feat(config): add compliance guardrails for the SDK config (#11669)

This commit is contained in:
Pedro Martín
2026-06-26 15:14:08 +02:00
committed by GitHub
parent d6f5f060ca
commit fe7e6675e0
137 changed files with 9694 additions and 426 deletions
@@ -46,6 +46,10 @@ When adding a new configurable check to Prowler, update the following files:
For a complete list of checks that already support configuration, see the [Configuration File Tutorial](/user-guide/cli/tutorials/configuration_file).
<Note>
Because a configurable check's verdict depends on the `audit_config` value it reads, a compliance requirement can lose meaning if the scan ran with a looser threshold than the control demands. Compliance frameworks can guard against this with **configuration guardrails**: a requirement declares the strictest configuration it tolerates and is forced to FAIL when the scan's config falls short. See [Configuration Guardrails for Requirements](/developer-guide/security-compliance-framework#configuration-guardrails-for-requirements).
</Note>
## Adding a Parameter to the Provider Schema
Most providers have a typed Pydantic schema in `prowler/config/schema/`, registered in `prowler/config/schema/registry.py`. When a config is loaded and the provider has a registered schema, `validate_provider_config` checks each user-supplied key against it, logs a warning, and drops any field that fails validation. The consumer's `.get(key, default)` then falls back to the built-in default. Providers without a registered schema are passed through unchanged.
@@ -2,6 +2,8 @@
title: 'Creating a New Security Compliance Framework in Prowler'
---
import { VersionBadge } from "/snippets/version-badge.mdx"
This guide explains how to add a new security compliance framework to Prowler, end to end. It covers directory layout, the two supported JSON schemas (universal and legacy), the Pydantic models that validate each framework, check mapping conventions, output formatting, local validation, testing, and the pull request process.
## Introduction
@@ -23,7 +25,7 @@ Requirement coverage feeds the compliance percentage calculations and the metada
| **Universal (recommended for new frameworks)** | Multi-provider frameworks, or single-provider frameworks that benefit from declarative table/PDF rendering | `prowler/compliance/<framework>.json` (top-level) | Available for **every** provider whose key appears in any `requirement.checks` dict |
| **Legacy provider-specific** | Single-provider frameworks with framework-specific attribute classes already declared in the codebase (CIS, ENS, ISO 27001, etc.) | `prowler/compliance/<provider>/<framework>_<version>_<provider>.json` | Available only under that provider |
Auto-discovery happens in `get_bulk_compliance_frameworks_universal(provider)` (`prowler/lib/check/compliance_models.py:915`), which scans **both** the top-level `prowler/compliance/` directory and every per-provider sub-directory. Legacy frameworks are transparently converted to the universal `ComplianceFramework` model via `adapt_legacy_to_universal()` before being returned, so the rest of Prowler — CLI table rendering, CSV/OCSF outputs, PDF generation — works the same regardless of the source schema.
Auto-discovery happens in `get_bulk_compliance_frameworks_universal(provider)` (`prowler/lib/check/compliance_models.py`), which scans **both** the top-level `prowler/compliance/` directory and every per-provider sub-directory. Legacy frameworks are transparently converted to the universal `ComplianceFramework` model via `adapt_legacy_to_universal()` before being returned, so the rest of Prowler — CLI table rendering, CSV/OCSF outputs, PDF generation — works the same regardless of the source schema.
> The legacy entry-point `Compliance.get_bulk(provider)` (used by older code paths) only scans per-provider sub-directories. Universal top-level files are picked up exclusively via the universal loader; this matters if you are wiring a new code path against the legacy API.
@@ -70,13 +72,13 @@ The file is auto-discovered — there is **no** need to register it in any `__in
}
```
A `provider` field at the top level is **optional**. The framework's effective provider list is derived by `ComplianceFramework.get_providers()` (`compliance_models.py:739`) from the union of all keys appearing in `requirement.checks` across all requirements; the explicit `provider` field is used **only as a fallback** when no requirement carries any `checks` key. This is what enables a single file (e.g. `dora_2022_2554.json`) to cover AWS today and add Azure / GCP / etc. tomorrow without restructuring.
A `provider` field at the top level is **optional**. The framework's effective provider list is derived by `ComplianceFramework.get_providers()` (`compliance_models.py`) from the union of all keys appearing in `requirement.checks` across all requirements; the explicit `provider` field is used **only as a fallback** when no requirement carries any `checks` key. This is what enables a single file (e.g. `dora_2022_2554.json`) to cover AWS today and add Azure / GCP / etc. tomorrow without restructuring.
Provider keys inside `requirement.checks` must match the directory names under `prowler/providers/`. The valid keys at present are: `aws`, `azure`, `gcp`, `m365`, `kubernetes`, `iac`, `github`, `googleworkspace`, `alibabacloud`, `cloudflare`, `mongodbatlas`, `nhn`, `openstack`, `oraclecloud`, `llm`. Comparison in `supports_provider()` is case-insensitive, but lowercase is the convention used everywhere in the repository.
### `attributes_metadata`
Declares the shape of the per-requirement `attributes` dict. When this field is present, the root validator `validate_attributes_against_metadata` (`compliance_models.py:669`) enforces the schema at load time and rejects:
Declares the shape of the per-requirement `attributes` dict. When this field is present, the root validator `validate_attributes_against_metadata` (`compliance_models.py`) enforces the schema at load time and rejects:
- Missing keys marked `required: true`.
- Keys present in `attributes` but not declared in `attributes_metadata` (typo / drift guard).
@@ -192,6 +194,7 @@ Per requirement:
- `name`: short title shown alongside the id.
- `attributes`: flat dict; keys must conform to `attributes_metadata`.
- `checks`: dict keyed by provider name (the same lowercase keys listed in the previous section). Each value is a list of Prowler check names that evidence this requirement for that provider. The list **may be empty** and the dict itself defaults to `{}` if omitted; either way the requirement is still loaded and listed by `--list-compliance-requirements`, it just has zero checks to execute. Note: there is **no automatic check-existence validation** at load time — referencing a non-existent check name will silently produce a requirement with no findings. Validate this yourself (see "Validating Your Framework" below).
- `config_requirements`: optional list of configuration guardrails. Each entry asserts that a configurable check referenced by this requirement ran with a configuration strict enough to actually satisfy the requirement; otherwise the requirement is forced to FAIL. See [Configuration Guardrails for Requirements](#configuration-guardrails-for-requirements) for the full schema and semantics. In the universal schema the field name is lowercase (`config_requirements`); legacy files use `ConfigRequirements`.
For MITRE-style frameworks, additional optional fields are available on the requirement: `tactics`, `sub_techniques`, `platforms`, `technique_url` (these are populated automatically when adapting a legacy MITRE JSON to the universal model).
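Review bot: the `config_requirements` bullet should state that the objects inside the list keep the PascalCase keys of the legacy model (`Check`, `ConfigKey`, `Operator`, `Value`, `Provider`) even though the list field itself is lowercase; every other universal field here is lowercase (`id`, `name`, `attributes`, `checks`), so a reader will expect `check` / `config_key` and only discovers the mixed convention from the example much further down. Suggest appending a sentence such as "the constraint objects use the same PascalCase keys in both schemas."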
@@ -258,7 +261,7 @@ prowler/lib/outputs/compliance/<framework>/
### JSON schema reference
Every legacy compliance file is a JSON document with the following top-level keys. `Framework`, `Name` and `Provider` are validated non-empty by the root validator `framework_and_provider_must_not_be_empty` (`compliance_models.py:329`).
Every legacy compliance file is a JSON document with the following top-level keys. `Framework`, `Name` and `Provider` are validated non-empty by the root validator `framework_and_provider_must_not_be_empty` (`compliance_models.py`).
| Field | Type | Required | Description |
|---|---|---|---|
@@ -280,10 +283,11 @@ Each entry in `Requirements` describes one control or requirement.
| `Description` | string | Yes | Verbatim description from the source framework. |
| `Attributes` | array | Yes | List of [attribute objects](#attribute-objects). The shape depends on the framework. |
| `Checks` | array of strings | Yes | Prowler check identifiers that automate the requirement. Leave the list empty when the control cannot be automated. |
| `ConfigRequirements` | array of objects | No | Optional [configuration guardrails](#configuration-guardrails-for-requirements). Each entry asserts that a configurable check ran with a configuration strict enough to satisfy the requirement; when it did not, the requirement is forced to FAIL. |
#### Attribute Objects
`Attributes` is parsed against the union declared in `Compliance_Requirement.Attributes` (`compliance_models.py:293`). Pydantic v1 tries each member of the union in declaration order and falls back to `Generic_Compliance_Requirement_Attribute` (the last entry) when nothing else matches — so a brand-new shape that doesn't match any existing class will silently be accepted as Generic, losing its specific fields.
`Attributes` is parsed against the union declared in `Compliance_Requirement.Attributes` (`compliance_models.py`). Pydantic v1 tries each member of the union in declaration order and falls back to `Generic_Compliance_Requirement_Attribute` (the last entry) when nothing else matches — so a brand-new shape that doesn't match any existing class will silently be accepted as Generic, losing its specific fields.
As of today, the registered attribute classes are: `CIS_Requirement_Attribute`, `ENS_Requirement_Attribute`, `ASDEssentialEight_Requirement_Attribute`, `ISO27001_2013_Requirement_Attribute`, `AWS_Well_Architected_Requirement_Attribute`, `KISA_ISMSP_Requirement_Attribute`, `Prowler_ThreatScore_Requirement_Attribute`, `CCC_Requirement_Attribute`, `C5Germany_Requirement_Attribute`, `CSA_CCM_Requirement_Attribute`, and `Generic_Compliance_Requirement_Attribute` (fallback). MITRE-style frameworks use the separate `Mitre_Requirement` model with `Tactics` / `SubTechniques` / `Platforms` / `TechniqueURL` at the requirement top level. The most common shapes are summarized below.
@@ -472,13 +476,188 @@ For NIST-style catalogs that use `Generic_Compliance_Requirement_Attribute`, no
### Legacy-to-universal adapter
At load time, every legacy file is transparently adapted to a `ComplianceFramework` via `adapt_legacy_to_universal()` (`compliance_models.py:819`), which: (a) flattens the first element of `Attributes` into a flat `attributes` dict, (b) wraps `Checks` as `{provider_lower: [...]}`, (c) infers `attributes_metadata` from the matched Pydantic class via `_infer_attribute_metadata()`. The rest of Prowler (CSV/OCSF/PDF output, CLI table) then treats both formats identically.
At load time, every legacy file is transparently adapted to a `ComplianceFramework` via `adapt_legacy_to_universal()` (`compliance_models.py`), which: (a) flattens the first element of `Attributes` into a flat `attributes` dict, (b) wraps `Checks` as `{provider_lower: [...]}`, (c) infers `attributes_metadata` from the matched Pydantic class via `_infer_attribute_metadata()`. The rest of Prowler (CSV/OCSF/PDF output, CLI table) then treats both formats identically.
Loader-error behaviour differs between the two entry points:
- `load_compliance_framework()` (legacy) is **fail-fast**: it calls `sys.exit(1)` on any `ValidationError` (`compliance_models.py:464`).
- `load_compliance_framework()` (legacy) is **fail-fast**: it calls `sys.exit(1)` on any `ValidationError` (`compliance_models.py`).
- `load_compliance_framework_universal()` is more lenient — it logs the error and returns `None`, so `get_bulk_compliance_frameworks_universal()` simply skips the broken file and keeps loading the rest.
## Configuration Guardrails for Requirements
<VersionBadge version="5.32.0" />
Some requirements are only truly satisfied when the configurable checks behind them ran with a configuration strict enough to meet the control. A [configurable check](/developer-guide/configurable-checks) reads thresholds from the scan's `audit_config`, so loosening a value can make the check PASS while the requirement it backs is, in fact, not satisfied.
A worked example: CIS AWS 6.0 requirement 2.11 ("credentials unused for 45 days or more are disabled") maps to `iam_user_accesskey_unused`, which is driven by the `max_unused_access_keys_days` config key. If a user raises that value to `120`, the check passes for a key unused for 90 days — yet the requirement explicitly demands a 45-day threshold, so the PASS is misleading.
Configuration guardrails close that gap. A requirement declares the configuration it expects, and when the scan ran with a configuration too loose to honor it, the requirement is forced to **FAIL** in every compliance output, with the reason surfaced in the finding's extended status.
<Note>
Guardrails are an **optional** safety net for configurable checks. A requirement that maps only to non-configurable checks does not need them. When the field is absent, behavior is unchanged.
</Note>
### Where guardrails are declared
The field is attached to each requirement and exists in both schemas:
- **Legacy** (`prowler/compliance/<provider>/...`): `ConfigRequirements`, a list of objects, validated against the `Compliance_Requirement_ConfigConstraint` Pydantic model (`prowler/lib/check/compliance_models.py`).
- **Universal** (`prowler/compliance/...`): `config_requirements`, the same list of objects as plain dicts on `UniversalComplianceRequirement`.
When a legacy file is adapted to the universal model, `adapt_legacy_to_universal()` copies `ConfigRequirements` into `config_requirements` (`compliance_models.py`), so downstream code only ever reads one shape.
### Constraint schema
Each entry in the list is a single constraint with the following fields:
| Field | Type | Required | Description |
|---|---|---|---|
| `Check` | string | Yes | The configurable check this constraint guards. Should be one of the requirement's `Checks`. Used only to build a human-readable reason. |
| `ConfigKey` | string | Yes | The `audit_config` key the check reads (for example `max_unused_access_keys_days`). |
| `Operator` | enum | Yes | How to compare the applied value against `Value`. One of `lte`, `gte`, `eq`, `in`, `subset`, `superset`. |
| `Value` | bool, int, float, string, or list | Yes | The strictest configuration the requirement tolerates. The accepted Python type depends on the operator (see below). |
| `Provider` | string | No | The provider this constraint applies to (e.g. `aws`). **Required for universal (multi-provider) frameworks**, where the same requirement maps checks across providers — the constraint is only evaluated when the scanned provider matches. Single-provider (legacy) frameworks omit it. |
### Operators
| Operator | Applied value satisfies the guardrail when… | Typical use |
|---|---|---|
| `lte` | `applied <= Value` | Maximum-age / maximum-count thresholds (e.g. `max_unused_access_keys_days <= 45`). |
| `gte` | `applied >= Value` | Minimum-retention / minimum-count thresholds. |
| `eq` | `applied == Value` | Boolean toggles or an exact required value (e.g. `mute_non_default_regions == false`). |
| `in` | `applied` is one of `Value` (a list) | The applied scalar must belong to an allowed set. |
| `subset` | `set(applied) <= set(Value)` | **Allowlist** configs — every applied value must already be permitted. Widening the allowlist with a weaker value (e.g. adding TLS `1.0` to `recommended_minimal_tls_versions`) breaks the guardrail. |
| `superset` | `set(applied) >= set(Value)` | **Denylist** configs — every forbidden value must remain forbidden. Removing an entry from a denylist (e.g. dropping a weak algorithm from `insecure_key_algorithms`) breaks the guardrail. |
<Note>
`subset` / `superset` require both the applied value and `Value` to be lists; any other type is treated as not satisfied. For `eq` against a boolean, declare `Value` as a JSON boolean (`false`, not `0`) — the model keeps booleans distinct from integers.
</Note>
### How guardrails are evaluated
All evaluation lives in one shared module, `prowler/lib/check/compliance_config_eval.py`, consumed by every compliance output (CSV, OCSF, and the CLI tables) and reused by the Prowler App backend so the rule is defined exactly once.
1. The applied configuration is the scan-global `audit_config` (the same mapping for every resource and region), resolved via `get_scan_audit_config()`.
2. For each requirement that declares constraints, `evaluate_config_constraints()` walks the list and returns `(is_compliant, reason)`. The requirement is compliant when **every** explicitly-set key satisfies its constraint.
3. A constraint tagged with a `Provider` that does **not** match the provider being scanned (resolved via `get_scan_provider_type()`) is **skipped**. This scopes a universal framework's constraints to the right provider, so a guardrail authored for an AWS check never affects a GCP or Azure scan of the same requirement. Untagged constraints (legacy single-provider frameworks) always apply.
4. A constraint whose `ConfigKey` is **not present** in `audit_config` is **skipped** — the check's built-in default is assumed to already match what the requirement expects. This is why nothing changes for the default configuration.
5. When a constraint is violated, the finding's status is overridden to `FAIL` and a plain-language explanation is prepended to `status_extended` (via `apply_config_status()`). The message opens with `Configuration not valid for this requirement.` and names the check, the value the scan applied, what the requirement needs and how to fix it. For the table generators, `get_effective_status()` applies the same FAIL roll-up so per-section counts stay consistent.
<Warning>
Guardrails only ever make a result **stricter** (they can turn PASS into FAIL); they never relax a real FAIL into PASS. A requirement with no constraints, or whose keys all use defaults, is reported exactly as before.
</Warning>
### Example: legacy framework
From `prowler/compliance/aws/cis_6.0_aws.json`, requirement 2.11 declares two guardrails — one per configurable check it maps to:
```json title="prowler/compliance/aws/cis_6.0_aws.json"
{
"Id": "2.11",
"Description": "Ensure credentials unused for 45 days or more are disabled.",
"Checks": [
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 45
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 45
}
],
"Attributes": [ /* ... */ ]
}
```
A boolean guardrail from the same file: requirement 2.5 (IAM Access Analyzer) only holds when regions are not muted, so a scan with `mute_non_default_regions: true` cannot be trusted for it:
```json
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
```
### Example: universal framework
The universal schema uses the lowercase `config_requirements` key with the identical object shape:
```json
{
"id": "MF-2.1",
"name": "Restrict TLS to modern versions",
"description": "Endpoints must negotiate only TLS 1.2 or higher.",
"checks": {
"aws": ["elbv2_listener_ssl_listeners"]
},
"config_requirements": [
{
"Check": "elbv2_listener_ssl_listeners",
"Provider": "aws",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": ["TLS 1.2", "TLS 1.3"]
}
]
}
```
Each constraint declares the `Provider` it targets so the guardrail is only evaluated on scans of that provider — essential for universal frameworks like CSA CCM and DORA, where one requirement maps checks across `aws`, `azure`, `gcp` and more. Because the operator is `subset`, adding `"TLS 1.0"` to `recommended_minimal_tls_versions` widens the allowlist beyond `["TLS 1.2", "TLS 1.3"]` and the requirement is forced to FAIL.
### What the user sees
With a loosened config, the affected requirement's findings report:
```text
Status: FAIL
StatusExtended: Configuration not valid for this requirement. The check
iam_user_accesskey_unused has max_unused_access_keys_days set
to 120, but the requirement needs a value of 45 or lower.
Update it to 45 or lower. <original status_extended>
```
The same `Configuration not valid for this requirement.` message appears identically across the CSV, OCSF, and console-table outputs.
### Authoring guidelines
- Declare a guardrail only for keys whose value actually changes whether the requirement is met. Most configurable checks do not need one.
- Set `Value` to the **strictest** configuration the control tolerates — the same number the control text cites (CIS 45 days, NIST ≤90, and so on).
- Keep `ConfigKey` spelled exactly as the check reads it from `audit_config`; an unknown key is never present in the config and the constraint is silently skipped.
- In a **universal (multi-provider) framework**, always set `Provider` to the provider that owns `Check` — otherwise the guardrail would leak onto scans of the other providers the requirement maps. Legacy single-provider files omit it.
- Pick the operator from the value's role: a max threshold is `lte`, a min threshold is `gte`, a toggle is `eq`, an allowlist is `subset`, a denylist is `superset`.
- An unrecognized operator does **not** block the requirement — a malformed constraint is treated as satisfied rather than failing the whole framework. Validate your JSON with the tests below.
### Testing guardrails
The shared evaluator and the per-output integration are covered by:
- `tests/lib/check/compliance_config_eval_test.py` — operator semantics, skipped-key behavior, and the FAIL override.
- `tests/lib/check/compliance_config_constraint_model_test.py` — model validation (types, operator enum, bool-vs-int).
- `tests/lib/check/compliance_config_requirements_data_test.py` — sanity-checks the guardrails shipped in the JSON catalog.
- Per-output tests under `tests/lib/outputs/compliance/` (CIS AWS/Azure, ENS AWS, OCSF, universal table) confirm the override reaches each format.
Run them with:
```bash
uv run pytest -n auto \
tests/lib/check/compliance_config_eval_test.py \
tests/lib/check/compliance_config_constraint_model_test.py \
tests/lib/check/compliance_config_requirements_data_test.py \
tests/lib/outputs/compliance/
```
## Version handling
Prowler matches frameworks by concatenating `Framework` and `Version`. A missing or empty `Version` collapses several frameworks to the same key and breaks CLI filtering with `--compliance`.
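Review bot: the authoring guideline "An unrecognized operator does **not** block the requirement — a malformed constraint is treated as satisfied" describes a fail-open default that silently turns a mistyped guardrail into a no-op, and a misspelled `ConfigKey` is likewise "silently skipped". For legacy files the `Compliance_Requirement_ConfigConstraint` model rejects a bad operator at load time, but "Where guardrails are declared" says universal `config_requirements` are kept as plain dicts on `UniversalComplianceRequirement`, so a universal framework gets no such validation. Suggest validating universal entries against the same model in the loader (or at least logging a warning from `evaluate_config_constraints()` when it meets an unknown operator) and making the guideline say which schema the lenient behaviour applies to; as written it also contradicts the note under Operators, where a wrongly typed `subset` / `superset` value is treated as not satisfied rather than satisfied.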
@@ -609,7 +788,7 @@ The following issues are the most common when contributing a compliance framewor
- **`ValidationError: field required` during scan (legacy).** The JSON is missing a required attribute field. Re-check the matching Pydantic model in `prowler/lib/check/compliance_models.py`.
- **All attributes collapse to `Generic_Compliance_Requirement_Attribute` values (legacy).** The Pydantic `Union` is ordered incorrectly, or the JSON matches only the generic shape. Keep the generic model in the last Union position and ensure every required field is present in the JSON.
- **`attributes_metadata validation failed` (universal).** The root validator in `compliance_models.py:669` rejected the file. The error message lists each offending requirement; common causes are unknown attribute keys (typo or missing entry in `attributes_metadata`), enum violations, or missing required keys.
- **`attributes_metadata validation failed` (universal).** The root validator in `compliance_models.py` rejected the file. The error message lists each offending requirement; common causes are unknown attribute keys (typo or missing entry in `attributes_metadata`), enum violations, or missing required keys.
- **`--compliance` filter does not find the framework.** For legacy: the filename does not match `<framework>_<version>_<provider>.json`, the version is empty, or the file lives outside `prowler/compliance/<provider>/`. For universal: the file is not at the top level of `prowler/compliance/` or it loaded as `None` (check logs for the validation error).
- **CLI summary table is empty but the CSV is populated (legacy).** The dispatcher branch in `prowler/lib/outputs/compliance/compliance.py` is missing or its substring match does not catch the framework key.
- **CSV file is missing after the scan (legacy).** The transformer class is not registered in `prowler/lib/outputs/compliance/compliance_output.py`, or `transform()` raises silently. Run the scan with `--log-level DEBUG`.
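Review bot: the troubleshooting list gains no entry for the new guardrails, although the guardrail section documents two quiet failure modes (a `ConfigKey` absent from `audit_config` is skipped, an unrecognized operator counts as satisfied) and one loud one (`Status: FAIL` prefixed with `Configuration not valid for this requirement.`). Suggest adding a bullet such as "**Requirement reports FAIL with `Configuration not valid for this requirement.`** The scan's `audit_config` loosened a key that a `ConfigRequirements` / `config_requirements` entry guards; restore the value named in the message or accept the FAIL", and a second one for a guardrail that never fires because `ConfigKey` or `Operator` is misspelled.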
@@ -6,6 +6,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
### 🚀 Added
- Per-requirement configuration validation for compliance frameworks via `ConfigRequirements`, so a requirement is reported as FAIL when its configurable checks ran with a configuration too loose to satisfy it (applied across all compliance outputs: CSV, OCSF, and console tables) [(#11669)](https://github.com/prowler-cloud/prowler/pull/11669)
- `entra_conditional_access_policy_explicitly_targets_azure_devops` check for M365 provider, verifying at least one enabled Conditional Access policy explicitly includes the Azure DevOps cloud application instead of relying on a broad "All cloud apps" policy [(#11182)](https://github.com/prowler-cloud/prowler/pull/11182)
- `entra_conditional_access_policy_no_exclusion_gaps` check for M365 provider, verifying every user, group, role, or application excluded from an enabled Conditional Access policy stays in scope of another enabled policy [(#11577)](https://github.com/prowler-cloud/prowler/pull/11577)
- `stepfunctions_statemachine_encrypted_with_cmk` check for AWS provider, verifying that each Step Functions state machine uses a customer-managed KMS key for encryption at rest rather than the default AWS-owned key [(#11538)](https://github.com/prowler-cloud/prowler/pull/11538)
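Review bot: the changelog entry names only the legacy key `ConfigRequirements`; universal frameworks declare the same guardrails as `config_requirements`, and the entry should mention both so maintainers of top-level `prowler/compliance/*.json` files find it. It would also help to name the user-visible marker (`Configuration not valid for this requirement.` prepended to `status_extended`), since that is the string users will search for when a previously passing requirement starts failing.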
@@ -109,6 +109,14 @@
],
"Checks": [
"ram_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "ram_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 90
}
]
},
{
@@ -841,6 +849,14 @@
],
"Checks": [
"sls_logstore_retention_period"
],
"ConfigRequirements": [
{
"Check": "sls_logstore_retention_period",
"ConfigKey": "min_log_retention_days",
"Operator": "gte",
"Value": 365
}
]
},
{
@@ -1353,6 +1369,14 @@
],
"Checks": [
"rds_instance_sql_audit_retention"
],
"ConfigRequirements": [
{
"Check": "rds_instance_sql_audit_retention",
"ConfigKey": "min_rds_audit_retention_days",
"Operator": "gte",
"Value": 180
}
]
},
{
@@ -1551,6 +1575,14 @@
],
"Checks": [
"cs_kubernetes_cluster_check_recent"
],
"ConfigRequirements": [
{
"Check": "cs_kubernetes_cluster_check_recent",
"ConfigKey": "max_cluster_check_days",
"Operator": "lte",
"Value": 7
}
]
},
{
@@ -47,6 +47,14 @@
"Checks": [
"ram_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "ram_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 90
}
],
"Attributes": [
{
"Title": "Inactive users disabled for console access",
@@ -399,6 +407,14 @@
"LevelOfRisk": 3,
"Weight": 10
}
],
"ConfigRequirements": [
{
"Check": "cs_kubernetes_cluster_check_weekly",
"ConfigKey": "max_cluster_check_days",
"Operator": "lte",
"Value": 7
}
]
},
{
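Review bot: the new constraint names `cs_kubernetes_cluster_check_weekly`, whereas the earlier hunk in this commit guards `max_cluster_check_days` through `cs_kubernetes_cluster_check_recent`; this requirement's `Checks` list lies outside the hunk's context, so please confirm the named check is in it and actually reads `max_cluster_check_days`. Because `Check` is only used to build the reason text and nothing validates it against `Checks`, a mismatch here would not be caught by the loader.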
@@ -695,6 +711,14 @@
"Checks": [
"rds_instance_sql_audit_retention"
],
"ConfigRequirements": [
{
"Check": "rds_instance_sql_audit_retention",
"ConfigKey": "min_rds_audit_retention_days",
"Operator": "gte",
"Value": 180
}
],
"Attributes": [
{
"Title": "RDS SQL audit retention configured",
@@ -13,6 +13,14 @@
"config_recorder_all_regions_enabled",
"inspector2_is_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "1 Patch applications",
@@ -260,6 +268,14 @@
"config_recorder_all_regions_enabled",
"inspector2_is_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "2 Patch operating systems",
@@ -742,6 +758,14 @@
"accessanalyzer_enabled",
"accessanalyzer_enabled_without_findings"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "4 Restrict administrative privileges",
@@ -37,6 +37,26 @@
"guardduty_is_enabled",
"accessanalyzer_enabled",
"macie_is_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
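Review bot: the three constraints guard the same key, operator and value (`mute_non_default_regions` / `eq` / `false`), one per check; since `evaluate_config_constraints()` returns a single `(is_compliant, reason)` per requirement, the second and third entries cannot change the verdict and only one reason reaches `status_extended`. Either keep one entry per `ConfigKey` or document that reasons for several violated constraints are concatenated, so framework authors know what the extra entries buy.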
@@ -259,6 +279,20 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
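Review bot: the added `ConfigRequirements` contains the same constraint twice (both entries are `guardduty_is_enabled` / `mute_non_default_regions` / `eq` / `false`), mirroring the pre-existing duplicate `guardduty_is_enabled` entry in this requirement's `Checks`. Drop one of each, and consider having `tests/lib/check/compliance_config_requirements_data_test.py` assert that (`Check`, `ConfigKey`) pairs are unique within a requirement so this is caught mechanically.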
@@ -514,6 +548,14 @@
"Checks": [
"accessanalyzer_enabled",
"accessanalyzer_enabled_without_findings"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -530,6 +572,20 @@
"securityhub_enabled",
"accessanalyzer_enabled",
"accessanalyzer_enabled_without_findings"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -666,6 +722,14 @@
],
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -680,6 +744,14 @@
],
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -694,6 +766,14 @@
],
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -708,6 +788,14 @@
],
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -722,6 +810,14 @@
],
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -736,6 +832,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -762,6 +866,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -777,6 +889,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_centrally_managed"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -792,6 +912,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -807,6 +935,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -822,6 +958,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -837,6 +981,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -852,6 +1004,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -867,6 +1027,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -882,6 +1050,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -897,6 +1073,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -912,6 +1096,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -404,6 +404,14 @@
"Checks": [
"accessanalyzer_enabled",
"accessanalyzer_enabled_without_findings"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -860,6 +868,20 @@
"guardduty_lambda_protection_enabled",
"guardduty_rds_protection_enabled",
"guardduty_ec2_malware_protection_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_delegated_admin_enabled_all_regions",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
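Review bot: neither guardrail check here, `guardduty_is_enabled` nor `guardduty_delegated_admin_enabled_all_regions`, appears among the three visible `Checks` entries (`guardduty_lambda_protection_enabled`, `guardduty_rds_protection_enabled`, `guardduty_ec2_malware_protection_enabled`); confirm both are listed earlier in this requirement's `Checks` array, because a `ConfigRequirements` entry on a check the requirement never evaluates has no finding to force to FAIL. Also confirm that `guardduty_delegated_admin_enabled_all_regions` actually reads `mute_non_default_regions` from `audit_config`; a guardrail on a key the check ignores would still fail the requirement without changing what the check reports.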
@@ -894,6 +916,14 @@
],
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -964,6 +994,14 @@
"Checks": [
"config_recorder_all_regions_enabled",
"config_recorder_using_aws_service_role"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -20,6 +20,14 @@
"SectionDescription": "This section contains recommendations for configuring ACM resources.",
"Service": "ACM"
}
],
"ConfigRequirements": [
{
"Check": "acm_certificates_expiration_check",
"ConfigKey": "days_to_expire_threshold",
"Operator": "gte",
"Value": 30
}
]
},
{
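Review bot: placement of `ConfigRequirements` is inconsistent across this file: here it is appended after `Attributes` (following the `SectionDescription`/`Service` context), while the ACM.2 hunk that follows inserts it between `Checks` and `Attributes`. Both parse as valid JSON, but pick one position for every framework so that future guardrail diffs stay readable and a reviewer can spot a missing block at a glance. The `days_to_expire_threshold` guardrail itself reads correctly: `gte 30` rejects any scan run with a shorter warning window than the control requires.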
@@ -29,6 +37,17 @@
"Checks": [
"acm_certificates_with_secure_key_algorithms"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
],
"Attributes": [
{
"ItemId": "ACM.2",
@@ -777,6 +796,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "Config.1",
@@ -892,6 +919,14 @@
"Checks": [
"documentdb_cluster_backup_enabled"
],
"ConfigRequirements": [
{
"Check": "documentdb_cluster_backup_enabled",
"ConfigKey": "minimum_backup_retention_period",
"Operator": "gte",
"Value": 7
}
],
"Attributes": [
{
"ItemId": "DocumentDB.2",
@@ -1959,6 +1994,14 @@
"SectionDescription": "This section contains recommendations for configuring ELB resources.",
"Service": "ELB"
}
],
"ConfigRequirements": [
{
"Check": "elb_is_in_multiple_az",
"ConfigKey": "elb_min_azs",
"Operator": "gte",
"Value": 2
}
]
},
{
@@ -1993,6 +2036,14 @@
"SectionDescription": "This section contains recommendations for configuring ELB resources.",
"Service": "ELB"
}
],
"ConfigRequirements": [
{
"Check": "elbv2_is_in_multiple_az",
"ConfigKey": "elbv2_min_azs",
"Operator": "gte",
"Value": 2
}
]
},
{
@@ -2370,6 +2421,14 @@
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "GuardDuty.1",
@@ -2547,6 +2606,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 90
}
],
"Attributes": [
{
"ItemId": "IAM.8",
@@ -2635,6 +2708,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 45
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 45
}
],
"Attributes": [
{
"ItemId": "IAM.22",
@@ -2791,6 +2878,40 @@
"SectionDescription": "This section contains recommendations for configuring Lambda resources.",
"Service": "Lambda"
}
],
"ConfigRequirements": [
{
"Check": "awslambda_function_using_supported_runtimes",
"ConfigKey": "obsolete_lambda_runtimes",
"Operator": "superset",
"Value": [
"java8",
"go1.x",
"provided",
"python3.6",
"python2.7",
"python3.7",
"python3.8",
"nodejs4.3",
"nodejs4.3-edge",
"nodejs6.10",
"nodejs",
"nodejs8.10",
"nodejs10.x",
"nodejs12.x",
"nodejs14.x",
"nodejs16.x",
"dotnet5.0",
"dotnet6",
"dotnet7",
"dotnetcore1.0",
"dotnetcore2.0",
"dotnetcore2.1",
"dotnetcore3.1",
"ruby2.5",
"ruby2.7"
]
}
]
},
{
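Review bot: the `obsolete_lambda_runtimes` guardrail pins a 25-entry snapshot of deprecated runtimes inline, so every future AWS runtime deprecation requires editing this framework file (and any other framework carrying the same `superset` guardrail) in lockstep with the check's default in the config file. Document the sync rule next to this requirement, or derive the list from a single source that both the check default and the guardrail consume; otherwise the two will drift and a scan with the updated default could be forced to FAIL by a stale guardrail.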
@@ -2951,6 +3072,14 @@
"Checks": [
"neptune_cluster_backup_enabled"
],
"ConfigRequirements": [
{
"Check": "neptune_cluster_backup_enabled",
"ConfigKey": "minimum_backup_retention_period",
"Operator": "gte",
"Value": 7
}
],
"Attributes": [
{
"ItemId": "Neptune.5",
@@ -176,6 +176,14 @@
"iam_user_with_temporary_credentials",
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -585,6 +585,14 @@
"cloudtrail_multi_region_enabled",
"vpc_flow_logs_enabled",
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -646,6 +654,20 @@
"guardduty_no_high_severity_findings",
"macie_is_enabled",
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -778,6 +800,14 @@
"guardduty_is_enabled",
"vpc_flow_logs_enabled",
"apigateway_restapi_authorizers_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
+238
View File
@@ -382,6 +382,14 @@
"cloudtrail_multi_region_enabled",
"config_recorder_all_regions_enabled",
"s3_multi_region_access_point_public_access_block"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2234,6 +2242,14 @@
"vpc_different_regions",
"autoscaling_group_multiple_az",
"storagegateway_gateway_fault_tolerant"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
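Review bot: the guardrail names `config_recorder_all_regions_enabled`, but the visible `Checks` context for this requirement consists of resilience checks (`vpc_different_regions`, `autoscaling_group_multiple_az`, `storagegateway_gateway_fault_tolerant`); confirm the Config recorder check is present earlier in the array. The same confirmation applies to the two hunks that follow (context `organizations_scp_check_deny_regions` / `s3_multi_region_access_point_public_access_block` / `vpc_different_regions`), which carry the identical `ConfigRequirements` entry.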
@@ -2261,6 +2277,14 @@
"organizations_scp_check_deny_regions",
"s3_multi_region_access_point_public_access_block",
"vpc_different_regions"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2308,6 +2332,14 @@
"organizations_scp_check_deny_regions",
"s3_multi_region_access_point_public_access_block",
"vpc_different_regions"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2978,6 +3010,14 @@
"guardduty_is_enabled",
"athena_workgroup_enforce_configuration",
"shield_advanced_protection_in_global_accelerators"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -3481,6 +3521,14 @@
"cloudtrail_cloudwatch_logging_enabled",
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4299,6 +4347,14 @@
"guardduty_no_high_severity_findings",
"guardduty_rds_protection_enabled",
"guardduty_s3_protection_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4920,6 +4976,17 @@
"elbv2_nlb_tls_termination_enabled",
"transfer_server_in_transit_encryption_enabled",
"kafka_cluster_mutual_tls_authentication_enabled"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -4946,6 +5013,17 @@
"elbv2_nlb_tls_termination_enabled",
"transfer_server_in_transit_encryption_enabled",
"kafka_cluster_mutual_tls_authentication_enabled"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -5220,6 +5298,14 @@
"rds_instance_default_admin",
"accessanalyzer_enabled",
"efs_access_point_enforce_user_identity"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -5737,6 +5823,14 @@
"Checks": [
"accessanalyzer_enabled",
"accessanalyzer_enabled_without_findings"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6100,6 +6194,17 @@
"cloudfront_distributions_origin_traffic_encrypted",
"glue_development_endpoints_job_bookmark_encryption_enabled",
"cloudtrail_kms_encryption_enabled"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -6196,6 +6301,17 @@
"elb_ssl_listeners_use_acm_certificate",
"iam_no_expired_server_certificates_stored",
"rds_instance_certificate_expiration"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -6307,6 +6423,17 @@
"elb_ssl_listeners_use_acm_certificate",
"iam_no_expired_server_certificates_stored",
"rds_instance_certificate_expiration"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -6393,6 +6520,14 @@
"sns_topics_not_publicly_accessible",
"sqs_queues_not_publicly_accessible",
"vpc_peering_routing_tables_with_least_privilege"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6412,6 +6547,14 @@
"ec2_instance_profile_attached",
"accessanalyzer_enabled",
"accessanalyzer_enabled_without_findings"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6587,6 +6730,17 @@
"kms_cmk_not_multi_region",
"kms_key_not_publicly_accessible",
"ec2_ebs_volume_encryption"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
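Review bot: an `acm_certificates_with_secure_key_algorithms` guardrail is attached to a requirement whose visible `Checks` are `kms_cmk_not_multi_region`, `kms_key_not_publicly_accessible` and `ec2_ebs_volume_encryption`; confirm the ACM check is in this requirement's list, and likewise for the Secrets Manager requirement in the next hunk (`secretsmanager_not_publicly_accessible`, `secretsmanager_secret_rotated_periodically`, `secretsmanager_secret_unused`). If the check is not mapped, the guardrail should be dropped rather than left as a FAIL trigger with no corresponding finding.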
@@ -6809,6 +6963,17 @@
"secretsmanager_not_publicly_accessible",
"secretsmanager_secret_rotated_periodically",
"secretsmanager_secret_unused"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -6842,6 +7007,17 @@
],
"Checks": [
"acm_certificates_with_secure_key_algorithms"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -6915,6 +7091,17 @@
"secretsmanager_secret_rotated_periodically",
"secretsmanager_secret_unused",
"acm_certificates_with_secure_key_algorithms"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -6937,6 +7124,17 @@
"secretsmanager_secret_rotated_periodically",
"secretsmanager_secret_unused",
"acm_certificates_with_secure_key_algorithms"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -8042,6 +8240,14 @@
"cloudtrail_multi_region_enabled",
"cloudtrail_multi_region_enabled_logging_management_events",
"cloudtrail_log_file_validation_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -8810,6 +9016,14 @@
"guardduty_is_enabled",
"cloudtrail_log_file_validation_enabled",
"ssmincidents_enabled_with_plans"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -9732,6 +9946,14 @@
"accessanalyzer_enabled_without_findings",
"cloudfront_distributions_s3_origin_access_control",
"cloudtrail_logs_s3_bucket_access_logging_enabled"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -10367,6 +10589,14 @@
"Checks": [
"accessanalyzer_enabled",
"accessanalyzer_enabled_without_findings"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -10457,6 +10687,14 @@
"ec2_instance_profile_attached",
"iam_role_cross_account_readonlyaccess_policy",
"iam_securityaudit_role_created"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
+84
View File
@@ -275,6 +275,17 @@
"acm_certificates_expiration_check",
"acm_certificates_with_secure_key_algorithms",
"acm_certificates_transparency_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -794,6 +805,17 @@
],
"Checks": [
"acm_certificates_with_secure_key_algorithms"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -1504,6 +1526,14 @@
"iam_policy_no_full_access_to_kms",
"iam_policy_no_full_access_to_cloudtrail",
"iam_policy_attached_only_to_group_or_roles"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1666,6 +1696,14 @@
"cloudwatch_changes_to_network_route_tables_alarm_configured",
"cloudwatch_changes_to_vpcs_alarm_configured",
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1791,6 +1829,14 @@
"cloudtrail_threat_detection_enumeration",
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4311,6 +4357,14 @@
],
"Checks": [
"acm_certificates_expiration_check"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_expiration_check",
"ConfigKey": "days_to_expire_threshold",
"Operator": "gte",
"Value": 30
}
]
},
{
@@ -6176,6 +6230,20 @@
"Checks": [
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 90
}
]
},
{
@@ -6272,6 +6340,14 @@
"cloudwatch_log_metric_filter_root_usage",
"cloudwatch_log_metric_filter_sign_in_without_mfa",
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6374,6 +6450,14 @@
"Checks": [
"accessanalyzer_enabled",
"accessanalyzer_enabled_without_findings"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
+30
View File
@@ -75,6 +75,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 45
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 45
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -265,6 +279,14 @@
"Checks": [
"accessanalyzer_enabled"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -736,6 +758,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "3 Logging",
+38
View File
@@ -75,6 +75,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 45
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 45
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -265,6 +279,14 @@
"Checks": [
"accessanalyzer_enabled"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -802,6 +824,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "3 Logging",
@@ -1054,6 +1084,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "4 Monitoring",
+38
View File
@@ -75,6 +75,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 45
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 45
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -265,6 +279,14 @@
"Checks": [
"accessanalyzer_enabled"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -802,6 +824,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "3 Logging",
@@ -1054,6 +1084,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "4 Monitoring",
+38
View File
@@ -75,6 +75,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 45
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 45
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -265,6 +279,14 @@
"Checks": [
"accessanalyzer_enabled"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -756,6 +778,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "3 Logging",
@@ -1008,6 +1038,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "4 Monitoring",
+38
View File
@@ -254,6 +254,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 45
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 45
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -431,6 +445,14 @@
"Checks": [
"accessanalyzer_enabled"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -750,6 +772,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "3 Logging",
@@ -1234,6 +1264,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "4 Monitoring",
+38
View File
@@ -232,6 +232,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 45
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 45
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -409,6 +423,14 @@
"Checks": [
"accessanalyzer_enabled"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "1 Identity and Access Management",
@@ -728,6 +750,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "3 Logging",
@@ -1212,6 +1242,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "4 Monitoring",
+38
View File
@@ -232,6 +232,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 45
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 45
}
],
"Attributes": [
{
"Section": "2 Identity and Access Management",
@@ -409,6 +423,14 @@
"Checks": [
"accessanalyzer_enabled"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "2 Identity and Access Management",
@@ -728,6 +750,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "4 Logging",
@@ -1212,6 +1242,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "5 Monitoring",
+28
View File
@@ -136,6 +136,20 @@
"ec2_securitygroup_default_restrict_traffic",
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
"ec2_securitygroup_allow_ingress_from_internet_to_all_ports"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -367,6 +381,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
+136
View File
@@ -598,6 +598,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -624,6 +632,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -755,6 +771,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -781,6 +805,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -913,6 +945,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -940,6 +980,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -966,6 +1014,14 @@
],
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1743,6 +1799,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1821,6 +1885,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1873,6 +1945,14 @@
],
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1925,6 +2005,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1951,6 +2039,14 @@
],
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1977,6 +2073,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2003,6 +2107,14 @@
],
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2056,6 +2168,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2082,6 +2202,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4310,6 +4438,14 @@
],
"Checks": [
"drs_job_exist"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
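Review bot: `drs_job_exist` is the only non-GuardDuty/SecurityHub/Config/Access Analyzer check given a `mute_non_default_regions` guardrail in this patch; confirm the check reads that `audit_config` key and that a scan with it set to `true` actually changes the DRS verdict. If it does not, the requirement would be forced to FAIL for a setting that has no effect on the check it maps.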
@@ -37,6 +37,14 @@
"ssm_managed_compliant_patching",
"ssm_managed_instance_compliance_association_compliant",
"ssm_managed_instance_compliance_patch_compliant"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -146,6 +154,20 @@
"inspector2_active_findings_exist",
"securityhub_enabled",
"sns_topics_kms_encryption_at_rest_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -205,6 +227,14 @@
"resourceexplorer_indexes_found",
"ssm_managed_instance_compliance_association_compliant",
"trustedadvisor_premium_support_plan_subscribed"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -349,6 +379,14 @@
"config_recorder_all_regions_enabled",
"inspector2_is_enabled",
"resourceexplorer_indexes_found"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
}
]
@@ -46,6 +46,20 @@
"redshift_cluster_audit_logging",
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -115,6 +129,20 @@
"ec2_networkacl_allow_ingress_any_port",
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
"ec2_networkacl_allow_ingress_any_port"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
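Review bot: the unchanged context of this hunk lists `ec2_networkacl_allow_ingress_any_port` twice in `Checks`; since the requirement is being edited anyway, drop the duplicate so the check is not counted twice when the requirement's status is computed. Also, the two guarded checks (`guardduty_is_enabled`, `securityhub_enabled`) are not among the visible `Checks` lines, so confirm they appear above the context.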
@@ -173,6 +201,14 @@
],
"Checks": [
"cloudwatch_log_group_retention_policy_specific_days_enabled"
],
"ConfigRequirements": [
{
"Check": "cloudwatch_log_group_retention_policy_specific_days_enabled",
"ConfigKey": "log_group_retention_days",
"Operator": "gte",
"Value": 90
}
]
},
{
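Review bot: this is the only `gte` requirement in the patch while every `max_*_days` guardrail uses `lte`, so the operator direction deserves an explicit test: assuming `cloudwatch_log_group_retention_policy_specific_days_enabled` passes groups that retain at least `log_group_retention_days`, a scan run with the key set to 30 must force this requirement to FAIL and a scan run with 365 must leave it untouched. Please make sure the guardrail tests cover one `gte` and one `lte` case so a future framework cannot invert a direction unnoticed.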
@@ -198,6 +234,20 @@
"rds_instance_enhanced_monitoring_enabled",
"redshift_cluster_audit_logging",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -251,6 +301,14 @@
"guardduty_is_enabled",
"ssm_managed_compliant_patching",
"ssm_managed_compliant_patching"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
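Review bot: `ssm_managed_compliant_patching` appears twice in the `Checks` context lines of this hunk; dedupe it while the guardrail is being added, so the requirement's check count stays accurate.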
@@ -336,6 +394,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -373,6 +445,14 @@
"rds_instance_multi_az",
"redshift_cluster_automated_snapshot",
"s3_bucket_object_versioning"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -36,6 +36,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -65,6 +79,20 @@
"redshift_cluster_audit_logging",
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -82,6 +110,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -140,6 +182,20 @@
"redshift_cluster_audit_logging",
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -191,6 +247,38 @@
"iam_user_access_not_stale_to_sagemaker",
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_access_not_stale_to_bedrock",
"ConfigKey": "max_unused_bedrock_access_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_role_access_not_stale_to_bedrock",
"ConfigKey": "max_unused_bedrock_access_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_access_not_stale_to_sagemaker",
"ConfigKey": "max_unused_sagemaker_access_days",
"Operator": "lte",
"Value": 90
}
]
},
{
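Review bot: the Bedrock guardrails cover both `iam_user_access_not_stale_to_bedrock` and `iam_role_access_not_stale_to_bedrock`, while SageMaker only gets the user variant (`iam_user_access_not_stale_to_sagemaker`); if a role-scoped SageMaker check is mapped by this requirement it should get the same `max_unused_sagemaker_access_days` `lte` 90 guard, and if none exists a sentence in the PR description explaining the asymmetry would help. Also, `iam_role_access_not_stale_to_bedrock` is not among the visible `Checks` context lines, so confirm it is mapped above.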
@@ -371,6 +459,20 @@
"ec2_networkacl_allow_ingress_any_port",
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
"ec2_networkacl_allow_ingress_any_port"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
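Review bot: same duplicate as in the earlier hunk for this control: `ec2_networkacl_allow_ingress_any_port` is listed twice in the `Checks` context; worth removing the repeat in this PR since the requirement is already being touched.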
@@ -507,6 +609,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -575,6 +691,14 @@
],
"Checks": [
"cloudwatch_log_group_retention_policy_specific_days_enabled"
],
"ConfigRequirements": [
{
"Check": "cloudwatch_log_group_retention_policy_specific_days_enabled",
"ConfigKey": "log_group_retention_days",
"Operator": "gte",
"Value": 90
}
]
},
{
@@ -631,6 +755,20 @@
"rds_instance_enhanced_monitoring_enabled",
"redshift_cluster_audit_logging",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -720,6 +858,14 @@
"guardduty_is_enabled",
"ssm_managed_compliant_patching",
"ssm_managed_compliant_patching"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
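Review bot: `ssm_managed_compliant_patching` is duplicated in the `Checks` context of this hunk, the same issue as in the earlier framework; remove the second entry while adding the guardrail.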
@@ -887,6 +1033,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -909,6 +1069,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -927,6 +1101,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -945,6 +1133,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -961,6 +1163,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -995,6 +1205,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1061,6 +1285,14 @@
"guardduty_is_enabled",
"rds_instance_multi_az",
"s3_bucket_object_versioning"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1285,6 +1517,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1307,6 +1547,20 @@
"guardduty_is_enabled",
"redshift_cluster_audit_logging",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1334,6 +1588,20 @@
"guardduty_is_enabled",
"redshift_cluster_audit_logging",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1361,6 +1629,20 @@
"guardduty_is_enabled",
"redshift_cluster_audit_logging",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1388,6 +1670,20 @@
"guardduty_is_enabled",
"redshift_cluster_audit_logging",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1414,6 +1710,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -37,6 +37,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -74,6 +82,20 @@
"cloudtrail_cloudwatch_logging_enabled",
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -148,6 +170,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -166,6 +202,20 @@
"guardduty_is_enabled",
"securityhub_enabled",
"ssm_managed_compliant_patching"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -183,6 +233,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -237,6 +301,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -254,6 +332,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -367,6 +459,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -386,6 +486,20 @@
"guardduty_is_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -404,6 +518,20 @@
"guardduty_is_enabled",
"securityhub_enabled",
"ssm_managed_compliant_patching"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -826,6 +954,20 @@
"cloudwatch_changes_to_vpcs_alarm_configured",
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -871,6 +1013,20 @@
"redshift_cluster_audit_logging",
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
+16
View File
@@ -59,6 +59,14 @@
"cloudwatch_log_metric_filter_security_group_changes",
"cloudwatch_log_metric_filter_unauthorized_api_calls",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -85,6 +93,14 @@
"kms_cmk_rotation_enabled",
"redshift_cluster_audit_logging",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -350,6 +350,20 @@
"cloudtrail_cloudwatch_logging_enabled",
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
}
]
@@ -19,6 +19,14 @@
"Checks": [
"cloudtrail_multi_region_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -146,6 +154,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -238,6 +254,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -253,6 +277,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -19,6 +19,20 @@
"Checks": [
"config_recorder_all_regions_enabled",
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -102,6 +116,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -161,6 +189,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -328,6 +370,20 @@
"guardduty_is_enabled",
"cloudwatch_log_metric_filter_authentication_failures",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -373,6 +429,20 @@
"cloudwatch_log_metric_filter_authentication_failures",
"cloudwatch_log_metric_filter_root_usage",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -402,6 +472,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -514,6 +598,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -649,6 +747,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -756,6 +868,20 @@
"s3_bucket_secure_transport_policy",
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -311,6 +311,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -875,6 +883,38 @@
"iam_user_access_not_stale_to_sagemaker",
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_access_not_stale_to_bedrock",
"ConfigKey": "max_unused_bedrock_access_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_role_access_not_stale_to_bedrock",
"ConfigKey": "max_unused_bedrock_access_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_access_not_stale_to_sagemaker",
"ConfigKey": "max_unused_sagemaker_access_days",
"Operator": "lte",
"Value": 90
}
]
},
{
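Review bot: same Bedrock/SageMaker asymmetry as in the earlier framework's hunk: two Bedrock guardrails (user and role) but only the user SageMaker guardrail; confirm whether that mirrors the `Checks` list of this requirement or whether a role-scoped SageMaker guard is missing.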
@@ -1052,6 +1092,20 @@
"Checks": [
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 90
}
]
},
{
@@ -1261,6 +1315,20 @@
"Checks": [
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 90
}
]
},
{
@@ -20,6 +20,14 @@
"Checks": [
"securityhub_enabled",
"wellarchitected_workload_no_high_or_medium_risks"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -277,6 +285,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -331,6 +347,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -362,6 +386,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -378,6 +410,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -424,6 +464,14 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"guardduty_centrally_managed"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
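Review bot: `guardduty_no_high_severity_findings` and `guardduty_centrally_managed` sit in this requirement's `Checks` but only `guardduty_is_enabled` receives the `mute_non_default_regions` guard; verify whether the other two GuardDuty checks honour the same key and, if they do, guard them as well, otherwise a scan with non-default regions muted could still satisfy the requirement through the unguarded checks. The same pattern recurs in the neighbouring GuardDuty hunks of this file.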
@@ -472,6 +520,14 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"guardduty_centrally_managed"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -490,6 +546,14 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"guardduty_centrally_managed"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1004,6 +1068,14 @@
"organizations_account_part_of_organizations",
"accessanalyzer_enabled",
"accessanalyzer_enabled_without_findings"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
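Review bot: only `accessanalyzer_enabled` is guarded here although `accessanalyzer_enabled_without_findings` is in the same `Checks` list; if that check also reads `mute_non_default_regions` it needs the same `eq` `false` guard, and if it does not, a short comment in the PR description would prevent the question from coming up again.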
@@ -1080,6 +1152,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1111,6 +1191,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1749,6 +1837,14 @@
"vpc_default_security_group_closed",
"vpc_flow_logs_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1211,6 +1211,14 @@
"rds_instance_default_admin",
"redshift_cluster_non_default_database_name"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. Control Measures Requirements",
@@ -1416,6 +1424,14 @@
"iam_user_administrator_access_policy",
"organizations_delegated_administrators"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. Control Measures Requirements",
@@ -1486,6 +1502,14 @@
"ssm_documents_set_as_public",
"vpc_endpoint_services_allowed_principals_trust_boundaries"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. Control Measures Requirements",
@@ -2082,6 +2106,17 @@
"transfer_server_in_transit_encryption_enabled",
"workspaces_volume_encryption_enabled"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
],
"Attributes": [
{
"Domain": "2. Control Measures Requirements",
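Review bot: this is the first requirement in the patch whose `Value` is a list and whose operator is `superset`, so two things need verifying: that the Pydantic model for `ConfigRequirements` accepts a list-typed `Value` alongside the bool and int values used everywhere else, and that the evaluator compares `insecure_key_algorithms` as a set (order- and duplicate-insensitive). The identifiers `RSA-1024` and `P-192` must also match the spelling the check itself compares against, because a string mismatch makes the superset test fail even when the scan's config is stricter than the control demands.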
@@ -2819,6 +2854,20 @@
"wafv2_webacl_rule_logging_enabled",
"wafv2_webacl_with_rules"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. Control Measures Requirements",
@@ -3319,6 +3368,47 @@
"workspaces_volume_encryption_enabled",
"workspaces_vpc_2private_1public_subnets_nat"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
],
"Attributes": [
{
"Domain": "2. Control Measures Requirements",
@@ -3711,6 +3801,14 @@
"s3_bucket_event_notifications_enabled",
"trustedadvisor_errors_and_warnings"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. Control Measures Requirements",
@@ -3829,6 +3927,14 @@
"s3_bucket_object_lock",
"s3_bucket_object_versioning"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. Control Measures Requirements",
@@ -3866,6 +3972,14 @@
"Checks": [
"drs_job_exist"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. Control Measures Requirements",
@@ -1211,6 +1211,14 @@
"rds_instance_default_admin",
"redshift_cluster_non_default_database_name"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. 보호대책 요구사항",
@@ -1416,6 +1424,14 @@
"iam_user_administrator_access_policy",
"organizations_delegated_administrators"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. 보호대책 요구사항",
@@ -1485,6 +1501,14 @@
"ssm_documents_set_as_public",
"vpc_endpoint_services_allowed_principals_trust_boundaries"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. 보호대책 요구사항",
@@ -2084,6 +2108,17 @@
"transfer_server_in_transit_encryption_enabled",
"workspaces_volume_encryption_enabled"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
],
"Attributes": [
{
"Domain": "2. 보호대책 요구사항",
@@ -2822,6 +2857,20 @@
"wafv2_webacl_rule_logging_enabled",
"wafv2_webacl_with_rules"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. 보호대책 요구사항",
@@ -3322,6 +3371,47 @@
"workspaces_volume_encryption_enabled",
"workspaces_vpc_2private_1public_subnets_nat"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
],
"Attributes": [
{
"Domain": "2. 보호대책 요구사항",
@@ -3714,6 +3804,14 @@
"s3_bucket_event_notifications_enabled",
"trustedadvisor_errors_and_warnings"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. 보호대책 요구사항",
@@ -3832,6 +3930,14 @@
"s3_bucket_object_lock",
"s3_bucket_object_versioning"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. 보호대책 요구사항",
@@ -3869,6 +3975,14 @@
"Checks": [
"drs_job_exist"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Domain": "2. 보호대책 요구사항",
@@ -35,6 +35,32 @@
"awslambda_function_not_publicly_accessible",
"ec2_instance_public_ip"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS CloudEndure Disaster Recovery",
@@ -200,6 +226,26 @@
"organizations_scp_check_deny_regions",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "Amazon GuardDuty",
@@ -348,6 +394,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Config",
@@ -393,6 +447,26 @@
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Config",
@@ -444,6 +518,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Config",
@@ -557,6 +639,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Config",
@@ -634,6 +724,26 @@
"inspector2_is_enabled",
"inspector2_active_findings_exist"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Config",
@@ -821,6 +931,26 @@
"inspector2_is_enabled",
"inspector2_active_findings_exist"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Config",
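Review bot: the guardduty/config/securityhub trio is listed in a different order in each hunk of this file (config, securityhub, guardduty in the hunk above; guardduty, config, securityhub here; config, guardduty, securityhub earlier), which makes the blocks hard to diff against one another; pick one order, for example sorted by `Check`, and apply it to every `ConfigRequirements` array.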
@@ -984,6 +1114,14 @@
"cloudfront_distributions_https_enabled",
"s3_bucket_secure_transport_policy"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS CloudWatch",
@@ -1057,6 +1195,14 @@
"ssm_document_secrets",
"secretsmanager_automatic_rotation_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS CloudHSM",
@@ -1143,6 +1289,14 @@
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434",
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Network Firewall",
@@ -1218,6 +1372,14 @@
"s3_bucket_default_encryption",
"rds_instance_storage_encrypted"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Config",
@@ -1264,6 +1426,20 @@
"securityhub_enabled",
"macie_is_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Config",
@@ -1441,6 +1617,20 @@
"s3_bucket_object_versioning",
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS CloudEndure Disaster Recovery",
@@ -1518,6 +1708,20 @@
"efs_have_backup_enabled",
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS CloudEndure Disaster Recovery",
@@ -1566,6 +1770,20 @@
"drs_job_exist",
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS CloudEndure Disaster Recovery",
@@ -1639,6 +1857,14 @@
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434",
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Shield",
@@ -1686,6 +1912,14 @@
"drs_job_exist",
"rds_instance_backup_enabled"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS CloudEndure Disaster Recovery",
@@ -1743,6 +1977,20 @@
"cloudwatch_log_metric_filter_sign_in_without_mfa",
"cloudwatch_log_metric_filter_unauthorized_api_calls"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS CloudWatch",
@@ -1819,6 +2067,20 @@
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434",
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Config",
@@ -1910,6 +2172,20 @@
"iam_policy_no_full_access_to_cloudtrail",
"iam_policy_no_full_access_to_kms"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS Organizations",
@@ -1993,6 +2269,14 @@
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "Amazon GuardDuty",
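Review bot: nothing in this diff proves that every `Check` named under `ConfigRequirements` is also a member of the requirement's `Checks` list, since most hunks show only the tail of `Checks`; here the list is fully visible (`guardduty_is_enabled` alone) and matches, but please add a validator to the Pydantic requirement model, or a test over all frameworks, that rejects a `ConfigRequirements` entry whose `Check` is absent from `Checks` and rejects duplicate (`Check`, `ConfigKey`) pairs, so the guardrail can never gate a requirement on a check it does not run.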
@@ -2071,6 +2355,14 @@
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434",
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"AWSService": "AWS IoT Device Defender",
+54
@@ -597,6 +597,14 @@
"accessanalyzer_enabled",
"cloudwatch_log_metric_filter_root_usage"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "3 INCIDENT HANDLING (ARTICLE 21(2), POINT (B), OF DIRECTIVE (EU) 2022/2555)",
@@ -1511,6 +1519,17 @@
"Checks": [
"acm_certificates_with_secure_key_algorithms"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
],
"Attributes": [
{
"Section": "9 CRYPTOGRAPHY (ARTICLE 21(2), POINT (H), OF DIRECTIVE (EU) 2022/2555)",
@@ -1528,6 +1547,17 @@
"route53_domains_privacy_protection_enabled",
"iam_no_expired_server_certificates_stored"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
],
"Attributes": [
{
"Section": "9 CRYPTOGRAPHY (ARTICLE 21(2), POINT (H), OF DIRECTIVE (EU) 2022/2555)",
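Review bot: the `ConfigRequirements` entry here names `acm_certificates_with_secure_key_algorithms`, but the visible tail of `Checks` ends with `route53_domains_privacy_protection_enabled` and `iam_no_expired_server_certificates_stored`; please confirm the ACM check is actually in this requirement's `Checks` (the previous hunk's requirement lists it as its only check), otherwise the guardrail gates the requirement on a check it never evaluates.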
@@ -1645,6 +1675,14 @@
"efs_access_point_enforce_user_identity",
"efs_not_publicly_accessible"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "11 ACCESS CONTROL (ARTICLE 21(2), POINTS (I) AND (J), OF DIRECTIVE (EU) 2022/2555)",
@@ -1676,6 +1714,14 @@
"Checks": [
"accessanalyzer_enabled"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "11 ACCESS CONTROL (ARTICLE 21(2), POINTS (I) AND (J), OF DIRECTIVE (EU) 2022/2555)",
@@ -1726,6 +1772,14 @@
"Checks": [
"accessanalyzer_enabled"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "11 ACCESS CONTROL (ARTICLE 21(2), POINTS (I) AND (J), OF DIRECTIVE (EU) 2022/2555)",
@@ -230,6 +230,20 @@
"rds_instance_integration_cloudwatch_logs",
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -321,6 +335,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -344,6 +372,14 @@
"guardduty_is_enabled",
"rds_instance_integration_cloudwatch_logs",
"s3_bucket_server_access_logging_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -383,6 +419,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -400,6 +450,20 @@
"cloudtrail_cloudwatch_logging_enabled",
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -687,6 +751,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -715,6 +793,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -732,6 +824,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -749,6 +855,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -772,6 +892,20 @@
"guardduty_is_enabled",
"rds_instance_enhanced_monitoring_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -809,6 +943,20 @@
"ec2_networkacl_allow_ingress_any_port",
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
"ec2_networkacl_allow_ingress_any_port"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
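Review bot: the `Checks` context lines above the new block list `ec2_networkacl_allow_ingress_any_port` twice (first and last entry shown); this is pre-existing, but since the requirement is being touched, drop the duplicate so the same check ID does not appear twice in the array.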
@@ -1028,6 +1176,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1047,6 +1209,20 @@
"securityhub_enabled",
"ssm_managed_compliant_patching",
"ssm_managed_compliant_patching"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
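Review bot: `ssm_managed_compliant_patching` appears twice in the `Checks` context directly above the new `ConfigRequirements` block; please remove the repeated entry in this change rather than carrying the duplicate forward.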
@@ -1064,6 +1240,20 @@
"guardduty_is_enabled",
"securityhub_enabled",
"ssm_managed_compliant_patching"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1079,6 +1269,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1105,6 +1303,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1131,6 +1343,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
}
]
@@ -27,6 +27,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -47,6 +61,38 @@
"iam_user_access_not_stale_to_sagemaker",
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_access_not_stale_to_bedrock",
"ConfigKey": "max_unused_bedrock_access_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_role_access_not_stale_to_bedrock",
"ConfigKey": "max_unused_bedrock_access_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_user_access_not_stale_to_sagemaker",
"ConfigKey": "max_unused_sagemaker_access_days",
"Operator": "lte",
"Value": 90
}
]
},
{
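Review bot: `lte` with Value 90 is the right direction for the five `max_*_days` keys (a larger value is looser, so anything above 90 must FAIL), but the visible tail of `Checks` shows only user-level checks (`iam_user_access_not_stale_to_sagemaker`, `iam_user_accesskey_unused`, `iam_user_console_access_unused`), so please confirm `iam_role_access_not_stale_to_bedrock` is in this requirement's `Checks`. This is also the only requirement in this part of the diff that declares numeric thresholds, so it is the natural one to cover in tests with the key at 90 (PASS), at 91 (FAIL) and omitted from the config (whichever outcome the guardrail spec defines for a missing key).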
@@ -73,6 +119,20 @@
"rds_instance_integration_cloudwatch_logs",
"redshift_cluster_audit_logging",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -90,6 +150,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -125,6 +199,20 @@
"redshift_cluster_audit_logging",
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -270,6 +358,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -399,6 +501,20 @@
"cloudwatch_changes_to_vpcs_alarm_configured",
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -421,6 +537,20 @@
"cloudwatch_changes_to_vpcs_alarm_configured",
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -534,6 +664,20 @@
"guardduty_is_enabled",
"rds_instance_enhanced_monitoring_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -827,6 +971,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -860,6 +1012,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1110,6 +1276,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1133,6 +1307,20 @@
"ec2_instance_imdsv2_enabled",
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1155,6 +1343,20 @@
"cloudwatch_changes_to_vpcs_alarm_configured",
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1177,6 +1379,20 @@
"cloudwatch_changes_to_vpcs_alarm_configured",
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1194,6 +1410,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1218,6 +1448,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -220,6 +220,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -944,6 +952,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1629,6 +1645,14 @@
"Checks": [
"cloudtrail_multi_region_enabled",
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1828,6 +1852,20 @@
"cloudwatch_changes_to_vpcs_alarm_configured",
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1906,6 +1944,20 @@
"cloudwatch_changes_to_vpcs_alarm_configured",
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2290,6 +2342,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2352,6 +2418,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2387,6 +2467,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2466,6 +2560,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2487,6 +2595,20 @@
"guardduty_is_enabled",
"rds_instance_enhanced_monitoring_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2522,6 +2644,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -2904,6 +3040,14 @@
"guardduty_is_enabled",
"ssm_managed_compliant_patching",
"ssm_managed_compliant_patching"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
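Review bot: the `Checks` context above this block repeats `ssm_managed_compliant_patching` on consecutive lines; as with the earlier occurrences in this file, drop the duplicate while the requirement is being edited.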
@@ -4079,6 +4223,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4095,6 +4247,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4149,6 +4309,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4184,6 +4358,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4199,6 +4387,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4270,6 +4466,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4286,6 +4496,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4303,6 +4521,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4320,6 +4546,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4336,6 +4570,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4353,6 +4595,14 @@
"Checks": [
"guardduty_is_enabled",
"ssm_managed_compliant_patching"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4369,6 +4619,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4385,6 +4643,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4401,6 +4667,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4418,6 +4692,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4435,6 +4717,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4516,6 +4806,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4558,6 +4856,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4575,6 +4881,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4591,6 +4905,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -4607,6 +4929,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -5683,6 +6013,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -5850,6 +6188,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -5890,6 +6236,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -5907,6 +6261,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -5924,6 +6286,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -5940,6 +6310,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -5956,6 +6334,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -5988,6 +6374,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6012,6 +6406,14 @@
"rds_instance_integration_cloudwatch_logs",
"redshift_cluster_audit_logging",
"s3_bucket_server_access_logging_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
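Review bot: the three visible entries of `Checks` (`rds_instance_integration_cloudwatch_logs`, `redshift_cluster_audit_logging`, `s3_bucket_server_access_logging_enabled`) do not include `guardduty_is_enabled`, which the new `ConfigRequirements` entry references; confirm it is mapped earlier in this requirement's array, since the context is cut to three lines and this is the first hunk in the file where the pairing is not visible.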
@@ -6028,6 +6430,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6045,6 +6455,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6062,6 +6480,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6078,6 +6504,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6114,6 +6548,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6130,6 +6572,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6197,6 +6647,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6213,6 +6671,14 @@
],
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6233,6 +6699,14 @@
"cloudwatch_changes_to_network_route_tables_alarm_configured",
"cloudwatch_changes_to_vpcs_alarm_configured",
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -6253,6 +6727,14 @@
"cloudwatch_changes_to_network_route_tables_alarm_configured",
"cloudwatch_changes_to_vpcs_alarm_configured",
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -48,6 +48,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -99,6 +113,20 @@
"guardduty_no_high_severity_findings",
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -144,6 +172,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -179,6 +221,26 @@
"cloudwatch_log_metric_filter_unauthorized_api_calls",
"rds_instance_enhanced_monitoring_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -201,6 +263,20 @@
"guardduty_is_enabled",
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -218,6 +294,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -243,6 +333,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -265,6 +369,20 @@
"guardduty_is_enabled",
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -291,6 +409,20 @@
"s3_bucket_server_access_logging_enabled",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -316,6 +448,20 @@
"guardduty_is_enabled",
"guardduty_no_high_severity_findings",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -349,6 +495,14 @@
"Checks": [
"config_recorder_all_regions_enabled",
"ec2_instance_managed_by_ssm"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -454,6 +608,20 @@
"guardduty_is_enabled",
"securityhub_enabled",
"ssm_managed_compliant_patching"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -471,6 +639,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -488,6 +670,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -523,6 +719,26 @@
"cloudwatch_log_metric_filter_unauthorized_api_calls",
"rds_instance_enhanced_monitoring_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -554,6 +770,26 @@
"cloudwatch_log_metric_filter_unauthorized_api_calls",
"rds_instance_enhanced_monitoring_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -827,6 +1063,20 @@
"sagemaker_notebook_instance_without_direct_internet_access_configured",
"securityhub_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -881,6 +1131,14 @@
"Checks": [
"ec2_instance_managed_by_ssm",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1035,6 +1293,14 @@
"ec2_instance_managed_by_ssm",
"ssm_managed_compliant_patching",
"ssm_managed_compliant_patching"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
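Review bot: `ssm_managed_compliant_patching` appears twice in consecutive lines of the `Checks` context; that is pre-existing, but since this requirement is being edited anyway, drop the duplicate. The guardrail's `config_recorder_all_regions_enabled` is also not among the visible checks, so confirm it is mapped earlier in the array.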
@@ -72,6 +72,20 @@
"securityhub_enabled",
"wellarchitected_workload_no_high_or_medium_risks",
"servicecatalog_portfolio_shared_within_organization_only"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -322,6 +336,26 @@
"wellarchitected_workload_no_high_or_medium_risks",
"organizations_delegated_administrators",
"organizations_tags_policies_enabled_and_attached"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
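Review bot: the `ConfigRequirements` entries here are ordered `securityhub_enabled`, `config_recorder_all_regions_enabled`, `accessanalyzer_enabled`, while the next hunk (`@@ -352`) in the same file orders the same three as `config_recorder_all_regions_enabled`, `accessanalyzer_enabled`, `securityhub_enabled`. Neither is wrong, but keeping one fixed order (the `Checks` order, or alphabetical) for these repeated blocks makes future diffs of the framework files much easier to review.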
@@ -352,6 +386,26 @@
"vpc_flow_logs_enabled",
"iam_root_mfa_enabled",
"iam_root_credentials_management_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -408,6 +462,20 @@
"accessanalyzer_enabled",
"guardduty_no_high_severity_findings",
"trustedadvisor_errors_and_warnings"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -442,6 +510,26 @@
"organizations_scp_check_deny_regions",
"organizations_tags_policies_enabled_and_attached",
"organizations_delegated_administrators"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -574,6 +662,14 @@
"opensearch_service_domains_encryption_at_rest_enabled",
"redshift_cluster_encrypted_at_rest",
"sns_topics_kms_encryption_at_rest_enabled"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
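Review bot: the `ConfigRequirements` entry references `drs_job_exist`, but the visible tail of `Checks` is entirely encryption-at-rest checks (`opensearch_service_domains_encryption_at_rest_enabled`, `redshift_cluster_encrypted_at_rest`, `sns_topics_kms_encryption_at_rest_enabled`). Confirm `drs_job_exist` is mapped earlier in this array; if it is not, this block should be removed here, leaving the guardrail only on the `@@ -1265` requirement below, whose `Checks` visibly contains `drs_job_exist`.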
@@ -610,6 +706,17 @@
"iam_inline_policy_allows_privilege_escalation",
"ssm_documents_set_as_public",
"s3_bucket_shadow_resource_vulnerability"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
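Review bot: the `superset` guardrail on `acm_certificates_with_secure_key_algorithms` sits in a requirement whose visible `Checks` tail is `iam_inline_policy_allows_privilege_escalation`, `ssm_documents_set_as_public`, `s3_bucket_shadow_resource_vulnerability`; confirm the ACM check is mapped earlier in the array. Separately, the developer guide should state which side is the superset: as used here the intent reads as "the scan's `insecure_key_algorithms` list must still contain at least `RSA-1024` and `P-192`", so removing either from the config forces this requirement to FAIL, and a reader used to `gte`/`lte` needs that direction spelled out.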
@@ -726,6 +833,14 @@
"iam_role_administratoraccess_policy",
"iam_policy_no_full_access_to_cloudtrail",
"iam_policy_no_full_access_to_kms"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
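Review bot: `accessanalyzer_enabled` is not among the visible `Checks` (`iam_role_administratoraccess_policy`, `iam_policy_no_full_access_to_cloudtrail`, `iam_policy_no_full_access_to_kms`); confirm it is mapped earlier in this requirement, as it visibly is in the `@@ -853` hunk that follows.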
@@ -853,6 +968,14 @@
"iam_customer_unattached_policy_no_administrative_privileges",
"accessanalyzer_enabled",
"cognito_user_pool_password_policy_symbol"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1224,6 +1347,14 @@
"inspector2_active_findings_exist",
"secretsmanager_automatic_rotation_enabled",
"secretsmanager_secret_rotated_periodically"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
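Review bot: the guardrail references `guardduty_is_enabled`, but the visible `Checks` tail is `inspector2_active_findings_exist`, `secretsmanager_automatic_rotation_enabled`, `secretsmanager_secret_rotated_periodically`; confirm GuardDuty is mapped earlier in this array (the `@@ -1283` hunk below shows the pairing explicitly).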
@@ -1265,6 +1396,14 @@
"Checks": [
"ssmincidents_enabled_with_plans",
"drs_job_exist"
],
"ConfigRequirements": [
{
"Check": "drs_job_exist",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1283,6 +1422,14 @@
"inspector2_is_enabled",
"guardduty_is_enabled",
"inspector2_active_findings_exist"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1329,6 +1476,14 @@
"vpc_flow_logs_enabled",
"config_recorder_all_regions_enabled",
"config_recorder_using_aws_service_role"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1540,6 +1695,14 @@
"guardduty_is_enabled",
"inspector2_is_enabled",
"accessanalyzer_enabled_without_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1662,6 +1825,14 @@
"guardduty_rds_protection_enabled",
"guardduty_lambda_protection_enabled",
"guardduty_eks_runtime_monitoring_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
+88
@@ -628,6 +628,14 @@
"ssm_managed_compliant_patching",
"ec2_elastic_ip_unassigned"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "2.4",
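Review bot: the guardrail names `config_recorder_all_regions_enabled` while the visible `Checks` tail for ItemId 2.4 is `ssm_managed_compliant_patching` and `ec2_elastic_ip_unassigned`; confirm the AWS Config check is mapped in this requirement. The 2.4.a hunk that follows, whose `Checks` is exactly `config_recorder_all_regions_enabled`, is the unambiguous case.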
@@ -643,6 +651,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "2.4.a",
@@ -2413,6 +2429,14 @@
"cloudtrail_log_file_validation_enabled",
"s3_bucket_cross_region_replication"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "10.5",
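Review bot: the visible `Checks` for ItemId 10.5 are `cloudtrail_log_file_validation_enabled` and `s3_bucket_cross_region_replication`, neither of which is the `config_recorder_all_regions_enabled` the guardrail refers to; confirm the check is mapped above the context window here and in the 10.5.2 hunk that follows.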
@@ -2430,6 +2454,14 @@
"s3_bucket_object_versioning",
"cloudtrail_log_file_validation_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "10.5.2",
@@ -2616,6 +2648,14 @@
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "11.4",
@@ -2631,6 +2671,14 @@
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "11.4.a",
@@ -2646,6 +2694,14 @@
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "11.4.b",
@@ -2661,6 +2717,14 @@
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "11.4.c",
@@ -2676,6 +2740,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "11.5",
@@ -2691,6 +2763,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "11.5.a",
@@ -2706,6 +2786,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"ItemId": "11.5.b",
+155
@@ -4403,6 +4403,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. ",
@@ -9281,6 +9289,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "10.4.1.1: Audit logs are reviewed to identify anomalies or suspicious activity. ",
@@ -9363,6 +9379,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "10.4.1: Audit logs are reviewed to identify anomalies or suspicious activity. ",
@@ -9459,6 +9483,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "10.4.2: Audit logs are reviewed to identify anomalies or suspicious activity. ",
@@ -9551,6 +9583,14 @@
"Checks": [
"cloudwatch_log_group_retention_policy_specific_days_enabled"
],
"ConfigRequirements": [
{
"Check": "cloudwatch_log_group_retention_policy_specific_days_enabled",
"ConfigKey": "log_group_retention_days",
"Operator": "gte",
"Value": 365
}
],
"Attributes": [
{
"Section": "10.5.1: Audit log history is retained and available for analysis. ",
@@ -10179,6 +10219,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "10.6.3: Time-synchronization mechanisms support consistent time settings across all systems. ",
@@ -10343,6 +10391,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "10.7.1: Failures of critical security control systems are detected, reported, and responded to promptly. ",
@@ -10451,6 +10507,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "10.7.2: Failures of critical security control systems are detected, reported, and responded to promptly. ",
@@ -10625,6 +10689,14 @@
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "11.5.1.1: Network intrusions and unexpected file changes are detected and responded to. ",
@@ -10653,6 +10725,14 @@
"Checks": [
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "11.5.1: Network intrusions and unexpected file changes are detected and responded to. ",
@@ -11445,6 +11525,14 @@
"Checks": [
"cloudwatch_log_group_retention_policy_specific_days_enabled"
],
"ConfigRequirements": [
{
"Check": "cloudwatch_log_group_retention_policy_specific_days_enabled",
"ConfigKey": "log_group_retention_days",
"Operator": "gte",
"Value": 365
}
],
"Attributes": [
{
"Section": "3.2.1: Storage of account data is kept to a minimum. ",
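Review bot: `"Operator": "gte"` with `"Value": 365` on `log_group_retention_days` is a retention floor, which fits the 10.5.1 requirement earlier in this file (audit log history retained), but this requirement is 3.2.1, "Storage of account data is kept to a minimum". Forcing a FAIL whenever retention is configured shorter than a year is the opposite of what a data-minimisation control asks for; either drop the guardrail here or record why a one-year log-retention floor supports 3.2.1.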
@@ -11567,6 +11655,14 @@
"Checks": [
"cloudwatch_log_group_retention_policy_specific_days_enabled"
],
"ConfigRequirements": [
{
"Check": "cloudwatch_log_group_retention_policy_specific_days_enabled",
"ConfigKey": "log_group_retention_days",
"Operator": "gte",
"Value": 365
}
],
"Attributes": [
{
"Section": "3.3.1.1: Sensitive authentication data (SAD) is not stored after authorization. ",
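Review bot: same question as for 3.2.1: this requirement is 3.3.1.1, "Sensitive authentication data (SAD) is not stored after authorization", and a `gte` 365-day floor on `log_group_retention_days` does not express that control. If the retention check is mapped here because log groups may capture SAD, a minimum-retention guardrail points the wrong way; please confirm the intended direction before the same block is repeated across the other 3.3.x requirements.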
@@ -11689,6 +11785,14 @@
"Checks": [
"cloudwatch_log_group_retention_policy_specific_days_enabled"
],
"ConfigRequirements": [
{
"Check": "cloudwatch_log_group_retention_policy_specific_days_enabled",
"ConfigKey": "log_group_retention_days",
"Operator": "gte",
"Value": 365
}
],
"Attributes": [
{
"Section": "3.3.1.3: Sensitive authentication data (SAD) is not stored after authorization. ",
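Review bot: as with 3.3.1.1, the `gte` 365 retention floor under 3.3.1.3 (SAD not stored after authorization) needs a stated justification or should be dropped; the guardrail direction here reads as a 10.5.1-style audit-retention requirement rather than a SAD-storage one.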
@@ -11811,6 +11915,14 @@
"Checks": [
"cloudwatch_log_group_retention_policy_specific_days_enabled"
],
"ConfigRequirements": [
{
"Check": "cloudwatch_log_group_retention_policy_specific_days_enabled",
"ConfigKey": "log_group_retention_days",
"Operator": "gte",
"Value": 365
}
],
"Attributes": [
{
"Section": "3.3.2: Sensitive authentication data (SAD) is not stored after authorization. ",
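Review bot: 3.3.2 is another SAD-storage requirement carrying the `gte` 365 `log_group_retention_days` floor; unless the mapping rationale is that audit evidence of SAD handling must be kept for a year, a minimum retention guardrail does not follow from "SAD is not stored after authorization" and should be justified in the PR description or removed.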
@@ -11933,6 +12045,14 @@
"Checks": [
"cloudwatch_log_group_retention_policy_specific_days_enabled"
],
"ConfigRequirements": [
{
"Check": "cloudwatch_log_group_retention_policy_specific_days_enabled",
"ConfigKey": "log_group_retention_days",
"Operator": "gte",
"Value": 365
}
],
"Attributes": [
{
"Section": "3.3.3: Sensitive authentication data (SAD) is not stored after authorization. ",
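Review bot: the same `gte` 365 retention floor is attached to 3.3.3 (SAD not stored after authorization); this is the fifth 3.x requirement with it, so whatever decision is taken for 3.2.1 and 3.3.1.1 should be applied consistently here rather than hunk by hunk.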
@@ -13573,6 +13693,17 @@
"Checks": [
"acm_certificates_with_secure_key_algorithms"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
],
"Attributes": [
{
"Section": "3.7.1: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. ",
@@ -15001,6 +15132,14 @@
"Checks": [
"cloudwatch_log_group_retention_policy_specific_days_enabled"
],
"ConfigRequirements": [
{
"Check": "cloudwatch_log_group_retention_policy_specific_days_enabled",
"ConfigKey": "log_group_retention_days",
"Operator": "gte",
"Value": 365
}
],
"Attributes": [
{
"Section": "5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored. ",
@@ -22504,6 +22643,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "A3.3.1: PCI DSS is incorporated into business-as-usual (BAU) activities. ",
@@ -23000,6 +23147,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Section": "A3.5.1: Suspicious events are identified and responded to. ",
@@ -174,6 +174,20 @@
"iam_user_accesskey_unused",
"iam_user_console_access_unused"
],
"ConfigRequirements": [
{
"Check": "iam_user_accesskey_unused",
"ConfigKey": "max_unused_access_keys_days",
"Operator": "lte",
"Value": 45
},
{
"Check": "iam_user_console_access_unused",
"ConfigKey": "max_console_access_days",
"Operator": "lte",
"Value": 45
}
],
"Attributes": [
{
"Title": "IAM credentials unused disabled",
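Review bot: for `lte` the direction is that the scan passes the guardrail only when its configured window is 45 days or shorter, so a user who raises `max_unused_access_keys_days` or `max_console_access_days` to, say, 90 forces "IAM credentials unused disabled" to FAIL even if `iam_user_accesskey_unused` itself passes. That is presumably intended, but it is the first place on this page where a user-supplied config makes a PASS unreachable rather than merely stricter, so the guardrails section of the user guide should walk through a numeric example like this one.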
@@ -336,6 +350,14 @@
"Checks": [
"accessanalyzer_enabled"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Title": "Access Analyzer enabled",
@@ -1541,6 +1563,14 @@
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Title": "AWS Config is enabled",
@@ -1829,6 +1859,14 @@
"Checks": [
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
],
"Attributes": [
{
"Title": "Security Hub enabled",
@@ -185,6 +185,14 @@
"securityhub_enabled",
"vpc_flow_logs_enabled",
"opensearch_service_domains_audit_logging_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -202,6 +202,14 @@
"Checks": [
"config_recorder_all_regions_enabled",
"ec2_instance_managed_by_ssm"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -323,6 +331,14 @@
"iam_role_administratoraccess_policy",
"iam_user_administrator_access_policy",
"iam_user_two_active_access_key"
],
"ConfigRequirements": [
{
"Check": "accessanalyzer_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -563,6 +579,17 @@
"Checks": [
"acm_certificates_expiration_check",
"acm_certificates_with_secure_key_algorithms"
],
"ConfigRequirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
}
]
},
{
@@ -735,6 +762,14 @@
"config_recorder_all_regions_enabled",
"cloudtrail_multi_region_enabled",
"cloudtrail_multi_region_enabled_logging_management_events"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -774,6 +809,14 @@
"guardduty_lambda_protection_enabled",
"guardduty_eks_audit_log_enabled",
"guardduty_eks_runtime_monitoring_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -911,6 +954,20 @@
"cloudwatch_changes_to_network_gateways_alarm_configured",
"cloudwatch_changes_to_network_route_tables_alarm_configured",
"cloudwatch_changes_to_vpcs_alarm_configured"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1014,6 +1071,14 @@
"config_recorder_all_regions_enabled",
"config_recorder_using_aws_service_role",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1060,6 +1125,14 @@
"Checks": [
"guardduty_is_enabled",
"vpc_flow_logs_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1091,6 +1164,14 @@
"Checks": [
"config_recorder_all_regions_enabled",
"cloudtrail_multi_region_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1268,6 +1349,20 @@
"guardduty_is_enabled",
"securityhub_enabled",
"cloudwatch_alarm_actions_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1418,6 +1513,14 @@
"Checks": [
"backup_plans_exist",
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1481,6 +1584,20 @@
"Checks": [
"securityhub_enabled",
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -1498,6 +1615,14 @@
"Checks": [
"inspector2_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
+138
@@ -43,6 +43,14 @@
"cloudtrail_s3_dataevents_write_enabled",
"cloudtrail_multi_region_enabled",
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -61,6 +69,26 @@
"guardduty_is_enabled",
"securityhub_enabled",
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -80,6 +108,14 @@
"ssm_managed_compliant_patching",
"guardduty_no_high_severity_findings",
"guardduty_is_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -116,6 +152,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -133,6 +177,14 @@
"Checks": [
"guardduty_is_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -312,6 +364,20 @@
"Checks": [
"guardduty_is_enabled",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -331,6 +397,20 @@
"securityhub_enabled",
"ec2_instance_managed_by_ssm",
"ssm_managed_compliant_patching"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -367,6 +447,20 @@
"guardduty_is_enabled",
"apigateway_restapi_logging_enabled",
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"
],
"ConfigRequirements": [
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
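Review bot: securityhub_enabled is named in ConfigRequirements but does not appear among the three Checks lines visible here (guardduty_is_enabled, apigateway_restapi_logging_enabled, ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22). Confirm it is in the part of the Checks list above the context: a guardrail on a check the requirement does not run can never fire, and the loader should reject that case rather than silently accept it.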
@@ -399,6 +493,20 @@
"cloudwatch_log_group_retention_policy_specific_days_enabled",
"vpc_flow_logs_enabled",
"guardduty_no_high_severity_findings"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -426,6 +534,20 @@
"redshift_cluster_automated_snapshot",
"s3_bucket_object_versioning",
"securityhub_enabled"
],
"ConfigRequirements": [
{
"Check": "guardduty_is_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
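Review bot: same concern as the hunk above: guardduty_is_enabled receives a guardrail here while only redshift_cluster_automated_snapshot, s3_bucket_object_versioning and securityhub_enabled are visible in Checks. If the Pydantic model does not already enforce that every ConfigRequirements[].Check is present in Checks, one unit test over all framework files asserting that would catch these mismatches once instead of per review.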
@@ -463,6 +585,14 @@
],
"Checks": [
"config_recorder_all_regions_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
@@ -600,6 +730,14 @@
"rds_cluster_integration_cloudwatch_logs",
"glue_etl_jobs_logging_enabled",
"stepfunctions_statemachine_logging_enabled"
],
"ConfigRequirements": [
{
"Check": "config_recorder_all_regions_enabled",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
+77
@@ -2681,6 +2681,17 @@
"app_function_latest_runtime_version",
"mysql_flexible_server_minimum_tls_version_12",
"sqlserver_recommended_minimal_tls_version"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
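Review bot: subset with Value ["1.2", "1.3"] only works if the scan config stores recommended_minimal_tls_versions as strings with exactly this spelling; a config that lists 1.2 as a number, or as "TLS1_2", compares unequal and FAILs the requirement even though the intent is met. Confirm the operator compares against the type the provider schema validates for this key, and state the expected spelling in the guardrail docs.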
@@ -2705,6 +2716,17 @@
"app_function_latest_runtime_version",
"mysql_flexible_server_minimum_tls_version_12",
"sqlserver_recommended_minimal_tls_version"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
@@ -3903,6 +3925,17 @@
"app_ensure_php_version_is_latest",
"storage_ensure_minimum_tls_version_12",
"storage_smb_protocol_version_is_latest"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
@@ -4352,6 +4385,17 @@
"sqlserver_recommended_minimal_tls_version",
"sqlserver_tde_encrypted_with_cmk",
"sqlserver_tde_encryption_enabled"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
@@ -5743,6 +5787,17 @@
"storage_ensure_minimum_tls_version_12",
"sqlserver_tde_encrypted_with_cmk",
"sqlserver_tde_encryption_enabled"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
@@ -5770,6 +5825,17 @@
"storage_ensure_minimum_tls_version_12",
"sqlserver_tde_encrypted_with_cmk",
"sqlserver_tde_encryption_enabled"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
@@ -6513,6 +6579,17 @@
"mysql_flexible_server_minimum_tls_version_12",
"sqlserver_recommended_minimal_tls_version",
"storage_ensure_minimum_tls_version_12"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
+29
@@ -56,6 +56,25 @@
"app_ensure_using_http20",
"app_ftp_deployment_disabled",
"app_function_ftps_deployment_disabled"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
},
{
"Check": "storage_smb_channel_encryption_with_secure_algorithm",
"ConfigKey": "recommended_smb_channel_encryption_algorithms",
"Operator": "subset",
"Value": [
"AES-256-GCM"
]
}
]
},
{
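Review bot: neither sqlserver_recommended_minimal_tls_version nor storage_smb_channel_encryption_with_secure_algorithm appears in the visible Checks lines (app_ensure_using_http20, app_ftp_deployment_disabled, app_function_ftps_deployment_disabled). Please verify both are in the full list above the context; a guardrail on an unmapped check is dead configuration that never affects the verdict.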
@@ -726,6 +745,16 @@
],
"Checks": [
"storage_smb_channel_encryption_with_secure_algorithm"
],
"ConfigRequirements": [
{
"Check": "storage_smb_channel_encryption_with_secure_algorithm",
"ConfigKey": "recommended_smb_channel_encryption_algorithms",
"Operator": "subset",
"Value": [
"AES-256-GCM"
]
}
]
},
{
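Review bot: subset against a single-element Value has an edge case to pin down: an empty recommended_smb_channel_encryption_algorithms list is a subset of ["AES-256-GCM"] and would satisfy this guardrail, while the check itself is meaningless with an empty allowlist. Either make the operator treat an empty config list as failing or document that it passes; a test for the empty-list case would settle it for every subset guardrail in this commit.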
@@ -253,6 +253,18 @@
"References": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications:https://learn.microsoft.com/en-us/azure/defender-for-cloud/how-to-manage-attack-path:https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-attack-path",
"DefaultValue": ""
}
],
"ConfigRequirements": [
{
"Check": "defender_attack_path_notifications_properly_configured",
"ConfigKey": "defender_attack_path_minimal_risk_level",
"Operator": "in",
"Value": [
"Low",
"Medium",
"High"
]
}
]
},
{
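Review bot: key placement is inconsistent within this file: here ConfigRequirements is appended after Attributes, while the hunk at -375 below, in the same file, inserts it before Attributes. Pick one position (the other framework files put it directly after Checks) so entries stay uniform and future diffs stay small. Separately, "in" with Low/Medium/High encodes an ordered threshold on a non-numeric key (any other value FAILs, so the scan's minimal risk level may be no stricter than High); a sentence in the guardrail docs explaining that this is how a threshold is expressed for string-valued keys would save the next reader a puzzle.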
@@ -375,6 +387,16 @@
"Checks": [
"storage_smb_channel_encryption_with_secure_algorithm"
],
"ConfigRequirements": [
{
"Check": "storage_smb_channel_encryption_with_secure_algorithm",
"ConfigKey": "recommended_smb_channel_encryption_algorithms",
"Operator": "subset",
"Value": [
"AES-256-GCM"
]
}
],
"Attributes": [
{
"Section": "10 Storage Services",
@@ -2614,6 +2614,18 @@
"References": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications:https://learn.microsoft.com/en-us/azure/defender-for-cloud/how-to-manage-attack-path:https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-attack-path",
"DefaultValue": ""
}
],
"ConfigRequirements": [
{
"Check": "defender_attack_path_notifications_properly_configured",
"ConfigKey": "defender_attack_path_minimal_risk_level",
"Operator": "in",
"Value": [
"Low",
"Medium",
"High"
]
}
]
},
{
@@ -3006,6 +3018,16 @@
"Checks": [
"storage_smb_channel_encryption_with_secure_algorithm"
],
"ConfigRequirements": [
{
"Check": "storage_smb_channel_encryption_with_secure_algorithm",
"ConfigKey": "recommended_smb_channel_encryption_algorithms",
"Operator": "subset",
"Value": [
"AES-256-GCM"
]
}
],
"Attributes": [
{
"Section": "9 Storage Services",
+22
@@ -767,6 +767,17 @@
"mysql_flexible_server_minimum_tls_version_12",
"mysql_flexible_server_ssl_connection_enabled",
"postgresql_flexible_server_enforce_ssl_enabled"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
@@ -819,6 +830,17 @@
"mysql_flexible_server_ssl_connection_enabled",
"postgresql_flexible_server_enforce_ssl_enabled",
"databricks_workspace_cmk_encryption_enabled"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
}
]
+33
@@ -1133,6 +1133,17 @@
"defender_ensure_defender_for_dns_is_on",
"sqlserver_tde_encryption_enabled"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
],
"Attributes": [
{
"Section": "6 SECURITY IN NETWORK AND INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE (ARTICLE 21(2), POINT (E), OF DIRECTIVE (EU) 2022/2555)",
@@ -1164,6 +1175,17 @@
"network_udp_internet_access_restricted",
"network_watcher_enabled"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
],
"Attributes": [
{
"Section": "6 SECURITY IN NETWORK AND INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE (ARTICLE 21(2), POINT (E), OF DIRECTIVE (EU) 2022/2555)",
@@ -1887,6 +1909,17 @@
"sqlserver_tde_encrypted_with_cmk",
"sqlserver_tde_encryption_enabled"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
],
"Attributes": [
{
"Section": "12 ASSET MANAGEMENT (ARTICLE 21(2), POINT (I), OF DIRECTIVE (EU) 2022/2555)",
@@ -440,6 +440,25 @@
"postgresql_flexible_server_enforce_ssl_enabled",
"mysql_flexible_server_ssl_connection_enabled",
"mysql_flexible_server_minimum_tls_version_12"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
},
{
"Check": "storage_smb_channel_encryption_with_secure_algorithm",
"ConfigKey": "recommended_smb_channel_encryption_algorithms",
"Operator": "subset",
"Value": [
"AES-256-GCM"
]
}
]
},
{
+22
@@ -266,6 +266,17 @@
"sqlserver_tde_encryption_enabled",
"sqlserver_unrestricted_inbound_access",
"storage_secure_transfer_required_is_enabled"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
@@ -310,6 +321,17 @@
"sqlserver_recommended_minimal_tls_version",
"storage_ensure_minimum_tls_version_12",
"network_subnet_nsg_associated"
],
"ConfigRequirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
+204
@@ -229,7 +229,16 @@
"oraclecloud": [
"cloudguard_enabled"
]
},
"config_requirements": [
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "A&A-04",
@@ -334,7 +343,23 @@
"oraclecloud": [
"cloudguard_enabled"
]
},
"config_requirements": [
{
"Check": "config_recorder_all_regions_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "AIS-04",
@@ -978,7 +1003,16 @@
"defender_ensure_defender_for_server_is_on",
"vm_backup_enabled"
]
},
"config_requirements": [
{
"Check": "drs_job_exist",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "BCR-11",
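Review bot: drs_job_exist is guarded here for Provider aws, but the visible context shows only azure checks (defender_ensure_defender_for_server_is_on, vm_backup_enabled). Confirm the aws block of this requirement lists drs_job_exist; with the universal schema's per-provider check lists, the validator should match Check against the list for the named Provider, not against checks of any provider.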
@@ -1416,7 +1450,30 @@
"events_rule_security_list_changes",
"events_rule_vcn_changes"
]
},
"config_requirements": [
{
"Check": "config_recorder_all_regions_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "CEK-03",
@@ -1659,7 +1716,18 @@
"filestorage_file_system_encrypted_with_cmk",
"objectstorage_bucket_encrypted_with_cmk"
]
},
"config_requirements": [
{
"Check": "storage_smb_channel_encryption_with_secure_algorithm",
"Provider": "azure",
"ConfigKey": "recommended_smb_channel_encryption_algorithms",
"Operator": "subset",
"Value": [
"AES-256-GCM"
]
}
]
},
{
"id": "CEK-04",
@@ -1802,7 +1870,29 @@
"dns_rsasha1_in_use_to_key_sign_in_dnssec",
"dns_rsasha1_in_use_to_zone_sign_in_dnssec"
]
},
"config_requirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"Provider": "aws",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
},
{
"Check": "sqlserver_recommended_minimal_tls_version",
"Provider": "azure",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
"id": "CEK-08",
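Review bot: the two operators in this hunk run in opposite directions and that convention should be written down: insecure_key_algorithms is a denylist, so superset of ["RSA-1024", "P-192"] means the scan must flag at least those algorithms; recommended_minimal_tls_versions is an allowlist, so subset means the scan may permit no more than 1.2 and 1.3. Also confirm "RSA-1024" and "P-192" are the literal strings the aws config uses for that key, since any spelling drift makes the superset test FAIL on a correct config.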
@@ -2345,7 +2435,16 @@
"alibabacloud": [
"securitycenter_all_assets_agent_installed"
]
},
"config_requirements": [
{
"Check": "config_recorder_all_regions_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "DSP-02",
@@ -2583,7 +2682,16 @@
"alibabacloud": [
"securitycenter_all_assets_agent_installed"
]
},
"config_requirements": [
{
"Check": "config_recorder_all_regions_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "DSP-04",
@@ -2997,7 +3105,19 @@
"oraclecloud": [
"compute_instance_in_transit_encryption_enabled"
]
},
"config_requirements": [
{
"Check": "sqlserver_recommended_minimal_tls_version",
"Provider": "azure",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
}
]
},
{
"id": "DSP-16",
@@ -3403,7 +3523,23 @@
"oraclecloud": [
"cloudguard_enabled"
]
},
"config_requirements": [
{
"Check": "guardduty_is_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "IAM-02",
@@ -6255,7 +6391,16 @@
"cloudguard_enabled",
"events_rule_cloudguard_problems"
]
},
"config_requirements": [
{
"Check": "guardduty_is_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "LOG-02",
@@ -6558,7 +6703,23 @@
"events_notification_topic_and_subscription_exists",
"events_rule_local_user_authentication"
]
},
"config_requirements": [
{
"Check": "guardduty_is_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "LOG-04",
@@ -7602,7 +7763,16 @@
"events_rule_cloudguard_problems",
"events_notification_topic_and_subscription_exists"
]
},
"config_requirements": [
{
"Check": "guardduty_is_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "SEF-03",
@@ -7880,7 +8050,23 @@
"oraclecloud": [
"cloudguard_enabled"
]
},
"config_requirements": [
{
"Check": "guardduty_is_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "SEF-08",
@@ -8461,7 +8647,16 @@
"oraclecloud": [
"cloudguard_enabled"
]
},
"config_requirements": [
{
"Check": "guardduty_is_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "TVM-05",
@@ -8729,7 +8924,16 @@
"oraclecloud": [
"cloudguard_enabled"
]
},
"config_requirements": [
{
"Check": "guardduty_is_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "UEM-08",
+170
@@ -215,7 +215,37 @@
"securitycenter_vulnerability_scan_enabled",
"actiontrail_multi_region_enabled"
]
},
"config_requirements": [
{
"Check": "accessanalyzer_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "config_recorder_all_regions_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_delegated_admin_enabled_all_regions",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "DORA-Art7",
@@ -299,7 +329,38 @@
"ecs_unattached_disk_encrypted",
"ecs_instance_no_legacy_network"
]
},
"config_requirements": [
{
"Check": "acm_certificates_with_secure_key_algorithms",
"Provider": "aws",
"ConfigKey": "insecure_key_algorithms",
"Operator": "superset",
"Value": [
"RSA-1024",
"P-192"
]
},
{
"Check": "sqlserver_recommended_minimal_tls_version",
"Provider": "azure",
"ConfigKey": "recommended_minimal_tls_versions",
"Operator": "subset",
"Value": [
"1.2",
"1.3"
]
},
{
"Check": "storage_smb_channel_encryption_with_secure_algorithm",
"Provider": "azure",
"ConfigKey": "recommended_smb_channel_encryption_algorithms",
"Operator": "subset",
"Value": [
"AES-256-GCM"
]
}
]
},
{
"id": "DORA-Art8",
@@ -344,7 +405,16 @@
"securitycenter_all_assets_agent_installed",
"ram_user_console_access_unused"
]
},
"config_requirements": [
{
"Check": "accessanalyzer_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "DORA-Art9",
@@ -580,7 +650,23 @@
"ecs_instance_endpoint_protection_installed",
"cs_kubernetes_cloudmonitor_enabled"
]
},
"config_requirements": [
{
"Check": "guardduty_is_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "DORA-Art11",
@@ -732,7 +818,16 @@
"securitycenter_all_assets_agent_installed",
"ecs_instance_latest_os_patches_applied"
]
},
"config_requirements": [
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "DORA-Art14",
@@ -901,7 +996,23 @@
"securitycenter_notification_enabled_high_risk",
"securitycenter_vulnerability_scan_enabled"
]
},
"config_requirements": [
{
"Check": "guardduty_delegated_admin_enabled_all_regions",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "DORA-Art19",
@@ -1017,7 +1128,16 @@
"cs_kubernetes_cluster_check_recent",
"cs_kubernetes_cluster_check_weekly"
]
},
"config_requirements": [
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "DORA-Art25",
@@ -1079,7 +1199,23 @@
"ecs_instance_latest_os_patches_applied",
"ecs_instance_no_legacy_network"
]
},
"config_requirements": [
{
"Check": "config_recorder_all_regions_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "guardduty_is_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "DORA-Art28",
@@ -1144,7 +1280,16 @@
"oss_bucket_not_publicly_accessible",
"actiontrail_oss_bucket_not_publicly_accessible"
]
},
"config_requirements": [
{
"Check": "accessanalyzer_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "DORA-Art30",
@@ -1200,7 +1345,16 @@
"ram_policy_attached_only_to_group_or_roles",
"ram_no_root_access_key"
]
},
"config_requirements": [
{
"Check": "accessanalyzer_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
},
{
"id": "DORA-Art45",
@@ -1245,7 +1399,23 @@
"actiontrail_multi_region_enabled",
"sls_logstore_retention_period"
]
},
"config_requirements": [
{
"Check": "guardduty_is_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
},
{
"Check": "securityhub_enabled",
"Provider": "aws",
"ConfigKey": "mute_non_default_regions",
"Operator": "eq",
"Value": false
}
]
}
]
}
+22
@@ -924,6 +924,14 @@
"cloudsql_instance_automated_backups",
"cloudstorage_bucket_log_retention_policy_lock",
"cloudstorage_bucket_sufficient_retention_period"
],
"ConfigRequirements": [
{
"Check": "cloudstorage_bucket_sufficient_retention_period",
"ConfigKey": "storage_min_retention_days",
"Operator": "gte",
"Value": 30
}
]
},
{
@@ -5841,6 +5849,20 @@
"Checks": [
"iam_sa_user_managed_key_unused",
"iam_service_account_unused"
],
"ConfigRequirements": [
{
"Check": "iam_sa_user_managed_key_unused",
"ConfigKey": "max_unused_account_days",
"Operator": "lte",
"Value": 90
},
{
"Check": "iam_service_account_unused",
"ConfigKey": "max_unused_account_days",
"Operator": "lte",
"Value": 90
}
]
},
{
@@ -820,6 +820,14 @@
"Checks": [
"apiserver_audit_log_maxage_set"
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxage_set",
"ConfigKey": "audit_log_maxage",
"Operator": "gte",
"Value": 30
}
],
"Attributes": [
{
"Section": "1 Control Plane Components",
@@ -858,6 +866,14 @@
"DefaultValue": "By default, auditing is not enabled.",
"References": "https://kubernetes.io/docs/admin/kube-apiserver/:https://kubernetes.io/docs/concepts/cluster-administration/audit/:https://github.com/kubernetes/features/issues/22"
}
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxbackup_set",
"ConfigKey": "audit_log_maxbackup",
"Operator": "gte",
"Value": 10
}
]
},
{
@@ -881,6 +897,14 @@
"DefaultValue": "By default, auditing is not enabled.",
"References": "https://kubernetes.io/docs/admin/kube-apiserver/:https://kubernetes.io/docs/concepts/cluster-administration/audit/:https://github.com/kubernetes/features/issues/22"
}
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxsize_set",
"ConfigKey": "audit_log_maxsize",
"Operator": "gte",
"Value": 100
}
]
},
{
@@ -1109,6 +1133,18 @@
"DefaultValue": "By default the Kubernetes API server supports a wide range of TLS ciphers",
"References": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites"
}
],
"ConfigRequirements": [
{
"Check": "apiserver_strong_ciphers_only",
"ConfigKey": "apiserver_strong_ciphers",
"Operator": "subset",
"Value": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
]
}
]
},
{
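Review bot: subset of three TLS 1.3 suite names means any scan whose apiserver_strong_ciphers list also contains a TLS 1.2 suite (an ECDHE_* entry, for example) FAILs this requirement. If the shipped default for apiserver_strong_ciphers includes TLS 1.2 suites, every default scan fails here; check the kubernetes default config before merging, or widen Value to the default set if that is the intended floor.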
@@ -2069,6 +2105,23 @@
"DefaultValue": "By default the Kubernetes API server supports a wide range of TLS ciphers",
"References": ""
}
],
"ConfigRequirements": [
{
"Check": "kubelet_strong_ciphers_only",
"ConfigKey": "kubelet_strong_ciphers",
"Operator": "subset",
"Value": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256"
]
}
]
},
{
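Review bot: the kubelet allow-set differs in kind from the apiserver one in the previous hunk: it consists of TLS 1.2 suites and includes TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256, which use static RSA key exchange and provide no forward secrecy. If the list mirrors the benchmark's own remediation text, say so in the guardrail docs so nobody "fixes" it later; if not, the two TLS_RSA_* entries are the ones to drop.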
@@ -820,6 +820,14 @@
"Checks": [
"apiserver_audit_log_maxage_set"
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxage_set",
"ConfigKey": "audit_log_maxage",
"Operator": "gte",
"Value": 30
}
],
"Attributes": [
{
"Section": "1 Control Plane Components",
@@ -858,6 +866,14 @@
"References": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/:https://github.com/kubernetes/enhancements/issues/22",
"DefaultValue": "By default, auditing is not enabled."
}
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxbackup_set",
"ConfigKey": "audit_log_maxbackup",
"Operator": "gte",
"Value": 10
}
]
},
{
@@ -881,6 +897,14 @@
"References": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/:https://github.com/kubernetes/enhancements/issues/22",
"DefaultValue": "By default, auditing is not enabled."
}
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxsize_set",
"ConfigKey": "audit_log_maxsize",
"Operator": "gte",
"Value": 100
}
]
},
{
@@ -1109,6 +1133,18 @@
"References": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites",
"DefaultValue": "By default the Kubernetes API server supports a wide range of TLS ciphers"
}
],
"ConfigRequirements": [
{
"Check": "apiserver_strong_ciphers_only",
"ConfigKey": "apiserver_strong_ciphers",
"Operator": "subset",
"Value": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
]
}
]
},
{
@@ -2112,6 +2148,23 @@
"References": "",
"DefaultValue": "By default the Kubernetes API server supports a wide range of TLS ciphers"
}
],
"ConfigRequirements": [
{
"Check": "kubelet_strong_ciphers_only",
"ConfigKey": "kubelet_strong_ciphers",
"Operator": "subset",
"Value": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256"
]
}
]
},
{
@@ -820,6 +820,14 @@
"Checks": [
"apiserver_audit_log_maxage_set"
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxage_set",
"ConfigKey": "audit_log_maxage",
"Operator": "gte",
"Value": 30
}
],
"Attributes": [
{
"Section": "1 Control Plane Components",
@@ -858,6 +866,14 @@
"References": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/:https://github.com/kubernetes/enhancements/issues/22",
"DefaultValue": "By default, auditing is not enabled."
}
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxbackup_set",
"ConfigKey": "audit_log_maxbackup",
"Operator": "gte",
"Value": 10
}
]
},
{
@@ -881,6 +897,14 @@
"References": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/:https://github.com/kubernetes/enhancements/issues/22",
"DefaultValue": "By default, auditing is not enabled."
}
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxsize_set",
"ConfigKey": "audit_log_maxsize",
"Operator": "gte",
"Value": 100
}
]
},
{
@@ -1109,6 +1133,18 @@
"References": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites",
"DefaultValue": "By default the Kubernetes API server supports a wide range of TLS ciphers"
}
],
"ConfigRequirements": [
{
"Check": "apiserver_strong_ciphers_only",
"ConfigKey": "apiserver_strong_ciphers",
"Operator": "subset",
"Value": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
]
}
]
},
{
@@ -2090,6 +2126,23 @@
"References": "",
"DefaultValue": "By default the Kubernetes API server supports a wide range of TLS ciphers"
}
],
"ConfigRequirements": [
{
"Check": "kubelet_strong_ciphers_only",
"ConfigKey": "kubelet_strong_ciphers",
"Operator": "subset",
"Value": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256"
]
}
]
},
{
@@ -843,6 +843,14 @@
"Checks": [
"apiserver_audit_log_maxage_set"
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxage_set",
"ConfigKey": "audit_log_maxage",
"Operator": "gte",
"Value": 30
}
],
"Attributes": [
{
"Section": "1 Control Plane Components",
@@ -881,6 +889,14 @@
"References": "https://kubernetes.io/docs/admin/kube-apiserver/:https://kubernetes.io/docs/concepts/cluster-administration/audit/:https://github.com/kubernetes/features/issues/22",
"DefaultValue": "By default, auditing is not enabled."
}
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxbackup_set",
"ConfigKey": "audit_log_maxbackup",
"Operator": "gte",
"Value": 10
}
]
},
{
@@ -904,6 +920,14 @@
"References": "https://kubernetes.io/docs/admin/kube-apiserver/:https://kubernetes.io/docs/concepts/cluster-administration/audit/:https://github.com/kubernetes/features/issues/22",
"DefaultValue": "By default, auditing is not enabled."
}
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxsize_set",
"ConfigKey": "audit_log_maxsize",
"Operator": "gte",
"Value": 100
}
]
},
{
@@ -1132,6 +1156,18 @@
"References": "https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites",
"DefaultValue": "By default the Kubernetes API server supports a wide range of TLS ciphers"
}
],
"ConfigRequirements": [
{
"Check": "apiserver_strong_ciphers_only",
"ConfigKey": "apiserver_strong_ciphers",
"Operator": "subset",
"Value": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
]
}
]
},
{
@@ -2092,6 +2128,23 @@
"References": "",
"DefaultValue": "By default the Kubernetes API server supports a wide range of TLS ciphers"
}
],
"ConfigRequirements": [
{
"Check": "kubelet_strong_ciphers_only",
"ConfigKey": "kubelet_strong_ciphers",
"Operator": "subset",
"Value": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256"
]
}
]
},
{
@@ -8268,6 +8268,14 @@
"Checks": [
"apiserver_audit_log_maxage_set"
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxage_set",
"ConfigKey": "audit_log_maxage",
"Operator": "gte",
"Value": 365
}
],
"Attributes": [
{
"Section": "10.5.1: Audit log history is retained and available for analysis.",
@@ -10054,6 +10062,14 @@
"Checks": [
"apiserver_audit_log_maxage_set"
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxage_set",
"ConfigKey": "audit_log_maxage",
"Operator": "gte",
"Value": 365
}
],
"Attributes": [
{
"Section": "3.3.1.3: Sensitive authentication data (SAD) is not stored after authorization.",
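Review bot: the 365-day floor on audit_log_maxage is attached here to 3.3.1.3 (SAD not stored after authorization), and again to 3.3.3 and 5.3.4 in the hunks below, with the same value as 10.5.1. Only 10.5.1 is a log-history retention control; if the 12-month figure is derived from it, the other three requirements inherit a threshold their own text does not state. Confirm the value is intended for each, or drop the guardrail where the control is not about retention.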
@@ -10250,6 +10266,14 @@
"Checks": [
"apiserver_audit_log_maxage_set"
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxage_set",
"ConfigKey": "audit_log_maxage",
"Operator": "gte",
"Value": 365
}
],
"Attributes": [
{
"Section": "3.3.3: Sensitive authentication data (SAD) is not stored after authorization.",
@@ -13004,6 +13028,14 @@
"Checks": [
"apiserver_audit_log_maxage_set"
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxage_set",
"ConfigKey": "audit_log_maxage",
"Operator": "gte",
"Value": 365
}
],
"Attributes": [
{
"Section": "5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.",
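Review bot: same concern as the 3.3.1.3 hunk: a one-year audit-log retention floor is copied onto 5.3.4 (anti-malware mechanisms), where the retention period is not the property the control is about. If the intent is only that audit logging be configured at all, a gte 365 constraint is the wrong tool; if retention really is meant here, say so in the Description so the forced FAIL message makes sense to the reader.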
@@ -1083,6 +1083,23 @@
"LevelOfRisk": 4,
"Weight": 100
}
],
"ConfigRequirements": [
{
"Check": "kubelet_strong_ciphers_only",
"ConfigKey": "kubelet_strong_ciphers",
"Operator": "subset",
"Value": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256"
]
}
]
},
{
@@ -1199,6 +1216,14 @@
"Checks": [
"apiserver_audit_log_maxage_set"
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxage_set",
"ConfigKey": "audit_log_maxage",
"Operator": "gte",
"Value": 30
}
],
"Attributes": [
{
"Title": "API Server audit log retention configured",
@@ -1227,6 +1252,14 @@
"LevelOfRisk": 3,
"Weight": 10
}
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxbackup_set",
"ConfigKey": "audit_log_maxbackup",
"Operator": "gte",
"Value": 10
}
]
},
{
@@ -1245,6 +1278,14 @@
"LevelOfRisk": 2,
"Weight": 8
}
],
"ConfigRequirements": [
{
"Check": "apiserver_audit_log_maxsize_set",
"ConfigKey": "audit_log_maxsize",
"Operator": "gte",
"Value": 100
}
]
},
{
+70
View File
@@ -565,6 +565,68 @@
"References": "https://learn.microsoft.com/en-us/powershell/module/exchange/get-malwarefilterpolicy?view=exchange-ps:https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide:https://learn.microsoft.com/en-us/office/compatibility/office-file-format-reference",
"DefaultValue": "The following extensions are blocked by default:ace, ani, apk, app, appx, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z"
}
],
"ConfigRequirements": [
{
"Check": "defender_malware_policy_comprehensive_attachments_filter_applied",
"ConfigKey": "recommended_blocked_file_types",
"Operator": "superset",
"Value": [
"ace",
"ani",
"apk",
"app",
"appx",
"arj",
"bat",
"cab",
"cmd",
"com",
"deb",
"dex",
"dll",
"docm",
"elf",
"exe",
"hta",
"img",
"iso",
"jar",
"jnlp",
"kext",
"lha",
"lib",
"library",
"lnk",
"lzh",
"macho",
"msc",
"msi",
"msix",
"msp",
"mst",
"pif",
"ppa",
"ppam",
"reg",
"rev",
"scf",
"scr",
"sct",
"sys",
"uif",
"vb",
"vbe",
"vbs",
"vxd",
"wsc",
"wsf",
"wsh",
"xll",
"xz",
"z"
]
}
]
},
{
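Review bot: this 53-extension list is pasted verbatim into three framework files in this commit (this hunk, @@ -582 and @@ -964 below), so the `superset` ceiling can drift the moment one copy is edited; at minimum add a test asserting the three lists are equal, or generate them from one source. Also, the evaluator compares these as plain sets (`applied_set, expected_set = set(applied), set(expected)`), so a user config that spells an extension in a different case (EXE) or with a leading dot (.exe) fails the superset test and forces FAIL even though the filter is functionally identical; normalise both sides before comparing, or document the expected spelling next to the key.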
@@ -1209,6 +1271,14 @@
"References": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime",
"DefaultValue": "The default configuration for user sign-in frequency is a rolling window of 90 days."
}
],
"ConfigRequirements": [
{
"Check": "entra_admin_users_sign_in_frequency_enabled",
"ConfigKey": "sign_in_frequency",
"Operator": "lte",
"Value": 4
}
]
},
{
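Review bot: the unit of sign_in_frequency cannot be inferred from this hunk: the DefaultValue text describes a 90-day rolling window while Value is 4, so a reader cannot tell whether the guardrail means 4 hours or 4 days. State the unit where the config key is described, or encode it in the key name the way okta_max_session_lifetime_minutes does in the STIG hunks below.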
+78
View File
@@ -582,6 +582,68 @@
"References": "https://learn.microsoft.com/en-us/powershell/module/exchange/get-malwarefilterpolicy?view=exchange-ps:https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide:https://learn.microsoft.com/en-us/office/compatibility/office-file-format-reference",
"DefaultValue": "53 extensions are blocked by default."
}
],
"ConfigRequirements": [
{
"Check": "defender_malware_policy_comprehensive_attachments_filter_applied",
"ConfigKey": "recommended_blocked_file_types",
"Operator": "superset",
"Value": [
"ace",
"ani",
"apk",
"app",
"appx",
"arj",
"bat",
"cab",
"cmd",
"com",
"deb",
"dex",
"dll",
"docm",
"elf",
"exe",
"hta",
"img",
"iso",
"jar",
"jnlp",
"kext",
"lha",
"lib",
"library",
"lnk",
"lzh",
"macho",
"msc",
"msi",
"msix",
"msp",
"mst",
"pif",
"ppa",
"ppam",
"reg",
"rev",
"scf",
"scr",
"sct",
"sys",
"uif",
"vb",
"vbe",
"vbs",
"vxd",
"wsc",
"wsf",
"wsh",
"xll",
"xz",
"z"
]
}
]
},
{
@@ -1949,6 +2011,14 @@
"References": "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide",
"DefaultValue": "AuditEnabled: True for all mailboxes except Resource Mailboxes, Public Folder Mailboxes, and DiscoverySearch Mailbox"
}
],
"ConfigRequirements": [
{
"Check": "exchange_user_mailbox_auditing_enabled",
"ConfigKey": "audit_log_age",
"Operator": "gte",
"Value": 90
}
]
},
{
@@ -2110,6 +2180,14 @@
"References": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips",
"DefaultValue": "MailTipsAllTipsEnabled: True, MailTipsExternalRecipientsTipsEnabled: False, MailTipsGroupMetricsEnabled: True, MailTipsLargeAudienceThreshold: 25"
}
],
"ConfigRequirements": [
{
"Check": "exchange_organization_mailtips_enabled",
"ConfigKey": "recommended_mailtips_large_audience_threshold",
"Operator": "lte",
"Value": 25
}
]
},
{
@@ -819,6 +819,14 @@
"LevelOfRisk": 4,
"Weight": 100
}
],
"ConfigRequirements": [
{
"Check": "entra_admin_users_sign_in_frequency_enabled",
"ConfigKey": "sign_in_frequency",
"Operator": "lte",
"Value": 4
}
]
},
{
@@ -964,6 +972,68 @@
"LevelOfRisk": 2,
"Weight": 8
}
],
"ConfigRequirements": [
{
"Check": "defender_malware_policy_comprehensive_attachments_filter_applied",
"ConfigKey": "recommended_blocked_file_types",
"Operator": "superset",
"Value": [
"ace",
"ani",
"apk",
"app",
"appx",
"arj",
"bat",
"cab",
"cmd",
"com",
"deb",
"dex",
"dll",
"docm",
"elf",
"exe",
"hta",
"img",
"iso",
"jar",
"jnlp",
"kext",
"lha",
"lib",
"library",
"lnk",
"lzh",
"macho",
"msc",
"msi",
"msix",
"msp",
"mst",
"pif",
"ppa",
"ppam",
"reg",
"rev",
"scf",
"scr",
"sct",
"sys",
"uif",
"vb",
"vbe",
"vbs",
"vxd",
"wsc",
"wsf",
"wsh",
"xll",
"xz",
"z"
]
}
]
},
{
@@ -25,6 +25,14 @@
"CheckText": "From the Admin Console: 1. Select Security >> Global Session Policy. 2. In the Default Policy, verify a rule is configured at Priority 1 that is not named \"Default Rule\". 3. Click the edit icon next to the Priority 1 rule. 4. Verify the \"Maximum Okta global session idle time\" is set to 15 minutes. If \"Maximum Okta global session idle time\" is not set to 15 minutes, this is a finding.",
"FixText": "From the Admin Console: 1. Go to Security >> Global Session Policy. 2. Select the Default Policy. 3. In the Rules table, make these updates: - Click \"Add rule\". - Set \"Maximum Okta global session idle time\" to 15 minutes."
}
],
"ConfigRequirements": [
{
"Check": "signon_global_session_idle_timeout_15min",
"ConfigKey": "okta_max_session_idle_minutes",
"Operator": "lte",
"Value": 15
}
]
},
{
@@ -46,6 +54,14 @@
"CheckText": "From the Admin Console: 1. Select Applications >> Applications >> Okta Admin Console. 2. In the Sign On tab, under \"Okta Admin Console session\", verify the \"Maximum app session idle time\" is set to 15 minutes. If the \"Maximum app session idle time\" is not set to 15 minutes, this is a finding.",
"FixText": "From the Admin Console: 1. Select Applications >> Applications >> Okta Admin Console. 2. In the Sign On tab, under \"Okta Admin Console session\", set the \"Maximum app session idle time\" to 15 minutes."
}
],
"ConfigRequirements": [
{
"Check": "application_admin_console_session_idle_timeout_15min",
"ConfigKey": "okta_admin_console_idle_timeout_max_minutes",
"Operator": "lte",
"Value": 15
}
]
},
{
@@ -69,6 +85,14 @@
"CheckText": "If Okta Services rely on external directory services for user sourcing, this is not applicable, and the connected directory services must perform this function. Go to Workflows >> Automations and verify that an Automation has been created to disable accounts after 35 days of inactivity. If the Okta configuration does not automatically disable accounts after a 35-day period of account inactivity, this is a finding.",
"FixText": "From the Admin Console: 1. Go to Workflow >> Automations and select \"Add Automation\". 2. Create a name for the Automation (e.g., \"User Inactivity\"). 3. Click \"Add Condition\" and select \"User Inactivity in Okta\". 4. In the duration field, enter 35 days and click \"Save\". 5 Click the edit button next to \"Select Schedule\". 6. Configure the \"Schedule\" field for \"Run Daily\" and set the \"Time\" field to an organizationally defined time to run this automation. Click \"Save\". 7. Click the edit button next to \"Select group membership\". 8. In the \"Applies to\" field, select the group \"Everyone\" by typing it into the field. Click \"Save\". 9. Click \"Add Action\" and select \"Change User lifecycle state in Okta\". 10. In the \"Change user state to\" field, select \"Suspended\" and click \"Save\". 11. Click the \"Inactive\" button near the top of the section screen and select \"Activate\"."
}
],
"ConfigRequirements": [
{
"Check": "user_inactivity_automation_35d_enabled",
"ConfigKey": "okta_user_inactivity_max_days",
"Operator": "lte",
"Value": 35
}
]
},
{
@@ -395,6 +419,14 @@
"CheckText": "From the Admin Console: 1. Select Security >> Global Session Policy. 2. In the Default Policy, verify a rule is configured at Priority 1 that is not named \"Default Rule\". 3. Click the \"Edit\" icon next to the Priority 1 rule. 4. Verify \"Maximum Okta global session lifetime\" is set to 18 hours. If the above is not set, this is a finding.",
"FixText": "From the Admin Console: 1. Go to Security >> Global Session Policy. 2. Select the Default Policy. 3. In the Rules table, make these updates: - Click \"Add rule\". - Set \"Maximum Okta global session lifetime\" to 18 hours."
}
],
"ConfigRequirements": [
{
"Check": "signon_global_session_lifetime_18h",
"ConfigKey": "okta_max_session_lifetime_minutes",
"Operator": "lte",
"Value": 1080
}
]
},
{
+404
View File
@@ -0,0 +1,404 @@
"""Shared evaluation of a requirement's configuration constraints.
Some compliance requirements only hold if the configurable checks they map to
ran with a configuration strict enough for the requirement. For example CIS AWS
6.0 requirement 2.11 ("credentials unused for 45 days or more are disabled")
maps `iam_user_accesskey_unused` (config `max_unused_access_keys_days`); if the
user loosens that to 120 days the check can PASS while the requirement is, in
fact, not satisfied.
A requirement declares its expectations via ``ConfigRequirements`` (a list of
``{Check, ConfigKey, Operator, Value}``). The configuration a scan applied is a
single, scan-global mapping (the provider's ``audit_config``), so the rules are
evaluated against that mapping directly. This module is consumed by the SDK
compliance outputs (CSV + CLI table) and by the Prowler App backend so the rule
lives in one place.
"""
from typing import Any, Optional
# Leading sentence of the message prepended to a finding's ``status_extended``
# when its requirement's config constraints are not satisfied and the status is
# forced to FAIL. It opens every config-not-valid message, so it doubles as a
# stable marker for detecting the case programmatically.
CONFIG_NOT_VALID_PREFIX = "Configuration not valid for this requirement."
def _format_value(value: Any) -> str:
"""Render a constraint value for a user-facing message (lists comma-joined)."""
if isinstance(value, (list, tuple, set)):
return ", ".join(str(item) for item in value)
return str(value)
def _describe_violation(
check: Any, config_key: Any, applied: Any, operator: str, expected: Any
) -> str:
"""Return a product-friendly explanation of why a config violates a constraint.
The message names the check and config key, the value the scan applied, what
the requirement needs, and how to fix it, in plain language rather than the
operator/value pair.
Args:
check: the check the requirement maps to (e.g. ``iam_user_accesskey_unused``).
config_key: the config option that was too loose (e.g. ``max_unused_access_keys_days``).
applied: the value the scan actually applied.
operator: the constraint operator (``lte``/``gte``/``eq``/``in``/``subset``/``superset``).
expected: the value the requirement expects.
Returns:
A full, human-readable message ending with an actionable fix.
"""
applied_str = _format_value(applied)
expected_str = _format_value(expected)
needs, fix = {
"lte": (
f"a value of {expected_str} or lower",
f"Update it to {expected_str} or lower.",
),
"gte": (
f"a value of {expected_str} or higher",
f"Update it to {expected_str} or higher.",
),
"eq": (
f"it set to {expected_str}",
f"Update it to {expected_str}.",
),
"in": (
f"it set to one of {expected_str}",
f"Update it to one of {expected_str}.",
),
"subset": (
f"it limited to {expected_str}",
f"Remove any value that is not in {expected_str}.",
),
"superset": (
f"it to include {expected_str}",
f"Make sure it includes {expected_str}.",
),
}.get(operator, (f"a different value (expected {operator} {expected_str})", ""))
message = (
f"{CONFIG_NOT_VALID_PREFIX} The check {check} has {config_key} set to "
f"{applied_str}, but the requirement needs {needs}."
)
return f"{message} {fix}".strip()
def _check_operator(applied: Any, operator: str, expected: Any) -> bool:
"""Return whether ``applied`` satisfies ``operator`` against ``expected``."""
try:
if operator == "lte":
return applied <= expected
if operator == "gte":
return applied >= expected
if operator == "eq":
return applied == expected
if operator == "in":
return applied in expected
if operator in ("subset", "superset"):
# Set comparisons for list-valued configs (allowlists / denylists).
# Both sides must be collections; anything else is not satisfiable.
if not isinstance(applied, (list, tuple, set)) or not isinstance(
expected, (list, tuple, set)
):
return False
applied_set, expected_set = set(applied), set(expected)
if operator == "subset":
return applied_set <= expected_set
return applied_set >= expected_set
except TypeError:
# Mismatched/unhashable types → treat as not satisfied.
return False
# Unknown operator: do not block the requirement on a malformed constraint.
return True
def evaluate_config_constraints(
config_requirements: Optional[list[Any]],
audit_config: Optional[dict[str, Any]],
provider_type: Optional[str] = None,
) -> tuple[bool, str]:
"""Evaluate a requirement's config constraints against the scan's config.
Args:
config_requirements: list of constraints, each a mapping (or object with
the same attributes) holding ``Check``, ``ConfigKey``, ``Operator``,
``Value`` and an optional ``Provider``. ``None``/empty means the
requirement has no config expectations.
audit_config: the scan-global configuration mapping (the provider's
``audit_config``, i.e. ``{config_key: value}``). The applied config
is identical across every resource and region of a scan.
provider_type: the provider being scanned (e.g. ``aws``). A constraint
tagged with a ``Provider`` is only evaluated when it matches this
value; this scopes universal (multi-provider) framework constraints
to the right provider. ``None`` disables provider scoping (every
constraint is evaluated), which is the correct behaviour for
single-provider frameworks.
Returns:
``(is_compliant, reason)``. ``is_compliant`` is ``True`` when there are
no constraints or every explicitly-set value satisfies its constraint.
When a configured value violates a constraint, returns ``(False, reason)``
describing the first violation. A constraint whose ``ConfigKey`` was not
explicitly set is skipped (the check's default is assumed to match what
the requirement expects).
"""
if not config_requirements:
return True, ""
audit_config = audit_config or {}
for constraint in config_requirements:
# Accept both dicts (API template) and objects (Pydantic model).
if isinstance(constraint, dict):
check = constraint.get("Check")
config_key = constraint.get("ConfigKey")
operator = constraint.get("Operator")
expected = constraint.get("Value")
provider = constraint.get("Provider")
else:
check = getattr(constraint, "Check", None)
config_key = getattr(constraint, "ConfigKey", None)
operator = getattr(constraint, "Operator", None)
expected = getattr(constraint, "Value", None)
provider = getattr(constraint, "Provider", None)
# Constraint scoped to another provider → not applicable to this scan.
# Compared case-insensitively (and trimmed) so a constraint authored as
# e.g. "AWS" still scopes to the "aws" scan instead of being silently
# bypassed by a casing/format mismatch.
if (
provider
and provider_type
and str(provider).strip().lower() != str(provider_type).strip().lower()
):
continue
if config_key not in audit_config:
# Config not explicitly set → default is assumed adequate.
continue
applied = audit_config[config_key]
if not _check_operator(applied, operator, expected):
reason = _describe_violation(check, config_key, applied, operator, expected)
return False, reason
return True, ""
def get_scan_audit_config() -> dict[str, Any]:
"""Return the scan-global applied configuration (the provider's audit_config).
The applied config is identical across every resource and region of a scan,
so every compliance output evaluates constraints against this single mapping.
Imported lazily to avoid a circular import with the provider package and to
keep this module usable from contexts without a global provider.
Returns:
The provider's ``audit_config`` mapping, or ``{}`` when no global
provider is set (``AttributeError``) or the provider package cannot be
imported (``ImportError``).
"""
try:
from prowler.providers.common.provider import Provider
return Provider.get_global_provider().audit_config or {}
except (AttributeError, ImportError):
# No global provider set, or provider package unavailable.
return {}
def get_scan_provider_type() -> str:
"""Return the provider being scanned (e.g. ``aws``) for constraint scoping.
Imported lazily to avoid a circular import with the provider package and to
keep this module usable from contexts without a global provider.
Returns:
The provider's ``type`` (e.g. ``aws``), or ``""`` when no global provider
is set (``AttributeError``) or the provider package cannot be imported
(``ImportError``); an empty string disables provider scoping.
"""
try:
from prowler.providers.common.provider import Provider
return Provider.get_global_provider().type or ""
except (AttributeError, ImportError):
# No global provider set, or provider package unavailable.
return ""
def _requirement_id(requirement: Any) -> Optional[str]:
"""Return a requirement's id across the legacy (``Id``) and universal (``id``) models."""
return getattr(requirement, "Id", None) or getattr(requirement, "id", None)
def _requirement_constraints(requirement: Any) -> Optional[list]:
"""Return a requirement's config constraints across both model flavours.
Legacy ``Compliance_Requirement`` exposes ``ConfigRequirements`` (a list of
Pydantic models); ``UniversalComplianceRequirement`` exposes
``config_requirements`` (a list of dicts). ``evaluate_config_constraints``
handles both element types.
"""
return getattr(requirement, "ConfigRequirements", None) or getattr(
requirement, "config_requirements", None
)
def build_requirement_config_status(
requirements: list[Any],
audit_config: Optional[dict[str, Any]] = None,
provider_type: Optional[str] = None,
) -> dict[str, tuple[bool, str]]:
"""Map every requirement id to its ``(is_compliant, reason)`` config verdict.
Only requirements that actually declare constraints are included; callers use
``dict.get(req_id)`` (returning ``None`` no constraints no override).
Args:
requirements: the framework's requirements (legacy or universal models).
audit_config: the applied config; resolved via ``get_scan_audit_config``
when omitted.
provider_type: the provider being scanned, for constraint scoping;
resolved via ``get_scan_provider_type`` when omitted.
Returns:
A mapping ``{requirement_id: (is_compliant, reason)}`` containing only the
requirements that declare config constraints.
"""
if audit_config is None:
audit_config = get_scan_audit_config()
if provider_type is None:
provider_type = get_scan_provider_type()
status = {}
for requirement in requirements:
constraints = _requirement_constraints(requirement)
if constraints:
status[_requirement_id(requirement)] = evaluate_config_constraints(
constraints, audit_config, provider_type
)
return status
def resolve_requirement_config_status(
requirement: Any,
audit_config: dict[str, Any],
cache: dict,
provider_type: Optional[str] = None,
) -> tuple[bool, str]:
"""Return a requirement's ``(is_compliant, reason)`` verdict, memoised in ``cache``.
For table generators that iterate findings × compliances and only encounter
each requirement lazily.
Args:
requirement: the requirement (legacy or universal model).
audit_config: the scan-global applied config.
cache: a dict keyed by requirement id, reused across the whole table
build to memoise verdicts.
provider_type: the provider being scanned, for constraint scoping;
resolved via ``get_scan_provider_type`` when omitted.
Returns:
The ``(is_compliant, reason)`` verdict; ``(True, "")`` when the
requirement declares no constraints.
"""
req_id = _requirement_id(requirement)
if req_id not in cache:
constraints = _requirement_constraints(requirement)
if constraints:
if provider_type is None:
provider_type = get_scan_provider_type()
cache[req_id] = evaluate_config_constraints(
constraints, audit_config, provider_type
)
else:
cache[req_id] = (True, "")
return cache[req_id]
def apply_config_status(
status: str,
status_extended: str,
config_status: Optional[tuple[bool, str]],
) -> tuple[str, str]:
"""Override a finding's ``(status, status_extended)`` when its config is invalid.
A requirement whose configurable checks ran with a config too loose to trust
is forced to ``FAIL`` regardless of the finding's own status, with the reason
prepended to ``status_extended``.
Args:
status: the finding's original status (e.g. ``PASS`` / ``FAIL``).
status_extended: the finding's extended status message.
config_status: the ``(is_compliant, reason)`` tuple from
``build_requirement_config_status``/``resolve_requirement_config_status``,
or ``None`` when the requirement declares no constraints.
Returns:
The ``(status, status_extended)`` to report: unchanged when the config is
valid (or ``config_status`` is ``None``); otherwise ``FAIL`` with the
reason prepended to ``status_extended``.
"""
if not config_status or config_status[0]:
return status, status_extended
return (
"FAIL",
f"{config_status[1]} {status_extended}".strip(),
)
def get_effective_status(
status: str,
config_status: Optional[tuple[bool, str]],
) -> str:
"""Return the effective status for table aggregation.
Args:
status: the finding's original status.
config_status: the ``(is_compliant, reason)`` tuple, or ``None`` when the
requirement declares no constraints.
Returns:
``FAIL`` when ``config_status`` marks the config invalid; otherwise the
finding's original ``status``.
"""
if not config_status or config_status[0]:
return status
return "FAIL"
def accumulate_overview_status(
index: int,
status: str,
pass_indices: set,
fail_indices: set,
muted_indices: set,
) -> None:
"""Record a finding in the overview totals once, with FAIL precedence over PASS (sets mutated in place)."""
if status == "Muted":
muted_indices.add(index)
elif status == "FAIL":
fail_indices.add(index)
pass_indices.discard(index)
elif status == "PASS" and index not in fail_indices:
pass_indices.add(index)
def accumulate_group_status(
index: int,
status: str,
counts: dict,
seen: dict,
) -> None:
"""Count a finding once per group, upgrading a counted PASS to FAIL on conflict (mutates ``counts``/``seen``)."""
previous = seen.get(index)
if previous is None:
seen[index] = status
counts[status] += 1
elif previous == "PASS" and status == "FAIL":
seen[index] = "FAIL"
counts["PASS"] -= 1
counts["FAIL"] += 1
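Review bot: evaluate_config_constraints skips any constraint whose ConfigKey is absent from audit_config (`if config_key not in audit_config: continue`) on the assumption that the check's built-in default is adequate, but the constraint carries no default to compare against, so a config that simply omits the key (or has it dropped before it reaches audit_config) passes the guardrail while the check runs on whatever its fallback is. This fails open; either carry the effective default into the evaluation or treat a missing key as a violation with its own message. Two smaller points in the same file: `_check_operator` returns True for an unknown operator, which matters because dict-shaped constraints from the API template never pass through the Literal in Compliance_Requirement_ConfigConstraint, so a typo such as "gt" silently disables the guardrail; and the build_requirement_config_status docstring reads "(returning ``None`` no constraints no override)", which is missing its punctuation.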
+94 -2
View File
@@ -3,7 +3,7 @@ import json
import os
import sys
from enum import Enum
from typing import Optional, Union
from typing import Any, Literal, Optional, Union
from pydantic.v1 import BaseModel, Field, ValidationError, root_validator
@@ -170,6 +170,79 @@ class ISO27001_2013_Requirement_Attribute(BaseModel):
Check_Summary: str
# Base Compliance Model
class Compliance_Requirement_ConfigConstraint(BaseModel):
"""A constraint a requirement places on a configurable check's config.
Declares that the configurable check ``Check`` must have run with
``ConfigKey`` satisfying ``Operator`` ``Value`` for the requirement's
result to be trusted. Example: ``max_unused_access_keys_days <= 45``.
``Provider`` scopes the constraint to a single provider. It is required for
universal (multi-provider) frameworks, where the same requirement maps
checks across providers and a constraint must only apply when that provider
is the one being scanned. Single-provider frameworks may omit it (the
framework's provider is already the one being scanned).
Operators:
- ``lte``/``gte``/``eq``: scalar comparisons (e.g. a max-age or min-retention
threshold, or a boolean toggle).
- ``in``: the applied scalar must be one of ``Value`` (a list).
- ``subset``: the applied list must be a subset of ``Value`` for allowlist
configs (e.g. ``recommended_minimal_tls_versions``); widening the allowlist
with a weaker value (e.g. TLS ``1.0``) breaks the constraint.
- ``superset``: the applied list must be a superset of ``Value`` for
denylist configs (e.g. ``insecure_key_algorithms``); removing a forbidden
value from the denylist breaks the constraint.
"""
Check: str
ConfigKey: str
Operator: Literal["lte", "gte", "eq", "in", "subset", "superset"]
# ``bool`` must precede ``int`` so pydantic v1 keeps booleans (e.g. a
# ``mute_non_default_regions == false`` constraint) instead of coercing
# them to 0/1.
Value: Union[bool, int, float, str, list[Any]]
# Provider this constraint applies to (e.g. ``aws``), matched
# case-insensitively. ``None`` applies whenever the requirement runs
# (single-provider frameworks).
Provider: Optional[str] = None
@root_validator
@classmethod
def validate_value_matches_operator(cls, values): # noqa: F841
"""Ensure ``Value``'s type is consistent with ``Operator``.
Without this, a mistyped value (e.g. ``gte`` with a list, or ``subset``
with a scalar) is not rejected at load time and ``_check_operator``
silently treats it as *not satisfied*, forcing the requirement to a
spurious config-not-valid FAIL. Validating here turns that into a
clear error when the framework is loaded.
"""
operator = values.get("Operator")
value = values.get("Value")
# If Operator/Value failed their own validation they are absent here.
if operator is None or value is None:
return values
if operator in ("in", "subset", "superset"):
if not isinstance(value, list):
raise ValueError(
f"operator '{operator}' requires a list Value, got {type(value).__name__}"
)
elif operator in ("lte", "gte"):
# bool is an int subclass but is never a valid numeric threshold.
if isinstance(value, bool) or not isinstance(value, (int, float)):
raise ValueError(
f"operator '{operator}' requires a numeric Value, got {value!r}"
)
elif operator == "eq":
if not isinstance(value, (bool, int, float, str)):
raise ValueError(
f"operator 'eq' requires a scalar Value, got {type(value).__name__}"
)
return values
# MITRE Requirement Attribute for AWS
class Mitre_Requirement_Attribute_AWS(BaseModel):
"""MITRE Requirement Attribute"""
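Review bot: the docstring states that Provider is required for universal (multi-provider) frameworks, but the field is `Provider: Optional[str] = None` and nothing checks it, so a universal requirement can ship a provider-less constraint that then applies to every provider's scan (the evaluator only skips when both provider and provider_type are set). Enforce it where the framework shape is known, for example a validator on UniversalComplianceRequirement when its checks span more than one provider. Also, the `# noqa: F841` on the validator's def line suppresses the unused-local-variable code, which cannot fire on a signature; drop it.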
@@ -217,6 +290,9 @@ class Mitre_Requirement(BaseModel):
list[Mitre_Requirement_Attribute_GCP],
]
Checks: list[str]
# MITRE checks may also declare config constraints; without this field
# Pydantic silently drops them during parsing.
ConfigRequirements: Optional[list[Compliance_Requirement_ConfigConstraint]] = None
# KISA-ISMS-P Requirement Attribute
@@ -303,7 +379,6 @@ class STIG_Requirement_Attribute(BaseModel):
FixText: Optional[str] = None
# Base Compliance Model
# TODO: move this to compliance folder
class Compliance_Requirement(BaseModel):
"""Compliance_Requirement holds the base model for every requirement within a compliance framework"""
@@ -329,6 +404,7 @@ class Compliance_Requirement(BaseModel):
]
]
Checks: list[str]
ConfigRequirements: Optional[list[Compliance_Requirement_ConfigConstraint]] = None
class Compliance(BaseModel):
@@ -701,6 +777,10 @@ class UniversalComplianceRequirement(BaseModel):
name: Optional[str] = None
attributes: dict = Field(default_factory=dict)
checks: dict[str, list[str]] = Field(default_factory=dict)
# Typed with the same constraint model as legacy so the operator/value
# validation also covers universal frameworks. evaluate_config_constraints
# accepts both dicts and model objects, so downstream consumers are unaffected.
config_requirements: Optional[list[Compliance_Requirement_ConfigConstraint]] = None
tactics: Optional[list] = None
sub_techniques: Optional[list] = None
platforms: Optional[list] = None
@@ -894,6 +974,11 @@ def adapt_legacy_to_universal(legacy: Compliance) -> ComplianceFramework:
# For MITRE, promote special fields and store raw attributes
raw_attrs = [attr.dict() for attr in req.Attributes]
attrs = {"_raw_attributes": raw_attrs}
config_requirements = (
[c.dict() for c in req.ConfigRequirements]
if getattr(req, "ConfigRequirements", None)
else None
)
universal_requirements.append(
UniversalComplianceRequirement(
id=req.Id,
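Review bot: the four-line config_requirements expression in this hunk is repeated verbatim in the non-MITRE branch at @@ -913 below; lift it into a small helper so the two branches cannot diverge. Converting the already-validated models back to dicts with `c.dict()` only for UniversalComplianceRequirement to re-parse them into the same model (its field is typed with that model, per the @@ -701 hunk) is also unnecessary work; passing req.ConfigRequirements through directly should suffice.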
@@ -901,6 +986,7 @@ def adapt_legacy_to_universal(legacy: Compliance) -> ComplianceFramework:
name=req.Name,
attributes=attrs,
checks=req_checks,
config_requirements=config_requirements,
tactics=req.Tactics,
sub_techniques=req.SubTechniques,
platforms=req.Platforms,
@@ -913,6 +999,11 @@ def adapt_legacy_to_universal(legacy: Compliance) -> ComplianceFramework:
attrs = req.Attributes[0].dict()
else:
attrs = {}
config_requirements = (
[c.dict() for c in req.ConfigRequirements]
if getattr(req, "ConfigRequirements", None)
else None
)
universal_requirements.append(
UniversalComplianceRequirement(
id=req.Id,
@@ -920,6 +1011,7 @@ def adapt_legacy_to_universal(legacy: Compliance) -> ComplianceFramework:
name=req.Name,
attributes=attrs,
checks=req_checks,
config_requirements=config_requirements,
)
)
@@ -2,6 +2,13 @@ from colorama import Fore, Style
from tabulate import tabulate
from prowler.config.config import orange_color
from prowler.lib.check.compliance_config_eval import (
accumulate_group_status,
accumulate_overview_status,
get_effective_status,
get_scan_audit_config,
resolve_requirement_config_status,
)
def get_asd_essential_eight_table(
@@ -19,11 +26,13 @@ def get_asd_essential_eight_table(
"Status": [],
"Muted": [],
}
pass_count = []
fail_count = []
muted_count = []
pass_count = set()
fail_count = set()
muted_count = set()
section_seen = {}
provider = ""
audit_config = get_scan_audit_config()
config_status_cache = {}
for index, finding in enumerate(findings):
check = bulk_checks_metadata[finding.check_metadata.CheckID]
check_compliances = check.Compliance
@@ -31,6 +40,12 @@ def get_asd_essential_eight_table(
if compliance.Framework == "ASD-Essential-Eight":
provider = compliance.Provider
for requirement in compliance.Requirements:
config_status = resolve_requirement_config_status(
requirement, audit_config, config_status_cache
)
effective_status = get_effective_status(
finding.status, config_status
)
for attribute in requirement.Attributes:
section = attribute.Section
if section not in sections:
@@ -39,29 +54,15 @@ def get_asd_essential_eight_table(
"PASS": 0,
"Muted": 0,
}
section_seen[section] = set()
section_seen[section] = {}
# Overview totals: count each finding once per framework
if finding.muted:
if index not in muted_count:
muted_count.append(index)
elif finding.status == "FAIL":
if index not in fail_count:
fail_count.append(index)
elif finding.status == "PASS":
if index not in pass_count:
pass_count.append(index)
# Per-section counts: count each finding once per section
# it belongs to (a finding can map to several sections).
if index not in section_seen[section]:
section_seen[section].add(index)
if finding.muted:
sections[section]["Muted"] += 1
elif finding.status == "FAIL":
sections[section]["FAIL"] += 1
elif finding.status == "PASS":
sections[section]["PASS"] += 1
status = "Muted" if finding.muted else effective_status
accumulate_overview_status(
index, status, pass_count, fail_count, muted_count
)
accumulate_group_status(
index, status, sections[section], section_seen[section]
)
sections = dict(sorted(sections.items()))
for section in sections:
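Review bot: `section_seen[section]` changes from `set()` to `{}` while the overview trackers stay sets, so `accumulate_group_status` evidently records something per index that `accumulate_overview_status` does not; a one-line comment at the initialisation (or a name such as `section_status_seen`) would make that asymmetry look deliberate rather than accidental. Also confirm that `accumulate_overview_status` and `accumulate_group_status` ignore statuses other than PASS, FAIL and Muted (for example MANUAL): the removed `if/elif` chains silently dropped them, and a guardrail-derived `effective_status` must not widen the set of statuses that reach the counters.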
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.asd_essential_eight.models import (
ASDEssentialEightAWSModel,
@@ -36,10 +40,19 @@ class ASDEssentialEightAWS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = ASDEssentialEightAWSModel(
Provider=finding.provider,
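Review bot: `requirement_config_status.get(requirement.Id)` returns None for requirements that declare no guardrail, so `apply_config_status` must treat None as a pass-through and return `finding.status` / `finding.status_extended` unchanged; that contract should be stated in its docstring and covered by a test. The same block (build the map once, then call `apply_config_status` inside the `finding.check_id in requirement.Checks` branch) is repeated verbatim in every ComplianceOutput subclass touched by this commit; hoisting it into `ComplianceOutput` (for example a helper that yields `(finding, requirement, row_status, row_status_extended)`) would leave each subclass with only its model construction and remove the risk of one framework drifting from the others.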
@@ -63,8 +76,8 @@ class ASDEssentialEightAWS(ComplianceOutput):
Requirements_Attributes_AuditProcedure=attribute.AuditProcedure,
Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
Requirements_Attributes_References=attribute.References,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.aws_well_architected.models import (
AWSWellArchitectedModel,
@@ -36,10 +40,18 @@ class AWSWellArchitected(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = AWSWellArchitectedModel(
Provider=finding.provider,
@@ -58,8 +70,8 @@ class AWSWellArchitected(ComplianceOutput):
Requirements_Attributes_AssessmentMethod=attribute.AssessmentMethod,
Requirements_Attributes_Description=attribute.Description,
Requirements_Attributes_ImplementationGuidanceUrl=attribute.ImplementationGuidanceUrl,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -2,6 +2,13 @@ from colorama import Fore, Style
from tabulate import tabulate
from prowler.config.config import orange_color
from prowler.lib.check.compliance_config_eval import (
accumulate_group_status,
accumulate_overview_status,
get_effective_status,
get_scan_audit_config,
resolve_requirement_config_status,
)
def get_c5_table(
@@ -18,12 +25,14 @@ def get_c5_table(
"Status": [],
"Muted": [],
}
pass_count = []
fail_count = []
muted_count = []
pass_count = set()
fail_count = set()
muted_count = set()
sections = {}
section_seen = {}
provider = ""
audit_config = get_scan_audit_config()
config_status_cache = {}
for index, finding in enumerate(findings):
check = bulk_checks_metadata[finding.check_metadata.CheckID]
check_compliances = check.Compliance
@@ -31,34 +40,26 @@ def get_c5_table(
if compliance.Framework == "C5":
provider = compliance.Provider
for requirement in compliance.Requirements:
config_status = resolve_requirement_config_status(
requirement, audit_config, config_status_cache
)
effective_status = get_effective_status(
finding.status, config_status
)
for attribute in requirement.Attributes:
section = attribute.Section
if section not in sections:
sections[section] = {"FAIL": 0, "PASS": 0, "Muted": 0}
section_seen[section] = set()
section_seen[section] = {}
# Overview totals: count each finding once per framework
if finding.muted:
if index not in muted_count:
muted_count.append(index)
elif finding.status == "FAIL":
if index not in fail_count:
fail_count.append(index)
elif finding.status == "PASS":
if index not in pass_count:
pass_count.append(index)
# Per-section counts: count each finding once per section
# it belongs to (a finding can map to several sections).
if index not in section_seen[section]:
section_seen[section].add(index)
if finding.muted:
sections[section]["Muted"] += 1
elif finding.status == "FAIL":
sections[section]["FAIL"] += 1
elif finding.status == "PASS":
sections[section]["PASS"] += 1
status = "Muted" if finding.muted else effective_status
accumulate_overview_status(
index, status, pass_count, fail_count, muted_count
)
accumulate_group_status(
index, status, sections[section], section_seen[section]
)
sections = dict(sorted(sections.items()))
for section in sections:
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.c5.models import AWSC5Model
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,19 @@ class AWSC5(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = AWSC5Model(
Provider=finding.provider,
@@ -52,8 +65,8 @@ class AWSC5(ComplianceOutput):
Requirements_Attributes_Type=attribute.Type,
Requirements_Attributes_AboutCriteria=attribute.AboutCriteria,
Requirements_Attributes_ComplementaryCriteria=attribute.ComplementaryCriteria,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.c5.models import AzureC5Model
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,19 @@ class AzureC5(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = AzureC5Model(
Provider=finding.provider,
@@ -52,8 +65,8 @@ class AzureC5(ComplianceOutput):
Requirements_Attributes_Type=attribute.Type,
Requirements_Attributes_AboutCriteria=attribute.AboutCriteria,
Requirements_Attributes_ComplementaryCriteria=attribute.ComplementaryCriteria,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.c5.models import GCPC5Model
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,19 @@ class GCPC5(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = GCPC5Model(
Provider=finding.provider,
@@ -52,8 +65,8 @@ class GCPC5(ComplianceOutput):
Requirements_Attributes_Type=attribute.Type,
Requirements_Attributes_AboutCriteria=attribute.AboutCriteria,
Requirements_Attributes_ComplementaryCriteria=attribute.ComplementaryCriteria,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -2,6 +2,13 @@ from colorama import Fore, Style
from tabulate import tabulate
from prowler.config.config import orange_color
from prowler.lib.check.compliance_config_eval import (
accumulate_group_status,
accumulate_overview_status,
get_effective_status,
get_scan_audit_config,
resolve_requirement_config_status,
)
def get_ccc_table(
@@ -18,12 +25,14 @@ def get_ccc_table(
"Status": [],
"Muted": [],
}
pass_count = []
fail_count = []
muted_count = []
pass_count = set()
fail_count = set()
muted_count = set()
sections = {}
section_seen = {}
provider = ""
audit_config = get_scan_audit_config()
config_status_cache = {}
for index, finding in enumerate(findings):
check = bulk_checks_metadata[finding.check_metadata.CheckID]
check_compliances = check.Compliance
@@ -31,34 +40,26 @@ def get_ccc_table(
if compliance.Framework == "CCC":
provider = compliance.Provider
for requirement in compliance.Requirements:
config_status = resolve_requirement_config_status(
requirement, audit_config, config_status_cache
)
effective_status = get_effective_status(
finding.status, config_status
)
for attribute in requirement.Attributes:
section = attribute.Section
if section not in sections:
sections[section] = {"FAIL": 0, "PASS": 0, "Muted": 0}
section_seen[section] = set()
section_seen[section] = {}
# Overview totals: count each finding once per framework
if finding.muted:
if index not in muted_count:
muted_count.append(index)
elif finding.status == "FAIL":
if index not in fail_count:
fail_count.append(index)
elif finding.status == "PASS":
if index not in pass_count:
pass_count.append(index)
# Per-section counts: count each finding once per section
# it belongs to (a finding can map to several sections).
if index not in section_seen[section]:
section_seen[section].add(index)
if finding.muted:
sections[section]["Muted"] += 1
elif finding.status == "FAIL":
sections[section]["FAIL"] += 1
elif finding.status == "PASS":
sections[section]["PASS"] += 1
status = "Muted" if finding.muted else effective_status
accumulate_overview_status(
index, status, pass_count, fail_count, muted_count
)
accumulate_group_status(
index, status, sections[section], section_seen[section]
)
sections = dict(sorted(sections.items()))
for section in sections:
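Review bot: The ASD, C5 and CCC table loops are now identical from `config_status = resolve_requirement_config_status(...)` down to `accumulate_group_status(...)`, differing only in the `compliance.Framework` string and the shape of the section dictionary. Extracting that body into a shared helper in `compliance_config_eval` would keep the three tables from diverging the next time the status rules change.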
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.ccc.models import CCC_AWSModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,19 @@ class CCC_AWS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = CCC_AWSModel(
Provider=finding.provider,
@@ -56,8 +69,8 @@ class CCC_AWS(ComplianceOutput):
Requirements_Attributes_Recommendation=attribute.Recommendation,
Requirements_Attributes_SectionThreatMappings=attribute.SectionThreatMappings,
Requirements_Attributes_SectionGuidelineMappings=attribute.SectionGuidelineMappings,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.ccc.models import CCC_AzureModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,19 @@ class CCC_Azure(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = CCC_AzureModel(
Provider=finding.provider,
@@ -56,8 +69,8 @@ class CCC_Azure(ComplianceOutput):
Requirements_Attributes_Recommendation=attribute.Recommendation,
Requirements_Attributes_SectionThreatMappings=attribute.SectionThreatMappings,
Requirements_Attributes_SectionGuidelineMappings=attribute.SectionGuidelineMappings,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.ccc.models import CCC_GCPModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,19 @@ class CCC_GCP(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = CCC_GCPModel(
Provider=finding.provider,
@@ -56,8 +69,8 @@ class CCC_GCP(ComplianceOutput):
Requirements_Attributes_Recommendation=attribute.Recommendation,
Requirements_Attributes_SectionThreatMappings=attribute.SectionThreatMappings,
Requirements_Attributes_SectionGuidelineMappings=attribute.SectionGuidelineMappings,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -2,6 +2,13 @@ from colorama import Fore, Style
from tabulate import tabulate
from prowler.config.config import orange_color
from prowler.lib.check.compliance_config_eval import (
accumulate_group_status,
accumulate_overview_status,
get_effective_status,
get_scan_audit_config,
resolve_requirement_config_status,
)
def get_cis_table(
@@ -23,9 +30,11 @@ def get_cis_table(
"Level 2": [],
"Muted": [],
}
pass_count = []
fail_count = []
muted_count = []
pass_count = set()
fail_count = set()
muted_count = set()
audit_config = get_scan_audit_config()
config_status_cache = {}
for index, finding in enumerate(findings):
check = bulk_checks_metadata[finding.check_metadata.CheckID]
check_compliances = check.Compliance
@@ -34,6 +43,12 @@ def get_cis_table(
if compliance.Framework == "CIS" and version_in_name in compliance.Version:
provider = compliance.Provider
for requirement in compliance.Requirements:
config_status = resolve_requirement_config_status(
requirement, audit_config, config_status_cache
)
effective_status = get_effective_status(
finding.status, config_status
)
for attribute in requirement.Attributes:
section = attribute.Section
# Check if Section exists
@@ -46,43 +61,37 @@ def get_cis_table(
}
section_muted_seen[section] = set()
section_split_seen[section] = {
"Level 1": set(),
"Level 2": set(),
"Level 1": {},
"Level 2": {},
}
status = "Muted" if finding.muted else effective_status
accumulate_overview_status(
index, status, pass_count, fail_count, muted_count
)
if finding.muted:
# Overview total: count each finding once per framework
if index not in muted_count:
muted_count.append(index)
# Per-section Muted: count each finding once per section
# it belongs to (a finding can map to several sections).
if index not in section_muted_seen[section]:
section_muted_seen[section].add(index)
sections[section]["Muted"] += 1
else:
if finding.status == "FAIL" and index not in fail_count:
fail_count.append(index)
elif finding.status == "PASS" and index not in pass_count:
pass_count.append(index)
if "Level 1" in attribute.Profile:
if (
not finding.muted
and index not in section_split_seen[section]["Level 1"]
):
section_split_seen[section]["Level 1"].add(index)
if finding.status == "FAIL":
sections[section]["Level 1"]["FAIL"] += 1
else:
sections[section]["Level 1"]["PASS"] += 1
if not finding.muted:
accumulate_group_status(
index,
effective_status,
sections[section]["Level 1"],
section_split_seen[section]["Level 1"],
)
elif "Level 2" in attribute.Profile:
if (
not finding.muted
and index not in section_split_seen[section]["Level 2"]
):
section_split_seen[section]["Level 2"].add(index)
if finding.status == "FAIL":
sections[section]["Level 2"]["FAIL"] += 1
else:
sections[section]["Level 2"]["PASS"] += 1
if not finding.muted:
accumulate_group_status(
index,
effective_status,
sections[section]["Level 2"],
section_split_seen[section]["Level 2"],
)
# Add results to table
sections = dict(sorted(sections.items()))
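Review bot: The removed `if finding.muted:` branch was the only place in this hunk that incremented `sections[section]["Muted"]` and populated `section_muted_seen[section]`, yet `section_muted_seen[section] = set()` is kept at initialisation. Unless the per-section Muted count is now updated elsewhere, the Muted column of the CIS table will always read 0 and `section_muted_seen` becomes dead state; either route muted findings through `accumulate_group_status` against the section's Muted bucket, or drop the tracker. Separately, `section_split_seen[section]["Level 1"]` becomes `{}` while `section_muted_seen[section]` stays a `set()`; the two trackers should use the same type.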
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.cis.models import AlibabaCloudCISModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,18 @@ class AlibabaCloudCIS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = AlibabaCloudCISModel(
Provider=finding.provider,
@@ -59,8 +71,8 @@ class AlibabaCloudCIS(ComplianceOutput):
Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
Requirements_Attributes_DefaultValue=attribute.DefaultValue,
Requirements_Attributes_References=attribute.References,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.cis.models import AWSCISModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,19 @@ class AWSCIS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = AWSCISModel(
Provider=finding.provider,
@@ -59,8 +72,8 @@ class AWSCIS(ComplianceOutput):
Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
Requirements_Attributes_DefaultValue=attribute.DefaultValue,
Requirements_Attributes_References=attribute.References,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.cis.models import AzureCISModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,18 @@ class AzureCIS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = AzureCISModel(
Provider=finding.provider,
@@ -59,8 +71,8 @@ class AzureCIS(ComplianceOutput):
Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
Requirements_Attributes_DefaultValue=attribute.DefaultValue,
Requirements_Attributes_References=attribute.References,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.cis.models import GCPCISModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,18 @@ class GCPCIS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = GCPCISModel(
Provider=finding.provider,
@@ -58,8 +70,8 @@ class GCPCIS(ComplianceOutput):
Requirements_Attributes_AuditProcedure=attribute.AuditProcedure,
Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
Requirements_Attributes_References=attribute.References,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.cis.models import GithubCISModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,18 @@ class GithubCIS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = GithubCISModel(
Provider=finding.provider,
@@ -58,8 +70,8 @@ class GithubCIS(ComplianceOutput):
Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
Requirements_Attributes_References=attribute.References,
Requirements_Attributes_DefaultValue=attribute.DefaultValue,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.cis.models import GoogleWorkspaceCISModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,18 @@ class GoogleWorkspaceCIS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = GoogleWorkspaceCISModel(
Provider=finding.provider,
@@ -58,8 +70,8 @@ class GoogleWorkspaceCIS(ComplianceOutput):
Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
Requirements_Attributes_DefaultValue=attribute.DefaultValue,
Requirements_Attributes_References=attribute.References,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.cis.models import KubernetesCISModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,18 @@ class KubernetesCIS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = KubernetesCISModel(
Provider=finding.provider,
@@ -59,8 +71,8 @@ class KubernetesCIS(ComplianceOutput):
Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
Requirements_Attributes_References=attribute.References,
Requirements_Attributes_DefaultValue=attribute.DefaultValue,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.cis.models import M365CISModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,18 @@ class M365CIS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = M365CISModel(
Provider=finding.provider,
@@ -59,8 +71,8 @@ class M365CIS(ComplianceOutput):
Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
Requirements_Attributes_DefaultValue=attribute.DefaultValue,
Requirements_Attributes_References=attribute.References,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.cis.models import OracleCloudCISModel
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
@@ -34,10 +38,18 @@ class OracleCloudCIS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = OracleCloudCISModel(
Provider=finding.provider,
@@ -59,8 +71,8 @@ class OracleCloudCIS(ComplianceOutput):
Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
Requirements_Attributes_DefaultValue=attribute.DefaultValue,
Requirements_Attributes_References=attribute.References,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.cisa_scuba.models import (
GoogleWorkspaceCISASCuBAModel,
@@ -36,10 +40,18 @@ class GoogleWorkspaceCISASCuBA(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = GoogleWorkspaceCISASCuBAModel(
Provider=finding.provider,
@@ -52,8 +64,8 @@ class GoogleWorkspaceCISASCuBA(ComplianceOutput):
Requirements_Attributes_SubSection=attribute.SubSection,
Requirements_Attributes_Service=attribute.Service,
Requirements_Attributes_Type=attribute.Type,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -2,6 +2,11 @@ from colorama import Fore, Style
from tabulate import tabulate
from prowler.config.config import orange_color
from prowler.lib.check.compliance_config_eval import (
get_effective_status,
get_scan_audit_config,
resolve_requirement_config_status,
)
def get_ens_table(
@@ -25,9 +30,11 @@ def get_ens_table(
"Opcional": [],
"Muted": [],
}
pass_count = []
fail_count = []
muted_count = []
pass_count = set()
fail_count = set()
muted_count = set()
audit_config = get_scan_audit_config()
config_status_cache = {}
for index, finding in enumerate(findings):
check = bulk_checks_metadata[finding.check_metadata.CheckID]
check_compliances = check.Compliance
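Review bot: this table path resolves guardrails lazily through `get_scan_audit_config()` plus an explicit `config_status_cache` dict passed to `resolve_requirement_config_status`, while the CSV output classes in the same diff precompute a map with `build_requirement_config_status(compliance.Requirements)` and no config argument. Two calling conventions into `compliance_config_eval` for one decision make it easy for the summary table and the CSV to disagree, which is exactly the CSV/UI count drift the `# Source of truth` comment elsewhere in this diff says it is fixing; consider exposing a single helper and using it in both places. The list-to-set change for `pass_count`/`fail_count`/`muted_count` is correct since the counters are only ever used for membership tests and `len()`.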
@@ -35,6 +42,12 @@ def get_ens_table(
if compliance.Framework == "ENS":
provider = compliance.Provider
for requirement in compliance.Requirements:
config_status = resolve_requirement_config_status(
requirement, audit_config, config_status_cache
)
effective_status = get_effective_status(
finding.status, config_status
)
for attribute in requirement.Attributes:
marco_categoria = f"{attribute.Marco}/{attribute.Categoria}"
# Check if Marco/Categoria exists
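Review bot: `effective_status` is derived from `check.Compliance` (the per-check compliance snapshot taken from `bulk_checks_metadata`), whereas the output classes in this diff deliberately switch to the framework JSON as the source of truth. If the snapshot and the framework JSON disagree on a requirement's `Checks` or on its guardrail, the ENS summary table and the ENS CSV will still report different PASS/FAIL totals. Minor: the resolve and `get_effective_status` calls run before the `if finding.muted:` branch in the next hunk, so they are computed and then ignored for muted findings; the cache makes this cheap, but a one-line comment stating that muted findings bypass the guardrail would make the intent explicit.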
@@ -50,25 +63,24 @@ def get_ens_table(
marco_muted_seen[marco_categoria] = set()
if finding.muted:
# Overview total: count each finding once per framework
if index not in muted_count:
muted_count.append(index)
muted_count.add(index)
# Per-marco Muted: count each finding once per marco
# it belongs to (a finding can map to several marcos).
if index not in marco_muted_seen[marco_categoria]:
marco_muted_seen[marco_categoria].add(index)
marcos[marco_categoria]["Muted"] += 1
else:
if finding.status == "FAIL":
if effective_status == "FAIL":
if attribute.Tipo != "recomendacion":
if index not in fail_count:
fail_count.append(index)
fail_count.add(index)
pass_count.discard(index)
# Mark every marco the finding belongs to as
# NO CUMPLE, not just the first one seen.
marcos[marco_categoria][
"Estado"
] = f"{Fore.RED}NO CUMPLE{Style.RESET_ALL}"
elif finding.status == "PASS" and index not in pass_count:
pass_count.append(index)
elif effective_status == "PASS" and index not in fail_count:
pass_count.add(index)
if attribute.Nivel == "opcional":
marcos[marco_categoria]["Opcional"] += 1
elif attribute.Nivel == "alto":
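Review bot: with `fail_count` now a set, the `if index not in fail_count:` guard around `fail_count.add(index)` is redundant (`set.add` is idempotent) and can be dropped. The `pass_count.discard(index)` in the FAIL branch together with the `and index not in fail_count` guard on the PASS branch is what makes FAIL win regardless of the order in which a finding's marcos are visited; a short comment saying so would help the next reader, since the two lines look unrelated. One behaviour worth a test now that a PASS can flip to FAIL through a guardrail: a finding whose `effective_status` is FAIL but whose attribute has `Tipo == "recomendacion"` enters neither `fail_count` nor `pass_count` (the inner `if` is skipped and the `elif` is never reached), so it drops out of the overview totals. That is pre-existing behaviour, but the guardrail now creates new ways to reach it.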
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
from prowler.lib.outputs.compliance.ens.models import AWSENSModel
@@ -34,10 +38,19 @@ class AWSENS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = AWSENSModel(
Provider=finding.provider,
@@ -60,8 +73,8 @@ class AWSENS(ComplianceOutput):
Requirements_Attributes_Dependencias=",".join(
attribute.Dependencias
),
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
from prowler.lib.outputs.compliance.ens.models import AzureENSModel
@@ -34,10 +38,19 @@ class AzureENS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = AzureENSModel(
Provider=finding.provider,
@@ -60,8 +73,8 @@ class AzureENS(ComplianceOutput):
Requirements_Attributes_Dependencias=",".join(
attribute.Dependencias
),
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
from prowler.lib.outputs.compliance.ens.models import GCPENSModel
@@ -34,10 +38,19 @@ class GCPENS(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = GCPENSModel(
Provider=finding.provider,
@@ -60,8 +73,8 @@ class GCPENS(ComplianceOutput):
Requirements_Attributes_Dependencias=",".join(
attribute.Dependencias
),
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
ResourceName=finding.resource_name,
CheckId=finding.check_id,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
from prowler.lib.outputs.compliance.generic.models import GenericComplianceModel
@@ -35,11 +39,24 @@ class GenericCompliance(ComplianceOutput):
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
def compliance_row(requirement, attribute, finding=None):
# Read attribute fields defensively: GenericCompliance is the
# last-resort renderer for any framework, and provider-specific
# schemas (e.g. CIS, ENS, ISO27001) do not declare the universal
# Section/SubSection/SubGroup/Service/Type/Comment fields.
status, status_extended = (
apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
if finding
else ("MANUAL", "Manual check")
)
return GenericComplianceModel(
Provider=(finding.provider if finding else compliance.Provider.lower()),
Description=compliance.Description,
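Review bot: the manual-row fallback literals `"MANUAL"` and `"Manual check"` now appear in the new `status, status_extended` tuple and again in the unchanged `ResourceName`/`CheckId` defaults further down; pulling them into module-level constants keeps the manual-row status from drifting away from the manual-row resource fields. The conditional expression that spans `apply_config_status(...) if finding else ("MANUAL", "Manual check")` would also read more clearly as an explicit `if finding:` / `else:` block inside `compliance_row`, and a docstring on the nested function should state that `requirement_config_status` is captured from the enclosing scope.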
@@ -56,8 +73,8 @@ class GenericCompliance(ComplianceOutput):
Requirements_Attributes_Service=getattr(attribute, "Service", None),
Requirements_Attributes_Type=getattr(attribute, "Type", None),
Requirements_Attributes_Comment=getattr(attribute, "Comment", None),
Status=finding.status if finding else "MANUAL",
StatusExtended=(finding.status_extended if finding else "Manual check"),
Status=status,
StatusExtended=status_extended,
ResourceId=finding.resource_uid if finding else "manual_check",
ResourceName=finding.resource_name if finding else "Manual check",
CheckId=finding.check_id if finding else "manual",
@@ -2,6 +2,11 @@ from colorama import Fore, Style
from tabulate import tabulate
from prowler.config.config import orange_color
from prowler.lib.check.compliance_config_eval import (
get_effective_status,
get_scan_audit_config,
resolve_requirement_config_status,
)
def get_generic_compliance_table(
@@ -15,6 +20,8 @@ def get_generic_compliance_table(
pass_count = []
fail_count = []
muted_count = []
audit_config = get_scan_audit_config()
config_status_cache = {}
for index, finding in enumerate(findings):
check = bulk_checks_metadata[finding.check_metadata.CheckID]
check_compliances = check.Compliance
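Review bot: `pass_count`, `fail_count` and `muted_count` stay lists here with `index not in` membership tests, while the ENS table in this same diff was switched to sets. On large scans the list membership tests make this loop quadratic in the number of findings; switch to sets and `.add()` for both performance and consistency with `get_ens_table`.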
@@ -25,13 +32,25 @@ def get_generic_compliance_table(
and compliance.Version in compliance_framework.upper()
and compliance.Provider.upper() in compliance_framework.upper()
):
effective_status = finding.status
for requirement in compliance.Requirements:
if finding.check_id in requirement.Checks:
config_status = resolve_requirement_config_status(
requirement, audit_config, config_status_cache
)
if (
get_effective_status(finding.status, config_status)
== "FAIL"
):
effective_status = "FAIL"
break
if finding.muted:
if index not in muted_count:
muted_count.append(index)
else:
if finding.status == "FAIL" and index not in fail_count:
if effective_status == "FAIL" and index not in fail_count:
fail_count.append(index)
elif finding.status == "PASS" and index not in pass_count:
elif effective_status == "PASS" and index not in pass_count:
pass_count.append(index)
if (
len(fail_count) + len(pass_count) + len(muted_count) > 1
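Review bot: `effective_status` starts as `finding.status` and is only overridden to FAIL when some requirement with `finding.check_id in requirement.Checks` evaluates to FAIL, so a finding that matches no requirement of this framework keeps its raw status and is still counted as PASS/FAIL in the overview; the outer `if` only filters on framework, version and provider. If that is intended, a comment saying the raw status is the fallback would help; if not, initialise `effective_status = None` and skip counting when it stays unset. The `break` after the first FAIL is fine for the summary counts, but it means the per-requirement `config_status` for later requirements is never resolved here, so the `config_status_cache` will be warmer in some calls than others; harmless, just worth knowing when reasoning about cache contents.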
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
from prowler.lib.outputs.compliance.iso27001.models import AWSISO27001Model
@@ -34,10 +38,18 @@ class AWSISO27001(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = AWSISO27001Model(
Provider=finding.provider,
@@ -52,8 +64,8 @@ class AWSISO27001(ComplianceOutput):
Requirements_Attributes_Objetive_ID=attribute.Objetive_ID,
Requirements_Attributes_Objetive_Name=attribute.Objetive_Name,
Requirements_Attributes_Check_Summary=attribute.Check_Summary,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
CheckId=finding.check_id,
Muted=finding.muted,
@@ -1,4 +1,8 @@
from prowler.config.config import timestamp
from prowler.lib.check.compliance_config_eval import (
apply_config_status,
build_requirement_config_status,
)
from prowler.lib.check.compliance_models import Compliance
from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
from prowler.lib.outputs.compliance.iso27001.models import AzureISO27001Model
@@ -34,10 +38,18 @@ class AzureISO27001(ComplianceOutput):
Returns:
- None
"""
requirement_config_status = build_requirement_config_status(
compliance.Requirements
)
for finding in findings:
for requirement in compliance.Requirements:
# Source of truth: framework JSON, not finding.compliance snapshot (avoids CSV/UI count drift).
if finding.check_id in requirement.Checks:
row_status, row_status_extended = apply_config_status(
finding.status,
finding.status_extended,
requirement_config_status.get(requirement.Id),
)
for attribute in requirement.Attributes:
compliance_row = AzureISO27001Model(
Provider=finding.provider,
@@ -52,8 +64,8 @@ class AzureISO27001(ComplianceOutput):
Requirements_Attributes_Objetive_ID=attribute.Objetive_ID,
Requirements_Attributes_Objetive_Name=attribute.Objetive_Name,
Requirements_Attributes_Check_Summary=attribute.Check_Summary,
Status=finding.status,
StatusExtended=finding.status_extended,
Status=row_status,
StatusExtended=row_status_extended,
ResourceId=finding.resource_uid,
CheckId=finding.check_id,
Muted=finding.muted,