diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index da6a8a336e..ffb83b7bb5 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -18,6 +18,7 @@ All notable changes to the **Prowler SDK** are documented in this file. - Add organization ID parameter for MongoDB Atlas provider [(#9167)](https://github.com/prowler-cloud/prowler/pull/9167) - Add multiple compliance improvements [(#9145)](https://github.com/prowler-cloud/prowler/pull/9145) - Added validation for invalid checks, services, and categories in `load_checks_to_execute` function [(#8971)](https://github.com/prowler-cloud/prowler/pull/8971) +- NIST CSF 2.0 compliance framework for the AWS provider [(#9185)](https://github.com/prowler-cloud/prowler/pull/9185) ### Changed - Update AWS Direct Connect service metadata to new format [(#8855)](https://github.com/prowler-cloud/prowler/pull/8855) diff --git a/prowler/compliance/aws/nist_csf_2.0_aws.json b/prowler/compliance/aws/nist_csf_2.0_aws.json new file mode 100644 index 0000000000..3430763879 --- /dev/null +++ b/prowler/compliance/aws/nist_csf_2.0_aws.json @@ -0,0 +1,1612 @@ +{ + "Framework": "NIST-CSF", + "Name": "National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) v2.0", + "Version": "2.0", + "Provider": "AWS", + "Description": "The NIST Cybersecurity Framework (CSF) 2.0 offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization regardless of its size, sector, or maturity to better understand, assess, prioritize, and communicate its cybersecurity efforts. The framework's core functions are organized into six key areas: Govern (new), Identify, Protect, Detect, Respond, and Recover. Together, these functions provide a comprehensive lifecycle approach to managing cybersecurity risk.", + "Requirements": [ + { + "Id": "oc_1", + "Name": "GV.OC-1", + "Description": "The organization's role in the supply chain is identified and communicated.", + "Attributes": [ + { + "ItemId": "oc_1", + "Section": "Govern (GV)", + "SubSection": "Organizational Context (GV.OC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "config_recorder_all_regions_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "oc_2", + "Name": "GV.OC-2", + "Description": "Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed.", + "Attributes": [ + { + "ItemId": "oc_2", + "Section": "Govern (GV)", + "SubSection": "Organizational Context (GV.OC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "config_recorder_all_regions_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "oc_3", + "Name": "GV.OC-3", + "Description": "The organization's place in critical infrastructure and its industry sector is identified and communicated.", + "Attributes": [ + { + "ItemId": "oc_3", + "Section": "Govern (GV)", + "SubSection": "Organizational Context (GV.OC)", + "Service": "aws" + } + ], + "Checks": [ + "config_recorder_all_regions_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "rm_1", + "Name": "GV.RM-1", + "Description": "Organizational cybersecurity risk management strategy is established, communicated, and maintained.", + "Attributes": [ + { + "ItemId": "rm_1", + "Section": "Govern (GV)", + "SubSection": "Risk Management Strategy (GV.RM)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "config_recorder_all_regions_enabled", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "rm_2", + "Name": "GV.RM-2", + "Description": "Organizational risk tolerance is determined and clearly expressed.", + "Attributes": [ + { + "ItemId": "rm_2", + "Section": "Govern (GV)", + "SubSection": "Risk Management Strategy (GV.RM)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "config_recorder_all_regions_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "rm_3", + "Name": "GV.RM-3", + "Description": "The organization's determination of risk tolerance is informed by its role in critical infrastructure, sector-specific risk analysis, or organizational risk analysis.", + "Attributes": [ + { + "ItemId": "rm_3", + "Section": "Govern (GV)", + "SubSection": "Risk Management Strategy (GV.RM)", + "Service": "aws" + } + ], + "Checks": [ + "config_recorder_all_regions_enabled", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "sc_1", + "Name": "GV.SC-1", + "Description": "Cybersecurity supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.", + "Attributes": [ + { + "ItemId": "sc_1", + "Section": "Govern (GV)", + "SubSection": "Cybersecurity Supply Chain Risk Management (GV.SC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "config_recorder_all_regions_enabled", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "sc_2", + "Name": "GV.SC-2", + "Description": "Supply chain risk management processes are established, managed, and agreed to by organizational stakeholders.", + "Attributes": [ + { + "ItemId": "sc_2", + "Section": "Govern (GV)", + "SubSection": "Cybersecurity Supply Chain Risk Management (GV.SC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "config_recorder_all_regions_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "sc_3", + "Name": "GV.SC-3", + "Description": "Suppliers and third-party partners are evaluated, assessed, and monitored using cybersecurity supply chain risk management processes.", + "Attributes": [ + { + "ItemId": "sc_3", + "Section": "Govern (GV)", + "SubSection": "Cybersecurity Supply Chain Risk Management (GV.SC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "config_recorder_all_regions_enabled", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "sc_4", + "Name": "GV.SC-4", + "Description": "Supply chain risk management processes are continuously improved.", + "Attributes": [ + { + "ItemId": "sc_4", + "Section": "Govern (GV)", + "SubSection": "Cybersecurity Supply Chain Risk Management (GV.SC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "config_recorder_all_regions_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "rr_1", + "Name": "GV.RR-1", + "Description": "Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.", + "Attributes": [ + { + "ItemId": "rr_1", + "Section": "Govern (GV)", + "SubSection": "Roles, Responsibilities, and Authorities (GV.RR)", + "Service": "iam" + } + ], + "Checks": [ + "iam_aws_attached_policy_no_administrative_privileges", + "iam_customer_attached_policy_no_administrative_privileges", + "iam_inline_policy_no_administrative_privileges", + "iam_no_root_access_key", + "cloudtrail_multi_region_enabled" + ] + }, + { + "Id": "rr_2", + "Name": "GV.RR-2", + "Description": "Cybersecurity responsibilities are established and communicated.", + "Attributes": [ + { + "ItemId": "rr_2", + "Section": "Govern (GV)", + "SubSection": "Roles, Responsibilities, and Authorities (GV.RR)", + "Service": "iam" + } + ], + "Checks": [ + "iam_aws_attached_policy_no_administrative_privileges", + "iam_customer_attached_policy_no_administrative_privileges", + "iam_inline_policy_no_administrative_privileges", + "cloudtrail_multi_region_enabled" + ] + }, + { + "Id": "rr_3", + "Name": "GV.RR-3", + "Description": "Senior executives are accountable for cybersecurity risk.", + "Attributes": [ + { + "ItemId": "rr_3", + "Section": "Govern (GV)", + "SubSection": "Roles, Responsibilities, and Authorities (GV.RR)", + "Service": "aws" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "cloudtrail_multi_region_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "po_1", + "Name": "GV.PO-1", + "Description": "Cybersecurity policy is established, communicated, and enforced.", + "Attributes": [ + { + "ItemId": "po_1", + "Section": "Govern (GV)", + "SubSection": "Policies, Processes, and Procedures (GV.PO)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "config_recorder_all_regions_enabled", + "iam_password_policy_reuse_24", + "securityhub_enabled" + ] + }, + { + "Id": "po_2", + "Name": "GV.PO-2", + "Description": "Cybersecurity policy is updated as needed to reflect changes in organizational priorities, threat landscape, or technology.", + "Attributes": [ + { + "ItemId": "po_2", + "Section": "Govern (GV)", + "SubSection": "Policies, Processes, and Procedures (GV.PO)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "config_recorder_all_regions_enabled", + "cloudwatch_log_metric_filter_policy_changes" + ] + }, + { + "Id": "po_3", + "Name": "GV.PO-3", + "Description": "Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.", + "Attributes": [ + { + "ItemId": "po_3", + "Section": "Govern (GV)", + "SubSection": "Policies, Processes, and Procedures (GV.PO)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "config_recorder_all_regions_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "po_4", + "Name": "GV.PO-4", + "Description": "Governance and risk management processes address cybersecurity risks.", + "Attributes": [ + { + "ItemId": "po_4", + "Section": "Govern (GV)", + "SubSection": "Policies, Processes, and Procedures (GV.PO)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "config_recorder_all_regions_enabled", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "po_5", + "Name": "GV.PO-5", + "Description": "Processes for managing cybersecurity requirements for suppliers and third-party partners are established.", + "Attributes": [ + { + "ItemId": "po_5", + "Section": "Govern (GV)", + "SubSection": "Policies, Processes, and Procedures (GV.PO)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "config_recorder_all_regions_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ov_1", + "Name": "GV.OV-1", + "Description": "Cybersecurity risk management strategy outcomes are reviewed to inform and adjust organizational priorities.", + "Attributes": [ + { + "ItemId": "ov_1", + "Section": "Govern (GV)", + "SubSection": "Oversight (GV.OV)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "config_recorder_all_regions_enabled", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ov_2", + "Name": "GV.OV-2", + "Description": "Cybersecurity risk management performance is measured and reported.", + "Attributes": [ + { + "ItemId": "ov_2", + "Section": "Govern (GV)", + "SubSection": "Oversight (GV.OV)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "config_recorder_all_regions_enabled", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ov_3", + "Name": "GV.OV-3", + "Description": "Cybersecurity risk management strategy and practices are reviewed and adjusted to adapt to changes in the threat landscape, technologies, or mission, business, or system environments.", + "Attributes": [ + { + "ItemId": "ov_3", + "Section": "Govern (GV)", + "SubSection": "Oversight (GV.OV)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "config_recorder_all_regions_enabled", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ov_4", + "Name": "GV.OV-4", + "Description": "Cybersecurity risk management processes are reviewed to ensure they meet legal and regulatory requirements.", + "Attributes": [ + { + "ItemId": "ov_4", + "Section": "Govern (GV)", + "SubSection": "Oversight (GV.OV)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "config_recorder_all_regions_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "am_1", + "Name": "ID.AM-1", + "Description": "Physical devices and systems within the organization are inventoried.", + "Attributes": [ + { + "ItemId": "am_1", + "Section": "Identify (ID)", + "SubSection": "Asset Management (ID.AM)", + "Service": "aws" + } + ], + "Checks": [ + "config_recorder_all_regions_enabled", + "ec2_instance_managed_by_ssm" + ] + }, + { + "Id": "am_2", + "Name": "ID.AM-2", + "Description": "Software platforms and applications within the organization are inventoried.", + "Attributes": [ + { + "ItemId": "am_2", + "Section": "Identify (ID)", + "SubSection": "Asset Management (ID.AM)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "am_3", + "Name": "ID.AM-3", + "Description": "Organizational communication and data flows are mapped.", + "Attributes": [ + { + "ItemId": "am_3", + "Section": "Identify (ID)", + "SubSection": "Asset Management (ID.AM)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_restapi_logging_enabled", + "cloudtrail_multi_region_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "am_5", + "Name": "ID.AM-5", + "Description": "Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.", + "Attributes": [ + { + "ItemId": "am_5", + "Section": "Identify (ID)", + "SubSection": "Asset Management (ID.AM)", + "Service": "aws" + } + ], + "Checks": [] + }, + { + "Id": "am_6", + "Name": "ID.AM-6", + "Description": "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.", + "Attributes": [ + { + "ItemId": "am_6", + "Section": "Identify (ID)", + "SubSection": "Asset Management (ID.AM)", + "Service": "iam" + } + ], + "Checks": [] + }, + { + "Id": "be_5", + "Name": "ID.BE-5", + "Description": "Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)", + "Attributes": [ + { + "ItemId": "be_5", + "Section": "Identify (ID)", + "SubSection": "Business Environment (ID.BE)", + "Service": "aws" + } + ], + "Checks": [ + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ra_1", + "Name": "ID.RA-1", + "Description": "Asset vulnerabilities are identified and documented.", + "Attributes": [ + { + "ItemId": "ra_1", + "Section": "Identify (ID)", + "SubSection": "Risk Assessment (ID.RA)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "securityhub_enabled", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "ra_2", + "Name": "ID.RA-2", + "Description": "Cyber