fix(sdk): update Trend Micro URLs in AWS metadata files (#10068)
This commit is contained in:
committed by
GitHub
parent
75c7f61513
commit
5830cb63c9
@@ -51,6 +51,10 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Update Azure Virtual Machines service metadata to new format [(#9629)](https://github.com/prowler-cloud/prowler/pull/9629)
|
||||
- Cloudflare provider credential validation with specific exceptions [(#9910)](https://github.com/prowler-cloud/prowler/pull/9910)
|
||||
|
||||
### 🐞 Fixed
|
||||
|
||||
- Update AWS checks metadata URLs to replace deprecated Trend Micro CloudOne Conformity (EOL July 2026) with Vision One and remove docs.prowler.com references [(#10068)](https://github.com/prowler-cloud/prowler/pull/10068)
|
||||
|
||||
### 🔐 Security
|
||||
|
||||
- Bumped `py-ocsf-models` to 0.8.1 and `cryptography` to 44.0.3 [(#10059)](https://github.com/prowler-cloud/prowler/pull/10059)
|
||||
|
||||
+1
-1
@@ -27,7 +27,7 @@
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html",
|
||||
"https://aws.amazon.com/blogs/security/automate-resolution-for-iam-access-analyzer-cross-account-access-findings-on-iam-roles/",
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AccessAnalyzer/findings.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/AccessAnalyzer/findings.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
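Review bot: The new Vision One link on the AccessAnalyzer/findings line is produced by swapping the path prefix `cloudoneconformity` for `trendaivisiononecloudriskmanagement` and keeping the rest of the path, and nothing in the change shows that the article exists under the new knowledge base, so each rewritten URL should be resolved before merge and a link check over the `AdditionalURLs` arrays added to CI so the next vendor migration is caught automatically. The host form also stays inconsistent across the new lines: most use `https://www.trendmicro.com/...`, while the IAM/account-security-alternate-contacts, EC2/enable-capacity-rebalancing, EC2/require-imds-v2, Bedrock/prompt-attack-strength, CloudFront/cloudfront-distro-custom-tls, CloudFront/cloudfront-insecure-origin-ssl-protocols and CloudTrail/cloudtrail-logs-encrypted hunks use bare `https://trendmicro.com/...`. Since the commit already rewrites those lines, normalising them to a single host form would avoid a redirect hop and make future bulk replacements reliable. This applies to every Trend Micro hunk in the commit; the file names are not visible in this view, so hunks are identified by their article slugs.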
-1
@@ -15,7 +15,6 @@
|
||||
"Risk": "Outdated or single-person contacts delay **security notifications**, slow **incident response**, and complicate **account recovery**.\n\nAWS may throttle services during abuse mitigation, reducing **availability**. Missed alerts enable ongoing misuse, risking **data exfiltration** and unauthorized changes (**integrity**).",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console",
|
||||
"https://repost.aws/knowledge-center/update-phone-number",
|
||||
"https://support.stax.io/docs/accounts/update-aws-account-contact-details",
|
||||
"https://maartenbruntink.nl/blog/2022/09/26/aws-account-hygiene-101-mass-updating-alternate-account-contacts/",
|
||||
|
||||
+1
-2
@@ -17,11 +17,10 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_alternate_contact",
|
||||
"https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console",
|
||||
"https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-alternate.html",
|
||||
"https://builder.aws.com/content/2qRw97fe8JFwfk2AbpJ3sYNpNvM/aws-bulk-update-alternate-contacts-across-organization",
|
||||
"https://github.com/aws-samples/aws-account-alternate-contact-with-terraform",
|
||||
"https://trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/account-security-alternate-contacts.html",
|
||||
"https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/account-security-alternate-contacts.html",
|
||||
"https://repost.aws/articles/ARDFbpt-bvQ8iuErnqVVcCXQ/managing-aws-organization-alternate-contacts-via-csv"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
-1
@@ -17,7 +17,6 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_alternate_contact",
|
||||
"https://docs.prowler.com/checks/aws/iam-policies/iam_19/",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000234161-1-2-ensure-security-contact-information-is-registered-manual-",
|
||||
"https://www.plerion.com/cloud-knowledge-base/ensure-security-contact-information-is-registered",
|
||||
"https://repost.aws/articles/ARDFbpt-bvQ8iuErnqVVcCXQ/managing-aws-organization-alternate-contacts-via-csv"
|
||||
|
||||
+1
-2
@@ -15,8 +15,7 @@
|
||||
"Risk": "Absence of these questions can limit support-assisted recovery if root credentials or MFA are lost, reducing **availability** and slowing **incident response**. Reliance on KBA also weakens **confidentiality** due to **social engineering**. Treat this as a recovery gap and adopt stronger, phishing-resistant factors.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.prowler.com/checks/aws/iam-policies/iam_15",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/security-challenge-questions.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/security-challenge-questions.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"Risk": "Expired or near-expiry **TLS certificates** can break handshakes, causing **service outages** and failed API calls (**availability**). Emergency fixes raise misconfiguration risk, enabling disabled verification or weak ciphers, which allows **MITM** and data exposure (**confidentiality**/**integrity**).",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ACM/certificate-expires-in-45-days.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/ACM/certificate-expires-in-45-days.html",
|
||||
"https://repost.aws/es/knowledge-center/acm-notification-certificate-renewal",
|
||||
"https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html",
|
||||
"https://repost.aws/questions/QU3sMaeZPMRo2kLcsfJsfuVA/acm-notifications-for-expiring-certificates"
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html",
|
||||
"https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/APIGateway/cloudwatch-logs.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/APIGateway/cloudwatch-logs.html",
|
||||
"https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html",
|
||||
"https://repost.aws/knowledge-center/api-gateway-cloudwatch-logs",
|
||||
"https://repost.aws/knowledge-center/api-gateway-missing-cloudwatch-logs",
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-3",
|
||||
"https://docs.aws.amazon.com/xray/latest/devguide/xray-services-apigateway.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/APIGateway/tracing.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/APIGateway/tracing.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -21,7 +21,7 @@
|
||||
"https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html",
|
||||
"https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000229562-ensure-api-gateway-v2-has-access-logging-enabled",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/APIGateway/api-gateway-stage-access-logging.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/APIGateway/api-gateway-stage-access-logging.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://aws.amazon.com/blogs/big-data/introducing-managed-query-results-for-amazon-athena/",
|
||||
"https://docs.aws.amazon.com/athena/latest/ug/managed-results.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Athena/encryption-enabled.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Athena/encryption-enabled.html",
|
||||
"https://docs.aws.amazon.com/athena/latest/ug/encrypting-managed-results.html",
|
||||
"https://docs.aws.amazon.com/athena/latest/ug/encrypting-query-results-stored-in-s3.html",
|
||||
"https://docs.aws.amazon.com/athena/latest/ug/workgroups-minimum-encryption.html",
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/awssupport/latest/user/fault-tolerance-checks.html#amazon-ec2-auto-scaling-group-capacity-rebalance-enabled",
|
||||
"https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-capacity-rebalancing.html",
|
||||
"https://trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/enable-capacity-rebalancing.html",
|
||||
"https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/enable-capacity-rebalancing.html",
|
||||
"https://docs.aws.amazon.com/autoscaling/ec2/userguide/enable-capacity-rebalancing-console-cli.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-1",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/auto-scaling-group-health-check.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/AutoScaling/auto-scaling-group-health-check.html",
|
||||
"https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-elb-healthcheck.html#as-add-elb-healthcheck-console"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"Risk": "Without enforced **IMDSv2**, **SSRF** and local escape paths can access **IAM role credentials**, enabling unauthorized API calls.\n\nAttackers could:\n- Exfiltrate data with stolen tokens\n- Move laterally and modify resources, degrading confidentiality and integrity",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/require-imds-v2.html",
|
||||
"https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/require-imds-v2.html",
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-3",
|
||||
"https://aws.plainenglish.io/dont-let-metadata-leak-why-imdsv2-is-a-must-and-how-to-migrate-a88e1e285394"
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-az-console.html",
|
||||
"https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-availability-zone-balanced.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/multiple-availability-zones.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/AutoScaling/multiple-availability-zones.html",
|
||||
"https://docs.aws.amazon.com/autoscaling/ec2/userguide/disaster-recovery-resiliency.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -16,7 +16,7 @@
|
||||
"Risk": "Limited to one instance type per AZ or a single AZ, scaling can stall during **capacity shortages**, hindering **failover** and degrading **availability** (timeouts, backlog growth). Costs may spike if only expensive capacity is available. Reduced diversity increases the likelihood of prolonged outages during zonal or market disruptions.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/asg-multiple-instance-type-az.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/AutoScaling/asg-multiple-instance-type-az.html",
|
||||
"https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-6"
|
||||
],
|
||||
|
||||
+1
-1
@@ -15,7 +15,7 @@
|
||||
"Risk": "Without a launch template, there is no **versioned, auditable baseline** for instance settings, increasing configuration drift. Inconsistent metadata and network options can enable unauthorized access or unstable deployments, degrading confidentiality and availability.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/asg-launch-template.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/AutoScaling/asg-launch-template.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-9",
|
||||
"https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-launch-template.html"
|
||||
],
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html",
|
||||
"https://repost.aws/pt/knowledge-center/lambda-dedicated-vpc",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-in-vpc.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Lambda/function-in-vpc.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-3",
|
||||
"https://stackoverflow.com/questions/55074793/how-can-we-force-aws-lamda-to-run-securely-in-a-vpc",
|
||||
"https://www.techtarget.com/searchCloudComputing/answer/How-do-I-configure-AWS-Lambda-functions-in-a-VPC/"
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"https://docs.aws.amazon.com/config/latest/developerguide/lambda-function-public-access-prohibited.html",
|
||||
"https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Lambda/function-exposed.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -16,7 +16,7 @@
|
||||
"Risk": "An unauthenticated function URL lets anyone invoke code:\n- Confidentiality: data exposure\n- Integrity: unintended changes via over-privileged logic\n- Availability: DoS/denial-of-wallet through high request rates\n\nAttackers can script calls, exfiltrate data, and pivot using the function's permissions.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/iam-auth-function-url.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Lambda/iam-auth-function-url.html",
|
||||
"https://www.roastdev.com/post/aws-lambda-url-invocations-with-iam-authentication-and-throttling-limits",
|
||||
"https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html",
|
||||
"https://dev.to/aws-builders/hands-on-aws-lambda-function-url-with-aws-iam-authentication-type-180g",
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://aws.amazon.com/blogs/compute/managing-aws-lambda-runtime-upgrades/",
|
||||
"https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/supported-runtime-environment.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Lambda/supported-runtime-environment.html",
|
||||
"https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -21,7 +21,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Athena/encrypted-with-cmk.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Athena/encrypted-with-cmk.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
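Review bot: The rewritten link `https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Athena/encrypted-with-cmk.html` sits next to an AWS Backup encryption reference, so the `Athena/` path segment looks like a pre-existing mismatch that the mechanical prefix swap carries into the new URL; confirm which article this check is meant to cite and correct the path while the line is being touched. The file name is not visible here, so the service is inferred from the neighbouring `aws-backup` URL.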
+1
-1
@@ -18,7 +18,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html",
|
||||
"https://docs.aws.amazon.com/bedrock/latest/userguide/agents-guardrail.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Bedrock/protect-agent-sessions-with-guardrails.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/protect-agent-sessions-with-guardrails.html",
|
||||
"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"Risk": "Without **HIGH** prompt-attack filtering, models are exposed to **prompt injection/jailbreaks**:\n- Confidentiality: coerced disclosure of sensitive data\n- Integrity: policy evasion and manipulated outputs\n- Operations: unintended tool execution and workflow tampering",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://trendmicro.com/cloudoneconformity/knowledge-base/aws/Bedrock/prompt-attack-strength.html",
|
||||
"https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/prompt-attack-strength.html",
|
||||
"https://docs.aws.amazon.com/bedrock/latest/userguide/prompt-injection.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233535-ensure-prompt-attack-filter-is-configured-at-highest-strength-for-amazon-bedrock-guardrails",
|
||||
"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html"
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-sensitive-filters.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Bedrock/guardrails-with-pii-mask-block.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/guardrails-with-pii-mask-block.html",
|
||||
"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
|
||||
"https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFormation/stack-termination-protection.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFormation/stack-termination-protection.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -16,7 +16,7 @@
|
||||
"Risk": "Using the default certificate prevents HTTPS on your own hostnames, breaking hostname validation. Clients may face errors or avoid TLS, impacting **authentication** and **availability**. Control over TLS posture and domain-bound security headers is reduced, weakening **confidentiality** and user trust.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-distro-custom-tls.html",
|
||||
"https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/cloudfront-distro-custom-tls.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-7",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233491-ensure-cloudfront-distributions-use-custom-ssl-tls-certificates",
|
||||
"https://reintech.io/blog/configure-https-ssl-certificates-cloudfront-distributions"
|
||||
|
||||
+1
-1
@@ -16,7 +16,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-1",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-default-object.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/cloudfront-default-object.html",
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/field-level-encryption-enabled.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/field-level-encryption-enabled.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://repost.aws/knowledge-center/cloudfront-geo-restriction",
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/geo-restriction.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/geo-restriction.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"Risk": "Allowing HTTP exposes traffic to **man-in-the-middle** interception and **session hijacking**, enabling theft of cookies, tokens, or PII. Attackers can **tamper** with responses, inject malware, or perform **downgrade/strip** attacks, undermining confidentiality and integrity.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/security-policy.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/security-policy.html",
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html"
|
||||
],
|
||||
|
||||
+1
-1
@@ -15,7 +15,7 @@
|
||||
"Risk": "Without **SNI**, distributions use dedicated IP SSL, driving higher costs and inefficient IP usage. Dedicated IPs can strain quotas and hinder scaling, reducing **availability**. Managing IP-bound certificates adds **operational risk** during rotations and expansions.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-sni.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/cloudfront-sni.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-8",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000223557-ensure-cloudfront-sni-enabled",
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-https-dedicated-ip-or-sni.html#cnames-https-sni"
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html",
|
||||
"https://repost.aws/knowledge-center/cloudfront-logging-requests",
|
||||
"https://aws.amazon.com/awstv/watch/e895e7811ac/",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/enable-real-time-logging.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/enable-real-time-logging.html",
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html#concept_origin_groups.creating",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-4",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/origin-failover-enabled.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/origin-failover-enabled.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-traffic-to-origin-unencrypted.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/cloudfront-traffic-to-origin-unencrypted.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-9",
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html",
|
||||
"https://docs.aws.amazon.com/whitepapers/latest/secure-content-delivery-amazon-cloudfront/custom-origin-with-cloudfront.html"
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"Risk": "Without **OAC**, S3 objects can be reached outside CloudFront, bypassing edge controls and weakening **confidentiality** and **integrity**.\n- Direct access enables data exfiltration\n- Loss of WAF, rate-limiting, and detailed logging; cost abuse\n- Limited support for signed writes and **SSE-KMS**, increasing tampering risk",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/s3-origin.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/s3-origin.html",
|
||||
"https://repost.aws/knowledge-center/cloudfront-access-to-amazon-s3",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-13",
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html"
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/whitepapers/latest/secure-content-delivery-amazon-cloudfront/s3-origin-with-cloudfront.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-12",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-existing-s3-bucket.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/cloudfront-existing-s3-bucket.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html",
|
||||
"https://trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-insecure-origin-ssl-protocols.html",
|
||||
"https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/cloudfront-insecure-origin-ssl-protocols.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000223404-ensure-cloudfront-distributions-are-not-using-deprecated-ssl-protocols"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://repost.aws/questions/QUTY5hPVxgS6Caa3eZHX7-nQ/waf-on-alb-or-cloudfront",
|
||||
"https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-integrated-with-waf.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/cloudfront-integrated-with-waf.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudTrail/cloudtrail-bucket-mfa-delete-enabled.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudTrail/cloudtrail-bucket-mfa-delete-enabled.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
-1
@@ -17,7 +17,6 @@
|
||||
"Risk": "Missing or stale CloudWatch delivery weakens visibility and delays detection, impacting confidentiality and integrity. Adversaries can:\n- Hide **privilege escalation**\n- Perform unauthorized **resource changes**\n- Exfiltrate data via API misuse",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.prowler.com/checks/aws/logging-policies/logging_4#aws-console",
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html",
|
||||
"https://trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudTrail/cloudtrail-logs-encrypted.html",
|
||||
"https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudTrail/cloudtrail-logs-encrypted.html",
|
||||
"https://www.stream.security/rules/ensure-cloudtrail-logs-are-encrypted-at-rest",
|
||||
"https://www.clouddefense.ai/compliance-rules/cis-v130/logging/cis-v130-3-7"
|
||||
],
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html",
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudTrail/cloudtrail-log-file-integrity-validation.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudTrail/cloudtrail-log-file-integrity-validation.html",
|
||||
"https://deepwiki.com/acantril/learn-cantrill-io-labs/7.1-cloudtrail-log-file-integrity"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"Risk": "Exposed CloudTrail logs erode **confidentiality** and **integrity**.\n\nAdversaries can harvest API activity to map accounts, roles, and keys, enabling **reconnaissance** and evasion. If write is allowed, logs can be **poisoned** or deleted, thwarting investigations and compromising incident timelines.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudTrail/cloudtrail-bucket-publicly-accessible.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudTrail/cloudtrail-bucket-publicly-accessible.html",
|
||||
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
|
||||
"https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-s3-bucket-public-access-prohibited.html",
|
||||
"https://docs.panther.com/alerts/alert-runbooks/built-in-policies/aws-cloudtrail-logs-s3-bucket-not-publicly-accessible"
|
||||
|
||||
+2
-2
@@ -17,8 +17,8 @@
|
||||
"Risk": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.prowler.com/checks/aws/logging-policies/logging_14#terraform",
|
||||
"https://docs.prowler.com/checks/aws/logging-policies/logging_14"
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-15",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233431-ensure-cloudwatch-alarms-have-specified-actions-configured-for-the-alarm-state",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatch/cloudwatch-alarm-action.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatch/cloudwatch-alarm-action.html",
|
||||
"https://awscli.amazonaws.com/v2/documentation/api/2.0.34/reference/cloudwatch/put-metric-alarm.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"Risk": "With alarm actions disabled, state changes neither notify nor remediate. Incidents can persist unnoticed, enabling unauthorized activity, configuration drift, or capacity exhaustion. Visibility drops, MTTR rises, and confidentiality, integrity, and availability are all at greater risk.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatch/cloudwatch-alarm-action-activated.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatch/cloudwatch-alarm-action-activated.html",
|
||||
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-actions",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-17"
|
||||
],
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
|
||||
"https://www.clouddefense.ai/compliance-rules/cis-v130/monitoring/cis-v130-4-11",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000084031-ensure-a-log-metric-filter-and-alarm-exist-for-changes-to-network-access-control-lists-nacl-",
|
||||
"https://trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchLogs/network-acl-changes-alarm.html",
|
||||
"https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/network-acl-changes-alarm.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233134-4-11-ensure-network-access-control-list-nacl-changes-are-monitored-manual-"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
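Review bot: The replacement entry keeps the bare `trendmicro.com` host while the other replacements in this commit use `www.trendmicro.com`, so the metadata now mixes two host forms for the same knowledge base. If the bare host only redirects to `www`, consumers of `AdditionalURLs` get an extra hop and link checkers may flag it; normalizing to `"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/network-acl-changes-alarm.html",` matches the rest of the change. The retention-period hunk that follows, and the partial CloudTrail hunk at the top of this view, carry the same bare-host form.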
+1
-1
@@ -19,7 +19,7 @@
|
||||
"Risk": "Short log retention erodes audit evidence. Adversaries can wait out the window, creating gaps in detection, forensics, and compliance reporting. This degrades the **availability** of historical logs and the **integrity** of incident timelines.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchLogs/cloudwatch-logs-retention-period.html",
|
||||
"https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/cloudwatch-logs-retention-period.html",
|
||||
"https://boto3.amazonaws.com/v1/documentation/api/1.26.93/reference/services/logs/client/put_retention_policy.html",
|
||||
"https://medium.com/pareture/aws-cloudwatch-log-group-retention-periods-bb8a2fb9c358",
|
||||
"https://www.blinkops.com/blog/cloudwatch-retention",
|
||||
|
||||
+1
-3
@@ -17,9 +17,7 @@
|
||||
"Risk": "Absent this monitoring, logging can be stopped or altered without notice, eroding visibility.\n\nThat enables covert activity and data exfiltration without audit evidence, harming confidentiality, the integrity of records, and the availability of reliable logs for detection and forensics.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
|
||||
"https://docs.prowler.com/checks/aws/monitoring-policies/monitoring_5",
|
||||
"https://docs.prowler.com/checks/aws/monitoring-policies/monitoring_5#fix---buildtime"
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
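Review bot: After dropping the two docs.prowler.com entries, the only remaining `AdditionalURLs` element is the generic CloudWatch-alarms-for-CloudTrail page, so the list no longer points at anything specific to the alarm this check covers. Other hunks in this commit pair the generic AWS page with the check-specific Vision One knowledge-base article; if a corresponding article exists for this alarm, adding it alongside the AWS page would keep this file consistent with the others. The enclosing JSON object continues outside the hunk.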
+1
-1
@@ -21,7 +21,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
|
||||
"https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-signin-failures",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchLogs/console-sign-in-failures-alarm.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/console-sign-in-failures-alarm.html",
|
||||
"https://newsletter.simpleaws.dev/p/cloudtrail-cloudwatch-logs-login-detection-alert"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000228348-ensure-a-log-metric-filter-and-alarm-exist-for-aws-organizations-changes",
|
||||
"https://www.plerion.com/cloud-knowledge-base/ensure-aws-organizations-changes-are-monitored",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchLogs/organizations-changes-alarm.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/organizations-changes-alarm.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchLogs/root-account-usage-alarm.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/root-account-usage-alarm.html",
|
||||
"https://asecure.cloud/a/root_account_login/",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000083624-ensure-a-log-metric-filter-and-alarm-exist-for-usage-of-root-account",
|
||||
"https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-root-account-usage",
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchLogs/console-sign-in-without-mfa.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/console-sign-in-without-mfa.html",
|
||||
"https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v3.0.0_L1.audit:1957056ee174cc38502d5f5f1864333b",
|
||||
"https://www.clouddefense.ai/compliance-rules/gdpr/data-protection/log-metric-filter-console-login-mfa",
|
||||
"https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-no-mfa",
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
|
||||
"https://asecure.cloud/a/unauthorized_api_calls/",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchLogs/authorization-failures-alarm.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/authorization-failures-alarm.html",
|
||||
"https://www.tenable.com/policies/[type]/AC_AWS_0559",
|
||||
"https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-unauthorized-api-calls",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000083561-ensure-a-log-metric-filter-and-alarm-exist-for-unauthorized-api-calls"
|
||||
|
||||
+24
-15
@@ -1,31 +1,40 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "codepipeline_project_repo_private",
|
||||
"CheckTitle": "Ensure that CodePipeline projects do not use public GitHub or GitLab repositories as source.",
|
||||
"CheckType": [],
|
||||
"CheckTitle": "CodePipeline pipeline should use private repository source with authenticated connection",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices"
|
||||
],
|
||||
"ServiceName": "codepipeline",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"ResourceIdTemplate": "arn:partition:codepipeline:region:account-id:pipeline-name",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "Other",
|
||||
"ResourceType": "AwsCodePipelinePipeline",
|
||||
"ResourceGroup": "devops",
|
||||
"Description": "Ensure that CodePipeline projects do not use public GitHub or GitLab repositories as source.",
|
||||
"Risk": "Using public Git repositories in CodePipeline projects could expose sensitive deployment configurations and increase the risk of supply chain attacks.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/codepipeline/latest/userguide/connections-github.html",
|
||||
"Description": "**CodePipeline pipeline** should configure its **source stage** to use a **private repository** with authenticated connection rather than a public GitHub or GitLab repository. This ensures deployment configurations, build artifacts, and CI/CD logic remain protected from unauthorized access.",
|
||||
"Risk": "Using **public repositories** as pipeline sources exposes deployment configurations, infrastructure code, and CI/CD workflows to anyone on the internet. \n\nThis increases the risk of **supply chain attacks**, **credential exposure**, and **intellectual property theft**. Adversaries can study deployment patterns, identify security gaps, inject malicious code, or leverage exposed secrets to compromise **confidentiality**, **integrity**, and **availability** of production systems.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html",
|
||||
"https://docs.aws.amazon.com/dtconsole/latest/userguide/connections.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws codestar-connections create-connection --provider-type GitHub|GitLab --connection-name <connection-name>",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"CLI": "aws codestar-connections create-connection --provider-type GitHub --connection-name my-github-connection\naws codepipeline update-pipeline --pipeline file://pipeline-config.json",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: Configure pipeline with private repository via CodeStar Connection\nResources:\n MyConnection:\n Type: AWS::CodeStarConnections::Connection\n Properties:\n ConnectionName: my-github-connection\n ProviderType: GitHub # or GitLab\n\n MyPipeline:\n Type: AWS::CodePipeline::Pipeline\n Properties:\n Stages:\n - Name: Source\n Actions:\n - Name: SourceAction\n ActionTypeId:\n Category: Source\n Owner: AWS\n Provider: CodeStarSourceConnection\n Version: 1\n Configuration:\n ConnectionArn: !GetAtt MyConnection.ConnectionArn\n FullRepositoryId: myorg/myrepo # Private repository\n BranchName: main\n```",
|
||||
"Other": "1. In the AWS Console, navigate to **Developer Tools** → **Connections**\n2. Click **Create connection**\n3. Choose provider (GitHub or GitLab) and click **Connect**\n4. Authorize AWS to access your private repositories\n5. Navigate to **CodePipeline** → **Pipelines** and select your pipeline\n6. Click **Edit**\n7. In the **Source** stage, click **Edit action**\n8. Change **Action provider** to **GitHub (Version 2)** or **GitLab**\n9. Select **Connection** and choose the connection created in step 4\n10. Configure **Repository name** (private repo) and **Branch name**\n11. Click **Done** and **Save** the pipeline",
|
||||
"Terraform": "```hcl\n# Terraform: Configure pipeline with private repository via CodeStar Connection\nresource \"aws_codestarconnections_connection\" \"github\" {\n name = \"my-github-connection\"\n provider_type = \"GitHub\" # or \"GitLab\"\n}\n\nresource \"aws_codepipeline\" \"example\" {\n name = \"my-pipeline\"\n role_arn = aws_iam_role.codepipeline.arn\n\n stage {\n name = \"Source\"\n\n action {\n name = \"Source\"\n category = \"Source\"\n owner = \"AWS\"\n provider = \"CodeStarSourceConnection\"\n version = \"1\"\n output_artifacts = [\"source_output\"]\n\n configuration = {\n ConnectionArn = aws_codestarconnections_connection.github.arn\n FullRepositoryId = \"myorg/myrepo\" # Private repository\n BranchName = \"main\"\n }\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Use private Git repositories for CodePipeline sources and ensure proper authentication is configured using AWS CodeStar Connections. Consider using AWS CodeCommit or other private repository solutions for sensitive code.",
|
||||
"Url": "https://docs.aws.amazon.com/codepipeline/latest/userguide/connections"
|
||||
"Text": "Configure CodePipeline source stages to use **private repositories** with **AWS CodeStar Connections** for GitHub or GitLab.\n\nApply **least privilege** to connection permissions, enable **branch protection**, require **code review**, use **signed commits**, and monitor pipeline execution logs. Consider **AWS CodeCommit** for fully managed private Git hosting with native IAM integration.",
|
||||
"Url": "https://hub.prowler.com/check/codepipeline_project_repo_private"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"supply-chain-security",
|
||||
"secrets-management"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "This check supports both GitHub and GitLab repositories through CodeStar Connections"
|
||||
"Notes": "This check evaluates CodePipeline source actions that use GitHub or GitLab providers. It detects public repositories by checking repository visibility settings via CodeStar Connections API."
|
||||
}
|
||||
|
||||
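Review bot: The new `Notes` string asserts a concrete detection mechanism — "checking repository visibility settings via CodeStar Connections API" — that nothing else in the metadata supports, and a Notes field that overstates how a check decides will mislead anyone triaging its findings. If the check in fact inspects the source action's provider and repository configuration rather than querying visibility, reword it to describe what is examined, e.g. `"Notes": "This check evaluates CodePipeline source actions that use GitHub or GitLab providers through CodeStar Connections."`. Separately, the Terraform remediation snippet references `aws_iam_role.codepipeline.arn` without declaring that role; a short comment on that line such as `# IAM role for CodePipeline, declared elsewhere` would keep the excerpt self-explanatory.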
+1
-1
@@ -16,7 +16,7 @@
|
||||
"Risk": "Without **automated lifecycle policies**, backups become inconsistent and error-prone, reducing availability and weakening recovery objectives. Missing retention rules cause premature deletion or snapshot sprawl, increasing cost and exposing stale data. Lack of cross-Region/account copies limits resilience to regional outages and malicious deletion.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DLM/ebs-snapshot-automation.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/DLM/ebs-snapshot-automation.html",
|
||||
"https://repost.aws/articles/ARmYgZmA8MRQi89pWd9D7eFw/how-to-create-a-automate-backup-aws-data-lifecycle-management-using-snapshots",
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html#dlm-elements"
|
||||
],
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-6",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DMS/auto-minor-version-upgrade.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/DMS/auto-minor-version-upgrade.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DMS/multi-az.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/DMS/multi-az.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-1",
|
||||
"https://docs.aws.amazon.com/amazonq/detector-library/terraform/restrict-public-access-dms-terraform/",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DMS/publicly-accessible.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/DMS/publicly-accessible.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233448-ensure-dms-instances-are-not-publicly-accessible"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.amazonaws.cn/en_us/documentdb/latest/developerguide/what-is.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/sufficient-backup-retention-period.html#",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement-staging/knowledge-base/aws/DocumentDB/sufficient-backup-retention-period.html#",
|
||||
"https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/aws-enabledocdbclusterbackupretentionperiod.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
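Review bot: The replacement URL carries over the `-staging` path segment and the trailing `#` from the old entry, so it points at `trendaivisiononecloudriskmanagement-staging/...` while every other hunk in this commit uses the non-staging path. That looks like a mechanical substitution of the product segment rather than an intended reference; the staging path is presumably not the public knowledge base and may not resolve for users. Unless the staging page is deliberate, use `"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/DocumentDB/sufficient-backup-retention-period.html",`.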
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-4",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DocumentDB/enable-profiler.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/DocumentDB/enable-profiler.html",
|
||||
"https://docs.aws.amazon.com/cli/latest/reference/docdb/create-db-cluster.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233689-ensure-documentdb-clusters-has-deletion-protection-enabled",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DocumentDB/deletion-protection.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/DocumentDB/deletion-protection.html",
|
||||
"https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-delete.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-5"
|
||||
],
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DAX/encryption-enabled.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/DAX/encryption-enabled.html",
|
||||
"https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/dynamodb.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
-1
@@ -17,7 +17,6 @@
|
||||
"Risk": "Relying on the default service-owned key reduces control over **confidentiality**: no custom key policies, limited auditability, and no independent rotation or disablement. This weakens least-privilege enforcement and incident response, and can impede meeting mandates that require customer-controlled keys.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.prowler.com/checks/aws/general-policies/ensure-that-dynamodb-tables-are-encrypted#terraform",
|
||||
"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/",
|
||||
"https://docs.aws.amazon.com/ebs/latest/userguide/encryption-by-default.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EBS/configure-default-encryption.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EBS/configure-default-encryption.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EBS/public-snapshots.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EBS/public-snapshots.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default",
|
||||
"https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EBS/snapshot-encrypted.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EBS/snapshot-encrypted.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EBS/ebs-encrypted.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EBS/ebs-encrypted.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/ebs/latest/userguide/ebs-snapshots.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EBS/ebs-volumes-recent-snapshots.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EBS/ebs-volumes-recent-snapshots.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#set-imdsv2-account-defaults",
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/require-imds-v2.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/require-imds-v2.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -16,7 +16,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/instance-detailed-monitoring.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/instance-detailed-monitoring.html",
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html#enable-detailed-monitoring-instance"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"Risk": "Permitting **IMDSv1** or optional tokens lets SSRF or compromised workloads retrieve **temporary IAM credentials**, impacting confidentiality and integrity. Stolen role creds can drive **privilege escalation**, unauthorized data access, and lateral movement across AWS resources.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/require-imds-v2.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/require-imds-v2.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000234166-5-7-ensure-that-the-ec2-metadata-service-only-allows-imdsv2-automated-",
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#configuring-instance-metadata-options"
|
||||
],
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"Risk": "Unmanaged instances lack centralized patching, inventory, and secure remote access. This increases exposure to brute force on SSH/RDP, delayed patching, and poor visibility. Exploits can enable lateral movement and persistence, degrading confidentiality, integrity, and availability.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/SSM/ssm-managed-instances.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/SSM/ssm-managed-instances.html",
|
||||
"https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/systems-manager/latest/userguide/viewing-patch-compliance-results.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/ec2-instance-too-old.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/ec2-instance-too-old.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-cifs-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-cifs-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"Risk": "Exposed **FTP** invites Internet brute force and transmits in cleartext, enabling credential theft and packet sniffing (**confidentiality**).\n\nAttackers can upload/alter files (**integrity**) and abuse services for malware staging or DoS (**availability**). Publicly reachable hosts are rapidly probed by scanners.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-ftp-access.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-ftp-access.html",
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-mysql-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-mysql-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-oracle-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-oracle-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-postgresql-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-postgresql-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233789-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-3389-rdp-",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-rdp-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-rdp-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233806-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-6379-redis-",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-redis-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-redis-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000223371-ensure-no-security-groups-allow-ingress-from-0-0-0-0-0-or-0-to-windows-sql-server-ports-1433-or-14",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-mssql-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-mssql-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-ssh-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-ssh-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-telnet-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-telnet-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/ec2-instance-using-iam-roles.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/ec2-instance-using-iam-roles.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"Risk": "Publicly addressed instances are Internet-scannable, enabling direct probing and brute-force of exposed services and management ports. This increases risks of unauthorized access, remote code execution, and data exfiltration (**confidentiality, integrity**), and allows direct DDoS targeting, degrading **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/aws-ec2-public-ip.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/aws-ec2-public-ip.html",
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/security-group-ingress-any.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-ingress-any.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-ssh-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-ssh-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-rdp-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-rdp-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-ftp-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-ftp-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-mysql-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-mysql-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-postgresql-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-postgresql-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233790-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-23-telnet-",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/unrestricted-telnet-access.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-telnet-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -15,7 +15,7 @@
|
||||
"Risk": "Wizard-generated groups often include **overly permissive rules** (e.g., `0.0.0.0/0` to admin ports), expanding exposure. Attackers can run **port scans** and **brute-force** to gain entry, then **lateral movement** and **data exfiltration**, impacting **confidentiality** and **integrity**; broad egress aids command-and-control.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/security-group-prefixed-with-launch-wizard.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-prefixed-with-launch-wizard.html",
|
||||
"https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -15,7 +15,7 @@
|
||||
"Risk": "Orphaned security groups may later be attached with **overly permissive rules** without review, enabling unintended inbound or lateral access that compromises **confidentiality** and **integrity**. They also create **configuration drift**, increasing the chance of misapplied access controls.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/default-security-group-unrestricted.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/default-security-group-unrestricted.html",
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html"
|
||||
],
|
||||
"Remediation": {
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/security-group-rules-counts.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-rules-counts.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -20,7 +20,7 @@
|
||||
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/lp_creation.html",
|
||||
"https://aws.plainenglish.io/automation-deletion-untagged-container-image-in-amazon-ecr-using-ecr-lifecycle-policy-995eae2f5b8d",
|
||||
"https://blog.stackademic.com/title-implementing-lifecycle-policies-in-aws-ecr-a-practical-guide-3860b612b477",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECR/lifecycle-policy-in-use.html"
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/ECR/lifecycle-policy-in-use.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@
|
||||
"Risk": "Without **scan on push**, images with known CVEs can enter registries and reach runtime unnoticed, undermining **integrity** and **confidentiality** through exploitable packages. Attackers may achieve code execution and lateral movement. Delayed detection increases operational risk and extends remediation timelines.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECR/scan-on-push.html",
|
||||
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/ECR/scan-on-push.html",
|
||||
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-basic-enabling.html",
|
||||
"https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
|
||||
],
|
||||
|
||||