_status": {"fail": 1,"pass": 6,"total": 21,"manual": 0}},"sc_6": {"name": "Resource Availability (SC-6)","checks": {"rds_instance_multi_az": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_6","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": 
"Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc_8": {"name": "Transmission Confidentiality And Integrity (SC-8)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"ac_24": {"name": "Access Control Decisions (AC-24)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_24","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"au_10": 
{"name": "Non-Repudiation (AU-10)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_10","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].","checks_status": {"fail": 6,"pass": 2,"total": 13,"manual": 0}},"au_11": {"name": "Audit Record Retention (AU-11)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_11","Section": "Audit and Accountability (AU)","Service": "cloudwatch","SubGroup": null,"SubSection": null}],"description": "Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_16": {"name": "Cross-Organizational Audit Logging (AU-16)","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_16","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Employ [Assignment: 
organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cp_10": {"name": "System Recovery And Reconstitution (CP-10)","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_10","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.","checks_status": {"fail": 3,"pass": 1,"total": 7,"manual": 0}},"pm_16": {"name": "Threat Awareness Program (PM-16)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "pm_16","Section": "Program Management (PM)","Service": "guarduty","SubGroup": null,"SubSection": null}],"description": "Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"pm_31": {"name": "Continuous Monitoring Strategy (PM-31)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": 
null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pm_31","Section": "Program Management (PM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. 
Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"sc_12": {"name": "Cryptographic Key Establishment And Management (SC-12)","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_12","Section": "System and Communications Protection (SC)","Service": "kms","SubGroup": null,"SubSection": null}],"description": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"sc_22": {"name": "Architecture And Provisioning For Name/Address Resolution Service (SC-22)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_22","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"sc_23": {"name": "Session Authenticity (SC-23)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_23","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Protect the authenticity of 
communications sessions.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"sc_25": {"name": "Thin Nodes (SC-25)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_25","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components].","checks_status": {"fail": 1,"pass": 5,"total": 17,"manual": 0}},"sc_36": {"name": "Distributed Processing And Storage (SC-36)","checks": {"rds_instance_multi_az": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_36","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"si_12": {"name": "Information Management and Retention (SI-12)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": 
"FAIL","attributes": [{"Type": null,"ItemId": "si_12","Section": "System and Information integrity (SI)","Service": "cloudwatch","SubGroup": null,"SubSection": null}],"description": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ac_2_1": {"name": "AC-2(1) Automated System Account Management","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_2_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Support the management of system accounts using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 1,"pass": 0,"total": 14,"manual": 0}},"ac_2_3": {"name": "AC-2(3) Disable Accounts","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer 
associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period].","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_2_4": {"name": "AC-2(4) Automated Audit Actions","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_2_4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Automatically audit account creation, modification, enabling, disabling, and removal actions.","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"ac_2_6": {"name": "AC-2(6) Dynamic Privilege Management","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"ac_2_6","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "Implement [Assignment: organization-defined dynamic privilege management capabilities].","checks_status": {"fail": 1,"pass": 6,"total": 21,"manual": 0}},"ac_2_g": {"name": "AC-2(g)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_g","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: g. Monitors the use of information system accounts.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ac_2_j": {"name": "AC-2(j)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_j","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: j. 
Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency].","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ac_3_1": {"name": "AC-3(1) Restricted Access To Privileged Functions","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"ac_3_2": {"name": "AC-3(2) Dual Authorization","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_3_2","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ac_3_3": {"name": "AC-3(3) Mandatory Access Control","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": 
null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4": {"name": "AC-3(4) Discretionary Access Control","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": 
null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_7": {"name": "AC-3(7) Role-Based Access Control","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": 
null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_7","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].","checks_status": {"fail": 1,"pass": 6,"total": 21,"manual": 0}},"ac_3_8": {"name": "AC-3(8) Revocation Of Access Authorizations","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_8","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_5_b": {"name": "AC-5(b)","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": 
null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_5_b","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Separation Of Duties (AC-5)"}],"description": "Define system access authorizations to support separation of duties.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_6_2": {"name": "AC-6(2)","checks": {"iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_6_2","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ac_6_3": {"name": "AC-6(3)","checks": {"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_6_3","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ac_6_9": {"name": "AC-6(9)","checks": {"redshift_cluster_audit_logging": 
null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_6_9","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "Log the execution of privileged functions.","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"ac_7_4": {"name": "AC-7(4) Use Of Alternate Authentication Factor","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_7_4","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Unsuccessful Logon Attempts (AC-7)"}],"description": "Prevent non-privileged users from executing privileged functions.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"au_2_b": {"name": "AU-2(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_2_b","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Event Logging (AU-2)"}],"description": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection 
criteria for events to be logged.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_1": {"name": "AU-3(1) Additional Audit Information","checks": {"guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "au_3_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Generate audit records containing the following additional information: [Assignment: organization-defined additional information].","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"au_3_a": {"name": "AU-3(a)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_a","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: a. 
What type of event occurred.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_b": {"name": "AU-3(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_b","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: b. When the event occurred.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_c": {"name": "AU-3(c)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_c","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: c. 
Where the event occurred.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_d": {"name": "AU-3(d)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_d","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: d. Source of the event.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_e": {"name": "AU-3(e)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_e","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: e. 
Outcome of the event.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_3_f": {"name": "AU-3(f)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_3_f","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Content of Audit Records (AU-3)"}],"description": "Ensure that audit records contain information that establishes the following: e. Outcome of the event.","checks_status": {"fail": 5,"pass": 2,"total": 11,"manual": 0}},"au_4_1": {"name": "AU-4(1) Transfer To Alternate Storage","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_4_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Log Stprage Capacity (AU-4)"}],"description": "Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_6_1": {"name": "AU-6(1) Automated Process Integration","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"au_6_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"au_6_3": {"name": "AU-6(3) Correlate Audit Record Repositories","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_6_4": {"name": "AU-6(4) Central Review And Analysis","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": 
"FAIL","attributes": [{"Type": null,"ItemId": "au_6_4","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_6_5": {"name": "AU-6(5) Central Review And Analysis","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_5","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"au_6_6": {"name": "AU-6(6) Correletion With Physical Monitoring","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": 
"FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_6","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_6_9": {"name": "AU-6(9) Correletion With From Nontechnical Sources","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_6_9","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Review, Analysis And Reporting (AU-6)"}],"description": "Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_7_1": {"name": "AU-7(1) Automatic Processing","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_7_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Reduction And Report Generation (AU-7)"}],"description": "Provide and implement the capability to process, 
sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_8_b": {"name": "AU-8(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_8_b","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Time Stamps (AU-8)"}],"description": "Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_9_2": {"name": "AU-9(2) Store On Separate Physical Systems Or Components","checks": {"s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_9_2","Section": "Audit and Accountability (AU)","Service": "s3","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_9_3": {"name": "AU-9(3) Cryptographic Protection","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": 
"PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_9_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.","checks_status": {"fail": 8,"pass": 3,"total": 17,"manual": 0}},"au_9_7": {"name": "AU-9(7) Store On Component With Different Operation Systems","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_9_7","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "Store audit information on a component running a different operating system than the system or component being audited.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au_9_a": {"name": "AU-9(a)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_9_a","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "Protect audit information and audit logging tools from unauthorized access, 
modification, and deletion.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ca_2_2": {"name": "CA-2(2) Specialized Assessments","checks": {"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_2_2","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": null,"SubSection": "Control Assessments (CA-2)"}],"description": "Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]].","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"ca_2_d": {"name": "CA-2(d)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ca_2_d","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": null,"SubSection": "Control Assessments (CA-2)"}],"description": "Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements.","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"ca_7_b": {"name": "CA-7(b)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": 
"PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_7_b","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": null,"SubSection": "Continuous Monitoring (CA-7)"}],"description": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. 
Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness.","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"ca_9_b": {"name": "CA-9(b)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_9_b","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": null,"SubSection": "Internal System Connections (CA-9)"}],"description": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_2_2": {"name": "CM-2(2) Automation Support For Accuracy And Currency","checks": {"elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Baseline Configuration (CM-2)"}],"description": "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 5,"pass": 0,"total": 5,"manual": 0}},"cm_2_a": {"name": "CM-2(a)","checks": {"elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_a","Section": "Configuration 
Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Baseline Configuration (CM-2)"}],"description": "Develop, document, and maintain under configuration control, a current baseline configuration of the system.","checks_status": {"fail": 5,"pass": 0,"total": 5,"manual": 0}},"cm_2_b": {"name": "CM-2(b)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Baseline Configuration (CM-2)"}],"description": "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_3_3": {"name": "CM-3(3) Automated Change Implementation","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_3_3","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Configuration Change Control (CM-3)"}],"description": "Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_3_a": {"name": "CM-3(a)","checks": {"elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_3_a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Configuration Change 
Control (CM-3)"}],"description": "Determine and document the types of changes to the system that are configuration-controlled.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_6_a": {"name": "CM-6(a)","checks": {"iam_root_mfa_enabled": null,"vpc_flow_logs_enabled": "FAIL","iam_no_root_access_key": null,"s3_bucket_public_access": null,"kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","iam_user_accesskey_unused": null,"ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","ec2_instance_profile_attached": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","iam_password_policy_minimum_length_14": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_6_a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Configuration Settings (CM-6)"}],"description": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common 
secure configurations].","checks_status": {"fail": 8,"pass": 6,"total": 31,"manual": 0}},"cm_7_b": {"name": "CM-7(b)","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_7_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Least Functionality (CM-7)"}],"description": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cm_8_1": {"name": "CM-8(1) Updates During Installation And Removals","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_1","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "System Component Inventory (CM-8)"}],"description": "Update the inventory of system components as part of component installations, removals, and system updates.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_2": {"name": "CM-8(2) Automated Maintenance","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "System Component Inventory (CM-8)"}],"description": "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cm_8_6": {"name": "CM-8(6) Assessed Configurations And Approved Deviations","checks": {"elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","ec2_instance_older_than_specific_days": 
"FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_6","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "System Component Inventory (CM-8)"}],"description": "Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.","checks_status": {"fail": 5,"pass": 0,"total": 5,"manual": 0}},"cm_8_a": {"name": "CM-8(a)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. 
Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability].","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_b": {"name": "CM-8(b)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "System Component Inventory (CM-8)"}],"description": "Review and update the system component inventory [Assignment: organization-defined frequency].","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_9_b": {"name": "CM-9(b)","checks": {"iam_root_mfa_enabled": null,"vpc_flow_logs_enabled": "FAIL","iam_no_root_access_key": null,"s3_bucket_public_access": null,"kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","iam_user_accesskey_unused": null,"ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","iam_password_policy_minimum_length_14": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": 
null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_9_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Configuration Management Plan (CM-9)"}],"description": "Develop, document, and implement a configuration management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items.","checks_status": {"fail": 8,"pass": 6,"total": 31,"manual": 0}},"cp_1_2": {"name": "CP-1(2)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_1_2","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Policy And Procedures (CP-1)"}],"description": "Implement transaction recovery for systems that are transaction-based.","checks_status": {"fail": 2,"pass": 1,"total": 6,"manual": 0}},"cp_2_5": {"name": "CP-2(5) Continue Mission And Business Functions","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_5","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Contingency Plan (CP-2)"}],"description": "Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of 
operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.","checks_status": {"fail": 5,"pass": 1,"total": 9,"manual": 0}},"cp_2_6": {"name": "CP-2(6) Alternate Processing And Storage Sites","checks": {"rds_instance_multi_az": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_6","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Contingency Plan (CP-2)"}],"description": "Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cp_2_a": {"name": "CP-2(a)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_a","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Contingency Plan (CP-2)"}],"description": "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. 
Is reviewed and approved by [Assignment: organization-defined personnel or roles]","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cp_2_d": {"name": "CP-2(d)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_d","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Contingency Plan (CP-2)"}],"description": "Review the contingency plan for the system [Assignment: organization-defined frequency]","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cp_2_e": {"name": "CP-2(e)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_e","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Contingency Plan (CP-2)"}],"description": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cp_6_1": {"name": "CP-6(1) Separation From Primary Site","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_6_1","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Alternate Storage Sites (CP-6)"}],"description": "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.","checks_status": {"fail": 2,"pass": 1,"total": 5,"manual": 0}},"cp_6_2": {"name": "CP-6(2) Recovery Time And Recovery Point Objectives","checks": {"rds_instance_multi_az": 
"FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_6_2","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Alternate Storage Sites (CP-6)"}],"description": "Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.","checks_status": {"fail": 3,"pass": 1,"total": 7,"manual": 0}},"cp_6_a": {"name": "CP-6(a)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_6_a","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Alternate Storage Sites (CP-6)"}],"description": "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information.","checks_status": {"fail": 2,"pass": 1,"total": 5,"manual": 0}},"cp_9_8": {"name": "CP-9(8) Cryptographic Protection","checks": {"s3_bucket_default_encryption": "PASS","rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9_8","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Backup (CP-9)"}],"description": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information].","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"cp_9_a": {"name": "CP-9(a)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": 
null,"redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9_a","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Backup (CP-9)"}],"description": "Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"cp_9_b": {"name": "CP-9(b)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null,"redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9_b","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Backup (CP-9)"}],"description": "Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"cp_9_c": {"name": "CP-9(c)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null,"redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9_c","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Backup (CP-9)"}],"description": "Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"cp_9_d": {"name": 
"CP-9(d)","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_9_d","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Backup (CP-9)"}],"description": "Protect the confidentiality, integrity, and availability of backup information.","checks_status": {"fail": 5,"pass": 3,"total": 13,"manual": 0}},"ia_2_1": {"name": "IA-2(1) Multi-Factor Authentication To Privileged Accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_1","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "Implement multi-factor authentication for access to privileged accounts.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_2_2": {"name": "IA-2(2) Multi-Factor Authentication To Non-Privileged Accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_2","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "Implement multi-factor authentication for access to non-privileged accounts.","checks_status": 
{"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_2_6": {"name": "IA-2(6) Acces To Accounts — Separate Device","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_6","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements].","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_2_8": {"name": "IA-2(8) Access To Accounts — Replay Resistant","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_8","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts].","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_4_4": {"name": "IA-4(4)","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_4_4","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identifier Management (IA-4)"}],"description": "Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual 
status].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_4_8": {"name": "IA-4(8)","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_4_8","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identifier Management (IA-4)"}],"description": "Generate pairwise pseudonymous identifiers.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_4_b": {"name": "IA-4(b)","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_4_b","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identifier Management (IA-4)"}],"description": "Manage system identifiers by: b. Selecting an identifier that identifies an individual, group, role, service, or device.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_4_d": {"name": "IA-4(d)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_4_d","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identifier Management (IA-4)"}],"description": "Manage system identifiers by: d. 
Preventing reuse of identifiers for [Assignment: organization-defined time period].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_8": {"name": "IA-5(8) Multiple System Accounts","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_8","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": null}],"description": "Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_b": {"name": "IA-5(b)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_b","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "Manage system authenticators by: b. Establishing initial authenticator content for any authenticators issued by the organization.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_c": {"name": "IA-5(c)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_c","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "Manage system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_d": {"name": "IA-5(d)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_d","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "Manage system authenticators by: d. 
Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_f": {"name": "IA-5(f)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_f","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "Manage system authenticators by: f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_h": {"name": "IA-5(h)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_h","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "Manage system authenticators by: h. 
Requiring individuals to take, and having devices implement, specific controls to protect authenticators.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ir_4_a": {"name": "IR-4(a)","checks": {"guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir_4_a","Section": "Incident Response (IR)","Service": "guarduty","SubGroup": null,"SubSection": "Incident Handling (IR-4)"}],"description": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ma_4_c": {"name": "MA-4(c)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ma_4_c","Section": "Maintenance (MA)","Service": "iam","SubGroup": null,"SubSection": "Nonlocal Maintenance (MA-4)"}],"description": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"pe_6_2": {"name": "PE-6(2) Monitoring Physical Access","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "pe_6_2","Section": "Physical And Environmental Protection (PE)","Service": "guarduty","SubGroup": null,"SubSection": "Monitoring Physical Access (PE-6)"}],"description": "Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"pe_6_4": {"name": "PE-6(4) Monitoring Physical Access","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "pe_6_4","Section": "Physical And Environmental Protection (PE)","Service": 
"guarduty","SubGroup": null,"SubSection": "Monitoring Physical Access (PE-6)"}],"description": "Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_1_a": {"name": "RA-1(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_1_a","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Policy And Procedures (RA-1)"}],"description": "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_3_4": {"name": "RA-3(4) Predictive Cyber Analytics","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_3_4","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Risk Assessment (RA-3)"}],"description": "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_5_4": {"name": "RA-5(4) Discoverable Information","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_5_4","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Vulnerability Monitoring And Scanning (RA-5)"}],"description": "Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions].","checks_status": {"fail": 0,"pass": 1,"total": 
1,"manual": 0}},"ra_5_a": {"name": "RA-5(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_5_a","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Vulnerability Monitoring And Scanning (RA-5)"}],"description": "Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sa_1_1": {"name": "SA-1(1)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa_1_1","Section": "System and Services Acquisition (SA)","Service": "cloudtrail","SubGroup": null,"SubSection": "Policy And Procedures (SA-1)"}],"description": "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sa_9_6": {"name": "SA-9(6) Organization-Controlled Cryptographic Keys","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sa_9_6","Section": "System and Services Acquisition (SA)","Service": "kms","SubGroup": null,"SubSection": "External System Services (SA-9)"}],"description": "Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"sc_5_1": {"name": "SC-5(1) Restrict Ability TO Attack Other Systems","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_5_1","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Denial Of Service Protection 
(SC-5)"}],"description": "Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_5_2": {"name": "SC-5(2) Capacity, Bandwidth, And Redundancy","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null,"redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_5_2","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Denial Of Service Protection (SC-5)"}],"description": "Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.","checks_status": {"fail": 5,"pass": 1,"total": 10,"manual": 0}},"sc_5_a": {"name": "SC-5(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_5_a","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Denial Of Service Protection (SC-5)"}],"description": "[Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_5_b": {"name": "SC-5(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_5_b","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Denial Of Service Protection (SC-5)"}],"description": "Employ the following controls to achieve the denial-of-service 
objective: [Assignment: organization-defined controls by type of denial-of-service event].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_7_2": {"name": "SC-7(2) Public Access","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_2","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.","checks_status": {"fail": 1,"pass": 5,"total": 13,"manual": 0}},"sc_7_3": {"name": "SC-7(3) Access Points","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_3","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Limit the number of external network connections to 
the system.","checks_status": {"fail": 1,"pass": 5,"total": 13,"manual": 0}},"sc_7_5": {"name": "SC-7(5) Deny By Default — Allow By Exception","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_5","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]].","checks_status": {"fail": 5,"pass": 0,"total": 6,"manual": 0}},"sc_7_7": {"name": "SC-7(7) Split Tunneling For Remote Devices","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_7","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards].","checks_status": 
{"fail": 3,"pass": 5,"total": 16,"manual": 0}},"sc_7_a": {"name": "SC-7(a)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_a","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"sc_7_b": {"name": "SC-7(b)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_b","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Implement 
subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks.","checks_status": {"fail": 1,"pass": 5,"total": 13,"manual": 0}},"sc_7_c": {"name": "SC-7(c)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_c","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"sc_8_1": {"name": "SC-8(1) Cryptographic Protection","checks": {"elb_ssl_listeners": "FAIL","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_1","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity (SC-8)"}],"description": "Implement cryptographic mechanisms to 
[Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.","checks_status": {"fail": 3,"pass": 1,"total": 5,"manual": 0}},"sc_8_2": {"name": "SC-8(2) Pre- And Post-Transmission Handling","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_2","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity (SC-8)"}],"description": "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"sc_8_3": {"name": "SC-8(3) Cryptographic Protection For Message Externals","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_3","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity (SC-8)"}],"description": "Implement cryptographic 
mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls].","checks_status": {"fail": 8,"pass": 3,"total": 18,"manual": 0}},"sc_8_4": {"name": "SC-8(4) Conceal Or Ramdomize Communications","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_4","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity (SC-8)"}],"description": "Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls].","checks_status": {"fail": 8,"pass": 3,"total": 18,"manual": 0}},"sc_8_5": {"name": "SC-8(5) Protected Distribution System","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_8_5","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Confidentiality And Integrity 
(SC-8)"}],"description": "Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"si_2_2": {"name": "SI-2(2) Automated Flaw Remediation Status","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_2_2","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"si_2_5": {"name": "SI-2(5) Automatic Software And Firmware Updated","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_2_5","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"si_2_a": {"name": "SI-2(a)","checks": {"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_2_a","Section": "System and Information integrity 
(SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "Identify, report, and correct system flaws.","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"si_2_c": {"name": "SI-2(c)","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_2_c","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"si_2_d": {"name": "SI-2(d)","checks": {"ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_2_d","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "Incorporate flaw remediation into the organizational configuration management process.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"si_4_1": {"name": "SI-4(1) System-Wide Intrusion Detection System","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_1","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_2": {"name": "SI-4(2) Automated Tools For Real-Time Analysis","checks": {"guardduty_is_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": 
"FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_2","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]. Employ automated tools and mechanisms to support near real-time analysis of events.","checks_status": {"fail": 3,"pass": 2,"total": 9,"manual": 0}},"si_4_3": {"name": "SI-4(3) Automated Tools And Mechanism Integration","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_3","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_a": {"name": "SI-4(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_a","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. 
Unauthorized local, network, and remote connections.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_b": {"name": "SI-4(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_b","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_c": {"name": "SI-4(c)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_c","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. 
At ad hoc locations within the system to track specific types of transactions of interest to the organization.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_d": {"name": "SI-4(d)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_d","Section": "System and Information integrity (SI)","Service": "cloudtrail","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Analyze detected events and anomalies.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"si_5_1": {"name": "SI-5(1) Automated Alerts And Advisories","checks": {"guardduty_is_enabled": "PASS","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_5_1","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Secuity Alerts, Advisories, And Directives (SI-5)"}],"description": "Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 0,"pass": 1,"total": 5,"manual": 0}},"si_5_b": {"name": "SI-5(b)","checks": {"guardduty_is_enabled": "PASS","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_5_b","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Secuity Alerts, Advisories, And Directives (SI-5)"}],"description": "Generate internal security alerts, advisories, and directives as deemed 
necessary.","checks_status": {"fail": 0,"pass": 1,"total": 5,"manual": 0}},"si_7_1": {"name": "SI-7(1) Integrity Checks","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_1","Section": "System and Information integrity (SI)","Service": "cloudtrail","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"si_7_3": {"name": "SI-7(3) Centrally Managed Integrity Tools","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_3","Section": "System and Information integrity (SI)","Service": "cloudtrail","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "Employ centrally managed integrity verification tools.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"si_7_7": {"name": "SI-7(7) Integration Of Detection And Response","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_7","Section": "System and Information integrity (SI)","Service": "cloudtrail","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"si_7_8": {"name": "SI-7(8) Auditing Capability For Significant Events","checks": {"elb_logging_enabled": 
"FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_8","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"si_7_a": {"name": "SI-7(a)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_7_a","Section": "System and Information integrity (SI)","Service": "cloudtrail","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ac_16_b": {"name": "AC-16(b)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_16_b","Section": "Access Control (AC)","Service": "cloudwatch","SubGroup": null,"SubSection": "Security And Privacy Attributes (AC-16)"}],"description": "Ensure that the attribute 
associations are made and retained with the information.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ac_17_1": {"name": "AC-17(1) Monitoring And Control","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "Employ automated mechanisms to monitor and control remote access methods.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"ac_17_2": {"name": "AC-17(2) Protection Of Confidentiality And Integrity Using Encryption","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_2","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ac_17_9": {"name": "AC-17(9) Disconnect Or Disable Access","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": 
null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_9","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"ac_17_b": {"name": "AC-17(b)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_b","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "Authorize each type of remote access to the system prior to allowing such 
connections.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"ac_24_1": {"name": "AC-24(1)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_24_1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Control Decisions (AC-24)"}],"description": "Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"ac_3_10": {"name": "AC-3(10) Audited Override Of Access Control Mechanisms","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_10","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Employ an audited override of automated access mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"ac_3_13": {"name": "AC-3(13) Attribute-Based Access Control","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": 
null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_13","Section": "Access Control (AC)","Service": "guarduty","SubGroup": null,"SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_4_21": {"name": "AC-4(21) Physical Or Logical Separation Of Infomation Flows","checks": {"ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"apigateway_restapi_waf_acl_attached": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4_21","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Information Flow Enforcement (AC-4)"}],"description": "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of 
information].","checks_status": {"fail": 5,"pass": 5,"total": 18,"manual": 0}},"ac_4_22": {"name": "AC-4(22) Access Only","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4_22","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Information Flow Enforcement (AC-4)"}],"description": "Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"ac_4_26": {"name": "AC-4(26) Audit Filtering Actions","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4_26","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Information Flow Enforcement (AC-4)"}],"description": "When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"ac_4_28": {"name": "AC-4(28) Linear Filter Pipelines","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": 
null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_4_28","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Information Flow Enforcement (AC-4)"}],"description": "When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_6_10": {"name": "AC-6(10)","checks": {"iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_6_10","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "Prevent non-privileged users from executing privileged functions.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"au_11_1": {"name": "AU-11(1) Long-Term Retrieval Capability","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_11_1","Section": "Audit and Accountability (AU)","Service": "cloudwatch","SubGroup": null,"SubSection": "Audit Record Retention (AU-11)"}],"description": "Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.","checks_status": {"fail": 
1,"pass": 0,"total": 1,"manual": 0}},"au_12_1": {"name": "AU-12(1) System-Wide And Time-Correlated Audit Trial","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Generation (AU-12)"}],"description": "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_12_2": {"name": "AU-12(2) Standardized Formats","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_2","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit 
Record Generation (AU-12)"}],"description": "Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"au_12_3": {"name": "AU-12(3) Changes By Authorized Individuals","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Generation (AU-12)"}],"description": "Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"au_12_4": {"name": "AU-12(4) Query Parameter Audits Of Personally Identifiable Information","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": 
"FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_4","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Generation (AU-12)"}],"description": "Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_12_a": {"name": "AU-12(a)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_a","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Generation (AU-12)"}],"description": "Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components].","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_12_c": {"name": "AU-12(c)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": 
"PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_12_c","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Record Generation (AU-12)"}],"description": "Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_14_3": {"name": "AU-14(3) Remote Viewing And Listening","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_14_3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Session Audit (AU-14)"}],"description": "Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au_14_a": {"name": "AU-14(a)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": 
"FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_14_a","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Session Audit (AU-14)"}],"description": "Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances].","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"au_14_b": {"name": "AU-14(b)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": 
"FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au_14_b","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Session Audit (AU-14)"}],"description": "Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"cm_12_b": {"name": "CM-12(b)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "cm_12_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Information Location (CM-12)"}],"description": "Identify and document the users who have access to the system and system components where the information is processed and stored.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"cp_10_2": {"name": "CP-10(2) Transaction Recovery","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_10_2","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "System Recovery And Reconstitution (CP-10)"}],"description": "Implement transaction recovery for systems that are transaction-based.","checks_status": {"fail": 2,"pass": 1,"total": 6,"manual": 0}},"pm_11_b": {"name": "PM-11(b)","checks": {"s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pm_11_b","Section": "Program Management (PM)","Service": "aws","SubGroup": null,"SubSection": "Mission And Business Process Defination 
(PM-11)"}],"description": "Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes.","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"pm_14_b": {"name": "PM-14(b)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pm_14_b","Section": "Program Management (PM)","Service": "aws","SubGroup": null,"SubSection": "Testing, Training, And Monitoring (PM-14)"}],"description": "Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"pm_17_b": {"name": "PM-17(b)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_object_versioning": "FAIL","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"pm_17_b","Section": "Program Management (PM)","Service": "aws","SubGroup": null,"SubSection": "Protecting Controlled Unclassified Information On External Systems (PM-17)"}],"description": "Review and update the policy and procedures [Assignment: organization-defined frequency].","checks_status": {"fail": 5,"pass": 0,"total": 6,"manual": 0}},"pm_21_b": {"name": "PM-21(b)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pm_21_b","Section": "Program Management (PM)","Service": "cloudwatch","SubGroup": null,"SubSection": "Accounting Of Disclosures (PM-21)"}],"description": "Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"ra_10_a": {"name": "RA-10(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_10_a","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Threat Hunting (RA-10)"}],"description": "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. 
Detect, track, and disrupt threats that evade existings.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sa_10_1": {"name": "SA-10(1) Software And Firmware Integrity Verification","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa_10_1","Section": "System and Services Acquisition (SA)","Service": "kms","SubGroup": null,"SubSection": "Developer Configuration Management (SA-10)"}],"description": "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc_12_2": {"name": "SC-12(2) Symmetric Keys","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_12_2","Section": "System and Communications Protection (SC)","Service": "kms","SubGroup": null,"SubSection": "Cryptographic Key Establishment And Management (SC-12)"}],"description": "Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"sc_12_6": {"name": "SC-12(6) Physical Control Of Keys","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_12_6","Section": "System and Communications Protection (SC)","Service": "kms","SubGroup": null,"SubSection": "Cryptographic Key Establishment And Management (SC-12)"}],"description": "Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"sc_13_a": {"name": "SC-13(a)","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": 
"FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_13_a","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Cryptographic Protection (SC-13)"}],"description": "Determine the [Assignment: organization-defined cryptographic uses].","checks_status": {"fail": 8,"pass": 3,"total": 18,"manual": 0}},"sc_16_1": {"name": "SC-16(1) Integrity Verification","checks": {"s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_16_1","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Of Security And Privacy Attributes (SC-16)"}],"description": "Verify the integrity of transmitted security and privacy attributes.","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"sc_23_3": {"name": "SC-23(3) Unique System-Generated Session Identifiers","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": 
null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_23_3","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Session Authenticity (SC-23)"}],"description": "Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"sc_23_5": {"name": "SC-23(5) Allowed Certificate Authorities","checks": {"elb_ssl_listeners": "FAIL","elbv2_insecure_ssl_ciphers": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_23_5","Section": "System and Communications Protection (SC)","Service": "elb","SubGroup": null,"SubSection": "Session Authenticity (SC-23)"}],"description": "Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"sc_28_1": {"name": "SC-28(1) Cryptographic Protection","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"sc_28_1","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Protection Of Information At Rest (SC-28)"}],"description": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].","checks_status": {"fail": 5,"pass": 3,"total": 14,"manual": 0}},"sc_28_2": {"name": "SC-28(2) Offline Storage","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_28_2","Section": "System and Communications Protection (SC)","Service": "cloudwatch","SubGroup": null,"SubSection": "Protection Of Information At Rest (SC-28)"}],"description": "Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc_43_b": {"name": "SC-43(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_43_b","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": null,"SubSection": "Usage Restrictions (SC-43)"}],"description": "Authorize, monitor, and control the use of such components within the system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_7_11": {"name": "SC-7(11) Restrict Incoming communications Traffic","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": 
null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_11","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"sc_7_12": {"name": "SC-7(12) Host-Based Protection","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_12","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components].","checks_status": {"fail": 3,"pass": 7,"total": 17,"manual": 0}},"sc_7_16": 
{"name": "SC-7(16) Prevent Discovery Of System Components","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_16","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Prevent the discovery of specific system components that represent a managed interface.","checks_status": {"fail": 3,"pass": 7,"total": 17,"manual": 0}},"sc_7_20": {"name": "SC-7(20) Prevent Discovery Of System Components","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_20","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection 
(SC-7)"}],"description": "Prevent the discovery of specific system components that represent a managed interface.","checks_status": {"fail": 1,"pass": 5,"total": 13,"manual": 0}},"sc_7_21": {"name": "SC-7(21) Isolation Of System Components","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_21","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"sc_7_25": {"name": "SC-7(25) Unclassified National Security System Connections","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": 
"FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_25","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].","checks_status": {"fail": 3,"pass": 5,"total": 15,"manual": 0}},"sc_7_26": {"name": "SC-7(26) Classified National Security System Connections","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_26","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device].","checks_status": {"fail": 3,"pass": 5,"total": 15,"manual": 0}},"sc_7_27": {"name": "SC-7(27) Unclassified Non-National Security System Connections","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": 
"PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_27","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].","checks_status": {"fail": 3,"pass": 5,"total": 15,"manual": 0}},"sc_7_28": {"name": "SC-7(28) Connections To Public Networks","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_28","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection 
(SC-7)"}],"description": "Prohibit the direct connection of [Assignment: organization-defined system] to a public network.","checks_status": {"fail": 3,"pass": 5,"total": 15,"manual": 0}},"si_13_5": {"name": "SI-13(5) Failover Capability","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_13_5","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Predictable Failure Prevention (SI-13)"}],"description": "Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.","checks_status": {"fail": 4,"pass": 1,"total": 8,"manual": 0}},"si_19_4": {"name": "SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_19_4","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "De-Identification (SI-19)"}],"description": "Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.","checks_status": {"fail": 4,"pass": 3,"total": 13,"manual": 0}},"si_4_10": {"name": "SI-4(10) Visibility Of Encrypted Communications","checks": {"guardduty_is_enabled": 
"PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_10","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_12": {"name": "SI-4(12) Automated Organization-Generated Alerts","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_12","Section": "System and Information integrity (SI)","Service": "cloudwatch","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts].","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"si_4_14": {"name": "SI-4(14) Wireless Intrusion Detection","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_14","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_17": {"name": "SI-4(17) Integrated Situational Awareness","checks": 
{"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_17","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.","checks_status": {"fail": 7,"pass": 2,"total": 13,"manual": 0}},"si_4_20": {"name": "SI-4(20) Privileged Users","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_4_20","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"si_4_23": {"name": "SI-4(23) Host-Based Devices","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_23","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": 
null,"SubSection": "System Monitoring (SI-4)"}],"description": "Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_25": {"name": "SI-4(25) Optimize Network Traffic Analysis","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_25","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "System Monitoring (SI-4)"}],"description": "Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ac_17_10": {"name": "AC-17(10) Authenticate Remote Commands","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_10","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 
0}},"ac_2_3_a": {"name": "AC-2(3)(a)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3_a","Section": "Access Control (AC)","Service": "iam","SubGroup": "AC-2(3) Disable Accounts","SubSection": "Account Management (AC-2)"}],"description": "Support the management of system accounts using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_2_3_b": {"name": "AC-2(3)(b)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3_b","Section": "Access Control (AC)","Service": "iam","SubGroup": "AC-2(3) Disable Accounts","SubSection": "Account Management (AC-2)"}],"description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (b) Are no longer associated with a user or individual.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_2_3_c": {"name": "AC-2(3)(c)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3_c","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-2(3) Disable Accounts","SubSection": "Account Management (AC-2)"}],"description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (c) Are in violation of organizational policy.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_2_3_d": {"name": "AC-2(3)(d)","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_3_d","Section": "Access Control 
(AC)","Service": "iam","SubGroup": "AC-2(3) Disable Accounts","SubSection": "Account Management (AC-2)"}],"description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (d) Have been inactive for [Assignment: organization-defined time period].","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac_2_d_1": {"name": "AC-2(d)(1)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_d_1","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "d. Specify: 1. Authorized users of the system;personnel termination and transfer processes.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ac_2_i_2": {"name": "AC-2(i)(2)","checks": {"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_¡_2","Section": "Access Control (AC)","Service": "iam","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "i. Authorize access to the system based on: 2. 
Intended system usage.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ac_3_3_a": {"name": "AC-3(3)(a)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_a","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_3_c": {"name": "AC-3(3)(c)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": 
null,"ItemId": "ac_3_3_c","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4_a": {"name": "AC-3(4)(a)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4_a","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(4) Discretionary Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4_b": {"name": "AC-3(4)(b)","checks": {"iam_root_mfa_enabled": 
null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4_b","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(4) Discretionary Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4_c": {"name": "AC-3(4)(c)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4_c","Section": "Access Control (AC)","Service": 
"aws","SubGroup": "AC-3(4) Discretionary Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4_d": {"name": "AC-3(4)(d)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4_d","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(4) Discretionary Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_4_e": {"name": "AC-3(4)(e)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": 
null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_4_e","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(4) Discretionary Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (e) Change the rules governing access.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_7_4_a": {"name": "AC-7(4)(a)","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_7_4_a","Section": "Access Control (AC)","Service": "iam","SubGroup": "AC-7(4) Use Of Alternate Authentication Factor","SubSection": "Unsuccessful Logon Attempts (AC-7)"}],"description": "Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"ca_7_4_c": {"name": "CA-7(4)(c)","checks": {"elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": 
"FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca_7_4_c","Section": "Assessment, Authorization, And Monitoring (CA)","Service": "aws","SubGroup": "CA-7(4) Risk Monitoring","SubSection": "Continuous Monitoring (CA-7)"}],"description": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (c) Change monitoring.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_2_b_1": {"name": "CM-2(b)(1)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_b_1","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-2(b)","SubSection": "Baseline Configuration (CM-2)"}],"description": "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency].","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_2_b_2": {"name": "CM-2(b)(2)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_b_2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-2(b)","SubSection": "Baseline Configuration (CM-2)"}],"description": "Review and update the baseline configuration of the system: 2. 
When required due to [Assignment: organization-defined circumstances].","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_2_b_3": {"name": "CM-2(b)(3)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"ec2_instance_older_than_specific_days": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_2_b_3","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-2(b)","SubSection": "Baseline Configuration (CM-2)"}],"description": "Review and update the baseline configuration of the system: 3 When system components are installed or upgraded.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"cm_5_1_a": {"name": "CM-5(1)(a)","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","ec2_instance_profile_attached": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_5_1_a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-5(1) Automated Access Enforcement And Audit Records","SubSection": "Access Restrictions For Change (CM-5)"}],"description": "Enforce access restrictions using [Assignment: organization-defined automated mechanisms].","checks_status": {"fail": 1,"pass": 2,"total": 15,"manual": 0}},"cm_5_1_b": {"name": "CM-5(1)(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": 
"FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_5_1_b","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-5(1) Automated Access Enforcement And Audit Records","SubSection": "Access Restrictions For Change (CM-5)"}],"description": "Automatically generate audit records of the enforcement actions.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"cm_8_3_a": {"name": "CM-8(3)(a)","checks": {"guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_3_a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(3) Automated Unauthorized Component Detection","SubSection": "System Component Inventory (CM-8)"}],"description": "Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"cm_8_a_1": {"name": "CM-8(a)(1)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a_1","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(a)","SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 1. 
Accurately reflects the system.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_a_2": {"name": "CM-8(a)(2)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a_2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(a)","SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 2. Includes all components within the system.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_a_3": {"name": "CM-8(a)(3)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a_3","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(a)","SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_a_4": {"name": "CM-8(a)(4)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a_4","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(a)","SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 4. 
Is at the level of granularity deemed necessary for tracking and reporting.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm_8_a_5": {"name": "CM-8(a)(5)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm_8_a_5","Section": "Configuration Management (CM)","Service": "aws","SubGroup": "CM-8(a)","SubSection": "System Component Inventory (CM-8)"}],"description": "Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability].","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cp_1_a_2": {"name": "CP-1(a)(2)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_1_a_2","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": "CP-1(a)","SubSection": "Policy And Procedures (CP-1)"}],"description": "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cp_2_a_6": {"name": "CP-2(a)(6)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_a_6","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": "CP-2(a)","SubSection": "Contingency Plan (CP-2)"}],"description": "Develop a contingency plan for the system that: 6. 
Addresses the sharing of contingency information.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cp_2_a_7": {"name": "CP-2(a)(7)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_2_a_7","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": "CP-2(a)","SubSection": "Contingency Plan (CP-2)"}],"description": "Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles].","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ia_2_6_a": {"name": "IA-2(6)(a)","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_2_6_a","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-2(6) Acces To Accounts — Separate Device","SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia_3_3_b": {"name": "IA-3(3)(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": 
[{"Type": null,"ItemId": "ia_3_3_b","Section": "Identification and Authentication (IA)","Service": "aws","SubGroup": "IA-3(3) Dynamic Address Allocation","SubSection": "Device Identification And Authentication (IA-3)"}],"description": "Audit lease information when assigned to a device.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"ia_5_1_c": {"name": "IA-5(1)(c)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ia_5_1_c","Section": "Identification and Authentication (IA)","Service": "aws","SubGroup": "IA-5(1) Password-Based Authentication","SubSection": "Authenticator Management (IA-5)"}],"description": "For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ia_5_1_f": {"name": "IA-5(1)(f)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_1_f","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-5(1) Password-Based Authentication","SubSection": "Authenticator Management (IA-5)"}],"description": "For password-based authentication: (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_1_g": {"name": "IA-5(1)(g)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_1_g","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-5(1) Password-Based Authentication","SubSection": "Authenticator Management (IA-5)"}],"description": "For password-based authentication: (g) Employ automated tools to assist the user in selecting strong password authenticators.","checks_status": 
{"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_1_h": {"name": "IA-5(1)(h)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_1_h","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-5(1) Password-Based Authentication","SubSection": "Authenticator Management (IA-5)"}],"description": "For password-based authentication: (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_8_2_b": {"name": "IA-8(2)(b)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_8_2_b","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-8(2) Acceptance Of External Authenticators","SubSection": "Identification And Authentication (Non-Organizational Users) (IA-8)"}],"description": "Document and maintain a list of accepted external authenticators.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ma_4_1_a": {"name": "MA-4(1)(a)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ma_4_1_a","Section": "Maintenance (MA)","Service": "aws","SubGroup": "MA-4(1) Logging And Review","SubSection": "Nonlocal Maintenance (MA-4)"}],"description": "Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions.","checks_status": {"fail": 
6,"pass": 2,"total": 12,"manual": 0}},"ra_1_a_1": {"name": "RA-1(a)(1)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_1_a_1","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": "RA-1(a)","SubSection": "Policy And Procedures (RA-1)"}],"description": "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_1_a_2": {"name": "RA-1(a)(2)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_1_a_2","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": "RA-1(a)","SubSection": "Policy And Procedures (RA-1)"}],"description": "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existing controls.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_3_a_1": {"name": "RA-3(a)(1)","checks": {"guardduty_is_enabled": "PASS","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ra_3_a_1","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": null,"SubSection": "Risk Assessment (RA-3)"}],"description": "a. Conduct a risk assessment, including: 1. 
Identifying threats to and vulnerabilities in the system.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"sc_5_3_a": {"name": "SC-5(3)(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_5_3_a","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": "SC-5(3) Detection And Monitoring","SubSection": "Denial Of Service Protection (SC-5)"}],"description": "Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_5_3_b": {"name": "SC-5(3)(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc_5_3_b","Section": "System and Communications Protection (SC)","Service": "guarduty","SubGroup": "SC-5(3) Detection And Monitoring","SubSection": "Denial Of Service Protection (SC-5)"}],"description": "Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sc_7_4_b": {"name": "SC-7(4)(b)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_4_b","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": "SC-7(4) External Telecommunications Services","SubSection": "Boundary Protection (SC-7)"}],"description": "Establish a traffic flow policy for each managed interface.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"sc_7_4_g": {"name": "SC-7(4)(g)","checks": {"elb_ssl_listeners": 
"FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_4_g","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": "SC-7(4) External Telecommunications Services","SubSection": "Boundary Protection (SC-7)"}],"description": "Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"sc_7_9_a": {"name": "SC-7(9)(a)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_9_a","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": "SC-7(9) Restrict Threatening Outgoing Communications Traffic","SubSection": "Boundary Protection (SC-7)"}],"description": "Detect and deny outgoing communications traffic posing a threat to external systems.","checks_status": {"fail": 1,"pass": 5,"total": 13,"manual": 0}},"sc_7_9_b": {"name": "SC-7(9)(b)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": 
null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_9_b","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": "SC-7(9) Restrict Threatening Outgoing Communications Traffic","SubSection": "Boundary Protection (SC-7)"}],"description": "Audit the identity of internal users associated with denied communications.","checks_status": {"fail": 5,"pass": 2,"total": 11,"manual": 0}},"si_1_1_c": {"name": "SI-1(1)(c)","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_1_1_c","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Policy And Procedures (SI-1)"}],"description": "Audit the use of the manual override capability.","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"si_1_a_2": {"name": "SI-1(a)(2)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_object_versioning": "FAIL","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_1_a_2","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Policy And Procedures (SI-1)"}],"description": "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. 
Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;.","checks_status": {"fail": 5,"pass": 0,"total": 6,"manual": 0}},"si_3_8_a": {"name": "SI-3(8)(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_3_8_a","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": "SI-3(8) Detect Unauthorized Commands","SubSection": "Malicious Code Protection (SI-3)"}],"description": "Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_3_8_b": {"name": "SI-3(8)(b)","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_3_8_b","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": "SI-3(8) Detect Unauthorized Commands","SubSection": "Malicious Code Protection (SI-3)"}],"description": "[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command].","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"si_3_c_2": {"name": "SI-3(c)(2)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_3_c_2","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Malicious Code Protection 
(SI-3)"}],"description": "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"si_4_4_a": {"name": "SI-4(4)(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_4_a","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": "SI-4(4) Inbound and Outbound Communications Traffic","SubSection": "System Monitoring (SI-4)"}],"description": "Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_4_b": {"name": "SI-4(4)(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_4_b","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": "SI-4(4) Inbound and Outbound Communications Traffic","SubSection": "System Monitoring (SI-4)"}],"description": "Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_a_1": {"name": "SI-4(a)(1)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_a_1","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": "SI-4(a)","SubSection": "System Monitoring (SI-4)"}],"description": "a. Monitor the system to detect: 1. 
Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si_4_a_2": {"name": "SI-4(a)(2)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_a_2","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": "SI-4(a)","SubSection": "System Monitoring (SI-4)"}],"description": "a. Monitor the system to detect: 2. Unauthorized local, network, and remote connections.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ac_17_4_a": {"name": "AC-17(4)(a)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_17_4_a","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-17(4) Privileged Commands And Access","SubSection": "Remote Access (AC-17)"}],"description": "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];","checks_status": {"fail": 3,"pass": 5,"total": 16,"manual": 0}},"ac_2_12_a": {"name": "AC-2(12)(a)","checks": 
{"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_2_12_a","Section": "Access Control (AC)","Service": "guarduty","SubGroup": "AC-2(12) Account Monitoring","SubSection": "Account Management (AC-2)"}],"description": "Monitor system accounts for [Assignment: organization-defined atypical usage].","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ac_3_12_a": {"name": "AC-3(12)(a)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_12_a","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(12)Assert And Enforce Application Access","SubSection": "Access Enforcement (AC-3)"}],"description": "Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions].","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_12_b": {"name": "AC-3(12)(b)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac_3_12_b","Section": "Access Control (AC)","Service": "guarduty","SubGroup": "AC-3(12) Assert And Enforce Application Access","SubSection": "Access Enforcement (AC-3)"}],"description": "Provide an enforcement mechanism to prevent unauthorized access;","checks_status": {"fail": 
0,"pass": 1,"total": 1,"manual": 0}},"ac_3_15_a": {"name": "AC-3(15)(a)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_15_a","Section": "Access Control (AC)","Service": "guarduty","SubGroup": "AC-3(15) Discretionary And Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_15_b": {"name": "AC-3(15)(b)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_15_b","Section": "Access Control (AC)","Service": "guarduty","SubGroup": "AC-3(15) Discretionary And 
Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ia_5_18_a": {"name": "IA-5(18)(a)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_18_a","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-5(18) Password Managers","SubSection": "Authenticator Management (IA-5)"}],"description": "Employ [Assignment: organization-defined password managers] to generate and manage passwords.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia_5_18_b": {"name": "IA-5(18)(b)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia_5_18_b","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": "IA-5(18) Password Managers","SubSection": "Authenticator Management (IA-5)"}],"description": "Protect the passwords using [Assignment: organization-defined controls].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"pm_14_a_1": {"name": "PM-14(a)(1)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": 
null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "pm_14_a_1","Section": "Program Management (PM)","Service": "aws","SubGroup": null,"SubSection": "Testing, Training, And Monitoring (PM-14)"}],"description": "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained.","checks_status": {"fail": 8,"pass": 4,"total": 20,"manual": 0}},"ra_10_a_1": {"name": "RA-10(a)(1)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_10_a_1","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": "RA-10(a)","SubSection": "Threat Hunting (RA-10)"}],"description": "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ra_10_a_2": {"name": "RA-10(a)(2)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ra_10_a_2","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": "RA-10(a)","SubSection": "Threat Hunting (RA-10)"}],"description": "a. Establish and maintain a cyber threat hunting capability to: 2. 
Detect, track, and disrupt threats that evade existings.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sa_15_a_4": {"name": "SA-15(a)(4)","checks": {"elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa_15_a_4","Section": "System and Services Acquisition (SA)","Service": "aws","SubGroup": null,"SubSection": "Development Process, Standards, And Tools (SA-15)"}],"description": "a. Require the developer of the system, system component, or system service to follow a documented development process that: 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"sc_36_1_a": {"name": "SC-36(1)(a)","checks": {"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_36_1_a","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Distributed Processing And Storage (SC-36)"}],"description": "Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components].","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"sc_7_24_b": {"name": "SC-7(24)(b)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": 
"PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc_7_24_b","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": "SC-7(24) Personally Identifiable Information","SubSection": "Boundary Protection (SC-7)"}],"description": "For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"si_10_1_c": {"name": "SI-10(1)(c)","checks": {"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si_10_1_c","Section": "System and Information integrity (SI)","Service": "aws","SubGroup": "SI-10(1) Manual Override Capability","SubSection": "Information Input Validation (SI-10)"}],"description": "Audit the use of the manual override capability.","checks_status": {"fail": 3,"pass": 1,"total": 8,"manual": 0}},"si_4_13_a": {"name": "SI-4(13)(a)","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si_4_13_a","Section": "System and Information integrity (SI)","Service": "guarduty","SubGroup": "SI-4(13) Analyze Traffic And Event Patterns","SubSection": "System Monitoring (SI-4)"}],"description": 
"Analyze communications traffic and event patterns for the system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ac_3_3_b_1": {"name": "AC-3(3)(b)(1)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_b_1","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_3_b_2": {"name": "AC-3(3)(b)(2)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": 
null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_b_2","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_3_b_3": {"name": "AC-3(3)(b)(3)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_b_3","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (3) Changing one or more security attributes (specified by the 
policy) on subjects, objects, the system, or system components.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_3_b_4": {"name": "AC-3(3)(b)(4)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_b_4","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"ac_3_3_b_5": {"name": "AC-3(3)(b)(5)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL","iam_policy_attached_only_to_group_or_roles": 
null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac_3_3_b_5","Section": "Access Control (AC)","Service": "aws","SubGroup": "AC-3(3) Mandatory Access Control","SubSection": "Access Enforcement (AC-3)"}],"description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access.","checks_status": {"fail": 1,"pass": 1,"total": 15,"manual": 0}},"cp_1_a_1_b": {"name": "CP-1(a)(1)(b)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp_1_a_1_b","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": "CP-1(a)","SubSection": "Policy And Procedures (CP-1)"}],"description": "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. 
[Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}}},"requirements_passed": 86,"requirements_failed": 202,"requirements_manual": 0,"total_requirements": 288,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "c7fda251-1b8b-4668-be6e-6929da58d6af","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "rbi_cyber_security_framework_aws","framework": "RBI-Cyber-Security-Framework","version": "","description": "The Reserve Bank had prescribed a set of baseline cyber security controls for primary (Urban) cooperative banks (UCBs) in October 2018. On further examination, it has been decided to prescribe a comprehensive cyber security framework for the UCBs, as a graded approach, based on their digital depth and interconnectedness with the payment systems landscape, digital products offered by them and assessment of cyber security risk. 
The framework would mandate implementation of progressively stronger security measures based on the nature, variety and scale of digital product offerings of banks.","region": "eu-west-1","requirements": {"annex_i_6": {"name": "Annex I (6)","checks": {"ssm_managed_compliant_patching": "FAIL","guardduty_no_high_severity_findings": "FAIL","redshift_cluster_automatic_upgrades": null,"rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_6","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "Put in place systems and processes to identify, track, manage and monitor the status of patches to servers, operating system and application software running at the systems used by the UCB officials (end-users). Implement and update antivirus protection for all servers and applicable end points preferably through a centralised system.","checks_status": {"fail": 2,"pass": 1,"total": 6,"manual": 0}},"annex_i_12": {"name": "Annex I (12)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_12","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "Take periodic back up of the important data and store this data ‘off line’ (i.e., transferring important files to a storage device that can be detached from a computer/system after copying all the files).","checks_status": {"fail": 2,"pass": 1,"total": 5,"manual": 0}},"annex_i_1_1": {"name": "Annex I (1.1)","checks": {"ec2_instance_managed_by_ssm": "FAIL","organizations_account_part_of_organizations": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_1_1","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "UCBs should maintain an up-to-date 
business IT Asset Inventory Register containing the following fields, as a minimum: a) Details of the IT Asset (viz., hardware/software/network devices, key personnel, services, etc.), b. Details of systems where customer data are stored, c. Associated business applications, if any, d. Criticality of the IT asset (For example, High/Medium/Low).","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"annex_i_1_3": {"name": "Annex I (1.3)","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","ec2_instance_public_ip": "FAIL","backup_vaults_encrypted": "PASS","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","elbv2_insecure_ssl_ciphers": "PASS","rds_snapshots_public_access": "PASS","ssm_documents_set_as_public": "PASS","s3_bucket_default_encryption": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","vpc_subnet_no_public_ip_by_default": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"sns_topics_kms_encryption_at_rest_enabled": "FAIL","awslambda_function_not_publicly_accessible": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_https_communications_enforced": 
null,"opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_1_3","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "Appropriately manage and provide protection within and outside UCB/network, keeping in mind how the data/information is stored, transmitted, processed, accessed and put to use within/outside the UCB’s network, and level of risk they are exposed to depending on the sensitivity of the data/information.","checks_status": {"fail": 12,"pass": 15,"total": 40,"manual": 0}},"annex_i_5_1": {"name": "Annex I (5.1)","checks": {"elbv2_waf_acl_attached": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_5_1","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "The firewall configurations should be set to the highest security level and evaluation of critical device (such as firewall, network switches, security devices, etc.) 
configurations should be done periodically.","checks_status": {"fail": 4,"pass": 1,"total": 5,"manual": 0}},"annex_i_7_1": {"name": "Annex I (7.1)","checks": {"iam_no_root_access_key": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "annex_i_7_1","Section": null,"Service": "iam","SubGroup": null,"SubSection": null}],"description": "Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a ‘need to know’ and ‘need to do’ basis.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"annex_i_7_2": {"name": "Annex I (7.2)","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "annex_i_7_2","Section": null,"Service": "iam","SubGroup": null,"SubSection": null}],"description": "Passwords should be set as complex and lengthy and users should not use same passwords for all the applications/systems/devices.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"annex_i_7_3": {"name": "Annex I (7.3)","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "annex_i_7_3","Section": null,"Service": "vpc","SubGroup": null,"SubSection": null}],"description": "Remote Desktop Protocol (RDP) which allows others to access the computer remotely over a network or over the internet should be always disabled and should be enabled only with the approval of the authorised officer of the UCB. 
Logs for such remote access shall be enabled and monitored for suspicious activities.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"annex_i_7_4": {"name": "Annex I (7.4)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_audit_logging_enabled": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "annex_i_7_4","Section": null,"Service": "aws","SubGroup": null,"SubSection": null}],"description": "Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged/super user/administrative access to critical systems (servers/databases, applications, network devices etc.)","checks_status": {"fail": 7,"pass": 3,"total": 15,"manual": 0}}},"requirements_passed": 3,"requirements_failed": 6,"requirements_manual": 0,"total_requirements": 9,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "c9352bc9-2107-40a5-8dc6-c67817863253","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "fedramp_moderate_revision_4_aws","framework": "FedRamp-Moderate-Revision-4","version": "","description": "The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011. It provides a cost-effective, risk-based approach for the adoption and use of cloud services by the U.S. federal government. 
FedRAMP empowers federal agencies to use modern cloud technologies, with an emphasis on the security and protection of federal information.","region": "eu-west-1","requirements": {"ac-3": {"name": "Access Enforcement (AC-3)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","checks_status": {"fail": 1,"pass": 6,"total": 21,"manual": 0}},"ac-4": {"name": "Information Flow Enforcement (AC-4)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"acm_certificates_expiration_check": "PASS","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": 
"FAIL","emr_cluster_master_nodes_no_public_ip": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.","checks_status": {"fail": 3,"pass": 7,"total": 16,"manual": 0}},"ac-6": {"name": "Least Privilege (AC-6)","checks": {"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-6","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to 
accomplish assigned tasks in accordance with organizational missions and business functions.","checks_status": {"fail": 1,"pass": 6,"total": 20,"manual": 0}},"au-3": {"name": "Content of Audit Records (AU-3)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au-9": {"name": "Protection of Audit Information (AU-9)","checks": {"cloudtrail_kms_encryption_enabled": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-9","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects audit information and audit tools from unauthorized access, modification, and deletion.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"cm-2": {"name": "Baseline Configuration (CM-2)","checks": {"ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": 
null,"ec2_instance_managed_by_ssm": "FAIL","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"ssm_managed_compliant_patching": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-2","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.","checks_status": {"fail": 8,"pass": 6,"total": 22,"manual": 0}},"ia-2": {"name": "Identification and Authentication (Organizational users) (IA-2)","checks": {"iam_no_root_access_key": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-2","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": null}],"description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"ra-5": {"name": "Vulnerability Scanning (RA-5)","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ra-5","Section": "Risk Assessment (RA)","Service": "guarduty","SubGroup": 
null,"SubSection": null}],"description": "Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"sc-2": {"name": "Application Partitioning (SC-2)","checks": {"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc-2","Section": "System and Communications Protection (SC)","Service": "iam","SubGroup": null,"SubSection": null}],"description": "The information system separates user functionality (including user interface services) from information system management functionality.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"sc-4": {"name": "Information In Shared Resources (SC-4)","checks": {"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-4","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system prevents unauthorized and unintended information transfer via shared system resources.","checks_status": {"fail": 2,"pass": 5,"total": 14,"manual": 0}},"sc-5": {"name": "Denial Of Service Protection (SC-5)","checks": {"guardduty_is_enabled": 
"PASS","rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"rds_instance_deletion_protection": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-5","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].","checks_status": {"fail": 4,"pass": 1,"total": 6,"manual": 0}},"sc-7": {"name": "Boundary Protection (SC-7)","checks": {"elb_ssl_listeners": "FAIL","ec2_instance_public_ip": "FAIL","elbv2_waf_acl_attached": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-7","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system: a. 
Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.","checks_status": {"fail": 6,"pass": 6,"total": 21,"manual": 0}},"sc-8": {"name": "Transmission Integrity (SC-8)","checks": {"elb_ssl_listeners": "FAIL","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-8","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects the confidentiality AND integrity of transmitted information.","checks_status": {"fail": 3,"pass": 1,"total": 5,"manual": 0}},"si-7": {"name": "Software, Firmware, and Information Integrity (SI-7)","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si-7","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"au-11": {"name": "Audit Record Retention (AU-11)","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-11","Section": "Audit and Accountability (AU)","Service": 
"aws","SubGroup": null,"SubSection": null}],"description": "The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cp-10": {"name": "Information System Recovery And Reconstitution (CP-10)","checks": {"rds_instance_multi_az": "FAIL","efs_have_backup_enabled": "FAIL","elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp-10","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.","checks_status": {"fail": 4,"pass": 1,"total": 9,"manual": 0}},"sa-10": {"name": "Developer Configuration Management (SA-10)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa-10","Section": "System and Services Acquisition (SA)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. 
Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].","checks_status": {"fail": 2,"pass": 2,"total": 4,"manual": 0}},"sc-12": {"name": "Cryptographic Key Establishment And Management (SC-12)","checks": {"kms_cmk_rotation_enabled": null,"acm_certificates_expiration_check": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "sc-12","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"sc-13": {"name": "Use of Cryptography (SC-13)","checks": {"s3_bucket_default_encryption": "PASS","sns_topics_kms_encryption_at_rest_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-13","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"sc-23": {"name": "Session Authenticity (SC-23)","checks": {"elb_ssl_listeners": "FAIL","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-23","Section": 
"System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects the authenticity of communications sessions.","checks_status": {"fail": 3,"pass": 0,"total": 4,"manual": 0}},"sc-28": {"name": "Protection of Information at Rest (SC-28)","checks": {"ec2_ebs_volume_encryption": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-28","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The information system protects the confidentiality AND integrity of [Assignment: organization-defined information at rest].","checks_status": {"fail": 5,"pass": 2,"total": 13,"manual": 0}},"si-12": {"name": "Information Handling and Retention (SI-12)","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si-12","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": null}],"description": "The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.","checks_status": {"fail": 3,"pass": 1,"total": 
8,"manual": 0}},"ac-2-1": {"name": "AC-2(1) Automated System Account Management","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-2-1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization employs automated mechanisms to support the management of information system accounts.","checks_status": {"fail": 0,"pass": 2,"total": 15,"manual": 0}},"ac-2-3": {"name": "AC-2-3","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-2-3","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The information system automatically disables inactive accounts after 90 days for user accounts.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"ac-2-4": {"name": "AC-2(4) Automated Audit Actions","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": 
"FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-2-4","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].","checks_status": {"fail": 3,"pass": 3,"total": 14,"manual": 0}},"ac-2-f": {"name": "AC-2(f)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-2-f","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: f. 
Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions].","checks_status": {"fail": 0,"pass": 0,"total": 13,"manual": 0}},"ac-2-g": {"name": "AC-2(g)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-2-g","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: g. Monitors the use of information system accounts.","checks_status": {"fail": 3,"pass": 4,"total": 12,"manual": 0}},"ac-2-j": {"name": "AC-2(j)","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-2-j","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: j. 
Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency].","checks_status": {"fail": 0,"pass": 0,"total": 12,"manual": 0}},"ac-5-c": {"name": "AC-5(c)","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-5-c","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Separation Of Duties (AC-5)"}],"description": "The organization: c. Defines information system access authorizations to support separation of duties.","checks_status": {"fail": 0,"pass": 0,"total": 8,"manual": 0}},"au-7-1": {"name": "AU-7(1) Automatic Processing","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-7-1","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Reduction And Report Generation (AU-7)"}],"description": "The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].","checks_status": {"fail": 1,"pass": 0,"total": 5,"manual": 0}},"au-9-2": {"name": "AU-9(2) Audit Backup On Separate Physical Systems / Components","checks": {"s3_bucket_object_versioning": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-9-2","Section": "Audit and 
Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Protection of Audit Information (AU-9)"}],"description": "The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"cm-7-a": {"name": "CM-7(a)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-7-a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Least Functionality (CM-7)"}],"description": "The organization: a. Configures the information system to provide only essential capabilities.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cm-8-1": {"name": "CM-8(1)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-8-1","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Information System Component Inventory (CM-8)"}],"description": "The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"cp-9-b": {"name": "CP-9(b))","checks": {"efs_have_backup_enabled": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"redshift_cluster_automated_snapshot": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cp-9-b","Section": "Contingency Planning (CP)","Service": "aws","SubGroup": null,"SubSection": "Information System Backup (CP-9)"}],"description": "The organization: b. 
Conducts backups of system-level information contained in the information system (daily incremental; weekly full).","checks_status": {"fail": 2,"pass": 1,"total": 7,"manual": 0}},"ia-2-1": {"name": "IA-2(1) Network Access To Privileged Accounts","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-2-1","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Identification and Authentication (Organizational users) (IA-2)"}],"description": "The information system implements multi-factor authentication for network access to privileged accounts.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ia-5-4": {"name": "IA-5(4) Automated Support For Password Strength Determination","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-5-4","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"ia-5-7": {"name": "IA-5(7) No Embedded Unencrypted Static Authenticators","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-5-7","Section": "Identification and Authentication (IA)","Service": "codebuild","SubGroup": null,"SubSection": "Authenticator Management (IA-5)"}],"description": "The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ir-4-1": {"name": "IR-4(1) Automated Incident Handling Processes","checks": {"securityhub_enabled": 
"PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir-4-1","Section": "Incident Response (IR)","Service": "aws","SubGroup": null,"SubSection": "Incident Handling (IR-4)"}],"description": "The organization employs automated mechanisms to support the incident handling process.","checks_status": {"fail": 1,"pass": 2,"total": 7,"manual": 0}},"ir-6-1": {"name": "IR-6(1) Automated Reporting","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir-6-1","Section": "Incident Response (IR)","Service": "aws","SubGroup": null,"SubSection": "Incident Reporting (IR-6)"}],"description": "The organization employs automated mechanisms to assist in the reporting of security incidents.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"ir-7-1": {"name": "IR-7(1) Automation Support For Availability Of Information / Support","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ir-7-1","Section": "Incident Response (IR)","Service": "aws","SubGroup": null,"SubSection": "Incident Response Assistance (IR-7)"}],"description": "The organization employs automated mechanisms to increase the availability of incident response-related information and support.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"sa-3-a": {"name": "SA-3(a)","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sa-3-a","Section": "System and Services Acquisition 
(SA)","Service": "aws","SubGroup": null,"SubSection": "System Development Life Cycle (SA-3)"}],"description": "The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sc-7-3": {"name": "SC-7(3) Access Points","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-7-3","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Boundary Protection (SC-7)"}],"description": "The organization limits the number of external network connections to the information system.","checks_status": {"fail": 3,"pass": 6,"total": 17,"manual": 0}},"sc-8-1": {"name": "SC-8(1) Cryptographic Or Alternate Physical Protection","checks": {"elb_ssl_listeners": "FAIL","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_secure_transport_policy": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sc-8-1","Section": "System and Communications Protection (SC)","Service": "aws","SubGroup": null,"SubSection": "Transmission Integrity 
(SC-8)"}],"description": "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].","checks_status": {"fail": 3,"pass": 1,"total": 5,"manual": 0}},"si-2-2": {"name": "Automated Flaw Remediation Status (SI-2(2))","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si-2-2","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Flaw Remediation (SI-2)"}],"description": "The organization employs automated mechanisms at least monthly to determine the state of information system components with regard to flaw remediation.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"si-4-1": {"name": "SI-4(1) System-Wide Intrusion Detection System","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "si-4-1","Section": "System and Information Integrity (SI)","Service": "guarduty","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"si-4-2": {"name": "SI-4(2) Automated Tools For Real-Time Analysis","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": 
null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si-4-2","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization employs automated tools to support near real-time analysis of events.","checks_status": {"fail": 0,"pass": 4,"total": 12,"manual": 0}},"si-4-4": {"name": "SI-4(4) Inbound and Outbound Communications Traffic","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si-4-4","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.","checks_status": {"fail": 0,"pass": 4,"total": 12,"manual": 0}},"si-4-5": {"name": "SI-4(5) System-Generated Alerts","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": 
null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si-4-5","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The information system alerts organization-defined personnel or roles when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].","checks_status": {"fail": 0,"pass": 4,"total": 12,"manual": 0}},"si-7-1": {"name": "SI-7(1) Integrity Checks","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si-7-1","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Software, Firmware, and Information Integrity (SI-7)"}],"description": "The information system performs an integrity check of security relevant events at least monthly.","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"ac-17-1": {"name": "AC-17(1) Automated Monitoring/Control","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": 
"PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-17-1","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "The information system monitors and controls remote access methods.","checks_status": {"fail": 3,"pass": 8,"total": 19,"manual": 0}},"ac-17-2": {"name": "AC-17(2) Protection Of Confidentiality/Integrity Using Encryption","checks": {"elb_ssl_listeners": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-17-2","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Remote Access (AC-17)"}],"description": "The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.","checks_status": {"fail": 2,"pass": 1,"total": 3,"manual": 0}},"ac-21-b": {"name": "AC-21(b)","checks": {"ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ac-21-b","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Information Sharing (AC-21)"}],"description": "The organization: b. 
Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.","checks_status": {"fail": 3,"pass": 4,"total": 15,"manual": 0}},"ac-6-10": {"name": "AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions","checks": {"iam_no_root_access_key": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-6-10","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Least Privilege (AC-6)"}],"description": "The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"si-4-16": {"name": "SI-4(16) Correlate Monitoring Information","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "si-4-16","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization correlates information from monitoring tools employed throughout the information system.","checks_status": {"fail": 0,"pass": 3,"total": 7,"manual": 0}},"au-2-a-d": {"name": "AU-2(a)(d)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": 
"FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-2-a-d","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Events (AU-2)"}],"description": "The organization: a. Determines that the information system is capable of auditing the following events: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. d. Determines that the following events are to be audited within the information system: [organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event].","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"au-6-1-3": {"name": "AU-6(1)(3)","checks": {"elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": 
"FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-6-1-3","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Review, Analysis And Reporting (AU-6)"}],"description": "(1) The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (3) The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.","checks_status": {"fail": 7,"pass": 4,"total": 19,"manual": 0}},"ca-7-a-b": {"name": "CA-7(a)(b)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ec2_instance_imdsv2_enabled": "PASS","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"rds_instance_enhanced_monitoring_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ca-7-a-b","Section": "Security Assessment And Authorization (CA)","Service": "aws","SubGroup": null,"SubSection": "Continuous Monitoring (CA-7)"}],"description": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. 
Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring.","checks_status": {"fail": 1,"pass": 4,"total": 13,"manual": 0}},"cm-8-3-a": {"name": "CM-8(3)(a)","checks": {"guardduty_is_enabled": "PASS","ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cm-8-3-a","Section": "Configuration Management (CM)","Service": "aws","SubGroup": null,"SubSection": "Information System Component Inventory (CM-8)"}],"description": "The organization: a. Employs automated mechanisms continuously, using automated mechanisms with a maximum five-minute delay in detection, to detect the presence of unauthorized hardware, software, and firmware components within the information system","checks_status": {"fail": 2,"pass": 1,"total": 4,"manual": 0}},"ia-2-1-2": {"name": "IA-2(1)(2)","checks": {"iam_root_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-2-1-2","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "IA-2(1) Network Access To Privileged Accounts"}],"description": "(1) The information system implements multifactor authentication for network access to privileged accounts. (2) The information system implements multifactor authentication for network access to non- privileged accounts.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"ac-2-12-a": {"name": "AC-2(12)(a)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ac-2-12-a","Section": "Access Control (AC)","Service": "aws","SubGroup": null,"SubSection": "Account Management (AC-2)"}],"description": "The organization: a. 
Monitors information system accounts for [Assignment: organization-defined atypical use].","checks_status": {"fail": 0,"pass": 2,"total": 2,"manual": 0}},"au-12-a-c": {"name": "AU-12(a)(c)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "au-12-a-c","Section": "Audit and Accountability (AU)","Service": "aws","SubGroup": null,"SubSection": "Audit Generation (AU-12)"}],"description": "The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at all information system and network components where audit capability is deployed/available c. Generates audit records for the events defined in AU-2 d. 
with the content defined in AU-3.","checks_status": {"fail": 6,"pass": 2,"total": 12,"manual": 0}},"si-4-a-b-c": {"name": "SI-4(a)(b)(c)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_waf_acl_attached": "FAIL","ec2_instance_imdsv2_enabled": "PASS","apigateway_restapi_waf_acl_attached": "FAIL","guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "si-4-a-b-c","Section": "System and Information Integrity (SI)","Service": "aws","SubGroup": null,"SubSection": "Information System Monitoring (SI-4)"}],"description": "The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods]; c. Deploys monitoring devices: i. strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization.","checks_status": {"fail": 4,"pass": 3,"total": 11,"manual": 0}},"ia-5-1-a-d-e": {"name": "IA-5(1)(a)(d)(e)","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "ia-5-1-a-d-e","Section": "Identification and Authentication (IA)","Service": "iam","SubGroup": null,"SubSection": "IA-5(1) Password-Based Authentication"}],"description": "The information system, for password-based authentication: a. 
Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; d. Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; e. Prohibits password reuse for 24 generations","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 20,"requirements_failed": 43,"requirements_manual": 1,"total_requirements": 64,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "d7024b7f-64c1-4d70-8f9d-7844c9194c42","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "gdpr_aws","framework": "GDPR","version": "","description": "The General Data Protection Regulation (GDPR) is a new European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC. It's intended to harmonize data protection laws throughout the European Union (EU). 
It does this by applying a single data protection law that's binding throughout each EU member state.","region": "eu-west-1","requirements": {"article_25": {"name": "Article 25 Data protection by design and by default","checks": {"iam_root_mfa_enabled": null,"vpc_flow_logs_enabled": "FAIL","iam_no_root_access_key": null,"iam_support_role_created": null,"kms_cmk_rotation_enabled": null,"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","config_recorder_all_regions_enabled": null,"iam_user_mfa_enabled_console_access": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","iam_password_policy_minimum_length_14": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_log_metric_filter_policy_changes": null,"iam_inline_policy_no_administrative_privileges": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL","cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","cloudwatch_log_metric_filter_authentication_failures": null,"iam_aws_attached_policy_no_administrative_privileges": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"iam_customer_attached_policy_no_administrative_privileges": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": 
null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "article_25","Section": "Article 25 Data protection by design and by default","Service": "aws","SubGroup": null,"SubSection": null}],"description": "To obtain the latest version of the official guide, please visit https://gdpr-info.eu/art-25-gdpr/. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 
An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.","checks_status": {"fail": 5,"pass": 2,"total": 42,"manual": 0}},"article_30": {"name": "Article 30 Records of processing activities","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","kms_cmk_rotation_enabled": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "article_30","Section": "Article 30 Records of processing activities","Service": "aws","SubGroup": null,"SubSection": null}],"description": " To obtain the latest version of the official guide, please visit https://www.privacy-regulation.eu/en/article-30-records-of-processing-activities-GDPR.htm. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information like the name and contact details of the controller and where applicable, the joint controller, the controller's representative and the data protection officer, the purposes of the processing etc. 
Each processor and where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable of the controller's or the processor's representative, and the data protection officer, where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request. 
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.","checks_status": {"fail": 5,"pass": 1,"total": 12,"manual": 0}},"article_32": {"name": "Article 32 Security of processing","checks": {"elb_ssl_listeners": "FAIL","ec2_ebs_volume_encryption": "PASS","rds_instance_backup_enabled": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"acm_certificates_expiration_check": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","redshift_cluster_automated_snapshot": null,"cloudfront_distributions_https_enabled": null,"cloudtrail_log_file_validation_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "article_32","Section": "Article 32 Security of processing","Service": "aws","SubGroup": null,"SubSection": null}],"description": " To obtain the latest version of the official guide, please visit https://gdpr-info.eu/art-32-gdpr/. 
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.","checks_status": {"fail": 9,"pass": 4,"total": 25,"manual": 0}}},"requirements_passed": 0,"requirements_failed": 3,"requirements_manual": 0,"total_requirements": 3,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "df010cc1-e468-42d1-8b7c-37d614adf364","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_well_architected_framework_security_pillar_aws","framework": "AWS-Well-Architected-Framework-Security-Pillar","version": "","description": "Best Practices for AWS Well-Architected Framework Security Pillar. 
The focus of this framework is the security pillar of the AWS Well-Architected Framework. It provides guidance to help you apply best practices, current recommendations in the design, delivery, and maintenance of secure AWS workloads.","region": "eu-west-1","requirements": {"SEC01-BP01": {"name": "SEC01-BP01","checks": {"organizations_account_part_of_organizations": null},"status": "PASS","attributes": [{"Name": "SEC01-BP01 Separate workloads using accounts","Section": "Security foundations","SubSection": "AWS account management and separation","Description": "Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_multi_accounts.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_multi_accounts","WellArchitectedQuestionId": "securely-operate"}],"description": "Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. 
Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"SEC01-BP02": {"name": "SEC01-BP02","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Name": "SEC01-BP02 Secure account root user and properties","Section": "Security foundations","SubSection": "AWS account management and separation","Description": "The root user is the most privileged user in an AWS account, with full administrative access to all resources within the account, and in some cases cannot be constrained by security policies. Deactivating programmatic access to the root user, establishing appropriate controls for the root user, and avoiding routine use of the root user helps reduce the risk of inadvertent exposure of the root credentials and subsequent compromise of the cloud environment.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_aws_account.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_aws_account","WellArchitectedQuestionId": "securely-operate"}],"description": "The root user is the most privileged user in an AWS account, with full administrative access to all resources within the account, and in some cases cannot be constrained by security policies. 
Deactivating programmatic access to the root user, establishing appropriate controls for the root user, and avoiding routine use of the root user helps reduce the risk of inadvertent exposure of the root credentials and subsequent compromise of the cloud environment.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"SEC01-BP03": {"name": "SEC01-BP03","checks": {},"status": "PASS","attributes": [{"Name": "SEC01-BP03 Identify and validate control objectives","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "Based on your compliance requirements and risks identified from your threat model, derive and validate the control objectives and controls that you need to apply to your workload. Ongoing validation of control objectives and controls help you measure the effectiveness of risk mitigation.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_control_objectives.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_control_objectives","WellArchitectedQuestionId": "securely-operate"}],"description": "Based on your compliance requirements and risks identified from your threat model, derive and validate the control objectives and controls that you need to apply to your workload. Ongoing validation of control objectives and controls help you measure the effectiveness of risk mitigation.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC01-BP04": {"name": "SEC01-BP04","checks": {},"status": "PASS","attributes": [{"Name": "SEC01-BP04 Keep up-to-date with security threats","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "To help you define and implement appropriate controls, recognize attack vectors by staying up to date with the latest security threats. 
Consume AWS Managed Services to make it easier to receive notification of unexpected or unusual behavior in your AWS accounts. Investigate using AWS Partner tools or third-party threat information feeds as part of your security information flow. The Common Vulnerabilities and Exposures (CVE) Listlist contains publicly disclosed cyber security vulnerabilities that you can use to stay up to date.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_updated_threats.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_updated_threats","WellArchitectedQuestionId": "securely-operate"}],"description": "To help you define and implement appropriate controls, recognize attack vectors by staying up to date with the latest security threats. Consume AWS Managed Services to make it easier to receive notification of unexpected or unusual behavior in your AWS accounts. Investigate using AWS Partner tools or third-party threat information feeds as part of your security information flow. The Common Vulnerabilities and Exposures (CVE) Listlist contains publicly disclosed cyber security vulnerabilities that you can use to stay up to date.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC01-BP05": {"name": "SEC01-BP05","checks": {},"status": "PASS","attributes": [{"Name": "SEC01-BP05 Keep up-to-date with security recommendations","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "Stay up-to-date with both AWS and industry security recommendations to evolve the security posture of your workload. 
AWS Security Bulletins contain important information about security and privacy notifications.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_updated_recommendations.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_updated_recommendations","WellArchitectedQuestionId": "securely-operate"}],"description": "Stay up-to-date with both AWS and industry security recommendations to evolve the security posture of your workload. AWS Security Bulletins contain important information about security and privacy notifications.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC01-BP06": {"name": "SEC01-BP06","checks": {"ec2_instance_managed_by_ssm": "FAIL","ecr_repositories_scan_images_on_push_enabled": "FAIL","ecr_repositories_scan_vulnerabilities_in_latest_image": null},"status": "FAIL","attributes": [{"Name": "SEC01-BP06 Automate testing and validation of security controls in pipelines","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "Establish secure baselines and templates for security mechanisms that are tested and validated as part of your build, pipelines, and processes. Use tools and automation to test and validate all security controls continuously. For example, scan items such as machine images and infrastructure-as-code templates for security vulnerabilities, irregularities, and drift from an established baseline at each stage. AWS CloudFormation Guard can help you verify that CloudFormation templates are safe, save you time, and reduce the risk of configuration error.Reducing the number of security misconfigurations introduced into a production environment is critical—the more quality control and reduction of defects you can perform in the build process, the better. 
Design continuous integration and continuous deployment (CI/CD) pipelines to test for security issues whenever possible. CI/CD pipelines offer the opportunity to enhance security at each stage of build and delivery. CI/CD security tooling must also be kept updated to mitigate evolving threats.Track changes to your workload configuration to help with compliance auditing, change management, and investigations that may apply to you. You can use AWS Config to record and evaluate your AWS and third-party resources. It allows you to continuously audit and assess the overall compliance with rules and conformance packs, which are collections of rules with remediation actions.Change tracking should include planned changes, which are part of your organization's change control process (sometimes referred to as MACD—Move, Add, Change, Delete), unplanned changes, and unexpected changes, such as incidents. Changes might occur on the infrastructure, but they might also be related to other categories, such as changes in code repositories, machine images and application inventory changes, process and policy changes, or documentation changes.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_test_validate_pipeline.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_test_validate_pipeline","WellArchitectedQuestionId": "securely-operate"}],"description": "Establish secure baselines and templates for security mechanisms that are tested and validated as part of your build, pipelines, and processes. Use tools and automation to test and validate all security controls continuously. For example, scan items such as machine images and infrastructure-as-code templates for security vulnerabilities, irregularities, and drift from an established baseline at each stage. 
AWS CloudFormation Guard can help you verify that CloudFormation templates are safe, save you time, and reduce the risk of configuration error.Reducing the number of security misconfigurations introduced into a production environment is critical—the more quality control and reduction of defects you can perform in the build process, the better. Design continuous integration and continuous deployment (CI/CD) pipelines to test for security issues whenever possible. CI/CD pipelines offer the opportunity to enhance security at each stage of build and delivery. CI/CD security tooling must also be kept updated to mitigate evolving threats.Track changes to your workload configuration to help with compliance auditing, change management, and investigations that may apply to you. You can use AWS Config to record and evaluate your AWS and third-party resources. It allows you to continuously audit and assess the overall compliance with rules and conformance packs, which are collections of rules with remediation actions.Change tracking should include planned changes, which are part of your organization's change control process (sometimes referred to as MACD—Move, Add, Change, Delete), unplanned changes, and unexpected changes, such as incidents. 
Changes might occur on the infrastructure, but they might also be related to other categories, such as changes in code repositories, machine images and application inventory changes, process and policy changes, or documentation changes.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"SEC01-BP07": {"name": "SEC01-BP07","checks": {"wellarchitected_workload_no_high_or_medium_risks": "FAIL"},"status": "FAIL","attributes": [{"Name": "SEC01-BP07 Identify threats and prioritize mitigations using a threat model","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "Perform threat modeling to identify and maintain an up-to-date register of potential threats and associated mitigations for your workload. Prioritize your threats and adapt your security control mitigations to prevent, detect, and respond. Revisit and maintain this in the context of your workload, and the evolving security landscape.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_threat_model.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_threat_model","WellArchitectedQuestionId": "securely-operate"}],"description": "Perform threat modeling to identify and maintain an up-to-date register of potential threats and associated mitigations for your workload. Prioritize your threats and adapt your security control mitigations to prevent, detect, and respond. 
Revisit and maintain this in the context of your workload, and the evolving security landscape.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"SEC01-BP08": {"name": "SEC01-BP08","checks": {},"status": "PASS","attributes": [{"Name": "SEC01-BP08 Evaluate and implement new security services and features regularly","Section": "Security foundations","SubSection": "Operating your workloads securely","Description": "Evaluate and implement security services and features from AWS and AWS Partners that allow you to evolve the security posture of your workload. The AWS Security Blog highlights new AWS services and features, implementation guides, and general security guidance. What's New with AWS? is a great way to stay up to date with all new AWS features, services, and announcements.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_implement_services_features.html#implementation-guidance.","WellArchitectedPracticeId": "sec_securely_operate_implement_services_features","WellArchitectedQuestionId": "securely-operate"}],"description": "Evaluate and implement security services and features from AWS and AWS Partners that allow you to evolve the security posture of your workload. The AWS Security Blog highlights new AWS services and features, implementation guides, and general security guidance. What's New with AWS? 
is a great way to stay up to date with all new AWS features, services, and announcements.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC02-BP01": {"name": "SEC02-BP01","checks": {"iam_avoid_root_usage": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_user_hardware_mfa_enabled": null,"iam_user_two_active_access_key": null,"iam_user_mfa_enabled_console_access": null,"iam_user_no_setup_initial_access_key": null,"iam_password_policy_minimum_length_14": null,"directoryservice_supported_mfa_radius_enabled": null,"directoryservice_radius_server_security_protocol": null,"sagemaker_notebook_instance_root_access_disabled": null,"opensearch_service_domains_use_cognito_authentication_for_kibana": null},"status": "PASS","attributes": [{"Name": "SEC02-BP01 Use strong sign-in mechanisms","Section": "Identity and access management","SubSection": "Identity management","Description": "Sign-ins (authentication using sign-in credentials) can present risks when not using mechanisms like multi-factor authentication (MFA), especially in situations where sign-in credentials have been inadvertently disclosed or are easily guessed. Use strong sign-in mechanisms to reduce these risks by requiring MFA and strong password policies.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_enforce_mechanisms.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_enforce_mechanisms","WellArchitectedQuestionId": "identities"}],"description": "Sign-ins (authentication using sign-in credentials) can present risks when not using mechanisms like multi-factor authentication (MFA), especially in situations where sign-in credentials have been inadvertently disclosed or are easily guessed. 
Use strong sign-in mechanisms to reduce these risks by requiring MFA and strong password policies.","checks_status": {"fail": 0,"pass": 0,"total": 15,"manual": 0}},"SEC02-BP02": {"name": "SEC02-BP02","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Name": "SEC02-BP02 Use temporary credentials","Section": "Identity and access management","SubSection": "Identity management","Description": "When doing any type of authentication, it’s best to use temporary credentials instead of long-term credentials to reduce or eliminate risks, such as credentials being inadvertently disclosed, shared, or stolen.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_unique.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_unique","WellArchitectedQuestionId": "identities"}],"description": "When doing any type of authentication, it’s best to use temporary credentials instead of long-term credentials to reduce or eliminate risks, such as credentials being inadvertently disclosed, shared, or stolen.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"SEC02-BP03": {"name": "SEC02-BP03","checks": {"ssm_document_secrets": "PASS","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","awslambda_function_no_secrets_in_code": "PASS","cloudformation_stack_outputs_find_secrets": "PASS","awslambda_function_no_secrets_in_variables": "PASS","ecs_task_definitions_no_environment_secrets": "PASS","autoscaling_find_secrets_ec2_launch_configuration": "PASS"},"status": "PASS","attributes": [{"Name": "SEC02-BP03 Store and use secrets securely","Section": "Identity and access management","SubSection": "Identity management","Description": "A workload requires an automated capability to prove its identity to databases, resources, and third-party services. 
This is accomplished using secret access credentials, such as API access keys, passwords, and OAuth tokens. Using a purpose-built service to store, manage, and rotate these credentials helps reduce the likelihood that those credentials become compromised.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_secrets.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_secrets","WellArchitectedQuestionId": "identities"}],"description": "A workload requires an automated capability to prove its identity to databases, resources, and third-party services. This is accomplished using secret access credentials, such as API access keys, passwords, and OAuth tokens. Using a purpose-built service to store, manage, and rotate these credentials helps reduce the likelihood that those credentials become compromised.","checks_status": {"fail": 0,"pass": 8,"total": 8,"manual": 0}},"SEC02-BP04": {"name": "SEC02-BP04","checks": {"iam_role_cross_service_confused_deputy_prevention": null},"status": "PASS","attributes": [{"Name": "SEC02-BP04 Rely on a centralized identity provider","Section": "Identity and access management","SubSection": "Identity management","Description": "For workforce identities, rely on an identity provider that enables you to manage identities in a centralized place. This makes it easier to manage access across multiple applications and services, because you are creating, managing, and revoking access from a single location. For example, if someone leaves your organization, you can revoke access for all applications and services (including AWS) from one location. This reduces the need for multiple credentials and provides an opportunity to integrate with existing human resources (HR) processes. 
For federation with individual AWS accounts, you can use centralized identities for AWS with a SAML 2.0-based provider with AWS Identity and Access Management. You can use any provider— whether hosted by you in AWS, external to AWS, or supplied by the AWS Partner—that is compatible with the SAML 2.0 protocol. You can use federation between your AWS account and your chosen provider to grant a user or application access to call AWS API operations by using a SAML assertion to get temporary security credentials. Web-based single sign-on is also supported, allowing users to sign in to the AWS Management Console from your sign in website. For federation to multiple accounts in your AWS Organizations, you can configure your identity source in AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center), and specify where your users and groups are stored. Once configured, your identity provider is your source of truth, and information can be synchronized using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. You can then look up users or groups and grant them IAM Identity Center access to AWS accounts, cloud applications, or both. IAM Identity Center integrates with AWS Organizations, which enables you to configure your identity provider once and then grant access to existing and new accounts managed in your organization. IAM Identity Center provides you with a default store, which you can use to manage your users and groups. If you choose to use the IAM Identity Center store, create your users and groups and assign their level of access to your AWS accounts and applications, keeping in mind the best practice of least privilege. Alternatively, you can choose to Connect to Your External Identity Provider using SAML 2.0, or Connect to Your Microsoft AD Directory using AWS Directory Service. Once configured, you can sign into the AWS Management Console, or the AWS mobile app, by authenticating through your central identity provider. 
For managing end-users or consumers of your workloads, such as a mobile app, you can use Amazon Cognito. It provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with sign-in credentials, or through a third party, such as Amazon, Apple, Facebook, or Google.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_identity_provider.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_identity_provider","WellArchitectedQuestionId": "identities"}],"description": "For workforce identities, rely on an identity provider that enables you to manage identities in a centralized place. This makes it easier to manage access across multiple applications and services, because you are creating, managing, and revoking access from a single location. For example, if someone leaves your organization, you can revoke access for all applications and services (including AWS) from one location. This reduces the need for multiple credentials and provides an opportunity to integrate with existing human resources (HR) processes. For federation with individual AWS accounts, you can use centralized identities for AWS with a SAML 2.0-based provider with AWS Identity and Access Management. You can use any provider— whether hosted by you in AWS, external to AWS, or supplied by the AWS Partner—that is compatible with the SAML 2.0 protocol. You can use federation between your AWS account and your chosen provider to grant a user or application access to call AWS API operations by using a SAML assertion to get temporary security credentials. Web-based single sign-on is also supported, allowing users to sign in to the AWS Management Console from your sign in website. 
For federation to multiple accounts in your AWS Organizations, you can configure your identity source in AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center), and specify where your users and groups are stored. Once configured, your identity provider is your source of truth, and information can be synchronized using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. You can then look up users or groups and grant them IAM Identity Center access to AWS accounts, cloud applications, or both. IAM Identity Center integrates with AWS Organizations, which enables you to configure your identity provider once and then grant access to existing and new accounts managed in your organization. IAM Identity Center provides you with a default store, which you can use to manage your users and groups. If you choose to use the IAM Identity Center store, create your users and groups and assign their level of access to your AWS accounts and applications, keeping in mind the best practice of least privilege. Alternatively, you can choose to Connect to Your External Identity Provider using SAML 2.0, or Connect to Your Microsoft AD Directory using AWS Directory Service. Once configured, you can sign into the AWS Management Console, or the AWS mobile app, by authenticating through your central identity provider. For managing end-users or consumers of your workloads, such as a mobile app, you can use Amazon Cognito. It provides authentication, authorization, and user management for your web and mobile apps. 
Your users can sign in directly with sign-in credentials, or through a third party, such as Amazon, Apple, Facebook, or Google.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"SEC02-BP05": {"name": "SEC02-BP05","checks": {"kms_cmk_rotation_enabled": null,"iam_rotate_access_key_90_days": null,"secretsmanager_automatic_rotation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Name": "SEC02-BP05 Audit and rotate credentials periodically","Section": "Identity and access management","SubSection": "Identity management","Description": "When you cannot rely on temporary credentials and require long-term credentials, audit credentials to ensure that the defined controls for example, multi-factor authentication (MFA), are enforced, rotated regularly, and have the appropriate access level. Periodic validation, preferably through an automated tool, is necessary to verify that the correct controls are enforced. For human identities, you should require users to change their passwords periodically and retire access keys in favor of temporary credentials. As you are moving from users to centralized identities, you can generate a credential report to audit your users. We also recommend that you enforce MFA settings in your identity provider. You can set up AWS Config Rules to monitor these settings. For machine identities, you should rely on temporary credentials using IAM roles. 
For situations where this is not possible, frequent auditing and rotating access keys is necessary.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_audit.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_audit","WellArchitectedQuestionId": "identities"}],"description": "When you cannot rely on temporary credentials and require long-term credentials, audit credentials to ensure that the defined controls for example, multi-factor authentication (MFA), are enforced, rotated regularly, and have the appropriate access level. Periodic validation, preferably through an automated tool, is necessary to verify that the correct controls are enforced. For human identities, you should require users to change their passwords periodically and retire access keys in favor of temporary credentials. As you are moving from users to centralized identities, you can generate a credential report to audit your users. We also recommend that you enforce MFA settings in your identity provider. You can set up AWS Config Rules to monitor these settings. For machine identities, you should rely on temporary credentials using IAM roles. For situations where this is not possible, frequent auditing and rotating access keys is necessary.","checks_status": {"fail": 1,"pass": 0,"total": 3,"manual": 0}},"SEC02-BP06": {"name": "SEC02-BP06","checks": {"iam_policy_allows_privilege_escalation": null,"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Name": "SEC02-BP06 Leverage user groups and attributes","Section": "Identity and access management","SubSection": "Identity management","Description": "As the number of users you manage grows, you will need to determine ways to organize them so that you can manage them at scale. 
Place users with common security requirements in groups defined by your identity provider, and put mechanisms in place to ensure that user attributes that may be used for access control (for example, department or location) are correct and updated. Use these groups and attributes to control access, rather than individual users. This allows you to manage access centrally by changing a user's group membership or attributes once with a permission set, rather than updating many individual policies when a user's access needs change. You can use AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center) to manage user groups and attributes. IAM Identity Center supports most commonly used attributes whether they are entered manually during user creation or automatically provisioned using a synchronization engine, such as defined in the System for Cross-Domain Identity Management (SCIM) specification.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_groups_attributes.html#implementation-guidance.","WellArchitectedPracticeId": "sec_identities_groups_attributes","WellArchitectedQuestionId": "identities"}],"description": "As the number of users you manage grows, you will need to determine ways to organize them so that you can manage them at scale. Place users with common security requirements in groups defined by your identity provider, and put mechanisms in place to ensure that user attributes that may be used for access control (for example, department or location) are correct and updated. Use these groups and attributes to control access, rather than individual users. This allows you to manage access centrally by changing a user's group membership or attributes once with a permission set, rather than updating many individual policies when a user's access needs change. 
You can use AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center) to manage user groups and attributes. IAM Identity Center supports most commonly used attributes whether they are entered manually during user creation or automatically provisioned using a synchronization engine, such as defined in the System for Cross-Domain Identity Management (SCIM) specification.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"SEC03-BP01": {"name": "SEC03-BP01","checks": {"ec2_instance_imdsv2_enabled": "PASS","ec2_instance_profile_attached": "PASS","cloudwatch_cross_account_sharing_disabled": null},"status": "PASS","attributes": [{"Name": "SEC03-BP01 Define access requirements","Section": "Identity and access management","SubSection": "Permissions management","Description": "Each component or resource of your workload needs to be accessed by administrators, end users, or other components. Have a clear definition of who or what should have access to each component, choose the appropriate identity type and method of authentication and authorization.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_define.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_define","WellArchitectedQuestionId": "permissions"}],"description": "Each component or resource of your workload needs to be accessed by administrators, end users, or other components. 
Have a clear definition of who or what should have access to each component, choose the appropriate identity type and method of authentication and authorization.","checks_status": {"fail": 0,"pass": 2,"total": 3,"manual": 0}},"SEC03-BP02": {"name": "SEC03-BP02","checks": {"ec2_instance_profile_attached": "PASS","iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_internal_user_database_enabled": null,"iam_customer_unattached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Name": "SEC03-BP02 Grant least privilege access","Section": "Identity and access management","SubSection": "Permissions management","Description": "Grant only the access that identities require by allowing access to specific actions on specific AWS resources under specific conditions. Rely on groups and identity attributes to dynamically set permissions at scale, rather than defining permissions for individual users. For example, you can allow a group of developers access to manage only resources for their project. This way, when a developer is removed from the group, access for the developer is revoked everywhere that group was used for access control, without requiring any changes to the access policies.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_least_privileges.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_least_privileges","WellArchitectedQuestionId": "permissions"}],"description": "Grant only the access that identities require by allowing access to specific actions on specific AWS resources under specific conditions. Rely on groups and identity attributes to dynamically set permissions at scale, rather than defining permissions for individual users. 
For example, you can allow a group of developers access to manage only resources for their project. This way, when a developer is removed from the group, access for the developer is revoked everywhere that group was used for access control, without requiring any changes to the access policies.","checks_status": {"fail": 0,"pass": 1,"total": 6,"manual": 0}},"SEC03-BP03": {"name": "SEC03-BP03","checks": {"account_maintain_current_contact_details": null,"account_security_contact_information_is_registered": null,"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Name": "SEC03-BP03 Establish emergency access process","Section": "Identity and access management","SubSection": "Permissions management","Description": "A process that allows emergency access to your workload in the unlikely event of an automated process or pipeline issue. This will help you rely on least privilege access, but ensure users can obtain the right level of access when they require it. For example, establish a process for administrators to verify and approve their request, such as an emergency AWS cross-account role for access, or a specific process for administrators to follow to validate and approve an emergency request.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_emergency_process.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_emergency_process","WellArchitectedQuestionId": "permissions"}],"description": "A process that allows emergency access to your workload in the unlikely event of an automated process or pipeline issue. This will help you rely on least privilege access, but ensure users can obtain the right level of access when they require it. 
For example, establish a process for administrators to verify and approve their request, such as an emergency AWS cross-account role for access, or a specific process for administrators to follow to validate and approve an emergency request.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"SEC03-BP04": {"name": "SEC03-BP04","checks": {"iam_customer_attached_policy_no_administrative_privileges": null,"iam_customer_unattached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Name": "SEC03-BP04 Reduce permissions continuously","Section": "Identity and access management","SubSection": "Permissions management","Description": "As your teams determine what access is required, remove unneeded permissions and establish review processes to achieve least privilege permissions. Continually monitor and remove unused identities and permissions for both human and machine access.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_continuous_reduction.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_continuous_reduction","WellArchitectedQuestionId": "permissions"}],"description": "As your teams determine what access is required, remove unneeded permissions and establish review processes to achieve least privilege permissions. Continually monitor and remove unused identities and permissions for both human and machine access.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"SEC03-BP05": {"name": "SEC03-BP05","checks": {"organizations_account_part_of_organizations": null},"status": "PASS","attributes": [{"Name": "SEC03-BP05 Define permission guardrails for your organization","Section": "Identity and access management","SubSection": "Permissions management","Description": "Establish common controls that restrict access to all identities in your organization. 
For example, you can restrict access to specific AWS Regions, or prevent your operators from deleting common resources, such as an IAM role used for your central security team.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_define_guardrails.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_define_guardrails","WellArchitectedQuestionId": "permissions"}],"description": "Establish common controls that restrict access to all identities in your organization. For example, you can restrict access to specific AWS Regions, or prevent your operators from deleting common resources, such as an IAM role used for your central security team.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"SEC03-BP06": {"name": "SEC03-BP06","checks": {"ec2_elastic_ip_unassigned": "FAIL","elbv2_listeners_underneath": "PASS","codebuild_project_older_90_days": "FAIL","appstream_fleet_maximum_session_duration": null,"ecr_repositories_lifecycle_policy_enabled": "FAIL","appstream_fleet_session_disconnect_timeout": null,"appstream_fleet_session_idle_disconnect_timeout": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "FAIL","attributes": [{"Name": "SEC03-BP06 Manage access based on lifecycle","Section": "Identity and access management","SubSection": "Permissions management","Description": "Integrate access controls with operator and application lifecycle and your centralized federation provider. For example, remove a user's access when they leave the organization or change roles. As you manage workloads using separate accounts, there will be cases where you need to share resources between those accounts. We recommend that you share resources using AWS Resource Access Manager (AWS RAM). 
This service enables you to easily and securely share AWS resources within your AWS Organizations and Organizational Units. Using AWS RAM, access to shared resources is automatically granted or revoked as accounts are moved in and out of the Organization or Organization Unit with which they are shared. This helps ensure that resources are only shared with the accounts that you intend.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_lifecycle.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_lifecycle","WellArchitectedQuestionId": "permissions"}],"description": "Integrate access controls with operator and application lifecycle and your centralized federation provider. For example, remove a user's access when they leave the organization or change roles. As you manage workloads using separate accounts, there will be cases where you need to share resources between those accounts. We recommend that you share resources using AWS Resource Access Manager (AWS RAM). This service enables you to easily and securely share AWS resources within your AWS Organizations and Organizational Units. Using AWS RAM, access to shared resources is automatically granted or revoked as accounts are moved in and out of the Organization or Organization Unit with which they are shared. 
This helps ensure that resources are only shared with the accounts that you intend.","checks_status": {"fail": 4,"pass": 1,"total": 9,"manual": 0}},"SEC03-BP07": {"name": "SEC03-BP07","checks": {"ec2_ami_public": null,"elb_internet_facing": "FAIL","elbv2_internet_facing": "PASS","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"apigateway_restapi_public": "FAIL","efs_not_publicly_accessible": "FAIL","rds_snapshots_public_access": "PASS","ssm_documents_set_as_public": "PASS","awslambda_function_url_public": null,"rds_instance_no_public_access": "PASS","emr_cluster_publicly_accesible": null,"redshift_cluster_public_access": null,"kms_key_not_publicly_accessible": null,"awslambda_function_url_cors_policy": null,"sns_topics_not_publicly_accessible": "PASS","sqs_queues_not_publicly_accessible": "PASS","eks_cluster_not_publicly_accessible": null,"glacier_vaults_policy_public_access": null,"s3_bucket_policy_public_write_access": "PASS","emr_cluster_master_nodes_no_public_ip": null,"s3_account_level_public_access_blocks": null,"ecr_repositories_not_publicly_accessible": "PASS","emr_cluster_account_public_block_enabled": "PASS","awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","appstream_fleet_default_internet_access_disabled": null,"opensearch_service_domains_not_publicly_accessible": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","codeartifact_packages_external_public_publishing_disabled": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Name": "SEC03-BP07 Analyze public and cross-account access","Section": "Identity and access management","SubSection": "Permissions management","Description": "Continuously monitor findings that highlight public and cross-account access. 
Reduce public access and cross-account access to only resources that require this type of access.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_analyze_cross_account.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_analyze_cross_account","WellArchitectedQuestionId": "permissions"}],"description": "Continuously monitor findings that highlight public and cross-account access. Reduce public access and cross-account access to only resources that require this type of access.","checks_status": {"fail": 4,"pass": 13,"total": 35,"manual": 0}},"SEC03-BP08": {"name": "SEC03-BP08","checks": {"ssm_document_secrets": "PASS","awslambda_function_not_publicly_accessible": "PASS","codebuild_project_user_controlled_buildspec": "PASS","opensearch_service_domains_not_publicly_accessible": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "PASS","attributes": [{"Name": "SEC03-BP08 Share resources securely within your organization","Section": "Identity and access management","SubSection": "Permissions management","Description": "Govern the consumption of shared resources across accounts or within your AWS Organizations. Monitor shared resources and review shared resource access.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_share_securely.html#implementation-guidance.","WellArchitectedPracticeId": "sec_permissions_share_securely","WellArchitectedQuestionId": "permissions"}],"description": "Govern the consumption of shared resources across accounts or within your AWS Organizations. 
Monitor shared resources and review shared resource access.","checks_status": {"fail": 0,"pass": 3,"total": 5,"manual": 0}},"SEC04-BP01": {"name": "SEC04-BP01","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"apigatewayv2_api_access_logging_enabled": "FAIL","s3_bucket_server_access_logging_enabled": "FAIL","cloudfront_distributions_logging_enabled": null,"rds_instance_integration_cloudwatch_logs": "FAIL","acm_certificates_transparency_logs_enabled": "PASS","eks_control_plane_logging_all_types_enabled": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL","opensearch_service_domains_audit_logging_enabled": null,"directoryservice_directory_log_forwarding_enabled": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"route53_public_hosted_zones_cloudwatch_logging_enabled": null,"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC04-BP01 Configure service and application logging","Section": "Detection","SubSection": "Detection","Description": "Retain security event logs from services and applications. 
This is a fundamental principle of security for audit, investigations, and operational use cases, and a common security requirement driven by governance, risk, and compliance (GRC) standards, policies, and procedures.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html#implementation-guidance.","WellArchitectedPracticeId": "sec_detect_investigate_events_app_service_logging","WellArchitectedQuestionId": "detect-investigate-events"}],"description": "Retain security event logs from services and applications. This is a fundamental principle of security for audit, investigations, and operational use cases, and a common security requirement driven by governance, risk, and compliance (GRC) standards, policies, and procedures.","checks_status": {"fail": 8,"pass": 3,"total": 21,"manual": 0}},"SEC04-BP02": {"name": "SEC04-BP02","checks": {"vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS","config_recorder_all_regions_enabled": null},"status": "FAIL","attributes": [{"Name": "SEC04-BP02 Analyze logs, findings, and metrics centrally","Section": "Detection","SubSection": "Detection","Description": "Security operations teams rely on the collection of logs and the use of search tools to discover potential events of interest, which might indicate unauthorized activity or unintentional change. However, simply analyzing collected data and manually processing information is insufficient to keep up with the volume of information flowing from complex architectures. Analysis and reporting alone don't facilitate the assignment of the right resources to work an event in a timely fashion. 
A best practice for building a mature security operations team is to deeply integrate the flow of security events and findings into a notification and workflow system such as a ticketing system, a bug or issue system, or other security information and event management (SIEM) system. This takes the workflow out of email and static reports, and allows you to route, escalate, and manage events or findings. Many organizations are also integrating security alerts into their chat or collaboration, and developer productivity platforms. For organizations embarking on automation, an API-driven, low-latency ticketing system offers considerable flexibility when planning what to automate first. This best practice applies not only to security events generated from log messages depicting user activity or network events, but also from changes detected in the infrastructure itself. The ability to detect change, determine whether a change was appropriate, and then route that information to the correct remediation workflow is essential in maintaining and validating a secure architecture, in the context of changes where the nature of their undesirability is sufficiently subtle that their execution cannot currently be prevented with a combination of AWS Identity and Access Management (IAM) and AWS Organizations configuration. Amazon GuardDuty and AWS Security Hub provide aggregation, deduplication, and analysis mechanisms for log records that are also made available to you via other AWS services. GuardDuty ingests, aggregates, and analyzes information from sources such as AWS CloudTrail management and data events, VPC DNS logs, and VPC Flow Logs. Security Hub can ingest, aggregate, and analyze output from GuardDuty, AWS Config, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and a significant number of third-party security products available in the AWS Marketplace, and if built accordingly, your own code. 
Both GuardDuty and Security Hub have an Administrator-Member model that can aggregate findings and insights across multiple accounts, and Security Hub is often used by customers who have an on- premises SIEM as an AWS-side log and alert preprocessor and aggregator from which they can then ingest Amazon EventBridge through a AWS Lambda-based processor and forwarder.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_analyze_all.html#implementation-guidance.","WellArchitectedPracticeId": "sec_detect_investigate_events_analyze_all","WellArchitectedQuestionId": "detect-investigate-events"}],"description": "Security operations teams rely on the collection of logs and the use of search tools to discover potential events of interest, which might indicate unauthorized activity or unintentional change. However, simply analyzing collected data and manually processing information is insufficient to keep up with the volume of information flowing from complex architectures. Analysis and reporting alone don't facilitate the assignment of the right resources to work an event in a timely fashion. A best practice for building a mature security operations team is to deeply integrate the flow of security events and findings into a notification and workflow system such as a ticketing system, a bug or issue system, or other security information and event management (SIEM) system. This takes the workflow out of email and static reports, and allows you to route, escalate, and manage events or findings. Many organizations are also integrating security alerts into their chat or collaboration, and developer productivity platforms. For organizations embarking on automation, an API-driven, low-latency ticketing system offers considerable flexibility when planning what to automate first. 
This best practice applies not only to security events generated from log messages depicting user activity or network events, but also from changes detected in the infrastructure itself. The ability to detect change, determine whether a change was appropriate, and then route that information to the correct remediation workflow is essential in maintaining and validating a secure architecture, in the context of changes where the nature of their undesirability is sufficiently subtle that their execution cannot currently be prevented with a combination of AWS Identity and Access Management (IAM) and AWS Organizations configuration. Amazon GuardDuty and AWS Security Hub provide aggregation, deduplication, and analysis mechanisms for log records that are also made available to you via other AWS services. GuardDuty ingests, aggregates, and analyzes information from sources such as AWS CloudTrail management and data events, VPC DNS logs, and VPC Flow Logs. Security Hub can ingest, aggregate, and analyze output from GuardDuty, AWS Config, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and a significant number of third-party security products available in the AWS Marketplace, and if built accordingly, your own code. 
Both GuardDuty and Security Hub have an Administrator-Member model that can aggregate findings and insights across multiple accounts, and Security Hub is often used by customers who have an on- premises SIEM as an AWS-side log and alert preprocessor and aggregator from which they can then ingest Amazon EventBridge through a AWS Lambda-based processor and forwarder.","checks_status": {"fail": 1,"pass": 1,"total": 3,"manual": 0}},"SEC04-BP03": {"name": "SEC04-BP03","checks": {"elb_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","cloudtrail_multi_region_enabled": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC04-BP03 Automate response to events","Section": "Detection","SubSection": "Detection","Description": "Using automation to investigate and remediate events reduces human effort and error, and enables you to scale investigation capabilities. Regular reviews will help you tune automation tools, and continuously iterate. In AWS, investigating events of interest and information on potentially unexpected changes into an automated workflow can be achieved using Amazon EventBridge. This service provides a scalable rules engine designed to broker both native AWS event formats (such as AWS CloudTrail events), as well as custom events you can generate from your application. Amazon GuardDuty also allows you to route events to a workflow system for those building incident response systems (AWS Step Functions), or to a central Security Account, or to a bucket for further analysis. Detecting change and routing this information to the correct workflow can also be accomplished using AWS Config Rules and Conformance Packs. AWS Config detects changes to in-scope services (though with higher latency than EventBridge) and generates events that can be parsed using AWS Config Rules for rollback, enforcement of compliance policy, and forwarding of information to systems, such as change management platforms and operational ticketing systems. 
As well as writing your own Lambda functions to respond to AWS Config events, you can also take advantage of the AWS Config Rules Development Kit, and a library of open source AWS Config Rules. Conformance packs are a collection of AWS Config Rules and remediation actions you deploy as a single entity authored as a YAML template. A sample conformance pack template is available for the Well-Architected Security Pillar.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_auto_response.html#implementation-guidance.","WellArchitectedPracticeId": "sec_detect_investigate_events_auto_response","WellArchitectedQuestionId": "detect-investigate-events"}],"description": "Using automation to investigate and remediate events reduces human effort and error, and enables you to scale investigation capabilities. Regular reviews will help you tune automation tools, and continuously iterate. In AWS, investigating events of interest and information on potentially unexpected changes into an automated workflow can be achieved using Amazon EventBridge. This service provides a scalable rules engine designed to broker both native AWS event formats (such as AWS CloudTrail events), as well as custom events you can generate from your application. Amazon GuardDuty also allows you to route events to a workflow system for those building incident response systems (AWS Step Functions), or to a central Security Account, or to a bucket for further analysis. Detecting change and routing this information to the correct workflow can also be accomplished using AWS Config Rules and Conformance Packs. 
AWS Config detects changes to in-scope services (though with higher latency than EventBridge) and generates events that can be parsed using AWS Config Rules for rollback, enforcement of compliance policy, and forwarding of information to systems, such as change management platforms and operational ticketing systems. As well as writing your own Lambda functions to respond to AWS Config events, you can also take advantage of the AWS Config Rules Development Kit, and a library of open source AWS Config Rules. Conformance packs are a collection of AWS Config Rules and remediation actions you deploy as a single entity authored as a YAML template. A sample conformance pack template is available for the Well-Architected Security Pillar.","checks_status": {"fail": 2,"pass": 1,"total": 3,"manual": 0}},"SEC04-BP04": {"name": "SEC04-BP04","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"directoryservice_directory_monitor_notifications": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": 
null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Name": "SEC04-BP04 Implement actionable security events","Section": "Detection","SubSection": "Detection","Description": "Create alerts that are sent to and can be actioned by your team. Ensure that alerts include relevant information for the team to take action. For each detective mechanism you have, you should also have a process, in the form of a runbook or playbook, to investigate. For example, when you enable Amazon GuardDuty, it generates different findings. You should have a runbook entry for each finding type, for example, if a trojan is discovered, your runbook has simple instructions that instruct someone to investigate and remediate.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_actionable_events.html#implementation-guidance.","WellArchitectedPracticeId": "sec_detect_investigate_events_actionable_events","WellArchitectedQuestionId": "detect-investigate-events"}],"description": "Create alerts that are sent to and can be actioned by your team. Ensure that alerts include relevant information for the team to take action. For each detective mechanism you have, you should also have a process, in the form of a runbook or playbook, to investigate. For example, when you enable Amazon GuardDuty, it generates different findings. 
You should have a runbook entry for each finding type, for example, if a trojan is discovered, your runbook has simple instructions that instruct someone to investigate and remediate.","checks_status": {"fail": 1,"pass": 3,"total": 20,"manual": 0}},"SEC05-BP01": {"name": "SEC05-BP01","checks": {"cloudfront_distributions_using_waf": null,"apigateway_restapi_waf_acl_attached": "FAIL","eks_cluster_not_publicly_accessible": null,"sagemaker_models_vpc_settings_configured": null,"vpc_endpoint_connections_trust_boundaries": "FAIL","awslambda_function_not_publicly_accessible": "PASS","sagemaker_models_network_isolation_enabled": null,"sagemaker_training_jobs_vpc_settings_configured": null,"sagemaker_training_jobs_network_isolation_enabled": null,"opensearch_service_domains_not_publicly_accessible": null,"sagemaker_notebook_instance_vpc_settings_configured": null,"vpc_endpoint_services_allowed_principals_trust_boundaries": null},"status": "FAIL","attributes": [{"Name": "SEC05-BP01 Create network layers","Section": "Infrastructure protection","SubSection": "Protecting networks","Description": "Group components that share reachability requirements into layers. For example, a database cluster in a virtual private cloud (VPC) with no need for internet access should be placed in subnets with no route to or from the internet. In a serverless workload operating without a VPC, similar layering and segmentation with microservices can achieve the same goal. Components such as Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) database clusters, and AWS Lambda functions that share reachability requirements can be segmented into layers formed by subnets. For example, an Amazon RDS database cluster in a VPC with no need for internet access should be placed in subnets with no route to or from the internet. This layered approach for the controls mitigates the impact of a single layer misconfiguration, which could allow unintended access. 
For Lambda, you can run your functions in your VPC to take advantage of VPC-based controls. For network connectivity that can include thousands of VPCs, AWS accounts, and on-premises networks, you should use AWS Transit Gateway. It acts as a hub that controls how traffic is routed among all the connected networks, which act like spokes. Traffic between an Amazon Virtual Private Cloud and AWS Transit Gateway remains on the AWS private network, which reduces external threat vectors such as distributed denial of service (DDoS) attacks and common exploits, such as SQL injection, cross-site scripting, cross-site request forgery, or abuse of broken authentication code. AWS Transit Gateway inter-region peering also encrypts inter-region traffic with no single point of failure or bandwidth bottleneck.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_create_layers.html#implementation-guidance.","WellArchitectedPracticeId": "sec_network_protection_create_layers","WellArchitectedQuestionId": "network-protection"}],"description": "Group components that share reachability requirements into layers. For example, a database cluster in a virtual private cloud (VPC) with no need for internet access should be placed in subnets with no route to or from the internet. In a serverless workload operating without a VPC, similar layering and segmentation with microservices can achieve the same goal. Components such as Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) database clusters, and AWS Lambda functions that share reachability requirements can be segmented into layers formed by subnets. For example, an Amazon RDS database cluster in a VPC with no need for internet access should be placed in subnets with no route to or from the internet. 
This layered approach for the controls mitigates the impact of a single layer misconfiguration, which could allow unintended access. For Lambda, you can run your functions in your VPC to take advantage of VPC-based controls. For network connectivity that can include thousands of VPCs, AWS accounts, and on-premises networks, you should use AWS Transit Gateway. It acts as a hub that controls how traffic is routed among all the connected networks, which act like spokes. Traffic between an Amazon Virtual Private Cloud and AWS Transit Gateway remains on the AWS private network, which reduces external threat vectors such as distributed denial of service (DDoS) attacks and common exploits, such as SQL injection, cross-site scripting, cross-site request forgery, or abuse of broken authentication code. AWS Transit Gateway inter-region peering also encrypts inter-region traffic with no single point of failure or bandwidth bottleneck.","checks_status": {"fail": 2,"pass": 1,"total": 12,"manual": 0}},"SEC05-BP02": {"name": "SEC05-BP02","checks": {"ec2_ebs_public_snapshot": "PASS","s3_bucket_no_mfa_delete": "FAIL","s3_bucket_acl_prohibited": "FAIL","apigatewayv2_api_authorizers_enabled": "FAIL","apigateway_restapi_authorizers_enabled": "PASS","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Name": "SEC05-BP02 Control traffic at all layers","Section": "Infrastructure protection","SubSection": "Protecting networks","Description": "When architecting your network topology, you should examine the connectivity requirements of each component. For example, if a component requires internet accessibility (inbound and outbound), connectivity to VPCs, edge services, and external data centers. A VPC allows you to define your network topology that spans an AWS Region with a private IPv4 address range that you set, or an IPv6 address range AWS selects. 
You should apply multiple controls with a defense in depth approach for both inbound and outbound traffic, including the use of security groups (stateful inspection firewall), Network ACLs, subnets, and route tables. Within a VPC, you can create subnets in an Availability Zone. Each subnet can have an associated route table that defines routing rules for managing the paths that traffic takes within the subnet. You can define an internet routable subnet by having a route that goes to an internet or NAT gateway attached to the VPC, or through another VPC. When an instance, Amazon Relational Database Service(Amazon RDS) database, or other service is launched within a VPC, it has its own security group per network interface. This firewall is outside the operating system layer and can be used to define rules for allowed inbound and outbound traffic. You can also define relationships between security groups. For example, instances within a database tier security group only accept traffic from instances within the application tier, by reference to the security groups applied to the instances involved. Unless you are using non-TCP protocols, it shouldn't be necessary to have an Amazon Elastic Compute Cloud(Amazon EC2) instance directly accessible by the internet (even with ports restricted by security groups) without a load balancer, or CloudFront. This helps protect it from unintended access through an operating system or application issue. A subnet can also have a network ACL attached to it, which acts as a stateless firewall. You should configure the network ACL to narrow the scope of traffic allowed between layers, note that you need to define both inbound and outbound rules. Some AWS services require components to access the internet for making API calls, where AWS API endpoints are located. Other AWS services use VPC endpoints within your Amazon VPCs. 
Many AWS services, including Amazon S3 and Amazon DynamoDB, support VPC endpoints, and this technology has been generalized in AWS PrivateLink. We recommend you use this approach to access AWS services, third-party services, and your own services hosted in other VPCs securely. All network traffic on AWS PrivateLink stays on the global AWS backbone and never traverses the internet. Connectivity can only be initiated by the consumer of the service, and not by the provider of the service. Using AWS PrivateLink for external service access allows you to create air-gapped VPCs with no internet access and helps protect your VPCs from external threat vectors. Third-party services can use AWS PrivateLink to allow their customers to connect to the services from their VPCs over private IP addresses. For VPC assets that need to make outbound connections to the internet, these can be made outbound only (one-way) through an AWS managed NAT gateway, outbound only internet gateway, or web proxies that you create and manage.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_layered.html#implementation-guidance.","WellArchitectedPracticeId": "sec_network_protection_layered","WellArchitectedQuestionId": "network-protection"}],"description": "When architecting your network topology, you should examine the connectivity requirements of each component. For example, if a component requires internet accessibility (inbound and outbound), connectivity to VPCs, edge services, and external data centers. A VPC allows you to define your network topology that spans an AWS Region with a private IPv4 address range that you set, or an IPv6 address range AWS selects. 
You should apply multiple controls with a defense in depth approach for both inbound and outbound traffic, including the use of security groups (stateful inspection firewall), Network ACLs, subnets, and route tables. Within a VPC, you can create subnets in an Availability Zone. Each subnet can have an associated route table that defines routing rules for managing the paths that traffic takes within the subnet. You can define an internet routable subnet by having a route that goes to an internet or NAT gateway attached to the VPC, or through another VPC. When an instance, Amazon Relational Database Service(Amazon RDS) database, or other service is launched within a VPC, it has its own security group per network interface. This firewall is outside the operating system layer and can be used to define rules for allowed inbound and outbound traffic. You can also define relationships between security groups. For example, instances within a database tier security group only accept traffic from instances within the application tier, by reference to the security groups applied to the instances involved. Unless you are using non-TCP protocols, it shouldn't be necessary to have an Amazon Elastic Compute Cloud(Amazon EC2) instance directly accessible by the internet (even with ports restricted by security groups) without a load balancer, or CloudFront. This helps protect it from unintended access through an operating system or application issue. A subnet can also have a network ACL attached to it, which acts as a stateless firewall. You should configure the network ACL to narrow the scope of traffic allowed between layers, note that you need to define both inbound and outbound rules. Some AWS services require components to access the internet for making API calls, where AWS API endpoints are located. Other AWS services use VPC endpoints within your Amazon VPCs. 
Many AWS services, including Amazon S3 and Amazon DynamoDB, support VPC endpoints, and this technology has been generalized in AWS PrivateLink. We recommend you use this approach to access AWS services, third-party services, and your own services hosted in other VPCs securely. All network traffic on AWS PrivateLink stays on the global AWS backbone and never traverses the internet. Connectivity can only be initiated by the consumer of the service, and not by the provider of the service. Using AWS PrivateLink for external service access allows you to create air-gapped VPCs with no internet access and helps protect your VPCs from external threat vectors. Third-party services can use AWS PrivateLink to allow their customers to connect to the services from their VPCs over private IP addresses. For VPC assets that need to make outbound connections to the internet, these can be made outbound only (one-way) through an AWS managed NAT gateway, outbound only internet gateway, or web proxies that you create and manage.","checks_status": {"fail": 4,"pass": 2,"total": 7,"manual": 0}},"SEC05-BP03": {"name": "SEC05-BP03","checks": {"elbv2_waf_acl_attached": "FAIL","ec2_securitygroup_not_used": "FAIL","elbv2_desync_mitigation_mode": "FAIL","ec2_securitygroup_from_launch_wizard": "FAIL","route53_domains_transferlock_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","route53_domains_privacy_protection_enabled": null,"ec2_securitygroup_with_many_ingress_egress_rules": "PASS","shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": 
null,"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","shield_advanced_protection_in_internet_facing_load_balancers": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC05-BP03 Automate network protections","Section": "Infrastructure protection","SubSection": "Protecting networks","Description": "Automate protection mechanisms to provide a self-defending network based on threat intelligence and anomaly detection. For example, intrusion detection and prevention tools that can adapt to current threats and reduce their impact. 
A web application firewall is an example of where you can automate network protection, for example, by using the AWS WAF Security Automations solution (https://github.com/awslabs/aws-waf-security-automations) to automatically block requests originating from IP addresses associated with known threat actors.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_auto_protect.html#implementation-guidance.","WellArchitectedPracticeId": "sec_network_protection_auto_protect","WellArchitectedQuestionId": "network-protection"}],"description": "Automate protection mechanisms to provide a self-defending network based on threat intelligence and anomaly detection. For example, intrusion detection and prevention tools that can adapt to current threats and reduce their impact. A web application firewall is an example of where you can automate network protection, for example, by using the AWS WAF Security Automations solution (https://github.com/awslabs/aws-waf-security-automations) to automatically block requests originating from IP addresses associated with known threat actors.","checks_status": {"fail": 8,"pass": 16,"total": 33,"manual": 0}},"SEC05-BP04": {"name": "SEC05-BP04","checks": {"guardduty_is_enabled": "PASS","vpc_flow_logs_enabled": "FAIL","apigateway_restapi_authorizers_enabled": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC05-BP04 Implement inspection and protection","Section": "Infrastructure protection","SubSection": "Protecting networks","Description": "Inspect and filter your traffic at each layer. You can inspect your VPC configurations for potential unintended access using VPC Network Access Analyzer. You can specify your network access requirements and identify potential network paths that do not meet them. For components transacting over HTTP-based protocols, a web application firewall can help protect from common attacks. 
AWS WAF is a web application firewall that lets you monitor and block HTTP(s) requests that match your configurable rules that are forwarded to an Amazon API Gateway API, Amazon CloudFront, or an Application Load Balancer. To get started with AWS WAF, you can use AWS Managed Rules in combination with your own, or use existing partner integrations. For managing AWS WAF, AWS Shield Advanced protections, and Amazon VPC security groups across AWS Organizations, you can use AWS Firewall Manager. It allows you to centrally configure and manage firewall rules across your accounts and applications, making it easier to scale enforcement of common rules. It also enables you to rapidly respond to attacks, using AWS Shield Advanced, or solutions that can automatically block unwanted requests to your web applications. Firewall Manager also works with AWS Network Firewall. AWS Network Firewall is a managed service that uses a rules engine to give you fine-grained control over both stateful and stateless network traffic. It supports the Suricata compatible open source intrusion prevention system (IPS) specifications for rules to help protect your workload.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_inspection.html#implementation-guidance.","WellArchitectedPracticeId": "sec_network_protection_inspection","WellArchitectedQuestionId": "network-protection"}],"description": "Inspect and filter your traffic at each layer. You can inspect your VPC configurations for potential unintended access using VPC Network Access Analyzer. You can specify your network access requirements and identify potential network paths that do not meet them. For components transacting over HTTP-based protocols, a web application firewall can help protect from common attacks. 
AWS WAF is a web application firewall that lets you monitor and block HTTP(s) requests that match your configurable rules that are forwarded to an Amazon API Gateway API, Amazon CloudFront, or an Application Load Balancer. To get started with AWS WAF, you can use AWS Managed Rules in combination with your own, or use existing partner integrations. For managing AWS WAF, AWS Shield Advanced protections, and Amazon VPC security groups across AWS Organizations, you can use AWS Firewall Manager. It allows you to centrally configure and manage firewall rules across your accounts and applications, making it easier to scale enforcement of common rules. It also enables you to rapidly respond to attacks, using AWS Shield Advanced, or solutions that can automatically block unwanted requests to your web applications. Firewall Manager also works with AWS Network Firewall. AWS Network Firewall is a managed service that uses a rules engine to give you fine-grained control over both stateful and stateless network traffic. It supports the Suricata compatible open source intrusion prevention system (IPS) specifications for rules to help protect your workload.","checks_status": {"fail": 1,"pass": 2,"total": 3,"manual": 0}},"SEC06-BP01": {"name": "SEC06-BP01","checks": {"ec2_instance_imdsv2_enabled": "PASS","ssm_managed_compliant_patching": "FAIL","redshift_cluster_automatic_upgrades": null,"cloudtrail_log_file_validation_enabled": "FAIL","rds_instance_minor_version_upgrade_enabled": "PASS","ec2_instance_internet_facing_with_instance_profile": "FAIL","opensearch_service_domains_updated_to_the_latest_service_software_version": null},"status": "FAIL","attributes": [{"Name": "SEC06-BP01 Perform vulnerability management","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Frequently scan and patch for vulnerabilities in your code, dependencies, and in your infrastructure to help protect against new threats. 
Starting with the configuration of your compute infrastructure, you can automate creating and updating resources using AWS CloudFormation. CloudFormation allows you to create templates written in YAML or JSON, either using AWS examples or by writing your own. This allows you to create secure-by-default infrastructure templates that you can verify with CloudFormation Guard, to save you time and reduce the risk of configuration error. You can build your infrastructure and deploy your applications using continuous delivery, for example with AWS CodePipeline, to automate the building, testing, and release. You are responsible for patch management for your AWS resources, including Amazon Elastic Compute Cloud(Amazon EC2) instances, Amazon Machine Images (AMIs), and many other compute resources. For Amazon EC2 instances, AWS Systems Manager Patch Manager automates the process of patching managed instances with both security related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for Microsoft applications.) You can use Patch Manager to install Service Packs on Windows instances and perform minor version upgrades on Linux instances. You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows Server, Amazon Linux, Amazon Linux 2, CentOS, Debian Server, Oracle Linux, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Ubuntu Server. 
You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_inspection.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_vulnerability_management","WellArchitectedQuestionId": "protect-compute"}],"description": "Frequently scan and patch for vulnerabilities in your code, dependencies, and in your infrastructure to help protect against new threats. Starting with the configuration of your compute infrastructure, you can automate creating and updating resources using AWS CloudFormation. CloudFormation allows you to create templates written in YAML or JSON, either using AWS examples or by writing your own. This allows you to create secure-by-default infrastructure templates that you can verify with CloudFormation Guard, to save you time and reduce the risk of configuration error. You can build your infrastructure and deploy your applications using continuous delivery, for example with AWS CodePipeline, to automate the building, testing, and release. You are responsible for patch management for your AWS resources, including Amazon Elastic Compute Cloud(Amazon EC2) instances, Amazon Machine Images (AMIs), and many other compute resources. For Amazon EC2 instances, AWS Systems Manager Patch Manager automates the process of patching managed instances with both security related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for Microsoft applications.) You can use Patch Manager to install Service Packs on Windows instances and perform minor version upgrades on Linux instances. 
You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows Server, Amazon Linux, Amazon Linux 2, CentOS, Debian Server, Oracle Linux, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Ubuntu Server. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.","checks_status": {"fail": 3,"pass": 2,"total": 7,"manual": 0}},"SEC06-BP02": {"name": "SEC06-BP02","checks": {"awslambda_function_not_publicly_accessible": "PASS","ecr_repositories_scan_images_on_push_enabled": "FAIL"},"status": "FAIL","attributes": [{"Name": "SEC06-BP02 Reduce attack surface","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Reduce your exposure to unintended access by hardening operating systems and minimizing the components, libraries, and externally consumable services in use. Start by reducing unused components, whether they are operating system packages or applications, for Amazon Elastic Compute Cloud (Amazon EC2)-based workloads, or external software modules in your code, for all workloads. You can find many hardening and security configuration guides for common operating systems and server software. For example, you can start with the Center for Internet Security and iterate.In Amazon EC2, you can create your own Amazon Machine Images (AMIs), which you have patched and hardened, to help you meet the specific security requirements for your organization. The patches and other security controls you apply on the AMI are effective at the point in time in which they were created—they are not dynamic unless you modify after launching, for example, with AWS Systems Manager.You can simplify the process of building secure AMIs with EC2 Image Builder. 
EC2 Image Builder significantly reduces the effort required to create and maintain golden images without writing and maintaining automation. When software updates become available, Image Builder automatically produces a new image without requiring users to manually initiate image builds. EC2 Image Builder allows you to easily validate the functionality and security of your images before using them in production with AWS-provided tests and your own tests. You can also apply AWS-provided security settings to further secure your images to meet internal security criteria. For example, you can produce images that conform to the Security Technical Implementation Guide (STIG) standard using AWS-provided templates.Using third-party static code analysis tools, you can identify common security issues such as unchecked function input bounds, as well as applicable common vulnerabilities and exposures (CVEs). You can use Amazon CodeGuru for supported languages. Dependency checking tools can also be used to determine whether libraries your code links against are the latest versions, are themselves free of CVEs, and have licensing conditions that meet your software policy requirements.Using Amazon Inspector, you can perform configuration assessments against your instances for known CVEs, assess against security benchmarks, and automate the notification of defects. Amazon Inspector runs on production instances or in a build pipeline, and it notifies developers and engineers when findings are present. You can access findings programmatically and direct your team to backlogs and bug-tracking systems. EC2 Image Builder can be used to maintain server images (AMIs) with automated patching, AWS-provided security policy enforcement, and other customizations. 
When using containers implement ECR Image Scanning in your build pipeline and on a regular basis against your image repository to look for CVEs in your containers.While Amazon Inspector and other tools are effective at identifying configurations and any CVEs that are present, other methods are required to test your workload at the application level. Fuzzing is a well-known method of finding bugs using automation to inject malformed data into input fields and other areas of your application.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_reduce_surface.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_reduce_surface","WellArchitectedQuestionId": "protect-compute"}],"description": "Reduce your exposure to unintended access by hardening operating systems and minimizing the components, libraries, and externally consumable services in use. Start by reducing unused components, whether they are operating system packages or applications, for Amazon Elastic Compute Cloud (Amazon EC2)-based workloads, or external software modules in your code, for all workloads. You can find many hardening and security configuration guides for common operating systems and server software. For example, you can start with the Center for Internet Security and iterate.In Amazon EC2, you can create your own Amazon Machine Images (AMIs), which you have patched and hardened, to help you meet the specific security requirements for your organization. The patches and other security controls you apply on the AMI are effective at the point in time in which they were created—they are not dynamic unless you modify after launching, for example, with AWS Systems Manager.You can simplify the process of building secure AMIs with EC2 Image Builder. 
EC2 Image Builder significantly reduces the effort required to create and maintain golden images without writing and maintaining automation. When software updates become available, Image Builder automatically produces a new image without requiring users to manually initiate image builds. EC2 Image Builder allows you to easily validate the functionality and security of your images before using them in production with AWS-provided tests and your own tests. You can also apply AWS-provided security settings to further secure your images to meet internal security criteria. For example, you can produce images that conform to the Security Technical Implementation Guide (STIG) standard using AWS-provided templates.Using third-party static code analysis tools, you can identify common security issues such as unchecked function input bounds, as well as applicable common vulnerabilities and exposures (CVEs). You can use Amazon CodeGuru for supported languages. Dependency checking tools can also be used to determine whether libraries your code links against are the latest versions, are themselves free of CVEs, and have licensing conditions that meet your software policy requirements.Using Amazon Inspector, you can perform configuration assessments against your instances for known CVEs, assess against security benchmarks, and automate the notification of defects. Amazon Inspector runs on production instances or in a build pipeline, and it notifies developers and engineers when findings are present. You can access findings programmatically and direct your team to backlogs and bug-tracking systems. EC2 Image Builder can be used to maintain server images (AMIs) with automated patching, AWS-provided security policy enforcement, and other customizations. 
When using containers implement ECR Image Scanning in your build pipeline and on a regular basis against your image repository to look for CVEs in your containers.While Amazon Inspector and other tools are effective at identifying configurations and any CVEs that are present, other methods are required to test your workload at the application level. Fuzzing is a well-known method of finding bugs using automation to inject malformed data into input fields and other areas of your application.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"SEC06-BP03": {"name": "SEC06-BP03","checks": {},"status": "PASS","attributes": [{"Name": "SEC06-BP03 Implement managed services","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Implement services that manage resources, such as Amazon Relational Database Service (Amazon RDS), AWS Lambda, and Amazon Elastic Container Service (Amazon ECS), to reduce your security maintenance tasks as part of the shared responsibility model. For example, Amazon RDS helps you set up, operate, and scale a relational database, automates administration tasks such as hardware provisioning, database setup, patching, and backups. This means you have more free time to focus on securing your application in other ways described in the AWS Well-Architected Framework. 
Lambda lets you run code without provisioning or managing servers, so you only need to focus on the connectivity, invocation, and security at the code level–not the infrastructure or operating system.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_implement_managed_services.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_implement_managed_services","WellArchitectedQuestionId": "protect-compute"}],"description": "Implement services that manage resources, such as Amazon Relational Database Service (Amazon RDS), AWS Lambda, and Amazon Elastic Container Service (Amazon ECS), to reduce your security maintenance tasks as part of the shared responsibility model. For example, Amazon RDS helps you set up, operate, and scale a relational database, automates administration tasks such as hardware provisioning, database setup, patching, and backups. This means you have more free time to focus on securing your application in other ways described in the AWS Well-Architected Framework. Lambda lets you run code without provisioning or managing servers, so you only need to focus on the connectivity, invocation, and security at the code level–not the infrastructure or operating system.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC06-BP04": {"name": "SEC06-BP04","checks": {"ec2_instance_managed_by_ssm": "FAIL","ec2_instance_profile_attached": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC06-BP04 Automate compute protection","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Automate your protective compute mechanisms including vulnerability management, reduction in attack surface, and management of resources. 
The automation will help you invest time in securing other aspects of your workload, and reduce the risk of human error.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_auto_protection.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_auto_protection","WellArchitectedQuestionId": "protect-compute"}],"description": "Automate your protective compute mechanisms including vulnerability management, reduction in attack surface, and management of resources. The automation will help you invest time in securing other aspects of your workload, and reduce the risk of human error.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"SEC06-BP05": {"name": "SEC06-BP05","checks": {"ec2_instance_managed_by_ssm": "FAIL","ec2_instance_profile_attached": "PASS"},"status": "FAIL","attributes": [{"Name": "SEC06-BP05 Enable people to perform actions at a distance","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Removing the ability for interactive access reduces the risk of human error, and the potential for manual configuration or management. For example, use a change management workflow to deploy Amazon Elastic Compute Cloud (Amazon EC2) instances using infrastructure-as-code, then manage Amazon EC2 instances using tools such as AWS Systems Manager instead of allowing direct access or through a bastion host. AWS Systems Manager can automate a variety of maintenance and deployment tasks, using features including automation workflows, documents (playbooks), and the run command. 
AWS CloudFormation stacks build from pipelines and can automate your infrastructure deployment and management tasks without using the AWS Management Console or APIs directly.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_actions_distance.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_actions_distance","WellArchitectedQuestionId": "protect-compute"}],"description": "Removing the ability for interactive access reduces the risk of human error, and the potential for manual configuration or management. For example, use a change management workflow to deploy Amazon Elastic Compute Cloud (Amazon EC2) instances using infrastructure-as-code, then manage Amazon EC2 instances using tools such as AWS Systems Manager instead of allowing direct access or through a bastion host. AWS Systems Manager can automate a variety of maintenance and deployment tasks, using features including automation workflows, documents (playbooks), and the run command. AWS CloudFormation stacks build from pipelines and can automate your infrastructure deployment and management tasks without using the AWS Management Console or APIs directly.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"SEC06-BP06": {"name": "SEC06-BP06","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Name": "SEC06-BP06 Validate software integrity","Section": "Infrastructure protection","SubSection": "Protecting compute","Description": "Implement mechanisms (for example, code signing) to validate that the software, code and libraries used in the workload are from trusted sources and have not been tampered with. For example, you should verify the code signing certificate of binaries and scripts to confirm the author, and ensure it has not been tampered with since created by the author. 
AWS Signer can help ensure the trust and integrity of your code by centrally managing the code- signing lifecycle, including signing certification and public and private keys. You can learn how to use advanced patterns and best practices for code signing with AWS Lambda. Additionally, a checksum of software that you download, compared to that of the checksum from the provider, can help ensure it has not been tampered with.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_validate_software_integrity.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_compute_validate_software_integrity","WellArchitectedQuestionId": "protect-compute"}],"description": "Implement mechanisms (for example, code signing) to validate that the software, code and libraries used in the workload are from trusted sources and have not been tampered with. For example, you should verify the code signing certificate of binaries and scripts to confirm the author, and ensure it has not been tampered with since created by the author. AWS Signer can help ensure the trust and integrity of your code by centrally managing the code- signing lifecycle, including signing certification and public and private keys. You can learn how to use advanced patterns and best practices for code signing with AWS Lambda. 
Additionally, a checksum of software that you download, compared to that of the checksum from the provider, can help ensure it has not been tampered with.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"SEC07-BP01": {"name": "SEC07-BP01","checks": {},"status": "PASS","attributes": [{"Name": "SEC07-BP01 Identify the data within your workload","Section": "Data protection","SubSection": "Data classification","Description": "It’s critical to understand the type and classification of data your workload is processing, the associated business processes, where the data is stored, and who is the data owner. You should also have an understanding of the applicable legal and compliance requirements of your workload, and what data controls need to be enforced. Identifying data is the first step in the data classification journey.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_data_classification_identify_data.html#implementation-guidance.","WellArchitectedPracticeId": "sec_data_classification_identify_data","WellArchitectedQuestionId": "data-classification"}],"description": "It’s critical to understand the type and classification of data your workload is processing, the associated business processes, where the data is stored, and who is the data owner. You should also have an understanding of the applicable legal and compliance requirements of your workload, and what data controls need to be enforced. Identifying data is the first step in the data classification journey.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC07-BP02": {"name": "SEC07-BP02","checks": {},"status": "PASS","attributes": [{"Name": "SEC07-BP02 Define data protection controls","Section": "Data protection","SubSection": "Data classification","Description": "Protect data according to its classification level. 
For example, secure data classified as public by using relevant recommendations while protecting sensitive data with additional controls.By using resource tags, separate AWS accounts per sensitivity (and potentially also for each caveat, enclave, or community of interest), IAM policies, AWS Organizations SCPs, AWS Key Management Service (AWS KMS), and AWS CloudHSM, you can define and implement your policies for data classification and protection with encryption. For example, if you have a project with S3 buckets that contain highly critical data or Amazon Elastic Compute Cloud (Amazon EC2) instances that process confidential data, they can be tagged with a Project=ABC tag. Only your immediate team knows what the project code means, and it provides a way to use attribute-based access control. You can define levels of access to the AWS KMS encryption keys through key policies and grants to ensure that only appropriate services have access to the sensitive content through a secure mechanism. If you are making authorization decisions based on tags you should make sure that the permissions on the tags are defined appropriately using tag policies in AWS Organizations.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_data_classification_define_protection.html#implementation-guidance.","WellArchitectedPracticeId": "sec_data_classification_define_protection","WellArchitectedQuestionId": "data-classification"}],"description": "Protect data according to its classification level. 
For example, secure data classified as public by using relevant recommendations while protecting sensitive data with additional controls.By using resource tags, separate AWS accounts per sensitivity (and potentially also for each caveat, enclave, or community of interest), IAM policies, AWS Organizations SCPs, AWS Key Management Service (AWS KMS), and AWS CloudHSM, you can define and implement your policies for data classification and protection with encryption. For example, if you have a project with S3 buckets that contain highly critical data or Amazon Elastic Compute Cloud (Amazon EC2) instances that process confidential data, they can be tagged with a Project=ABC tag. Only your immediate team knows what the project code means, and it provides a way to use attribute-based access control. You can define levels of access to the AWS KMS encryption keys through key policies and grants to ensure that only appropriate services have access to the sensitive content through a secure mechanism. If you are making authorization decisions based on tags you should make sure that the permissions on the tags are defined appropriately using tag policies in AWS Organizations.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC07-BP03": {"name": "SEC07-BP03","checks": {},"status": "PASS","attributes": [{"Name": "SEC07-BP03 Automate identification and classification","Section": "Data protection","SubSection": "Data classification","Description": "Automating the identification and classification of data can help you implement the correct controls. Using automation for this instead of direct access from a person reduces the risk of human error and exposure. You should evaluate using a tool, such as Amazon Macie, that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. 
Amazon Macie recognizes sensitive data, such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_data_classification_auto_classification.html#implementation-guidance.","WellArchitectedPracticeId": "sec_data_classification_auto_classification","WellArchitectedQuestionId": "data-classification"}],"description": "Automating the identification and classification of data can help you implement the correct controls. Using automation for this instead of direct access from a person reduces the risk of human error and exposure. You should evaluate using a tool, such as Amazon Macie, that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data, such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC07-BP04": {"name": "SEC07-BP04","checks": {},"status": "PASS","attributes": [{"Name": "SEC07-BP04 Define data lifecycle management","Section": "Data protection","SubSection": "Data classification","Description": "Your defined lifecycle strategy should be based on sensitivity level as well as legal and organization requirements. Aspects including the duration for which you retain data, data destruction processes, data access management, data transformation, and data sharing should be considered. When choosing a data classification methodology, balance usability versus access. You should also accommodate the multiple levels of access and nuances for implementing a secure, but still usable, approach for each level. 
Always use a defense in depth approach and reduce human access to data and mechanisms for transforming, deleting, or copying data. For example, require users to strongly authenticate to an application, and give the application, rather than the users, the requisite access permission to perform action at a distance. In addition, ensure that users come from a trusted network path and require access to the decryption keys. Use tools, such as dashboards and automated reporting, to give users information from the data rather than giving them direct access to the data.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_data_classification_lifecycle_management.html#implementation-guidance.","WellArchitectedPracticeId": "sec_data_classification_lifecycle_management","WellArchitectedQuestionId": "data-classification"}],"description": "Your defined lifecycle strategy should be based on sensitivity level as well as legal and organization requirements. Aspects including the duration for which you retain data, data destruction processes, data access management, data transformation, and data sharing should be considered. When choosing a data classification methodology, balance usability versus access. You should also accommodate the multiple levels of access and nuances for implementing a secure, but still usable, approach for each level. Always use a defense in depth approach and reduce human access to data and mechanisms for transforming, deleting, or copying data. For example, require users to strongly authenticate to an application, and give the application, rather than the users, the requisite access permission to perform action at a distance. In addition, ensure that users come from a trusted network path and require access to the decryption keys. 
Use tools, such as dashboards and automated reporting, to give users information from the data rather than giving them direct access to the data.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC08-BP01": {"name": "SEC08-BP01","checks": {"kms_cmk_are_used": null},"status": "PASS","attributes": [{"Name": "SEC08-BP01 Implement secure key management","Section": "Data protection","SubSection": "Protecting data at rest","Description": "By defining an encryption approach that includes the storage, rotation, and access control of keys, you can help provide protection for your content against unauthorized users and against unnecessary exposure to authorized users. AWS Key Management Service (AWS KMS) helps you manage encryption keys and integrates with many AWS services. This service provides durable, secure, and redundant storage for your AWS KMS keys. You can define your key aliases as well as key-level policies. The policies help you define key administrators as well as key users. Additionally, AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys in the AWS Cloud. It helps you meet corporate, contractual, and regulatory compliance requirements for data security by using FIPS 140-2 Level 3 validated HSMs.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_key_mgmt.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_rest_key_mgmt","WellArchitectedQuestionId": "protect-data-rest"}],"description": "By defining an encryption approach that includes the storage, rotation, and access control of keys, you can help provide protection for your content against unauthorized users and against unnecessary exposure to authorized users. AWS Key Management Service (AWS KMS) helps you manage encryption keys and integrates with many AWS services. 
This service provides durable, secure, and redundant storage for your AWS KMS keys. You can define your key aliases as well as key-level policies. The policies help you define key administrators as well as key users. Additionally, AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys in the AWS Cloud. It helps you meet corporate, contractual, and regulatory compliance requirements for data security by using FIPS 140-2 Level 3 validated HSMs.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"SEC08-BP02": {"name": "SEC08-BP02","checks": {"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","ec2_ebs_snapshots_encrypted": "FAIL","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","workspaces_volume_encryption_enabled": null,"glue_database_connections_ssl_enabled": null,"sqs_queues_server_side_encryption_enabled": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"glue_etl_jobs_amazon_s3_encryption_enabled": "PASS","cloudwatch_log_group_kms_encryption_enabled": "FAIL","glue_etl_jobs_job_bookmark_encryption_enabled": "FAIL","glue_data_catalogs_metadata_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"glue_development_endpoints_s3_encryption_enabled": null,"glue_etl_jobs_cloudwatch_logs_encryption_enabled": "FAIL","eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"sagemaker_training_jobs_intercontainer_encryption_enabled": null,"glue_data_catalogs_connection_passwords_encryption_enabled": "FAIL","glue_development_endpoints_job_bookmark_encryption_enabled": null,"sagemaker_training_jobs_volume_and_output_encryption_enabled": null,"glue_development_endpoints_cloudwatch_logs_encryption_enabled": null},"status": 
"FAIL","attributes": [{"Name": "SEC08-BP02 Enforce encryption at rest","Section": "Data protection","SubSection": "Protecting data at rest","Description": "You should ensure that the only way to store data is by using encryption. AWS Key Management Service (AWS KMS) integrates seamlessly with many AWS services to make it easier for you to encrypt all your data at rest. For example, in Amazon Simple Storage Service (Amazon S3), you can set default encryption on a bucket so that all new objects are automatically encrypted. Additionally, Amazon Elastic Compute Cloud (Amazon EC2) and Amazon S3 support the enforcement of encryption by setting default encryption. You can use AWS Config Rules to check automatically that you are using encryption, for example, for Amazon Elastic Block Store (Amazon EBS) volumes, Amazon Relational Database Service (Amazon RDS) instances, and Amazon S3 buckets.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_encrypt.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_rest_encrypt","WellArchitectedQuestionId": "protect-data-rest"}],"description": "You should ensure that the only way to store data is by using encryption. AWS Key Management Service (AWS KMS) integrates seamlessly with many AWS services to make it easier for you to encrypt all your data at rest. For example, in Amazon Simple Storage Service (Amazon S3), you can set default encryption on a bucket so that all new objects are automatically encrypted. Additionally, Amazon Elastic Compute Cloud (Amazon EC2) and Amazon S3 support the enforcement of encryption by setting default encryption. 
You can use AWS Config Rules to check automatically that you are using encryption, for example, for Amazon Elastic Block Store (Amazon EBS) volumes, Amazon Relational Database Service (Amazon RDS) instances, and Amazon S3 buckets.","checks_status": {"fail": 9,"pass": 4,"total": 25,"manual": 0}},"SEC08-BP03": {"name": "SEC08-BP03","checks": {"s3_bucket_default_encryption": "PASS","sagemaker_notebook_instance_encryption_enabled": null},"status": "PASS","attributes": [{"Name": "SEC08-BP03 Automate data at rest protection","Section": "Data protection","SubSection": "Protecting data at rest","Description": "Use automated tools to validate and enforce data at rest controls continuously, for example, verify that there are only encrypted storage resources. You can automate validation that all EBS volumes are encrypted using AWS Config Rules. AWS Security Hub can also verify several different controls through automated checks against security standards. Additionally, your AWS Config Rules can automatically remediate noncompliant resources.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_automate_protection.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_rest_automate_protection","WellArchitectedQuestionId": "protect-data-rest"}],"description": "Use automated tools to validate and enforce data at rest controls continuously, for example, verify that there are only encrypted storage resources. You can automate validation that all EBS volumes are encrypted using AWS Config Rules. AWS Security Hub can also verify several different controls through automated checks against security standards. 
Additionally, your AWS Config Rules can automatically remediate noncompliant resources.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"SEC08-BP04": {"name": "SEC08-BP04","checks": {"s3_bucket_object_versioning": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","organizations_account_part_of_organizations": null},"status": "FAIL","attributes": [{"Name": "SEC08-BP04 Enforce access control","Section": "Data protection","SubSection": "Protecting data at rest","Description": "To help protect your data at rest, enforce access control using mechanisms, such as isolation and versioning, and apply the principle of least privilege. Prevent the granting of public access to your data.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_access_control.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_rest_access_control","WellArchitectedQuestionId": "protect-data-rest"}],"description": "To help protect your data at rest, enforce access control using mechanisms, such as isolation and versioning, and apply the principle of least privilege. Prevent the granting of public access to your data.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"SEC08-BP05": {"name": "SEC08-BP05","checks": {},"status": "PASS","attributes": [{"Name": "SEC08-BP05 Use mechanisms to keep people away from data","Section": "Data protection","SubSection": "Protecting data at rest","Description": "Keep all users away from directly accessing sensitive data and systems under normal operational circumstances. For example, use a change management workflow to manage Amazon Elastic Compute Cloud (Amazon EC2) instances using tools instead of allowing direct access or a bastion host. This can be achieved using AWS Systems Manager Automation, which uses automation documents that contain steps you use to perform tasks. 
These documents can be stored in source control, be peer reviewed before running, and tested thoroughly to minimize risk compared to shell access. Business users could have a dashboard instead of direct access to a data store to run queries. Where CI/CD pipelines are not used, determine which controls and processes are required to adequately provide a normally disabled break-glass access mechanism.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_use_people_away.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_rest_use_people_away","WellArchitectedQuestionId": "protect-data-rest"}],"description": "Keep all users away from directly accessing sensitive data and systems under normal operational circumstances. For example, use a change management workflow to manage Amazon Elastic Compute Cloud (Amazon EC2) instances using tools instead of allowing direct access or a bastion host. This can be achieved using AWS Systems Manager Automation, which uses automation documents that contain steps you use to perform tasks. These documents can be stored in source control, be peer reviewed before running, and tested thoroughly to minimize risk compared to shell access. Business users could have a dashboard instead of direct access to a data store to run queries. 
Where CI/CD pipelines are not used, determine which controls and processes are required to adequately provide a normally disabled break-glass access mechanism.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC09-BP01": {"name": "SEC09-BP01","checks": {"acm_certificates_expiration_check": "PASS","directoryservice_ldap_certificate_expiration": null},"status": "PASS","attributes": [{"Name": "SEC09-BP01 Implement secure key and certificate management","Section": "Data protection","SubSection": "Protecting data in transit","Description": "Store encryption keys and certificates securely and rotate them at appropriate time intervals with strict access control. The best way to accomplish this is to use a managed service, such as AWS Certificate Manager (ACM). It lets you easily provision, manage, and deploy public and private Transport Layer Security (TLS) certificates for use with AWS services and your internal connected resources. TLS certificates are used to secure network communications and establish the identity of websites over the internet as well as resources on private networks. ACM integrates with AWS resources, such as Elastic Load Balancers (ELBs), AWS distributions, and APIs on API Gateway, also handling automatic certificate renewals. If you use ACM to deploy a private root CA, both certificates and private keys can be provided by it for use in Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and so on.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_transit_key_cert_mgmt.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_transit_key_cert_mgmt","WellArchitectedQuestionId": "protect-data-transit"}],"description": "Store encryption keys and certificates securely and rotate them at appropriate time intervals with strict access control. 
The best way to accomplish this is to use a managed service, such as AWS Certificate Manager (ACM). It lets you easily provision, manage, and deploy public and private Transport Layer Security (TLS) certificates for use with AWS services and your internal connected resources. TLS certificates are used to secure network communications and establish the identity of websites over the internet as well as resources on private networks. ACM integrates with AWS resources, such as Elastic Load Balancers (ELBs), AWS distributions, and APIs on API Gateway, also handling automatic certificate renewals. If you use ACM to deploy a private root CA, both certificates and private keys can be provided by it for use in Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and so on.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"SEC09-BP02": {"name": "SEC09-BP02","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","elb_insecure_ssl_ciphers": "PASS","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_secure_transport_policy": "FAIL","cloudfront_distributions_https_enabled": null,"apigateway_restapi_client_certificate_enabled": "FAIL","cloudfront_distributions_field_level_encryption_enabled": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Name": "SEC09-BP02 Enforce encryption in transit","Section": "Data protection","SubSection": "Protecting data in transit","Description": "Enforce your defined encryption requirements based on appropriate standards and recommendations to help you meet your organizational, legal, and compliance requirements. AWS services provide HTTPS endpoints using TLS for communication, thus providing encryption in transit when communicating with the AWS APIs. 
Insecure protocols, such as HTTP, can be audited and blocked in a VPC through the use of security groups. HTTP requests can also be automatically redirected to HTTPS in Amazon CloudFront or on an Application Load Balancer. You have full control over your computing resources to implement encryption in transit across your services. Additionally, you can use VPN connectivity into your VPC from an external network to facilitate encryption of traffic. Third-party solutions are available in the AWS Marketplace, if you have special requirements.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_transit_encrypt.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_transit_encrypt","WellArchitectedQuestionId": "protect-data-transit"}],"description": "Enforce your defined encryption requirements based on appropriate standards and recommendations to help you meet your organizational, legal, and compliance requirements. AWS services provide HTTPS endpoints using TLS for communication, thus providing encryption in transit when communicating with the AWS APIs. Insecure protocols, such as HTTP, can be audited and blocked in a VPC through the use of security groups. HTTP requests can also be automatically redirected to HTTPS in Amazon CloudFront or on an Application Load Balancer. You have full control over your computing resources to implement encryption in transit across your services. Additionally, you can use VPN connectivity into your VPC from an external network to facilitate encryption of traffic. 
Third-party solutions are available in the AWS Marketplace, if you have special requirements.","checks_status": {"fail": 4,"pass": 2,"total": 11,"manual": 0}},"SEC09-BP03": {"name": "SEC09-BP03","checks": {},"status": "PASS","attributes": [{"Name": "SEC09-BP03 Automate detection of unintended data access","Section": "Data protection","SubSection": "Protecting data in transit","Description": "Use tools such as Amazon GuardDuty to automatically detect suspicious activity or attempts to move data outside of defined boundaries. For example, GuardDuty can detect Amazon Simple Storage Service (Amazon S3) read activity that is unusual with the Exfiltration:S3/AnomalousBehavior finding. In addition to GuardDuty, Amazon VPC Flow Logs, which capture network traffic information, can be used with Amazon EventBridge to trigger detection of abnormal connections–both successful and denied. Amazon S3 Access Analyzer can help assess what data is accessible to who in your Amazon S3 buckets.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_transit_auto_unintended_access.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_transit_auto_unintended_access","WellArchitectedQuestionId": "protect-data-transit"}],"description": "Use tools such as Amazon GuardDuty to automatically detect suspicious activity or attempts to move data outside of defined boundaries. For example, GuardDuty can detect Amazon Simple Storage Service (Amazon S3) read activity that is unusual with the Exfiltration:S3/AnomalousBehavior finding. In addition to GuardDuty, Amazon VPC Flow Logs, which capture network traffic information, can be used with Amazon EventBridge to trigger detection of abnormal connections–both successful and denied. 
Amazon S3 Access Analyzer can help assess what data is accessible to who in your Amazon S3 buckets.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC09-BP04": {"name": "SEC09-BP04","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Name": "SEC09-BP04 Authenticate network communications","Section": "Data protection","SubSection": "Protecting data in transit","Description": "Verify the identity of communications by using protocols that support authentication, such as Transport Layer Security (TLS) or IPsec. Using network protocols that support authentication, allows for trust to be established between the parties. This adds to the encryption used in the protocol to reduce the risk of communications being altered or intercepted. Common protocols that implement authentication include Transport Layer Security (TLS), which is used in many AWS services, and IPsec, which is used in AWS Virtual Private Network (AWS VPN).","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_transit_authentication.html#implementation-guidance.","WellArchitectedPracticeId": "sec_protect_data_transit_authentication","WellArchitectedQuestionId": "protect-data-transit"}],"description": "Verify the identity of communications by using protocols that support authentication, such as Transport Layer Security (TLS) or IPsec. Using network protocols that support authentication, allows for trust to be established between the parties. This adds to the encryption used in the protocol to reduce the risk of communications being altered or intercepted. 
Common protocols that implement authentication include Transport Layer Security (TLS), which is used in many AWS services, and IPsec, which is used in AWS Virtual Private Network (AWS VPN).","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"SEC10-BP01": {"name": "SEC10-BP01","checks": {"iam_support_role_created": null,"account_maintain_current_contact_details": null,"account_security_contact_information_is_registered": null,"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Name": "SEC10-BP01 Identify key personnel and external resources","Section": "Incident response","SubSection": "Prepare","Description": "Identify internal and external personnel, resources, and legal obligations that would help your organization respond to an incident.When you define your approach to incident response in the cloud, in unison with other teams (such as your legal counsel, leadership, business stakeholders, AWS Support Services, and others), you must identify key personnel, stakeholders, and relevant contacts. To reduce dependency and decrease response time, make sure that your team, specialist security teams, and responders are educated about the services that you use and have opportunities to practice hands-on.We encourage you to identify external AWS security partners that can provide you with outside expertise and a different perspective to augment your response capabilities. 
Your trusted security partners can help you identify potential risks or threats that you might not be familiar with.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_identify_personnel.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_identify_personnel","WellArchitectedQuestionId": "incident-response"}],"description": "Identify internal and external personnel, resources, and legal obligations that would help your organization respond to an incident.When you define your approach to incident response in the cloud, in unison with other teams (such as your legal counsel, leadership, business stakeholders, AWS Support Services, and others), you must identify key personnel, stakeholders, and relevant contacts. To reduce dependency and decrease response time, make sure that your team, specialist security teams, and responders are educated about the services that you use and have opportunities to practice hands-on.We encourage you to identify external AWS security partners that can provide you with outside expertise and a different perspective to augment your response capabilities. Your trusted security partners can help you identify potential risks or threats that you might not be familiar with.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"SEC10-BP02": {"name": "SEC10-BP02","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP02 Develop incident management plans","Section": "Incident response","SubSection": "Prepare","Description": "Create plans to help you respond to, communicate during, and recover from an incident. For example, you can start an incident response plan with the most likely scenarios for your workload and organization. 
Include how you would communicate and escalate both internally and externally.","LevelOfRisk": "High","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_develop_management_plans.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_develop_management_plans","WellArchitectedQuestionId": "incident-response"}],"description": "Create plans to help you respond to, communicate during, and recover from an incident. For example, you can start an incident response plan with the most likely scenarios for your workload and organization. Include how you would communicate and escalate both internally and externally.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC10-BP03": {"name": "SEC10-BP03","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP03 Prepare forensic capabilities","Section": "Incident response","SubSection": "Prepare","Description": "It's important for your incident responders to understand when and how the forensic investigation fits into your response plan. Your organization should define what evidence is collected and what tools are used in the process. Identify and prepare forensic investigation capabilities that are suitable, including external specialists, tools, and automation. A key decision that you should make upfront is if you will collect data from a live system. Some data, such as the contents of volatile memory or active network connections, will be lost if the system is powered off or rebooted.Your response team can combine tools, such as AWS Systems Manager, Amazon EventBridge, and AWS Lambda, to automatically run forensic tools within an operating system and VPC traffic mirroring to obtain a network packet capture, to gather non-persistent evidence. 
Conduct other activities, such as log analysis or analyzing disk images, in a dedicated security account with customized forensic workstations and tools accessible to your responders.Routinely ship relevant logs to a data store that provides high durability and integrity. Responders should have access to those logs. AWS offers several tools that can make log investigation easier, such as Amazon Athena, Amazon OpenSearch Service (OpenSearch Service), and Amazon CloudWatch Logs Insights. Additionally, preserve evidence securely using Amazon Simple Storage Service (Amazon S3) Object Lock. This service follows the WORM (write-once- read-many) model and prevents objects from being deleted or overwritten for a defined period. As forensic investigation techniques require specialist training, you might need to engage external specialists.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_prepare_forensic.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_prepare_forensic","WellArchitectedQuestionId": "incident-response"}],"description": "It's important for your incident responders to understand when and how the forensic investigation fits into your response plan. Your organization should define what evidence is collected and what tools are used in the process. Identify and prepare forensic investigation capabilities that are suitable, including external specialists, tools, and automation. A key decision that you should make upfront is if you will collect data from a live system. 
Some data, such as the contents of volatile memory or active network connections, will be lost if the system is powered off or rebooted.Your response team can combine tools, such as AWS Systems Manager, Amazon EventBridge, and AWS Lambda, to automatically run forensic tools within an operating system and VPC traffic mirroring to obtain a network packet capture, to gather non-persistent evidence. Conduct other activities, such as log analysis or analyzing disk images, in a dedicated security account with customized forensic workstations and tools accessible to your responders.Routinely ship relevant logs to a data store that provides high durability and integrity. Responders should have access to those logs. AWS offers several tools that can make log investigation easier, such as Amazon Athena, Amazon OpenSearch Service (OpenSearch Service), and Amazon CloudWatch Logs Insights. Additionally, preserve evidence securely using Amazon Simple Storage Service (Amazon S3) Object Lock. This service follows the WORM (write-once- read-many) model and prevents objects from being deleted or overwritten for a defined period. As forensic investigation techniques require specialist training, you might need to engage external specialists.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC10-BP04": {"name": "SEC10-BP04","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP04 Automate containment capability","Section": "Incident response","SubSection": "Iterate","Description": "Automate containment and recovery of an incident to reduce response times and organizational impact.Once you create and practice the processes and tools from your playbooks, you can deconstruct the logic into a code-based solution, which can be used as a tool by many responders to automate the response and remove variance or guess-work by your responders. This can speed up the lifecycle of a response. 
The next goal is to enable this code to be fully automated by being invoked by the alerts or events themselves, rather than by a human responder, to create an event-driven response. These processes should also automatically add relevant data to your security systems. For example, an incident involving traffic from an unwanted IP address can automatically populate an AWS WAF block list or Network Firewall rule group to prevent further activity.With an event-driven response system, a detective mechanism triggers a responsive mechanism to automatically remediate the event. You can use event-driven response capabilities to reduce the time-to-value between detective mechanisms and responsive mechanisms. To create this event-driven architecture, you can use AWS Lambda, which is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. For example, assume that you have an AWS account with the AWS CloudTrail service enabled. If CloudTrail is ever disabled (through the cloudtrail:StopLogging API call), you can use Amazon EventBridge to monitor for the specific cloudtrail:StopLogging event, and invoke a Lambda function to call cloudtrail:StartLogging to restart logging.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_auto_contain.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_auto_contain","WellArchitectedQuestionId": "incident-response"}],"description": "Automate containment and recovery of an incident to reduce response times and organizational impact.Once you create and practice the processes and tools from your playbooks, you can deconstruct the logic into a code-based solution, which can be used as a tool by many responders to automate the response and remove variance or guess-work by your responders. 
This can speed up the lifecycle of a response. The next goal is to enable this code to be fully automated by being invoked by the alerts or events themselves, rather than by a human responder, to create an event-driven response. These processes should also automatically add relevant data to your security systems. For example, an incident involving traffic from an unwanted IP address can automatically populate an AWS WAF block list or Network Firewall rule group to prevent further activity.With an event-driven response system, a detective mechanism triggers a responsive mechanism to automatically remediate the event. You can use event-driven response capabilities to reduce the time-to-value between detective mechanisms and responsive mechanisms. To create this event-driven architecture, you can use AWS Lambda, which is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. For example, assume that you have an AWS account with the AWS CloudTrail service enabled. 
If CloudTrail is ever disabled (through the cloudtrail:StopLogging API call), you can use Amazon EventBridge to monitor for the specific cloudtrail:StopLogging event, and invoke a Lambda function to call cloudtrail:StartLogging to restart logging.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC10-BP05": {"name": "SEC10-BP05","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP05 Pre-provision access","Section": "Incident response","SubSection": "Prepare","Description": "Verify that incident responders have the correct access pre-provisioned in AWS to reduce the time needed for investigation through to recovery.Common anti-patterns:Using the root account for incident response.Altering existing accounts.Manipulating IAM permissions directly when providing just-in-time privilege elevation.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_pre_provision_access.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_pre_provision_access","WellArchitectedQuestionId": "incident-response"}],"description": "Verify that incident responders have the correct access pre-provisioned in AWS to reduce the time needed for investigation through to recovery.Common anti-patterns:Using the root account for incident response.Altering existing accounts.Manipulating IAM permissions directly when providing just-in-time privilege elevation.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC10-BP06": {"name": "SEC10-BP06","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP06 Pre-deploy tools","Section": "Incident response","SubSection": "Prepare","Description": "Ensure that security personnel have the right tools pre-deployed into AWS to reduce the time for investigation through to recovery.To automate security engineering and operations functions, you can use a comprehensive set 
of APIs and tools from AWS. You can fully automate identity management, network security, data protection, and monitoring capabilities and deliver them using popular software development methods that you already have in place. When you build security automation, your system can monitor, review, and initiate a response, rather than having people monitor your security position and manually react to events. An effective way to automatically provide searchable and relevant log data across AWS services to your incident responders is to enable Amazon Detective.If your incident response teams continue to respond to alerts in the same way, they risk alert fatigue. Over time, the team can become desensitized to alerts and can either make mistakes handling ordinary situations or miss unusual alerts. Automation helps avoid alert fatigue by using functions that process the repetitive and ordinary alerts, leaving humans to handle the sensitive and unique incidents. Integrating anomaly detection systems, such as Amazon GuardDuty, AWS CloudTrail Insights, and Amazon CloudWatch Anomaly Detection, can reduce the burden of common threshold-based alerts.You can improve manual processes by programmatically automating steps in the process. After you define the remediation pattern to an event, you can decompose that pattern into actionable logic, and write the code to perform that logic. Responders can then execute that code to remediate the issue. Over time, you can automate more and more steps, and ultimately automatically handle whole classes of common incidents.For tools that execute within the operating system of your Amazon Elastic Compute Cloud (Amazon EC2) instance, you should evaluate using the AWS Systems Manager Run Command, which enables you to remotely and securely administrate instances using an agent that you install on your Amazon EC2 instance operating system. 
It requires the Systems Manager Agent (SSM Agent), which is installed by default on many Amazon Machine Images (AMIs). Be aware, though, that once an instance has been compromised, no responses from tools or agents running on it should be considered trustworthy.","LevelOfRisk": "Low","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_pre_deploy_tools.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_pre_deploy_tools","WellArchitectedQuestionId": "incident-response"}],"description": "Ensure that security personnel have the right tools pre-deployed into AWS to reduce the time for investigation through to recovery.To automate security engineering and operations functions, you can use a comprehensive set of APIs and tools from AWS. You can fully automate identity management, network security, data protection, and monitoring capabilities and deliver them using popular software development methods that you already have in place. When you build security automation, your system can monitor, review, and initiate a response, rather than having people monitor your security position and manually react to events. An effective way to automatically provide searchable and relevant log data across AWS services to your incident responders is to enable Amazon Detective.If your incident response teams continue to respond to alerts in the same way, they risk alert fatigue. Over time, the team can become desensitized to alerts and can either make mistakes handling ordinary situations or miss unusual alerts. Automation helps avoid alert fatigue by using functions that process the repetitive and ordinary alerts, leaving humans to handle the sensitive and unique incidents. 
Integrating anomaly detection systems, such as Amazon GuardDuty, AWS CloudTrail Insights, and Amazon CloudWatch Anomaly Detection, can reduce the burden of common threshold-based alerts.You can improve manual processes by programmatically automating steps in the process. After you define the remediation pattern to an event, you can decompose that pattern into actionable logic, and write the code to perform that logic. Responders can then execute that code to remediate the issue. Over time, you can automate more and more steps, and ultimately automatically handle whole classes of common incidents.For tools that execute within the operating system of your Amazon Elastic Compute Cloud (Amazon EC2) instance, you should evaluate using the AWS Systems Manager Run Command, which enables you to remotely and securely administrate instances using an agent that you install on your Amazon EC2 instance operating system. It requires the Systems Manager Agent (SSM Agent), which is installed by default on many Amazon Machine Images (AMIs). Be aware, though, that once an instance has been compromised, no responses from tools or agents running on it should be considered trustworthy.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC10-BP07": {"name": "SEC10-BP07","checks": {},"status": "PASS","attributes": [{"Name": "SEC10-BP07 Run game days","Section": "Incident response","SubSection": "Simulate","Description": "Game days, also known as simulations or exercises, are internal events that provide a structured opportunity to practice your incident management plans and procedures during a realistic scenario. These events should exercise responders using the same tools and techniques that would be used in a real-world scenario - even mimicking real-world environments. Game days are fundamentally about being prepared and iteratively improving your response capabilities. 
Some of the reasons you might find value in performing game day activities include:Validating readinessDeveloping confidence – learning from simulations and training staffFollowing compliance or contractual obligationsGenerating artifacts for accreditationBeing agile – incremental improvementBecoming faster and improving toolsRefining communication and escalationDeveloping comfort with the rare and the unexpectedFor these reasons, the value derived from participating in a simulation activity increases an organization's effectiveness during stressful events. Developing a simulation activity that is both realistic and beneficial can be a difficult exercise. Although testing your procedures or automation that handles well-understood events has certain advantages, it is just as valuable to participate in creative Security Incident Response Simulations (SIRS) activities to test yourself against the unexpected and continuously improve.Create custom simulations tailored to your environment, team, and tools. Find an issue and design your simulation around it. This could be something like a leaked credential, a server communicating with unwanted systems, or a misconfiguration that results in unauthorized exposure. Identify engineers who are familiar with your organization to create the scenario and another group to participate. The scenario should be realistic and challenging enough to be valuable. It should include the opportunity to get hands on with logging, notifications, escalations, and executing runbooks or automation. During the simulation, your responders should exercise their technical and organizational skills, and leaders should be involved to build their incident management skills. 
At the end of the simulation, celebrate the efforts of the team and look for ways to iterate, repeat, and expand into further simulations.AWS has created Incident Response Runbook templates that you can use not only to prepare your response efforts, but also as a basis for a simulation. When planning, a simulation can be broken into five phases.Evidence gathering: In this phase, a team will get alerts through various means, such as an internal ticketing system, alerts from monitoring tooling, anonymous tips, or even public news. Teams then start to review infrastructure and application logs to determine the source of the compromise. This step should also involve internal escalations and incident leadership. Once identified, teams move on to containing the incidentContain the incident: Teams will have determined there has been an incident and established the source of the compromise. Teams now should take action to contain it, for example, by disabling compromised credentials, isolating a compute resource, or revoking a role's permission.Eradicate the incident: Now that they've contained the incident, teams will work towards mitigating any vulnerabilities in applications or infrastructure configurations that were susceptible to the compromise. This could include rotating all credentials used for a workload, modifying Access Control Lists (ACLs) or changing network configurations.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_incident_response_run_game_days.html#implementation-guidance.","WellArchitectedPracticeId": "sec_incident_response_run_game_days","WellArchitectedQuestionId": "incident-response"}],"description": "Game days, also known as simulations or exercises, are internal events that provide a structured opportunity to practice your incident management plans and procedures during a realistic scenario. 
These events should exercise responders using the same tools and techniques that would be used in a real-world scenario - even mimicking real-world environments. Game days are fundamentally about being prepared and iteratively improving your response capabilities. Some of the reasons you might find value in performing game day activities include:Validating readinessDeveloping confidence – learning from simulations and training staffFollowing compliance or contractual obligationsGenerating artifacts for accreditationBeing agile – incremental improvementBecoming faster and improving toolsRefining communication and escalationDeveloping comfort with the rare and the unexpectedFor these reasons, the value derived from participating in a simulation activity increases an organization's effectiveness during stressful events. Developing a simulation activity that is both realistic and beneficial can be a difficult exercise. Although testing your procedures or automation that handles well-understood events has certain advantages, it is just as valuable to participate in creative Security Incident Response Simulations (SIRS) activities to test yourself against the unexpected and continuously improve.Create custom simulations tailored to your environment, team, and tools. Find an issue and design your simulation around it. This could be something like a leaked credential, a server communicating with unwanted systems, or a misconfiguration that results in unauthorized exposure. Identify engineers who are familiar with your organization to create the scenario and another group to participate. The scenario should be realistic and challenging enough to be valuable. It should include the opportunity to get hands on with logging, notifications, escalations, and executing runbooks or automation. During the simulation, your responders should exercise their technical and organizational skills, and leaders should be involved to build their incident management skills. 
At the end of the simulation, celebrate the efforts of the team and look for ways to iterate, repeat, and expand into further simulations.AWS has created Incident Response Runbook templates that you can use not only to prepare your response efforts, but also as a basis for a simulation. When planning, a simulation can be broken into five phases.Evidence gathering: In this phase, a team will get alerts through various means, such as an internal ticketing system, alerts from monitoring tooling, anonymous tips, or even public news. Teams then start to review infrastructure and application logs to determine the source of the compromise. This step should also involve internal escalations and incident leadership. Once identified, teams move on to containing the incidentContain the incident: Teams will have determined there has been an incident and established the source of the compromise. Teams now should take action to contain it, for example, by disabling compromised credentials, isolating a compute resource, or revoking a role's permission.Eradicate the incident: Now that they've contained the incident, teams will work towards mitigating any vulnerabilities in applications or infrastructure configurations that were susceptible to the compromise. This could include rotating all credentials used for a workload, modifying Access Control Lists (ACLs) or changing network configurations.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"SEC11-BP02": {"name": "SEC11-BP02","checks": {"ecr_repositories_scan_images_on_push_enabled": "FAIL","ecr_repositories_scan_vulnerabilities_in_latest_image": null},"status": "FAIL","attributes": [{"Name": "SEC11-BP02 Automate testing throughout the development and release lifecycle","Section": "Application Security","SubSection": null,"Description": "Automate the testing for security properties throughout the development and release lifecycle. 
Automation makes it easier to consistently and repeatably identify potential issues in software prior to release, which reduces the risk of security issues in the software being provided. The goal of automated testing is to provide a programmatic way of detecting potential issues early and often throughout the development lifecycle. When you automate regression testing, you can rerun functional and non-functional tests to verify that previously tested software still performs as expected after a change. When you define security unit tests to check for common misconfigurations, such as broken or missing authentication, you can identify and fix these issues early in the development process. Test automation uses purpose-built test cases for application validation, based on the application’s requirements and desired functionality. The result of the automated testing is based on comparing the generated test output to its respective expected output, which expedites the overall testing lifecycle. Testing methodologies such as regression testing and unit test suites are best suited for automation. Automating the testing of security properties allows builders to receive automated feedback without having to wait for a security review. Automated tests in the form of static or dynamic code analysis can increase code quality and help detect potential software issues early in the development lifecycle.","LevelOfRisk": "Medium","AssessmentMethod": "Automated","ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_appsec_automate_testing_throughout_lifecycle.html#implementation-guidance.","WellArchitectedPracticeId": "sec_appsec_automate_testing_throughout_lifecycle","WellArchitectedQuestionId": "application-security"}],"description": "Automate the testing for security properties throughout the development and release lifecycle. 
Automation makes it easier to consistently and repeatably identify potential issues in software prior to release, which reduces the risk of security issues in the software being provided. The goal of automated testing is to provide a programmatic way of detecting potential issues early and often throughout the development lifecycle. When you automate regression testing, you can rerun functional and non-functional tests to verify that previously tested software still performs as expected after a change. When you define security unit tests to check for common misconfigurations, such as broken or missing authentication, you can identify and fix these issues early in the development process. Test automation uses purpose-built test cases for application validation, based on the application’s requirements and desired functionality. The result of the automated testing is based on comparing the generated test output to its respective expected output, which expedites the overall testing lifecycle. Testing methodologies such as regression testing and unit test suites are best suited for automation. Automating the testing of security properties allows builders to receive automated feedback without having to wait for a security review. 
Automated tests in the form of static or dynamic code analysis can increase code quality and help detect potential software issues early in the development lifecycle.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}}},"requirements_passed": 17,"requirements_failed": 23,"requirements_manual": 17,"total_requirements": 57,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "e079e750-59b8-4d29-9e57-1a10a0e63be4","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "aws_foundational_security_best_practices_aws","framework": "AWS-Foundational-Security-Best-Practices","version": "","description": "The AWS Foundational Security Best Practices standard is a set of controls that detect when your deployed accounts and resources deviate from security best practices.","region": "eu-west-1","requirements": {"s3": {"name": "Benchmark: S3","checks": {"s3_bucket_public_access": null,"s3_bucket_acl_prohibited": "FAIL","s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","s3_account_level_public_access_blocks": null,"s3_bucket_server_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "s3","Section": "S3","Service": "s3","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS S3 resources and options.","checks_status": {"fail": 4,"pass": 2,"total": 9,"manual": 0}},"acm": {"name": "ACM","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "acm","Section": "Acm","Service": "acm","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring ACM resources.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"dms": {"name": "Benchmark: 
DMS","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "dms","Section": "DMS","Service": "dms","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS DMS resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"ec2": {"name": "Benchmark: EC2","checks": {"vpc_flow_logs_enabled": "FAIL","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","ec2_securitygroup_not_used": "FAIL","ec2_instance_imdsv2_enabled": "PASS","ec2_instance_older_than_specific_days": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ec2","Section": "EC2","Service": "ec2","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring EC2 resources and options.","checks_status": {"fail": 6,"pass": 4,"total": 10,"manual": 0}},"ecr": {"name": "Benchmark: Elastic Container Registry","checks": {"ecr_repositories_lifecycle_policy_enabled": "FAIL","ecr_repositories_scan_images_on_push_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ecr","Section": "ECR","Service": "ecr","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS ECR resources and options.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"ecs": {"name": "Benchmark: Elastic Container Service","checks": {"ecs_task_definitions_no_environment_secrets": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "ecs","Section": "ECS","Service": "ecs","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring ECS resources and options.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"efs": {"name": "Benchmark: EFS","checks": 
{"efs_have_backup_enabled": "FAIL","efs_encryption_at_rest_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "efs","Section": "EFS","Service": "efs","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS EFS resources and options.","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"eks": {"name": "Benchmark: EKS","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "eks","Section": "EKS","Service": "eks","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS EKS resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"elb": {"name": "Benchmark: ELB","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","elbv2_deletion_protection": "FAIL","elbv2_desync_mitigation_mode": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "elb","Section": "ELB","Service": "elb","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Elastic Load Balancer resources and options.","checks_status": {"fail": 4,"pass": 0,"total": 4,"manual": 0}},"emr": {"name": "Benchmark: EMR","checks": {"emr_cluster_master_nodes_no_public_ip": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "emr","Section": "EMR","Service": "emr","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring EMR resources.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"iam": {"name": "Benchmark: IAM","checks": {"iam_no_root_access_key": null,"iam_user_accesskey_unused": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null,"iam_inline_policy_no_administrative_privileges": 
null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "iam","Section": "IAM","Service": "iam","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS IAM resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 10,"manual": 0}},"kms": {"name": "Benchmark: KMS","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "kms","Section": "KMS","Service": "kms","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS KMS resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"rds": {"name": "Benchmark: RDS","checks": {"rds_instance_multi_az": "FAIL","rds_snapshots_public_access": "PASS","rds_instance_no_public_access": "PASS","rds_instance_storage_encrypted": "FAIL","rds_instance_deletion_protection": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","rds_instance_minor_version_upgrade_enabled": "PASS"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "rds","Section": "RDS","Service": "rds","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS RDS resources and options.","checks_status": {"fail": 5,"pass": 3,"total": 10,"manual": 0}},"sns": {"name": "Benchmark: SNS","checks": {"sns_topics_kms_encryption_at_rest_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "sns","Section": "SNS","Service": "sns","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS SNS resources and options.","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"sqs": {"name": "Benchmark: SQS","checks": {"sqs_queues_server_side_encryption_enabled": "PASS"},"status": "PASS","attributes": 
[{"Type": null,"ItemId": "sqs","Section": "SQS","Service": "sqs","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS SQS resources and options.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"ssm": {"name": "Benchmark: SSM","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "ssm","Section": "SSM","Service": "ssm","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Systems Manager resources and options.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"waf": {"name": "Benchmark: WAF","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "waf","Section": "WAF","Service": "waf","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS WAF resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"elbv2": {"name": "Benchmark: ELBv2","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "elbv2","Section": "ELBv2","Service": "elbv2","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Elastic Load Balancer resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"config": {"name": "Benchmark: Config","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "config","Section": "Config","Service": "config","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Config.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"lambda": {"name": "Benchmark: Lambda","checks": {"awslambda_function_url_public": null,"awslambda_function_using_supported_runtimes": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": 
"lambda","Section": "Lambda","Service": "lambda","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Lambda resources and options.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"account": {"name": "Account","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "account","Section": "Account","Service": "account","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Account.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"kinesis": {"name": "Benchmark: Kinesis","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "kinesis","Section": "Kinesis","Service": "kinesis","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Kinesis resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"dynamodb": {"name": "Benchmark: DynamoDB","checks": {"dynamodb_tables_pitr_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "dynamodb","Section": "DynamoDB","Service": "dynamodb","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Dynamo DB resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"redshift": {"name": "Benchmark: Redshift","checks": {"redshift_cluster_public_access": null,"redshift_cluster_automated_snapshot": null,"redshift_cluster_automatic_upgrades": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "redshift","Section": "Redshift","Service": "redshift","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Redshift resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"codebuild": 
{"name": "Benchmark: CodeBuild","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "codebuild","Section": "CodeBuild","Service": "codebuild","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CodeBuild resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"guardduty": {"name": "Benchmark: GuardDuty","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Type": null,"ItemId": "guardduty","Section": "GuardDuty","Service": "guardduty","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS GuardDuty resources and options.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"sagemaker": {"name": "Benchmark: SageMaker","checks": {"sagemaker_notebook_instance_root_access_disabled": null,"sagemaker_notebook_instance_vpc_settings_configured": null,"sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "sagemaker","Section": "SageMaker","Service": "sagemaker","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Sagemaker resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"cloudfront": {"name": "Benchmark: CloudFront","checks": {"cloudfront_distributions_using_waf": null,"cloudfront_distributions_https_enabled": null,"cloudfront_distributions_logging_enabled": null,"cloudfront_distributions_field_level_encryption_enabled": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "cloudfront","Section": "CloudFront","Service": "cloudfront","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CloudFront resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 
0}},"cloudtrail": {"name": "Benchmark: CloudTrail","checks": {"cloudtrail_multi_region_enabled": "PASS","cloudtrail_kms_encryption_enabled": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "cloudtrail","Section": "CloudTrail","Service": "cloudtrail","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CloudTrail resources and options.","checks_status": {"fail": 3,"pass": 1,"total": 4,"manual": 0}},"opensearch": {"name": "Benchmark: OpenSearch","checks": {"opensearch_service_domains_not_publicly_accessible": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "opensearch","Section": "OpenSearch","Service": "opensearch","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring OpenSearch resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"api-gateway": {"name": "API Gateway","checks": {"apigateway_restapi_logging_enabled": "PASS","apigateway_restapi_waf_acl_attached": "FAIL","apigatewayv2_api_authorizers_enabled": "FAIL","apigatewayv2_api_access_logging_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "api-gateway","Section": "API Gateway","Service": "apigateway","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring API Gateway resources.","checks_status": {"fail": 4,"pass": 1,"total": 5,"manual": 0}},"auto-scaling": {"name": "Benchmark: Auto Scaling","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "auto-scaling","Section": "Auto Scaling","Service": "autoscaling","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Auto Scaling resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 
0,"manual": 0}},"elasticsearch": {"name": "Benchmark: Elasticsearch","checks": {"opensearch_service_domains_audit_logging_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "elasticsearch","Section": "ElasticSearch","Service": "elasticsearch","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Elasticsearch resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"cloudformation": {"name": "Benchmark: CloudFormation","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "cloudformation","Section": "CloudFormation","Service": "cloudformation","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring CloudFormation resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"secretsmanager": {"name": "Benchmark: Secrets Manager","checks": {"secretsmanager_automatic_rotation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "secretsmanager","Section": "Secrets Manager","Service": "secretsmanager","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Secrets Manager resources.","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"network-firewall": {"name": "Benchmark: Network Firewall","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "network-firewall","Section": "Network Firewall","Service": "network-firewall","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring Network Firewall resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"elastic-beanstalk": {"name": "Benchmark: Elastic 
Beanstalk","checks": {},"status": "PASS","attributes": [{"Type": null,"ItemId": "elastic-beanstalk","Section": "Elastic Beanstalk","Service": "elasticbeanstalk","SubGroup": null,"SubSection": null}],"description": "This section contains recommendations for configuring AWS Elastic Beanstalk resources and options.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}}},"requirements_passed": 14,"requirements_failed": 12,"requirements_manual": 11,"total_requirements": 37,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "e23a4728-558b-4a92-8e7d-f1473c21cc6e","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "ens_rd2022_aws","framework": "ENS","version": "RD2022","description": "The accreditation scheme of the ENS (National Security Scheme) has been developed by the Ministry of Finance and Public Administrations and the CCN (National Cryptological Center). This includes the basic principles and minimum requirements necessary for the adequate protection of information.","region": "eu-west-1","requirements": {"mp.s.1.aws.wm.1": {"name": "mp.s.1.aws.wm.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.s.1","DescripcionControl": "Se deberá hacer uso del cifrado de la información contenida en los correos electrónicos."}],"description": "Protección del correo electrónico","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.s.1.aws.wm.2": {"name": "mp.s.1.aws.wm.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": 
["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.s.1","DescripcionControl": "Habilitar el registro de eventos de Workmail en CloudWatch para realizar el seguimiento de mensajes con spam."}],"description": "Protección del correo electrónico","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.s.1.aws.wm.3": {"name": "mp.s.1.aws.wm.3","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.s.1","DescripcionControl": "En SES, se debe hacer uso de la opción que permite a los usuarios enviar correo electrónico cifrado con S/MIME"}],"description": "Protección del correo electrónico","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.s.4.aws.as.1": {"name": "mp.s.4.aws.as.1","checks": {"autoscaling_group_multiple_az": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.s.4","DescripcionControl": "Activar la solución AWS Auto Scaling para dotar a los sistemas de la capacidad suficiente para atender la carga prevista con holgura y desplegar tecnologías para la prevención de ataques conocidos."}],"description": "Protección frente a la denegación de servicio ","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.s.2.aws.waf.1": {"name": "mp.s.2.aws.waf.1","checks": {"cloudfront_distributions_using_waf": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": 
["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.s.2","DescripcionControl": "Todas las aplicaciones web distribuidas por el servicio de AWS CloudFront deben estar integradas con el servicio de firewall de aplicaciones web AWS WAF."}],"description": "Protección de servicios y aplicaciones web","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.s.2.aws.waf.2": {"name": "mp.s.2.aws.waf.2","checks": {"apigateway_restapi_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.s.2","DescripcionControl": "Los API gateways deben tener un ACL WAF asociado."}],"description": "Protección de servicios y aplicaciones web","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.s.2.aws.waf.3": {"name": "mp.s.2.aws.waf.3","checks": {"elbv2_waf_acl_attached": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.s.2","DescripcionControl": "Todos los balanceadores de aplicación deben estar integrados con el servicio de firewall de aplicación web para quedar protegidos ante ataques de la capa de aplicación"}],"description": "Protección de servicios y aplicaciones web","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.es.1": {"name": "mp.si.2.aws.es.1","checks": {"opensearch_service_domains_encryption_at_rest_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": 
"medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre todos los dominios del servicio Amazon Elasticsearch Service (ES). En caso de usar este servicio, deberá asegurarse la activación del cifrado en reposo."}],"description": "Criptografía","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.s3.1": {"name": "mp.si.2.aws.s3.1","checks": {"s3_bucket_default_encryption": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre los distintos buckets de S3, de los cuales se debe asegurar que tengan activado el cifrado en reposo."}],"description": "Criptografía","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.pl.4.aws.sq.1": {"name": "op.pl.4.aws.sq.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4","DescripcionControl": "La entidad usuaria deberá llevar a cabo el estudio de capacidades a las que hace referencia la medida de seguridad, si bien (…) deberá tener especialmente en cuenta: * Las cuotas de los servicios a utilizar."}],"description": "Necesidades de procesamiento","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.1.aws.cf.1": {"name": "mp.com.1.aws.cf.1","checks": {"cloudfront_distributions_https_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": 
"protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Asegurar que la distribución entre frontales CloudFront y sus orígenes únicamente emplee tráfico HTTPs "}],"description": "Perímetro seguro","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.com.1.aws.s3.1": {"name": "mp.com.1.aws.s3.1","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Asegurar que los Buckets S3 de almacenamiento apliquen cifrado para la transferencia de datos empleando Secure Sockets Layer (SSL)"}],"description": "Perímetro seguro","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.com.1.aws.sg.1": {"name": "mp.com.1.aws.sg.1","checks": {"ec2_securitygroup_from_launch_wizard": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Asegurar que el Security Group restrinja todo el tráfico. 
Para ello, se deberán agregar las reglas del Security Group que se aplica por defecto cuando se crea una VPC."}],"description": "Perímetro seguro","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"mp.com.1.aws.sg.2": {"name": "mp.com.1.aws.sg.2","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Evitar la existencia de Security Groups que dejen abierto todo el tráfico entrante."}],"description": "Perímetro seguro","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.com.1.aws.sg.3": {"name": "mp.com.1.aws.sg.3","checks": {"ec2_securitygroup_not_used": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Evitar tener un repositorio de Security Groups que no estén siendo usados."}],"description": "Perímetro seguro","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.com.3.aws.cf.1": {"name": "mp.com.3.aws.cf.1","checks": {"cloudfront_distributions_https_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["integridad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.3","DescripcionControl": "Asegurar que la distribución entre frontales CloudFront y sus orígenes únicamente emplee tráfico 
HTTPS."}],"description": "Protección de la integridad y de la autenticidad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.com.3.aws.s3.1": {"name": "mp.com.3.aws.s3.1","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["integridad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.3","DescripcionControl": "Asegurar que los Buckets de almacenamiento S3 apliquen cifrado para la transferencia de datos empleando TLS."}],"description": "Protección de la integridad y de la autenticidad","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.com.4.aws.ws.1": {"name": "mp.com.4.aws.ws.1","checks": {"workspaces_vpc_2private_1public_subnets_nat": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "segregación de redes","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.4","DescripcionControl": "Se deberán abrir solo los puertos necesarios para el uso del servicio AWS WorkSpaces."}],"description": "Separación de flujos de información en la red","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.elb.1": {"name": "mp.si.2.aws.elb.1","checks": {"ec2_ebs_snapshots_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Se recomienda dejar activada la opción de cifrado por defecto para nuevos volúmenes."}],"description": "Criptografía","checks_status": 
{"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.kms.1": {"name": "mp.si.2.aws.kms.1","checks": {"ec2_ebs_volume_encryption": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre el almacenamiento de las instancias en todos sus volúmenes de datos."}],"description": "Criptografía","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.si.2.aws.rds.1": {"name": "mp.si.2.aws.rds.1","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre las bases de datos AWS RDS."}],"description": "Criptografía","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.sqs.1": {"name": "mp.si.2.aws.sqs.1","checks": {"sqs_queues_server_side_encryption_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre las colas de mensajes de AWS (Amazon SQS)."}],"description": "Criptografía","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.1.aws.re.1": {"name": "op.exp.1.aws.re.1","checks": {"resourceexplorer2_indexes_found": "PASS"},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": 
"explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "Se recomienda el uso de AWS Resource Explorer para la exploración de los recursos como instancias RDB, buckets S3o tablas de Amazon DynamoDB."}],"description": "Inventario de activos","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.5.aws.cm.1": {"name": "op.exp.5.aws.cm.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.5","DescripcionControl": "La entidad usuaria puede hacer uso de la utilidad AWS Change Manager para mantener un registro actualizado de las plantillas y peticiones de cambio en las que se incluya información en detalle sobre estos."}],"description": "Gestión de cambios","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.5.aws.ct.1": {"name": "op.exp.5.aws.ct.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.5","DescripcionControl": "Asegurar que CloudTrail esté activo para todas las regiones."}],"description": "Gestión de cambios","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.6.aws.gd.1": {"name": "op.exp.6.aws.gd.1","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": 
["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.6","DescripcionControl": "Activar la protección contra software malintencionado de GuardDuty en todas las regiones."}],"description": "Protección frente a código dañino","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.7.aws.cf.1": {"name": "op.exp.7.aws.cf.1","checks": {"cloudfront_distributions_logging_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.7","DescripcionControl": "Habilitar los logs de acceso de CloudFront"}],"description": "Gestión de incidentes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.7.aws.gd.1": {"name": "op.exp.7.aws.gd.1","checks": {"guardduty_is_enabled": "PASS","guardduty_no_high_severity_findings": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.7","DescripcionControl": "Habilitar GuardDuty para la detección de incidentes de seguridad"}],"description": "Gestión de incidentes","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"op.exp.7.aws.sh.1": {"name": "op.exp.7.aws.sh.1","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.7","DescripcionControl": 
"Habilitar Security Hub"}],"description": "Gestión de incidentes","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.8.aws.ct.1": {"name": "op.exp.8.aws.ct.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Habilitar la herramienta CloudTrail en todas las regiones. Este serviio está habilitado por defecto cuando se crea una nueva cuenta, pero es posible deshabilitarlo."}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.8.aws.ct.2": {"name": "op.exp.8.aws.ct.2","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Establecer un filtro de métricas desde AWS CloudWatch para detectar cambios en las configuraciones de CloudTrail"}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.aws.ct.3": {"name": "op.exp.8.aws.ct.3","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Habilitar la validación de archivos en todos los trails, evitando así que estos se vean modificados o eliminados."}],"description": "Registro de actividad","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.aws.ct.4": {"name": 
"op.exp.8.aws.ct.4","checks": {"cloudtrail_s3_dataevents_write_enabled": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Habilitar la entrega continua de eventos de CloudTrail a un bucket S3 dedicado con el fin de unificar los archivos de registro."}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"op.exp.8.aws.ct.5": {"name": "op.exp.8.aws.ct.5","checks": {"cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Se deberán habilitar alertas para los siguientes eventos: * Llamadas no permitidas a la API, * Accesos no permitidos a la consola, * Todos los intentos de acceso sin el correcto uso de MFA, * Toda la actividad realizada sobre y por la cuenta root, * Cualquier cambio en las políticas IAM"}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"op.exp.8.aws.ct.6": {"name": "op.exp.8.aws.ct.6","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "medida","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Activar el servicio de AWS 
CloudTrail para registrar la actividad de los usuarios relativa a la configuración de los servicios VPN Site-to-Site y AWS DirectConnect"}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.8.aws.cw.1": {"name": "op.exp.8.aws.cw.1","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8","DescripcionControl": "Crear alertas utilizando herramientas como Amazon CloudWatch Events para anunciar el inicio de sesión y el uso de las credenciales de usuario root de la cuenta de administración"}],"description": "Registro de actividad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.9.aws.ct.1": {"name": "op.exp.9.aws.ct.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.9","DescripcionControl": "Habilitar AWS Incident Manager y AWS CloudTrail en todas las regiones con el fin de recopilar información para generar contenido prescriptivo para la creación de informes exigidos por la medida de seguridad."}],"description": "Registro de la gestión de incidentes","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.ext.7.aws.am.1": {"name": "op.ext.7.aws.am.1","checks": {"account_maintain_current_contact_details": null,"account_security_contact_information_is_registered": null,"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": 
"explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.7","DescripcionControl": "Deberá proveerse la información relacionada con contactos alternativos (de facturación, operaciones y seguridad), con correos que no dependan de la misma persona. Deberá comprobarse regularmente que estas cuentas funcionan correctamente y mantener listas de correo para asegurar la recepción de avisos por personal disponible en cada momento. Además, deberán establecerse preguntas de desafío de seguridad y respuestas para el caso de que sea necesario autenticarse como propiterio de la cuenta para ponerse en contacto con el soporte de AWS."}],"description": "Gestión de incidentes","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"op.mon.1.aws.ct.1": {"name": "op.mon.1.aws.ct.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.1","DescripcionControl": "Activar el servicio de eventos AWS CloudTrail para todas las regiones."}],"description": "Detección de intrusión","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.1.aws.gd.1": {"name": "op.mon.1.aws.gd.1","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.1","DescripcionControl": "En ausencia de otras herramientas de terceros, habilitar Amazon GuarDuty para la detección de amenazas e 
intrusiones."}],"description": "Detección de intrusión","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.1.aws.gd.2": {"name": "op.mon.1.aws.gd.2","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.1","DescripcionControl": "Deberá habilitarse Amazon GuardDuty para todas las regiones tanto en la cuenta raíz como en las cuentas miembro de un entorno multi-cuenta."}],"description": "Detección de intrusión","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.1.aws.gd.3": {"name": "op.mon.1.aws.gd.3","checks": {"guardduty_centrally_managed": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.1","DescripcionControl": "Todas las cuentas miembro deberán estar añadidas para la supervisión bajo la cuenta raíz."}],"description": "Detección de intrusión","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.mon.1.aws.gd.4": {"name": "op.mon.1.aws.gd.4","checks": {},"status": "PASS","attributes": [{"Tipo": "medida","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.mon.1","DescripcionControl": "La administración de Amazon GuardDuty quedará delegada exclusivamente a la cuenta de seguridad para garantizar una correcta asignación de los roles para este servicio."}],"description": "Detección 
de intrusión","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.mon.2.aws.sh.1": {"name": "op.mon.2.aws.sh.1","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.2","DescripcionControl": "Utilizar Security Hub para obtener una vista consolidada de los hallazgos de seguridad en los servicios de AWS habilitados."}],"description": "Sistema de métricas","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.pl.4.aws.ec2.1": {"name": "op.pl.4.aws.ec2.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4","DescripcionControl": "La entidad usuaria deberá llevar a cabo el estudio de capacidades a las que hace referencia la medida de seguridad, si bien (…) deberá tener especialmente en cuenta: * Las capacidades de procesamiento, almacenamiento y comunicaciones de las instancais desplegadas en AWS."}],"description": "Necesidades de procesamiento","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.1.aws.elb.1": {"name": "mp.com.1.aws.elb.1","checks": {"elb_ssl_listeners": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Habilitar TLS en los balanceadores de carga ELB "}],"description": "Perímetro seguro","checks_status": {"fail": 1,"pass": 0,"total": 
1,"manual": 0}},"mp.com.1.aws.elb.2": {"name": "mp.com.1.aws.elb.2","checks": {"elb_insecure_ssl_ciphers": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Evitar el uso de protocolos de cifrado inseguros para las políticas de seguridad de ELB. Esto podría dejar la conexión SSL entre balanceadores y clientes vulnerables a ser explotados. En particular deberá evitarse el uso de TLS 1.0. "}],"description": "Perímetro seguro","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.com.1.aws.nfw.1": {"name": "mp.com.1.aws.nfw.1","checks": {"networkfirewall_in_all_vpc": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Filtrar todo el tráfico entrante y saliente de la VPC a través de Firewalls de red."}],"description": "Perímetro seguro","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.com.1.aws.nfw.2": {"name": "mp.com.1.aws.nfw.2","checks": {"fms_policy_compliant": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.1","DescripcionControl": "Incidir en la utilización de AWS Firewall Manager para gestionar los firewalls de forma centralizada."}],"description": "Perímetro 
seguro","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"mp.com.2.aws.vpn.1": {"name": "mp.com.2.aws.vpn.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.com.2","DescripcionControl": "Garantizar que las conexiones entre la VPC y la red local (remota) se canalizan a través de VPN Site-to-Site o bien a través de Direct Connect."}],"description": "Protección de la confidencialidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.2.aws.vpn.2": {"name": "mp.com.2.aws.vpn.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.com.2","DescripcionControl": "Garantizar que las conexiones entre la VPC y la red local (remota) se canalizan a través de VPN Site-to-Site o bien a través de Direct Connect."}],"description": "Protección de la confidencialidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.3.aws.elb.1": {"name": "mp.com.3.aws.elb.1","checks": {"elbv2_insecure_ssl_ciphers": "PASS"},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["integridad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.3","DescripcionControl": "Habilitar TLS en los balanceadores de carga ELB."}],"description": "Protección de la integridad y de la autenticidad","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.com.3.aws.elb.2": {"name": "mp.com.3.aws.elb.2","checks": {"elbv2_insecure_ssl_ciphers": "PASS"},"status": "PASS","attributes": 
[{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["integridad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.3","DescripcionControl": "Evitar el uso de protocolos de cifrado inseguros en la conexión TLS entre clientes y balanceadores de carga. En particular, se deberá evitar el uso de TLS 1.0."}],"description": "Protección de la integridad y de la autenticidad","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.com.4.aws.vpc.1": {"name": "mp.com.4.aws.vpc.1","checks": {"vpc_subnet_separate_private_public": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.4","DescripcionControl": "Los flujos de información de red se deben separar a través de la utilización de diferentes subnets."}],"description": "Separación de flujos de información en la red","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.com.4.aws.vpc.2": {"name": "mp.com.4.aws.vpc.2","checks": {"ec2_instance_internet_facing_with_instance_profile": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.4","DescripcionControl": "Evitar el uso de subnets con la opción de asignación automática de IPs (auto-assign Public IP)."}],"description": "Separación de flujos de información en la red","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.si.2.aws.dydb.1": {"name": 
"mp.si.2.aws.dydb.1","checks": {"dynamodb_tables_kms_cmk_encryption_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2","DescripcionControl": "Aplicar cifrado sobre las bases de datos DynamoDB, que deben implementar cifrado seguro mediante el uso de claves de cliente (KMS)."}],"description": "Criptografía","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.1.aws.iam.1": {"name": "op.acc.1.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1","DescripcionControl": "Utilizar los grupos y roles, en lugar de los usuarios individuales, para controlar el acceso. 
Esto permitirá implementar un conjunto de permisos en lugar de actualizar muchas políticas individuales cuando el acceso de un usuario necesita cambiar."}],"description": "Identificador único","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.aws.iam.2": {"name": "op.acc.1.aws.iam.2","checks": {"iam_check_saml_providers_sts": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.1","DescripcionControl": "Es muy recomendable la utilización de un proveedor de identidades que permita administrar las identidades en un lugar centralizado, en vez de utilizar IAM para ello."}],"description": "Proveedor de identidad centralizado","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.1.aws.iam.3": {"name": "op.acc.1.aws.iam.3","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1","DescripcionControl": "El usuario raíz actúa como usuario IAM de seguridad (usuario \"breakglass\"), dado que no se encuentra sincronizado con el proveedor de identidades externo, lo que permite la recuperación de emergencia del acceso a AWS en caso de imposibilidad de autenticar a los usuarios a través del proveedor de identidades."}],"description": "Proveedor de identidad centralizado","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.aws.iam.4": {"name": "op.acc.1.aws.iam.4","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": 
"op.acc.1","DescripcionControl": "Utilizar identificadores únicos para los usuarios del sistema."}],"description": "Identificador único","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.aws.iam.5": {"name": "op.acc.1.aws.iam.5","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1","DescripcionControl": "Cada cuenta estará asociada a un identificador único."}],"description": "Identificador único","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.aws.iam.6": {"name": "op.acc.1.aws.iam.6","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1","DescripcionControl": "Las cuentas deben ser inhabilitadas en los siguientes casos: cuando el usuario deja la organización; cuando el usuario cesa en la función para la cual se requería la cuenta de usuario; o, cuando la persona que la autorizó, da orden en sentido contrario."}],"description": "Cuentas de usuario","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.aws.iam.7": {"name": "op.acc.1.aws.iam.7","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1","DescripcionControl": "Las cuentas se retendrán durante el periodo necesario para atender a las necesidades de trazabilidad de los registros de actividad asociados a las mismas. 
A este periodo se le denominará periodo de retención."}],"description": "Cuentas de usuario","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.iam.1": {"name": "op.acc.2.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "Hacer uso de las políticas IAM para la asignación de privilegios de acceso. Deberán administrarse permisos para controlar el acceso de las identidades de personas y máquinas y sus cargas de trabajo."}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.iam.2": {"name": "op.acc.2.aws.iam.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "Deberá definirse una política IAM que conceda permiso al usuario o rol de IAM para utilizar los recursos y las acciones de la API específicos que necesita"}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.iam.3": {"name": "op.acc.2.aws.iam.3","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "De acuerdo con las medidas del Esquema Nacional de seguridad los derechos de acceso de cada recurso, se establecerán según las decisiones de la persona responsable del recurso, 
ateniéndose a la política y normativa de seguridad del sistema"}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.iam.4": {"name": "op.acc.2.aws.iam.4","checks": {"iam_avoid_root_usage": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.2","DescripcionControl": "Se deberá delegar en cuentas administradoras la administración de la organización, dejando la cuenta maestra sin uso y con las medidas de seguridad pertinentes."}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.2.aws.vpn.1": {"name": "op.acc.2.aws.vpn.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "Deberá definirse una correcta política de permisos IAM para operaciones de Amazon WorkSpaces según las recomendaciónes establecidas en la sección 3.1.1 Control de Acceso de la guía CCN STIC-887A Guía de configuración segura AWS."}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.vpn.2": {"name": "op.acc.2.aws.vpn.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "Deberán restringirse los permisos a usuarios para utilizar la acción ec2:DescribeVpnConnections. 
Esta acción permite a los usuarios ver la información de configuración de la gateway de cliente sobre las conexiones Site-to-Site VPN de su cuenta."}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.aws.vpn.3": {"name": "op.acc.2.aws.vpn.3","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2","DescripcionControl": "La rotación de certificados de VPN deberá asignarse siguiendo las recomendaciónes de segregación de funciones tal y como se explica en la sección 3.1.1."}],"description": "Requisitos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.3.aws.iam.1": {"name": "op.acc.3.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.3","DescripcionControl": "Enumerar los recursos específicos a los que puede obtener acceso una función de trabajo."}],"description": "Segregación de funciones y tareas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.3.aws.iam.2": {"name": "op.acc.3.aws.iam.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.3","DescripcionControl": "Emplear correctamente el uso de RBAC/ABAC para separar las funciones de desarrollo y operación."}],"description": "Segregación de funciones y tareas","checks_status": {"fail": 0,"pass": 
0,"total": 0,"manual": 0}},"op.acc.3.aws.iam.3": {"name": "op.acc.3.aws.iam.3","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.3","DescripcionControl": "Emplear correctamente el uso de RBAC/ABAC para separar las funciones de autorización y control de uso."}],"description": "Segregación de funciones y tareas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.3.aws.iam.4": {"name": "op.acc.3.aws.iam.4","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.3","DescripcionControl": "Las políticas IAM deberían estar asociadas solo a grupos y a roles."}],"description": "Segregación de funciones y tareas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.1": {"name": "op.acc.4.aws.iam.1","checks": {"awslambda_function_url_public": null,"awslambda_function_url_cors_policy": null,"sqs_queues_not_publicly_accessible": "PASS","organizations_scp_check_deny_regions": null,"s3_bucket_policy_public_write_access": "PASS","iam_policy_allows_privilege_escalation": null,"cloudwatch_cross_account_sharing_disabled": null,"awslambda_function_not_publicly_accessible": "PASS","organizations_account_part_of_organizations": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control 
de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Las políticas IAM deben permitir sólo los privilegios necesarios para cada rol. Se recomienda comenzar con el mínimo nivel de permisos e ir añadiendo permisos adicionales según vaya surgiendo la necesidad en lugar de comenzar con permisos administrativos."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 3,"total": 13,"manual": 0}},"op.acc.4.aws.iam.2": {"name": "op.acc.4.aws.iam.2","checks": {"iam_policy_allows_privilege_escalation": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Evitar políticas con comodines (wildcards) en su definición, que puedan otorgar privilegios administrativos completos."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 5,"manual": 0}},"op.acc.4.aws.iam.3": {"name": "op.acc.4.aws.iam.3","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automatico","IdGrupoControl": "op.acc.4","DescripcionControl": "Para una correcta implementación de la estrategia de políticas de acceso, se recomienda utilizar la herramienta Policy 
Simulator para probar y solucionar posibles problemas en la asignación de políticas."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.acc.4.aws.iam.4": {"name": "op.acc.4.aws.iam.4","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "Se puede utilizar Acces Analyzer para identificar recursos y cuentas, validar las políticas contra las prácticas recomendadas y generar políticas con base en la actividad de acceso de registros de CloudTrail."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.5": {"name": "op.acc.4.aws.iam.5","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "En cuanto a los accesos a las instancias alojadas en AWS se recomienda emplear mecanismos para mantener a las personas alejadas de los datos. 
Es decir, limitar al máximo el acceso directo a los datos por parte de los usuarios."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.6": {"name": "op.acc.4.aws.iam.6","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Con AWS Systems Manager Automation pueden utilizarse documentos de automatización y diseñar flujos de trabajo para la administración de cambios o la ejecución de operaciones estándar para administrar las instancias EC2 (p. ej., actualizar los sistemas operativos), en lugar de permitir el acceso directo. "}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.acc.4.aws.iam.7": {"name": "op.acc.4.aws.iam.7","checks": {"iam_avoid_root_usage": null,"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Se restringirá todo acceso a las acciones especificadas para el usuario root de una cuenta."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"op.acc.4.aws.iam.8": {"name": "op.acc.4.aws.iam.8","checks": {"organizations_scp_check_deny_regions": null,"organizations_account_part_of_organizations": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": 
["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Se restringirá todo acceso a las acciones especificadas para el usuario root de una cuenta."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"op.acc.4.aws.iam.9": {"name": "op.acc.4.aws.iam.9","checks": {"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Se configurarán diferentes permisos a las cuentas de usuario, limitando la utilización de la cuenta “root” para tareas específicas que necesiten un nivel de privilegios elevado, esta configuración debe entenderse como un mecanismo para impedir que el trabajo directo con usuarios con privilegios de administrador repercuta negativamente en la seguridad, a acometer todas las acciones con el máximo privilegio cuando este no es siempre requerido."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"op.acc.4.aws.sys.1": {"name": "op.acc.4.aws.sys.1","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.4","DescripcionControl": "Habilitar systems manager automation para evitar acceso remoto humano a tareas 
automatizables."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.acc.4.aws.vpn.1": {"name": "op.acc.4.aws.vpn.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "Las configuraciones de las políticas de las AWS VPN deben tener las redes específicas con las que se va a establecer la conectividad y evitar políticas genéricas basadas en routing donde se pierde el control granular de las redes permitidas en los SA de la VPN."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.vpn.2": {"name": "op.acc.4.aws.vpn.2","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "En configuraciones de AWS DirectConnect, deberán controlarse los AS y el routing que se lleva por BGP, de modo que se propague el mínimo de rutas y se asegure que no exista redistribución de rutas/redes privadas de entornos del cliente hacia el ISP."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.aws.iam.1": {"name": "op.acc.6.aws.iam.1","checks": {"iam_user_two_active_access_key": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": 
"automático","IdGrupoControl": "op.acc.6","DescripcionControl": "Evitar el uso permanente de múltiples claves de acceso para un mismo usuario IAM."}],"description": "Mecanismo de autenticación (usuarios de la organización)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.6.aws.iam.2": {"name": "op.acc.6.aws.iam.2","checks": {"iam_user_accesskey_unused": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6","DescripcionControl": "Las claves de acceso deberán rotarse cada 90 días o menos."}],"description": "Mecanismo de autenticación (usuarios de la organización)","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"op.acc.6.aws.iam.3": {"name": "op.acc.6.aws.iam.3","checks": {"iam_user_accesskey_unused": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6","DescripcionControl": "Deberá habilitarse el vencimiento de las credenciales de los usuarios. 
(Bien a través de la política de contraseñas de IAM o del proveedor de identidades federado)."}],"description": "Mecanismo de autenticación (usuarios de la organización)","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"op.acc.6.aws.iam.4": {"name": "op.acc.6.aws.iam.4","checks": {"iam_user_no_setup_initial_access_key": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6","DescripcionControl": "Se deberá evitar la asignación por defecto de claves de acceso para todos los usuarios que tengan acceso a la consola. Para cumplir con este requisito, se recomienda revisar qué usuarios se encuentran dados de alta en la cuenta de AWS y disponen de acceso a la consola de administración y evitar la asignación de claves de acceso cuando no son necesarias."}],"description": "Mecanismo de autenticación (usuarios de la organización)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.cont.2.aws.az.1": {"name": "op.cont.2.aws.az.1","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "continuidad del servicio","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.cont.2","DescripcionControl": "(Organizativo) Deberá implementarse correctamente la distribución de servicios según regiones y zonas de disponibilidad para limitar al máximo los riesgos asociados a una única ubicación."}],"description": "Plan de continuidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.1.aws.cfg.1": {"name": "op.exp.1.aws.cfg.1","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": 
"explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "En lo referente al inventariado de activos, asegurar que AWS Config está habilitado en todas las regiones y utilizar la herramienta para obtener una vista de los recursos existentes en las cuentas de AWS."}],"description": "Inventario de activos","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.1.aws.cfg.2": {"name": "op.exp.1.aws.cfg.2","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "bajo","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "Configurar una regla de Config Rules que alerte sobre el despliegue de recursos sin las etiquetas correspondientes asociadas."}],"description": "Inventario de activos","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.1.aws.sys.1": {"name": "op.exp.1.aws.sys.1","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "En el ámbito del software desplegado en las instancias de EC2, habilitar AWS System Manager Inventory para todo el entorno de EC2 en caso de no utilizar herramientas de terceros."}],"description": "Inventario de activos","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"op.exp.1.aws.sys.2": {"name": "op.exp.1.aws.sys.2","checks": 
{"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "Asignar metadatos personalizados a cada nodo administrado con información sobre el responsable del activo."}],"description": "Inventario de activos","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.1.aws.tag.1": {"name": "op.exp.1.aws.tag.1","checks": {"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.1","DescripcionControl": "Para la correcta identificación del responsable, asociar etiquetas para todos los activos."}],"description": "Inventario de activos","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.3.aws.cfg.1": {"name": "op.exp.3.aws.cfg.1","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "bajo","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.3","DescripcionControl": "El cumplimiento de los requisitos se puede apoyar en la utilización de los servicios Config, Config Rules y Conformance Packs para identificar líneas base de configuración para evaluar si los recursos de AWS se ajustan a las prácticas autorizadas por la organización."}],"description": "Gestión de la configuración de seguridad","checks_status": 
{"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.4.aws.ami.1": {"name": "op.exp.4.aws.ami.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.4","DescripcionControl": "Una forma eficiente de garantizar la instalación de las versiones actualizadas y aprobadas del software de los sistemas es la utilización de Golden AMIs."}],"description": "Mantenimiento y actualizaciones de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.4.aws.sys.2": {"name": "op.exp.4.aws.sys.2","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.4","DescripcionControl": "Utilizar AWS Systems Manager Patch Manager para planificar y gestionar la aplicación de parches minimizando los riesgos asociados a tener instancias con software desactualizado y expuesto a vulnerabilidades conocidas."}],"description": "Mantenimiento y actualizaciones de seguridad","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"op.exp.5.aws.cal.1": {"name": "op.exp.5.aws.cal.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.5","DescripcionControl": "Utilizar AWS Change Calendar para establecer una ventana de tiempo (fecha y hora) en la que realizar los 
cambios y las pruebas de preproducción en equipos equivalentes a los de producción sin riesgo a que estas afecten a la continuidad del servicio prestado."}],"description": "Gestión de cambios","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.9.aws.img.1": {"name": "op.exp.9.aws.img.1","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssmincidents_enabled_with_plans": null},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.9","DescripcionControl": "Habilitar AWS Incident Manager y AWS CloudTrail en todas las regiones con el fin de recopilar información para generar contenido prescriptivo para la creación de informes exigidos por la medida de seguridad."}],"description": "Registro de la gestión de incidentes","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"op.mon.3.aws.cwl.1": {"name": "op.mon.3.aws.cwl.1","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automatico","IdGrupoControl": "op.mon.3","DescripcionControl": "Deberá asegurarse que todos los servicios que se utilicen en la arquitectura de la aplicación desplegada en AWS estén generando logs"}],"description": "Vigilancia","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.info.6.aws.iam.1": {"name": "mp.info.6.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["disponibilidad"],"Dependencias": 
[],"ModoEjecucion": "manual","IdGrupoControl": "mp.info.6","DescripcionControl": "La organización puede hacer uso de roles y políticas IAM para la definición y asignación de permisos en cuanto a controles de acceso de las copias de respaldo."}],"description": "Copias de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.info.6.aws.tag.1": {"name": "mp.info.6.aws.tag.1","checks": {"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.info.6","DescripcionControl": "Los planes de respaldo se pueden integrar con AWS Tags, acotando con base en las etiquetas de los recursos el alcance de cada proceso de copiado."}],"description": "Copias de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.4.aws.iam.10": {"name": "op.acc.4.aws.iam.10","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "Se evitará que los usuarios puedan deshabilitar o modificar servicios relacionados con el área de seguridad como AWS Config o AWS CloudWatch."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.11": {"name": "op.acc.4.aws.iam.11","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": 
"op.acc.4","DescripcionControl": "Deberá definirse una política de IAM que conceda permiso al usuario o rol de IAMpara utilizar exclusivamente los recursos y las acciones de WorkSpace que necesita."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.12": {"name": "op.acc.4.aws.iam.12","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "Las políticas IAM únicamente deben poder asignarse por el usuario que tenga la función de control de accesos expresamente atribuida."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.4.aws.iam.13": {"name": "op.acc.4.aws.iam.13","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.4","DescripcionControl": "No utilizar el usuario raíz salvo necesidad expresa."}],"description": "Proceso de gestión de derechos de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.cont.3.aws.drs.1": {"name": "op.cont.3.aws.drs.1","checks": {"drs_job_exist": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "continuidad del servicio","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.cont.3","DescripcionControl": "La organización puede hacer uso del servicio AWS Elastic Disaster Recovery, programando y ejecutando pruebas no disruptivas (simulacros que no 
afectan ni al servidor de origen ni a la replicación de datos en curso) que prueben el correcto funcionamiento de las recuperaciones del plan de continuidad."}],"description": "Pruebas periódicas","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.1": {"name": "op.exp.10.aws.cmk.1","checks": {"iam_policy_no_full_access_to_kms": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Los usuarios o roles con privilegios para la creación de claves deben ser diferentes a los que van a utilizar las claves para operaciones de cifrado."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.2": {"name": "op.exp.10.aws.cmk.2","checks": {"iam_policy_no_full_access_to_kms": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Utilizar claves gestionadas por los clientes (CMK)."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.3": {"name": "op.exp.10.aws.cmk.3","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Activar la rotación de las claves 
CMK."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.4": {"name": "op.exp.10.aws.cmk.4","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Para el archivo posterior a la explotación y destrucción de las claves se debe deshabilitar todas las claves CMK que no estén en uso."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.5": {"name": "op.exp.10.aws.cmk.5","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Eliminar las claves deshabilitadas que no estén en uso y no mantengan ningún objeto o recurso cifrado, completando el ciclo de vida de la clave."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.10.aws.cmk.6": {"name": "op.exp.10.aws.cmk.6","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.10","DescripcionControl": "Utilizar el principio de mínimos privilegios para las 
políticas asociadas a claves."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.10.aws.cmk.7": {"name": "op.exp.10.aws.cmk.7","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.10","DescripcionControl": "Utilizar tags y alias para una mejor administración de las claves."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.10.aws.cmk.8": {"name": "op.exp.10.aws.cmk.8","checks": {},"status": "PASS","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.10","DescripcionControl": "Utilizar las políticas IAM y las concesiones de claves para el acceso a las mismas."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.10.aws.tag.1": {"name": "op.exp.10.aws.tag.1","checks": {"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.10","DescripcionControl": "Se recomienda utilizar tags y alias para una mejor gestión y administración de las claves."}],"description": "Protección de claves criptográficas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.mon.1.aws.flow.1": {"name": 
"op.mon.1.aws.flow.1","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "requisito","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.1","DescripcionControl": "Activar el servicio VPC FlowLogs."}],"description": "Detección de intrusión","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.pl.2.aws.warch.1": {"name": "op.pl.2.aws.warch.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.2.r3","DescripcionControl": "Es recomendable que la entidad usuaria se apoye en el marco de trabajo AWS Well-Architected Framework"}],"description": "Validación de datos","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.pl.4.r1.aws.cw.1": {"name": "op.pl.4.r1.aws.cw.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "En caso de no disponer de herramientas de terceros, se deberán utilizar las herramientas de monitorización de la capaciad indicadas para monitorizar las capacidades de la infraestructura y el grado de consumo de los servicios en función de las cuotas disponibles. 
(CloudWatch)"}],"description": "Mejora continua de la gestión de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.pl.4.r1.aws.sq.1": {"name": "op.pl.4.r1.aws.sq.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "En caso de no disponer de herramientas de terceros, se deberán utilizar las herramientas de monitorización de la capaciad indicadas para monitorizar las capacidades de la infraestructura y el grado de consumo de los servicios en función de las cuotas disponibles. (Service Quotas)"}],"description": "Mejora continua de la gestión de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.pl.4.r1.aws.sq.2": {"name": "op.pl.4.r1.aws.sq.2","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "En cuanto a la monitorización sobre el grado de consumo, utilizar la solución nativa Quota Monitor."}],"description": "Previsión y actualización de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.pl.4.r1.aws.sq.3": {"name": "op.pl.4.r1.aws.sq.3","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "Visualizar las cuotas de servicio y configurar alarmas a través de la integración de AWS Service Quotas con CloudWatch."}],"description": "Monitorización de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 
0}},"mp.info.6.aws.bcku.1": {"name": "mp.info.6.aws.bcku.1","checks": {"backup_plans_exist": "PASS","backup_vaults_exist": null,"backup_reportplans_exist": null},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.info.6","DescripcionControl": "Para los procedimientos de respaldo de cualquiera de los dos entornos (local y nube) y siempre y cuando se utilicen recursos compatibles en el entorno local, la entidad puede hacer uso de AWS Backup, que permite elaboración de planes de respaldo y la definición de reglas de frecuencia, ciclo de vida, lugar de almacenamiento y etiquetado de las copias de seguridad."}],"description": "Copias de seguridad","checks_status": {"fail": 0,"pass": 1,"total": 3,"manual": 0}},"mp.si.2.r1.aws.kms.1": {"name": "mp.si.2.r1.aws.kms.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.si.2.r1","DescripcionControl": "Utilizar productos certificados conforme a op.pl.5, si bien AWS KMS es un producto certificado cuyo uso satisface la exigencia de este control."}],"description": "Productos certificados","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.si.2.r2.aws.ebs.1": {"name": "mp.si.2.r2.aws.ebs.1","checks": {"ec2_ebs_snapshots_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los soportes de información","Dimensiones": ["confidencialidad","integridad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.si.2.r2","DescripcionControl": "Se deberá asegurar el cifrado de las 
copias de seguridad (snapshots) de EBS."}],"description": "Copias de seguridad","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"mp.sw.2.r1.aws.acb.1": {"name": "mp.sw.2.r1.aws.acb.1","checks": {"codebuild_project_older_90_days": "FAIL","codebuild_project_user_controlled_buildspec": "PASS"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.sw.2.r1","DescripcionControl": "Habilitar Amazon CodeBuild para el apoyo de la realización de pruebas en entornos aisaldos."}],"description": "Aceptación y puesta en servicio","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"op.exp.8.r1.aws.ct.2": {"name": "op.exp.8.r1.aws.ct.2","checks": {"cloudtrail_insights_exist": null,"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Configurar la herramienta CloudTrail de manera que realice el registro de eventos de administración, eventos de datos y eventos anómalos (insights)."}],"description": "Revisión de los registros","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"op.exp.8.r1.aws.ct.3": {"name": "op.exp.8.r1.aws.ct.3","checks": {"cloudtrail_insights_exist": null,"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Tipo": 
"refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Registrar los eventos de lectura y escritura de datos."}],"description": "Revisión de los registros","checks_status": {"fail": 0,"pass": 0,"total": 4,"manual": 0}},"op.exp.8.r1.aws.ct.4": {"name": "op.exp.8.r1.aws.ct.4","checks": {"cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Registrar los eventos de lectura y escritura de datos."}],"description": "Revisión de los registros","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"op.exp.8.r1.aws.ct.6": {"name": "op.exp.8.r1.aws.ct.6","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Habilitar la entrega continua de eventos de CloudTrail a un bucket de Amazon S3"}],"description": "Revisión de los registros","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r1.aws.ct.7": {"name": "op.exp.8.r1.aws.ct.7","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Integrar CloudTrail con el servicio CloudWatch Logs"}],"description": "Revisión de los 
registros","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r1.aws.cw.1": {"name": "op.exp.8.r1.aws.cw.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.8.r1","DescripcionControl": "Utilizar el servicio AWS CloudWatch para centralizar y revisar los registros de todos los sistemas independientemente de su origen."}],"description": "Revisión de los registros","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.8.r3.aws.ct.1": {"name": "op.exp.8.r3.aws.ct.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.8.r3","DescripcionControl": "Ejecutar la acción PutRetentionPolicy de Amazon CloudWatch, permitiendo así establecer la retención del grupo de registros especificado y configurar el número de días durante los cuales se conservarán los eventos de registro en el grupo seleccionado de acuerdo con el documento de seguridad correspondiente. 
Paralelamente, se debe definir un periodo de retención para los datos almacenados en CloudTrail Lakes."}],"description": "Retención de registros","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.8.r3.aws.cw.1": {"name": "op.exp.8.r3.aws.cw.1","checks": {"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r3","DescripcionControl": "Ejecutar la acción PutRetentionPolicy de Amazon CloudWatch, permitiendo así establecer la retención del grupo de registros especificado y configurar el número de días durante los cuales se conservarán los eventos de registro en el grupo seleccionado de acuerdo con el documento de seguridad correspondiente. Paralelamente, se debe definir un periodo de retención para los datos almacenados en CloudTrail Lakes."}],"description": "Retención de registros","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.1": {"name": "op.exp.8.r4.aws.ct.1","checks": {"iam_policy_allows_privilege_escalation": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_role_cross_service_confused_deputy_prevention": null,"iam_customer_attached_policy_no_administrative_privileges": null,"iam_customer_unattached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Asignar correctamente las políticas AWS IAM para el acceso y borrado de los registros y sus copias de seguridad haciendo uso del principio de mínimo 
privilegio."}],"description": "Control de acceso","checks_status": {"fail": 0,"pass": 0,"total": 7,"manual": 0}},"op.exp.8.r4.aws.ct.2": {"name": "op.exp.8.r4.aws.ct.2","checks": {"s3_bucket_public_access": null,"s3_bucket_policy_public_write_access": "PASS","cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Utilizar una política de bucket para restringir el acceso de forma pública e imponer restricciones sobre cuáles de los usuarios pueden eliminar objetos de Amazon S3."}],"description": "Control de acceso","checks_status": {"fail": 0,"pass": 2,"total": 3,"manual": 0}},"op.exp.8.r4.aws.ct.3": {"name": "op.exp.8.r4.aws.ct.3","checks": {"cloudtrail_bucket_requires_mfa_delete": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Activar el acceso por MFA al registro de actividad almacenado en los buckets de Amazon S3 dedicados para AWS CloudTrail."}],"description": "Control de acceso","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.4": {"name": "op.exp.8.r4.aws.ct.4","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Configurar los archivos de logs de AWS CloudTrail para aprovechar el cifrado del lado del servidor (SSE – Server Side Encryption) y las claves maestras creadas por el cliente (CMK de 
KMS)."}],"description": "Control de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.5": {"name": "op.exp.8.r4.aws.ct.5","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "El almacén de logs de CloudTrail no debería ser accesible de forma pública"}],"description": "Control de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.6": {"name": "op.exp.8.r4.aws.ct.6","checks": {"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "El almacén de logs de CloudTrail no debería ser accesible de forma pública(ACLs)"}],"description": "Control de acceso","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.7": {"name": "op.exp.8.r4.aws.ct.7","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Cifrado de los trails con KMS"}],"description": "Control de acceso","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.8.r4.aws.ct.8": {"name": "op.exp.8.r4.aws.ct.8","checks": {"iam_policy_allows_privilege_escalation": null,"iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_no_custom_policy_permissive_role_assumption": 
null,"iam_role_cross_service_confused_deputy_prevention": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["trazabilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.8.r4","DescripcionControl": "Asignar correctamente las políticas IAM para el acceso y borrado de los registros y sus copias de seguridad haciendo uso del principio de mínimo privilegio."}],"description": "Control de acceso","checks_status": {"fail": 0,"pass": 0,"total": 7,"manual": 0}},"op.mon.3.r1.aws.gd.1": {"name": "op.mon.3.r1.aws.gd.1","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r1","DescripcionControl": "Activar GuardDuty y Security Hub o bien disponer de un SIEM externo a AWS"}],"description": "Correlación de eventos","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.3.r1.aws.sh.1": {"name": "op.mon.3.r1.aws.sh.1","checks": {"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r1","DescripcionControl": "Activar GuardDuty y Security Hub o bien disponer de un SIEM externo a AWS"}],"description": "Correlación de eventos","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.3.r2.aws.sh.1": {"name": "op.mon.3.r2.aws.sh.1","checks": 
{"securityhub_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r2","DescripcionControl": "Utilizar las herramientas AWS Config y Security hub"}],"description": "Análisis dinámico","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.mon.3.r3.aws.gd.1": {"name": "op.mon.3.r3.aws.gd.1","checks": {"guardduty_is_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r3","DescripcionControl": "Activar GuardDuty (ya cubierto)"}],"description": "Ciberamenazas avanzadas","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.pl.4.r1.aws.sns.1": {"name": "op.pl.4.r1.aws.sns.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "Para la creación de alarmas en materia de capacidad de las instancias, se debe configurar un tema de SNS que permita el envío de mails automáticos a la dirección de correo seleccionada."}],"description": "Monitorización de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.pl.4.r1.aws.sns.2": {"name": "op.pl.4.r1.aws.sns.2","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "planificación","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": 
"manual","IdGrupoControl": "op.pl.4.r1","DescripcionControl": "Configurar alarmas correspondientes a las diferentes capacidades (SNS) como uso de CPU, capacidad de almacenamiento o latencia."}],"description": "Monitorización de la capacidad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.3.r1.aws.vpn.1": {"name": "mp.com.3.r1.aws.vpn.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["integridad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.com.3.r1","DescripcionControl": "Utilizar VPN Site-to-Site para conectar las VPCs con las redes locales o externas."}],"description": "Redes privadas virtuales","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.com.4.r1.aws.vpc.1": {"name": "mp.com.4.r1.aws.vpc.1","checks": {"vpc_different_regions": null,"vpc_subnet_separate_private_public": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.4.r1","DescripcionControl": "Implementar la segmentación a través de la utilización de diferentes VPCs."}],"description": "Segmentación lógica avanzada","checks_status": {"fail": 1,"pass": 0,"total": 2,"manual": 0}},"mp.com.4.r2.aws.vpc.1": {"name": "mp.com.4.r2.aws.vpc.1","checks": {"vpc_peering_routing_tables_with_least_privilege": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": ["mp.com.4.r3"],"ModoEjecucion": "automático","IdGrupoControl": 
"mp.com.4.r2","DescripcionControl": "Implementar la segmentación a través de la utilización de diferentes VPCs conectadas entre sí por VPN."}],"description": "Segmentación lógica avanzada","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"mp.com.4.r3.aws.vpc.1": {"name": "mp.com.4.r3.aws.vpc.1","checks": {"vpc_different_regions": null,"vpc_subnet_different_az": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de las comunicaciones","Dimensiones": ["confidencialidad","integridad"],"Dependencias": ["mp.com.4.r2"],"ModoEjecucion": "automático","IdGrupoControl": "mp.com.4.r3","DescripcionControl": "Implementar la segmentación a través de diferentes VPCs situadas en diferentes ubicaciones."}],"description": "Segmentación física","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"mp.sw.2.r1.aws.cfgd.1": {"name": "mp.sw.2.r1.aws.cfgd.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.sw.2.r2","DescripcionControl": "Habilitar CloudFormation Guard para el apoyo en las tareas de inspección de recursos no conformes implementados en el código fuente."}],"description": "Aceptación y puesta en servicio","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.1.r1.aws.iam.1": {"name": "op.acc.1.r1.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.1.r1","DescripcionControl": "Los identificadores de usuario deberán ser asignados en el proveedor de identidades (o en IAM) de 
modo que se permita singularizar a la persona asociada a cada identificador y cumplir con el resto de requisitos del refuerzo"}],"description": "Identificación de usuario","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.2.r1.aws.iam.1": {"name": "op.acc.2.r1.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.2.r1","DescripcionControl": "Evitar el uso de asunción de roles para cualquier cuenta."}],"description": "Privilegios de acceso","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.3.r1.aws.iam.1": {"name": "op.acc.3.r1.aws.iam.1","checks": {"iam_support_role_created": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.3.r1","DescripcionControl": "En caso de ser de aplicación, la segregación deberá tener en cuenta la separación de las funciones de configuración y mantenimiento y de auditoría de cualquier otra."}],"description": "Segregación rigurosa","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.3.r2.aws.iam.1": {"name": "op.acc.3.r2.aws.iam.1","checks": {"iam_securityaudit_role_created": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "opcional","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.3.r2","DescripcionControl": "Disponer de cuentas con privilegios de auditoría estrictamente controladas y personalizadas."}],"description": "Privilegios de 
auditoría","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.3.r3.aws.iam.1": {"name": "op.acc.3.r3.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "opcional","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.3.r3","DescripcionControl": "Limitar el acceso a la información de seguridad del sistema a los administradores de seguridad utilizando los mecanismos de acceso imprescindibles (consola, interfaz web, acceso remoto etc.)."}],"description": "Acceso a la información de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.r1.aws.iam.1": {"name": "op.acc.6.r1.aws.iam.1","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": ["op.acc.6.r2","op.acc.6.r4"],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r1","DescripcionControl": "Las contraseñas de los usuarios deberán tener normas de complejidad mínima y robustez."}],"description": "Contraseñas","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"op.acc.6.r2.aws.iam.1": {"name": "op.acc.6.r2.aws.iam.1","checks": {"iam_root_mfa_enabled": null,"iam_administrator_access_with_mfa": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": 
["op.acc.6.r1","op.acc.6.r4"],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r2","DescripcionControl": "MFA deberá estar habilitado para todas las cuentas que tengan contraseña para acceder a la consola, incluyendo el usuario root."}],"description": "Contraseña + otro factor de autenticación","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"op.acc.6.r2.aws.iam.2": {"name": "op.acc.6.r2.aws.iam.2","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.6.r2","DescripcionControl": "Se recomienda que la organización determine qué llamadas a la API deben también contar con seguridad reforzada a través de un doble factor de autenticación."}],"description": "Contraseña + otro factor de autenticación","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.r3.aws.iam.1": {"name": "op.acc.6.r3.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.6.r3","DescripcionControl": "Utilizar el servicio AWS IAM Roles Anywhere para crear un ancla de confianza en la que se haga referencia al servicio AWS Certificate Manager Private CA o registrar sus propias autoridades de certificación (CA), permitiendo usar el certificado emitido por la misma para obtener credenciales temporales para el acceso al entorno AWS. 
Estos certificados deberán estar protegidos por un segundo factor."}],"description": "Certificados","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.r4.aws.iam.1": {"name": "op.acc.6.r4.aws.iam.1","checks": {"iam_root_hardware_mfa_enabled": null,"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": ["op.acc.6.r1","op.acc.6.r3"],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r4","DescripcionControl": "Habilitar los dispositivos MFA físicos para todos los usuarios IAM mediante la consola, línea de comandos o la propia API de IAM. Del mismo modo, el uso de estos certificados deberá estar protegido por un segundo factor de tipo PIN o biométrico."}],"description": "Certificados en dispositvo físico","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"op.acc.6.r5.aws.iam.1": {"name": "op.acc.6.r5.aws.iam.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r5","DescripcionControl": "Para registrar los intentos de acceso, se deberá habilitar CloudTrail en todas las regiones y activar el registro de acceso de usuarios."}],"description": "Registro","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"op.acc.6.r5.aws.iam.2": {"name": "op.acc.6.r5.aws.iam.2","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": 
"manual","IdGrupoControl": "op.acc.6.r5","DescripcionControl": "Habilitar la información de usuario sobre la fecha de último uso de sus claves de acceso."}],"description": "Registro","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.r7.aws.iam.1": {"name": "op.acc.6.r7.aws.iam.1","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r7","DescripcionControl": "Activar la deshabilitación de las credenciales de los usuarios IAM que no hayan sido empleadas durante un periodo de tiempo (o bien, se deberá establecer la deshabilitación en el proveedor de identidades)."}],"description": "Suspensión por no utilización","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"op.acc.6.r8.aws.iam.1": {"name": "op.acc.6.r8.aws.iam.1","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.acc.6.r8","DescripcionControl": "Se deberá emplear como mecanismo de autenticación o bien una contraseña más otro factor de autenticación, o bien un certificado cualificado (con o sin soporte físico) protegido por un doble factor de autenticación."}],"description": "Doble factor para acceso desde o a través de zonas no controladas","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.acc.6.r9.aws.iam.1": {"name": "op.acc.6.r9.aws.iam.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de 
acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.6.9","DescripcionControl": "Deberá asegurarse que se está haciendo uso de HTTPS en todas las llamadas a API. Esto se puede lograr a través de una política IAM que rechace el tráfico que no sea HTTPS."}],"description": "Acceso remoto (todos los niveles)","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.acc.6.r9.aws.iam.2": {"name": "op.acc.6.r9.aws.iam.2","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "control de acceso","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.acc.6.9","DescripcionControl": "En caso de que las llamadas a las APIs no se produzcan de manera constante, se recomienda condicionar su realización a aquellas franjas horarias en las que sean necesarias. "}],"description": "Acceso remoto (todos los niveles)","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.1.r3.aws.tag.1": {"name": "op.exp.1.r3.aws.tag.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "opcional","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.1.r4","DescripcionControl": "Mantener actualizada una relación de los componentes software de terceros utilizados en el despliegue del sistema. 
Listado equivalente a lo requerido en mp.sw.1.r5."}],"description": "Lista de componentes software","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.3.r3.aws.cfg.1": {"name": "op.exp.3.r3.aws.cfg.1","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.3.r3","DescripcionControl": "La entidad usuaria puede consultar el histórico de configuraciones de recursos en AWS Config."}],"description": "Copias de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.3.r4.aws.cfg.2": {"name": "op.exp.3.r4.aws.cfg.2","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.3.r3","DescripcionControl": "Desplegar toda la infraestructura de AWS a través de código con el servicio AWS CloudFormation."}],"description": "Copias de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.4.r2.aws.sys.1": {"name": "op.exp.4.r2.aws.sys.1","checks": {"ec2_instance_managed_by_ssm": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.4.r2","DescripcionControl": "Utilizar la solución AWS Systems Manager Automation para automatizar las tareas de corrección en servicios de AWS como EC2 y RDS."}],"description": "Prevención de fallos","checks_status": 
{"fail": 1,"pass": 0,"total": 1,"manual": 0}},"op.exp.6.r1.aws.sys.1": {"name": "op.exp.6.r1.aws.sys.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.6.r1","DescripcionControl": "Automatizar las operaciones estándar a llevar a cabo para la respuesta en caso de incidente a través de AWS System Manager"}],"description": "Escaneo periódico","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.6.r3.aws.sys.1": {"name": "op.exp.6.r3.aws.sys.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.6.r3","DescripcionControl": "Hacer uso de AWS System Manager Inventory para definir, a nivel de software, una lista blanca de aplicaciones."}],"description": "Lista blanca","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.exp.6.r4.aws.sys.1": {"name": "op.exp.6.r4.aws.sys.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.6.r4","DescripcionControl": "Automatizar tareas estándar a través de AWS System Manager"}],"description": "Capacidad de respuesta en caso de incidente","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"op.mon.3.r2.aws.cfg.1": {"name": "op.mon.3.r2.aws.cfg.1","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": 
"refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r2","DescripcionControl": "Utilizar las herramientas AWS Config y Security hub"}],"description": "Análisis dinámico","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.mon.3.r6.aws.cfg.1": {"name": "op.mon.3.r6.aws.cfg.1","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r6","DescripcionControl": "Utilizar Config Rules y AWS Inspector"}],"description": "Inspecciones de seguridad","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"op.exp.4.r4.aws.insp.1": {"name": "op.exp.4.r4.aws.insp.1","checks": {"inspector2_is_enabled": "FAIL","inspector2_active_findings_exist": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "opcional","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.exp.4.r4","DescripcionControl": "Desplegar a nivel de sistema una estrategia de monitorización continua de amenazas y vulnerabilidades detallando: indicadores críticos de seguridad, política de aplicación de parches y criterios de revisión regular y excepcional de amenazas del sistema."}],"description": "Monitorización continua","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"op.mon.3.r2.aws.insp.1": {"name": "op.mon.3.r2.aws.insp.1","checks": {"inspector2_is_enabled": 
"FAIL","inspector2_active_findings_exist": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r2","DescripcionControl": "Utilizar la herramienta Inspector para la detección de posibles vulneerabilidades de las instancias EC2, las funciones Lambda y las imágenes de contenedor."}],"description": "Análisis dinámico","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"op.mon.3.r6.aws.insp.1": {"name": "op.mon.3.r6.aws.insp.1","checks": {"inspector2_is_enabled": "FAIL","inspector2_active_findings_exist": "FAIL"},"status": "FAIL","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "alto","Categoria": "monitorización del sistema","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "op.mon.3.r6","DescripcionControl": "Utilizar Config Rules y AWS Inspector."}],"description": "Inspecciones de seguridad","checks_status": {"fail": 2,"pass": 0,"total": 2,"manual": 0}},"mp.info.6.r2.aws.bcku.1": {"name": "mp.info.6.r2.aws.bcku.1","checks": {},"status": "PASS","attributes": [{"Tipo": "recomendacion","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de la información","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "mp.info.6.r2","DescripcionControl": "La organización puede hacer uso de la nube de AWS como ubicación diferente para el almacenamiento de la copia de seguridad separada del resto o, incluo, utilizar los servicios de ubicación para separar una copia de seguridad en una ubicación diferente dentro de la propia nube."}],"description": "Protección de las copias de seguridad","checks_status": {"fail": 
0,"pass": 0,"total": 0,"manual": 0}},"op.exp.1.r2.aws.sminv.1": {"name": "op.exp.1.r2.aws.sminv.1","checks": {},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "operacional","Nivel": "opcional","Categoria": "explotación","Dimensiones": ["confidencialidad","integridad","trazabilidad","autenticidad","disponibilidad"],"Dependencias": [],"ModoEjecucion": "manual","IdGrupoControl": "op.exp.1.r2","DescripcionControl": "Disponer de herramientas que permitan visualizar de forma continua el estado de todos los equipos en la red, en particular servidores y los dispositivos de red y comunicaciones."}],"description": "Identificación periódica de activos","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"mp.s.4.r1.aws.shieldadv.1": {"name": "mp.s.4.r1.aws.shieldadv.1","checks": {"shield_advanced_protection_in_global_accelerators": null,"shield_advanced_protection_in_route53_hosted_zones": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"shield_advanced_protection_in_internet_facing_load_balancers": null},"status": "PASS","attributes": [{"Tipo": "refuerzo","Marco": "medidas de protección","Nivel": "alto","Categoria": "protección de los servicios","Dimensiones": ["disponibilidad"],"Dependencias": [],"ModoEjecucion": "automático","IdGrupoControl": "mp.s.4.r1","DescripcionControl": "Activar AWS Shield Advanced con el fin de disponer de una herramienta de prevención, detección y mitigación de ataques de denegación de servicio."}],"description": "Detección y reacción","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}}},"requirements_passed": 83,"requirements_failed": 37,"requirements_manual": 69,"total_requirements": 189,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "eeee198e-1eda-48dc-aeb6-eb28e98f8dde","fields": {"tenant": 
"12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "kisa_isms_p_2023_korean_aws","framework": "KISA-ISMS-P","version": "2023-korean","description": "ISMS-P 인증은 한국인터넷진흥원(KISA)이 제정한 정보보호 및 개인정보보호 관리체계를 기반으로, 독립적인 심사기관이 기업이나 조직의 보안 및 개인정보 보호 활동이 인증 기준을 충족하는지 평가한 후 인증을 부여하는 제도입니다. 이를 통해 기업과 기관은 제공하는 서비스에 대한 대중의 신뢰를 높이고, 점점 복잡해지는 사이버 위협에 효과적으로 대응할 수 있습니다. 또한, ISMS-P는 정보보호와 개인정보 보호를 체계적으로 수립하고 운영할 수 있는 포괄적인 지침을 제공합니다.","region": "eu-west-1","requirements": {"1.1.1": {"name": "경영진의 참여","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.1 경영진의 참여","Subdomain": "1.1. 관리체계","AuditEvidence": ["정보보호 및 개인정보보호 보고 체계(의사소통계획 등)","정보보호 및 개인정보보호 위원회 회의록","정보보호 및 개인정보보호 정책·지침(경영진 승인내역 포함)","정보보호계획 및 내부 관리계획(경영진 승인내역 포함)","정보보호 및 개인정보보호 조직도"],"AuditChecklist": ["정보보호 및 개인정보보호 관리체계의 수립 및 운영활동 전반에 경영진의 참여가 이루어질 수 있도록 보고 및 의사결정 등의 책임과 역할을 문서화하고 있는가?","경영진이 정보보호 및 개인정보보호 활동에 관한 의사결정에 적극적으로 참여할 수 있는 보고, 검토 및 승인 절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 정책서에 분기별로 정보보호 및 개인정보보호 현황을 경영진에게 보고하도록 명시하였으나, 장기간 관련 보고를 수행하지 않은 경우","사례 2 : 중요 정보보호 활동(위험평가, 위험수용수준 결정, 정보보호대책 및 이행계획 검토, 정보보호대책 이행결과 검토, 보안감사 등)을 수행하면서 관련 활동관련 보고, 승인 등 의사결정에 경영진 또는 경영진의 권한을 위임받은 자가 참여하지 않았거나 관련 증거자료가 확인되지 않은 경우"],"RelatedRegulations": []}],"description": "최고경영자는 정보보호 및 개인정보보호 관리체계의 수립과 운영활동 전반에 경영진의 참여가 이루어질 수 있도록 보고 및 의사결정 체계를 수립하여 운영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.2": {"name": "최고책임자의 지정","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.2 최고책임자의 지정","Subdomain": "1.1. 
관리체계","AuditEvidence": ["정보보호 최고책임자 및 개인정보 보호책임자 임명관련 자료(인사명령, 인사카드 등)","정보보호 및 개인정보보호 조직도","정보보호 및 개인정보보호 정책·지침","직무기술서(정보보호 최고책임자 및 개인정보 보호책임자의 역할 및 책임에 관한 사항)","정보보호 최고책임자 신고 내역","내부 관리계획(개인정보 보호책임자 지정에 관한 사항)"],"AuditChecklist": ["최고경영자는 정보보호 및 개인정보보호 처리에 관한 업무를 총괄하여 책임질 최고책임자를 공식적으로 지정하고 있는가?","정보보호 최고책임자 및 개인정보 보호책임자는 예산, 인력 등 자원을 할당할 수 있는 임원급으로 지정하고 있으며, 관련 법령에 따른 자격요건을 충족하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보통신망법에 따른 정보보호 최고책임자 지정 및 신고 의무 대상자임에도 불구하고 정보보호 최고책임자를 지정 및 신고하지 않은 경우","사례 2 : 개인정보 보호와 관련된 실질적인 권한 및 지위를 보유하고 있지 않은 인원을 개인정보 보호 책임자로 지정하고 있어, 개인정보 처리에 관한 업무를 총괄해서 책임질 수 있다고 보기 어려운 경우","사례 3 : 조직도상에 정보보호 최고책임자 및 개인정보 보호책임자를 명시하고 있으나, 인사발령 등의 공식적인 지정절차를 거치지 않은 경우","사례 4 : ISMS 인증 의무대상자이면서 전년도 말 기준 자산총액이 5천억 원을 초과한 정보통신서비스 제공자이지만 정보보호 최고책임자가 CIO를 겸직하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무), 제31조(개인정보 보호책임자의 지정)","정보통신망법 제45조의3(정보보호 최고책임자의 지정 등)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "최고경영자는 정보보호 업무를 총괄하는 정보보호 최고책임자와 개인정보보호 업무를 총괄하는 개인정보보호 책임자를 예산·인력 등 자원을 할당할 수 있는 임원급으로 지정하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.3": {"name": "조직 구성","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.3 조직 구성","Subdomain": "1.1. 
관리체계","AuditEvidence": ["정보보호 및 개인정보보호 위원회 규정·회의록","정보보호 및 개인정보보호 실무 협의체 규정·회의록","정보보호 및 개인정보보호 조직도","내부 관리계획","직무기술서"],"AuditChecklist": ["정보보호 최고책임자 및 개인정보 보호책임자의 업무를 지원하고 조직의 정보보호 및 개인정보보호 활동을 체계적으로 이행하기 위하여 전문성을 갖춘 실무조직을 구성하여 운영하고 있는가?","조직 전반에 걸친 중요한 정보보호 및 개인정보보호 관련사항에 대하여 검토, 승인 및 의사결정을 할 수 있는 위원회를 구성하여 운영하고 있는가?","전사적 정보보호 및 개인정보보호 활동을 위하여 정보보호 및 개인정보보호 관련 담당자 및 부서별 담당자로 구성된 실무 협의체를 구성하여 운영하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 위원회를 구성하였으나, 임원 등 경영진이 포함되어 있지 않고 실무 부서의 장으로 구성되어 있어 조직의 중요 정보 및 개인정보 보호에 관한 사항을 결정할 수 없는 경우","사례 2 : 내부 지침에 따라 중요 정보처리 부서 및 개인정보처리 부서의 장(팀장급)으로 구성된 정보보호 및 개인정보보호 실무 협의체를 구성하였으나, 장기간 운영 실적이 없는 경우","사례 3 : 정보보호 및 개인정보보호 위원회를 개최하였으나, 연간 정보보호 및 개인정보보호 계획 및 교육 계획, 예산 및 인력 등 정보보호 및 개인정보보호에 관한 주요 사항이 검토 및 의사결정이 되지 않은 경우","사례 4 : 정보보호 및 개인정보보호 관련 심의·의결을 위해 정보보호위원회를 구성하여 운영하고 있으나, 운영 및 IT보안 관련 조직만 참여하고 개인정보보호 관련 조직은 참여하지 않고 있어 개인정보보호에 관한 사항을 결정할 수 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "최고경영자는 정보보호와 개인정보보호의 효과적 구현을 위한 실무조직, 조직 전반의 정보보호와 개인정보보호 관련 주요 사항을 검토 및 의결할 수 있는 위원회, 전사적 보호활동을 위한 부서별 정보보호와 개인정보보호 담당자로 구성된 협의체를 구성하여 운영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.4": {"name": "범위 설정","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.4 범위 설정","Subdomain": "1.1. 
관리체계","AuditEvidence": ["정보보호 및 개인정보보호 관리체계 범위 정의서","정보자산 및 개인정보 목록","문서 목록","서비스 흐름도","개인정보 흐름도","전사 조직도","시스템 및 네트워크 구성도"],"AuditChecklist": ["조직의 핵심 서비스 및 개인정보 처리에 영향을 줄 수 있는 핵심자산을 포함하도록 관리체계 범위를 설정하고 있는가?","정의된 범위 내에서 예외사항이 있을 경우 명확한 사유 및 관련자 협의·책임자 승인 등 관련 근거를 기록·관리하고 있는가?","정보보호 및 개인정보보호 관리체계 범위를 명확히 확인할 수 있도록 관련된 내용(주요 서비스 및 업무 현황, 정보시스템 목록, 문서목록 등)이 포함된 문서를 작성하여 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보시스템 및 개인정보처리시스템 개발업무에 관련한 개발 및 시험 시스템, 외주업체직원, PC, 테스트용 단말기 등이 관리체계 범위에서 누락된 경우","사례 2 : 정보보호 및 개인정보보호 관리체계 범위로 설정된 서비스 또는 사업에 대하여 중요 의사결정자 역할을 수행하고 있는 임직원, 사업부서 등의 핵심 조직(인력)을 인증범위에 포함하지 않은 경우","사례 3 : 정보시스템 및 개인정보처리시스템 개발업무에 관련한 개발 및 시험 시스템, 개발자 PC, 테스트용 단말기, 개발조직 등이 관리체계 범위에서 누락된 경우"],"RelatedRegulations": []}],"description": "조직의 핵심 서비스와 개인정보 처리 현황 등을 고려하여 관리체계 범위를 설정하고, 관련된 서비스를 비롯하여 개인정보 처리 업무와 조직, 자산, 물리적 위치 등을 문서화하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.5": {"name": "정책 수립","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.5 정책 수립","Subdomain": "1.1. 
관리체계","AuditEvidence": ["정보보호 및 개인정보보호 정책·지침·절차서(제·개정 내역 포함)","정보보호 및 개인정보보호 정책·지침절차서 제·개정 시 이해관계자 검토 회의록","개인정보 내부 관리계획","정보보호 및 개인정보보호 정책·지침 제·개정 공지내역(그룹웨어, 사내게시판 등)","정보보호 및 개인정보보호 위원회 회의록"],"AuditChecklist": ["조직이 수행하는 모든 정보보호 및 개인정보보호 활동의 근거를 포함하는 최상위 수준의 정보보호 및 개인정보보호 정책을 수립하고 있는가?","정보보호 및 개인정보보호 정책의 시행을 위하여 필요한 세부적인 방법, 절차, 주기 등을 규정한 지침, 절차, 매뉴얼 등을 수립하고 있는가?","정보보호 및 개인정보보호 정책·시행문서의 제·개정 시 최고경영자 또는 최고경영자로부터 권한을 위임받은 자의 승인을 받고 있는가?","정보보호 및 개인정보보호 정책·시행문서의 최신본을 관련 임직원에게 이해하기 쉬운 형태로 제공하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 규정에 따르면 정보보호 및 개인정보보호 정책서 제·개정 시에는 정보보호 및 개인정보보호 위원회의 의결을 거치도록 하고 있으나, 최근 정책서 개정 시 위원회에 안건으로 상정하지 않고 정보보호 최고책임자 및 개인정보 보호책임자의 승인을 근거로만 개정한 경우","사례 2 : 정보보호 및 개인정보보호 정책 및 지침서가 최근에 개정되었으나, 해당 사항이 관련 부서 및 임직원에게 공유·전달되지 않아 일부 부서에서는 구버전의 지침서를 기준으로 업무를 수행하고 있는 경우","사례 3 : 정보보호 및 개인정보보호 정책 및 지침서를 보안부서에서만 관리하고 있고, 임직원이 열람할 수 있도록 게시판, 문서 등의 방법으로 제공하지 않는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "정보보호와 개인정보보호 정책 및 시행문서를 수립·작성하며, 이때 조직의 정보보호와 개인정보보호 방침 및 방향을 명확하게 제시하여야 한다. 또한 정책과 시행문서는 경영진의 승인을 받고, 임직원 및 관련자에게 이해하기 쉬운 형태로 전달하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.1.6": {"name": "자원 할당","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.1.6 자원 할당","Subdomain": "1.1. 
관리체계","AuditEvidence": ["정보보호 및 개인정보보호 활동 연간 추진계획서(예산 및 인력운영계획)","정보보호 및 개인정보보호 활동 결과 보고서","정보보호 및 개인정보보호 투자 내역","정보보호 및 개인정보보호 조직도"],"AuditChecklist": ["정보보호 및 개인정보보호 분야별 전문성을 갖춘 인력을 확보하고 있는가?","정보보호 및 개인정보보호 관리체계의 효과적 구현과 지속적 운영을 위하여 필요한 자원을 평가하여 필요한 예산과 인력을 지원하고 있는가?","연도별 정보보호 및 개인정보보호 업무 세부추진 계획을 수립·시행하고, 그 추진결과에 대한 심사분석·평가를 실시하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 조직을 구성하는데, 분야별 전문성을 갖춘 인력이 아닌 정보보호 관련 또는 IT 관련 전문성이 없는 인원으로만 보안인력을 구성한 경우","사례 2 : 개인정보처리시스템의 기술적·관리적 보호조치의 요건을 갖추기 위한 최소한의 보안 솔루션 도입, 안전조치 적용 등을 위한 비용을 최고경영자가 지원하지 않고 있는 경우","사례 3 : 인증을 취득한 이후에 인력과 예산 지원을 대폭 줄이고 기존 인력을 다른 부서로 배치하거나 일부 예산을 다른 용도로 사용하는 경우"],"RelatedRegulations": []}],"description": "최고경영자는 정보보호와 개인정보보호 분야별 전문성을 갖춘 인력을 확보하고, 관리체계의 효과적 구현과 지속적 운영을 위한 예산 및 자원을 할당하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.1": {"name": "정보자산 식별","checks": {"macie_is_enabled": "PASS","resourceexplorer2_indexes_found": "PASS","config_recorder_all_regions_enabled": null,"organizations_account_part_of_organizations": null,"organizations_tags_policies_enabled_and_attached": null},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.2.1 정보자산 식별","Subdomain": "1.2. 
위험 관리","AuditEvidence": ["정보자산 및 개인정보 자산분류 기준","정보자산 및 개인정보 자산목록(자산관리시스템 화면)","정보자산 및 개인정보 보안등급","자산실사 내역","위험분석 보고서(자산식별 내역)"],"AuditChecklist": ["정보자산의 분류기준을 수립하고 정보보호 및 개인정보보호 관리체계 범위 내의 모든 자산을 식별하여 목록으로 관리하고 있는가?","식별된 정보자산에 대하여 법적 요구사항 및 업무에 미치는 영향 등을 고려하여 중요도를 결정하고 보안등급을 부여하고 있는가?","정기적으로 정보자산 현황을 조사하여 정보자산목록을 최신으로 유지하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 관리체계 범위 내의 자산 목록에서 중요정보 취급자 및 개인정보 취급자 PC를 통제하는 데 사용되는 출력물 보안, 문서암호화, USB매체제어 등의 내부정보 유출통제 시스템이 누락된 경우","사례 2 : 정보보호 및 개인정보보호 관리체계 범위 내에서 제3자로부터 제공받은 개인정보가 있으나, 해당 개인정보에 대한 자산 식별이 이루어지지 않은 경우","사례 3 : 내부 지침에 명시된 정보자산 및 개인정보 보안등급 분류 기준과 자산관리 대장의 분류 기준이 일치하지 않은 경우","사례 4 : 온프레미스 자산에 대해서는 식별이 이루어졌으나, 외부에 위탁한 IT 서비스(웹호스팅, 서버호스팅, 클라우드 등)에 대한 자산 식별이 누락된 경우(단, 인증범위 내)","사례 5 : 고유식별정보 등 개인정보를 저장하고 있는 백업서버의 기밀성 등급을 (하)로 산정하는 등 정보자산 중요도 평가의 합리성 및 신뢰성이 미흡한 경우"],"RelatedRegulations": []}],"description": "조직의 업무특성에 따라 정보자산 분류기준을 수립하여 관리체계 범위 내 모든 정보자산을 식별·분류하고, 중요도를 산정한 후 그 목록을 최신으로 관리하여야 한다.","checks_status": {"fail": 0,"pass": 2,"total": 5,"manual": 0}},"1.2.2": {"name": "현황 및 흐름분석","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.2.2 현황 및 흐름분석","Subdomain": "1.2. 
위험 관리","AuditEvidence": ["정보서비스 현황표","정보서비스 업무흐름표·업무흐름도","개인정보 처리 현황표(ISMS-P 인증인 경우)","개인정보 흐름표·흐름도(ISMS-P 인증인 경우)"],"AuditChecklist": ["관리체계 전 영역에 대한 정보서비스 현황을 식별하고 업무 절차와 흐름을 파악하여 문서화하고 있는가?","관리체계 범위 내 개인정보 처리 현황을 식별하고 개인정보의 흐름을 파악하여 개인정보 흐름도 등으로 문서화하고 있는가?","서비스 및 업무, 정보자산 등의 변화에 따른 업무절차 및 개인정보 흐름을 주기적으로 검토하여 흐름도 등 관련 문서의 최신성을 유지하고 있는가?"],"NonComplianceCases": ["사례 1 : 관리체계 범위 내 주요 서비스의 업무 절차·흐름 및 현황에 문서화가 이루어지지 않은 경우","사례 2 : 개인정보 흐름도를 작성하였으나, 실제 개인정보의 흐름과 상이한 부분이 다수 존재하거나 중요한 개인정보 흐름이 누락되어 있는 경우","사례 3 : 최초 개인정보 흐름도 작성 이후에 현행화가 이루어지지 않아 변화된 개인정보 흐름이 흐름도에 반영되지 않고 있는 경우"],"RelatedRegulations": []}],"description": "관리체계 전 영역에 대한 정보서비스 및 개인정보 처리 현황을 분석하고 업무 절차와 흐름을 파악하여 문서화하며, 이를 주기적으로 검토하여 최신성을 유지하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.3": {"name": "위험 평가","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.2.3 위험 평가","Subdomain": "1.2. 위험 관리","AuditEvidence": ["위험관리 지침","위험관리 매뉴얼·가이드","위험관리 계획서","위험평가 결과보고서","정보보호 및 개인정보보호 위원회 회의록","정보보호 및 개인정보보호 실무 협의회 회의록","정보자산 및 개인정보자산 목록","정보서비스 및 개인정보 흐름표·흐름도"],"AuditChecklist": ["조직 또는 서비스의 특성에 따라 다양한 측면에서 발생할 수 있는 위험을 식별하고 평가할 수 있는 방법을 정의하고 있는가?","위험관리 방법 및 절차(수행인력, 기간, 대상, 방법, 예산 등)를 구체화한 위험관리계획을 매년 수립하고 있는가?","위험관리계획에 따라 연 1회 이상 정기적으로 또는 필요한 시점에 위험평가를 수행하고 있는가?","조직에서 수용 가능한 목표 위험수준을 정하고, 그 수준을 초과하는 위험을 식별하고 있는가?","위험식별 및 평가 결과를 경영진에게 보고하고 있는가?"],"NonComplianceCases": ["사례 1 : 수립된 위험관리계획서에 위험평가 기간 및 위험관리 대상과 방법이 정의되어 있으나, 위험관리 수행 인력과 소요 예산 등 구체적인 실행계획이 누락되어 있는 경우","사례 2 : 전년도에는 위험평가를 수행하였으나, 금년도에는 자산 변경이 없었다는 사유로 위험 평가를 수행하지 않은 경우","사례 3 : 위험관리 계획에 따라 위험 식별 및 평가를 수행하고 있으나, 범위 내 중요 정보자산에 대한 위험 식별 및 평가를 수행하지 않았거나, 정보보호 관련 법적 요구 사항 준수 여부에 따른 위험을 식별 및 평가하지 않은 경우","사례 4 : 위험관리 계획에 따라 위험 식별 및 평가를 수행하고 수용 가능한 목표 위험수준을 설정하였으나, 관련 사항을 경영진(정보보호 최고책임자 등)에 보고하여 승인받지 않은 경우","사례 5 : 내부 지침에 정의한 위험 평가 방법과 실제 수행한 위험 평가 방법이 상이할 경우","사례 6 : 정보보호 관리체계와 관련된 관리적·물리적 영역의 위험 식별 및 평가를 수행하지 않고, 단순히 기술적 취약점진단 결과를 위험 평가 결과로 갈음하고 있는 경우","사례 7 : 수용 가능한 목표 위험수준(DoA)을 타당한 사유 없이 
과도하게 높이는 것으로 결정함에 따라, 실질적으로 대응이 필요한 주요 위험들이 조치가 불필요한 위험(수용 가능한 위험)으로 지정된 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "조직의 대내외 환경분석을 통하여 유형별 위협정보를 수집하고 조직에 적합한 위험 평가 방법을 선정하여 관리체계 전 영역에 대하여 연 1회 이상 위험을 평가하며, 수용할 수 있는 위험은 경영진의 승인을 받아 관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.2.4": {"name": "보호대책 선정","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.2.4 보호대책 선정","Subdomain": "1.2. 위험 관리","AuditEvidence": ["정보보호 및 개인정보보호 이행계획서·위험관리계획서","정보보호 및 개인정보보호 대책서","정보보호 및 개인정보보호 마스터플랜","정보보호 및 개인정보보호 이행계획 경영진 보고 및 승인 내역"],"AuditChecklist": ["식별된 위험에 대한 처리 전략(감소, 회피, 전가, 수용 등)을 수립하고 위험처리를 위한 보호대책을 선정하고 있는가?","보호대책의 우선순위를 고려하여 일정, 담당부서 및 담당자, 예산 등의 항목을 포함한 보호대책 이행계획을 수립하고 경영진에 보고하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 대책에 대한 이행계획은 수립하였으나, 정보보호 최고책임자 및 개인정보 보호책임자에게 보고가 이루어지지 않은 경우","사례 2 : 위험감소가 요구되는 일부 위험의 조치 이행계획이 누락되어 있는 경우","사례 3 : 법에 따라 의무적으로 이행하여야 할 사항, 보안 취약성이 높은 위험 등을 별도의 보호조치 계획 없이 위험수용으로 결정하여 조치하지 않은 경우","사례 4 : 위험수용에 대한 근거와 타당성이 미흡하고, 시급성 및 구현 용이성 등의 측면에서 즉시 또는 단기 조치가 가능한 위험요인에 대해서도 특별한 사유 없이 장기 조치계획으로 분류한 경우"],"RelatedRegulations": []}],"description": "위험 평가 결과에 따라 식별된 위험을 처리하기 위하여 조직에 적합한 보호대책을 선정하고, 보호대책의 우선순위와 일정·담당자·예산 등을 포함한 이행계획을 수립하여 경영진의 승인을 받아야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.1": {"name": "보호대책 구현","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.3.1 보호대책 구현","Subdomain": "1.3. 
관리체계 운영","AuditEvidence": ["정보보호 및 개인정보보호 이행계획서·위험관리계획서","정보보호 및 개인정보보호 대책서","정보보호 및 개인정보보호 이행계획 경과보고서(경영진 보고 포함)","정보보호 및 개인정보보호 이행 완료 보고서(경영진 보고 포함)","정보보호 및 개인정보보호 운영명세서"],"AuditChecklist": ["이행계획에 따라 보호대책을 효과적으로 구현하고 이행결과의 정확성 및 효과성 여부를 경영진이 확인할 수 있도록 보고하고 있는가?","관리체계 인증기준별로 보호대책 구현 및 운영 현황을 기록한 운영명세서를 구체적으로 작성하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 대책에 대한 이행완료 결과를 정보보호 최고책임자 및 개인정보 보호책임자에게 보고하지 않은 경우","사례 2 : 위험조치 이행결과보고서는 ʻ조치 완료ʼ로 명시되어 있으나, 관련된 위험이 여전히 존재하거나 이행결과의 정확성 및 효과성이 확인되지 않은 경우","사례 3 : 전년도 정보보호대책 이행계획에 따라 중·장기로 분류된 위험들이 해당연도에 구현이 되고 있지 않거나 이행결과를 경영진이 검토 및 확인하고 있지 않은 경우","사례 4 : 운영명세서에 작성된 운영 현황이 실제와 일치하지 않고, 운명명세서에 기록되어 있는 관련 문서, 결재 내용, 회의록 등이 존재하지 않는 경우","사례 5 : 이행계획 시행에 대한 결과를 정보보호 최고책임자 및 개인정보 보호책임자에게 보고하였으나, 일부 미이행된 건에 대한 사유 보고 및 후속 조치가 이루어지지 않은 경우"],"RelatedRegulations": []}],"description": "선정한 보호대책은 이행계획에 따라 효과적으로 구현하고, 경영진은 이행결과의 정확성과 효과성 여부를 확인하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.2": {"name": "보호대책 공유","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.3.2 보호대책 공유","Subdomain": "1.3. 관리체계 운영","AuditEvidence": ["정보보호 및 개인정보보호 대책별 운영부서 또는 시행부서 현황","정보보호 및 개인정보 관리계획 내부공유 증거자료(공지 내역, 교육자료, 공유 자료 등)"],"AuditChecklist": ["구현된 보호대책을 운영 또는 시행할 부서 및 담당자를 명확하게 파악하고 있는가?","구현된 보호대책을 운영 또는 시행할 부서 및 담당자에게 관련 내용을 공유 또는 교육하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호대책을 마련하여 구현하고 있으나, 관련 내용을 충분히 공유·교육하지 않아 실제 운영 또는 수행 부서 및 담당자가 해당 내용을 인지하지 못하고 있는 경우"],"RelatedRegulations": []}],"description": "보호대책의 실제 운영 또는 시행할 부서 및 담당자를 파악하여 관련 내용을 공유하고 교육하여 지속적으로 운영되도록 하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.3.3": {"name": "운영현황 관리","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.3.3 운영현황 관리","Subdomain": "1.3. 
관리체계 운영","AuditEvidence": ["정보보호 및 개인정보보호 연간계획서","정보보호 및 개인정보보호 운영현황표","정보보호 및 개인정보보호 활동 수행 여부 점검 결과"],"AuditChecklist": ["관리체계 운영을 위하여 주기적 또는 상시적으로 수행하여야 하는 정보보호 및 개인정보보호 활동을 문서화하여 관리하고 있는가?","경영진은 주기적으로 관리체계 운영활동의 효과성을 확인하고 이를 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 관리체계 운영현황 중 주기적 또는 상시적인 활동이 요구되는 활동 현황을 문서화하지 않은 경우","사례 2 : 정보보호 및 개인정보보호 관리체계 운영현황에 대한 문서화는 이루어졌으나, 해당 운영현황에 대한 주기적인 검토가 이루어지지 않아 월별 및 분기별 활동이 요구되는 일부 정보보호 및 개인정보보호 활동이 누락되었고 일부는 이행 여부를 확인할 수 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제31조(개인정보 보호책임자의 지정)","정보통신망법 제45조의3(정보보호 최고책임자의 지정 등)"]}],"description": "조직이 수립한 관리체계에 따라 상시적 또는 주기적으로 수행하여야 하는 운영활동 및 수행 내역은 식별 및 추적이 가능하도록 기록하여 관리하고, 경영진은 주기적으로 운영활동의 효과성을 확인하여 관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.1": {"name": "법적 요구사항 준수 검토","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.4.1 법적 요구사항 준수 검토","Subdomain": "1.4. 관리체계 점검 및 개선","AuditEvidence": ["법적 준거성 검토 내역","정보보호 및 개인정보보호 정책·지침 검토 및 개정이력","정책·지침 신구대조표","법 개정사항 내부공유 자료","개인정보 손해배상 책임보장 입증 자료(사이버보험 약정서 등)","정보보호 공시 내역"],"AuditChecklist": ["조직이 준수하여야 하는 정보보호 및 개인정보보호 관련 법적 요구사항을 파악하여 최신성을 유지하고 있는가?","법적 요구사항의 준수 여부를 연 1회 이상 정기적으로 검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보통신망법 및 개인정보 보호법이 최근 개정되었으나 개정사항이 조직에 미치는 영향을 검토하지 않았으며, 정책서·시행문서 및 법적준거성 체크리스트 등에도 해당 내용을 반영하지 않아 정책서·시행문서 및 법적준거성 체크리스트 등의 내용이 법령 내용과 일치하지 않은 경우","사례 2 : 조직에서 준수하여야 할 법률이 개정되었으나, 해당 법률 준거성 검토를 장기간 수행하지 않은 경우","사례 3 : 법적 준거성 준수 여부에 대한 검토가 적절히 이루어지지 않아 개인정보 보호법 등 법규 위반 사항이 다수 발견된 경우","사례 4 : 개인정보 보호법에 따라 개인정보 손해배상책임 보장제도 적용 대상이 되었으나, 이를 인지하지 못하여 보험 가입이나 준비금 적립을 하지 않은 경우 또는 보험 가입을 하였으나 이용자 수 및 매출액에 따른 최저가입금액 기준을 준수하지 못한 경우","사례 5 : 정보보호 공시 의무대상 사업자이지만 법에 정한 시점 내에 정보보호 공시가 시행되지 않은 경우","사례 6 : 모바일앱을 통해 위치정보사업자로부터 이용자의 개인위치정보를 전송받아 서비스에 이용하고 있으나, 위치기반서비스사업 신고를 하지 않은 경우","사례 7 : 국내에 주소 또는 영업소가 없는 개인정보처리자로서 전년도 말 기준 직전 3개월 간 그 개인정보가 저장·관리되고 있는 국내 정보주체의 수가 일일평균 100만명 이상인 자에 해당되어 국내대리인 지정의무에 해당됨에도 불구하고, 국내대리인을 문서로 지정하지 않은 
경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "조직이 준수하여야 할 정보보호 및 개인정보보호 관련 법적 요구사항을 주기적으로 파악하여 규정에 반영하고, 준수 여부를 지속적으로 검토하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.2": {"name": "관리체계 점검","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.4.2 관리체계 점검","Subdomain": "1.4. 관리체계 점검 및 개선","AuditEvidence": ["관리체계 점검 계획서(내부점검 계획서, 내부감사 계획서)","관리체계 점검 결과보고서","정보보호 및 개인정보보호 위원회 회의록"],"AuditChecklist": ["법적 요구사항 및 수립된 정책에 따라 정보보호 및 개인정보보호 관리체계가 효과적으로 운영되는지를 점검하기 위한 관리체계 점검기준, 범위, 주기, 점검인력 자격요건 등을 포함한 관리체계 점검 계획을 수립하고 있는가?","관리체계 점검 계획에 따라 독립성, 객관성 및 전문성이 확보된 인력을 구성하여 연 1회 이상 점검을 수행하고 발견된 문제점을 경영진에게 보고하고 있는가?"],"NonComplianceCases": ["사례 1 : 관리체계 점검 인력에 점검 대상으로 식별된 전산팀 직원이 포함되어 전산팀 관리 영역에 대한 점검에 관여하고 있어, 점검의 독립성이 훼손된 경우","사례 2 : 금년도 관리체계 점검을 실시하였으나, 점검범위가 일부 영역에 국한되어 있어 정보보호 및 개인정보보호 관리체계 범위를 충족하지 못한 경우","사례 3 : 관리체계 점검팀이 위험평가 또는 취약점 점검 등 관리체계 구축 과정에 참여한 내부 직원 및 외부 컨설턴트로만 구성되어, 점검의 독립성이 확보되었다고 볼 수 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "관리체계가 내부 정책 및 법적 요구사항에 따라 효과적으로 운영되고 있는지 독립성과 전문성이 확보된 인력을 구성하여 연 1회 이상 점검하고, 발견된 문제점을 경영진에게 보고하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"1.4.3": {"name": "관리체계 개선","checks": {},"status": "PASS","attributes": [{"Domain": "1. 관리체계 수립 및 운영","Section": "1.4.3 관리체계 개선","Subdomain": "1.4. 
관리체계 점검 및 개선","AuditEvidence": ["관리체계 점검 결과보고서","관리체계 점검 조치계획서·이행조치결과서","재발방지 대책","효과성 측정 지표 및 측정 결과(경영진 보고 포함)"],"AuditChecklist": ["법적 요구사항 준수검토 및 관리체계 점검을 통하여 식별된 관리체계상의 문제점에 대한 근본 원인을 분석하여 재발방지 및 개선 대책을 수립·이행하고 있는가?","재발방지 및 개선 결과의 정확성 및 효과성 여부를 확인하기 위한 기준과 절차를 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부점검을 통하여 발견된 정보보호 및 개인정보보호 관리체계 운영상 문제점이 매번 동일하게 반복되어 발생되는 경우","사례 2 : 내부 규정에는 내부점검 시 발견된 문제점에 대해서는 근본원인에 대한 분석 및 재발방지 대책을 수립하도록 되어 있으나, 최근에 수행된 내부점검에서는 발견된 문제점에 대하여 근본원인 분석 및 재발방지 대책이 수립되지 않은 경우","사례 3 : 관리체계상 문제점에 대한 재발방지 대책을 수립하고 핵심성과지표를 마련하여 주기적으로 측정하고 있으나, 그 결과에 대하여 경영진 보고가 장기간 이루어지지 않은 경우","사례 4 : 관리체계 점검 시 발견된 문제점에 대하여 조치계획을 수립하지 않았거나 조치 완료 여부를 확인하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "법적 요구사항 준수검토 및 관리체계 점검을 통하여 식별된 관리체계상의 문제점에 대한 원인을 분석하고 재발방지 대책을 수립·이행하여야 하며, 경영진은 개선 결과의 정확성과 효과성 여부를 확인하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.1": {"name": "정책의 유지관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.1.1 정책의 유지관리","Subdomain": "2.1. 
정책, 조직, 자산 관리","AuditEvidence": ["정보보호 및 개인정보보호 정책 및 시행문서(지침, 절차, 가이드, 매뉴얼 등)","정책·지침 정기·비정기 타당성 검토 결과","정책·지침 관련 부서와의 검토 회의록, 회람내용","정책·지침 제·개정 이력"],"AuditChecklist": ["정보보호 및 개인정보보호 관련 정책 및 시행문서에 대한 정기적인 타당성 검토 절차를 수립·이행하고 있는가?","조직의 대내외 환경에 중대한 변화 발생 시 정보보호 및 개인정보보호 관련 정책 및 시행문서에 미치는 영향을 검토하고 필요시 제·개정하고 있는가?","정보보호 및 개인정보보호 관련 정책 및 시행문서의 제·개정 시 이해 관계자의 검토를 받고 있는가?","정보보호 및 개인정보보호 관련 정책 및 시행문서의 제·개정 내역에 대하여 이력관리를 하고 있는가?"],"NonComplianceCases": ["사례 1 : 지침서와 절차서 간 패스워드 설정 규칙에 일관성이 없는 경우","사례 2 : 정보보호 활동(정보보호 교육, 암호화, 백업 등)의 대상, 주기, 수준, 방법 등이 관련 내부 규정, 지침, 절차에 서로 다르게 명시되어 일관성이 없는 경우","사례 3 : 데이터베이스에 대한 접근 및 작업이력을 효과적으로 기록 및 관리하기 위하여 데이터베이스 접근통제 솔루션을 신규로 도입하여 운영하고 있으나, 보안시스템 보안 관리지침 및 데이터베이스 보안 관리지침 등 내부 보안지침에 접근통제, 작업이력, 로깅, 검토 등에 관한 사항이 반영되어 있지 않은 경우","사례 4 : 개인정보보호 정책이 개정되었으나 정책 시행 기준일이 명시되어 있지 않으며, 관련 정책의 작성일, 작성자 및 승인자 등이 누락되어 있는 경우","사례 5 : 개인정보 보호 관련 법령, 고시 등에 중대한 변경사항이 발생하였으나, 이러한 변경이 개인정보보호 정책 및 시행문서에 미치는 영향을 검토하지 않았거나 변경사항을 반영하여 개정하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "정보보호 및 개인정보보호 관련 정책과 시행문서는 법령 및 규제, 상위 조직 및 관련 기관 정책과의 연계성, 조직의 대내외 환경변화 등에 따라 주기적으로 검토하여 필요한 경우 제·개정하고 그 내역을 이력관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.2": {"name": "조직의 유지관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.1.2 조직의 유지관리","Subdomain": "2.1. 
정책, 조직, 자산 관리","AuditEvidence": ["정보보호 및 개인정보보호 조직도","정보보호 및 개인정보보호 조직 직무기술서","정보보호 및 개인정보보호 업무 분장표","정보보호 및 개인정보보호 정책·지침, 내부 관리계획","정보보호 및 개인정보보호 의사소통 관리계획","의사소통 수행 이력(월간보고, 주간보고, 내부공지 등)","의사소통 채널(정보보호포털, 게시판 등)"],"AuditChecklist": ["정보보호 및 개인정보보호 관련 책임자와 담당자의 역할 및 책임을 명확히 정의하고 있는가?","정보보호 및 개인정보보호 관련 책임자와 담당자의 활동을 평가할 수 있는 체계를 수립하고 있는가?","정보보호 및 개인정보보호 관련 조직 및 조직의 구성원 간 상호 의사소통할 수 있는 체계 및 절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 지침 및 직무기술서에 정보보호 최고책임자, 개인정보 보호책임자 및 관련 담당자의 역할과 책임을 정의하고 있으나, 실제 운영현황과 일치하지 않는 경우","사례 2 : 정보보호 최고책임자 및 관련 담당자의 활동을 주기적으로 평가할 수 있는 목표, 기준, 지표 등의 체계가 마련되어 있지 않은 경우","사례 3 : 내부 지침에는 부서별 정보보호 담당자는 정보보호와 관련된 KPI를 설정하여 인사평가 시 반영하도록 되어 있으나, 부서별 정보보호 담당자의 KPI에 정보보호와 관련된 사항이 전혀 반영되어 있지 않은 경우","사례 4 : 정보보호 최고책임자 및 개인정보 보호책임자가 지정되어 있으나, 관련 법령에서 요구하는 역할 및 책임이 내부 지침이나 직무기술서 등에 구체적으로 명시되어 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무), 제31조(개인정보 보호책임자의 지정)","정보통신망법 제45조의3(정보보호 최고책임자의 지정 등)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "조직의 각 구성원에게 정보보호와 개인정보보호 관련 역할 및 책임을 할당하고, 그 활동을 평가할 수 있는 체계와 조직 및 조직의 구성원 간 상호 의사소통할 수 있는 체계를 수립하여 운영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.1.3": {"name": "정보자산 관리","checks": {"macie_is_enabled": "PASS","resourceexplorer2_indexes_found": "PASS","config_recorder_all_regions_enabled": null,"account_maintain_current_contact_details": null,"organizations_account_part_of_organizations": null,"organizations_tags_policies_enabled_and_attached": null,"account_security_contact_information_is_registered": null,"account_security_questions_are_registered_in_the_aws_account": null,"account_maintain_different_contact_details_to_security_billing_and_operations": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.1.3 정보자산 관리","Subdomain": "2.1. 
정책, 조직, 자산 관리","AuditEvidence": ["정보자산 목록(책임자, 담당자 지정)","정보자산 취급 절차(문서, 정보시스템 등)","정보자산 관리 시스템 화면","정보자산 보안등급 표시 내역"],"AuditChecklist": ["정보자산의 보안등급에 따른 취급절차(생성·도입, 저장, 이용, 파기) 및 보호대책을 정의하고 이행하고 있는가?","식별된 정보자산에 대하여 책임자 및 관리자를 지정하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 지침에 따라 문서에 보안등급을 표기하도록 되어 있으나, 이를 표시하지 않은 경우","사례 2 : 정보자산별 담당자 및 책임자를 식별하지 않았거나, 자산목록 현행화가 미흡하여 퇴직, 전보 등 인사이동이 발생하여 주요 정보자산의 담당자 및 책임자가 변경되었음에도 이를 식별하지 않은 경우","사례 3 : 식별된 정보자산에 대한 중요도 평가를 실시하여 보안등급을 부여하고 정보 자산목록에 기록하고 있으나, 보안등급에 따른 취급절차를 정의하지 않은 경우"],"RelatedRegulations": []}],"description": "정보자산의 용도와 중요도에 따른 취급 절차 및 보호대책을 수립·이행하고, 자산별 책임소재를 명확히 정의하여 관리하여야 한다.","checks_status": {"fail": 0,"pass": 2,"total": 9,"manual": 0}},"2.2.1": {"name": "주요 직무자 지정 및 관리","checks": {"iam_support_role_created": null,"organizations_delegated_administrators": null,"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.1 주요 직무자 지정 및 관리","Subdomain": "2.2. 인적 보안","AuditEvidence": ["주요 직무 기준","주요직무자 목록","개인정보취급자 목록","중요 정보시스템 및 개인정보처리시스템 계정 및 권한 관리 대장","주요 직무자에 대한 관리 현황(교육 결과, 보안서약서 등)"],"AuditChecklist": ["개인정보 및 중요정보의 취급, 주요 시스템 접근 등 주요 직무의 기준을 명확히 정의하고 있는가?","주요 직무를 수행하는 임직원 및 외부자를 주요 직무자로 지정하고 그 목록을 최신으로 관리하고 있는가?","업무상 개인정보를 취급하는 자를 개인정보취급자로 지정하고 목록을 최신으로 관리하고 있는가?","업무 필요성에 따라 주요 직무자 및 개인정보취급자 지정을 최소화하는 등 관리방안을 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 주요 직무자 명단(개인정보취급자 명단, 비밀정보관리자 명단 등)을 작성하고 있으나, 대량의 개인정보 등 중요정보를 취급하는 일부 임직원(DBA, DLP 관리자 등)을 명단에 누락한 경우","사례 2 : 주요 직무자 및 개인정보취급자 목록을 관리하고 있으나, 퇴사한 임직원이 포함되어 있고 최근 신규 입사한 인력이 포함되어 있지 않는 등 현행화 관리가 되어 있지 않은 경우","사례 3 : 부서 단위로 개인정보취급자 권한을 일괄 부여하고 있어 실제 개인정보를 취급할 필요가 없는 인원까지 과다하게 개인정보취급자로 지정된 경우","사례 4 : 내부 지침에는 주요 직무자 권한 부여 시에는 보안팀의 승인을 받고 주요 직무에 따른 보안서약서를 작성하도록 하고 있으나, 보안팀 승인 및 보안서약서 작성 없이 등록된 주요 직무자가 다수 존재하는 경우"],"RelatedRegulations": ["개인정보 보호법 제28조(개인정보취급자에 대한 감독), 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "개인정보 및 중요정보의 취급이나 주요 시스템 접근 등 주요 직무의 
기준과 관리방안을 수립하고, 주요 직무자를 최소한으로 지정하여 그 목록을 최신으로 관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 3,"manual": 0}},"2.2.2": {"name": "직무 분리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.2 직무 분리","Subdomain": "2.2. 인적 보안","AuditEvidence": ["직무 분리 관련 지침(인적 보안 지침 등)","직무기술서(시스템 운영·관리, 개발·운영 등)","직무 미분리 시 보완통제 현황"],"AuditChecklist": ["권한 오·남용 등으로 인한 잠재적인 피해 예방을 위하여 직무 분리 기준을 수립하여 적용하고 있는가?","직무 분리가 어려운 경우 직무자 간 상호 검토, 상위관리자 정기 모니터링 및 변경사항 승인, 책임추적성 확보 방안 등의 보완통제를 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 조직의 규모와 인원이 담당자별 직무 분리가 충분히 가능한 조직임에도 업무 편의성만을 사유로 내부 규정으로 정한 직무 분리 기준을 준수하고 있지 않은 경우","사례 2 : 조직의 특성상 경영진의 승인을 받은 후 개발과 운영 직무를 병행하고 있으나, 직무자 간 상호 검토, 상위관리자의 주기적인 직무수행 모니터링 및 변경 사항 검토·승인, 직무자의 책임추적성 확보 등의 보완통제 절차가 마련되어 있지 않은 경우"],"RelatedRegulations": []}],"description": "권한 오·남용 등으로 인한 잠재적인 피해 예방을 위하여 직무 분리 기준을 수립하고 적용하여야 한다. 다만 불가피하게 직무 분리가 어려운 경우 별도의 보완대책을 마련하여 이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.3": {"name": "보안 서약","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.3 보안 서약","Subdomain": "2.2. 
인적 보안","AuditEvidence": ["정보보호 및 개인정보보호 서약서(임직원, 외부인력)","비밀유지서약서(퇴직자)"],"AuditChecklist": ["신규 인력 채용 시 정보보호 및 개인정보보호 책임이 명시된 정보보호 및 개인정보보호 서약서를 받고 있는가?","임시직원, 외주용역직원 등 외부자에게 정보자산에 대한 접근권한을 부여할 경우 정보보호 및 개인정보보호에 대한 책임, 비밀유지 의무 등이 명시된 서약서를 받고 있는가?","임직원 퇴직 시 별도의 비밀유지에 관련한 서약서를 받고 있는가?","정보보호, 개인정보보호 및 비밀유지 서약서는 안전하게 보관하고 필요시 쉽게 찾아볼 수 있도록 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 신규 입사자에 대해서는 입사 절차상에 보안서약서를 받도록 규정하고 있으나, 최근에 입사한 일부 직원의 보안서약서 작성이 누락된 경우","사례 2 : 임직원에 대해서는 보안서약서를 받고 있으나, 정보처리시스템에 직접 접속이 가능한 외주 인력에 대해서는 보안서약서를 받지 않은 경우","사례 3 : 제출된 정보보호 및 개인정보보호 서약서를 모아 놓은 문서철이 비인가자가 접근 가능한 상태로 사무실 책상에 방치되어 있는 등 관리가 미흡한 경우","사례 4 : 개인정보취급자에 대하여 보안서약서만 받고 있으나, 보안서약서 내에 비밀유지에 대한 내용만 있고 개인정보보호에 관한 책임 및 내용이 포함되어 있지 않은 경우"],"RelatedRegulations": []}],"description": "정보자산을 취급하거나 접근권한이 부여된 임직원·임시직원·외부자 등이 내부 정책 및","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.4": {"name": "인식제고 및 교육훈련","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.4 인식제고 및 교육훈련","Subdomain": "2.2. 
인적 보안","AuditEvidence": ["정보보호 및 개인정보보호 교육 계획서","교육 결과보고서","공통, 직무별 교육자료","교육참석자 목록"],"AuditChecklist": ["정보보호 및 개인정보보호 교육의 시기, 기간, 대상, 내용, 방법 등의 내용이 포함된 연간 교육 계획을 수립하고 경영진의 승인을 받고 있는가?","관리체계 범위 내 모든 임직원과 외부자를 대상으로 연간 교육 계획에 따라 연 1회 이상 정기적으로 교육을 수행하고, 관련 법규 및 규정의 중대한 변경 시 이에 대한 추가교육을 수행하고 있는가?","임직원 채용 및 외부자 신규 계약 시 업무 시작 전에 정보보호 및 개인정보보호 교육을 시행하고 있는가?","IT 및 정보보호, 개인정보보호 조직 내 임직원은 정보보호 및 개인정보보호와 관련하여 직무별 전문성 제고를 위한 별도의 교육을 받고 있는가?","교육시행에 대한 기록을 남기고 교육 효과와 적정성을 평가하여 다음 교육 계획에 반영하고 있는가?"],"NonComplianceCases": ["사례 1 : 전년도에는 연간 정보보호 및 개인정보보호 교육 계획을 수립하여 이행하였으나, 당해 연도에 타당한 사유 없이 연간 정보보호 및 개인정보보호 교육 계획을 수립하지 않은 경우","사례 2 : 연간 정보보호 및 개인정보보호 교육 계획에 교육 주기와 대상은 명시하고 있으나, 시행 일정, 내용 및 방법 등의 내용이 포함되어 있지 않은 경우","사례 3 : 연간 정보보호 및 개인정보보호 교육 계획에 전 직원을 대상으로 하는 개인정보보호 인식 교육은 일정시간 계획되어 있으나, 개인정보 보호책임자 및 개인정보담당자 등 직무별로 필요한 개인정보보호 관련 교육 계획이 포함되어 있지 않은 경우","사례 4 : 정보보호 및 개인정보보호 교육 계획서 및 결과 보고서를 확인한 결과, 인증범위 내의 정보자산 및 설비에 접근하는 외주용역업체 직원(전산실 출입 청소원, 경비원, 외주개발자 등)을 교육 대상에서 누락한 경우","사례 5 : 당해 연도 정보보호 및 개인정보보호 교육을 실시하였으나, 교육시행 및 평가에 관한 기록(교육 자료, 출석부, 평가 설문지, 결과보고서 등) 일부를 남기지 않고 있는 경우","사례 6 : 정보보호 및 개인정보보호 교육 미이수자를 파악하지 않고 있거나, 해당 미이수자에 대한 추가교육 방법(전달교육, 추가교육, 온라인교육 등)을 수립·이행하고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한), 제28조(개인정보 취급자에 대한 감독), 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검)"]}],"description": "임직원 및 관련 외부자가 조직의 관리체계와 정책을 이해하고 직무별 전문성을 확보할 수 있도록 연간 인식제고 활동 및 교육훈련 계획을 수립·운영하고, 그 결과에 따른 효과성을 평가하여 다음 계획에 반영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.5": {"name": "퇴직 및 직무변경 관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.5 퇴직 및 직무변경 관리","Subdomain": "2.2. 
인적 보안","AuditEvidence": ["퇴직 및 직무변경 절차서","퇴직 시 자산(계정) 반납관리대장","퇴직자 보안점검 체크리스트 및 점검 내역"],"AuditChecklist": ["퇴직, 직무변경, 부서이동, 휴직 등으로 인한 인사변경 내용이 인사부서, 정보보호 및 개인정보보호 부서, 정보시스템 및 개인정보처리시스템 운영부서 간 공유되고 있는가?","조직 내 인력(임직원, 임시직원, 외주용역직원 등)의 퇴직 또는 직무변경 시 지체 없는 정보자산 반납, 접근권한 회수·조정, 결과 확인 등의 절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 직무 변동에 따라 개인정보취급자에서 제외된 인력의 계정과 권한이 개인정보처리시스템에 그대로 남아 있는 경우","사례 2 : 최근에 퇴직한 주요직무자 및 개인정보취급자에 대하여 자산반납, 권한 회수 등의 퇴직절차 이행 기록이 확인되지 않은 경우","사례 3 : 임직원 퇴직 시 자산반납 관리는 잘 이행하고 있으나, 인사규정에서 정한 퇴직자 보안점검 및 퇴직확인서를 작성하지 않은 경우","사례 4 : 개인정보취급자 퇴직 시 개인정보처리시스템의 접근 권한은 지체 없이 회수되었지만, 출입통제 시스템 및 VPN 등 일부 시스템의 접근 권한이 회수되지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "퇴직 및 직무변경 시 인사·정보보호·개인정보보호·IT 등 관련 부서별 이행하여야 할 자산반납, 계정 및 접근권한 회수·조정, 결과확인 등의 절차를 수립·관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.2.6": {"name": "보안 위반 시 조치","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.2.6 보안 위반 시 조치","Subdomain": "2.2. 인적 보안","AuditEvidence": ["인사 규정(정보보호 및 개인정보보호 관련 규정 위반에 따른 처벌규정)","정보보호 및 개인정보보호 지침 위반자 징계 내역","사고 사례(전사 공지, 교육 내용)"],"AuditChecklist": ["임직원 및 관련 외부자가 법령과 규제 및 내부정책에 따른 정보보호 및 개인정보보호 책임과 의무를 위반한 경우에 대한 처벌 규정을 수립하고 있는가?","정보보호 및 개인정보 보호 위반 사항이 적발된 경우 내부 절차에 따른 조치를 수행하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 규정 위반자에 대한 처리 기준 및 절차가 내부 규정에 전혀 포함되어 있지 않은 경우","사례 2 : 보안시스템(DLP, 데이터베이스 접근제어시스템, 내부정보유출통제시스템 등)을 통하여 정책 위반이 탐지된 관련자에게 경고 메시지를 전달하고 있으나, 이에 대한 소명 및 추가 조사, 징계 처분 등 내부 규정에 따른 후속 조치가 이행되고 있지 않은 경우"],"RelatedRegulations": []}],"description": "임직원 및 관련 외부자가 법령, 규제 및 내부정책을 위반한 경우 이에 따른 조치 절차를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.1": {"name": "외부자 현황 관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.3.1 외부자 현황 관리","Subdomain": "2.3. 
외부자 보안","AuditEvidence": ["외부 위탁 및 외부 시설·서비스 현황","외부 위탁 계약서","위험분석 보고서 및 보호대책","위탁 보안관리 지침, 체크리스트 등"],"AuditChecklist": ["관리체계 범위 내에서 발생하고 있는 업무 위탁 및 외부 시설·서비스의 이용 현황을 식별하고 있는가?","업무 위탁 및 외부 시설·서비스의 이용에 따른 법적 요구사항과 위험을 파악하고 적절한 보호대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 규정에 따라 외부 위탁 및 외부 시설·서비스 현황을 목록으로 관리하고 있으나, 몇 개월 전에 변경된 위탁업체가 목록에 반영되어 있지 않은 등 현행화 관리가 미흡한 경우","사례 2 : 관리체계 범위 내 일부 개인정보처리시스템을 외부 클라우드 서비스로 이전하였으나, 이에 대한 식별 및 위험평가가 수행되지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한)","정보통신망법 제50조의3(영리목적의 광고성 정보 전송의 위탁 등)"]}],"description": "업무의 일부(개인정보취급, 정보보호, 정보시스템 운영 또는 개발 등)를 외부에 위탁하거나 외부의 시설 또는 서비스(집적정보통신시설, 클라우드 서비스, 애플리케이션 서비스 등)를 이용하는 경우 그 현황을 식별하고 법적 요구사항 및 외부 조직·서비스로부터 발생되는 위험을 파악하여 적절한 보호대책을 마련하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.2": {"name": "외부자 계약 시 보안","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.3.2 외부자 계약 시 보안","Subdomain": "2.3. 외부자 보안","AuditEvidence": ["위탁 계약서","정보보호 및 개인정보보호 협약서(약정서, 부속합의서)","위탁 관련 내부 지침","위탁업체 선정 관련 RFP(제안요청서), 평가표"],"AuditChecklist": ["중요정보 및 개인정보 처리와 관련된 외부 서비스 및 위탁 업체를 선정하는 경우 정보보호 및 개인정보 보호 역량을 고려하도록 절차를 마련하고 있는가?","외부 서비스 이용 및 업무 위탁에 따른 정보보호 및 개인정보보호 요구사항을 식별하고 이를 계약서 또는 협정서에 명시하고 있는가?","정보시스템 및 개인정보처리시스템 개발을 위탁하는 경우 개발 시 준수하여야 할 정보보호 및 개인정보보호 요구사항을 계약서에 명시하고 있는가?"],"NonComplianceCases": ["사례 1 : IT 운영, 개발 및 개인정보 처리업무를 위탁하는 외주용역업체에 대한 위탁계약서가 존재하지 않는 경우","사례 2 : 개인정보 처리업무를 위탁하는 외부업체와의 위탁계약서상에 개인정보 보호법 등 법령에서 요구하는 일부 항목(관리·감독에 관한 사항 등)이 포함되어 있지 않은 경우","사례 3 : 인프라 운영과 개인정보 처리업무 일부를 외부업체에 위탁하고 있으나, 계약서 등에는 위탁업무의 특성에 따른 보안 요구사항을 식별·반영하지 않고 비밀유지 및 손해배상에 관한 일반 사항만 규정하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한)"]}],"description": "외부 서비스를 이용하거나 외부자에게 업무를 위탁하는 경우 이에 따른 정보보호 및 개인정보보호 요구사항을 식별하고, 관련 내용을 계약서 또는 협정서 등에 명시하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.3": {"name": "외부자 보안 이행 관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 
보호대책 요구사항","Section": "2.3.3 외부자 보안 이행 관리","Subdomain": "2.3. 외부자 보안","AuditEvidence": ["외부자 및 수탁자 보안점검 결과","외부자 및 수탁자 교육 내역(교육 결과, 참석자 명단, 교육교재 등)","개인정보 위탁 계약서","개인정보 처리업무 재위탁 시 위탁자 동의 증거자료"],"AuditChecklist": ["외부자가 계약서, 협정서, 내부정책에 명시된 정보보호 및 개인정보보호 요구사항을 준수하고 있는지 주기적으로 점검 또는 감사를 수행하고 있는가?","외부자에 대한 점검 또는 감사 시 발견된 문제점에 대하여 개선계획을 수립·이행하고 있는가?","개인정보 처리업무를 위탁받은 수탁자가 관련 업무를 제3자에게 재위탁하는 경우 위탁자의 동의를 받도록 하고 있는가?"],"NonComplianceCases": ["사례 1 : 회사 내에 상주하여 IT 개발 및 운영 업무를 수행하는 외주업체에 대해서는 정기적으로 보안점검을 수행하고 있지 않은 경우","사례 2 : 개인정보 수탁자에 대하여 보안교육을 실시하라는 공문을 발송하고 있으나, 교육 수행 여부를 확인하고 있지 않은 경우","사례 3 : 수탁자가 자체적으로 보안점검을 수행한 후 그 결과를 통지하도록 하고 있으나, 수탁자가 보안 점검을 충실히 수행하고 있는지 여부에 대하여 확인하는 절차가 존재하지 않아 보안점검 결과의 신뢰성이 매우 떨어지는 경우","사례 4 : 개인정보 처리업무 수탁자 중 일부가 위탁자의 동의 없이 해당 업무를 제3자에게 재위탁한 경우","사례 5 : 영리 목적의 광고성 정보전송 업무를 타인에게 위탁하면서 수탁자에 대한 관리·감독을 수행하지 않고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한)","정보통신망법 제50조의3(영리목적의 광고성 정보 전송의 위탁 등)"]}],"description": "계약서, 협정서, 내부정책에 명시된 정보보호 및 개인정보보호 요구사항에 따라 외부자의 보호대책 이행 여부를 주기적인 점검 또는 감사 등 관리·감독하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.3.4": {"name": "외부자 계약 변경 및 만료 시 보안","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.3.4 외부자 계약 변경 및 만료 시 보안","Subdomain": "2.3. 
외부자 보안","AuditEvidence": ["정보보호 및 개인정보보호 서약서","비밀유지 확약서","정보 및 개인정보 파기 확약서","외부자 계약 종료와 관련된 내부 정책, 지침"],"AuditChecklist": ["외부자 계약만료, 업무 종료, 담당자 변경 시 공식적인 절차에 따른 정보자산 반납, 정보시스템 접근계정 삭제, 비밀유지 확약서 징구 등이 이루어질 수 있도록 보안대책을 수립·이행하고 있는가?","외부자 계약 만료 시 위탁 업무와 관련하여 외부자가 중요정보 및 개인정보를 보유하고 있는지 확인하고 이를 회수·파기할 수 있도록 절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 일부 정보시스템에서 계약 만료된 외부자의 계정 및 권한이 삭제되지 않고 존재하는 경우","사례 2 : 외주용역사업 수행과정에서 일부 용역업체 담당자가 교체되거나 계약 만료로 퇴직하였으나, 관련 인력들에 대한 퇴사 시 보안서약서 등 내부 규정에 따른 조치가 이행되지 않은 경우","사례 3 : 개인정보 처리 위탁한 업체와 계약 종료 이후 보유하고 있는 개인정보를 파기하였는지 여부를 확인·점검하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한)","정보통신망법 제50조의3(영리목적의 광고성 정보 전송의 위탁 등)"]}],"description": "외부자 계약만료, 업무종료, 담당자 변경 시에는 제공한 정보자산 반납, 정보시스템 접근계정 삭제, 중요정보 파기, 업무 수행 중 취득정보의 비밀유지 확약서 징구 등의 보호대책을 이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.1": {"name": "보호구역 지정","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.1 보호구역 지정","Subdomain": "2.4. 물리 보안","AuditEvidence": ["물리적 보안 지침(보호구역 지정 기준)","보호구역 지정 현황","보호구역 표시","보호구역별 보호대책 현황"],"AuditChecklist": ["물리적·환경적 위협으로부터 개인정보 및 중요정보, 문서, 저장매체, 주요 설비 및 시스템 등을 보호하기 위하여 통제구역, 제한구역, 접견구역 등 물리적 보호구역 지정기준을 마련하고 있는가?","물리적 보호구역 지정기준에 따라 보호구역을 지정하고 구역별 보호대책을 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 물리보안 지침에는 개인정보 보관시설 및 시스템 구역을 통제구역으로 지정한다고 명시되어 있으나, 멤버십 가입신청 서류가 보관되어 있는 문서고 등 일부 대상 구역이 통제구역에서 누락된 경우","사례 2 : 내부 물리보안 지침에 통제구역에 대해서는 지정된 양식의 통제구역 표지판을 설치하도록 명시하고 있으나, 일부 통제구역에 표시판을 설치하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제10조(물리적 안전조치)"]}],"description": "물리적·환경적 위협으로부터 개인정보 및 중요정보, 문서, 저장매체, 주요 설비 및 시스템 등을 보호하기 위하여 통제구역·제한구역·접견구역 등 물리적 보호구역을 지정하고 구역별 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.2": {"name": "출입통제","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.2 출입통제","Subdomain": "2.4. 
물리 보안","AuditEvidence": ["출입 관리대장 및 출입로그","출입 등록 신청서 및 승인 내역","출입기록 검토서","출입통제시스템 관리화면(출입자 등록 현황 등)"],"AuditChecklist": ["보호구역은 출입절차에 따라 출입이 허가된 자만 출입하도록 통제하고 있는가?","각 보호구역에 대한 내·외부자 출입기록을 일정기간 보존하고 출입기록 및 출입권한을 주기적으로 검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 통제구역을 정의하여 보호대책을 수립하고 출입 가능한 임직원을 관리하고 있으나, 출입기록을 주기적으로 검토하지 않아 퇴직, 전배 등에 따른 장기 미출입자가 다수 존재하고 있는 경우","사례 2 : 전산실, 문서고 등 통제구역에 출입통제 장치가 설치되어 있으나, 타당한 사유 또는 승인 없이 장시간 개방 상태로 유지하고 있는 경우","사례 3 : 일부 외부 협력업체 직원에게 과도하게 전 구역을 상시 출입할 수 있는 출입카드를 부여하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제10조(물리적 안전조치)"]}],"description": "보호구역은 인가된 사람만이 출입하도록 통제하고 책임추적성을 확보할 수 있도록 출입 및 접근 이력을 주기적으로 검토하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.3": {"name": "정보시스템 보호","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.3 정보시스템 보호","Subdomain": "2.4. 물리 보안","AuditEvidence": ["정보처리시설 도면","정보시스템 배치도","자산목록"],"AuditChecklist": ["정보시스템의 중요도, 용도, 특성 등을 고려하여 배치 장소를 분리하고 있는가?","정보시스템의 실제 물리적 위치를 손쉽게 확인할 수 있는 방안을 마련하고 있는가?","전력 및 통신케이블을 외부로부터의 물리적 손상 및 전기적 영향으로부터 안전하게 보호하고 있는가?"],"NonComplianceCases": ["사례 1 : 시스템 배치도가 최신 변경사항을 반영하여 업데이트되지 않아 장애가 발생된 정보시스템을 신속하게 확인할 수 없는 경우","사례 2 : 서버실 바닥 또는 랙에 많은 케이블이 정리되지 않고 뒤엉켜 있어 전기적으로 간섭, 손상, 누수, 부주의 등에 의한 장애 발생이 우려되는 경우"],"RelatedRegulations": []}],"description": "정보시스템은 환경적 위협과 유해요소, 비인가 접근 가능성을 감소시킬 수 있도록 중요도와 특성을 고려하여 배치하고, 통신 및 전력 케이블이 손상을 입지 않도록 보호하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.4": {"name": "보호설비 운영","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.4 보호설비 운영","Subdomain": "2.4. 
물리 보안","AuditEvidence": ["물리적 보안 지침(보호설비 관련)","전산실 설비 현황 및 점검표","IDC 위탁운영 계약서, SLA 등"],"AuditChecklist": ["각 보호구역의 중요도 및 특성에 따라 화재, 수해, 전력 이상 등 인재 및 자연재해 등에 대비하여 필요한 설비를 갖추고 운영절차를 수립하여 운영하고 있는가?","외부 집적정보통신시설(IDC)에 위탁 운영하는 경우 물리적 보호에 필요한 요구사항을 계약서에 반영하고 운영상태를 주기적으로 검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 본사 전산실 등 일부 보호구역에 내부 지침에 정한 보호설비를 갖추고 있지 않은 경우","사례 2 : 전산실 내에 UPS, 소화설비 등의 보호설비는 갖추고 있으나, 관련 설비에 대한 운영 및 점검 기준을 수립하고 있지 않은 경우","사례 3 : 운영지침에 따라 전산실 내에 온·습도 조절기를 설치하였으나, 용량 부족으로 인하여 표준 온·습도를 유지하지 못하여 장애발생 가능성이 높은 경우"],"RelatedRegulations": ["정보통신망법 제46조(집적된 정보통신시설의 보호)","집적정보 통신시설 보호지침","소방시설 설치 및 관리에 관한 법률(소방시설법) 제12조(특정소방대상물에 설치하는 소방시설의 관리 등), 제16조(피난시설, 방화구역 및 방화시설의 관리)"]}],"description": "보호구역에 위치한 정보시스템의 중요도 및 특성에 따라 온·습도 조절, 화재감지, 소화설비, 누수감지, UPS, 비상발전기, 이중전원선 등의 보호설비를 갖추고 운영절차를 수립·운영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.5": {"name": "보호구역 내 작업","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.5 보호구역 내 작업","Subdomain": "2.4. 물리 보안","AuditEvidence": ["작업 신청서, 작업 일지","통제구역 출입 대장","통제구역에 대한 출입기록 및 작업 기록 검토 내역"],"AuditChecklist": ["정보시스템 도입, 유지보수 등으로 보호구역 내 작업이 필요한 경우에 대한 공식적인 작업신청 및 수행 절차를 수립·이행하고 있는가?","보호구역 내 작업이 통제 절차에 따라 적절히 수행되었는지 여부를 확인하기 위하여 작업 기록을 주기적으로 검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 전산실 출입로그에는 외부 유지보수 업체 직원의 출입기록이 남아 있으나, 이에 대한 보호구역 작업 신청 및 승인 내역이 존재하지 않은 경우(내부 규정에 따른 보호구역 작업 신청 없이 보호구역 출입 및 작업이 이루어지고 있는 경우)","사례 2 : 내부 규정에는 보호구역 내 작업 기록에 대하여 분기별 1회 이상 점검하도록 되어 있으나, 특별한 사유 없이 장기간 동안 보호구역 내 작업 기록에 대한 점검이 이루어지고 있지 않은 경우"],"RelatedRegulations": []}],"description": "보호구역 내에서의 비인가행위 및 권한 오·남용 등을 방지하기 위한 작업 절차를 수립 및이행하고, 작업 기록을 주기적으로 검토하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.6": {"name": "반출입 기기 통제","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.6 반출입 기기 통제","Subdomain": "2.4. 
물리 보안","AuditEvidence": ["보호구역 내 반출입 신청서","반출입 관리대장","반출입 이력 검토 결과"],"AuditChecklist": ["정보시스템, 모바일 기기, 저장매체 등을 보호구역에 반입하거나 반출하는 경우 정보유출, 악성코드 감염 등 보안사고 예방을 위한 통제 절차를 수립·이행하고 있는가?","반출입 통제절차에 따른 기록을 유지·관리하고, 절차 준수 여부를 확인할 수 있도록 반출입 이력을 주기적으로 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 이동컴퓨팅기기 반출입에 대한 통제 절차를 수립하고 있으나, 통제구역 내 이동컴퓨팅기기 반입에 대한 통제를 하고 있지 않아 출입이 허용된 내·외부인이 이동컴퓨팅기기를 제약 없이 사용하고 있는 경우","사례 2 : 내부 지침에 따라 전산장비 반출입이 있는 경우 작업계획서에 반출입 내용을 기재하고 관리 책임자의 서명을 받도록 되어 있으나, 작업계획서의 반출입 기록에 관리책임자의 서명이 다수 누락되어 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제10조(물리적 안전조치)"]}],"description": "보호구역 내 정보시스템, 모바일 기기, 저장매체 등에 대한 반출입 통제절차를 수립 및이행하고 주기적으로 검토하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.4.7": {"name": "업무환경 보안","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.4.7 업무환경 보안","Subdomain": "2.4. 물리 보안","AuditEvidence": ["사무실 및 공용공간 보안점검 보고서","사무실 및 공용공간 보안점검표","미준수자에 대한 조치 사항(교육, 상벌 등)","출력·복사물 보호조치 현황"],"AuditChecklist": ["문서고, 공용 PC, 복합기, 파일서버 등 공용으로 사용하는 시설 및 사무용 기기에 대한 보호대책을 수립·이행하고 있는가?","업무용 PC, 책상, 서랍 등 개인업무 환경을 통한 개인정보 및 중요정보의 유·노출을 방지하기 위한 보호대책을 수립·이행하고 있는가?","개인정보가 포함된 종이 인쇄물 등 개인정보의 출력·복사물을 안전하게 관리하기 위해 필요한 보호조치를 하고 있는가?","개인 및 공용업무 환경에서의 정보보호 준수 여부를 주기적으로 검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보 내부 관리계획서 내 개인정보보호를 위한 생활보안 점검(클린데스크 운영 등)을 정기적으로 수행하도록 명시하고 있으나, 이를 이행하지 않은 경우","사례 2 : 멤버십 가입신청서 등 개인정보가 포함된 서류를 잠금장치가 없는 사무실 문서함에 보관한 경우","사례 3 : 직원들의 컴퓨터 화면보호기 및 패스워드가 설정되어 있지 않고, 휴가자 책상 위에 중요문서가 장기간 방치되어 있는 경우","사례 4 : 회의실 등 공용 사무 공간에 설치된 공용PC에 대한 보호대책이 수립되어 있지 않아 개인정보가 포함된 파일이 암호화되지 않은 채로 저장되어 있거나, 보안 업데이트 미적용, 백신 미설치 등 취약한 상태로 유지하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제10조(물리적 안전조치), 제12조(출력·복사시 안전조치)"]}],"description": "공용으로 사용하는 사무용 기기(문서고, 공용 PC, 복합기, 파일서버 등) 및 개인 업무환경(업무용 PC, 책상 등)을 통하여 개인정보 및 중요정보가 비인가자에게 노출 또는 유출되지 않도록 클린데스크, 정기점검 등 업무환경 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 
0}},"2.5.1": {"name": "사용자 계정 관리","checks": {"iam_user_accesskey_unused": null,"iam_securityaudit_role_created": null,"iam_user_console_access_unused": null,"iam_policy_no_full_access_to_kms": null,"iam_role_administratoraccess_policy": null,"iam_user_administrator_access_policy": null,"organizations_scp_check_deny_regions": null,"iam_group_administrator_access_policy": null,"iam_policy_allows_privilege_escalation": null,"iam_inline_policy_no_full_access_to_kms": null,"iam_policy_no_full_access_to_cloudtrail": null,"iam_policy_attached_only_to_group_or_roles": null,"cognito_user_pool_self_registration_disabled": null,"iam_role_cross_account_readonlyaccess_policy": null,"iam_inline_policy_allows_privilege_escalation": null,"iam_inline_policy_no_administrative_privileges": null,"iam_inline_policy_no_full_access_to_cloudtrail": null,"iam_no_custom_policy_permissive_role_assumption": null,"iam_role_cross_service_confused_deputy_prevention": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"iam_customer_unattached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.1 사용자 계정 관리","Subdomain": "2.5. 
인증 및 권한관리","AuditEvidence": ["사용자 계정 및 권한 신청서","사용자 계정 및 권한 관리대장 또는 화면","정보시스템 및 개인정보처리시스템별 접근권한 분류표","정보시스템 및 개인정보처리시스템별 사용자, 관리자, 개인정보취급자 목록"],"AuditChecklist": ["정보시스템과 개인정보 및 중요정보에 접근할 수 있는 사용자 계정 및 접근권한의 등록·변경·삭제에 관한 공식적인 절차를 수립·이행하고 있는가?","정보시스템과 개인정보 및 중요정보에 접근할 수 있는 사용자 계정 및 접근권한 생성 및 등록·변경 시 직무별 접근권한 분류 체계에 따라 업무상 필요한 최소한의 권한만을 부여하고 있는가?","사용자에게 계정 및 접근권한을 부여하는 경우 해당 계정에 대한 보안책임이 본인에게 있음을 명확히 인식시키고 있는가?"],"NonComplianceCases": ["사례 1 : 사용자 및 개인정보취급자에 대한 계정·권한에 대한 사용자 등록, 해지 및 승인절차 없이 구두 요청, 이메일 등으로 처리하여 이에 대한 승인 및 처리 이력이 확인되지 않는 경우","사례 2 : 개인정보취급자가 휴가, 출장, 공가 등에 따른 업무 백업을 사유로 공식적인 절차를 거치지 않고 개인정보취급자로 지정되지 않은 인원에게 개인정보취급자 계정을 알려주는 경우","사례 3 : 정보시스템 또는 개인정보처리시스템 사용자에게 필요 이상의 과도한 권한을 부여하여 업무상 불필요한 정보 또는 개인정보에 접근이 가능한 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "정보시스템과 개인정보 및 중요정보에 대한 비인가 접근을 통제하고 업무 목적에 따른 접근권한을 최소한으로 부여할 수 있도록 사용자 등록·해지 및 접근권한 부여·변경·말소 절차를 수립·이행하고, 사용자 등록 및 권한부여 시 사용자에게 보안책임이 있음을 규정화하고 인식시켜야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 22,"manual": 0}},"2.5.2": {"name": "사용자 식별","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.2 사용자 식별","Subdomain": "2.5. 
인증 및 권한관리","AuditEvidence": ["정보시스템 및 개인정보처리시스템 로그인 화면","정보시스템 및 개인정보처리시스템 관리자, 사용자, 개인정보취급자 계정 목록","예외 처리에 대한 승인 내역"],"AuditChecklist": ["정보시스템 및 개인정보처리시스템에서 사용자 및 개인정보취급자를 유일하게 구분할 수 있는 식별자를 할당하고 추측 가능한 식별자의 사용을 제한하고 있는가?","불가피한 사유로 동일한 식별자를 공유하여 사용하는 경우 그 사유와 타당성을 검토하고 보완대책을 마련하여 책임자의 승인을 받고 있는가?"],"NonComplianceCases": ["사례 1 : 정보시스템(서버, 네트워크, 침입차단시스템, DBMS 등)의 계정 현황을 확인한 결과, 제조사에서 제공하는 기본 관리자 계정을 기술적으로 변경 가능함에도 불구하고 변경하지 않고 사용하고 있는 경우","사례 2 : 개발자가 개인정보처리시스템 계정을 공용으로 사용하고 있으나, 타당성 검토 또는 책임자의 승인 등이 없이 사용하고 있는 경우","사례 3 : 외부직원이 유지보수하고 있는 정보시스템의 운영계정을 별도의 승인 절차 없이 개인 계정처럼 사용하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "사용자 계정은 사용자별로 유일하게 구분할 수 있도록 식별자를 할당하고 추측 가능한 식별자 사용을 제한하여야 하며, 동일한 식별자를 공유하여 사용하는 경우 그 사유와 타당성을 검토하여 책임자의 승인 및 책임추적성 확보 등 보완대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.5.3": {"name": "사용자 인증","checks": {"iam_root_mfa_enabled": null,"iam_user_accesskey_unused": null,"iam_check_saml_providers_sts": null,"cognito_user_pool_mfa_enabled": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_hardware_mfa_enabled": null,"iam_user_two_active_access_key": null,"iam_administrator_access_with_mfa": null,"iam_user_mfa_enabled_console_access": null,"iam_user_with_temporary_credentials": null,"apigatewayv2_api_authorizers_enabled": "FAIL","iam_user_no_setup_initial_access_key": null,"apigateway_restapi_authorizers_enabled": "PASS","rds_cluster_iam_authentication_enabled": "FAIL","rds_instance_iam_authentication_enabled": "FAIL","kafka_cluster_unrestricted_access_disabled": null,"cognito_identity_pool_guest_access_disabled": "FAIL","cognito_user_pool_advanced_security_enabled": null,"cognito_user_pool_self_registration_disabled": null,"directoryservice_supported_mfa_radius_enabled": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cognito_user_pool_client_token_revocation_enabled": 
null,"cloudwatch_log_metric_filter_authentication_failures": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"opensearch_service_domains_internal_user_database_enabled": null,"cognito_user_pool_blocks_potential_malicious_sign_in_attempts": null,"opensearch_service_domains_use_cognito_authentication_for_kibana": null,"cognito_user_pool_blocks_compromised_credentials_sign_in_attempts": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.3 사용자 인증","Subdomain": "2.5. 인증 및 권한관리","AuditEvidence": ["정보시스템 및 개인정보처리시스템 로그인 화면","로그인 횟수 제한 설정 화면","로그인 실패 메시지 화면","외부 접속 시 절차(외부접속 신청서, 외부접속자 현황 등)"],"AuditChecklist": ["정보시스템 및 개인정보처리시스템에 대한 접근은 사용자 인증, 로그인 횟수 제한, 불법 로그인 시도 경고 등 안전한 사용자 인증 절차에 따라 통제하고 있는가?","정보통신망을 통하여 외부에서 개인정보처리시스템에 접속하려는 경우에는 법적 요구사항에 따라 안전한 인증수단 또는 안전한 접속수단을 적용하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보취급자가 공개된 외부 인터넷망을 통하여 이용자의 개인정보를 처리하는 개인정보처리 시스템에 접근 시 안전한 인증수단을 적용하지 않고 ID·비밀번호 방식으로만 인증하고 있는 경우","사례 2 : 정보시스템 및 개인정보처리시스템 로그인 실패 시 해당 ID가 존재하지 않거나 비밀번호가 틀림을 자세히 표시해 주고 있으며, 로그인 실패횟수에 대한 제한이 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리), 제6조(접근통제)"]}],"description": "정보시스템과 개인정보 및 중요정보에 대한 사용자의 접근은 안전한 인증절차와 필요에 따라 강화된 인증방식을 적용하여야 한다. 
또한 로그인 횟수 제한, 불법 로그인 시도 경고 등 비인가자 접근 통제방안을 수립·이행하여야 한다.","checks_status": {"fail": 4,"pass": 1,"total": 29,"manual": 0}},"2.5.4": {"name": "비밀번호 관리","checks": {"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_reuse_24": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_password_policy_minimum_length_14": null,"cognito_user_pool_password_policy_number": null,"cognito_user_pool_password_policy_symbol": null,"cognito_user_pool_password_policy_lowercase": null,"cognito_user_pool_password_policy_uppercase": null,"cognito_user_pool_temporary_password_expiration": null,"cognito_user_pool_password_policy_minimum_length_14": null,"iam_password_policy_expires_passwords_within_90_days_or_less": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.4 비밀번호 관리","Subdomain": "2.5. 인증 및 권한관리","AuditEvidence": ["웹페이지, 정보시스템 및 개인정보처리시스템 비밀번호 설정 화면","비밀번호 관리 정책 및 절차"],"AuditChecklist": ["정보시스템에 대한 안전한 사용자 비밀번호 관리절차 및 작성규칙을 수립·이행하고 있는가?","정보주체(이용자)가 안전한 비밀번호를 이용할 수 있도록 비밀번호 작성규칙을 수립 및 이행하고 있는가?","개인정보취급자 또는 정보주체의 인증수단을 안전하게 적용하고 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보보호 및 개인정보보호 관련 정책, 지침 등에서 비밀번호 생성규칙의 기준을 정하고 있으나, 일부 정보시스템 및 개인정보처리시스템에서 내부 지침과 상이한 비밀번호를 사용하고 있는 경우","사례 2 : 비밀번호 관련 내부 규정에는 비밀번호를 초기화 시 임시 비밀번호를 부여받고 강제적으로 변경하도록 되어 있으나, 실제로는 임시 비밀번호를 그대로 사용하고 있는 경우","사례 3 : 비밀번호 관련 내부 규정에는 사용자 및 개인정보취급자의 비밀번호 변경주기를 정하고 이행하도록 하고 있음에도 불구하고 변경하지 않고 그대로 사용하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "법적 요구사항, 외부 위협요인 등을 고려하여 정보시스템 사용자 및 고객, 회원 등 정보주체(이용자)가 사용하는 비밀번호 관리절차를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 13,"manual": 0}},"2.5.5": {"name": "특수 계정 및 권한 관리","checks": {"iam_avoid_root_usage": null,"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_support_role_created": null,"rds_cluster_default_admin": "FAIL","rds_instance_default_admin": "FAIL","ec2_instance_profile_attached": 
"PASS","iam_root_hardware_mfa_enabled": null,"organizations_delegated_administrators": null,"cloudwatch_log_metric_filter_root_usage": null,"sagemaker_notebook_instance_root_access_disabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.5 특수 계정 및 권한 관리","Subdomain": "2.5. 인증 및 권한관리","AuditEvidence": ["특수권한 관련 지침","특수권한 신청·승인 내역","특수권한자 목록","특수권한 검토 내용"],"AuditChecklist": ["관리자 권한 등 특수권한은 최소한의 인원에게만 부여될 수 있도록 공식적인 권한 신청 및 승인 절차를 수립·이행하고 있는가?","특수 목적을 위하여 부여한 계정 및 권한을 식별하고 별도 목록으로 관리하는 등 통제절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보시스템 및 개인정보처리시스템의 관리자 및 특수권한 부여 등의 승인 이력이 시스템이나 문서상으로 확인이 되지 않거나, 승인 이력과 특수권한 내역이 서로 일치되지 않는 경우","사례 2 : 내부 규정에는 개인정보 관리자 및 특수권한 보유자를 목록으로 작성·관리하도록 되어 있으나 이를 작성·관리하고 있지 않거나, 보안시스템 관리자 등 일부 특수권한이 식별·관리되지 않는 경우","사례 3 : 정보시스템 및 개인정보처리시스템의 유지보수를 위하여 분기 1회에 방문하는 유지보수용 특수 계정이 사용기간 제한없이 상시로 활성화되어 있는 경우","사례 4 : 관리자 및 특수권한의 사용 여부를 정기적으로 검토하지 않아 일부 특수권한자의 업무가 변경되었음에도 불구하고 기존 관리자 및 특수권한을 계속 보유하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "정보시스템 관리, 개인정보 및 중요정보 관리 등 특수 목적을 위하여 사용하는 계정 및 권한은 최소한으로 부여하고 별도로 식별하여 통제하여야 한다.","checks_status": {"fail": 2,"pass": 1,"total": 11,"manual": 0}},"2.5.6": {"name": "접근권한 검토","checks": {"accessanalyzer_enabled": "PASS","cloudtrail_insights_exist": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": 
null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.5.6 접근권한 검토","Subdomain": "2.5. 인증 및 권한관리","AuditEvidence": ["접근권한 검토 기준 및 절차","접근권한 검토 이력","접근권한 검토 결과보고서 및 후속조치 내역"],"AuditChecklist": ["정보시스템과 개인정보 및 중요정보에 대한 사용자 계정 및 접근권한 생성·등록·부여 및 이용·변경·말소 등의 이력을 남기고 있는가?","정보시스템과 개인정보 및 중요정보에 대한 사용자 계정 및 접근권한의 적정성 검토 기준, 검토주체, 검토방법, 주기 등을 수립하여 정기적 검토를 이행하고 있는가?","접근권한 검토 결과 접근권한 과다 부여, 권한부여 절차 미준수, 권한 오·남용 등 문제점이 발견된 경우 그에 따른 조치절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 접근권한 검토와 관련된 방법, 점검주기, 보고체계, 오·남용 기준 등이 관련 지침에 구체적으로 정의되어 있지 않아 접근권한 검토가 정기적으로 수행되지 않은 경우","사례 2 : 내부 정책, 지침 등에 장기 미사용자 계정에 대한 잠금(비활성화) 또는 삭제 조치하도록 되어 있으나, 6개월 이상 미접속한 사용자의 계정이 활성화되어 있는 경우(접근권한 검토가 충실히 수행되지 않아 해당 계정이 식별되지 않은 경우)","사례 3 : 접근권한 검토 시 접근권한의 과다 부여 및 오·남용 의심사례가 발견되었으나, 이에 대한 상세조사, 내부보고 등의 후속조치가 수행되지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근 권한의 관리)"]}],"description": "정보시스템과 개인정보 및 중요정보에 접근하는 사용자 계정의 등록·이용·삭제 및 접근권한의 부여·변경·삭제 이력을 남기고 주기적으로 검토하여 적정성 여부를 점검하여야 한다.","checks_status": {"fail": 2,"pass": 1,"total": 14,"manual": 0}},"2.6.1": {"name": "네트워크 접근","checks": {"ec2_ami_public": null,"elb_internet_facing": "FAIL","ec2_elastic_ip_shodan": null,"elbv2_internet_facing": "PASS","ec2_instance_public_ip": "FAIL","ec2_ebs_public_snapshot": "PASS","kafka_cluster_is_public": null,"s3_bucket_acl_prohibited": "FAIL","apigateway_restapi_public": "FAIL","lightsail_database_public": null,"lightsail_instance_public": null,"ec2_securitygroup_not_used": "FAIL","elbv2_listeners_underneath": "PASS","networkfirewall_in_all_vpc": "FAIL","s3_bucket_public_write_acl": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","ssm_documents_set_as_public": "PASS","awslambda_function_url_public": null,"dms_instance_no_public_access": null,"rds_instance_no_public_access": "PASS","emr_cluster_publicly_accesible": 
null,"redshift_cluster_public_access": null,"neptune_cluster_public_snapshot": null,"eks_cluster_private_nodes_enabled": null,"awslambda_function_url_cors_policy": null,"documentdb_cluster_public_snapshot": null,"eks_cluster_network_policy_enabled": null,"neptune_cluster_uses_public_subnet": null,"sns_topics_not_publicly_accessible": "PASS","sqs_queues_not_publicly_accessible": "PASS","vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","eks_cluster_not_publicly_accessible": null,"glacier_vaults_policy_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_access_point_public_access_block": "PASS","s3_bucket_level_public_access_block": "PASS","iam_user_administrator_access_policy": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"iam_group_administrator_access_policy": null,"s3_account_level_public_access_blocks": null,"apigateway_restapi_authorizers_enabled": "PASS","elasticache_cluster_uses_public_subnet": "PASS","rds_instance_iam_authentication_enabled": "FAIL","appstream_fleet_maximum_session_duration": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ecr_repositories_not_publicly_accessible": "PASS","emr_cluster_account_public_block_enabled": "PASS","sagemaker_models_vpc_settings_configured": null,"apigateway_restapi_public_with_authorizer": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","vpc_endpoint_connections_trust_boundaries": "FAIL","appstream_fleet_session_disconnect_timeout": null,"awslambda_function_not_publicly_accessible": "PASS","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_instance_port_ldap_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","kafka_cluster_unrestricted_access_disabled": 
null,"sagemaker_models_network_isolation_enabled": null,"cognito_identity_pool_guest_access_disabled": "FAIL","ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","workspaces_vpc_2private_1public_subnets_nat": null,"ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_transitgateway_auto_accept_vpc_attachments": null,"appstream_fleet_session_idle_disconnect_timeout": null,"ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","rds_instance_event_subscription_security_groups": "FAIL","sagemaker_training_jobs_vpc_settings_configured": null,"vpc_peering_routing_tables_with_least_privilege": "PASS","appstream_fleet_default_internet_access_disabled": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","cloudfront_distributions_geo_restrictions_enabled": null,"sagemaker_training_jobs_network_isolation_enabled": null,"opensearch_service_domains_not_publicly_accessible": null,"sagemaker_notebook_instance_vpc_settings_configured": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","vpc_endpoint_services_allowed_principals_trust_boundaries": null,"ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","cognito_user_pool_blocks_potential_malicious_sign_in_attempts": 
null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.1 네트워크 접근","Subdomain": "2.6. 
접근통제","AuditEvidence": ["네트워크 구성도","IP 관리대장","정보자산 목록","방화벽룰"],"AuditChecklist": ["조직의 네트워크에 접근할 수 있는 모든 경로를 식별하고 접근통제 정책에 따라 내부 네트워크는 인가된 사용자만이 접근할 수 있도록 통제하고 있는가?","서비스, 사용자 그룹, 정보자산의 중요도, 법적 요구사항에 따라 네트워크 영역을 물리적 또는 논리적으로 분리하고 각 영역 간 접근통제를 적용하고 있는가?","네트워크 대역별 IP주소 부여 기준을 마련하고 데이터베이스 서버 등 외부 연결이 필요하지 않은 경우 사설 IP로 할당하는 등의 대책을 적용하고 있는가?","물리적으로 떨어진 IDC, 지사, 대리점 등과의 네트워크 연결 시 전송구간 보호대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 네트워크 구성도와 인터뷰를 통하여 확인한 결과, 외부 지점에서 사용하는 정보시스템 및 개인정보 처리시스템과 IDC에 위치한 서버 간 연결 시 일반 인터넷 회선을 통하여 데이터 송수신을 처리하고 있어 내부 규정에 명시된 VPN이나 전용망 등을 이용한 통신이 이루어지고 있지 않은 경우","사례 2 : 내부망에 위치한 데이터베이스 서버 등 일부 중요 서버의 IP주소가 내부 규정과 달리 공인 IP로 설정되어 있고, 네트워크 접근 차단이 적용되어 있지 않은 경우","사례 3 : 서버팜이 구성되어 있으나, 네트워크 접근제어 설정 미흡으로 내부망에서 서버팜으로의 접근이 과도하게 허용되어 있는 경우","사례 4 : 외부자(외부 개발자, 방문자 등)에게 제공되는 네트워크를 별도의 통제 없이 내부 업무 네트워크와 분리하지 않은 경우","사례 5 : 내부 규정과는 달리 MAC주소 인증, 필수 보안 소프트웨어 설치 등의 보호대책을 적용하지 않은 상태로 네트워크 케이블 연결만으로 사내 네트워크에 접근 및 이용할 수 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "네트워크에 대한 비인가 접근을 통제하기 위하여 IP관리, 단말인증 등 관리절차를 수립 및이행하고, 업무목적 및 중요도에 따라 네트워크 분리(DMZ, 서버팜, DB존, 개발존 등)와 접근통제를 적용하여야 한다.","checks_status": {"fail": 17,"pass": 54,"total": 112,"manual": 0}},"2.6.2": {"name": "정보시스템 접근","checks": {"ec2_elastic_ip_shodan": null,"ec2_instance_public_ip": "FAIL","ec2_elastic_ip_unassigned": "FAIL","lightsail_instance_public": null,"lightsail_static_ip_unused": null,"ec2_instance_managed_by_ssm": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": 
"PASS","ec2_instance_internet_facing_with_instance_profile": "FAIL","ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.2 정보시스템 접근","Subdomain": "2.6. 접근통제","AuditEvidence": ["정보시스템 운영체제 계정 목록","서버 보안 설정","서버접근제어 정책(SecureOS 관리화면 등)","서버 및 네트워크 구성도","정보자산 목록"],"AuditChecklist": ["서버, 네트워크시스템, 보안시스템 등 정보시스템별 운영체제(OS)에 접근이 허용되는 사용자, 접근 가능 위치, 접근 수단 등을 정의하여 통제하고 있는가?","정보시스템에 접속 후 일정시간 업무처리를 하지 않는 경우 자동으로 시스템 접속이 차단되도록 하고 있는가?","정보시스템의 사용목적과 관계 없는 서비스를 제거하고 있는가?","주요 서비스를 제공하는 정보시스템은 독립된 서버로 운영하고 있는가?"],"NonComplianceCases": ["사례 1 : 사무실에서 서버관리자가 IDC에 위치한 윈도우 서버에 접근 시 터미널 서비스를 이용하여 접근하고 있으나, 터미널 서비스에 대한 세션 타임아웃 설정이 되어 있지 않아 장시간 아무런 작업을 하지 않아도 해당 세션이 차단되지 않는 경우","사례 2 : 서버 간 접속이 적절히 제한되지 않아 특정 사용자가 본인에게 인가된 서버에 접속한 후 해당 서버를 경유하여 다른 인가받지 않은 서버에도 접속할 수 있는 경우","사례 3 : 타당한 사유 또는 보완 대책 없이 안전하지 않은 접속 프로토콜(telnet, ftp 등)을 사용하여 접근하고 있으며, 불필요한 서비스 및 포트를 오픈하고 있는 경우","사례 4 : 모든 서버로의 접근은 서버접근제어 시스템을 통하도록 접근통제 정책을 가져가고 있으나, 서버접근제어 시스템을 통하지 않고 서버에 접근할 수 있는 우회 경로가 존재하는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "서버, 네트워크시스템 등 정보시스템에 접근을 허용하는 사용자, 접근제한 방식, 안전한 접근수단 등을 정의하여 통제하여야 한다.","checks_status": {"fail": 8,"pass": 13,"total": 24,"manual": 0}},"2.6.3": {"name": "응용프로그램 접근","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.3 응용프로그램 접근","Subdomain": "2.6. 
접근통제","AuditEvidence": ["응용프로그램 접근권한 분류 체계","응용프로그램 계정·권한 관리 화면","응용프로그램 사용자·관리자 화면(개인정보 조회 등)","응용프로그램 세션 타임 및 동시접속 허용 여부 내역","응용프로그램 관리자 접속로그 모니터링 내역","정보자산 목록","개인정보처리시스템의 개인정보 조회, 검색 화면","개인정보 마스킹 표준","개인정보 마스킹 적용 화면"],"AuditChecklist": ["중요정보 접근을 통제하기 위하여 사용자의 업무에 따라 응용프로그램 접근권한을 차등 부여하고 있는가?","일정시간 동안 입력이 없는 세션은 자동 차단하고, 동일 사용자의 동시 세션 수를 제한하고 있는가?","관리자 전용 응용프로그램(관리자 웹페이지, 관리콘솔 등)은 비인가자가 접근할 수 없도록 접근을 통제하고 있는가?","개인정보 및 중요정보의 표시제한 보호조치의 일관성을 확보할 수 있도록 관련 기준을 수립하여 적용하고 있는가?","개인정보 및 중요정보의 불필요한 노출(조회, 화면표시, 인쇄, 다운로드 등)을 최소화할 수 있도록 응용프로그램을 구현하여 운영하고 있는가?"],"NonComplianceCases": ["사례 1 : 응용프로그램의 개인정보 처리화면 중 일부 화면의 권한 제어 기능에 오류가 존재하여 개인정보 열람 권한이 없는 사용자에게도 개인정보가 노출되고 있는 경우","사례 2 : 응용프로그램의 관리자 페이지가 외부인터넷에 오픈되어 있으면서 안전한 인증수단이 적용되어 있지 않은 경우","사례 3 : 응용프로그램에 대하여 타당한 사유 없이 세션 타임아웃 또는 동일 사용자 계정의 동시 접속을 제한하고 있지 않은 경우","사례 4 : 응용프로그램을 통하여 개인정보를 다운로드받는 경우 해당 파일 내에 주민등록번호 등 업무상 불필요한 정보가 과도하게 포함되어 있는 경우","사례 5 : 응용프로그램의 개인정보 조회화면에서 like 검색을 과도하게 허용하고 있어, 모든 사용자가 본인의 업무 범위를 초과하여 성씨만으로도 전체 고객 정보를 조회할 수 있는 경우","사례 6 : 개인정보 표시제한 조치 기준이 마련되어 있지 않거나 이를 준수하지 않는 등의 사유로 동일한 개인정보 항목에 대하여 개인정보처리시스템 화면별로 서로 다른 마스킹 기준이 적용된 경우","사례 7 : 개인정보처리시스템의 화면상에는 개인정보가 마스킹되어 표시되어 있으나, 웹브라우저 소스보기를 통하여 마스킹되지 않은 전체 개인정보가 노출되는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근권한의 관리), 제6조(접근통제), 제12조(출력·복사시 안전조치)"]}],"description": "사용자별 업무 및 접근 정보의 중요도 등에 따라 응용프로그램 접근권한을 제한하고, 불필요한 정보 또는 중요정보 노출을 최소화할 수 있도록 기준을 수립하여 적용하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.6.4": {"name": "데이터베이스 접근","checks": {"accessanalyzer_enabled": "PASS","lightsail_database_public": null,"rds_snapshots_public_access": "PASS","dms_instance_no_public_access": null,"rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"neptune_cluster_public_snapshot": null,"rds_instance_transport_encrypted": "FAIL","documentdb_cluster_public_snapshot": null,"neptune_cluster_uses_public_subnet": null,"vpc_subnet_separate_private_public": 
"FAIL","dynamodb_table_cross_account_access": null,"rds_cluster_iam_authentication_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","rds_instance_iam_authentication_enabled": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","neptune_cluster_iam_authentication_enabled": null,"ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","opensearch_service_domains_not_publicly_accessible": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_internal_user_database_enabled": null,"ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","opensearch_service_domains_use_cognito_authentication_for_kibana": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.4 데이터베이스 접근","Subdomain": "2.6. 
접근통제","AuditEvidence": ["데이터베이스 현황(테이블, 컬럼 등)","데이터베이스 접속자 계정·권한 목록","데이터베이스 접근제어 정책(데이터베이스 접근제어시스템 관리화면 등)","네트워크 구성도(데이터베이스존 등)","정보자산 목록"],"AuditChecklist": ["데이터베이스의 테이블 목록 등 저장·관리되고 있는 정보를 식별하고 있는가?","데이터베이스 내 정보에 접근이 필요한 응용프로그램, 정보시스템(서버) 및 사용자를 명확히 식별하고 접근통제 정책에 따라 통제하고 있는가?"],"NonComplianceCases": ["사례 1 : 대량의 개인정보를 보관·처리하고 있는 데이터베이스를 인터넷을 통하여 접근 가능한 웹 응용프로그램과 분리하지 않고 물리적으로 동일한 서버에서 운영하고 있는 경우","사례 2 : 개발자 및 운영자들이 응응 프로그램에서 사용하고 있는 계정을 공유하여 운영 데이터베이스에 접속하고 있는 경우","사례 3 : 내부 규정에는 데이터베이스의 접속권한을 오브젝트별로 제한하도록 되어 있으나, 데이터베이스 접근권한을 운영자에게 일괄 부여하고 있어 개인정보 테이블에 접근할 필요가 없는 운영자에게도 과도하게 접근 권한이 부여된 경우","사례 4 : 데이터베이스 접근제어 솔루션을 도입하여 운영하고 있으나, 데이터베이스 접속자에 대한 IP주소 등이 적절히 제한되어 있지 않아 데이터베이스 접근제어 솔루션을 우회하여 데이터베이스에 접속하고 있는 경우","사례 5 : 개인정보를 저장하고 있는 데이터베이스의 테이블 현황이 파악되지 않아, 임시로 생성된 테이블에 불필요한 개인정보가 파기되지 않고 대량으로 저장되어 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제5조(접근권한의 관리), 제6조(접근통제)"]}],"description": "테이블 목록 등 데이터베이스 내에서 저장·관리되고 있는 정보를 식별하고, 정보의 중요도와 응용프로그램 및 사용자 유형 등에 따른 접근통제 정책을 수립·이행하여야 한다.","checks_status": {"fail": 6,"pass": 19,"total": 37,"manual": 0}},"2.6.5": {"name": "무선 네트워크 접근","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.5 무선 네트워크 접근","Subdomain": "2.6. 
접근통제","AuditEvidence": ["네트워크 구성도","AP 보안 설정 내역","비인가 무선 네트워크 점검 이력","무선네트워크 사용 신청·승인 이력"],"AuditChecklist": ["무선네트워크를 업무적으로 사용하는 경우 무선 AP 및 네트워크 구간 보안을 위하여 인증, 송수신 데이터 암호화 등 보호대책을 수립·이행하고 있는가?","인가된 임직원만이 무선네트워크를 사용할 수 있도록 사용 신청 및 해지 절차를 수립 및 이행하고 있는가?","AD Hoc 접속 및 조직 내 허가받지 않은 무선 AP 탐지·차단 등 비인가된 무선네트워크에 대한 보호대책을 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 외부인용 무선 네트워크와 내부 무선 네트워크 영역대가 동일하여 외부인도 무선네트워크를 통하여 별도의 통제 없이 내부 네트워크에 접근이 가능한 경우","사례 2 : 무선 AP 설정 시 정보 송수신 암호화 기능을 설정하였으나, 안전하지 않은 방식으로 설정한 경우","사례 3 : 업무 목적으로 내부망에 연결된 무선AP에 대하여 무선AP 관리자 비밀번호 노출(디폴트 비밀번호 사용), 접근제어 미적용 등 보안 설정이 미흡한 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "무선 네트워크를 사용하는 경우 사용자 인증, 송수신 데이터 암호화, AP 통제 등 무선 네트워크 보호대책을 적용하여야 한다. 또한 AD Hoc 접속, 비인가 AP 사용 등 비인가 무선 네트워크 접속으로부터 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.6.6": {"name": "원격접근 통제","checks": {"vpc_flow_logs_enabled": "FAIL","networkfirewall_in_all_vpc": "FAIL","cognito_user_pool_mfa_enabled": null,"iam_user_console_access_unused": null,"vpc_subnet_no_public_ip_by_default": "FAIL","vpc_subnet_separate_private_public": "FAIL","iam_user_mfa_enabled_console_access": null,"workspaces_volume_encryption_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","appstream_fleet_maximum_session_duration": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","appstream_fleet_session_disconnect_timeout": null,"ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","cognito_identity_pool_guest_access_disabled": "FAIL","workspaces_vpc_2private_1public_subnets_nat": null,"cognito_user_pool_self_registration_disabled": null,"appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"ec2_client_vpn_endpoint_connection_logging_enabled": 
null,"cloudwatch_log_metric_filter_authentication_failures": null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.6 원격접근 통제","Subdomain": "2.6. 접근통제","AuditEvidence": ["VPN 등 사외접속 신청서","VPN 계정 목록","VPN 접근제어 정책 설정 현황","IP 관리대장","원격 접근제어 설정(서버 설정, 보안시스템 설정 등)","관리용 단말기 지정 및 관리 현황","네트워크 구성도"],"AuditChecklist": ["인터넷과 같은 외부 네트워크를 통한 정보시스템 원격운영은 원칙적으로 금지하고 장애대응 등 부득이하게 허용하는 경우 보완대책을 마련하고 있는가?","내부 네트워크를 통하여 원격으로 정보시스템을 운영하는 경우 특정 단말에 한해서만 접근을 허용하고 있는가?","재택근무, 원격협업, 스마트워크 등과 같은 원격업무 수행 시 중요정보 유출, 해킹 등 침해사고 예방을 위한 보호대책을 수립·이행하고 있는가?","개인정보처리시스템의 관리, 운영, 개발, 보안 등을 목적으로 원격으로 개인정보처리 시스템에 접속하는 단말기는 관리용 단말기로 지정하고 임의조작 및 목적 외 사용 금지 등 안전조치를 적용하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 규정에는 시스템에 대한 원격 접근은 원칙적으로 금지하고 불가피한 경우 IP 기반의 접근통제를 통하여 승인된 사용자만 접근할 수 있도록 명시하고 있으나, 시스템에 대한 원격 데스크톱 연결, SSH 접속이 IP주소 등으로 제한되어 있지 않아 모든 PC에서 원격 접속이 가능한 경우","사례 2 : 원격운영관리를 위하여 VPN을 구축하여 운영하고 있으나, VPN에 대한 사용 승인 또는 접속 기간 제한 없이 상시 허용하고 있는 경우","사례 3 : 외부 근무자를 위하여 개인 스마트 기기에 업무용 모바일 앱을 설치하여 운영하고 있으나, 악성코드, 분실·도난 등에 의한 개인정보 유출을 방지하기 위한 적절한 보호대책(백신, 초기화, 암호화 등)을 적용하고 있지 않은 경우","사례 4 : 외부 접속용 VPN에서 사용자별로 원격접근이 가능한 네트워크 구간 및 정보시스템을 제한하지 않아 원격접근 인증을 받은 사용자가 전체 내부망 및 정보시스템에 과도하게 접근이 가능한 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "보호구역 이외 장소에서의 정보시스템 관리 및 개인정보 처리는 원칙적으로 금지하고, 재택근무·장애대응·원격협업 등 불가피한 사유로 원격접근을 허용하는 경우 책임자 승인, 접근 단말 지정, 접근 허용범위 및 기간 설정, 강화된 인증, 구간 암호화, 접속단말 보안(백신, 패치 등) 등 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 8,"pass": 5,"total": 26,"manual": 0}},"2.6.7": {"name": "인터넷 접속 통제","checks": {"ec2_elastic_ip_shodan": null,"vpc_flow_logs_enabled": "FAIL","ec2_instance_public_ip": "FAIL","ec2_elastic_ip_unassigned": "FAIL","networkfirewall_in_all_vpc": "FAIL","vpc_subnet_no_public_ip_by_default": 
"FAIL","vpc_subnet_separate_private_public": "FAIL","workspaces_volume_encryption_enabled": null,"route53_dangling_ip_subdomain_takeover": null,"appstream_fleet_maximum_session_duration": null,"appstream_fleet_session_disconnect_timeout": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"workspaces_vpc_2private_1public_subnets_nat": null,"ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.6.7 인터넷 접속 통제","Subdomain": "2.6. 접근통제","AuditEvidence": ["비업무사이트(P2P 등) 차단정책(비업무사이트 차단시스템 관리화면 등)","인터넷 접속내역 모니터링 이력","인터넷망 차단조치 대상자 목록","망간 자료 전송 절차 및 처리내역(신청·승인내역 등)","네트워크 구성도"],"AuditChecklist": ["주요 직무 수행 및 개인정보 취급 단말기 등 업무용 PC의 인터넷 접속에 대한 통제정책을 수립·이행하고 있는가?","주요 정보시스템(DB서버 등)에서 불필요한 외부 인터넷 접속을 통제하고 있는가?","관련 법령에 따라 인터넷망 차단 의무가 부과된 경우 대상자를 식별하여 안전한 방식으로 인터넷망 차단 조치를 적용하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보 보호법에 따라 인터넷망 차단 조치를 적용하였으나, 개인정보처리시스템의 접근권한 설정 가능자 등 일부 의무대상자에 대하여 인터넷망 차단 조치 적용이 누락된 경우","사례 2 : 개인정보 보호법에 따른 인터넷망 차단 조치 의무대상으로서 인터넷망 차단 조치를 적용하였으나, 다른 서버를 경유한 우회접속이 가능하여 인터넷망 차단 조치가 적용되지 않은 환경에서 개인정보처리시스템에 접속하여 개인정보의 다운로드, 파기 등이 가능한 경우","사례 3 : DMZ 및 내부망에 위치한 일부 서버에서 불필요하게 인터넷으로의 직접 접속이 가능한 경우","사례 4 : 인터넷 PC와 내부 업무용 PC를 물리적 망분리 방식으로 인터넷망 차단 조치를 적용하고 망간 자료전송시스템을 구축·운영하고 있으나, 자료 전송에 대한 승인 절차가 부재하고 자료 전송 내역에 대한 주기적 검토가 이루어지고 있지 않은 경우","사례 5 : 내부 규정에는 개인정보취급자가 P2P 및 웹하드 사이트 접속 시 책임자 승인을 거쳐 특정 기간 동안만 허용하도록 되어 있으나, 승인절차를 거치지 않고 예외 접속이 허용된 사례가 다수 존재하는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "인터넷을 통한 정보 유출, 악성코드 감염, 내부망 침투 등을 예방하기 위하여 주요 정보시스템, 주요 직무 수행 및 개인정보 취급 단말기 등에 대한 인터넷 접속 또는 서비스(P2P, 웹하드, 메신저 등)를 제한하는 등 인터넷 접속 통제 정책을 
수립·이행하여야 한다.","checks_status": {"fail": 6,"pass": 1,"total": 19,"manual": 0}},"2.7.1": {"name": "암호정책 적용","checks": {"elb_ssl_listeners": "FAIL","backup_vaults_exist": null,"elbv2_ssl_listeners": "FAIL","ssm_document_secrets": "PASS","backup_vaults_encrypted": "PASS","rds_snapshots_encrypted": "FAIL","elb_insecure_ssl_ciphers": "PASS","s3_bucket_kms_encryption": "FAIL","ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","elbv2_insecure_ssl_ciphers": "PASS","athena_workgroup_encryption": null,"ec2_ebs_snapshots_encrypted": "FAIL","s3_bucket_default_encryption": "PASS","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","rds_instance_transport_encrypted": "FAIL","cloudtrail_kms_encryption_enabled": "FAIL","neptune_cluster_storage_encrypted": null,"s3_bucket_secure_transport_policy": "FAIL","documentdb_cluster_storage_encrypted": null,"workspaces_volume_encryption_enabled": null,"awslambda_function_no_secrets_in_code": "PASS","glue_database_connections_ssl_enabled": null,"athena_workgroup_enforce_configuration": null,"cloudfront_distributions_https_enabled": null,"cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudformation_stack_outputs_find_secrets": "PASS","codebuild_project_no_secrets_in_variables": "PASS","kafka_cluster_encryption_at_rest_uses_cmk": null,"sns_subscription_not_using_http_endpoints": "PASS","sns_topics_kms_encryption_at_rest_enabled": "FAIL","sqs_queues_server_side_encryption_enabled": "PASS","awslambda_function_no_secrets_in_variables": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"glue_etl_jobs_amazon_s3_encryption_enabled": "PASS","acm_certificates_with_secure_key_algorithms": "PASS","cloudwatch_log_group_kms_encryption_enabled": "FAIL","ecs_task_definitions_no_environment_secrets": "PASS","kafka_cluster_in_transit_encryption_enabled": null,"storagegateway_fileshare_encryption_enabled": 
null,"apigateway_restapi_client_certificate_enabled": "FAIL","glue_etl_jobs_job_bookmark_encryption_enabled": "FAIL","glue_data_catalogs_metadata_encryption_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"dynamodb_accelerator_cluster_encryption_enabled": null,"kafka_cluster_mutual_tls_authentication_enabled": null,"directoryservice_radius_server_security_protocol": null,"glue_development_endpoints_s3_encryption_enabled": null,"glue_etl_jobs_cloudwatch_logs_encryption_enabled": "FAIL","autoscaling_find_secrets_ec2_launch_configuration": "PASS","eks_cluster_kms_cmk_encryption_in_secrets_enabled": null,"elasticache_redis_cluster_rest_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"cloudfront_distributions_field_level_encryption_enabled": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"elasticache_redis_cluster_in_transit_encryption_enabled": null,"opensearch_service_domains_https_communications_enforced": null,"sagemaker_training_jobs_intercontainer_encryption_enabled": null,"glue_data_catalogs_connection_passwords_encryption_enabled": "FAIL","glue_development_endpoints_job_bookmark_encryption_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null,"sagemaker_training_jobs_volume_and_output_encryption_enabled": null,"glue_development_endpoints_cloudwatch_logs_encryption_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.7.1 암호정책 적용","Subdomain": "2.7. 
암호화 적용","AuditEvidence": ["암호통제 정책(대상, 방식, 알고리즘 등)","암호화 적용현황(저장 및 전송 시)","위험도 분석 결과(내부망에서 주민등록번호 이외의 고유식별정보 암호화 미적용 시)","암호화 솔루션 관리 화면"],"AuditChecklist": ["개인정보 및 주요정보의 보호를 위하여 법적 요구사항을 반영한 암호화 대상, 암호강도, 암호사용 등이 포함된 암호정책을 수립하고 있는가?","암호정책에 따라 개인정보 및 주요정보의 저장, 전송, 전달 시 암호화를 수행하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 정책·지침에 암호통제 관련 법적 요구사항을 고려한 암호화 대상, 암호 강도, 저장 및 전송 시 암호화 방법, 암호화 관련 담당자의 역할 및 책임 등에 관한 사항이 적절히 명시되지 않은 경우","사례 2 : 암호정책을 수립하면서 해당 기업이 적용받는 법규를 잘못 적용하여 암호화 관련 법적 요구사항을 준수하지 못하고 있는 경우(예를 들어, 이용자의 계좌번호를 저장하면서 암호화 미적용)","사례 3 : 개인정보취급자 및 정보주체의 비밀번호에 대하여 일방향 암호화를 적용하였으나, 안전하지 않은 MD5 알고리즘을 사용한 경우","사례 4 : 개인정보처리자가 관련 법규 및 내부 규정에 따라 인터넷 쇼핑몰에 대하여 보안서버를 적용하였으나, 회원정보 조회 및 변경, 비밀번호 찾기, 비밀번호 변경 등 이용자의 개인정보가 전송되는 일부 구간에 암호화 조치가 누락된 경우","사례 5 : 정보시스템 접속용 비밀번호, 인증키 값 등이 시스템 설정파일 및 소스코드 내에 평문으로 저장되어 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제24조의2(주민등록번호 처리의 제한), 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제7조(개인정보의 암호화)"]}],"description": "개인정보 및 주요정보 보호를 위하여 법적 요구사항을 반영한 암호화 대상, 암호 강도, 암호 사용 정책을 수립하고 개인정보 및 주요정보의 저장·전송·전달 시 암호화를 적용하여야 한다.","checks_status": {"fail": 18,"pass": 19,"total": 66,"manual": 0}},"2.7.2": {"name": "암호키 관리","checks": {"kms_cmk_are_used": null,"kms_cmk_rotation_enabled": null,"kms_key_not_publicly_accessible": null,"kms_cmk_not_deleted_unintentionally": null,"rds_instance_certificate_expiration": "PASS","secretsmanager_automatic_rotation_enabled": "FAIL","acm_certificates_transparency_logs_enabled": "PASS","directoryservice_ldap_certificate_expiration": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.7.2 암호키 관리","Subdomain": "2.7. 
암호화 적용","AuditEvidence": ["암호키 관리정책","암호키 관리대장 및 관리시스템 화면"],"AuditChecklist": ["암호키 생성, 이용, 보관, 배포, 변경, 복구, 파기 등에 관한 절차를 수립·이행하고 있는가?","암호키는 필요시 복구가 가능하도록 별도의 안전한 장소에 보관하고 암호키 사용에 관한 접근권한을 최소화하고 있는가?"],"NonComplianceCases": ["사례 1 : 암호 정책 내에 암호키 관리와 관련된 절차, 방법 등이 명시되어 있지 않아 담당자별로 암호키 관리 수준 및 방법 상이 등 암호키 관리에 취약사항이 존재하는 경우","사례 2 : 내부 규정에 중요 정보를 암호화 할 경우 관련 책임자 승인 하에 암호화 키를 생성하고 암호키 관리대장을 작성하도록 정하고 있으나, 암호키 관리대장에 일부 암호키가 누락되어 있거나 현행화되어 있지 않은 경우","사례 3 : 개발시스템에 적용되어 있는 암호키와 운영시스템에 적용된 암호키가 동일하여, 암호화된 실데이터가 개발시스템을 통해 쉽게 복호화가 가능한 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제7조(개인정보의 암호화)"]}],"description": "암호키의 안전한 생성·이용·보관·배포·파기를 위한 관리 절차를 수립·이행하고, 필요 시 복구방안을 마련하여야 한다.","checks_status": {"fail": 1,"pass": 2,"total": 9,"manual": 0}},"2.8.1": {"name": "보안 요구사항 정의","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","accessanalyzer_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","guardduty_centrally_managed": "FAIL","wafv2_webacl_logging_enabled": "FAIL","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","codebuild_project_no_secrets_in_variables": "PASS","codebuild_project_user_controlled_buildspec": "PASS","wellarchitected_workload_no_high_or_medium_risks": "FAIL","codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.1 보안 요구사항 정의","Subdomain": "2.8. 
정보시스템 도입 및 개발 보안","AuditEvidence": ["정보시스템 인수 기준 및 절차","정보시스템 도입 RFP(제안요청서) 및 구매계약서","개발 산출물(사업수행계획서, 요구사항정의서, 화면설계서, 보안아키텍처 설계서, 시험계획서 등)","시큐어 코딩 표준"],"AuditChecklist": ["정보시스템을 신규로 도입·개발 또는 변경하는 경우 정보보호 및 개인정보보호 측면의 타당성 검토 및 인수 절차를 수립·이행하고 있는가?","정보시스템을 신규로 도입·개발 또는 변경하는 경우 법적 요구사항, 최신 취약점 등을 포함한 보안 요구사항을 명확히 정의하고 설계 단계에서부터 반영하고 있는가?","정보시스템의 안전한 구현을 위한 코딩 표준을 수립하여 적용하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보시스템 인수 전 보안성 검증 기준 및 절차가 마련되어 있지 않은 경우","사례 2 : 신규 시스템 도입 시 기존 운영환경에 대한 영향 및 보안성을 검토하도록 내부 규정을 마련하고 있으나, 최근 도입한 일부 정보시스템에 대하여 인수 시 보안요건에 대해 세부 기준 및 계획이 수립되지 않았으며, 이에 따라 인수 시 보안성검토가 수행되지 않은 경우","사례 3 : 개발 관련 내부 지침에 개발과 관련된 주요 보안 요구사항(인증 및 암호화, 보안로그 등)이 정의되어 있지 않은 경우","사례 4 : ʻ개발표준정의서ʼ에 사용자 패스워드를 안전하지 않은 암호화 알고리즘(MD5, SHA1)으로 사용하도록 되어 있어 관련 법적 요구사항을 적절히 반영하지 않는 경우"],"RelatedRegulations": []}],"description": "정보시스템의 도입·개발·변경 시 정보보호 및 개인정보보호 관련 법적 요구사항, 최신 보안취약점, 안전한 코딩방법 등 보안 요구사항을 정의하고 적용하여야 한다.","checks_status": {"fail": 7,"pass": 7,"total": 16,"manual": 0}},"2.8.2": {"name": "보안 요구사항 검토 및 시험","checks": {"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","accessanalyzer_enabled": "PASS","networkfirewall_in_all_vpc": "FAIL","guardduty_centrally_managed": "FAIL","wafv2_webacl_logging_enabled": "FAIL","inspector2_active_findings_exist": "FAIL","config_recorder_all_regions_enabled": null,"guardduty_no_high_severity_findings": "FAIL","cloudtrail_cloudwatch_logging_enabled": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","codebuild_project_no_secrets_in_variables": "PASS","codebuild_project_user_controlled_buildspec": "PASS","wellarchitected_workload_no_high_or_medium_risks": "FAIL","codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.2 보안 요구사항 검토 및 시험","Subdomain": "2.8. 
정보시스템 도입 및 개발 보안","AuditEvidence": ["정보시스템 인수 시험 결과","요구사항 추적 매트릭스","시험 계획서, 시험 결과서","취약점 점검 결과서","개인정보 영향평가서","개인정보 영향평가 개선계획 이행점검 확인서"],"AuditChecklist": ["정보시스템의 도입, 개발, 변경 시 분석 및 설계 단계에서 정의한 보안 요구사항이 효과적으로 적용되었는지를 확인하기 위한 시험을 수행하고 있는가?","정보시스템이 안전한 코딩 기준 등에 따라 안전하게 개발되었는지를 확인하기 위한 취약점 점검이 수행되고 있는가?","시험 및 취약점 점검 과정에서 발견된 문제점이 신속하게 개선될 수 있도록 개선계획 수립, 이행점검 등의 절차를 이행하고 있는가?","공공기관은 관련 법령에 따라 개인정보처리시스템 신규 개발 및 변경 시 분석·설계 단계에서 영향평가기관을 통하여 영향평가를 수행하고 그 결과를 개발 및 변경 시 반영하고 있는가?"],"NonComplianceCases": ["사례 1 : 정보시스템 구현 이후 개발 관련 내부 지침 및 문서에 정의된 보안 요구사항을 시험하지 않고 있는 경우","사례 2 : 응용프로그램 테스트 시나리오 및 기술적 취약점 점검항목에 입력값 유효성 체크 등의 중요 점검항목 일부가 누락된 경우","사례 3 : 구현 또는 시험 과정에서 알려진 기술적 취약점이 존재하는지 여부를 점검하지 않거나, 타당한 사유 또는 승인 없이 확인된 취약점에 대한 개선조치를 이행하지 않은 경우","사례 4 : 공공기관이 5만 명 이상 정보주체의 고유식별정보를 처리하는 등 영향평가 의무 대상 개인정보 파일 및 개인정보처리시스템을 신규로 구축하면서 영향평가를 실시하지 않은 경우","사례 5 : 공공기관이 영향평가를 수행한 후 영향평가기관으로부터 영향평가서를 받은 지 2개월이 지났음에도 불구하고 영향평가서를 개인정보 보호위원회에 제출하지 않은 경우","사례 6 : 신규 시스템 도입 시 기존 운영환경에 대한 영향 및 보안성을 검토(취약점 점검 등)하도록 내부 지침을 마련하고 있으나, 최근 도입한 일부 정보시스템에 대하여 인수 시 취약점 점검 등 보안성검토가 수행되지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제33조(개인정보 영향평가)","개인정보 영향평가에 관한 고시"]}],"description": "사전 정의된 보안 요구사항에 따라 정보시스템이 도입 또는 구현되었는지를 검토하기 위하여 법적 요구사항 준수, 최신 보안취약점 점검, 안전한 코딩 구현, 개인정보 영향평가 등의 검토 기준과 절차를 수립·이행하고, 발견된 문제점에 대한 개선조치를 수행하여야 한다.","checks_status": {"fail": 10,"pass": 7,"total": 19,"manual": 0}},"2.8.3": {"name": "시험과 운영 환경 분리","checks": {"codebuild_project_user_controlled_buildspec": "PASS"},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.3 시험과 운영 환경 분리","Subdomain": "2.8. 
정보시스템 도입 및 개발 보안","AuditEvidence": ["네트워크 구성도(시험환경 구성 포함)","운영 환경과 개발·시험 환경 간 접근통제 적용 현황"],"AuditChecklist": ["정보시스템의 개발 및 시험 시스템을 운영시스템과 분리하고 있는가?","불가피한 사유로 개발과 운영환경의 분리가 어려운 경우 상호검토, 상급자 모니터링, 변경 승인, 책임추적성 확보 등의 보안대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 타당한 사유 또는 승인 없이 별도의 개발환경을 구성하지 않고 운영환경에서 직접 소스코드 변경을 수행하고 있는 경우","사례 2 : 불가피하게 개발시스템과 운영시스템을 분리하지 않고 운영 중에 있으나, 이에 대한 상호 검토 내역, 모니터링 내역 등이 누락되어 있는 경우","사례 3 : 개발시스템이 별도로 구성되어 있으나, 개발환경으로부터 운영환경으로의 접근이 통제되지 않아 개발자들이 개발시스템을 경유하여 불필요하게 운영시스템 접근이 가능한 경우"],"RelatedRegulations": []}],"description": "개발 및 시험 시스템은 운영시스템에 대한 비인가 접근 및 변경의 위험을 감소시키기 위하여 원칙적으로 분리하여야 한다.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.8.4": {"name": "시험 데이터 보안","checks": {"codebuild_project_no_secrets_in_variables": "PASS"},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.4 시험 데이터 보안","Subdomain": "2.8. 정보시스템 도입 및 개발 보안","AuditEvidence": ["시험데이터 현황","시험데이터 생성 규칙","운영데이터를 시험환경에 사용한 경우, 관련 승인 이력"],"AuditChecklist": ["정보시스템의 개발 및 시험 과정에서 실제 운영 데이터의 사용을 제한하고 있는가?","불가피하게 운영데이터를 시험 환경에서 사용할 경우 책임자 승인, 접근 및 유출모니터링, 시험 후 데이터 삭제 등의 통제 절차를 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 개발 서버에서 사용할 시험 데이터 생성에 대한 구체적 기준 및 절차가 수립되어 있지 않은 경우","사례 2 : 타당한 사유 및 책임자 승인 없이 실 운영데이터를 가공하지 않고 시험 데이터로 사용하고 있는 경우","사례 3 : 불가피한 사유로 사전 승인을 받아 실 운영데이터를 시험 용도로 사용하면서, 테스트 데이터베이스에 대하여 운영 데이터베이스와 동일한 수준의 접근통제를 적용하고 있지 않은 경우","사례 4 : 실 운영데이터를 테스트 용도로 사용한 후 테스트가 완료되었음에도 실 운영데이터를 테스트 데이터베이스에서 삭제하지 않은 경우"],"RelatedRegulations": []}],"description": "시스템 시험 과정에서 운영데이터의 유출을 예방하기 위하여 시험 데이터의 생성과 이용 및 관리, 파기, 기술적 보호조치에 관한 절차를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.8.5": {"name": "소스 프로그램 관리","checks": {"ecr_repositories_not_publicly_accessible": "PASS","codeartifact_packages_external_public_publishing_disabled": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.5 소스 프로그램 관리","Subdomain": "2.8. 
정보시스템 도입 및 개발 보안","AuditEvidence": ["SVN 등 형상관리시스템 운영 현황(접근권한자 목록 등)","소스 프로그램 변경 이력"],"AuditChecklist": ["비인가자에 의한 소스 프로그램 접근을 통제하기 위한 절차를 수립·이행하고 있는가?","소스 프로그램은 장애 등 비상시를 대비하여 운영환경이 아닌 곳에 안전하게 보관하고 있는가?","소스 프로그램에 대한 변경이력을 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 별도의 소스 프로그램 백업 및 형상관리시스템이 구축되어 있지 않으며, 이전 버전의 소스 코드를 운영 서버 또는 개발자 PC에 승인 및 이력관리 없이 보관하고 있는 경우","사례 2 : 형상관리시스템을 구축하여 운영하고 있으나 형상관리시스템 또는 형상관리시스템에 저장된 소스코드에 대한 접근제한, 접근 및 변경이력이 적절히 관리되지 않고 있는 경우","사례 3 : 내부 규정에는 형상관리시스템을 통하여 소스 프로그램 버전관리를 하도록 되어 있으나, 최신 버전의 소스 프로그램은 개발자 PC에만 보관되어 있고 이에 대한 별도의 백업이 수행되고 있지 않은 경우"],"RelatedRegulations": []}],"description": "소스 프로그램은 인가된 사용자만이 접근할 수 있도록 관리하고, 운영환경에 보관하지 않는 것을 원칙으로 하여야 한다.","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.8.6": {"name": "운영환경 이관","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.8.6 운영환경 이관","Subdomain": "2.8. 정보시스템 도입 및 개발 보안","AuditEvidence": ["이관 절차","이관 내역(신청·승인, 시험, 이관 등)"],"AuditChecklist": ["신규 도입·개발 및 변경된 시스템을 운영환경으로 안전하게 이관하기 위한 통제 절차를 수립·이행하고 있는가?","운영환경으로 이관 시 발생할 수 있는 문제에 대한 대응 방안을 마련하고 있는가?","운영환경에는 서비스 실행에 필요한 파일만을 설치하고 있는가?"],"NonComplianceCases": ["사례 1 : 개발·변경이 완료된 소스 프로그램을 운영환경으로 이관 시 검토·승인하는 절차가 마련되어 있지 않은 경우","사례 2 : 운영서버에 서비스 실행에 불필요한 파일(소스코드 또는 배포모듈, 백업본, 개발 관련 문서, 매뉴얼 등)이 존재하는 경우","사례 3 : 내부 지침에 운영환경 이관 시 안전한 이관·복구를 위하여 변경작업 요청서 및 결과서를 작성하도록 정하고 있으나, 관련 문서가 확인되지 않은 경우","사례 4 : 내부 지침에는 모바일 앱을 앱마켓에 배포하는 경우 내부 검토 및 승인을 받도록 하고 있으나, 개발자가 해당 절차를 거치지 않고 임의로 앱마켓에 배포하고 있는 경우"],"RelatedRegulations": []}],"description": "신규 도입·개발 또는 변경된 시스템을 운영환경으로 이관할 때는 통제된 절차를 따라야 하고, 실행코드는 시험 및 사용자 인수 절차에 따라 실행되어야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.9.1": {"name": "변경관리","checks": {"codebuild_project_older_90_days": "FAIL","config_recorder_all_regions_enabled": null,"cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_metric_filter_policy_changes": 
null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.1 변경관리","Subdomain": "2.9. 시스템 및 서비스 운영관리","AuditEvidence": ["변경관리 절차","변경관리 수행 내역(신청·승인, 변경 내역 등)","변경에 따른 영향분석 결과"],"AuditChecklist": ["정보시스템 관련 자산(하드웨어, 운영체제, 상용 소프트웨어 패키지 등) 변경에 관한 절차를 수립·이행하고 있는가?","정보시스템 관련 자산 변경을 수행하기 전 성능 및 보안에 미치는 영향을 분석하고 있는가?"],"NonComplianceCases": ["사례 1 : 최근 DMZ 구간 이중화에 따른 변경 작업을 수행하였으나, 변경 후 발생할 수 있는 보안위험성 및 성능 평가에 대한 수행·승인 증거자료가 확인되지 않은 경우","사례 2 : 최근 네트워크 변경 작업을 수행하였으나 관련 검토 및 공지가 충분히 이루어지지 않아 네트워크 구성도 및 일부 접근통제시스템(침입차단시스템, 데이터베이스 접근제어시스템 등)의 접근통제 리스트(ACL)에 적절히 반영되어 있지 않은 경우","사례 3 : 변경관리시스템을 구축하여 정보시스템 입고 또는 변경 시 성능 및 보안에 미치는 영향을 분석 및협의하고 관련 이력을 관리하도록 하고 있으나, 해당 시스템을 통하지 않고도 시스템 변경이 가능하며, 관련 변경사항이 적절히 검토되지 않는 경우"],"RelatedRegulations": []}],"description": "정보시스템 관련 자산의 모든 변경내역을 관리할 수 있도록 절차를 수립·이행하고, 변경 전 시스템의 성능 및 보안에 미치는 영향을 분석하여야 한다.","checks_status": {"fail": 2,"pass": 0,"total": 14,"manual": 0}},"2.9.2": {"name": "성능 및 장애관리","checks": {"rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","elbv2_is_in_multiple_az": "PASS","s3_bucket_no_mfa_delete": "FAIL","vpc_subnet_different_az": "PASS","neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","autoscaling_group_multiple_az": null,"dms_instance_multi_az_enabled": null,"rds_cluster_backtrack_enabled": 
null,"cloudtrail_multi_region_enabled": "PASS","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","acm_certificates_expiration_check": "PASS","s3_bucket_cross_region_replication": "FAIL","trustedadvisor_errors_and_warnings": null,"config_recorder_all_regions_enabled": null,"kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": null,"networkfirewall_deletion_protection": null,"rds_instance_certificate_expiration": "PASS","route53_domains_transferlock_enabled": null,"cloudtrail_bucket_requires_mfa_delete": null,"elb_cross_zone_load_balancing_enabled": "PASS","documentdb_cluster_deletion_protection": null,"documentdb_cluster_cloudwatch_log_export": null,"ec2_instance_detailed_monitoring_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","iam_no_expired_server_certificates_stored": null,"kafka_cluster_enhanced_monitoring_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null,"directoryservice_ldap_certificate_expiration": null,"cognito_user_pool_deletion_protection_enabled": null,"trustedadvisor_premium_support_plan_subscribed": null,"directoryservice_directory_monitor_notifications": null,"cloudformation_stacks_termination_protection_enabled": "FAIL","cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.2 성능 및 장애관리","Subdomain": "2.9. 
시스템 및 서비스 운영관리","AuditEvidence": ["성능 및 용량 모니터링 절차","성능 및 용량 모니터링 증거자료(내부보고 결과 등)","장애대응 절차","장애조치보고서"],"AuditChecklist": ["정보시스템의 가용성 보장을 위하여 성능 및 용량을 지속적으로 모니터링할 수 있는 절차를 수립·이행하고 있는가?","정보시스템 성능 및 용량 요구사항(임계치)을 초과하는 경우에 대한 대응절차를 수립 및 이행하고 있는가?","정보시스템 장애를 즉시 인지하고 대응하기 위한 절차를 수립·이행하고 있는가?","장애 발생 시 절차에 따라 조치하고 장애조치보고서 등을 통하여 장애조치내역을 기록하여 관리하고 있는가?","심각도가 높은 장애의 경우 원인분석을 통한 재발방지 대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 성능 및 용량 관리를 위한 대상별 요구사항(임계치 등)을 정의하고 있지 않거나 정기 점검보고서 등에 기록하고 있지 않아 현황을 파악할 수 없는 경우","사례 2 : 성능 또는 용량 기준을 초과하였으나 관련 검토 및 후속조치방안 수립·이행이 이루어지고 있지 않은 경우","사례 3 : 전산장비 장애대응절차를 수립하고 있으나 네트워크 구성 및 외주업체 변경 등의 내·외부 환경변화가 적절히 반영되어 있지 않은 경우","사례 4 : 장애처리절차와 장애유형별 조치방법 간 일관성이 없거나 예상소요시간 산정에 대한 근거가 부족하여 신속·정확하고 체계적인 대응이 어려운 경우"],"RelatedRegulations": []}],"description": "정보시스템의 가용성 보장을 위하여 성능 및 용량 요구사항을 정의하고 현황을 지속적으로 모니터링하여야 하며, 장애 발생 시 효과적으로 대응하기 위한 탐지·기록·분석·복구·보고 등의 절차를 수립·관리하여야 한다.","checks_status": {"fail": 11,"pass": 6,"total": 39,"manual": 0}},"2.9.3": {"name": "백업 및 복구관리","checks": {"ec2_ami_public": null,"backup_plans_exist": "PASS","backup_vaults_exist": null,"backup_vaults_encrypted": "PASS","ec2_ebs_public_snapshot": "PASS","efs_have_backup_enabled": "FAIL","s3_bucket_public_access": null,"backup_reportplans_exist": null,"s3_bucket_kms_encryption": "FAIL","s3_bucket_public_list_acl": null,"s3_bucket_public_write_acl": null,"ec2_ebs_snapshots_encrypted": "FAIL","rds_instance_backup_enabled": "PASS","rds_snapshots_public_access": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"s3_bucket_default_encryption": "PASS","rds_cluster_backtrack_enabled": null,"neptune_cluster_backup_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","neptune_cluster_public_snapshot": null,"documentdb_cluster_backup_enabled": null,"documentdb_cluster_public_snapshot": null,"rds_cluster_copy_tags_to_snapshots": "FAIL","s3_bucket_cross_region_replication": 
"FAIL","rds_instance_copy_tags_to_snapshots": null,"redshift_cluster_automated_snapshot": null,"s3_access_point_public_access_block": "PASS","s3_bucket_policy_public_write_access": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","elasticache_redis_cluster_backup_enabled": null,"ecr_repositories_lifecycle_policy_enabled": "FAIL","directoryservice_directory_snapshots_limit": null,"ec2_ebs_snapshot_account_block_public_access": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.3 백업 및 복구관리","Subdomain": "2.9. 시스템 및 서비스 운영관리","AuditEvidence": ["백업 및 복구 절차","복구테스트 결과","소산백업 현황"],"AuditChecklist": ["백업 대상, 주기, 방법, 절차 등이 포함된 백업 및 복구절차를 수립·이행하고 있는가?","백업된 정보의 완전성과 정확성, 복구절차의 적절성을 확인하기 위하여 정기적으로복구 테스트를 실시하고 있는가?","중요정보가 저장된 백업매체의 경우 재해·재난에 대처할 수 있도록 백업매체를물리적으로 떨어진 장소에 소산하고 있는가?"],"NonComplianceCases": ["사례 1 : 백업 대상, 주기, 방법, 절차 등이 포함된 백업 및 복구 절차가 수립되어 있지 않은 경우","사례 2 : 백업정책을 수립하고 있으나 법적 요구사항에 따라 장기간(6개월, 3년, 5년 등) 보관이 필요한 백업 대상 정보가 백업 정책에 따라 보관되고 있지 않은 경우","사례 3 : 상위 지침 또는 내부 지침에 따라 별도로 백업하여 관리하도록 명시된 일부 시스템(보안시스템 정책 및 로그 등)에 대한 백업이 이행되고 있지 않은 경우","사례 4 : 상위 지침 또는 내부 지침에는 주기적으로 백업매체에 대한 복구 테스트를 수행하도록 정하고 있으나 복구테스트를 장기간 실시하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치 의무)","개인정보의 안전성 확보조치 기준 제11조(재해·재난 대비 안전조치)"]}],"description": "정보시스템의 가용성과 데이터 무결성을 유지하기 위하여 백업 대상, 주기, 방법, 보관장소, 보관기간, 소산 등의 절차를 수립·이행하여야 한다. 
아울러 사고 발생 시 적시에 복구할 수 있도록 관리하여야 한다.","checks_status": {"fail": 11,"pass": 8,"total": 37,"manual": 0}},"2.9.4": {"name": "로그 및 접속기록 관리","checks": {"macie_is_enabled": "PASS","elb_logging_enabled": "FAIL","securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","elbv2_logging_enabled": "FAIL","inspector2_is_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","ec2_ebs_public_snapshot": "PASS","eventbridge_bus_exposed": "PASS","rds_snapshots_encrypted": "FAIL","s3_bucket_public_access": null,"s3_bucket_kms_encryption": "FAIL","cloudtrail_insights_exist": null,"s3_bucket_public_list_acl": null,"s3_bucket_public_write_acl": null,"ec2_ebs_snapshots_encrypted": "FAIL","ec2_instance_managed_by_ssm": "FAIL","efs_not_publicly_accessible": "FAIL","guardduty_centrally_managed": "FAIL","rds_snapshots_public_access": "PASS","s3_bucket_default_encryption": "PASS","wafv2_webacl_logging_enabled": "FAIL","iam_securityaudit_role_created": null,"redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","config_recorder_all_regions_enabled": null,"s3_access_point_public_access_block": "PASS","s3_bucket_level_public_access_block": "PASS","eventbridge_bus_cross_account_access": "FAIL","s3_bucket_policy_public_write_access": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"s3_account_level_public_access_blocks": null,"cloudtrail_log_file_validation_enabled": "FAIL","cloudtrail_s3_dataevents_write_enabled": null,"apigatewayv2_api_access_logging_enabled": "FAIL","cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"s3_bucket_server_access_logging_enabled": "FAIL","cloudfront_distributions_logging_enabled": null,"documentdb_cluster_cloudwatch_log_export": null,"ec2_instance_detailed_monitoring_enabled": "FAIL","rds_instance_enhanced_monitoring_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": 
"FAIL","cloudwatch_cross_account_sharing_disabled": null,"kafka_cluster_enhanced_monitoring_enabled": null,"acm_certificates_transparency_logs_enabled": "PASS","cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"eks_control_plane_logging_all_types_enabled": null,"ec2_ebs_snapshot_account_block_public_access": null,"iam_inline_policy_no_full_access_to_cloudtrail": null,"trustedadvisor_premium_support_plan_subscribed": null,"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL","cloudwatch_log_metric_filter_sign_in_without_mfa": null,"directoryservice_directory_monitor_notifications": null,"eventbridge_schema_registry_cross_account_access": "FAIL","glue_etl_jobs_cloudwatch_logs_encryption_enabled": "FAIL","opensearch_service_domains_audit_logging_enabled": null,"directoryservice_directory_log_forwarding_enabled": null,"ec2_client_vpn_endpoint_connection_logging_enabled": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS","cloudwatch_log_metric_filter_authentication_failures": null,"opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"route53_public_hosted_zones_cloudwatch_logging_enabled": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudtrail_multi_region_enabled_logging_management_events": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","glue_development_endpoints_cloudwatch_logs_encryption_enabled": null,"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled": 
"PASS","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.4 로그 및 접속기록 관리","Subdomain": "2.9. 시스템 및 서비스 운영관리","AuditEvidence": ["로그관리 절차","로그기록 내역","로그 저장장치에 대한 접근통제 내역","개인정보 접속기록 내역"],"AuditChecklist": ["서버, 응용프로그램, 보안시스템, 네트워크시스템 등 정보시스템에 대한 로그관리 절차를 수립하고 이에 따라 필요한 로그를 생성하여 보관하고 있는가?","정보시스템의 로그기록은 위·변조 및 도난, 분실되지 않도록 안전하게 보관하고 로그기록에 대한 접근권한은 최소화하여 부여하고 있는가?","개인정보처리시스템에 대한 접속기록은 법적 요구사항을 준수할 수 있도록 필요한 항목을 모두 포함하여 일정기간 안전하게 보관하고 있는가?"],"NonComplianceCases": ["사례 1 : 로그 기록 대상, 방법, 보존기간, 검토 주기, 담당자 등에 대한 세부 기준 및 절차가 수립되어 있지 않은 경우","사례 2 : 보안 이벤트 로그, 응용프로그램 및 서비스 로그(윈도우 2008 서버 이상) 등 중요 로그에 대한 최대 크기를 충분하게 설정하지 않아 내부 기준에 정한 기간 동안 기록·보관되고 있지 않은 경우","사례 3 : 중요 Linux/UNIX 계열 서버에 대한 로그 기록을 별도로 백업하거나 적절히 보호하지 않아 사용자의 명령 실행 기록 및 접속 이력 등을 임의로 삭제할 수 있는 경우","사례 4 : 개인정보처리시스템에 접속한 기록을 확인한 결과 접속자의 계정, 접속 일시, 접속자 IP주소 정보는 남기고 있으나, 처리한 정보주체 정보 및 수행업무(조회, 변경, 삭제, 다운로드 등)와 관련된 정보를 남기고 있지 않은 경우","사례 5 : 로그 서버의 용량의 충분하지 않아서 개인정보처리시스템 접속기록이 2개월 밖에 남아 있지 않은 경우","사례 6 : 개인정보처리자가 정보주체 10만 명의 개인정보를 처리하는 개인정보처리시스템의 개인정보취급자 접속기록을 1년간만 보관하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제8조(접속기록의 보관 및 점검)"]}],"description": "서버, 응용프로그램, 보안시스템, 네트워크시스템 등 정보시스템에 대한 사용자 접속기록, 시스템로그, 권한부여 내역 등의 로그유형, 보존기간, 보존방법 등을 정하고 위·변조, 도난, 분실되지 않도록 안전하게 보존·관리하여야 한다.","checks_status": {"fail": 25,"pass": 15,"total": 81,"manual": 0}},"2.9.5": {"name": "로그 및 접속기록 점검","checks": {"cloudtrail_insights_exist": null,"inspector2_active_findings_exist": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","accessanalyzer_enabled_without_findings": "FAIL","cloudtrail_threat_detection_enumeration": null,"cloudwatch_log_group_no_secrets_in_logs": 
"FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.5 로그 및 접속기록 점검","Subdomain": "2.9. 
시스템 및 서비스 운영관리","AuditEvidence": ["로그 검토 및 모니터링 절차","로그 검토 및 모니터링 결과(검토 내역, 보고서 등)","개인정보 접속기록 점검 내역","개인정보 다운로드 시 사유 확인 기준 및 결과","이상징후 발견 시 대응 증거자료"],"AuditChecklist": ["정보시스템 관련 오류, 오·남용(비인가접속, 과다조회 등), 부정행위 등 이상징후를 인지할 수 있도록 로그 검토 주기, 대상, 방법 등을 포함한 로그 검토 및 모니터링절차를 수립·이행하고 있는가?","로그 검토 및 모니터링 결과를 책임자에게 보고하고 이상징후 발견 시 절차에 따라 대응하고 있는가?","개인정보처리시스템의 접속기록은 관련 법령에서 정한 주기에 따라 정기적으로 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 중요 정보를 처리하고 있는 정보시스템에 대한 이상접속(휴일 새벽 접속, 우회경로 접속 등) 또는 이상행위(대량 데이터 조회 또는 소량 데이터의 지속적·연속적 조회 등)에 대한 모니터링 및 경고·알림 정책(기준)이 수립되어 있지 않은 경우","사례 2 : 내부 지침 또는 시스템 등에 접근 및 사용에 대한 주기적인 점검·모니터링 기준을 마련하고 있으나 실제 이상접속 및 이상행위에 대한 검토 내역이 확인되지 않은 경우","사례 3 : 개인정보처리자가 개인정보처리시스템의 접속기록 점검 주기를 분기 1회로 정하고 있는 경우","사례 4 : 개인정보처리자의 내부 관리계획에는 1,000명 이상의 정보주체에 대한 개인정보를 다운로드한 경우에는 사유를 확인하도록 기준이 책정되어 있는 상태에서 1,000건 이상의 개인정보 다운로드가 발생하였으나 그 사유를 확인하지 않고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제8조(접속기록의 보관 및 점검)"]}],"description": "정보시스템의 정상적인 사용을 보장하고 사용자 오·남용(비인가접속, 과다조회 등)을 방지하기 위하여 접근 및 사용에 대한 로그 검토기준을 수립하여 주기적으로 점검하며, 문제 발생 시 사후조치를 적시에 수행하여야 한다.","checks_status": {"fail": 6,"pass": 0,"total": 26,"manual": 0}},"2.9.6": {"name": "시간 동기화","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.9.6 시간 동기화","Subdomain": "2.9. 시스템 및 서비스 운영관리","AuditEvidence": ["시간 동기화 설정","주요 시스템 시간 동기화 증거자료"],"AuditChecklist": ["정보시스템의 시간을 표준시간으로 동기화하고 있는가?","시간 동기화가 정상적으로 이루어지고 있는지 주기적으로 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 일부 중요 시스템(보안시스템, CCTV 등)의 시각이 표준시와 동기화되어 있지 않으며, 관련 동기화 여부에 대한 주기적 점검이 이행되고 있지 않은 경우","사례 2 : 내부 NTP 서버와 시각을 동기화하도록 설정하고 있으나 일부 시스템의 시각이 동기화되지 않고 있고, 이에 대한 원인분석 및 대응이 이루어지고 있지 않은 경우"],"RelatedRegulations": []}],"description": "로그 및 접속기록의 정확성을 보장하고 신뢰성 있는 로그분석을 위하여 관련 정보시스템의 시각을 표준시각으로 동기화하고 주기적으로 관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.9.7": {"name": "정보자산의 재사용 및 폐기","checks": {},"status": "PASS","attributes": [{"Domain": "2. 
보호대책 요구사항","Section": "2.9.7 정보자산의 재사용 및 폐기","Subdomain": "2.9. 시스템 및 서비스 운영관리","AuditEvidence": ["정보자산 폐기 및 재사용 절차","저장매체 관리대장","정보자산 및 저장매체 폐기 증거자료","정보자산 및 저장매체 폐기 관련 위탁계약서"],"AuditChecklist": ["정보자산의 안전한 재사용 및 폐기에 대한 절차를 수립·이행하고 있는가?","정보자산 및 저장매체를 재사용 및 폐기하는 경우 개인정보 및 중요정보를 복구되지 않는 방법으로 처리하고 있는가?","자체적으로 정보자산 및 저장매체를 폐기할 경우 관리대장을 통하여 폐기이력을 남기고 폐기확인 증적을 함께 보관하고 있는가?","외부업체를 통하여 정보자산 및 저장매체를 폐기할 경우 폐기 절차를 계약서에 명시하고 완전히 폐기하였는지 여부를 확인하고 있는가?","정보시스템, PC 등 유지보수, 수리 과정에서 저장매체 교체, 복구 등 발생 시 저장매체 내 정보를 보호하기 위한 대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보취급자 PC를 재사용할 경우 데이터 삭제프로그램을 이용하여 완전삭제 하도록 정책 및 절차가 수립되어 있으나, 실제로는 완전삭제 조치 없이 재사용하거나 기본 포맷만 하고 재사용하고 있는 등 관련 절차가 이행되고 있지 않은 경우","사례 2 : 외부업체를 통하여 저장매체를 폐기하고 있으나, 계약 내용상 안전한 폐기 절차 및 보호대책에 대한 내용이 누락되어 있고 폐기 이행 증거자료 확인 및 실사 등의 관리·감독이 이루어지지 않은 경우","사례 3 : 폐기된 HDD의 일련번호가 아닌 시스템명을 기록하거나 폐기 대장을 작성하지 않아 폐기 이력 및 추적할 수 있는 증거자료를 확인할 수 없는 경우","사례 4 : 회수한 폐기 대상 하드디스크가 완전삭제 되지 않은 상태로 잠금장치가 되지 않은 장소에 방치되고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제21조(개인정보의 파기)","개인정보의 안전성 확보조치 기준 제13조(개인정보의 파기)"]}],"description": "정보자산의 재사용과 폐기 과정에서 개인정보 및 중요정보가 복구·재생되지 않도록 안전한 재사용 및 폐기 절차를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.1": {"name": "개인정보 수집·이용","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.1 개인정보 수집·이용","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["온라인 개인정보 수집 양식(홈페이지 회원가입 화면, 모바일앱 회원가입 화면, 이벤트 참여 등)","오프라인 개인정보 수집 양식(회원가입신청서 등)","개인정보 수집 동의 기록(회원 데이터베이스 등)","법정대리인 동의 기록","개인정보 처리방침"],"AuditChecklist": ["개인정보를 수집하는 경우 정보주체 동의, 법령상 의무준수, 계약 체결·이행 등 적법 요건에 따라 수집하고 있는가?","정보주체에게 개인정보 수집 동의를 받는 경우 동의방법 및 시점은 적절하게 되어 있는가?","정보주체에게 개인정보 수집 동의를 받는 경우 관련 내용을 명확하게 고지하고 법령에서 정한 중요한 내용에 대해 알아보기 쉽게 표시하고 있는가?","만 14세 미만 아동의 개인정보에 대해 수집·이용·제공 등의 동의를 받는 경우 법정대리인에게 필요한 사항에 대하여 고지하고 동의를 받고 있는가?","법정대리인의 동의를 받기 위하여 필요한 최소한의 개인정보만을 수집하고 있으며, 법정대리인이 자격 요건을 갖추고 있는지 확인하는 절차와 방법을 마련하고 있는가?","만 14세 미만의 아동에게 개인정보 처리와 관련한 사항 등의 고지 시 이해하기 쉬운 양식과 명확하고 알기 쉬운 언어로 표현하고 있는가?","정보주체 및 법정대리인에게 동의를 받은 기록을 보관하고 있는가?","정보주체의 동의 없이 처리할 수 있는 개인정보에 대해서는 그 항목과 처리의 법적 근거를 정보주체의 동의를 받아 처리하는 개인정보와 구분하여 개인정보 처리방침에공개하거나 정보주체에게 알리고 있는가?","정보주체의 동의 없이 개인정보의 추가적인 이용 시 당초 수집 목적과의 관련성, 예측 가능성, 이익 침해 여부, 안전성 확보조치 등의 고려사항에 대한 판단기준을 수립 및 이행하고, 추가적인 이용이 지속적으로 발생하는 경우 고려사항에 대한 판단기준을개인정보 처리방침에 공개하고 이를 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보 보호법을 적용받는 개인정보처리자가 개인정보 수집 동의 시 고지 사항에 ʻ동의 거부 권리 및 동의 거부에 따른 불이익 내용ʼ을 누락한 경우","사례 2 : 개인정보 수집 동의 시 수집하는 개인정보 항목을 구체적으로 명시하지 않고 ʻ~ 등ʼ과 같이 포괄적으로 안내하는 경우","사례 3 : 쇼핑몰 홈페이지에서 회원가입 시 회원가입에 필요한 개인정보 외에 추후 물품 구매 시 필요한 결제·배송 정보를 미리 필수 항목으로 수집하는 경우","사례 4 : Q&A, 게시판을 통하여 비회원의 개인정보(이름, 이메일, 휴대폰번호)를 수집하면서 개인정보 수집 동의 절차를 거치지 않은 경우","사례 5 : 만 14세 미만 아동의 개인정보를 수집하면서 법정대리인의 동의를 받지 않은 경우","사례 6 : 만 14세 미만 아동에 대하여 서비스를 제공하고 있지 않지만, 회원가입 단계에서 입력받는 생년월일을 통하여 나이 체크를 하지 않아 법정대리인 동의 없이 가입된 만 14세 미만 아동 회원이 존재한 경우","사례 7 : 법정대리인의 진위 여부를 확인하는 절차가 미흡하여 미성년자 등 아동의 법정대리인으로 보기 어려운데도 법정대리인 동의가 가능한 경우","사례 8 : 만 14세 미만 아동으로부터 법정대리인 동의를 받는 목적으로 법정대리인의 개인정보(이름, 휴대폰번호)를 수집한 이후 법정대리인의 동의가 장기간 확인되지 않았음에도 이를 파기하지 않고 계속 보유하고 있는 경우","사례 9 : 법정대리인 동의에 근거하여 만 14세 미만 아동의 개인정보를 수집하였으나, 관련 기록을 보존하지 않아 법정대리인 동의와 관련된 사항(법정대리인 이름, 동의 일시 등)을 확인할 수 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제15조(개인정보의 수집·이용), 제22조(동의를 받는 방법), 제22조의2(아동의 개인정보 보호)","개인정보 처리 방법에 관한 고시"]}],"description": "개인정보는 적법하고 정당하게 수집·이용하여야 하며, 정보주체의 동의를 근거로 수집하는 경우에는 
적법한 방법으로 정보주체의 동의를 받아야 한다. 또한 만 14세 미만 아동의 개인정보를 수집하는 경우에는 그 법정대리인의 동의를 받아야 하며 법정대리인이 동의하였는지를 확인하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.2": {"name": "개인정보 수집 제한","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.2 개인정보 수집 제한","Subdomain": "3.1. 개인정보 수집 시 보호조치","AuditEvidence": ["온라인 개인정보 수집 양식(홈페이지 회원가입 화면, 이벤트 참여 화면 등)","오프라인 개인정보 수집 양식(멤버십 가입신청서 등)","개인정보 처리방침"],"AuditChecklist": ["개인정보를 수집하는 경우 그 목적에 필요한 범위에서 최소한의 정보만을 수집하고 있는가?","정보주체의 동의를 받아 개인정보를 수집하는 경우 필요한 최소한의 정보 외의 개인정보수집에는 동의하지 않을 수 있다는 사실을 구체적으로 알리고 있는가?","정보주체가 수집 목적에 필요한 최소한의 정보 이외의 개인정보 수집에 동의하지않는다는 이유로 서비스 또는 재화의 제공을 거부하지 않도록 하고 있는가?"],"NonComplianceCases": ["사례 1 : 계약의 체결 및 이행을 근거로 정보주체 동의 없이 개인정보를 수집하면서 계약의 체결 및 이행을 위해 반드시 필요하지 않은 개인정보 항목까지 과도하게 수집하는 경우","사례 2 : 정보주체로부터 선택사항에 대한 동의를 받으면서 해당 개인정보 수집에는 동의하지 아니할 수 있다는 사실을 구체적으로 알리지 않은 경우","사례 3 : 회원가입 양식에서 필수와 선택 정보를 구분하여 별도 동의를 받도록 되어 있었으나, 선택정보에 대하여 동의하지 않아도 회원가입이 가능함을 정보주체가 인지할 수 있도록 구체적으로 알리지 않은 경우(개인정보 입력 양식에 개인정보 항목별로 필수, 선택 여부가 표시되어 있지 않은 경우 등)","사례 4 : 홈페이지 회원가입 화면에서 선택사항에 대하여 동의하지 않거나 선택정보를 입력하지 않으면 다음 단계로 넘어가지 않거나 회원가입이 차단되는 경우","사례 5 : 채용 계약 시 채용 예정 직무와 직접 관련이 없는 가족사항 등 과도한 개인정보를 수집하는 경우"],"RelatedRegulations": ["개인정보 보호법 제16조(개인정보의 수집제한), 제22조(동의를 받는 방법)"]}],"description": "개인정보를 수집하는 경우 처리 목적에 필요한 최소한의 개인정보만을 수집하여야 하며, 정보주체가 선택적으로 동의할 수 있는 사항 등에 동의하지 아니한다는 이유로 정보주체에게 재화 또는 서비스의 제공을 거부하지 않아야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.3": {"name": "주민등록번호 처리 제한","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.3 주민등록번호 처리 제한","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["개인정보 수집 양식(홈페이지 회원가입 화면, 이벤트 참여, 멤버십 가입신청서 등)","온라인 개인정보 수집 양식(본인확인 등 대체가입수단 제공 화면)","주민등록번호를 처리하는 경우 주민등록번호 처리 근거 증거자료","개인정보 처리방침"],"AuditChecklist": ["주민등록번호는 명확한 법적 근거가 있는 경우에만 처리하고 있는가?","주민등록번호의 수집 근거가 되는 법조항을 구체적으로 식별하고 있는가?","법적 근거에 따라 주민등록번호를 처리하는 경우에도 정보주체가 인터넷 홈페이지를 통하여 회원으로 가입하는 단계에서는 주민등록번호를 사용하지 아니하고도 회원으로 가입할 수 있는 방법을 제공하고 있는가?"],"NonComplianceCases": ["사례 1 : 홈페이지 가입과 관련하여 실명확인 등 단순 회원관리 목적을 위하여 정보주체의 동의에 근거하여 주민등록번호를 수집한 경우","사례 2 : 정보주체의 주민등록번호를 시행규칙이나 지방자치단체의 조례에 근거하여 수집한 경우","사례 3 : 비밀번호 분실 시 본인확인 등의 목적으로 주민등록번호 뒤 6자리를 수집하지만, 관련된 법적 근거가 없는 경우","사례 4 : 채용전형 진행단계에서 법적 근거 없이 입사지원자의 주민등록번호를 수집한 경우","사례 5 : 콜센터에 상품, 서비스 관련 문의 시 본인확인을 위하여 주민등록번호를 수집한 경우","사례 6 : 주민등록번호 수집의 법적 근거가 있다는 사유로 홈페이지 회원가입 단계에서 대체가입수단을 제공하지 않고 주민등록번호를 입력받는 본인확인 및 회원가입 방법만을 제공한 경우"],"RelatedRegulations": ["개인정보 보호법 제24조의2(주민등록번호 처리의 제한)","정보통신망법 제23조의2(주민등록번호의 사용 제한)"]}],"description": "주민등록번호는 법적 근거가 있는 경우를 제외하고는 수집·이용 등 처리할 수 없으며, 주민등록번호의 처리가 허용된 경우라 하더라도 인터넷 홈페이지 등에서 대체수단을 제공하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.4": {"name": "민감정보 및 고유식별정보의 처리 제한","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.4 민감정보 및 고유식별정보의 처리 제한","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["온라인 개인정보 수집 양식(홈페이지 회원가입 화면, 이벤트 참여 등)","오프라인 개인정보 수집 양식(회원가입신청서 등)","개인정보 처리방침"],"AuditChecklist": ["민감정보는 정보주체로부터 별도의 동의를 받거나 관련 법령에 근거가 있는 경우에만처리하고 있는가?","고유식별정보(주민등록번호 제외)는 정보주체로부터 별도의 동의를 받거나 관련 법령에 구체적인 근거가 있는 경우에만 처리하고 있는가?","재화 또는 서비스를 제공하는 과정에서 공개되는 정보에 정보주체의 민감정보가 포함됨으로써 사생활 침해의 위험성이 있다고 판단하는 때에는 재화 또는 서비스의 제공 전에 민감정보의 공개 가능성 및 비공개를 선택하는 방법을 정보주체가 알아보기 쉽게 알리고 있는가?"],"NonComplianceCases": ["사례 1 : 장애인에 대한 요금감면 등 혜택 부여를 위하여 장애 여부 등 건강에 관한 민감정보를 수집하면서 다른 개인정보 항목에 포함하여 일괄 동의를 받은 경우","사례 2 : 회원가입 시 외국인에 한하여 외국인등록번호를 수집하면서 다른 개인정보 항목에 포함하여 일괄 동의를 받은 경우","사례 3 : 민감정보 또는 고유식별정보의 수집에 대해 별도의 동의를 받으면서 고지하여야 할 4가지 사항 중에 일부를 누락하거나 잘못된 내용으로 고지하는 경우(동의 거부 권리 및 동의 거부에 따른 불이익 사항을 고지하지 않은 경우 등)"],"RelatedRegulations": ["개인정보 보호법 제23조(민감정보의 처리제한), 제24조(고유식별정보의 처리 제한)"]}],"description": "민감정보와 고유식별정보(주민등록번호 제외)를 처리하기 위해서는 법령에서 구체적으로 처리를 요구하거나 허용하는 경우를 제외하고는 정보주체의 별도 동의를 받아야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.5": {"name": "개인정보 간접수집","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.5 개인정보 간접수집","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["개인정보 제공 관련 계약서(제공하는 자와의 계약 사항)","개인정보 수집출처에 대한 정보주체 통지 내역","개인정보 처리방침"],"AuditChecklist": ["정보주체 이외의 제3자로부터 개인정보를 제공받는 경우 개인정보 수집에 대한 동의획득 책임이 개인정보를 제공하는 자에게 있음을 계약을 통하여 명시하고 있는가?","공개된 매체 및 장소에서 개인정보를 수집하는 경우 정보주체의 공개 목적·범위 및 사회 통념상 동의 의사가 있다고 인정되는 범위 내에서만 수집·이용하고 있는가?","서비스 계약 이행을 위해 필요한 경우로서, 서비스 제공 과정에서 자동수집장치 등에 의하여 수집·생성하는 개인정보의 경우에도 최소수집 원칙을 적용하고 있는가?","정보주체 이외로부터 수집하는 개인정보에 대해 정보주체의 요구가 있는 경우 즉시 필요한 사항을 정보주체에게 알리고 있는가?","정보주체 이외로부터 수집한 개인정보를 처리하는 경우 개인정보의 종류·규모 등이 법적 요건에 해당하는 경우 필요한 사항을 정보주체에게 알리고 있는가?","정보주체에게 수집 출처에 대해 알린 기록을 해당 개인정보의 파기 시까지 보관 및 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 인터넷 홈페이지, SNS에 공개된 개인정보를 수집하고 있는 상태에서 정보주체의 수집 출처 요구에 대한 처리절차가 존재하지 않은 경우","사례 2 : 개인정보 보호법 제17조제1항제1호에 따라 다른 사업자로부터 개인정보 제공동의를 근거로 개인정보를 제공받았으나, 이에 대하여 해당 정보주체에게 3개월 내에 통지하지 않은 경우(다만 제공받은 자가 5만 명 이상 정보주체의 민감정보 또는 고유식별정보를 처리하거나 100만 명 이상 정보주체의 개인정보를 처리하는 경우)","사례 3 : 법적 의무 대상자에 해당되어 개인정보 수집 출처를 정보주체에게 통지하면서 개인정보의 처리목적 또는 동의를 철회할 권리가 있다는 사실 등 필수 통지사항을 일부 누락한 경우","사례 4 : 법적 의무 대상자에 해당되어 개인정보 수집 출처를 정보주체에게 통지하였으나, 수집 출처 통지에 관한 기록을 해당 개인정보의 파기 시까지 보관하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제16조(개인정보의 수집 제한), 제19조(개인정보를 제공받은 자의 이용·제공 제한), 제20조(정보주체 이외로부터 수집한 개인정보의 수집 출처 등 통지)"]}],"description": "정보주체 이외로부터 개인정보를 수집하거나 제3자로부터 제공받는 경우에는 업무에 필요한 최소한의 개인정보를 수집하거나 제공받아야 하며, 법령에 근거하거나 정보주체의 요구가 있으면 개인정보의 수집 출처, 처리목적, 처리정지의 요구권리를 알려야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.6": {"name": "영상정보처리기기 설치·운영","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.6 영상정보처리기기 설치·운영","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["영상정보처리기기 운영 현황","영상정보처리기기 안내판","영상정보처리기기 운영·관리방침","영상정보처리기기 관리화면(계정·권한 내역, 영상정보 보존기간 등)","영상정보처리기기 운영 수탁자와의 계약서 및 점검 이력"],"AuditChecklist": ["공개된 장소에 고정형 영상정보처리기기를 설치·운영할 경우 법적 허용 요건에 해당하는지를 검토하고 있는가?","공공기관 등이 공개된 장소에 고정형 영상정보처리기기를 설치·운영하려는 경우 공청회·설명회 개최 등의 법령에 따른 절차를 거쳐 관계 전문가 및 이해관계자의 의견을 수렴하고 있는가?","고정형 영상정보처리기기 설치·운영 시 정보주체가 쉽게 인식할 수 있도록 안내판 설치 등 필요한 조치를 하고 있는가?","업무를 목적으로 공개된 장소에서 이동형 영상정보처리기기를 운영하는 경우 법적 허용 요건에 해당하는지를 검토하고 있는가?","업무를 목적으로 공개된 장소에서 이동형 영상정보처리기기로 사람 또는 그 사람과 관련된 사물의 영상을 촬영하는 경우 불빛, 소리, 안내판 등의 방법으로 촬영 사실을 표시하고 알리고 있는가?","영상정보처리기기 및 영상정보의 안전한 관리를 위한 영상정보처리기기 운영·관리 방침을 마련하여 시행하고 있는가?","영상정보의 보관 기간을 정하고 있으며, 보관 기간 만료 시 지체 없이 파기하고 있는가?","영상정보처리기기 설치·운영에 관한 사무를 위탁하는 경우 관련 절차 및 요건에 따라 계약서에 반영하고 있는가?"],"NonComplianceCases": ["사례 1 : 영상정보처리기기 안내판의 고지 문구가 일부 누락되어 운영되고 있거나, 영상정보처리기기 운영 및 관리 방침을 수립·운영하고 있지 않은 경우","사례 2 : 영상정보처리기기 운영·관리 방침을 수립 운영하고 있으나, 방침 내용과 달리 보관기간을 준수하지 않고 운영되거나, 영상정보 보호를 위한 접근통제 및 로깅 등 방침에 기술한 사항이 준수되지 않는 등 관리가 미흡한 경우","사례 3 : 영상정보처리기기의 설치·운영 사무를 외부업체에 위탁하고 있으나, 영상정보의 관리 현황 점검에 관한 사항, 손해배상 책임에 관한 사항 등 법령에서 요구하는 내용을 영상정보처리기기 업무 위탁 계약서에 명시하지 않은 경우","사례 4 : 영상정보처리기기의 설치·운영 사무를 외부업체에 위탁하고 있으나, 영상정보처리기기 안내판에 수탁자의 명칭과 연락처를 누락하여 고지한 경우"],"RelatedRegulations": ["개인정보 보호법 제25조(고정형 영상정보처리기기의 설치·운영 제한), 제25조의2(이동형 영상정보처리기기의 운영 제한)"]}],"description": "고정형 영상정보처리기기를 공개된 장소에 설치·운영하거나 이동형 영상정보처리기기를 공개된 장소에서 업무를 목적으로 운영하는 경우 설치 목적 및 위치에 따라 법적 요구사항을 준수하고, 적절한 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.1.7": {"name": "마케팅 목적의 개인정보 수집·이용","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.1.7 마케팅 목적의 개인정보 수집·이용","Subdomain": "3.1. 
개인정보 수집 시 보호조치","AuditEvidence": ["온라인 개인정보 수집 양식(홈페이지 회원가입 화면, 모바일앱 회원가입 화면, 이벤트 참여 등)","오프라인 개인정보 수집 양식(회원가입신청서 등)","마케팅 동의 기록","광고성 정보전송 수신동의 기록 및 수신동의 의사확인 기록","광고성 정보 발송 시스템 관리자 화면(메일, SMS, 앱 푸시 등)","광고성 정보 발송 문구","개인정보 처리방침"],"AuditChecklist": ["정보주체에게 재화나 서비스를 홍보하거나 판매를 권유하기 위하여 개인정보 처리에 대한 동의를 받는 경우 정보주체가 이를 명확하게 인지할 수 있도록 알리고 별도의 동의를 받고 있는가?","전자적 전송매체를 이용하여 영리목적의 광고성 정보를 전송하는 경우 수신자의 명시적인 사전 동의를 받고 있으며, 2년마다 정기적으로 수신자의 수신동의 여부를 확인하고 있는가?","전자적 전송매체를 이용한 영리목적의 광고성 정보 전송에 대하여 수신자가 수신거부의사를 표시하거나 사전 동의를 철회한 경우 영리목적의 광고성 정보 전송을 중단하도록 하고 있는가?","영리목적의 광고성 정보를 전송하는 경우 전송자의 명칭, 수신거부 방법 등을 구체적으로 밝히고 있으며, 야간시간에는 전송하지 않도록 하고 있는가?"],"NonComplianceCases": ["사례 1 : ʻ홍보 및 마케팅ʼ 목적으로 개인정보를 수집하면서 ʻ부가서비스 제공ʼ, ʻ제휴 서비스 제공ʼ 등과 같이 목적을 모호하게 안내하는 경우 또는 다른 목적으로 수집하는 개인정보와 구분하지 않고 포괄 동의를 받는 경우","사례 2 : 모바일 앱에서 광고성 정보전송(앱 푸시)에 대하여 거부 의사를 밝혔으나, 프로그램 오류 등의 이유로 광고성 앱 푸시가 이루어지는 경우","사례 3 : 온라인 회원가입 화면에서 문자, 이메일에 의한 광고성 정보 전송에 대하여 디폴트로 체크되어 있는 경우","사례 4 : 광고성 정보 수신동의 여부에 대하여 2년마다 확인하지 않은 경우","사례 5 : 영리목적의 광고성 정보를 전자우편으로 전송하면서 제목이 시작되는 부분에 ʻ(광고)ʼ 표시를 하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제22조(동의를 받는 방법)","정보통신망법 제50조(광고성 정보 전송 제한)"]}],"description": "재화나 서비스의 홍보, 판매 권유, 광고성 정보전송 등 마케팅 목적으로 개인정보를 수집 및이용하는 경우 그 목적을 정보주체가 명확하게 인지할 수 있도록 고지하고 동의를 받아야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.1": {"name": "개인정보 현황관리","checks": {"macie_is_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL"},"status": "FAIL","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.2.1 개인정보 현황관리","Subdomain": "3.2. 
개인정보 보유 및 이용 시 보호조치","AuditEvidence": ["개인정보 현황표","개인정보 흐름표·흐름도","개인정보파일 등록 현황","개인정보파일 관리대장","개인정보 처리방침에 관한 사항을 기록한 개인정보파일","「조세범처벌법」에 따른 범칙행위 조사 및 「관세법」에 따른 범칙행위 조사에 관한 사항을 기록한 개인정보파일","일회성으로 운영되는 파일 등 지속적으로 관리할 필요가 낮다고 인정되어 대통령령으로 정하는 개인정보파일","회의 참석 수당 지급, 자료·물품의 송부, 금전의 정산 등 단순 업무 수행을 위해 운영되는 개인정보파일로서 지속적 관리 필요성이 낮은 개인정보파일","공중위생 등 공공의 안전과 안녕을 위하여 긴급히 필요한 경우로서 일시적으로 처리되는 개인정보파일","그 밖에 일회적 업무 처리만을 위해 수집된 개인정보파일로서 저장되거나 기록되지 않는 개인정보파일","다른 법령에 따라 비밀로 분류된 개인정보파일","국가안전보장과 관련된 정보 분석을 목적으로 수집 또는 제공 요청되는 개인정보파일","영상정보처리기기를 통하여 처리되는 개인영상정보파일","「금융실명거래 및 비밀보장에 관한 법률」에 따른 금융기관이 금융업무 취급을 위하여 보유하는 개인정보파일"],"AuditChecklist": ["수집·보유하고 있는 개인정보의 항목, 보유량, 처리 목적 및 방법, 보유기간 등 현황을 정기적으로 관리하고 있는가?","공공기관이 개인정보파일을 운용하거나 변경하는 경우 관련된 사항을 법률에서 정한 관계기관의 장에게 등록하고 있는가?","공공기관은 개인정보파일의 보유 현황을 개인정보 처리방침에 공개하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보파일을 홈페이지의 개인정보파일 등록 메뉴를 통하여 목록을 관리하고 있으나, 그 중 일부 홈페이지 서비스와 관련된 개인정보파일의 내용이 개인정보 처리방침에 누락되어 있는 경우","사례 2 : 신규 개인정보파일을 구축한 지 2개월이 경과하였으나, 해당 개인정보파일을 개인정보 보호위원회에 등록하지 않은 경우","사례 3 : 개인정보 보호위원회에 등록되어 공개된 개인정보파일의 내용(수집하는 개인정보의 항목 등)이 실제 처리하고 있는 개인정보파일 현황과 상이한 경우","사례 4 : 공공기관이 임직원의 개인정보파일, 통계법에 따라 수집되는 개인정보파일에 대해 개인정보파일 등록 예외사항에 해당되지 않음에도 불구하고 해당 개인정보파일을 개인정보 보호위원회에 등록하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제32조(개인정보파일의 등록 및 공개)"]}],"description": "수집·보유하는 개인정보의 항목, 보유량, 처리 목적 및 방법, 보유기간 등 현황을 정기적으로 관리하여야 하며, 공공기관의 경우 이를 법률에서 정한 관계기관의 장에게 등록하여야 한다.","checks_status": {"fail": 1,"pass": 1,"total": 2,"manual": 0}},"3.2.2": {"name": "개인정보 품질보장","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.2.2 개인정보 품질보장","Subdomain": "3.2. 
개인정보 보유 및 이용 시 보호조치","AuditEvidence": ["정보주체 개인정보 수정·변경 양식(온라인, 오프라인)","개인정보 최신성 유지 절차"],"AuditChecklist": ["개인정보를 최신의 상태로 정확하게 유지하기 위한 절차 및 방안을 수립·이행하고있는가?","정보주체가 본인의 개인정보에 대하여 정확성, 완전성 및 최신성을 유지할 수 있는 방법을 제공하고 있는가?"],"NonComplianceCases": ["사례 1 : 인터넷 홈페이지를 통하여 회원정보를 변경할 때는 본인확인 절차를 거치고 있으나, 고객센터 상담원과의 통화를 통한 회원 정보 변경 시에는 본인확인 절차가 미흡하여 회원정보의 불법적인 변경이 가능한 경우","사례 2 : 온라인 회원에 대해서는 개인정보를 변경할 수 있는 방법을 제공하고 있으나, 오프라인 회원에 대해서는 개인정보를 변경할 수 있는 방법을 제공하고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제3조(개인정보 보호 원칙)"]}],"description": "수집된 개인정보는 처리 목적에 필요한 범위에서 개인정보의 정확성·완전성·최신성이 보장되도록 정보주체에게 관리절차를 제공하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.3": {"name": "이용자 단말기 접근 보호","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.2.3 이용자 단말기 접근 보호","Subdomain": "3.2. 개인정보 보유 및 이용 시 보호조치","AuditEvidence": ["앱 접근권한 동의 화면","앱 접근권한 설정 현황"],"AuditChecklist": ["정보주체(이용자)의 이동통신단말장치 내에 저장되어 있는 정보 및 이동통신단말장치에 설치된 기능에 대하여 접근할 수 있는 권한이 필요한 경우 명확하게 인지할 수 있도록 알리고 정보주체(이용자)의 동의를 받고 있는가?","이동통신단말장치 내에서 해당 서비스를 제공하기 위하여 반드시 필요한 접근권한이 아닌 경우, 정보주체(이용자)가 동의하지 않아도 서비스 제공을 거부하지 않도록 하고 있는가?","이동통신단말장치 내에서 해당 접근권한에 대한 정보주체(이용자)의 동의 및 철회방법을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 스마트폰 앱에서 서비스에 불필요함에도 불구하고 주소록, 사진, 문자 등 스마트폰 내 개인정보 영역에 접근할 수 있는 권한을 과도하게 설정한 경우","사례 2 : 정보통신서비스 제공자의 스마트폰 앱에서 스마트폰 내에 저장되어 있는 정보 및 설치된 기능에 접근하면서 접근권한에 대한 고지 및 동의를 받지 않고 있는 경우","사례 3 : 스마트폰 앱의 접근권한에 대한 동의를 받으면서 선택사항에 해당하는 권한을 필수권한으로 고지하여 동의를 받는 경우","사례 4 : 접근권한에 대한 개별동의가 불가능한 안드로이드 6.0 미만 버전을 지원하는 스마트폰 앱을 배포하면서 선택적 접근권한을 함께 설정하여, 선택적 접근권한에 대하여 거부할 수 없도록 하고 있는 경우"],"RelatedRegulations": ["정보통신망법 제22조의2(접근권한에 대한 동의)"]}],"description": "정보주체(이용자)의 이동통신단말장치 내에 저장되어 있는 정보 및 이동통신단말장치에 설치된 기능에 접근이 필요한 경우 이를 명확하게 인지할 수 있도록 알리고 정보주체(이용자)의 동의를 받아야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.4": {"name": "개인정보 목적 외 이용 및 제공","checks": {},"status": "PASS","attributes": [{"Domain": "3. 
개인정보 처리 단계별 요구사항","Section": "3.2.4 개인정보 목적 외 이용 및 제공","Subdomain": "3.2. 개인정보 보유 및 이용 시 보호조치","AuditEvidence": ["개인정보 목적 외 이용 및 제3자 제공 내역(요청서 등 관련 증거자료 포함)","개인정보 목적 외 이용 및 제3자 제공 대장(공공기관인 경우)","홈페이지 또는 관보 게재 내역(공공기관인 경우)","자료 제공 요청 대응 지침","자료 제공 요청 공문 및 개인정보 제공내역, 대장 등"],"AuditChecklist": ["개인정보는 최초 수집 시 정보주체로부터 동의받은 목적 또는 법령에 근거한 범위 내에서만 이용·제공하고 있는가?","개인정보처리자로부터 개인정보를 제공받은 경우 제공받은 목적의 범위 내에서만 이용·제공하고 있는가?","개인정보를 수집 목적 또는 개인정보처리자로부터 제공받은 목적의 범위를 초과하여 이용하거나 제공하는 경우 정보주체에게 별도의 동의를 받거나 법적 근거가 있는 경우로 제한하고 있는가?","개인정보를 목적 외의 용도로 제3자에게 제공하는 경우 제공받는 자에게 이용목적 및 방법 등을 제한하거나 안전성 확보를 위하여 필요한 조치를 마련하도록 요청하고 있는가?","공공기관이 개인정보를 목적 외의 용도로 이용하거나 제3자에게 제공하는 경우 그 이용 또는 제공의 법적 근거, 목적 및 범위 등에 관하여 필요한 사항을 관보 또는 인터넷 홈페이지 등에 게재하고 있는가?","공공기관 등이 개인정보를 목적 외의 용도로 이용하거나 제3자에게 제공하는 경우 목적 외 이용 및 제3자 제공대장에 기록·관리하는 등 절차를 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 상품배송을 목적으로 수집한 개인정보를 사전에 동의 받지 않은 자사 상품의 통신판매 광고에 이용한 경우","사례 2 : 고객 만족도 조사, 경품 행사에 응모하기 위하여 수집한 개인정보를 자사의 할인판매행사 안내용 광고 발송에 이용한 경우","사례 3 : 공공기관이 다른 법률에 근거하여 민원인의 개인정보를 목적 외로 타 기관에 제공하면서 관련 사항을 관보 또는 인터넷 홈페이지에 게시하지 않은 경우","사례 4 : 공공기관이 범죄 수사의 목적으로 경찰서에 개인정보를 제공하면서 ʻ개인정보 목적 외 이용 및 제3자 제공 대장ʼ에 관련 사항을 기록하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제18조(개인정보의 목적 외 이용·제공 제한), 제19조(개인정보를 제공받은 자의 이용·제공 제한)"]}],"description": "개인정보는 수집 시의 정보주체에게 고지·동의를 받은 목적 또는 법령에 근거한 범위 내에서만 이용 또는 제공하여야 하며, 이를 초과하여 이용·제공하려는 때에는 정보주체의 추가 동의를 받거나 관계 법령에 따른 적법한 경우인지 확인하고 적절한 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.2.5": {"name": "가명정보 처리","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.2.5 가명정보 처리","Subdomain": "3.2. 
개인정보 보유 및 이용 시 보호조치","AuditEvidence": ["가명처리·익명처리 적정성 평가 절차 및 결과","가명정보 처리 기록","개인정보 처리방침(가명정보 이용·제공에 관한 사항) 등"],"AuditChecklist": ["가명정보를 처리하는 경우 목적 제한, 가명처리 방법 및 기준, 적정성 검토, 재식별 금지 및 재식별 발생 시 조치사항 등 가명정보를 적정하게 처리하기 위한 절차를 수립하고 있는가?","개인정보를 가명처리하여 이용·제공 시 추가 정보의 사용·결합 없이는 개인을 알아볼 수 없도록 적정한 수준으로 가명처리를 수행하고 있는가?","다른 개인정보처리자와 가명정보를 결합하는 경우 결합전문기관 또는 데이터전문기관을 통해 결합하고 있는가?","가명정보를 처리하는 경우 추가 정보를 삭제 또는 별도로 분리하여 보관·관리, 관련 기록의 작성·보관 등 안전성 확보에 필요한 기술적·관리적 및 물리적 조치를 하고 있는가?","가명정보 처리목적 등을 고려하여 가명정보의 처리 기간을 적정한 기간으로 정하고 있으며, 해당 기간이 경과한 경우 지체 없이 파기하고 있는가?","개인정보를 익명처리하는 경우 시간·비용·기술 등을 합리적으로 고려할 때 다른 정보를 사용하여도 더 이상 특정 개인을 알아볼 수 없도록 적정한 수준으로 익명처리하고 있는가?"],"NonComplianceCases": ["사례 1 : 통계작성 및 과학적 연구를 위하여 정보주체 동의 없이 가명정보를 처리하면서 가명정보 처리에 관한 기록을 남기고 있지 않거나, 또는 개인정보 처리방침에 관련 사항을 공개하지 않은 경우","사례 2 : 가명정보와 동일한 데이터베이스 내에 추가 정보를 분리하지 않고 보관하고 있거나, 또는 가명 정보와 추가 정보에 대한 접근권한이 적절히 분리되지 않은 경우","사례 3 : 개인정보를 가명처리하여 활용하고 있으나 적정한 수준의 가명처리가 수행되지 않아 추가 정보의 사용 없이도 다른 정보와의 결합 등을 통하여 특정 개인을 알아볼 수 있는 가능성이 존재하는 경우","사례 4 : 테스트 데이터 생성, 외부 공개 등을 위하여 개인정보를 익명처리하였으나, 특이치 등으로 인하여 특정 개인에 대한 식별가능성이 존재하는 등 익명처리가 적정하게 수행되었다고 보기 어려운 경우"],"RelatedRegulations": ["개인정보 보호법 제2조(정의), 제28조의2(가명정보의 처리 등), 제28조의3(가명정보의 결합 제한), 제28조의4(가명정보에 대한 안전조치의무 등), 제28조의5(가명정보 처리 시 금지의무 등), 제28조의7(적용범위), 제58조의2(적용제외)"]}],"description": "가명정보를 처리하는 경우 목적제한, 결합제한, 안전조치, 금지의무 등 법적 요건을 준수하고 적정 수준의 가명처리를 보장할 수 있도록 가명처리 절차를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.1": {"name": "개인정보 제3자 제공","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.3.1 개인정보 제3자 제공","Subdomain": "3.3. 
개인정보 제공 시 보호조치","AuditEvidence": ["온라인 개인정보 제3자 제공 관련 양식(홈페이지 회원가입 화면, 개인정보 제3자 제공 동의 화면 등)","오프라인 개인정보 제3자 제공 관련 양식(회원가입신청서, 개인정보 제3자 제공 동의서 등)","제3자 제공 내역","개인정보 처리방침"],"AuditChecklist": ["개인정보를 제3자에게 제공하는 경우 정보주체 동의, 법령상 의무준수 등 적법 요건을 명확히 식별하고 이를 준수하고 있는가?","정보주체에게 개인정보 제3자 제공 동의를 받는 경우 관련 사항을 명확하게 고지하고 다른 동의사항과 구분하여 적법하게 동의를 받고 있는가?","정보주체에게 개인정보 제3자 제공 동의를 받는 경우 관련 내용을 명확하게 고지하고 법령에서 정한 중요한 내용에 대해 명확히 표시하여 알아보기 쉽게 하고 있는가?","개인정보를 제3자에게 제공하는 경우 제공 목적에 맞는 최소한의 개인정보 항목으로 제한하고 있는가?","개인정보를 제3자에게 제공하는 경우 안전한 절차와 방법을 통해 제공하고 제공 내역을 기록하여 보관하고 있는가?","제3자에게 개인정보의 접근을 허용하는 경우 개인정보를 안전하게 보호하기 위한 보호절차에 따라 통제하고 있는가?","정보주체의 동의 없이 개인정보의 추가적인 제공 시 당초 수집 목적과의 관련성, 예측가능성, 이익 침해 여부, 안전성 확보조치 등의 고려사항에 대한 판단기준을 수립 및 이행하고, 추가적인 제공이 지속적으로 발생하는 경우 고려사항에 대한 판단기준을개인정보 처리방침에 공개하고 이를 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보처리자가 개인정보 제3자 제공 동의를 받을 때 정보주체에게 고지하는 사항 중에 일부 사항(동의 거부권, 제공하는 항목 등)을 누락한 경우","사례 2 : 개인정보를 제3자에게 제공하는 과정에서 제3자 제공 동의 여부를 적절히 확인하지 못하여 동의하지 않은 정보주체의 개인정보가 함께 제공된 경우","사례 3 : 개인정보를 제공 동의를 받을 때, 제공받는 자를 특정하지 않고 ʻ~ 등ʼ과 같이 포괄적으로 안내하고 동의를 받은 경우","사례 4 : 회원 가입 단계에서 선택사항으로 제3자 제공 동의를 받고 있으나, 제3자 제공에 동의하지 않으면 회원 가입 절차가 더 이상 진행되지 않도록 되어 있는 경우","사례 5 : 제공받는 자의 이용 목적과 관련 없이 지나치게 많은 개인정보를 제공하는 경우"],"RelatedRegulations": ["개인정보 보호법 제17조(개인정보의 제공), 제22조(동의를 받는 방법)","개인정보 처리 방법에 관한 고시"]}],"description": "개인정보를 제3자에게 제공하는 경우 법적 근거에 의하거나 정보주체의 동의를 받아야 하며, 제3자에게 개인정보의 접근을 허용하는 등 제공 과정에서 개인정보를 안전하게 보호하기 위한 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.2": {"name": "개인정보 처리 업무 위탁","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.3.2 개인정보 처리 업무 위탁","Subdomain": "3.3. 
개인정보 제공 시 보호조치","AuditEvidence": ["개인정보 처리방침(개인정보 처리업무 위탁 관련 공개 내역)","개인정보 수집 양식","개인정보 처리 위탁 계약서","재화 또는 서비스 홍보·판매 권유 업무 위탁 관련 정보주체 통지 내역"],"AuditChecklist": ["개인정보 처리업무를 제3자에게 위탁(재위탁 포함)하는 경우 인터넷 홈페이지 등에 위탁하는 업무의 내용과 수탁자를 현행화하여 공개하고 있는가?","재화 또는 서비스를 홍보하거나 판매를 권유하는 업무를 위탁하는 경우에는 서면, 전자우편, 문자전송 등의 방법으로 위탁하는 업무의 내용과 수탁자를 정보주체에게 알리고 있는가?"],"NonComplianceCases": ["사례 1 : 홈페이지 개인정보 처리방침에 개인정보 처리업무 위탁 사항을 공개하고 있으나, 일부 수탁자와 위탁하는 업무의 내용이 누락된 경우","사례 2 : 재화 또는 서비스를 홍보하거나 판매를 권유하는 업무를 위탁하면서, 위탁하는 업무의 내용과 수탁자를 서면등의 방법으로 정보주체에게 알리지 않고 개인정보 처리방침에 공개하는 것으로 갈음한 경우","사례 3 : 기존 개인정보 처리업무 수탁자와의 계약 해지에 따라 개인정보 처리업무 수탁자가 변경되었으나, 이에 대하여 개인정보 처리방침에 지체 없이 반영하지 않은 경우","사례 4 : 개인정보 처리업무를 위탁받은 자가 해당 업무를 제3자에게 재위탁을 하고 있지만, 재위탁에 관한 사항을 인터넷 홈페이지 등에 공개하고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제26조(업무위탁에 따른 개인정보의 처리 제한)"]}],"description": "개인정보 처리업무를 제3자에게 위탁하는 경우 위탁하는 업무의 내용과 수탁자 등 관련사항을 공개하여야 한다. 또한 재화 또는 서비스를 홍보하거나 판매를 권유하는 업무를 위탁하는 경우 위탁하는 업무의 내용과 수탁자를 정보주체에게 알려야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.3": {"name": "영업의 양도 등에 따른 개인정보 이전","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.3.3 영업의 양도 등에 따른 개인정보 이전","Subdomain": "3.3. 
개인정보 제공 시 보호조치","AuditEvidence": ["개인정보 이전 관련 정보주체 고지 내역(영업 양수도 시)","개인정보 처리방침"],"AuditChecklist": ["영업의 전부 또는 일부의 양도·합병 등으로 개인정보를 다른 사람에게 이전하는 경우 필요한 사항을 사전에 정보주체에게 알리고 있는가?","개인정보를 이전받는 자는 법적 통지 요건에 해당될 경우 개인정보를 이전받은 사실 등 필요한 사항을 정보주체에게 지체 없이 알리고 있는가?","개인정보를 이전받는 자는 이전 당시의 본래 목적으로만 개인정보를 이용하거나 제3자에게 제공하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보처리자가 영업 양수를 통하여 개인정보를 이전받으면서 양도자가 개인정보 이전 사실을 알리지 않았음에도 개인정보 이전 사실을 정보주체에게 알리지 않은 경우","사례 2 : 영업 양수도 등에 의하여 개인정보를 이전받으면서 정보주체가 이전을 원하지 않은 경우 조치할 수 있는 방법과 절차를 마련하지 않거나, 이를 정보주체에게 알리지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제27조(영업양도 등에 따른 개인정보의 이전 제한)"]}],"description": "영업의 양도·합병 등으로 개인정보를 이전하거나 이전받는 경우 정보주체 통지 등 적절한 보호조치를 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.3.4": {"name": "개인정보 국외이전","checks": {"s3_bucket_cross_region_replication": "FAIL"},"status": "FAIL","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.3.4 개인정보 국외이전","Subdomain": "3.3. 개인정보 제공 시 보호조치","AuditEvidence": ["개인정보 국외 이전 관련 동의 양식","개인정보 국외 이전 관련 계약서","개인정보 처리방침","개인정보 국외 처리위탁·보관 관련 통지 또는 공개 내역"],"AuditChecklist": ["개인정보를 국외로 이전하는 경우 정보주체에게 국외 이전에 관한 고지 사항을 모두 알리고 별도 동의를 받거나, 인증 또는 인정 등 적법 요건을 준수하고 있는가?","정보주체와의 계약의 체결 및 이행을 위한 개인정보의 국외 처리위탁·보관에 대해 정보주체에게 알리는 경우 필요한 사항을 모두 포함하여 적절한 방법으로 알리고 있는가?","개인정보 보호 관련 법령 준수 및 개인정보 보호 등에 관한 사항을 포함하여 국외 이전에 관한 계약을 체결하고 있는가?","개인정보를 국외로 이전하는 경우 개인정보 보호를 위하여 필요한 조치를 취하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보를 처리하는 과정에서 국외 사업자에게 개인정보 제3자 제공이 발생하였으나, 인증, 대상국 인정 등 동의 예외 요건에 해당되지 않음에도 불구하고 개인정보 국외 이전에 대한 별도 동의를 받지 않은 경우","사례 2 : 국외 클라우드 서비스(국외 리전)를 이용하여 개인정보 처리위탁 및 보관을 하면서 이전되는 국가, 이전 방법 등 관련 사항을 개인정보 처리방침에 공개하거나 정보주체에게 알리지 않은 경우","사례 3 : 개인정보 국외 이전에 대한 동의를 받으면서 이전받는 자의 명칭(업체명)만 고지하고 이전되는 국가 등에 대하여 알리지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제28조의8(개인정보의 국외 이전), 제28조의9(개인정보의 국외 이전 중지 명령), 제28조의10(상호주의), 제28조의11(준용규정)","개인정보 국외 이전 운영 등에 관한 규정"]}],"description": "개인정보를 국외로 이전하는 경우 국외 이전에 대한 동의, 관련 사항에 대한 공개 등 적절한 보호조치를 수립·이행하여야 한다.","checks_status": {"fail": 
1,"pass": 0,"total": 1,"manual": 0}},"3.4.1": {"name": "개인정보 파기","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.4.1 개인정보 파기","Subdomain": "3.4. 개인정보 파기 시 보호조치","AuditEvidence": ["개인정보 보유기간 및 파기 관련 규정","개인정보 파기 결과(회원 데이터베이스 등)","개인정보 파기관리대장"],"AuditChecklist": ["개인정보의 보유기간 및 파기와 관련된 내부 정책을 수립하고 있는가?","개인정보의 처리목적이 달성되거나 보유기간이 경과한 경우 지체 없이 해당 개인정보를 파기하고 있는가?","개인정보를 파기할 때에는 복구·재생되지 않도록 안전한 방법으로 파기하고 있는가?","개인정보 파기에 대한 기록을 남기고 관리하고 있는가?"],"NonComplianceCases": ["사례 1 : 회원 탈퇴 등 목적이 달성되거나 보유기간이 경과된 경우 회원 데이터베이스에서는 해당 개인정보를 파기하였으나, CRM·DW 등 연계된 개인정보처리시스템에 복제되어 저장되어 있는 개인정보를 파기하지 않은 경우","사례 2 : 특정 기간 동안 이벤트를 하면서 수집된 개인정보에 대하여 이벤트가 종료된 이후에도 파기 기준이 수립되어 있지 않거나 파기가 이루어지고 있지 않은 경우","사례 3 : 콜센터에서 수집되는 민원처리 관련 개인정보(상담이력, 녹취 등)를 전자상거래법을 근거로 3년간 보존하고 있으나, 3년이 경과한 후에도 파기하지 않고 보관하고 있는 경우","사례 4 : 블록체인 등 기술적 특성으로 인하여 목적이 달성된 개인정보의 완전 파기가 어려워 완전파기 대신 익명처리를 하였으나, 익명처리가 적절하게 수행되지 않아 일부 개인정보의 재식별 등 복원이 가능한 경우"],"RelatedRegulations": ["개인정보 보호법 제21조(개인정보의 파기)","개인정보의 안전성 확보조치 기준 제13조(개인정보의 파기)"]}],"description": "개인정보의 보유기간 및 파기 관련 내부 정책을 수립하고 개인정보의 보유기간 경과, 처리목적 달성 등 파기 시점이 도달한 때에는 파기의 안전성 및 완전성이 보장될 수 있는 방법으로 지체 없이 파기하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.4.2": {"name": "처리목적 달성 후 보유 시 조치","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.4.2 처리목적 달성 후 보유 시 조치","Subdomain": "3.4. 
개인정보 파기 시 보호조치","AuditEvidence": ["개인정보 보유기간 및 파기 관련 규정","분리 데이터베이스 현황(테이블 구조 등)","분리 데이터베이스 접근권한 현황"],"AuditChecklist": ["개인정보의 보유기간 경과 또는 처리목적 달성 후에도 관련 법령 등에 따라 파기하지 않고 보존하는 경우, 관련 법령에 따른 최소한의 기간으로 한정하여 최소한의 정보만을 보존하도록 관리하고 있는가?","개인정보의 보유기간 경과 또는 처리목적 달성 후에도 관련 법령 등에 따라 파기하지 않고 보존하는 경우 해당 개인정보 또는 개인정보파일을 다른 개인정보와 분리하여 저장·관리하고 있는가?","분리 보관하고 있는 개인정보에 대하여 법령에서 정한 목적 범위 내에서만 처리 가능하도록 관리하고 있는가?","분리 보관하고 있는 개인정보에 대하여 접근권한을 최소한의 인원으로 제한하고 있는가?"],"NonComplianceCases": ["사례 1 : 탈퇴회원 정보를 파기하지 않고 전자상거래법에 따라 일정기간 보관하면서 Flag값만 변경하여 다른 회원정보와 동일한 테이블에 보관하고 있는 경우","사례 2 : 전자상거래법에 따른 소비자 불만 및 분쟁처리에 관한 기록에 대해 관련 법적 요건을 잘못 적용하여 3년이 아닌 5년간 보존하도록 정하고 있는 경우","사례 3 : 분리 데이터베이스를 구성하였으나 접근권한을 별도로 설정하지 않아 업무상 접근이 불필요한 인원도 분리 데이터베이스에 자유롭게 접근이 가능한 경우","사례 4 : 탈퇴회원 정보를 파기하지 않고 전자상거래법에 따라 계약 또는 청약철회, 대금결제 및 재화 공급에 관한 기록을 분리하여 보존하였으나, 전자상거래법에 따른 보존의무가 없는 선택정보까지 과도하게 보존한 경우"],"RelatedRegulations": ["개인정보 보호법 제21조(개인정보의 파기)"]}],"description": "개인정보의 보유기간 경과 또는 처리목적 달성 후에도 관련 법령 등에 따라 파기하지 않고 보존하는 경우에는 해당 목적에 필요한 최소한의 항목으로 제한하고 다른 개인정보와 분리하여 저장·관리하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.1": {"name": "개인정보 처리방침 공개","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.5.1 개인정보 처리방침 공개","Subdomain": "3.5. 
정보주체 권리보호","AuditEvidence": ["개인정보 처리방침","개인정보 처리방침 개정 관련 공지 내역(게시판 등)"],"AuditChecklist": ["개인정보 처리방침을 법령에서 요구하는 내용을 모두 포함하여 알기 쉬운 용어로 구체적이고 명확하게 작성하였는가?","개인정보 처리방침을 정보주체가 쉽게 확인할 수 있도록 인터넷 홈페이지 등에 지속적으로 현행화하여 공개하고 있는가?","개인정보 처리방침이 변경되는 경우 사유 및 변경 내용을 지체 없이 공지하고 정보주체가 언제든지 변경된 사항을 쉽게 알아 볼 수 있도록 조치하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보 처리방침에 공개되어 있는 개인정보 수집, 제3자 제공 내역이 실제 수집 및 제공하는 내역과 다른 경우","사례 2 : 개인정보 보호책임자의 변경, 수탁자 변경 등 개인정보 처리방침 공개 내용 중에 변경사항이 발생하였음에도 이를 반영하여 변경하지 않은 경우","사례 3 : 개인정보 처리방침이 공개는 되어 있으나, 명칭이 ʻ개인정보 처리방침ʼ이 아니라 ʻ개인정보 보호정책ʼ으로 되어 있고 글자 크기, 색상 등을 활용하여 정보주체가 쉽게 찾을 수 있도록 되어 있지 않은 경우","사례 4 : 개인정보 처리방침이 몇 차례 개정되었으나, 예전에 작성된 개인정보 처리방침의 내용을 확인할 수 있도록 공개되어 있지 않은 경우","사례 5 : 전자상거래법, 상법 등 다른 법령에 따라 개인정보를 파기하지 아니하고 일정기간 보관하고 있으나, 이에 따른 보존근거와 보존하는 개인정보 항목을 개인정보 처리방침에 공개하지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제30조(개인정보 처리방침의 수립 및 공개), 제30조의2(개인정보 처리방침의 평가 및 개선권고)"]}],"description": "개인정보의 처리 목적 등 필요한 사항을 모두 포함하여 정보주체가 알기 쉽도록 개인정보 처리방침을 수립하고, 이를 정보주체가 언제든지 쉽게 확인할 수 있도록 적절한 방법에 따라 공개하고 지속적으로 현행화하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.2": {"name": "정보주체 권리보장","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.5.2 정보주체 권리보장","Subdomain": "3.5. 
정보주체 권리보호","AuditEvidence": ["개인정보 처리방침","개인정보 열람등요구 처리 절차, 관련 양식","개인정보 열람등요구 시 조치 내역","회원 탈퇴 및 동의 철회 절차"],"AuditChecklist": ["정보주체 또는 그 대리인이 개인정보에 대한 열람, 정정·삭제, 처리정지 및 동의 철회 등(이하 '열람등요구'라 함)을 개인정보 수집방법·절차보다 어렵지 아니하도록 권리 행사 방법및 절차를 마련하여 공개하고 있는가?","정보주체 또는 그 대리인이 개인정보 열람등요구를 하는 경우 기간 내에 열람등요구에 따른 필요한 조치를 하고 있는가?","정보주체 또는 그 대리인이 개인정보 수집·이용·제공 등의 동의를 철회하는 경우 지체 없이 수집된 개인정보를 파기하는 등 필요한 조치를 취하고 있는가?","정보주체의 열람등요구에 대한 조치에 불복이 있는 경우 이의를 제기할 수 있도록 필요한 절차를 마련하여 안내하고 있는가?","정보주체의 열람등요구 및 처리 결과에 대하여 기록을 남기고 있는가?","정보통신망에서 사생활 침해 또는 명예훼손 등 타인의 권리를 침해한 경우 침해를 받은 자가 정보통신서비스 제공자에게 정보의 삭제 요청 등을 할 수 있는 절차를 마련하여 시행하고 있는가?"],"NonComplianceCases": ["사례 1 : 개인정보의 열람, 정정·삭제, 처리정지 요구 방법을 정보주체가 알 수 있도록 공개하지 않은 경우","사례 2 : 개인정보의 열람 요구에 대하여 정당한 사유의 통지 없이 열람 요구를 접수받은 날로부터 10일을 초과하여 회신하고 있는 경우","사례 3 : 개인정보의 열람 민원에 대한 처리 내역 기록 및 보관이 이루어지지 않은 경우","사례 4 : 정보주체 당사자 또는 정당한 대리인이 맞는지에 대한 확인 절차 없이 열람 통지가 이루어지는 경우","사례 5 : 개인정보의 정정·삭제 요구에 대하여 정정·삭제 요구를 접수받은 날로부터 10일을 초과하여 회신하는 경우","사례 6 : 회원 가입 시에는 온라인을 통하여 쉽게 회원 가입이 가능하였으나, 회원 탈퇴 시에는 신분증 등 추가 서류를 제출하게 하거나 오프라인 방문을 통해서만 가능하도록 하는 경우"],"RelatedRegulations": ["개인정보 보호법 제34조의2(노출된 개인정보의 삭제·차단), 제35조(개인정보의 열람), 제35조의2(개인정보의 전송 요구), 제36조(개인정보의 정정·삭제), 제37조(개인정보의 처리정지 등), 제37조의2(자동화된 결정에 대한 정보주체의 권리 등), 제38조(권리행사의 방법 및 절차)","정보통신망법 제44조(정보통신망에서의 권리보호), 제44조의2(정보의 삭제요청 등), 제44조의3(임의의 임시조치)"]}],"description": "정보주체가 개인정보의 열람, 정정·삭제, 처리정지, 이의제기, 동의철회 등 요구를 수집 방법·절차보다 쉽게 할 수 있도록 권리행사 방법 및 절차를 수립·이행하고, 정보주체의 요구를 받은 경우 지체 없이 처리하고 관련 기록을 남겨야 한다. 또한 정보주체의 사생활 침해, 명예훼손 등 타인의 권리를 침해하는 정보가 유통되지 않도록 삭제요청, 임시조치 등의 기준을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"3.5.3": {"name": "정보주체에 대한 통지","checks": {},"status": "PASS","attributes": [{"Domain": "3. 개인정보 처리 단계별 요구사항","Section": "3.5.3 정보주체에 대한 통지","Subdomain": "3.5. 
정보주체 권리보호","AuditEvidence": ["개인정보 이용·제공 내역 통지 기록","개인정보 이용·제공 내역 통지 양식 및 문구"],"AuditChecklist": ["법적 의무 대상자에 해당하는 경우 개인정보 이용·제공 내역 또는 그 내역을 확인할 수 있는 정보시스템에 접속하는 방법을 정보주체에게 주기적으로 통지하고 있는가?","개인정보 이용·제공 내역 통지 항목은 법적 요구항목을 모두 포함하고 있는가?"],"NonComplianceCases": ["사례 1 : 전년도 말 기준 직전 3개월 간 일일 평균 저장·관리하고 있는 개인정보가 100만명 이상으로서 개인정보 이용제공 내역 통지 의무 대상자에 해당 됨에도 불구하고 금년도에 개인정보 이용 및내역을 통지하지 않은 경우","사례 2 : 개인정보 이용·제공 내역을 개별 정보주체에게 직접적으로 통지하는 대신 홈페이지에서 단순 팝업창이나 별도 공지사항으로 안내만 한 경우"],"RelatedRegulations": ["개인정보 보호법 제20조의2(개인정보 이용·제공 내역의 통지)"]}],"description": "개인정보의 이용·제공 내역 등 정보주체에게 통지하여야 할 사항을 파악하여 그 내용을 주기적으로 통지하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.1": {"name": "보안시스템 운영","checks": {"kms_cmk_are_used": null,"macie_is_enabled": "PASS","securityhub_enabled": "PASS","fms_policy_compliant": null,"guardduty_is_enabled": "PASS","inspector2_is_enabled": "FAIL","elbv2_waf_acl_attached": "FAIL","kms_cmk_rotation_enabled": null,"ec2_securitygroup_not_used": "FAIL","guardduty_centrally_managed": "FAIL","wafv2_webacl_logging_enabled": "FAIL","ssm_managed_compliant_patching": "FAIL","kms_key_not_publicly_accessible": null,"ssmincidents_enabled_with_plans": null,"inspector2_active_findings_exist": "FAIL","cloudfront_distributions_using_waf": null,"cognito_user_pool_waf_acl_attached": null,"trustedadvisor_errors_and_warnings": null,"apigateway_restapi_waf_acl_attached": "FAIL","config_recorder_all_regions_enabled": null,"guardduty_no_high_severity_findings": "FAIL","ec2_securitygroup_from_launch_wizard": "FAIL","ec2_networkacl_allow_ingress_any_port": "FAIL","organizations_delegated_administrators": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","secretsmanager_automatic_rotation_enabled": "FAIL","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_instance_port_ldap_exposed_to_internet": 
"PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","cloudwatch_log_metric_filter_sign_in_without_mfa": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","shield_advanced_protection_in_global_accelerators": null,"ec2_instance_internet_facing_with_instance_profile": "FAIL","shield_advanced_protection_in_route53_hosted_zones": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_authentication_failures": null,"shield_advanced_protection_in_associated_elastic_ips": null,"shield_advanced_protection_in_classic_load_balancers": null,"shield_advanced_protection_in_cloudfront_distributions": null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","shield_advanced_protection_in_internet_facing_load_balancers": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": 
"PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.1 보안시스템 운영","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["보안시스템 구성","네트워크 구성","보안시스템 운영절차","방화벽 정책","방화벽 정책 설정·변경 요청서","보안시스템 예외자 목록","보안시스템별 관리 화면(방화벽, IPS, 서버접근제어, DLP, DRM 등)","보안시스템 정책 검토 이력"],"AuditChecklist": ["조직에서 운영하고 있는 보안시스템에 대한 운영절차를 수립·이행하고 있는가?","보안시스템 관리자 등 접근이 허용된 인원을 최소화하고 비인가자의 접근을 엄격하게 통제하고 있는가?","보안시스템별로 정책의 신규 등록, 변경, 삭제 등을 위한 공식적인 절차를 수립 및 이행하고 있는가?","보안시스템의 예외 정책 등록에 대하여 절차에 따라 관리하고 있으며, 예외 정책 사용자에 대하여 최소한의 권한으로 관리하고 있는가?","보안시스템에 설정된 정책의 타당성 여부를 주기적으로 검토하고 있는가?","개인정보처리시스템에 대한 불법적인 접근 및 개인정보 유출 방지를 위하여 관련 법령에서 정한 기능을 수행하는 보안시스템을 설치하여 운영하고 있는가?"],"NonComplianceCases": ["사례 1 : 침입차단시스템 보안정책에 대한 정기 검토가 수행되지 않아 불필요하거나 과도하게 허용된 정책이 다수 존재하는 경우","사례 2 : 보안시스템 보안정책의 신청, 변경, 삭제, 주기적 검토에 대한 절차 및 기준이 없거나, 절차는 있으나 이를 준수하지 않은 경우","사례 3 : 보안시스템의 관리자 지정 및 권한 부여 현황에 대한 관리감독이 적절히 이행되고 있지 않은 경우","사례 4 : 내부 지침에는 정보보호담당자가 보안시스템의 보안정책 변경 이력을 기록·보관하도록 정하고 있으나, 정책관리대장을 주기적으로 작성하지 않고 있거나 정책관리대장에 기록된 보안정책과 실제 운영 중인 시스템의 보안정책이 상이한 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "보안시스템 유형별로 관리자 지정, 최신 정책 업데이트, 룰셋 변경, 이벤트 모니터링 등의 운영절차를 수립·이행하고 보안시스템별 정책적용 현황을 관리하여야 한다.","checks_status": {"fail": 16,"pass": 39,"total": 75,"manual": 0}},"2.10.2": {"name": "클라우드 보안","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.2 클라우드 보안","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["클라우드 서비스 관련 계약서 및 SLA","클라우드 서비스 위험분석 결과","클라우드 서비스 보안통제 정책","클라우드 서비스 관리자 권한 부여 현황","클라우드 서비스 구성도","클라우드 서비스 보안설정 현황","클라우드 서비스 보안설정 적정성 검토 이력"],"AuditChecklist": ["클라우드 서비스 제공자와 정보보호 및 개인정보보호에 대한 책임과 역할을 명확히정의하고 이를 계약서(SLA 등)에 반영하고 있는가?","클라우드 서비스 이용 시 서비스 유형에 따른 보안위험을 평가하여 비인가 접근,설정오류 등을 방지할 수 있도록 보안 구성 및 설정 기준, 보안설정 변경 및 승인 절차, 안전한 접속방법, 권한 체계 등 보안 통제 정책을 수립·이행하고 있는가?","클라우드 서비스 관리자 권한은 역할에 따라 최소화하여 부여하고 관리자 권한에 대한비인가 접근, 권한 오·남용 등을 방지할 수 있도록 강화된 인증, 암호화, 접근통제, 감사기록 등 보호대책을 적용하고 있는가?","클라우드 서비스의 보안 설정 변경, 운영 현황 등을 모니터링하고 그 적절성을 정기적으로검토하고 있는가?"],"NonComplianceCases": ["사례 1 : 클라우드 서비스 계약서 내에 보안에 대한 책임 및 역할 등에 대한 사항이 포함되어 있지 않은 경우","사례 2 : 클라우드 서비스의 보안설정을 변경할 수 있는 권한이 업무상 반드시 필요하지 않은 직원들에게 과도하게 부여되어 있는 경우","사례 3 : 내부 지침에는 클라우드 내 사설 네트워크의 접근통제 룰(Rule) 변경 시 보안책임자 승인을 받도록 하고 있으나, 승인절차를 거치지 않고 등록·변경된 접근제어 룰이 다수 발견된 경우","사례 4 : 클라우드 서비스의 보안설정 오류로 내부 로그 파일이 인터넷을 통하여 공개되어 있는 경우"],"RelatedRegulations": []}],"description": "클라우드 서비스 이용 시 서비스 유형(SaaS, PaaS, IaaS 등)에 따른 비인가 접근, 설정 오류 등에 따라 중요정보와 개인정보가 유·노출되지 않도록 관리자 접근 및 보안 설정 등에 대한 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.3": {"name": "공개서버 보안","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","ssm_document_secrets": "PASS","elbv2_waf_acl_attached": "FAIL","elb_insecure_ssl_ciphers": "PASS","apigateway_restapi_public": "FAIL","lightsail_database_public": null,"lightsail_instance_public": null,"elbv2_insecure_ssl_ciphers": "PASS","lightsail_static_ip_unused": null,"networkfirewall_in_all_vpc": "FAIL","ec2_instance_imdsv2_enabled": "PASS","elbv2_desync_mitigation_mode": "FAIL","awslambda_function_inside_vpc": "FAIL","awslambda_function_url_public": null,"ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","ssm_managed_compliant_patching": "FAIL","inspector2_active_findings_exist": "FAIL","acm_certificates_expiration_check": "PASS","awslambda_function_url_cors_policy": 
null,"cloudfront_distributions_using_waf": null,"vpc_subnet_separate_private_public": "FAIL","apigateway_restapi_waf_acl_attached": "FAIL","apigatewayv2_api_authorizers_enabled": "FAIL","awslambda_function_no_secrets_in_code": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","apigateway_restapi_authorizers_enabled": "PASS","cloudfront_distributions_https_enabled": null,"ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","apigateway_restapi_public_with_authorizer": "FAIL","ec2_instance_port_ftp_exposed_to_internet": "PASS","ec2_instance_port_rdp_exposed_to_internet": "PASS","ec2_instance_port_ssh_exposed_to_internet": "PASS","awslambda_function_no_secrets_in_variables": "PASS","awslambda_function_not_publicly_accessible": "PASS","ec2_instance_port_cifs_exposed_to_internet": "PASS","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","route53_domains_privacy_protection_enabled": null,"ec2_instance_port_kafka_exposed_to_internet": "PASS","ec2_instance_port_mysql_exposed_to_internet": "PASS","ec2_instance_port_redis_exposed_to_internet": "PASS","ec2_instance_port_oracle_exposed_to_internet": "PASS","ec2_instance_port_telnet_exposed_to_internet": "PASS","apigateway_restapi_client_certificate_enabled": "FAIL","ec2_instance_port_mongodb_exposed_to_internet": "PASS","ec2_securitygroup_allow_wide_open_public_ipv4": "PASS","ec2_instance_port_kerberos_exposed_to_internet": "PASS","ec2_instance_port_cassandra_exposed_to_internet": "PASS","ec2_instance_port_memcached_exposed_to_internet": "PASS","ec2_instance_port_sqlserver_exposed_to_internet": "PASS","kafka_cluster_mutual_tls_authentication_enabled": null,"ec2_instance_port_postgresql_exposed_to_internet": "PASS","ec2_securitygroup_with_many_ingress_egress_rules": "PASS","autoscaling_find_secrets_ec2_launch_configuration": "PASS","ec2_instance_internet_facing_with_instance_profile": "FAIL","cloudfront_distributions_using_deprecated_ssl_protocols": 
null,"ec2_securitygroup_allow_ingress_from_internet_to_any_port": "PASS","ec2_instance_port_elasticsearch_kibana_exposed_to_internet": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.3 공개서버 보안","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["네트워크 구성도","웹사이트 정보공개 절차 및 내역(신청·승인·게시 이력 등)","개인정보 및 중요정보 노출 여부 점검 이력"],"AuditChecklist": ["공개서버를 운영하는 경우 이에 대한 보호대책을 수립·이행하고 있는가?","공개서버는 내부 네트워크와 분리된 DMZ 영역에 설치하고 침입차단시스템 등 보안시스템을 통하여 보호하고 있는가?","공개서버에 개인정보 및 중요정보를 게시하거나 저장하여야 할 경우 책임자 승인 등 허가 및 게시절차를 수립·이행하고 있는가?","조직의 중요정보가 웹사이트 및 웹서버를 통하여 노출되고 있는지 여부를 주기적으로 확인하여 중요정보 노출을 인지한 경우 이를 즉시 차단하는 등의 조치를 취하고 있는가?"],"NonComplianceCases": ["사례 1 : 인터넷에 공개된 웹사이트의 취약점으로 인하여 구글 검색을 통하여 열람 권한이 없는 타인의 개인정보에 접근할 수 있는 경우","사례 2 : 웹사이트에 개인정보를 게시하는 경우 승인 절차를 거치도록 내부 규정이 마련되어 있으나, 이를 준수하지 않고 개인정보가 게시된 사례가 다수 존재한 경우","사례 3 : 게시판 등의 웹 응용프로그램에서 타인이 작성한 글을 임의로 수정·삭제하거나 비밀번호로 보호된 글을 열람할 수 있는 경우"],"RelatedRegulations": []}],"description": "외부 네트워크에 공개되는 서버의 경우 내부 네트워크와 분리하고 취약점 점검, 접근통제, 인증, 정보 수집·저장·공개 절차 등 강화된 보호대책을 수립·이행하여야 한다.","checks_status": {"fail": 19,"pass": 47,"total": 76,"manual": 0}},"2.10.4": {"name": "전자거래 및 핀테크 보안","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.4 전자거래 및 핀테크 보안","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["전자거래 및 핀테크 서비스 보호대책","결제시스템 연계 시 보안성 검토 결과"],"AuditChecklist": ["전자거래 및 핀테크 서비스를 제공하는 경우 거래의 안전성과 신뢰성 확보를 위한보호대책을 수립·이행하고 있는가?","전자거래 및 핀테크 서비스 제공을 위하여 결제시스템 등 외부 시스템과 연계하는 경우 송수신되는 관련 정보의 보호를 위한 대책을 수립·이행하고 안전성을 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 전자결제대행업체와 위탁 계약을 맺고 연계를 하였으나, 적절한 인증 및 접근제한 없이 특정 URL을 통하여 결제 관련 정보가 모두 평문으로 전송되는 경우","사례 2 : 전자결제대행업체와 외부 연계 시스템이 전용망으로 연결되어 있으나, 해당 연계 시스템에서 내부 업무 시스템으로의 접근이 침입차단시스템 등으로 적절히 통제되지 않고 있는 경우","사례 3 : 내부 지침에는 외부 핀테크 서비스 연계 시 정보보호팀의 보안성 검토를 받도록 되어 있으나, 최근에 신규 핀테크 서비스를 연계하면서 일정상 이유로 보안성 검토를 수행하지 않은 경우"],"RelatedRegulations": []}],"description": "전자거래 및 핀테크 서비스 제공 시 정보유출이나 데이터 조작·사기 등의 침해사고 예방을 위하여 인증·암호화 등의 보호대책을 수립하고, 결제시스템 등 외부 시스템과 연계할 경우 안전성을 점검하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.5": {"name": "정보전송 보안","checks": {"elb_ssl_listeners": "FAIL","elbv2_ssl_listeners": "FAIL","elb_insecure_ssl_ciphers": "PASS","elbv2_insecure_ssl_ciphers": "PASS","rds_instance_transport_encrypted": "FAIL","s3_bucket_secure_transport_policy": "FAIL","glue_database_connections_ssl_enabled": null,"cloudfront_distributions_https_enabled": null,"sns_subscription_not_using_http_endpoints": "PASS","kafka_cluster_in_transit_encryption_enabled": null,"apigateway_restapi_client_certificate_enabled": "FAIL","kafka_cluster_mutual_tls_authentication_enabled": null,"directoryservice_radius_server_security_protocol": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"elasticache_redis_cluster_in_transit_encryption_enabled": null,"opensearch_service_domains_https_communications_enforced": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.5 정보전송 보안","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["정보전송 협약서 또는 계약서","정보전송 기술표준","정보전송 관련 구성도, 인터페이스 정의서"],"AuditChecklist": ["외부 조직에 개인정보 및 중요정보를 전송할 경우 안전한 전송 정책을 수립하고 있는가?","업무상 조직 간 개인정보 및 중요정보를 상호교환하는 경우 안전한 전송을 위한 협약체결 등 보호대책을 수립·이행하고 있는가?"],"NonComplianceCases": ["사례 1 : 대외 기관과 연계 시 전용망 또는 VPN을 적용하고 중계서버와 인증서 적용 등을 통하여 안전하게 정보를 전송하고 있으나, 외부 기관별 연계 시기, 방식, 담당자 및 책임자, 연계 정보, 법적 근거 등에 대한 현황관리가 적절히 이루어지지 않고 있는 경우","사례 2 : 중계과정에서의 암호 해제 구간 또는 취약한 암호화 알고리즘(DES, 3DES) 사용 등에 대한 보안성 검토, 보안표준 및 조치방안 수립 등에 대한 협의가 이행되고 있지 않은 경우"],"RelatedRegulations": []}],"description": "다른 조직에 개인정보 및 중요정보를 전송할 경우 안전한 전송 정책을 수립하고 조직 간 합의를 통하여 관리 책임, 전송방법, 개인정보 및 중요정보 보호를 위한 기술적 보호조치 등을 협약하고 이행하여야 한다.","checks_status": {"fail": 5,"pass": 3,"total": 17,"manual": 0}},"2.10.6": {"name": "업무용 단말기기 보안","checks": {"workspaces_volume_encryption_enabled": null,"appstream_fleet_maximum_session_duration": null,"appstream_fleet_session_disconnect_timeout": null,"workspaces_vpc_2private_1public_subnets_nat": null,"appstream_fleet_session_idle_disconnect_timeout": null,"appstream_fleet_default_internet_access_disabled": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.6 업무용 단말기기 보안","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["업무용 단말기 보안통제 지침 및 절차","업무용 단말기 등록현황","업무용 단말기 보안설정","업무용 단말기 기기인증 및 승인 이력","업무용 단말기 보안점검 현황"],"AuditChecklist": ["PC, 노트북, 가상PC, 태블릿 등 업무에 사용되는 단말기에 대하여 기기인증, 승인, 접근범위 설정, 기기 보안설정 등의 보안 통제 정책을 수립·이행하고 있는가?","업무용 단말기를 통하여 개인정보 및 중요정보가 유출되는 것을 방지하기 위하여 자료공유프로그램 사용 금지, 공유설정 제한, 무선망 이용 통제 등의 정책을 수립 및 이행하고 있는가?","업무용 모바일 기기의 분실, 도난 등으로 인한 개인정보 및 중요정보의 유·노출을 방지하기 위하여 보안대책을 적용하고 있는가?","업무용 단말기기에 대한 접근통제 대책의 적절성에 대하여 주기적으로 점검하고 있는가?"],"NonComplianceCases": ["사례 1 : 업무적인 목적으로 노트북, 태블릿PC 등 모바일 기기를 사용하고 있으나, 업무용 모바일 기기에 대한 허용 기준, 사용 범위, 승인 절차, 인증 방법 등에 대한 정책이 수립되어 있지 않은 경우","사례 2 : 모바일 기기 보안관리 지침에서는 모바일 기기의 업무용 사용을 원칙적으로 금지하고 필요시 승인 절차를 통하여 제한된 기간 동안 허가된 모바일 기기만 사용하도록 정하고 있으나, 허가된 모바일 기기가 식별·관리되지 않고 승인되지 않은 모바일 기기에서도 내부 정보시스템 접속이 가능한 경우","사례 3 : 개인정보 처리업무에 이용되는 모바일 기기에 대하여 비밀번호 설정 등 도난·분실에 대한 보호대책이 적용되어 있지 않은 경우","사례 4 : 내부 규정에서는 업무용 단말기의 공유폴더 사용을 금지하고 있으나, 이에 대한 주기적인 점검이 이루어지고 있지 않아 다수의 업무용 단말기에서 과도하게 공유폴더를 설정하여 사용하고 있는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "PC, 모바일 기기 등 단말기기를 업무 목적으로 네트워크에 연결할 경우 기기 인증 및 승인, 접근 범위, 기기 보안설정 등의 접근통제 대책을 수립하고 주기적으로 점검하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 6,"manual": 0}},"2.10.7": {"name": "보조저장매체 관리","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.7 보조저장매체 관리","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["보조저장매체(USB, CD 등) 차단 정책","보조저장매체 관리대장","보조저장매체 실태점검 이력"],"AuditChecklist": ["외장하드, USB메모리, CD 등 보조저장매체 취급(사용), 보관, 폐기, 재사용에 대한 정책 및 절차를 수립·이행하고 있는가?","보조저장매체 보유현황, 사용 및 관리실태를 주기적으로 점검하고 있는가?","주요 정보시스템이 위치한 통제구역, 중요 제한구역 등에서 보조저장매체 사용을 제한하고 있는가?","보조저장매체를 통한 악성코드 감염 및 중요정보 유출 방지를 위한 대책을 마련하고 있는가?","개인정보 또는 중요정보가 포함된 보조저장매체를 잠금장치가 있는 안전한 장소에 보관하고 있는가?"],"NonComplianceCases": ["사례 1 : 통제구역인 서버실에서의 보조저장매체 사용을 제한하는 정책을 수립하여 운영하고 있으나, 예외 승인 절차를 준수하지 않고 보조저장매체를 사용한 이력이 다수 확인되었으며, 보조저장매체 관리실태에 대한 주기적 점검이 실시되지 않아 보조저장매체 관리대장의 현행화가 미흡한 경우","사례 2 : 개인정보가 포함된 보조저장매체를 잠금장치가 있는 안전한 장소에 보관하지 않고 사무실 서랍 등에 방치하고 있는 경우","사례 3 : 보조저장매체 통제 솔루션을 도입·운영하고 있으나, 일부 사용자에 대하여 적절한 승인 절차 없이 예외처리되어 쓰기 등이 허용된 경우","사례 4 : 전산실에 위치한 일부 공용 PC 및 전산장비에서 일반 USB메모리에 대한 쓰기가 가능한 상황이나 매체 반입 및 사용 제한, 사용이력 기록 및 검토 등 통제가 적용되고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제10조(물리적 안전조치)"]}],"description": "보조저장매체를 통하여 개인정보 또는 중요정보의 유출이 발생하거나 악성코드가 감염되지 않도록 관리 절차를 수립·이행하고, 개인정보 또는 중요정보가 포함된 보조저장 매체는 안전한 장소에 보관하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.10.8": {"name": "패치관리","checks": {"ssm_managed_compliant_patching": "FAIL","kafka_cluster_uses_latest_version": null,"ec2_instance_account_imdsv2_enabled": null,"redshift_cluster_automatic_upgrades": null,"eks_cluster_uses_a_supported_version": null,"ec2_instance_older_than_specific_days": "FAIL","rds_instance_deprecated_engine_version": "PASS","rds_cluster_minor_version_upgrade_enabled": "PASS","dms_instance_minor_version_upgrade_enabled": null,"rds_instance_minor_version_upgrade_enabled": "PASS","awslambda_function_using_supported_runtimes": "FAIL","elasticache_redis_cluster_auto_minor_version_upgrades": null,"cloudfront_distributions_using_deprecated_ssl_protocols": null,"opensearch_service_domains_updated_to_the_latest_service_software_version": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.8 패치관리","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["패치 적용 관리 정책·절차","시스템별 패치 적용 현황","패치 적용 관련 영향도 분석 결과"],"AuditChecklist": ["서버, 네트워크시스템, 보안시스템, PC 등 자산별 특성 및 중요도에 따라 운영체제(OS)와 소프트웨어의 패치관리 정책 및 절차를 수립·이행하고 있는가?","주요 서버, 네트워크시스템, 보안시스템 등의 경우 설치된 OS, 소프트웨어 패치 적용 현황을 주기적으로 관리하고 있는가?","서비스 영향도 등에 따라 취약점을 조치하기 위한 최신의 패치 적용이 어려운 경우 보완대책을 마련하고 있는가?","주요 서버, 네트워크시스템, 보안시스템 등의 경우 공개 인터넷 접속을 통한 패치를 제한하고 있는가?","패치관리시스템을 활용하는 경우 접근통제 등 충분한 보호대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 일부 시스템에서 타당한 사유나 책임자 승인 없이 OS패치가 장기간 적용되고 있지 않은 경우","사례 2 : 일부 시스템에 서비스 지원이 종료(EOS)된 OS버전을 사용 중이나, 이에 따른 대응계획이나 보완대책이 수립되어 있지 않은 경우","사례 3 : 상용 소프트웨어 및 OS에 대해서는 최신 패치가 적용되고 있으나, 오픈소스 프로그램(openssl, openssh, Apache 등)에 대해서는 최신 패치를 확인하고 적용하는 절차 및 담당자가 지정되어 있지 않아 최신 보안패치가 적용되고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제9조(악성프로그램 등 방지)"]}],"description": "소프트웨어, 운영체제, 보안시스템 등의 취약점으로 인한 침해사고를 예방하기 위하여 최신 패치를 적용하여야 한다. 다만 서비스 영향을 검토하여 최신 패치 적용이 어려울 경우 별도의 보완대책을 마련하여 이행하여야 한다.","checks_status": {"fail": 3,"pass": 3,"total": 14,"manual": 0}},"2.10.9": {"name": "악성코드 통제","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.10.9 악성코드 통제","Subdomain": "2.10. 
시스템 및 서비스 보안관리","AuditEvidence": ["악성프로그램 대응 지침·절차·매뉴얼","백신프로그램 설치 현황","백신프로그램 설정 화면","악성프로그램 대응 이력(대응 보고서 등)"],"AuditChecklist": ["바이러스, 웜, 트로이목마, 랜섬웨어 등의 악성코드로부터 정보시스템 및 업무용단말기 등을 보호하기 위하여 보호대책을 수립·이행하고 있는가?","백신 소프트웨어 등 보안프로그램을 통하여 최신 악성코드 예방·탐지 활동을 지속적으로 수행하고 있는가?","백신 소프트웨어 등 보안프로그램은 최신의 상태로 유지하고 필요시 긴급 보안 업데이트를 수행하고 있는가?","악성코드 감염 발견 시 악성코드 확산 및 피해 최소화 등의 대응절차를 수립·이행하고있는가?"],"NonComplianceCases": ["사례 1 : 일부 PC 및 서버에 백신이 설치되어 있지 않거나, 백신 엔진이 장기간 최신 버전으로 업데이트되지 않은 경우","사례 2 : 백신 프로그램의 환경설정(실시간 검사, 예약검사, 업데이트 설정 등)을 이용자가 임의로 변경할 수 있음에도 그에 따른 추가 보호대책이 수립되어 있지 않은 경우","사례 3 : 백신 중앙관리시스템에 접근통제 등 보호대책이 미비하여 중앙관리시스템을 통한 침해사고발생 가능성이 있는 경우 또는 백신 패턴에 대한 무결성 검증을 하지 않아 악의적인 사용자에 의한 악성코드 전파 가능성이 있는 경우","사례 4 : 일부 내부망 PC 및 서버에서 다수의 악성코드 감염이력이 확인되었으나, 감염 현황, 감염 경로 및 원인 분석, 그에 따른 조치내역 등이 확인되지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제9조(악성프로그램 등 방지)"]}],"description": "바이러스·웜·트로이목마·랜섬웨어 등의 악성코드로부터 개인정보 및 중요정보, 정보시스템 및 업무용 단말기 등을 보호하기 위하여 악성코드 예방·탐지·대응 등의 보호대책을 수립 및 이행하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.11.1": {"name": "사고 예방 및 대응체계 구축","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.11.1 사고 예방 및 대응체계 구축","Subdomain": "2.11. 
사고 예방 및 대응","AuditEvidence": ["침해사고 대응 지침·절차·매뉴얼","침해사고 대응 조직도 및 비상연락망","보안관제서비스 계약서(SLA 등)"],"AuditChecklist": ["침해사고 및 개인정보 유출사고를 예방하고 사고 발생 시 신속하고 효과적으로 대응하기 위한 체계와 절차를 마련하고 있는가?","보안관제서비스 등 외부 기관을 통하여 침해사고 대응체계를 구축·운영하는 경우 침해사고 대응절차의 세부사항을 계약서에 반영하고 있는가?","침해사고의 모니터링, 대응 및 처리를 위하여 외부전문가, 전문업체, 전문기관 등과의 협조체계를 수립하고 있는가?"],"NonComplianceCases": ["사례 1 : 침해사고에 대비한 침해사고 대응 조직 및 대응 절차를 명확히 정의하고 있지 않은 경우","사례 2 : 내부 지침 및 절차에 침해사고 단계별(사고 전, 인지, 처리, 복구, 보고 등) 대응 절차를 수립하여 명시하고 있으나, 침해사고 발생 시 사고 유형 및 심각도에 따른 신고·통지 절차, 대응 및 복구 절차의 일부 또는 전부를 수립하고 있지 않은 경우","사례 3 : 침해사고 대응 조직도 및 비상연락망 등을 현행화하지 않고 있거나, 담당자별 역할과 책임이 명확히 정의되어 있지 않은 경우","사례 4 : 침해사고 신고·통지 및 대응 협조를 위한 대외기관 연락처에 기관명, 홈페이지, 연락처 등이 잘못 명시되어 있거나, 일부 기관 관련 정보가 누락 또는 현행화되지 않은 경우","사례 5 : 외부 보안관제 전문업체 등 유관기관에 침해사고 탐지 및 대응을 위탁하여 운영하고 있으나, 침해사고 대응에 대한 상호 간 관련 역할 및 책임 범위가 계약서나 SLA에 명확하게 정의되지 않은 경우","사례 6 : 침해사고 대응절차를 수립하였으나, 개인정보 침해 신고 기준, 시점 등이 법적 요구사항을 준수하지 못하는 경우"],"RelatedRegulations": ["개인정보 보호법 제34조(개인정보의 유출 등의 통지·신고)","정보통신망법 제48조의3(침해사고의 신고 등), 제48조의4(침해사고의 원인분석 등)"]}],"description": "침해사고 및 개인정보 유출 등을 예방하고 사고 발생 시 신속하고 효과적으로 대응할 수 있도록 내·외부 침해시도의 탐지·대응·분석 및 공유를 위한 체계와 절차를 수립하고, 관련 외부기관 및 전문가들과 협조체계를 구축하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.11.2": {"name": "취약점 점검 및 조치","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","ssm_document_secrets": "PASS","inspector2_is_enabled": "FAIL","ec2_instance_imdsv2_enabled": "PASS","guardduty_centrally_managed": "FAIL","ec2_instance_secrets_user_data": "PASS","ec2_launch_template_no_secrets": "PASS","inspector2_active_findings_exist": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","awslambda_function_no_secrets_in_code": "PASS","cloudwatch_log_group_no_secrets_in_logs": "FAIL","ecr_registry_scan_images_on_push_enabled": "PASS","cloudformation_stack_outputs_find_secrets": "PASS","codebuild_project_no_secrets_in_variables": "PASS","awslambda_function_no_secrets_in_variables": 
"PASS","ecs_task_definitions_no_environment_secrets": "PASS","ecr_repositories_scan_images_on_push_enabled": "FAIL","trustedadvisor_premium_support_plan_subscribed": null,"autoscaling_find_secrets_ec2_launch_configuration": "PASS","ecr_repositories_scan_vulnerabilities_in_latest_image": null,"codebuild_project_source_repo_url_no_sensitive_credentials": "PASS"},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.11.2 취약점 점검 및 조치","Subdomain": "2.11. 사고 예방 및 대응","AuditEvidence": ["취약점 점검 계획서","취약점 점검 결과보고서(웹, 모바일 앱, 서버, 네트워크시스템, 보안시스템, DBMS 등)","취약점 점검 이력","취약점 조치계획서","취약점 조치완료보고서","모의해킹 계획서·결과보고서"],"AuditChecklist": ["정보시스템 취약점 점검 절차를 수립하고, 정기적으로 점검을 수행하고 있는가?","발견된 취약점에 대한 조치를 수행하고, 그 결과를 책임자에게 보고하고 있는가?","최신 보안취약점 발생 여부를 지속적으로 파악하고, 정보시스템에 미치는 영향을 분석하여 조치하고 있는가?","취약점 점검 이력을 기록관리하여 전년도에 도출된 취약점이 재발생하는 등의 문제점에 대하여 보호대책을 마련하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 규정에 연 1회 이상 주요 시스템에 대한 기술적 취약점 점검을 하도록 정하고 있으나, 주요 시스템 중 일부가 취약점 점검 대상에서 누락된 경우","사례 2 : 취약점 점검에서 발견된 취약점에 대한 보완조치를 이행하지 않았거나, 단기간 내에 조치할 수 없는 취약점에 대한 타당성 검토 및 승인 이력이 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제4조(내부 관리계획의 수립·시행 및 점검), 제6조(접근통제)"]}],"description": "정보시스템의 취약점이 노출되어 있는지를 확인하기 위하여 정기적으로 취약점 점검을 수행하고, 발견된 취약점에 대해서는 신속하게 조치하여야 한다. 
또한 최신 보안취약점의 발생 여부를 지속적으로 파악하고, 정보시스템에 미치는 영향을 분석하여 조치하여야 한다.","checks_status": {"fail": 6,"pass": 14,"total": 23,"manual": 0}},"2.11.3": {"name": "이상행위 분석 및 모니터링","checks": {"securityhub_enabled": "PASS","fms_policy_compliant": null,"vpc_flow_logs_enabled": "FAIL","cloudtrail_insights_exist": null,"networkfirewall_in_all_vpc": "FAIL","trustedadvisor_errors_and_warnings": null,"guardduty_no_high_severity_findings": "FAIL","cloudtrail_threat_detection_enumeration": null,"cloudwatch_log_group_no_secrets_in_logs": "FAIL","cloudwatch_log_metric_filter_root_usage": null,"cloudwatch_cross_account_sharing_disabled": null,"cloudwatch_changes_to_vpcs_alarm_configured": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","cloudwatch_log_metric_filter_policy_changes": null,"cloudwatch_log_metric_filter_sign_in_without_mfa": null,"cloudwatch_changes_to_network_acls_alarm_configured": null,"cloudwatch_log_metric_filter_security_group_changes": null,"cloudwatch_log_metric_filter_unauthorized_api_calls": null,"cloudwatch_log_metric_filter_authentication_failures": null,"cloudwatch_log_metric_filter_aws_organizations_changes": null,"cognito_user_pool_client_prevent_user_existence_errors": null,"cloudwatch_changes_to_network_gateways_alarm_configured": null,"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null,"cloudwatch_changes_to_network_route_tables_alarm_configured": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null,"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null,"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.11.3 이상행위 분석 및 모니터링","Subdomain": "2.11. 
사고 예방 및 대응","AuditEvidence": ["이상행위 분석 및 모니터링 현황","이상행위 발견 시 대응 증거자료"],"AuditChecklist": ["내·외부에 의한 침해시도, 개인정보유출 시도, 부정행위 등 이상행위를 탐지할 수 있도록 주요 정보시스템, 응용프로그램, 네트워크, 보안시스템 등에서 발생한 네트워크 트래픽,데이터 흐름, 이벤트 로그 등을 수집하여 분석 및 모니터링하고 있는가?","침해시도, 개인정보유출시도, 부정행위 등의 여부를 판단하기 위한 기준 및 임계치를 정의하고 이에 따라 이상행위의 판단 및 조사 등 후속 조치가 적시에 이루어지고 있는가?"],"NonComplianceCases": ["사례 1 : 외부로부터의 서버, 네트워크, 데이터베이스, 보안시스템에 대한 침해 시도를 인지할 수 있도록 하는 상시 또는 정기적 모니터링 체계 및 절차를 마련하고 있지 않은 경우","사례 2 : 외부 보안관제 전문업체 등 외부 기관에 침해시도 모니터링 업무를 위탁하고 있으나, 위탁업체가 제공한 관련 보고서를 검토한 이력이 확인되지 않거나, 위탁 대상에서 제외된 시스템에 대한 자체 모니터링 체계를 갖추고 있지 않은 경우","사례 3 : 내부적으로 정의한 임계치를 초과하는 이상 트래픽이 지속적으로 발견되고 있으나, 이에 대한 대응조치가 이루어지고 있지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제6조(접근통제)"]}],"description": "내·외부에 의한 침해시도, 개인정보유출 시도, 부정행위 등을 신속하게 탐지·대응할 수 있도록 네트워크 및 데이터 흐름 등을 수집하여 분석하며, 모니터링 및 점검 결과에 따른 사후조치는 적시에 이루어져야 한다.","checks_status": {"fail": 6,"pass": 1,"total": 28,"manual": 0}},"2.11.4": {"name": "사고 대응 훈련 및 개선","checks": {"ssmincidents_enabled_with_plans": null},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.11.4 사고 대응 훈련 및 개선","Subdomain": "2.11. 사고 예방 및 대응","AuditEvidence": ["침해사고 및 개인정보 유출사고 대응 모의훈련 계획서","침해사고 및 개인정보 유출사고 대응 모의훈련 결과서","침해사고 대응 절차"],"AuditChecklist": ["침해사고 및 개인정보 유출사고 대응 절차에 관한 모의훈련계획을 수립하고 이에 따라 연 1회 이상 주기적으로 훈련을 실시하고 있는가?","침해사고 및 개인정보 유출사고 훈련 결과를 반영하여 침해사고 및 개인정보 유출사고 대응체계를 개선하고 있는가?"],"NonComplianceCases": ["사례 1 : 침해사고 모의훈련을 수행하지 않았거나 관련 계획서 및 결과보고서가 확인되지 않은 경우","사례 2 : 연간 침해사고 모의훈련 계획을 수립하였으나 타당한 사유 또는 승인 없이 해당 기간 내에 실시하지 않은 경우","사례 3 : 모의훈련을 계획하여 실시하였으나, 관련 내부 지침에 정한 절차 및 서식에 따라 수행하지 않은 경우"],"RelatedRegulations": []}],"description": "침해사고 및 개인정보 유출사고 대응 절차를 임직원과 이해관계자가 숙지하도록 시나리오에 따른 모의훈련을 연 1회 이상 실시하고 훈련결과를 반영하여 대응체계를 개선하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"2.11.5": {"name": "사고 대응 및 복구","checks": {},"status": "PASS","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.11.5 사고 대응 및 복구","Subdomain": "2.11. 
사고 예방 및 대응","AuditEvidence": ["침해사고 대응 절차","침해사고 대응보고서","침해사고 관리대장","개인정보 유출신고서","비상연락망"],"AuditChecklist": ["침해사고 및 개인정보 유출의 징후 또는 발생을 인지한 경우 정의된 침해사고 대응절차에 따라 신속하게 대응 및 보고가 이루어지고 있는가?","개인정보 침해사고 발생 시 관련 법령에 따라 정보주체 통지 및 관계기관 신고 절차를 이행하고 있는가?","침해사고가 종결된 후 사고의 원인을 분석하여 그 결과를 보고하고 관련 조직 및인력과 공유하고 있는가?","침해사고 분석을 통하여 얻은 정보를 활용하여 유사 사고가 재발하지 않도록 대책을 수립하고 필요한 경우 침해사고 대응절차 등을 변경하고 있는가?"],"NonComplianceCases": ["사례 1 : 내부 침해사고 대응지침에는 침해사고 발생 시 내부 정보보호위원회 및 이해관계 부서에게 보고하도록 정하고 있으나, 침해사고 발생 시 담당 부서에서 자체적으로 대응 조치 후 정보보호위원회 및 이해관계 부서에 보고하지 않은 경우","사례 2 : 최근 DDoS 공격으로 의심되는 침해사고로 인하여 서비스 일부가 중단된 사례가 있으나, 이에 대한 원인분석 및 재발방지 대책이 수립되지 않은 경우","사례 3 : 외부 해킹에 의해 개인정보 유출사고가 발생하였으나, 유출된 개인정보 건수가 소량이라는 이유로 72시간 이내에 통지 및 신고가 이루어지지 않은 경우","사례 4 : 담당자의 실수에 의해 인터넷 홈페이지 게시판을 통해 1천명 이상 정보주체에 대한 개인정보 유출이 발생하였으나, 해당 정보주체에 대한 유출 통지가 이루어지지 않은 경우"],"RelatedRegulations": ["개인정보 보호법 제34조(개인정보의 유출 등의 통지·신고)","정보통신망법 제48조의3(침해사고의 신고 등), 제48조의4(침해사고의 원인분석 등)"]}],"description": "침해사고 및 개인정보 유출 징후나 발생을 인지한 때에는 법적 통지 및 신고 의무를 준수하여야 하며, 절차에 따라 신속하게 대응 및 복구하고 사고분석 후 재발방지 대책을 수립하여 대응체계에 반영하여야 한다.","checks_status": {"fail": 0,"pass": 0,"total": 0,"manual": 0}},"2.12.1": {"name": "재해·재난 대비 안전조치","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","s3_bucket_object_lock": "FAIL","vpc_different_regions": null,"efs_have_backup_enabled": "FAIL","elbv2_is_in_multiple_az": "PASS","vpc_subnet_different_az": "PASS","backup_reportplans_exist": null,"neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"autoscaling_group_multiple_az": null,"dms_instance_multi_az_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","documentdb_cluster_backup_enabled": 
null,"s3_bucket_cross_region_replication": "FAIL","kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": null,"redshift_cluster_automated_snapshot": null,"elb_cross_zone_load_balancing_enabled": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","documentdb_cluster_cloudwatch_log_export": null,"elasticache_redis_cluster_backup_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.12.1 재해·재난 대비 안전조치","Subdomain": "2.12. 재해 복구","AuditEvidence": ["IT 재해 복구 지침·절차","IT 재해 복구 계획(RTO, RPO 정의 포함)","비상연락망","개인정보처리시스템 위기대응 매뉴얼"],"AuditChecklist": ["조직의 핵심 서비스(업무) 연속성을 위협할 수 있는 IT 재해 유형을 식별하고, 유형별 피해규모 및 업무에 미치는 영향을 분석하여 핵심 IT 서비스(업무) 및 시스템을식별하고 있는가?","핵심 IT 서비스 및 시스템의 중요도 및 특성에 따른 복구 목표시간, 복구 목표시점을 정의하고 있는가?","재해·재난 발생 시에도 핵심 서비스 및 시스템의 연속성을 보장할 수 있도록 복구 전략 및 대책, 비상시 복구 조직, 비상연락체계, 복구 절차 등 재해 복구 계획을 수립 및 이행하고 있는가?"],"NonComplianceCases": ["사례 1 : IT 재해 복구 절차서 내에 IT 재해 복구 조직 및 역할 정의, 비상연락체계, 복구 절차 및 방법 등 중요한 내용이 누락되어 있는 경우","사례 2 : 비상사태 발생 시 정보시스템의 연속성 확보 및 피해 최소화를 위하여 백업센터를 구축하여 운영하고 있으나, 관련 정책에 백업센터를 활용한 재해 복구 절차 등이 수립되어 있지 않아 재해 복구 시험 및 복구가 효과적으로 진행되기 어려운 경우","사례 3 : 서비스 운영과 관련된 일부 중요 시스템에 대한 복구 목표시간이 정의되어 있지 않으며, 이에 대한 적절한 복구 대책을 마련하고 있지 않은 경우","사례 4 : 재해 복구 관련 지침서 등에 IT 서비스 또는 시스템에 대한 복구 우선순위, 복구 목표시간, 복구 목표시점 등이 정의되어 있지 않은 경우","사례 5 : 현실적 대책 없이 복구 목표시간을 과도 또는 과소하게 설정하고 있거나, 복구 목표시점과 백업정책(대상, 주기 등)이 적절히 연계되지 않아 복구 효과성을 보장할 수 없는 경우"],"RelatedRegulations": ["개인정보 보호법 제29조(안전조치의무)","개인정보의 안전성 확보조치 기준 제11조(재해·재난 대비 안전조치)"]}],"description": "자연재해, 통신·전력 장애, 해킹 등 조직의 핵심 서비스 및 시스템의 운영 연속성을 위협할 수 있는 재해 유형을 식별하고, 유형별 예상 피해규모 및 영향을 분석하여야 한다. 
또한 복구 목표시간, 복구 목표시점을 정의하고 복구 전략 및 대책, 비상시 복구 조직, 비상연락체계, 복구 절차 등 재해 복구체계를 구축하여야 한다.","checks_status": {"fail": 14,"pass": 5,"total": 33,"manual": 0}},"2.12.2": {"name": "재해 복구 시험 및 개선","checks": {"drs_job_exist": "FAIL","backup_plans_exist": "PASS","rds_cluster_multi_az": "FAIL","elb_is_in_multiple_az": "FAIL","rds_instance_multi_az": "FAIL","s3_bucket_object_lock": "FAIL","vpc_different_regions": null,"efs_have_backup_enabled": "FAIL","elbv2_is_in_multiple_az": "PASS","vpc_subnet_different_az": "PASS","backup_reportplans_exist": null,"neptune_cluster_multi_az": null,"elbv2_deletion_protection": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_lifecycle_enabled": "FAIL","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"autoscaling_group_multiple_az": null,"dms_instance_multi_az_enabled": null,"ec2_ebs_volume_snapshots_exists": "FAIL","rds_cluster_deletion_protection": "FAIL","rds_instance_deletion_protection": "FAIL","documentdb_cluster_backup_enabled": null,"s3_bucket_cross_region_replication": "FAIL","kms_cmk_not_deleted_unintentionally": null,"neptune_cluster_deletion_protection": null,"redshift_cluster_automated_snapshot": null,"elb_cross_zone_load_balancing_enabled": "PASS","lightsail_instance_automated_snapshots": null,"dlm_ebs_snapshot_lifecycle_policy_exists": "FAIL","documentdb_cluster_cloudwatch_log_export": null,"elasticache_redis_cluster_backup_enabled": null,"elasticache_redis_cluster_multi_az_enabled": null},"status": "FAIL","attributes": [{"Domain": "2. 보호대책 요구사항","Section": "2.12.2 재해 복구 시험 및 개선","Subdomain": "2.12. 
재해 복구","AuditEvidence": ["IT 재해 복구 절차서","IT 재해 복구 시험 계획서","IT 재해 복구 시험 결과서"],"AuditChecklist": ["수립된 IT 재해 복구체계의 실효성을 판단하기 위하여 재해 복구 시험계획을 수립 및 이행하고 있는가?","시험결과, 정보시스템 환경변화, 법률 등에 따른 변화를 반영할 수 있도록 복구전략 및 대책을 정기적으로 검토·보완하고 있는가?"],"NonComplianceCases": ["사례 1 : 재해 복구 훈련을 계획·시행하지 않았거나 관련 계획서 및 결과보고서가 확인되지 않은 경우","사례 2 : 재해 복구 훈련 계획을 수립하였으나, 타당한 사유 또는 승인 없이 계획대로 실시하지 않았거나 관련 결과보고가 확인되지 않은 경우","사례 3 : 재해 복구 훈련을 계획하여 실시하였으나, 내부 관련 지침에 정한 절차 및 서식에 따라 이행되지 않아 수립한 재해 복구 절차의 적정성 및 효과성을 평가하기 위한 훈련으로 보기 어려운 경우"],"RelatedRegulations": []}],"description": "재해 복구 전략 및 대책의 적정성을 정기적으로 시험하여 시험결과, 정보시스템 환경변화, 법규 등에 따른 변화를 반영하여 복구전략 및 대책을 보완하여야 한다.","checks_status": {"fail": 14,"pass": 5,"total": 33,"manual": 0}}},"requirements_passed": 10,"requirements_failed": 27,"requirements_manual": 64,"total_requirements": 101,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "f9e5248f-1b1d-4256-b2a1-3b571315c190","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "cis_1.4_aws","framework": "CIS","version": "1.4","description": "The CIS Benchmark for CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 1 and 2 provides prescriptive guidance for configuring security options for a subset of Amazon Web Services. It has an emphasis on foundational, testable, and architecture agnostic settings","region": "eu-west-1","requirements": {"1.1": {"name": "1.1","checks": {"account_maintain_current_contact_details": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info","Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.","DefaultValue": null,"AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, review and verify the current details. 4. Under `Contact Information`, review and verify the current details.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. 
This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.","RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`. 4. Next to the field that you need to update, choose `Edit`. 5. After you have entered your changes, choose `Save changes`. 6. After you have made your changes, choose `Done`. 7. To edit your contact information, under `Contact Information`, choose `Edit`. 8. For the fields that you want to change, type your updated information, and then choose `Update`.","AdditionalInformation": ""}],"description": "Maintain current contact details","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.2": {"name": "1.2","checks": {"account_security_contact_information_is_registered": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if security contact information is present:**From Console:**1. Click on your account name at the top right corner of the console 2. From the drop-down menu Click `My Account`3. 
Scroll down to the `Alternate Contacts` section 4. Ensure contact information is specified in the `Security` section","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.","RemediationProcedure": "Perform the following to establish security contact information:**From Console:**1. Click on your account name at the top right corner of the console. 2. From the drop-down menu Click `My Account`3. Scroll down to the `Alternate Contacts` section 4. Enter contact information in the `Security` section**Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.","AdditionalInformation": ""}],"description": "Ensure security contact information is registered","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.3": {"name": "1.3","checks": {"account_security_questions_are_registered_in_the_aws_account": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "","Description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS account as the 'root' user 2. On the top right you will see the __ 3. Click on the __ 4. From the drop-down menu Click `My Account`5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions. 6. Click `Save questions` .","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "When creating a new AWS account, a default super user is automatically created. 
This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.","RemediationProcedure": "**From Console:**1. Login to the AWS Account as the 'root' user 2. Click on the __ from the top right of the console 3. From the drop-down menu Click _My Account_ 4. Scroll down to the `Configure Security Questions` section 5. Click on `Edit`6. Click on each `Question` - From the drop-down select an appropriate question- Click on the `Answer` section- Enter an appropriate answer - Follow process for all 3 questions 7. Click `Update` when complete 8. Save Questions and Answers and place in a secure physical location","AdditionalInformation": ""}],"description": "Ensure security questions are registered in the AWS account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.4": {"name": "1.4","checks": {"iam_no_root_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/","Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. 
It is recommended that all access keys associated with the 'root' user account be removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .**From Command Line:**Run the following command: ```aws iam get-account-summary | grep \"AccountAccessKeysPresent\"``` If no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,. If the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged.","RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys**From Console:**1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. Click on __ at the top right and select `My Security Credentials` from the drop down list 3. On the pop out screen Click on `Continue to Security Credentials`4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_ 5. Under the `Status` column if there are any Keys which are Active- Click on `Make Inactive` - (Temporarily disable Key - may be needed again)- Click `Delete` - (Deleted keys cannot be recovered)","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions is not enabled by default. 
However, on request to AWS support enables 'root' access only through access-keys (CLI, API methods) for us-gov cloud region."}],"description": "Ensure no 'root' user account access key exists","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.5": {"name": "1.5","checks": {"iam_root_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.**Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on `Credential Report`5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `` user, ensure the `mfa_active` field is set to `TRUE` .**From Command Line:**1. 
Run the following command: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ``` 2. Ensure the AccountMFAEnabled property is set to 1","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` . 5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. 
For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.When you are finished, the virtual MFA device starts generating one-time passwords.In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.","AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions does not have console access. This recommendation is not applicable for us-gov cloud regions."}],"description": "Ensure MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.6": {"name": "1.6","checks": {"iam_root_hardware_mfa_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root","Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:1. 
Run the following command to determine if the 'root' account has MFA setup: ```aws iam get-account-summary | grep \"AccountMFAEnabled\" ```The `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled. If `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled. Run the following command to list all virtual MFA devices: ```aws iam list-virtual-mfa-devices``` If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation: `\"SerialNumber\": \"arn:aws:iam::__:mfa/root-account-mfa-device\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.","RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials. 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`4. 
In the wizard, choose `A hardware MFA` device and then choose `Next Step` . 5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device. 6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. 7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number. 8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.Remediation for this recommendation is not available through AWS CLI.","AdditionalInformation": "IAM User account 'root' for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions."}],"description": "Ensure hardware MFA is enabled for the 'root' user account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.7": {"name": "1.7","checks": {"iam_avoid_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html","Description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/` 2. 
In the left pane, click `Credential Report` 3. Click on `Download Report` 4. Open of Save the file locally 5. Locate the `` under the user column 6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.**From Command Line:**Run the following CLI commands to provide a credential report for determining the last time the 'root user' was used: ``` aws iam generate-credential-report ``` ``` aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '' ```Review `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.**Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.","RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user.**Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.","AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. 
If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.Monitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user."}],"description": "Eliminate use of the 'root' user for administrative and daily tasks","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.8": {"name": "1.8","checks": {"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Minimum password length\" is set to 14 or greater.**From Command Line:** ``` aws iam get-account-password-policy ``` Ensure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Setting a password complexity policy increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. 
Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Set \"Minimum password length\" to `14` or greater. 5. Click \"Apply password policy\"**From Command Line:** ```aws iam update-account-password-policy --minimum-password-length 14 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy requires minimum length of 14 or greater","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.9": {"name": "1.9","checks": {"iam_password_policy_reuse_24": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy","Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Prevent password reuse\" is checked 5. 
Ensure \"Number of passwords to remember\" is set to 24**From Command Line:** ``` aws iam get-account-password-policy``` Ensure the output of the above command includes \"PasswordReusePrevention\": 24","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Preventing password reuse increases account resiliency against brute force login attempts.","RemediationProcedure": "Perform the following to set the password policy as prescribed:**From Console:**1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Check \"Prevent password reuse\" 5. Set \"Number of passwords to remember\" is set to `24` **From Command Line:** ```aws iam update-account-password-policy --password-reuse-prevention 24 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.","AdditionalInformation": ""}],"description": "Ensure IAM password policy prevents password reuse","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.1": {"name": "3.1","checks": {"cloudtrail_multi_region_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events","Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane- You will be presented with a list of trails across all regions 3. Ensure at least one Trail has `All` specified in the `Region` column 4. Click on a trail via the link in the _Name_ column 5. Ensure `Logging` is set to `ON`6. Ensure `Apply trail to all regions` is set to `Yes` 7. In section `Management Events` ensure `Read/Write Events` set to `ALL`**From Command Line:** ```aws cloudtrail describe-trails ``` Ensure `IsMultiRegionTrail` is set to `true```` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `true` ``` aws cloudtrail get-event-selectors --trail-name  ``` Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`","ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html","AssessmentStatus": "Automated","RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. 
Additionally, - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected- ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated onAWS global services- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account","RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on _Trails_ on the left navigation pane 3. Click `Get Started Now` , if presented- Click `Add new trail` - Enter a trail name in the `Trail name` box- Set the `Apply trail to all regions` option to `Yes` - Specify an S3 bucket name in the `S3 bucket` box- Click `Create`4. If 1 or more trails already exist, select the target trail to enable for global logging 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`. 6. 
Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.**From Command Line:** ``` aws cloudtrail create-trail --name  --bucket-name  --is-multi-region-trailaws cloudtrail update-trail --name  --is-multi-region-trail ```Note: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.","AdditionalInformation": ""}],"description": "Ensure CloudTrail is enabled in all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.2": {"name": "3.2","checks": {"cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.","DefaultValue": null,"AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. 
For Every Trail: - Click on a trail via the link in the _Name_ column - Under the `General details` section, ensure `Log file validation` is set to `Enabled` **From Command Line:** ``` aws cloudtrail describe-trails ``` Ensure `LogFileValidationEnabled` is set to `true` for each trail","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling log file validation will provide additional integrity checking of CloudTrail logs.","RemediationProcedure": "Perform the following to enable log file validation on a given trail:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. Click on target trail 4. Within the `General details` section click `edit` 5. Under the `Advanced settings` section 6. Check the enable box under `Log file validation`7. Click `Save changes` **From Command Line:** ``` aws cloudtrail update-trail --name  --enable-log-file-validation ``` Note that periodic validation of logs using these digests can be performed by running the following command: ``` aws cloudtrail validate-logs --trail-arn  --start-time  --end-time  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail log file validation is enabled","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.3": {"name": "3.3","checks": {"cloudtrail_logs_s3_bucket_is_not_publicly_accessible": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html","Description": "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. 
It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the `API activity history` pane on the left, click `Trails`3. In the `Trails` pane, note the bucket names in the `S3 bucket` column 4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 5. For each bucket noted in step 3, right-click on the bucket and click `Properties`6. In the `Properties` pane, click the `Permissions` tab. 7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.`9. If the `Edit bucket policy` button is present, click it to review the bucket policy. 10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName' ``` 2. Ensure the `AllUsers` principal is not granted privileges to that `` : ```aws s3api get-bucket-acl --bucket  --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]' ``` 3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that ``: ```aws s3api get-bucket-acl --bucket  --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]' ``` 4. 
Get the S3 Bucket Policy ```aws s3api get-bucket-policy --bucket ``` 5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}**Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.","RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 2. Right-click on the bucket and click Properties 3. In the `Properties` pane, click the `Permissions` tab. 4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 5. Select the row that grants permission to `Everyone` or `Any Authenticated User`6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row). 7. Click `Save` to save the ACL. 8. If the `Edit bucket policy` button is present, click it. 9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.","AdditionalInformation": ""}],"description": "Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"3.4": {"name": "3.4","checks": {"cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html","Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Under `Trails` , click on the CloudTrail you wish to evaluate 3. Under the `CloudWatch Logs` section. 4. Ensure a `CloudWatch Logs` log group is configured and listed. 5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.**From Command Line:**1. Run the following command to get a listing of existing trails: ```aws cloudtrail describe-trails ``` 2. 
Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property. 3. Using the noted value of the `Name` property, run the following command: ```aws cloudtrail get-trail-status --name  ``` 4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.If the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.","ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.","RemediationProcedure": "Perform the following to establish the prescribed state:**From Console:**1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Select the `Trail` the needs to be updated. 3. Scroll down to `CloudWatch Logs` 4. Click `Edit` 5. Under `CloudWatch Logs` click the box `Enabled` 6. Under `Log Group` pick new or select an existing log group 7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group. 8. 
Under `IAM Role` pick new or select an existing. 9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role. 10. Click `Save changes.**From Command Line:** ``` aws cloudtrail update-trail --name  --cloudwatch-logs-log-group-arn  --cloudwatch-logs-role-arn  ```","AdditionalInformation": ""}],"description": "Ensure CloudTrail trails are integrated with CloudWatch Logs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.5": {"name": "3.5","checks": {"config_recorder_all_regions_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html","Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.","DefaultValue": null,"AuditProcedure": "Process to evaluate AWS Config configuration per region**From Console:**1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 2. On the top right of the console select target Region. 3. If presented with Setup AWS Config - follow remediation procedure: 4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 5. Ensure 1 or both check-boxes under \"All Resources\" is checked.- Include global resources related to IAM resources - which needs to be enabled in 1 region only 6. Ensure the correct S3 bucket has been defined. 7. Ensure the correct SNS topic has been defined. 8. Repeat steps 2 to 7 for each region.**From Command Line:**1. 
Run this command to show all AWS Config recorders and their properties: ``` aws configservice describe-configuration-recorders ``` 2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])Sample Output:``` {\"ConfigurationRecorders\": [{\"recordingGroup\": {\"allSupported\": true,\"resourceTypes\": [],\"includeGlobalResourceTypes\": true},\"roleARN\": \"arn:aws:iam:::role/service-role/\",\"name\": \"default\"}] } ```3. Run this command to show the status for all AWS Config recorders: ``` aws configservice describe-configuration-recorder-status ``` 4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`","ImpactStatement": "It is recommended AWS Config be enabled in all regions.","AssessmentStatus": "Automated","RationaleStatement": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.","RemediationProcedure": "To implement AWS Config configuration:**From Console:**1. Select the region you want to focus on in the top right of the console 2. Click `Services`3. Click `Config`4. Define which resources you want to record in the selected region 5. Choose to include global resources (IAM resources) 6. Specify an S3 bucket in the same account or in another managed AWS account 7. Create an SNS Topic from the same AWS account or another managed AWS account**From Command Line:**1. 
Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 2. Run this command to set up the configuration recorder ``` aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole ``` 3. Run this command to start the configuration recorder: ``` start-configuration-recorder --configuration-recorder-name  ```","AdditionalInformation": ""}],"description": "Ensure AWS Config is enabled in all regions","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.6": {"name": "3.6","checks": {"cloudtrail_logs_s3_bucket_access_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html","Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.","DefaultValue": null,"AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:**From Console:**1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the API activity history pane on the left, click Trails 3. In the Trails pane, note the bucket names in the S3 bucket column 4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 5. Under `All Buckets` click on a target S3 bucket 6. 
Click on `Properties` in the top right of the console 7. Under `Bucket:` _ `` _ click on `Logging`8. Ensure `Enabled` is checked.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ```aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'``` 2. Ensure Bucket Logging is enabled: ``` aws s3api get-bucket-logging --bucket  ``` Ensure command does not returns empty output.Sample Output for a bucket with logging enabled:``` {\"LoggingEnabled\": {\"TargetPrefix\": \"\",\"TargetBucket\": \"\"} } ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.","RemediationProcedure": "Perform the following to enable S3 bucket logging:**From Console:**1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 2. Under `All Buckets` click on the target S3 bucket 3. Click on `Properties` in the top right of the console 4. Under `Bucket:`  click on `Logging`5. Configure bucket logging- Click on the `Enabled` checkbox- Select Target Bucket from list- Enter a Target Prefix 6. Click `Save`.**From Command Line:**1. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --region  --query trailList[*].S3BucketName ``` 2. Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``: ``` {\"LoggingEnabled\": {\"TargetBucket\": \"\",\"TargetPrefix\": \"\",\"TargetGrants\": [{\"Grantee\": {\"Type\": \"AmazonCustomerByEmail\",\"EmailAddress\": \"\"},\"Permission\": \"FULL_CONTROL\"}]}} ``` 3. 
Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): ``` aws s3api put-bucket-logging --bucket  --bucket-logging-status file:// ```","AdditionalInformation": ""}],"description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.7": {"name": "3.7","checks": {"cloudtrail_kms_encryption_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html","Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Select a Trail 4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.**From Command Line:**1. 
Run the following command: ```aws cloudtrail describe-trails``` 2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.","ImpactStatement": "Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.","AssessmentStatus": "Automated","RationaleStatement": "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.","RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:**From Console:**1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Click on a Trail 4. Under the `S3` section click on the edit button (pencil icon) 5. Click `Advanced`6. Select an existing CMK from the `KMS key Id` drop-down menu- Note: Ensure the CMK is located in the same region as the S3 bucket- Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy 7. Click `Save`8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. 9. Click `Yes` **From Command Line:** ``` aws cloudtrail update-trail --name  --kms-id  aws kms put-key-policy --key-id  --policy  ```","AdditionalInformation": "3 statements which need to be added to the CMK policy:1\\. Enable Cloudtrail to describe CMK properties ``` 
{\"Sid\": \"Allow CloudTrail access\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:DescribeKey\",\"Resource\": \"*\" } ``` 2\\. Granting encrypt permissions ``` 
{\"Sid\": \"Allow CloudTrail to encrypt logs\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"cloudtrail.amazonaws.com\"},\"Action\": \"kms:GenerateDataKey*\",\"Resource\": \"*\",\"Condition\": {\"StringLike\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": [\"arn:aws:cloudtrail:*:aws-account-id:trail/*\"]}} } ``` 3\\. Granting decrypt permissions ``` 
{\"Sid\": \"Enable CloudTrail log decrypt permissions\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"arn:aws:iam::aws-account-id:user/username\"},\"Action\": \"kms:Decrypt\",\"Resource\": \"*\",\"Condition\": {\"Null\": {\"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"}} } ```"}],"description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"3.8": {"name": "3.8","checks": {"kms_cmk_rotation_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final","Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the `General configuration` panel open the tab `Key rotation` 5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated 6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"**From Command Line:**1. 
Run the following command to get a list of all keys and their associated `KeyIds````aws kms list-keys ``` 2. For each key, note the KeyId and run the following command ``` describe-key --key-id  ``` 3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command ```aws kms get-key-rotation-status --key-id  ``` 4. Ensure `KeyRotationEnabled` is set to `true` 5. Repeat steps 2 - 4 for all remaining CMKs","ImpactStatement": "Creation, management, and storage of CMKs may require additional time from and administrator.","AssessmentStatus": "Automated","RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` . 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the \"General configuration\" panel open the tab \"Key rotation\" 5. Check the \"Automatically rotate this KMS key every year.\" checkbox**From Command Line:**1. Run the following command to enable key rotation: ```aws kms enable-key-rotation --key-id  ```","AdditionalInformation": ""}],"description": "Ensure rotation for customer created symmetric CMKs is enabled","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.9": {"name": "3.9","checks": {"vpc_flow_logs_enabled": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "3. 
Logging","References": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html","Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. Ensure a Log Flow exists that has `Active` in the `Status` column.**From Command Line:**1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region: ``` aws ec2 describe-vpcs --region  --query Vpcs[].VpcId ``` 2. The command output returns the `VpcId` available in the selected region. 3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled: ``` aws ec2 describe-flow-logs --filter \"Name=resource-id,Values=\" ``` 4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`. 5. Repeat step 3 for other VPCs available in the same region. 6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.","ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. 
You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html","AssessmentStatus": "Automated","RationaleStatement": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.","RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:**From Console:**1. Sign into the management console 2. Select `Services` then `VPC`3. In the left navigation pane, select `Your VPCs`4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. If no Flow Log exists, click `Create Flow Log`7. For Filter, select `Reject` 8. Enter in a `Role` and `Destination Log Group`9. Click `Create Log Flow`10. Click on `CloudWatch Logs Group` **Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.**From Command Line:**1. Create a policy document and name it as `role_policy_document.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Sid\": \"test\",\"Effect\": \"Allow\",\"Principal\": {\"Service\": \"ec2.amazonaws.com\"},\"Action\": \"sts:AssumeRole\"}] } ``` 2. 
Create another policy document and name it as `iam_policy.json` and paste the following content: ``` {\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Action\":[\"logs:CreateLogGroup\",\"logs:CreateLogStream\",\"logs:DescribeLogGroups\",\"logs:DescribeLogStreams\",\"logs:PutLogEvents\",\"logs:GetLogEvents\",\"logs:FilterLogEvents\"],\"Resource\": \"*\"}] } ``` 3. Run the below command to create an IAM role: ``` aws iam create-role --role-name  --assume-role-policy-document file://role_policy_document.json``` 4. Run the below command to create an IAM policy: ``` aws iam create-policy --policy-name  --policy-document file://iam-policy.json ``` 5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned): ``` aws iam attach-group-policy --policy-arn arn:aws:iam:::policy/ --group-name  ``` 6. Run `describe-vpcs` to get the VpcId available in the selected region: ``` aws ec2 describe-vpcs --region  ``` 7. The command output should return the VPC Id available in the selected region. 8. Run `create-flow-logs` to create a flow log for the vpc: ``` aws ec2 create-flow-logs --resource-type VPC --resource-ids  --traffic-type REJECT --log-group-name  --deliver-logs-permission-arn  ``` 9. Repeat step 8 for other vpcs available in the selected region. 10. Change the region by updating --region and repeat remediation procedure for other vpcs.","AdditionalInformation": ""}],"description": "Ensure VPC flow logging is enabled in all VPCs","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"4.1": {"name": "4.1","checks": {"cloudwatch_log_metric_filter_unauthorized_api_calls": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. 
Monitoring","References": "https://aws.amazon.com/sns/:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with \"Name\":` note ``- From value associated with \"CloudWatchLogsLogGroupArn\" note Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this `` that you captured in step 1:``` aws logs describe-metric-filters --log-group-name \"\" ```3. 
Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\", ```4. Note the \"filterName\" `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\" ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.","AssessmentStatus": "Automated","RationaleStatement": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `` taken from audit step 1. 
``` aws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms. **Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for unauthorized API calls","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.2": {"name": "4.2","checks": {"cloudwatch_log_metric_filter_sign_in_without_mfa": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all `CloudTrails`:``` aws cloudtrail describe-trails ```- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region `CloudTrail` is active``` aws cloudtrail get-trail-status --name  ```Ensure in the output that `IsLogging` is set to `TRUE`- Ensure identified Multi-region 'Cloudtrail' captures all Management Events``` aws cloudtrail get-event-selectors --trail-name  ```Ensure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\" ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `` taken from audit step 1.Use Command: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' ```Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored -Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account."}],"description": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.3": {"name": "4.3","checks": {"cloudwatch_log_metric_filter_root_usage": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for 'root' login attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**- ensures that activities from all regions (used as well as unused) are monitored- ensures that activities on all supported global services are monitored- ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for usage of 'root' account","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.4": {"name": "4.4","checks": {"cloudwatch_log_metric_filter_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails:`aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `` --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for IAM policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.5": {"name": "4.5","checks": {"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.6": {"name": "4.6","checks": {"cloudwatch_log_metric_filter_authentication_failures": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.7": {"name": "4.7","checks": {"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Data encrypted with disabled or deleted keys will no longer be accessible.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.8": {"name": "4.8","checks": {"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for S3 bucket policy changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.9": {"name": "4.9","checks": {"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for AWS Config configuration changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"5.1": {"name": "5.1","checks": {"ec2_networkacl_allow_ingress_any_port": "FAIL","ec2_networkacl_allow_ingress_tcp_port_22": "FAIL","ec2_networkacl_allow_ingress_tcp_port_3389": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison","Description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "**From Console:**Perform the following to determine if the account is configured as prescribed: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. 
For each network ACL, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "**From Console:**Perform the following: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL to remediate, perform the following:- Select the network ACL- Click the `Inbound Rules` tab- Click `Edit inbound rules`- Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule- Click `Save`","AdditionalInformation": ""}],"description": "Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 3,"pass": 0,"total": 3,"manual": 0}},"5.2": {"name": "5.2","checks": {"ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule","Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.","ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.","AssessmentStatus": "Automated","RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.","RemediationProcedure": "Perform the following to implement the prescribed state:1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule 6. 
Click `Save rules`","AdditionalInformation": ""}],"description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports","checks_status": {"fail": 0,"pass": 3,"total": 3,"manual": 0}},"5.3": {"name": "5.3","checks": {"ec2_securitygroup_default_restrict_traffic": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "5. Networking","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group","Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.**NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if the account is configured as prescribed:Security Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exist 4. Click the `Outbound Rules` tab 5. Ensure no rules existSecurity Group Members1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. Copy the id of the default security group. 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home 6. In the filter column type 'Security Group ID : < security group id from #4 >'","ImpactStatement": "Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. 
Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.","AssessmentStatus": "Automated","RationaleStatement": "Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.","RemediationProcedure": "Security Group MembersPerform the following to implement the prescribed state:1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security groupSecurity Group State1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Remove any inbound rules 4. Click the `Outbound Rules` tab 5. Remove any Outbound rulesRecommended:IAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"","AdditionalInformation": ""}],"description": "Ensure the default security group of every VPC restricts all traffic","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"5.4": {"name": "5.4","checks": {"vpc_peering_routing_tables_with_least_privilege": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "5. 
Networking","References": "https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html","Description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.","DefaultValue": null,"AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.**From Command Line:**1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a __ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired. ``` aws ec2 describe-route-tables --filter \"Name=vpc-id,Values=\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\" ```","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.","RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.**From Command Line:**1. For each __ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route: ``` aws ec2 delete-route --route-table-id  --destination-cidr-block  ```2. 
Create a new compliant route: ``` aws ec2 create-route --route-table-id  --destination-cidr-block  --vpc-peering-connection-id  ```","AdditionalInformation": "If an organization has AWS transit gateway implemented in their VPC architecture they should look to apply the recommendation above for \"least access\" routing architecture at the AWS transit gateway level in combination with what must be implemented at the standard VPC route table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs must have an attachment to a transit gateway route table as well as a route, therefore to avoid routing traffic between VPCs an attachment to the transit gateway route table should only be added where there is an intention to route traffic between the VPCs. As transit gateways are able to host multiple route tables it is possible to group VPCs by attaching them to a common route table."}],"description": "Ensure routing tables for VPC peering are \"least access\"","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.10": {"name": "1.10","checks": {"iam_user_mfa_enabled_console_access": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users","Description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. 
With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:**From Console:**1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left pane, select `Users`3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`. 4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8``` 2. The output of this command will produce a table similar to the following: ```user,password_enabled,mfa_activeelise,false,falsebrandon,true,truerakesh,false,falsehelene,false,falseparas,true,trueanitha,false,false``` 3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`","ImpactStatement": "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. 
We recommend that existing customers switch to one of the following alternative methods of MFA.","AssessmentStatus": "Automated","RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.","RemediationProcedure": "Perform the following to enable MFA:**From Console:**1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' 2. In the left pane, select `Users`. 3. In the `User Name` list, choose the name of the intended MFA user. 4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`. 5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following: - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application. When you are finished, the virtual MFA device starts generating one-time passwords.8. 
In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.9. Click `Assign MFA`.","AdditionalInformation": "**Forced IAM User Self-Service Remediation**Amazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts."}],"description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.11": {"name": "1.11","checks": {"iam_user_no_setup_initial_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html","Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. 
AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM`4. Click on a User where column `Password age` and `Access key age` is not set to `None` 5. Click on `Security credentials` Tab 6. Compare the user 'Creation time` to the Access Key `Created` date. 6. For any that match, the key was created during initial user setup.- Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.**From Command Line:**1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization: ```aws iam generate-credential-report ``` ```aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16 ``` 2. The output of this command will produce a table similar to the following: ``` user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_dateelise,false,true,2015-04-16T15:14:00+00:00,false,N/Abrandon,true,true,N/A,false,N/Arakesh,false,false,N/A,false,N/Ahelene,false,true,2015-11-18T17:47:00+00:00,false,N/Aparas,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A``` 3. 
For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.","RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:**From Console:**1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. As an Administrator - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User- Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.**From Command Line:** ``` aws iam delete-access-key --access-key-id  --user-name  ```","AdditionalInformation": "Credential report does not appear to contain \"Key Creation Date\""}],"description": "Do not setup access keys during initial user setup for all IAM users that have a console password","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.12": {"name": "1.12","checks": {"iam_user_accesskey_unused": null,"iam_user_console_access_unused": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if unused credentials exist:**From Console:**1. Login to the AWS Management Console 2. Click `Services`3. Click `IAM` 4. Click on `Users` 5. Click the `Settings` (gear) icon. 6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id` 7. Click on `Close`8. Check and ensure that `Console last sign-in` is less than 45 days ago.**Note** - `Never` means the user has never logged in.9. Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.**From Command Line:****Download Credential Report:**1. Run the following commands: ```aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^' ```**Ensure unused credentials do not exist:**2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.3. 
For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.- When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.","RemediationProcedure": "**From Console:**Perform the following to manage Unused Password (IAM user console access)1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select user whose `Console last sign-in` is greater than 45 days 7. Click `Security credentials` 8. In section `Sign-in credentials`, `Console password` click `Manage`9. Under Console Access select `Disable` 10.Click `Apply`Perform the following to deactivate Access Keys:1. Login to the AWS Management Console: 2. Click `Services`3. Click `IAM`4. Click on `Users`5. Click on `Security Credentials`6. Select any access keys that are over 45 days old and that have been used and - Click on `Make Inactive` 7. Select any access keys that are over 45 days old and that have not been used and - Click the X to `Delete`","AdditionalInformation": " is excluded in the audit since the root account should not be used for day to day business and would likely be unused for more than 45 days."}],"description": "Ensure credentials unused for 45 days or greater are disabled","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.13": {"name": "1.13","checks": {"iam_user_two_active_access_key": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)","DefaultValue": null,"AuditProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. - Repeat steps no. 3 – 5 for each IAM user in your AWS account.**From Command Line:**1. Run `list-users` command to list all IAM users within your account: ``` aws iam list-users --query \"Users[*].UserName\" ``` The command output should return an array that contains all your IAM user names.2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user: ``` aws iam list-access-keys --user-name  ``` The command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.3. Check the `Status` property value for each key returned to determine each keys current state. 
If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.- Repeat steps no. 2 and 3 for each IAM user in your AWS account.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.","RemediationProcedure": "**From Console:**1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. 6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link. 7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key. 8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.**From Command Line:**1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). 
Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user**Note** - the command does not return any output: ``` aws iam update-access-key --access-key-id  --status Inactive --user-name  ``` 3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User: ``` aws iam list-access-keys --user-name  ``` - The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.","AdditionalInformation": ""}],"description": "Ensure there is only one active access key available for any single IAM user","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.14": {"name": "1.14","checks": {"iam_rotate_access_key_90_days": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html","Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. 
It is recommended that all access keys be regularly rotated.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click `setting` icon 4. Select `Console last sign-in` 5. Click `Close` 6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.**From Command Line:**``` aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d ``` The `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A (not applicable).","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.","RemediationProcedure": "Perform the following to rotate access keys:**From Console:**1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click on `Security Credentials`4. As an Administrator - Click on `Make Inactive` for keys that have not been rotated in `90` Days 5. As an IAM User- Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days 6. Click on `Create Access Key`7. Update programmatic call with new Access Key credentials**From Command Line:**1. While the first access key is still active, create a second access key, which is active by default. Run the following command: ``` aws iam create-access-key ```At this point, the user has two active access keys.2. 
Update all applications and tools to use the new access key. 3. Determine whether the first access key is still in use by using this command: ``` aws iam get-access-key-last-used ``` 4. One approach is to wait several days and then check the old access key for any use before proceeding.Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command: ``` aws iam update-access-key ``` 5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command: ``` aws iam delete-access-key ```","AdditionalInformation": ""}],"description": "Ensure access keys are rotated every 90 days or less","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.15": {"name": "1.15","checks": {"iam_policy_attached_only_to_group_or_roles": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html","Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. 
Only the third implementation is recommended.","DefaultValue": null,"AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:1. Run the following to get a list of IAM users: ```aws iam list-users --query 'Users[*].UserName' --output text``` 2. For each user returned, run the following command to determine if any policies are attached to them: ```aws iam list-attached-user-policies --user-name aws iam list-user-policies --user-name ``` 3. If any policies are returned, the user has an inline policy or direct policy attachment.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.","RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups` and then click `Create New Group` . 3. In the `Group Name` box, type the name of the group and then click `Next Step` . 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` . 5. Click `Create Group` Perform the following to add a user to a given group:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups`3. Select the group to add a user to 4. Click `Add Users To Group`5. Select the users to be added to the group 6. Click `Add Users` Perform the following to remove a direct association between a user and policy:1. 
Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left navigation pane, click on Users 3. For each user:- Select the user- Click on the `Permissions` tab- Expand `Permissions policies` - Click `X` for each policy; then click Detach or Remove (depending on policy type)","AdditionalInformation": ""}],"description": "Ensure IAM Users Receive Permissions Only Through Groups","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.16": {"name": "1.16","checks": {"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam","Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges.","DefaultValue": null,"AuditProcedure": "Perform the following to determine what policies are created:**From Command Line:**1. Run the following to get a list of IAM policies: ```aws iam list-policies --only-attached --output text ``` 2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account: ```aws iam get-policy-version --policy-arn  --version-id  ``` 3. 
In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.","RemediationProcedure": "**From Console:**Perform the following to detach the policy that has full administrative privileges:1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click Policies and then search for the policy name found in the audit step. 3. Select the policy that needs to be deleted. 4. In the policy action menu, select first `Detach`5. Select all Users, Groups, Roles that have this policy attached 6. Click `Detach Policy`7. In the policy action menu, select `Detach` **From Command Line:**Perform the following to detach the policy that has full administrative privileges as found in the audit step:1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.```aws iam list-entities-for-policy --policy-arn  ``` 2. Detach the policy from all IAM Users: ```aws iam detach-user-policy --user-name  --policy-arn  ``` 3. Detach the policy from all IAM Groups: ```aws iam detach-group-policy --group-name  --policy-arn  ``` 4. 
Detach the policy from all IAM Roles: ```aws iam detach-role-policy --role-name  --policy-arn  ```","AdditionalInformation": ""}],"description": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached","checks_status": {"fail": 0,"pass": 0,"total": 2,"manual": 0}},"1.17": {"name": "1.17","checks": {"iam_support_role_created": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html","Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.","DefaultValue": null,"AuditProcedure": "**From Command Line:**1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value: ``` aws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\" ``` 2. Check if the 'AWSSupportAccess' policy is attached to any role:``` aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess ```3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'If it returns empty refer to the remediation below.","ImpactStatement": "All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. 
Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month's AWS usage charges, subject to a monthly minimum, billed in advance.","AssessmentStatus": "Automated","RationaleStatement": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.","RemediationProcedure": "**From Command Line:**1. Create an IAM role for managing incidents with AWS:- Create a trust relationship policy document that allows  to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json: ```{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"\"},\"Action\": \"sts:AssumeRole\"}]} ``` 2. Create the IAM role using the above trust policy: ``` aws iam create-role --role-name  --assume-role-policy-document file:///tmp/TrustPolicy.json ``` 3. Attach 'AWSSupportAccess' managed policy to the created IAM role: ``` aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name  ```","AdditionalInformation": "AWSSupportAccess policy is a global AWS resource. It has same ARN as `arn:aws:iam::aws:policy/AWSSupportAccess` for every account."}],"description": "Ensure a support role has been created to manage incidents with AWS Support","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.18": {"name": "1.18","checks": {"ec2_instance_profile_attached": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. 
Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html","Description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.","DefaultValue": null,"AuditProcedure": "Where an instance is associated with a Role:For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose \"Instances\" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.Where an Instance Contains Embedded Credentials:- On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.Where an Instance Application Contains Embedded Credentials:- Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. 
Another method is to examine all source code and configuration files of the application.","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.","RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known. 2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected. 3. Shutdown both the existing instance and the new instance. 4. Detach disks from both instances. 5. Attach the existing instance disks to the new instance. 6. 
Boot the new instance and you should have the same machine, but with the associated role.**Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.**Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.","AdditionalInformation": ""}],"description": "Ensure IAM instance roles are used for AWS resource access from instances","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.19": {"name": "1.19","checks": {"iam_no_expired_server_certificates_stored": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html","Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. 
Additionally, you cannot manage your certificates from the IAM Console.","DefaultValue": null,"AuditProcedure": "**From Console:**Getting the certificates expiration information via AWS Management Console is not currently supported.To request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**Run list-server-certificates command to list all the IAM-stored server certificates:``` aws iam list-server-certificates ```The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):``` {\"ServerCertificateMetadataList\": [{\"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",\"ServerCertificateName\": \"MyServerCertificate\",\"Expiration\": \"2018-07-10T23:59:59Z\",\"Path\": \"/\",\"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",\"UploadDate\": \"2018-06-10T11:56:08Z\"}] } ```Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.If this command returns: ``` { { \"ServerCertificateMetadataList\": [] } ``` This means that there are no expired certificates, It DOES NOT mean that no certificates exist.","ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. 
One has to make configurations at respective services to ensure there is no interruption in application functionality.","AssessmentStatus": "Automated","RationaleStatement": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.","RemediationProcedure": "**From Console:**Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).**From Command Line:**To delete Expired Certificate run following command by replacing  with the name of the certificate to delete:``` aws iam delete-server-certificate --server-certificate-name  ```When the preceding command is successful, it does not return any output.","AdditionalInformation": ""}],"description": "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"1.20": {"name": "1.20","checks": {"accessanalyzer_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "1. Identity and Access Management","References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html","Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. 
Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Open the IAM console at `https://console.aws.amazon.com/iam/` 2. Choose `Access analyzer` 3. Click 'Analyzers' 4. Ensure that at least one analyzer is present 5. Ensure that the `STATUS` is set to `Active` 6. Repeat these step for each active region**From Command Line:**1. Run the following command: ``` aws accessanalyzer list-analyzers | grep status ``` 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`3. Repeat the steps above for each active region.If an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.","RemediationProcedure": "**From Console:**Perform the following to enable IAM Access analyzer for IAM policies:1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 2. Choose `Access analyzer`. 3. Choose `Create analyzer`. 4. 
On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer. 5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`. 6. Add any tags that you want to apply to the analyzer. `Optional`.7. Choose `Create Analyzer`. 8. Repeat these step for each active region**From Command Line:**Run the following command: ``` aws accessanalyzer create-analyzer --analyzer-name  --type  ``` Repeat this command above for each active region.**Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.","AdditionalInformation": ""}],"description": "Ensure that IAM Access analyzer is enabled for all regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"1.21": {"name": "1.21","checks": {"iam_check_saml_providers_sts": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "1. Identity and Access Management","References": "","Description": "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.","DefaultValue": null,"AuditProcedure": "For multi-account AWS environments with an external identity provider... 1. Determine the master account for identity federation or IAM user management 2. Login to that account through the AWS Management Console 3. Click `Services`4. Click `IAM`5. Click `Identity providers` 6. Verify the configurationThen..., determine all accounts that should not have local users present. For each account...1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. 
Confirm that no IAM users representing individuals are presentFor multi-account AWS environments implementing AWS Organizations without an external identity provider... 1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`5. Click `IAM`6. Click `Users` 7. Confirm that no IAM users representing individuals are present","ImpactStatement": "","AssessmentStatus": "Manual","RationaleStatement": "Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.","RemediationProcedure": "The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.","AdditionalInformation": ""}],"description": "Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.10": {"name": "3.10","checks": {"cloudtrail_s3_dataevents_write_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/` 2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine. 3. 
Review `General details` 4. Confirm that `Multi-region trail` is set to `Yes` 5. Scroll down to `Data events` 6. Confirm that it reads: Data events: S3 Bucket Name: All current and future S3 buckets Read: Enabled Write: Enabled 7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail. If the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.**From Command Line:**1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions: ``` aws cloudtrail list-trails ``` 2. The command output will be a list of all the trail names to include. \"TrailARN\": \"arn:aws:cloudtrail:::trail/\", \"Name\": \"\", \"HomeRegion\": \"\" 3. Next run 'get-trail- command to determine Multi-region. ``` aws cloudtrail get-trail --name  --region  ``` 4. The command output should include: \"IsMultiRegionTrail\": true, 5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 6. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. \"Type\": \"AWS::S3::Object\",\"Values\": [\"arn:aws:s3\" 7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered. 
If Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled. 6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.**From Command Line:**1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. 
Repeat step 1 for each s3 bucket to update `object-level` logging of write events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for write events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"3.11": {"name": "3.11","checks": {"cloudtrail_s3_dataevents_read_enabled": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "3. Logging","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html","Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set. 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.**From Command Line:** 1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: ``` aws cloudtrail describe-trails --region  --output table --query trailList[*].Name ``` 2. The command output will be table of the requested trail names. 3. 
Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: ``` aws cloudtrail get-event-selectors --region  --trail-name  --query EventSelectors[*].DataResources[] ``` 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. 5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. 7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. 
Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled. 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.**From Command Line:** 1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region  --trail-name  --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.","AdditionalInformation": ""}],"description": "Ensure that Object-level logging for read events is enabled for S3 bucket","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.10": {"name": "4.10","checks": {"cloudwatch_log_metric_filter_security_group_changes": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '']\" ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"\" --filter-name \"\" --metric-transformations metricName= \"\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name \"\" ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn \"\" --protocol  --notification-endpoint \"\" ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"\" --metric-name \"\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"\" ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for security group changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.11": {"name": "4.11","checks": {"cloudwatch_changes_to_network_acls_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.12": {"name": "4.12","checks": {"cloudwatch_changes_to_network_gateways_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``: ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\" ``` 4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. 
``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for changes to network gateways","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.13": {"name": "4.13","checks": {"cloudwatch_changes_to_network_route_tables_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for route table changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for route table changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.14": {"name": "4.14","checks": {"cloudwatch_changes_to_vpcs_alarm_configured": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.","DefaultValue": null,"AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:1. 
Identify the log group name configured for use with active multi-region CloudTrail:- List all CloudTrails: `aws cloudtrail describe-trails`- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`- From value associated with CloudWatchLogsLogGroupArn note ``Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:::log-group:NewGroup:*`, `` would be `NewGroup`- Ensure Identified Multi region CloudTrail is active`aws cloudtrail get-trail-status --name `ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events`aws cloudtrail get-event-selectors --trail-name `Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`2. Get a list of all associated metric filters for this ``:``` aws logs describe-metric-filters --log-group-name \"\" ```3. Ensure the output from the above command contains the following:``` \"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\" ```4. Note the `` value associated with the `filterPattern` found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4.``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ```6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.7. 
Ensure there is at least one active subscriber to the SNS topic``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.``` Example of valid \"SubscriptionArn\": \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' ```**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name  ```**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ```**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored"}],"description": "Ensure a log metric filter and alarm exist for VPC changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"4.15": {"name": "4.15","checks": {"cloudwatch_log_metric_filter_aws_organizations_changes": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "4. Monitoring","References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html","Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.","DefaultValue": null,"AuditProcedure": "1. 
Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured: - Identify the log group name configured for use with active multi-region CloudTrail: - List all CloudTrails:``` aws cloudtrail describe-trails ``` - Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true - From value associated with CloudWatchLogsLogGroupArn note **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:::log-group:NewGroup:*,  would be NewGroup- Ensure Identified Multi region CloudTrail is active: ``` aws cloudtrail get-trail-status --name  ``` Ensure `IsLogging` is set to `TRUE`- Ensure identified Multi-region Cloudtrail captures all Management Events: ``` aws cloudtrail get-event-selectors --trail-name  ``` - Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.2. Get a list of all associated metric filters for this : ``` aws logs describe-metric-filters --log-group-name \"\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\" ``` 4. 
Note the `` value associated with the filterPattern found in step 3.5. Get a list of CloudWatch alarms and filter on the `` captured in step 4: ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== ``]' ``` 6. Note the AlarmActions value - this will provide the SNS topic ARN value.7. Ensure there is at least one active subscriber to the SNS topic: ``` aws sns list-subscriptions-by-topic --topic-arn ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. Example of valid \"SubscriptionArn\":``` \"arn:aws:sns::::\" ```","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.","RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:1. 
Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `` taken from audit step 1: ``` aws logs put-metric-filter --log-group-name  --filter-name `` --metric-transformations metricName= `` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }' ``` **Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.2. Create an SNS topic that the alarm will notify: ``` aws sns create-topic --name  ``` **Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.3. Create an SNS subscription to the topic created in step 2: ``` aws sns subscribe --topic-arn  --protocol  --notification-endpoint  ``` **Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.4. 
Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2: ``` aws cloudwatch put-metric-alarm --alarm-name `` --metric-name `` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions  ```","AdditionalInformation": ""}],"description": "Ensure a log metric filter and alarm exists for AWS Organizations changes","checks_status": {"fail": 0,"pass": 0,"total": 1,"manual": 0}},"2.1.1": {"name": "2.1.1","checks": {"s3_bucket_default_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html:https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources","Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select a Bucket. 3. Click on 'Properties'. 4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. Run command to list buckets ``` aws s3 ls ``` 2. For each bucket, run``` aws s3api get-bucket-encryption --bucket  ``` 3. Verify that either``` \"SSEAlgorithm\": \"AES256\" ```or``` \"SSEAlgorithm\": \"aws:kms\"```is displayed.","ImpactStatement": "Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. 
Only SSE-S3 default encryption is supported for server access log destination buckets.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select a Bucket. 3. Click on 'Properties'. 4. Click edit on `Default Encryption`. 5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 6. Click `Save` 7. Repeat for all the buckets in your AWS account lacking encryption.**From Command Line:**Run either``` aws s3api put-bucket-encryption --bucket  --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}' ```or``` aws s3api put-bucket-encryption --bucket  --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}' ```**Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.","AdditionalInformation": "S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does **not** encrypt objects previously stored within the bucket."}],"description": "Ensure all S3 buckets employ encryption-at-rest","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.2": {"name": "2.1.2","checks": {"s3_bucket_secure_transport_policy": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 2","Section": "2.1. 
Simple Storage Service (S3)","References": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html","Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.","DefaultValue": null,"AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions', then Click on `Bucket Policy`. 4. Ensure that a policy is listed that matches: ``` '{\"Sid\": ,\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}' ``` `` and `` will be specific to your account5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets``` aws s3 ls ``` 2. Using the list of buckets run this command on each of them: ``` aws s3api get-bucket-policy --bucket  | grep aws:SecureTransport ``` 3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false` 4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. 
To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions'. 4. Click 'Bucket Policy' 5. Add this to the existing policy filling in the required information ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 6. Save 7. Repeat for all the buckets in your AWS account that contain sensitive data.**From Console** using AWS Policy Generator:1. Repeat steps 1-4 above. 2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor 3. Select Policy Type `S3 Bucket Policy` 4. Add Statements - `Effect` = Deny - `Principal` = * - `AWS Service` = Amazon S3 - `Actions` = * - `Amazon Resource Name` =  5. Generate Policy 6. Copy the text and add it to the Bucket Policy.**From Command Line:**1. Export the bucket policy to a json file. ``` aws s3api get-bucket-policy --bucket  --query Policy --output text > policy.json ```2. Modify the policy.json file by adding in this statement: ``` {\"Sid\": \",\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"s3:*\",\"Resource\": \"arn:aws:s3:::/*\",\"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}} ``` 3. 
Apply this modified policy back to the S3 bucket: ``` aws s3api put-bucket-policy --bucket  --policy file://policy.json ```","AdditionalInformation": ""}],"description": "Ensure S3 Bucket Policy is set to deny HTTP requests","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.3": {"name": "2.1.3","checks": {"s3_bucket_no_mfa_delete": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html","Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","DefaultValue": null,"AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket**From Console:**1. Login to the S3 console at `https://console.aws.amazon.com/s3/`2. Click the `Check` box next to the Bucket name you want to confirm3. In the window under `Properties`4. Confirm that Versioning is `Enabled`5. Confirm that MFA Delete is `Enabled`**From Command Line:**1. 
Run the `get-bucket-versioning` ``` aws s3api get-bucket-versioning --bucket my-bucket ```Output example: ```  EnabledEnabled ```If the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.","RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.Note: -You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API. -You must use your 'root' account to enable MFA Delete on S3 buckets.**From Command line:**1. Run the s3api put-bucket-versioning command``` aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” ```","AdditionalInformation": ""}],"description": "Ensure MFA Delete is enabled on S3 buckets","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}},"2.1.4": {"name": "2.1.4","checks": {"macie_is_enabled": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 2","Section": "2.1. Simple Storage Service (S3)","References": "https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html","Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. 
Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.","DefaultValue": null,"AuditProcedure": "Perform the following steps to determine if Macie is running:**From Console:** 1. Login to the Macie console at https://console.aws.amazon.com/macie/ 2. In the left hand pane click on By job under findings. 3. Confirm that you have a Job setup for your S3 BucketsWhen you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.","ImpactStatement": "There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.","AssessmentStatus": "Manual","RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.","RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie**From Console:**1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`2. Click `Get started`.3. Click `Enable Macie`.Setup a repository for sensitive data discovery results1. In the Left pane, under Settings, click `Discovery results`.2. Make sure `Create bucket` is selected.3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.4. Click on `Advanced`.5. Block all public access, make sure `Yes` is selected.6. 
KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.7. Click on `Save`Create a job to discover sensitive data1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.2. Select the `check box` for each bucket that you want Macie to analyze as part of the job3. Click `Create job`.3. Click `Quick create`.4. For the Name and description step, enter a name and, optionally, a description of the job.5. Then click `Next`.6. For the Review and create step, click `Submit`.Review your findings1. In the left pane, click `Findings`.2. To view the details of a specific finding, choose any field other than the check box for the finding.If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.","AdditionalInformation": ""}],"description": "Ensure all data in Amazon S3 has been discovered, classified and secured when required.","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.1.5": {"name": "2.1.5","checks": {"s3_bucket_level_public_access_block": "PASS","s3_account_level_public_access_blocks": null},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.1. Simple Storage Service (S3)","References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html","Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. 
While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.","DefaultValue": null,"AuditProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Ensure that block public access settings are set appropriately for this bucket 5. Repeat for all the buckets in your AWS account.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Find the public access setting on that bucket ``` aws s3api get-public-access-block --bucket  ``` Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"BlockPublicAcls\": true,\"IgnorePublicAcls\": true,\"BlockPublicPolicy\": true,\"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.**If utilizing Block Public Access (account settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block public access (account settings)` 3. 
Ensure that block public access settings are set appropriately for your AWS account.**From Command Line:**To check Public access settings for this account status, run the following command, `aws s3control get-public-access-block --account-id  --region `Output if Block Public access is enabled:``` {\"PublicAccessBlockConfiguration\": {\"IgnorePublicAcls\": true, \"BlockPublicPolicy\": true, \"BlockPublicAcls\": true, \"RestrictPublicBuckets\": true} } ```If the output reads `false` for the separate configuration settings then proceed to the remediation.","ImpactStatement": "When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.","AssessmentStatus": "Automated","RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s). Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.","RemediationProcedure": "**If utilizing Block Public Access (bucket settings)****From Console:**1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Click 'Block all public access' 5. Repeat for all the buckets in your AWS account that contain sensitive data.**From Command Line:**1. List all of the S3 Buckets ``` aws s3 ls ``` 2. 
Set the Block Public Access to true on that bucket ``` aws s3api put-public-access-block --bucket  --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\" ```**If utilizing Block Public Access (account settings)****From Console:**If the output reads `true` for the separate configuration settings then it is set on the account.1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/2. Choose `Block Public Access (account settings)` 3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account 4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons. 5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.**From Command Line:**To set Block Public access settings for this account, run the following command: ``` aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id  ```","AdditionalInformation": ""}],"description": "Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'","checks_status": {"fail": 0,"pass": 1,"total": 2,"manual": 0}},"2.2.1": {"name": "2.2.1","checks": {"ec2_ebs_volume_encryption": "PASS"},"status": "PASS","attributes": [{"Profile": "Level 1","Section": "2.2. Elastic Compute Cloud (EC2)","References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html:https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/","Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.","DefaultValue": null,"AuditProcedure": "**From Console:**1. 
Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 get-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Review every region in-use.**Note:** EBS volume encryption is configured per region.","ImpactStatement": "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.","AssessmentStatus": "Automated","RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.","RemediationProcedure": "**From Console:**1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption` 6. Repeat for every region requiring the change.**Note:** EBS volume encryption is configured per region.**From Command Line:**1. Run``` aws --region  ec2 enable-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Repeat every region requiring the change.**Note:** EBS volume encryption is configured per region.","AdditionalInformation": "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are **not** converted automatically."}],"description": "Ensure EBS Volume Encryption is Enabled in all Regions","checks_status": {"fail": 0,"pass": 1,"total": 1,"manual": 0}},"2.3.1": {"name": "2.3.1","checks": {"rds_instance_storage_encrypted": "FAIL"},"status": "FAIL","attributes": [{"Profile": "Level 1","Section": "2.3. 
Relational Database Service (RDS)","References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html:https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/#:~:text=With%20RDS%2Dencrypted%20resources%2C%20data,transparent%20to%20your%20database%20engine.:https://aws.amazon.com/rds/features/security/","Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.","DefaultValue": null,"AuditProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/ 2. In the navigation pane, under RDS dashboard, click `Databases`. 3. Select the RDS Instance that you want to examine 4. Click `Instance Name` to see details, then click on `Configuration` tab. 5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status. 6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance. 7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region. 8. Change region from the top of the navigation bar and repeat audit for other regions.**From Command Line:**1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. 
Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`. ``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ``` 3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance. 4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions","ImpactStatement": "","AssessmentStatus": "Automated","RationaleStatement": "Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.","RemediationProcedure": "**From Console:**1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases` 3. Select the Database instance that needs to be encrypted. 4. Click on `Actions` button placed at the top right and select `Take Snapshot`. 5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`. 6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu. 7. On the Make Copy of DB Snapshot page, perform the following:- In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`. - Check `Copy Tags`, New snapshot must have the same tags as the source snapshot. 
- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot. 9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance. 10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field. 11. Review the instance configuration details and click `Restore DB Instance`. 12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.**From Command Line:**1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name. ``` aws rds create-db-snapshot --region  --db-snapshot-identifier  --db-instance-identifier  ``` 3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key. ``` aws kms list-aliases --region  ``` 4. 
Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`. ``` aws rds copy-db-snapshot --region  --source-db-snapshot-identifier  --target-db-snapshot-identifier  --copy-tags --kms-key-id  ``` 5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration. ``` aws rds restore-db-instance-from-db-snapshot --region  --db-instance-identifier  --db-snapshot-identifier  ``` 6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted. ``` aws rds describe-db-instances --region  --query 'DBInstances[*].DBInstanceIdentifier' ``` 7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`. 
``` aws rds describe-db-instances --region  --db-instance-identifier  --query 'DBInstances[*].StorageEncrypted' ```","AdditionalInformation": ""}],"description": "Ensure that encryption is enabled for RDS Instances","checks_status": {"fail": 1,"pass": 0,"total": 1,"manual": 0}}},"requirements_passed": 48,"requirements_failed": 10,"requirements_manual": 0,"total_requirements": 58,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}},{"model": "api.complianceoverview","pk": "fb07e872-c61f-4749-96d2-da2b68993ae5","fields": {"tenant": "12646005-9067-4d2a-a098-8bb378604362","inserted_at": "2024-11-15T13:14:10.043Z","compliance_id": "gxp_21_cfr_part_11_aws","framework": "GxP-21-CFR-Part-11","version": "","description": "GxP refers to the regulations and guidelines that are applicable to life sciences organizations that make food and medical products. Medical products that fall under this include medicines, medical devices, and medical software applications. The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers. 
It's also to ensure the integrity of data that's used to make product-related safety decisions.","region": "eu-west-1","requirements": {"11.30": {"name": "11.30 Controls for open systems","checks": {"elb_ssl_listeners": "FAIL","kms_cmk_rotation_enabled": null,"ec2_ebs_volume_encryption": "PASS","ec2_ebs_default_encryption": "PASS","elbv2_insecure_ssl_ciphers": "PASS","s3_bucket_default_encryption": "PASS","efs_encryption_at_rest_enabled": "FAIL","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL","sns_topics_kms_encryption_at_rest_enabled": "FAIL","dynamodb_tables_kms_cmk_encryption_enabled": null,"cloudwatch_log_group_kms_encryption_enabled": "FAIL","apigateway_restapi_client_certificate_enabled": "FAIL","sagemaker_notebook_instance_encryption_enabled": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"opensearch_service_domains_node_to_node_encryption_enabled": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.30","Section": "11.30 Controls for open systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. 
Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.","checks_status": {"fail": 9,"pass": 4,"total": 21,"manual": 0}},"11.200": {"name": "11.200 Electronic signature components and controls","checks": {"iam_root_mfa_enabled": null,"iam_no_root_access_key": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"iam_user_mfa_enabled_console_access": null,"iam_password_policy_minimum_length_14": null},"status": "PASS","attributes": [{"Type": null,"ItemId": "11.200","Section": "11.200 Electronic signature components and controls","Service": "aws","SubGroup": null,"SubSection": null}],"description": "(a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. 
(2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.","checks_status": {"fail": 0,"pass": 0,"total": 12,"manual": 0}},"11.10-a": {"name": "11.10(a)","checks": {"rds_instance_multi_az": "FAIL","elbv2_deletion_protection": "FAIL","ec2_instance_managed_by_ssm": "FAIL","rds_instance_backup_enabled": "PASS","s3_bucket_object_versioning": "FAIL","dynamodb_tables_pitr_enabled": null,"ssm_managed_compliant_patching": "FAIL","rds_instance_deletion_protection": "FAIL","redshift_cluster_automated_snapshot": null,"ec2_instance_older_than_specific_days": "FAIL","cloudtrail_log_file_validation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-a","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. 
Such procedures and controls shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.","checks_status": {"fail": 8,"pass": 1,"total": 13,"manual": 0}},"11.10-c": {"name": "11.10(c)","checks": {"s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","s3_bucket_object_versioning": "FAIL","s3_bucket_default_encryption": "PASS","rds_instance_storage_encrypted": "FAIL","redshift_cluster_audit_logging": null,"redshift_cluster_public_access": null,"cloudtrail_kms_encryption_enabled": "FAIL","s3_bucket_secure_transport_policy": "FAIL","s3_bucket_policy_public_write_access": "PASS","sagemaker_notebook_instance_encryption_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-c","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. 
Such procedures and controls shall include the following: (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.","checks_status": {"fail": 5,"pass": 3,"total": 14,"manual": 0}},"11.10-d": {"name": "11.10(d)","checks": {"iam_root_mfa_enabled": null,"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"ec2_instance_profile_attached": "PASS","iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"rds_instance_no_public_access": "PASS","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"iam_password_policy_minimum_length_14": null,"s3_account_level_public_access_blocks": null,"secretsmanager_automatic_rotation_enabled": "FAIL","awslambda_function_not_publicly_accessible": "PASS","ec2_securitygroup_default_restrict_traffic": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"iam_customer_attached_policy_no_administrative_privileges": null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-d","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to 
create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (d) Limiting system access to authorized individuals.","checks_status": {"fail": 4,"pass": 8,"total": 38,"manual": 0}},"11.10-e": {"name": "11.10(e)","checks": {"elb_logging_enabled": "FAIL","elbv2_logging_enabled": "FAIL","vpc_flow_logs_enabled": "FAIL","redshift_cluster_audit_logging": null,"cloudtrail_multi_region_enabled": "PASS","apigateway_restapi_logging_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","opensearch_service_domains_cloudwatch_logging_enabled": null,"cloudwatch_log_group_retention_policy_specific_days_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-d","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. 
Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.","checks_status": {"fail": 7,"pass": 2,"total": 14,"manual": 0}},"11.10-g": {"name": "11.10(g)","checks": {"iam_root_mfa_enabled": null,"ec2_instance_public_ip": "FAIL","iam_no_root_access_key": null,"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"ec2_ebs_volume_encryption": "PASS","iam_user_accesskey_unused": null,"ec2_ebs_default_encryption": "PASS","iam_password_policy_number": null,"iam_password_policy_symbol": null,"ec2_instance_imdsv2_enabled": "PASS","rds_snapshots_public_access": "PASS","awslambda_function_url_public": null,"ec2_instance_profile_attached": "PASS","iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_root_hardware_mfa_enabled": null,"iam_rotate_access_key_90_days": null,"rds_instance_no_public_access": "PASS","efs_encryption_at_rest_enabled": "FAIL","iam_user_console_access_unused": null,"redshift_cluster_public_access": null,"iam_user_mfa_enabled_console_access": null,"s3_bucket_policy_public_write_access": "PASS","ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"iam_password_policy_minimum_length_14": null,"s3_account_level_public_access_blocks": null,"secretsmanager_automatic_rotation_enabled": "FAIL","awslambda_function_not_publicly_accessible": "PASS","dynamodb_tables_kms_cmk_encryption_enabled": null,"ec2_securitygroup_default_restrict_traffic": "FAIL","iam_policy_attached_only_to_group_or_roles": null,"iam_inline_policy_no_administrative_privileges": null,"iam_aws_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_encryption_at_rest_enabled": null,"iam_customer_attached_policy_no_administrative_privileges": null,"opensearch_service_domains_node_to_node_encryption_enabled": 
null,"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "PASS","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-g","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.","checks_status": {"fail": 5,"pass": 10,"total": 44,"manual": 0}},"11.10-h": {"name": "11.10(h)","checks": {"ec2_instance_managed_by_ssm": "FAIL","ssm_managed_compliant_patching": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-h","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. 
Such procedures and controls shall include the following: (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.","checks_status": {"fail": 2,"pass": 0,"total": 3,"manual": 0}},"11.10-k": {"name": "11.10(k)","checks": {"ec2_ebs_public_snapshot": "PASS","s3_bucket_public_access": null,"rds_snapshots_public_access": "PASS","rds_instance_no_public_access": "PASS","redshift_cluster_public_access": null,"cloudtrail_multi_region_enabled": "PASS","s3_bucket_policy_public_write_access": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL","cloudtrail_s3_dataevents_read_enabled": null,"ec2_networkacl_allow_ingress_any_port": "FAIL","emr_cluster_master_nodes_no_public_ip": null,"cloudtrail_s3_dataevents_write_enabled": null,"s3_bucket_server_access_logging_enabled": "FAIL","rds_instance_integration_cloudwatch_logs": "FAIL","ec2_securitygroup_default_restrict_traffic": "FAIL","sagemaker_notebook_instance_without_direct_internet_access_configured": null},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.10-k","Section": "11.10 Controls for closed systems","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. 
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.","checks_status": {"fail": 5,"pass": 5,"total": 17,"manual": 0}},"11.300-b": {"name": "11.300(b)","checks": {"iam_user_accesskey_unused": null,"iam_password_policy_number": null,"iam_password_policy_symbol": null,"iam_password_policy_lowercase": null,"iam_password_policy_uppercase": null,"iam_rotate_access_key_90_days": null,"iam_user_console_access_unused": null,"iam_password_policy_minimum_length_14": null,"secretsmanager_automatic_rotation_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.300-b","Section": "11.300 Controls for identification codes/passwords","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).","checks_status": {"fail": 1,"pass": 0,"total": 10,"manual": 0}},"11.300-d": {"name": "11.300(d)","checks": {"securityhub_enabled": "PASS","guardduty_is_enabled": "PASS","cloudtrail_multi_region_enabled": "PASS","cloudtrail_cloudwatch_logging_enabled": "FAIL"},"status": "FAIL","attributes": [{"Type": null,"ItemId": "11.300-d","Section": "11.300 Controls for identification codes/passwords","Service": "aws","SubGroup": null,"SubSection": null}],"description": "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. 
Such controls shall include: (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.","checks_status": {"fail": 1,"pass": 3,"total": 4,"manual": 0}}},"requirements_passed": 1,"requirements_failed": 10,"requirements_manual": 0,"total_requirements": 11,"scan": "0191e280-9d2f-71c8-9b18-487a23ba185e"}}]
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 49f0428d2c..7dd13ded60 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -1,6 +1,20 @@
 # Prowler SDK Changelog
 
 All notable changes to the **Prowler SDK** are documented in this file.
+
+## [v5.13.0] (Prowler UNRELEASED)
+
+### Added
+
+### Changed
+
+### Fixed
+
+## [v5.12.1] (Prowler v5.12.1)
+
+### Fixed
+- Replaced old check id with new ones for compliance files [(#8682)](https://github.com/prowler-cloud/prowler/pull/8682)
+
 ## [v5.12.0] (Prowler v5.12.0)
 
 ### Added
diff --git a/prowler/compliance/aws/aws_foundational_technical_review_aws.json b/prowler/compliance/aws/aws_foundational_technical_review_aws.json
index 53308bac9d..63194e9bbc 100644
--- a/prowler/compliance/aws/aws_foundational_technical_review_aws.json
+++ b/prowler/compliance/aws/aws_foundational_technical_review_aws.json
@@ -364,8 +364,8 @@
         "ec2_ami_public",
         "ec2_instance_public_ip",
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
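Review bot: The two stale check ids (`..._to_port_mongodb_27017_27018` and `..._tcp_ftp_port_20_21`) are corrected here by hand, and the same edit is repeated in the well-architected, iso27001_2022, both kisa_isms_p_2023, mitre_attack, prowler_threatscore, rbi_cyber_security_framework and soc2 hunks below, but nothing in the commit prevents the drift from recurring. If, as the CHANGELOG entry suggests, an unknown id in a `Checks` array simply matches no finding, a compliance requirement silently loses that check's coverage and the reported status overstates the real posture, which is exactly the failure mode that went unnoticed until this fix. I would add a unit test that loads every `prowler/compliance/*/*.json`, collects all `Checks` entries and asserts each one exists in the provider's check tree, so a future check rename fails CI instead of quietly dropping a requirement's evidence. The enclosing `Checks` array and its requirement object start and end outside this hunk.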
diff --git a/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json b/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
index b27a5b6712..a88eef5bf9 100644
--- a/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
+++ b/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
@@ -721,8 +721,8 @@
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
diff --git a/prowler/compliance/aws/iso27001_2022_aws.json b/prowler/compliance/aws/iso27001_2022_aws.json
index b5ec188523..e2b83d2e3d 100644
--- a/prowler/compliance/aws/iso27001_2022_aws.json
+++ b/prowler/compliance/aws/iso27001_2022_aws.json
@@ -1510,8 +1510,8 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
@@ -1604,8 +1604,8 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
@@ -1698,8 +1698,8 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
diff --git a/prowler/compliance/aws/kisa_isms_p_2023_aws.json b/prowler/compliance/aws/kisa_isms_p_2023_aws.json
index bd9b256c37..664883a6f8 100644
--- a/prowler/compliance/aws/kisa_isms_p_2023_aws.json
+++ b/prowler/compliance/aws/kisa_isms_p_2023_aws.json
@@ -1558,8 +1558,8 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
@@ -1682,7 +1682,7 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601",
@@ -1814,7 +1814,7 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306",
@@ -1917,7 +1917,7 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23",
@@ -3024,8 +3024,8 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
@@ -4588,4 +4588,4 @@
       ]
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json b/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
index 33ca1364f4..611dbcef94 100644
--- a/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
+++ b/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
@@ -1557,8 +1557,8 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
@@ -1682,7 +1682,7 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601",
@@ -1816,7 +1816,7 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306",
@@ -1919,7 +1919,7 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23",
@@ -3028,8 +3028,8 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
@@ -4603,4 +4603,4 @@
       ]
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/prowler/compliance/aws/mitre_attack_aws.json b/prowler/compliance/aws/mitre_attack_aws.json
index 04feda7d97..e26353f3bb 100644
--- a/prowler/compliance/aws/mitre_attack_aws.json
+++ b/prowler/compliance/aws/mitre_attack_aws.json
@@ -107,8 +107,8 @@
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
@@ -1024,8 +1024,8 @@
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
@@ -1470,8 +1470,8 @@
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
@@ -1650,8 +1650,8 @@
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
@@ -1902,8 +1902,8 @@
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
diff --git a/prowler/compliance/aws/prowler_threatscore_aws.json b/prowler/compliance/aws/prowler_threatscore_aws.json
index 4763f40ddd..10aba3b67e 100644
--- a/prowler/compliance/aws/prowler_threatscore_aws.json
+++ b/prowler/compliance/aws/prowler_threatscore_aws.json
@@ -553,8 +553,8 @@
       "Description": "Ensure that ec2 security groups do not allow ingress from internet to common ports",
       "Checks": [
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
diff --git a/prowler/compliance/aws/rbi_cyber_security_framework_aws.json b/prowler/compliance/aws/rbi_cyber_security_framework_aws.json
index 1d41fda2b2..399c43d6d0 100644
--- a/prowler/compliance/aws/rbi_cyber_security_framework_aws.json
+++ b/prowler/compliance/aws/rbi_cyber_security_framework_aws.json
@@ -66,7 +66,7 @@
         "elbv2_ssl_listeners",
         "ssm_documents_set_as_public",
         "vpc_subnet_no_public_ip_by_default",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306",
         "s3_account_level_public_access_blocks"
diff --git a/prowler/compliance/aws/soc2_aws.json b/prowler/compliance/aws/soc2_aws.json
index 0160111ef0..6d6d87b216 100644
--- a/prowler/compliance/aws/soc2_aws.json
+++ b/prowler/compliance/aws/soc2_aws.json
@@ -253,8 +253,8 @@
         "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports",
-        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_ftp_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",