threat intelligence is received from information sharing forums and sources.", + "Attributes": [ + { + "ItemId": "ra_2", + "Section": "Identify (ID)", + "SubSection": "Risk Assessment (ID.RA)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ra_3", + "Name": "ID.RA-3", + "Description": "Threats, both internal and external, are identified and documented.", + "Attributes": [ + { + "ItemId": "ra_3", + "Section": "Identify (ID)", + "SubSection": "Risk Assessment (ID.RA)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ra_5", + "Name": "ID.RA-5", + "Description": "Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.", + "Attributes": [ + { + "ItemId": "ra_5", + "Section": "Identify (ID)", + "SubSection": "Risk Assessment (ID.RA)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "config_recorder_all_regions_enabled", + "ec2_instance_imdsv2_enabled", + "guardduty_is_enabled", + "cloudwatch_log_metric_filter_for_s3_bucket_policy_changes", + "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled", + "cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled", + "cloudwatch_log_metric_filter_authentication_failures", + "cloudwatch_log_metric_filter_sign_in_without_mfa", + "cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk", + "cloudwatch_log_metric_filter_policy_changes", + "cloudwatch_log_metric_filter_root_usage", + "cloudwatch_log_metric_filter_security_group_changes", + "cloudwatch_log_metric_filter_unauthorized_api_calls", + "rds_instance_enhanced_monitoring_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "id_sc_4", + "Name": "ID.SC-4", + "Description": "Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.", + "Attributes": [ + { + "ItemId": "id_sc_4", + "Section": "Identify (ID)", + "SubSection": "Supply Chain Risk Management (ID.SC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "config_recorder_all_regions_enabled", + "ec2_instance_imdsv2_enabled", + "guardduty_is_enabled", + "cloudwatch_log_metric_filter_for_s3_bucket_policy_changes", + "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled", + "cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled", + "cloudwatch_log_metric_filter_authentication_failures", + "cloudwatch_log_metric_filter_sign_in_without_mfa", + "cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk", + "cloudwatch_log_metric_filter_policy_changes", + "cloudwatch_log_metric_filter_root_usage", + "cloudwatch_log_metric_filter_security_group_changes", + "cloudwatch_log_metric_filter_unauthorized_api_calls", + "rds_instance_enhanced_monitoring_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ac_1", + "Name": "PR.AC-1", + "Description": "Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.", + "Attributes": [ + { + "ItemId": "ac_1", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "aws" + } + ], + "Checks": [ + "iam_password_policy_reuse_24", + "iam_aws_attached_policy_no_administrative_privileges", + "iam_customer_attached_policy_no_administrative_privileges", + "iam_inline_policy_no_administrative_privileges", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_accesskey_unused", + "iam_user_console_access_unused", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3", + "Name": "PR.AC-3", + "Description": "Remote access is managed.", + "Attributes": [ + { + "ItemId": "ac_3", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22" + ] + }, + { + "Id": "ac_4", + "Name": "PR.AC-4", + "Description": "Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.", + "Attributes": [ + { + "ItemId": "ac_4", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "aws" + } + ], + "Checks": [ + "iam_aws_attached_policy_no_administrative_privileges", + "iam_customer_attached_policy_no_administrative_privileges", + "iam_inline_policy_no_administrative_privileges", + "iam_no_root_access_key", + "iam_user_accesskey_unused", + "iam_user_console_access_unused" + ] + }, + { + "Id": "ac_5", + "Name": "PR.AC-5", + "Description": "Network integrity is protected (e.g., network segregation, network segmentation).", + "Attributes": [ + { + "ItemId": "ac_5", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22" + ] + }, + { + "Id": "ac_6", + "Name": "PR.AC-6", + "Description": "Identities are proofed and bound to credentials and asserted in interactions.", + "Attributes": [ + { + "ItemId": "ac_6", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "ac_7", + "Name": "PR.AC-7", + "Description": "Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks).", + "Attributes": [ + { + "ItemId": "ac_7", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ds_1", + "Name": "PR.DS-1", + "Description": "Data-at-rest is protected.", + "Attributes": [ + { + "ItemId": "ds_1", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_kms_encryption_enabled", + "ec2_ebs_volume_encryption", + "efs_encryption_at_rest_enabled", + "opensearch_service_domains_encryption_at_rest_enabled", + "cloudwatch_log_group_kms_encryption_enabled", + "rds_instance_storage_encrypted", + "s3_bucket_default_encryption", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled" + ] + }, + { + "Id": "ds_2", + "Name": "PR.DS-2", + "Description": "Data-in-transit is protected.", + "Attributes": [ + { + "ItemId": "ds_2", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "ds_3", + "Name": "PR.DS-3", + "Description": "Assets are formally managed throughout removal, transfers, and disposition.", + "Attributes": [ + { + "ItemId": "ds_3", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching", + "ec2_elastic_ip_unassigned" + ] + }, + { + "Id": "ds_4", + "Name": "PR.DS-4", + "Description": "Adequate capacity to ensure availability is maintained.", + "Attributes": [ + { + "ItemId": "ds_4", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "elbv2_deletion_protection", + "rds_instance_enhanced_monitoring_enabled", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ds_5", + "Name": "PR.DS-5", + "Description": "Protections against data leaks are implemented.", + "Attributes": [ + { + "ItemId": "ds_5", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "ec2_ebs_public_snapshot", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_server_access_logging_enabled", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "ds_6", + "Name": "PR.DS-6", + "Description": "Integrity checking mechanisms are used to verify software, firmware, and information integrity.", + "Attributes": [ + { + "ItemId": "ds_6", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "cloudtrail" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled" + ] + }, + { + "Id": "ds_7", + "Name": "PR.DS-7", + "Description": "The development and testing environment(s) are separate from the production environment.", + "Attributes": [ + { + "ItemId": "ds_7", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled", + "ec2_instance_managed_by_ssm", + "ec2_instance_older_than_specific_days", + "elbv2_deletion_protection", + "ssm_managed_compliant_patching", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22" + ] + }, + { + "Id": "ds_8", + "Name": "PR.DS-8", + "Description": "Integrity checking mechanisms are used to verify hardware integrity.", + "Attributes": [ + { + "ItemId": "ds_8", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "securityhub_enabled" + ] + }, + { + "Id": "ip_1", + "Name": "PR.IP-1", + "Description": "A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).", + "Attributes": [ + { + "ItemId": "ip_1", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ec2_instance_older_than_specific_days", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "ip_2", + "Name": "PR.IP-2", + "Description": "A System Development Life Cycle to manage systems is implemented.", + "Attributes": [ + { + "ItemId": "ip_2", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm" + ] + }, + { + "Id": "ip_3", + "Name": "PR.IP-3", + "Description": "Configuration change control processes are in place.", + "Attributes": [ + { + "ItemId": "ip_3", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "elb" + } + ], + "Checks": [ + "elbv2_deletion_protection" + ] + }, + { + "Id": "ip_4", + "Name": "PR.IP-4", + "Description": "Backups of information are conducted, maintained, and tested periodically.", + "Attributes": [ + { + "ItemId": "ip_4", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "rds_instance_backup_enabled", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ip_7", + "Name": "PR.IP-7", + "Description": "Protection processes are improved.", + "Attributes": [ + { + "ItemId": "ip_7", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "ec2" + } + ], + "Checks": [] + }, + { + "Id": "ip_8", + "Name": "PR.IP-8", + "Description": "Effectiveness of protection technologies is shared.", + "Attributes": [ + { + "ItemId": "ip_8", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "eks_cluster_not_publicly_accessible", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "sagemaker_notebook_instance_without_direct_internet_access_configured" + ] + }, + { + "Id": "ip_9", + "Name": "PR.IP-9", + "Description": "Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.", + "Attributes": [ + { + "ItemId": "ip_9", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ip_12", + "Name": "PR.IP-12", + "Description": "A vulnerability management plan is developed and implemented.", + "Attributes": [ + { + "ItemId": "ip_12", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "config_recorder_all_regions_enabled", + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "ma_2", + "Name": "PR.MA-2", + "Description": "Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.", + "Attributes": [ + { + "ItemId": "ma_2", + "Section": "Protect (PR)", + "SubSection": "Maintenance (PR.MA)", + "Service": "cloudtrail" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled" + ] + }, + { + "Id": "pt_1", + "Name": "PR.PT-1", + "Description": "Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.", + "Attributes": [ + { + "ItemId": "pt_1", + "Section": "Protect (PR)", + "SubSection": "Protective Technology (PR.PT)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_restapi_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "pt_3", + "Name": "PR.PT-3", + "Description": "The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.", + "Attributes": [ + { + "ItemId": "pt_3", + "Section": "Protect (PR)", + "SubSection": "Protective Technology (PR.PT)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "iam_aws_attached_policy_no_administrative_privileges", + "iam_customer_attached_policy_no_administrative_privileges", + "iam_inline_policy_no_administrative_privileges", + "iam_no_root_access_key", + "awslambda_function_url_public", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks" + ] + }, + { + "Id": "pt_4", + "Name": "PR.PT-4", + "Description": "Communications and control networks are protected.", + "Attributes": [ + { + "ItemId": "pt_4", + "Section": "Protect (PR)", + "SubSection": "Protective Technology (PR.PT)", + "Service": "aws" + } + ], + "Checks": [ + "awslambda_function_not_publicly_accessible", + "rds_instance_no_public_access", + "redshift_cluster_public_access", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22" + ] + }, + { + "Id": "pt_5", + "Name": "PR.PT-5", + "Description": "Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.", + "Attributes": [ + { + "ItemId": "pt_5", + "Section": "Protect (PR)", + "SubSection": "Protective Technology (PR.PT)", + "Service": "aws" + } + ], + "Checks": [ + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ae_1", + "Name": "DE.AE-1", + "Description": "A baseline of network operations and expected data flows for users and systems is established and managed.", + "Attributes": [ + { + "ItemId": "ae_1", + "Section": "Detect (DE)", + "SubSection": "Anomalies and Events (DE.AE)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_restapi_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "ec2_securitygroup_default_restrict_traffic", + "vpc_flow_logs_enabled", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22" + ] + }, + { + "Id": "ae_2", + "Name": "DE.AE-2", + "Description": "Detected events are analyzed to understand attack targets and methods.", + "Attributes": [ + { + "ItemId": "ae_2", + "Section": "Detect (DE)", + "SubSection": "Anomalies and Events (DE.AE)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ae_3", + "Name": "DE.AE-3", + "Description": "Event data are collected and correlated from multiple sources and sensors.", + "Attributes": [ + { + "ItemId": "ae_3", + "Section": "Detect (DE)", + "SubSection": "Anomalies and Events (DE.AE)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_restapi_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "ae_4", + "Name": "DE.AE-4", + "Description": "Impact of events is determined.", + "Attributes": [ + { + "ItemId": "ae_4", + "Section": "Detect (DE)", + "SubSection": "Anomalies and Events (DE.AE)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ae_5", + "Name": "DE.AE-5", + "Description": "Incident alert thresholds are established.", + "Attributes": [ + { + "ItemId": "ae_5", + "Section": "Detect (DE)", + "SubSection": "Anomalies and Events (DE.AE)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured" + ] + }, + { + "Id": "cm_1", + "Name": "DE.CM-1", + "Description": "The network is monitored to detect potential cybersecurity events.", + "Attributes": [ + { + "ItemId": "cm_1", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_restapi_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "cm_2", + "Name": "DE.CM-2", + "Description": "The physical environment is monitored to detect potential cybersecurity events.", + "Attributes": [ + { + "ItemId": "cm_2", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "config_recorder_all_regions_enabled", + "ec2_instance_imdsv2_enabled", + "guardduty_is_enabled", + "cloudwatch_log_metric_filter_for_s3_bucket_policy_changes", + "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled", + "cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled", + "cloudwatch_log_metric_filter_authentication_failures", + "cloudwatch_log_metric_filter_sign_in_without_mfa", + "cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk", + "cloudwatch_log_metric_filter_policy_changes", + "cloudwatch_log_metric_filter_root_usage", + "cloudwatch_log_metric_filter_security_group_changes", + "cloudwatch_log_metric_filter_unauthorized_api_calls", + "rds_instance_enhanced_monitoring_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "cm_3", + "Name": "DE.CM-3", + "Description": "Personnel activity is monitored to detect potential cybersecurity events.", + "Attributes": [ + { + "ItemId": "cm_3", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "guardduty_is_enabled", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "cm_4", + "Name": "DE.CM-4", + "Description": "Malicious code is detected.", + "Attributes": [ + { + "ItemId": "cm_4", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "cm_5", + "Name": "DE.CM-5", + "Description": "Unauthorized mobile code is detected.", + "Attributes": [ + { + "ItemId": "cm_5", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "ec2_instance_imdsv2_enabled", + "elbv2_waf_acl_attached", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "cm_6", + "Name": "DE.CM-6", + "Description": "External service provider activity is monitored to detect potential cybersecurity events.", + "Attributes": [ + { + "ItemId": "cm_6", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "guardduty_is_enabled", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "cm_7", + "Name": "DE.CM-7", + "Description": "Monitoring for unauthorized personnel, connections, devices, and software is performed.", + "Attributes": [ + { + "ItemId": "cm_7", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_restapi_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "dp_4", + "Name": "DE.DP-4", + "Description": "Event detection information is communicated.", + "Attributes": [ + { + "ItemId": "dp_4", + "Section": "Detect (DE)", + "SubSection": "Detection Processes (DE.DP)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "ec2_instance_imdsv2_enabled", + "elbv2_waf_acl_attached", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "dp_5", + "Name": "DE.DP-5", + "Description": "Detection processes are continuously improved.", + "Attributes": [ + { + "ItemId": "dp_5", + "Section": "Detect (DE)", + "SubSection": "Detection Processes (DE.DP)", + "Service": "ec2" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled" + ] + }, + { + "Id": "an_2", + "Name": "RS.AN-2", + "Description": "The impact of the incident is understood.", + "Attributes": [ + { + "ItemId": "an_2", + "Section": "Respond (RS)", + "SubSection": "Analysis (RS.AN)", + "Service": "guardduty" + } + ], + "Checks": [ + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "mi_3", + "Name": "RS.MI-3", + "Description": "Newly identified vulnerabilities are mitigated or documented as accepted risks.", + "Attributes": [ + { + "ItemId": "mi_3", + "Section": "Respond (RS)", + "SubSection": "Mitigation (RS.MI)", + "Service": "guardduty" + } + ], + "Checks": [ + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "rp_1", + "Name": "RS.RP-1", + "Description": "Response plan is executed during or after an incident.", + "Attributes": [ + { + "ItemId": "rp_1", + "Section": "Respond (RS)", + "SubSection": "Response Planning (RS.RP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "rc_rp_1", + "Name": "RC.RP-1", + "Description": "Recovery plan is executed during or after a cybersecurity incident.", + "Attributes": [ + { + "ItemId": "rc_rp_1", + "Section": "Recover (RC)", + "SubSection": "Recovery Planning (RC.RP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + } + ] +} +