@turbot/aws-nist-800-53

Release Notes

5.1.0 (2023-08-21)

What's new?

  • Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, so your existing configurations and settings will continue to work as before.

Bug fixes

  • The AWS > NIST 800-53 > EC2 > EC2 stopped instances should be removed in 30 days control would sometimes go into an error state when it was unable to determine the age of a stopped EC2 instance. This is fixed: the control now moves to a skipped state instead.

5.0.1 (2022-10-20)

Bug fixes

  • The AWS > NIST 800-53 > S3 > S3 buckets should enforce SSL control would sometimes go into an error state when a bucket policy statement did not contain Principal details. This is fixed and the control now works as expected.
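The failure mode behind this fix is a bucket policy statement with no `Principal` key (for example one written with `NotPrincipal`). The check below is an added illustration of an SSL-enforcement evaluation that tolerates such statements; it is not the mod's own code, and the two sample policies, the bucket name and the account id are constructed for the example.

```python
import json

# Constructed sample bucket policies (not from the release notes): one that enforces SSL,
# and one whose Deny statement carries NotPrincipal instead of Principal.
ENFORCING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})
NO_PRINCIPAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {  # a single statement object rather than a list is also valid
        "Effect": "Deny",
        "NotPrincipal": {"AWS": "arn:aws:iam::123456789012:role/Auditor"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    },
})

def _as_list(value):
    """IAM policy JSON allows a scalar wherever a list is accepted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _applies_to_all_principals(stmt):
    """True only for Principal "*" or {"AWS": "*"}. A missing Principal is False, never an error."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def statement_denies_insecure_transport(stmt):
    """A Deny for every principal on all S3 actions when aws:SecureTransport is false."""
    if stmt.get("Effect") != "Deny" or not _applies_to_all_principals(stmt):
        return False
    if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
        return False
    bool_cond = (stmt.get("Condition") or {}).get("Bool") or {}
    return str(bool_cond.get("aws:SecureTransport", "")).lower() == "false"

def bucket_enforces_ssl(policy_document):
    """Outcome for one bucket: True means ok, False means alarm. No bucket policy is an alarm."""
    if not policy_document:
        return False
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    return any(statement_denies_insecure_transport(s) for s in _as_list(policy.get("Statement")))
```

A statement that names specific principals or only some actions does not count as enforcing SSL for the bucket, which is the conservative reading a compliance control should take.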

5.0.0 (2022-09-12)

Control Types

Added

  • AWS > NIST 800-53
  • AWS > NIST 800-53 > ACM
  • AWS > NIST 800-53 > ACM > ACM certificates should be set to expire within 30 days
  • AWS > NIST 800-53 > API Gateway
  • AWS > NIST 800-53 > API Gateway > API Gateway stage cache encryption at rest should be enabled
  • AWS > NIST 800-53 > API Gateway > API Gateway stage logging should be enabled
  • AWS > NIST 800-53 > API Gateway > API Gateway stage should be associated with WAF
  • AWS > NIST 800-53 > API Gateway > API Gateway stage should uses SSL certificate
  • AWS > NIST 800-53 > Account
  • AWS > NIST 800-53 > Account > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > NIST 800-53 > CloudTrail
  • AWS > NIST 800-53 > CloudTrail > At least one trail should be enabled with security best practices
  • AWS > NIST 800-53 > CloudTrail > CloudTrail trail log file validation should be enabled
  • AWS > NIST 800-53 > CloudTrail > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > NIST 800-53 > CloudTrail > CloudTrail trails should be integrated with CloudWatch logs
  • AWS > NIST 800-53 > CloudWatch
  • AWS > NIST 800-53 > CloudWatch > CloudWatch alarm action should be enabled
  • AWS > NIST 800-53 > CodeBuild
  • AWS > NIST 800-53 > CodeBuild > CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
  • AWS > NIST 800-53 > CodeBuild > CodeBuild project plaintext environment variables should not contain sensitive AWS values
  • AWS > NIST 800-53 > DMS
  • AWS > NIST 800-53 > DMS > DMS replication instances should not be publicly accessible
  • AWS > NIST 800-53 > DynamoDB
  • AWS > NIST 800-53 > DynamoDB > DynamoDB table auto scaling should be enabled
  • AWS > NIST 800-53 > DynamoDB > DynamoDB table point-in-time recovery should be enabled
  • AWS > NIST 800-53 > DynamoDB > DynamoDB table should be encrypted with AWS KMS
  • AWS > NIST 800-53 > DynamoDB > DynamoDB tables should be in a backup plan
  • AWS > NIST 800-53 > EC2
  • AWS > NIST 800-53 > EC2 > Attached EBS volumes should have delete on termination enabled
  • AWS > NIST 800-53 > EC2 > Attached EBS volumes should have encryption enabled
  • AWS > NIST 800-53 > EC2 > Auto Scaling groups with a load balancer should use health checks
  • AWS > NIST 800-53 > EC2 > Auto Scaling launch config public IP should be disabled
  • AWS > NIST 800-53 > EC2 > EBS default encryption should be enabled
  • AWS > NIST 800-53 > EC2 > EBS snapshots should not be publicly restorable
  • AWS > NIST 800-53 > EC2 > EBS volumes should be in a backup plan
  • AWS > NIST 800-53 > EC2 > EC2 instance detailed monitoring should be enabled
  • AWS > NIST 800-53 > EC2 > EC2 instances should be in a VPC
  • AWS > NIST 800-53 > EC2 > EC2 instances should be managed by AWS Systems Manager
  • AWS > NIST 800-53 > EC2 > EC2 instances should have IAM profile attached
  • AWS > NIST 800-53 > EC2 > EC2 instances should not have a public IP address
  • AWS > NIST 800-53 > EC2 > EC2 instances should use IMDSv2
  • AWS > NIST 800-53 > EC2 > EC2 stopped instances should be removed in 30 days
  • AWS > NIST 800-53 > EC2 > ELB application and classic load balancer logging should be enabled
  • AWS > NIST 800-53 > EC2 > ELB application load balancer deletion protection should be enabled
  • AWS > NIST 800-53 > EC2 > ELB application load balancers should be drop HTTP headers
  • AWS > NIST 800-53 > EC2 > ELB application load balancers should have Web Application Firewall (WAF) enabled
  • AWS > NIST 800-53 > EC2 > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > NIST 800-53 > EC2 > ELB classic load balancers should have cross-zone load balancing enabled
  • AWS > NIST 800-53 > EC2 > ELB classic load balancers should only use SSL or HTTPS listeners
  • AWS > NIST 800-53 > EC2 > ELB classic load balancers should use SSL certificates
  • AWS > NIST 800-53 > ECS
  • AWS > NIST 800-53 > ECS > ECS task definition container definitions should be checked for host mode
  • AWS > NIST 800-53 > EFS
  • AWS > NIST 800-53 > EFS > EFS file system encryption at rest should be enabled
  • AWS > NIST 800-53 > EFS > EFS file systems should be in a backup plan
  • AWS > NIST 800-53 > EMR
  • AWS > NIST 800-53 > EMR > EMR cluster Kerberos should be enabled
  • AWS > NIST 800-53 > EMR > EMR cluster master nodes should not have public IP addresses
  • AWS > NIST 800-53 > ElastiCache
  • AWS > NIST 800-53 > ElastiCache > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > NIST 800-53 > Elasticsearch
  • AWS > NIST 800-53 > Elasticsearch > ES domain encryption at rest should be enabled
  • AWS > NIST 800-53 > Elasticsearch > ES domains should be in a VPC
  • AWS > NIST 800-53 > Elasticsearch > Elasticsearch domain node-to-node encryption should be enabled
  • AWS > NIST 800-53 > GuardDuty
  • AWS > NIST 800-53 > GuardDuty > GuardDuty findings should be archived
  • AWS > NIST 800-53 > IAM
  • AWS > NIST 800-53 > IAM > Ensure IAM password policy requires a minimum length of 14 or greater
  • AWS > NIST 800-53 > IAM > Ensure IAM policy should not grant full access to service
  • AWS > NIST 800-53 > IAM > IAM groups should have at least one user
  • AWS > NIST 800-53 > IAM > IAM groups, users, and roles should not have any inline policies
  • AWS > NIST 800-53 > IAM > IAM password policies for users should have strong configurations
  • AWS > NIST 800-53 > IAM > IAM policy should not have statements with admin access
  • AWS > NIST 800-53 > IAM > IAM root user MFA should be enabled
  • AWS > NIST 800-53 > IAM > IAM root user hardware MFA should be enabled
  • AWS > NIST 800-53 > IAM > IAM root user should not have access keys
  • AWS > NIST 800-53 > IAM > IAM user MFA should be enabled
  • AWS > NIST 800-53 > IAM > IAM user access keys should be rotated at least every 90 days
  • AWS > NIST 800-53 > IAM > IAM user credentials that have not been used in 90 days should be disabled
  • AWS > NIST 800-53 > IAM > IAM user should not have any inline or attached policies
  • AWS > NIST 800-53 > IAM > IAM users should be in at least one group
  • AWS > NIST 800-53 > IAM > IAM users with console access should have MFA enabled
  • AWS > NIST 800-53 > KMS
  • AWS > NIST 800-53 > KMS > KMS CMK rotation should be enabled
  • AWS > NIST 800-53 > KMS > KMS keys should not be pending deletion
  • AWS > NIST 800-53 > Lambda
  • AWS > NIST 800-53 > Lambda > Lambda functions should be in a VPC
  • AWS > NIST 800-53 > Lambda > Lambda functions should restrict public access
  • AWS > NIST 800-53 > Logs
  • AWS > NIST 800-53 > Logs > Log group encryption at rest should be enabled
  • AWS > NIST 800-53 > Logs > Log group retention period should be at least 365 days
  • AWS > NIST 800-53 > RDS
  • AWS > NIST 800-53 > RDS > Database logging should be enabled
  • AWS > NIST 800-53 > RDS > RDS DB instance and cluster enhanced monitoring should be enabled
  • AWS > NIST 800-53 > RDS > RDS DB instance backup should be enabled
  • AWS > NIST 800-53 > RDS > RDS DB instance encryption at rest should be enabled
  • AWS > NIST 800-53 > RDS > RDS DB instance multiple az should be enabled
  • AWS > NIST 800-53 > RDS > RDS DB instances should be in a backup plan
  • AWS > NIST 800-53 > RDS > RDS DB instances should have deletion protection enabled
  • AWS > NIST 800-53 > RDS > RDS DB instances should prohibit public access
  • AWS > NIST 800-53 > RDS > RDS DB snapshots should be encrypted at rest
  • AWS > NIST 800-53 > RDS > RDS snapshots should prohibit public access
  • AWS > NIST 800-53 > Redshift
  • AWS > NIST 800-53 > Redshift > Amazon Redshift enhanced VPC routing should be enabled
  • AWS > NIST 800-53 > Redshift > Redshift cluster audit logging and encryption should be enabled
  • AWS > NIST 800-53 > Redshift > Redshift cluster encryption in transit should be enabled
  • AWS > NIST 800-53 > Redshift > Redshift clusters should prohibit public access
  • AWS > NIST 800-53 > Region
  • AWS > NIST 800-53 > Region > AWS Security Hub should be enabled for an AWS Account
  • AWS > NIST 800-53 > Region > At least one enabled trail should be present in a region
  • AWS > NIST 800-53 > Region > GuardDuty should be enabled
  • AWS > NIST 800-53 > S3
  • AWS > NIST 800-53 > S3 > All S3 buckets should log S3 data events in CloudTrail
  • AWS > NIST 800-53 > S3 > S3 bucket cross-region replication should be enabled
  • AWS > NIST 800-53 > S3 > S3 bucket default encryption should be enabled
  • AWS > NIST 800-53 > S3 > S3 bucket logging should be enabled
  • AWS > NIST 800-53 > S3 > S3 bucket object lock should be enabled
  • AWS > NIST 800-53 > S3 > S3 bucket versioning should be enabled
  • AWS > NIST 800-53 > S3 > S3 buckets should enforce SSL
  • AWS > NIST 800-53 > S3 > S3 buckets should prohibit public read access
  • AWS > NIST 800-53 > S3 > S3 buckets should prohibit public write access
  • AWS > NIST 800-53 > S3 > S3 public access should be blocked at account and bucket levels
  • AWS > NIST 800-53 > S3 > S3 public access should be blocked at account level
  • AWS > NIST 800-53 > S3 > S3 public access should be blocked at bucket levels
  • AWS > NIST 800-53 > SNS
  • AWS > NIST 800-53 > SNS > SNS topics should be encrypted at rest
  • AWS > NIST 800-53 > SSM
  • AWS > NIST 800-53 > SSM > SSM managed instance associations should be compliant
  • AWS > NIST 800-53 > SSM > SSM managed instance patching should be compliant
  • AWS > NIST 800-53 > SageMaker
  • AWS > NIST 800-53 > SageMaker > SageMaker endpoint configuration encryption should be enabled
  • AWS > NIST 800-53 > SageMaker > SageMaker notebook instance encryption should be enabled
  • AWS > NIST 800-53 > SageMaker > SageMaker notebook instances should not have direct internet access
  • AWS > NIST 800-53 > Secrets Manager
  • AWS > NIST 800-53 > Secrets Manager > Secrets Manager secrets should be rotated as per the rotation schedule
  • AWS > NIST 800-53 > Secrets Manager > Secrets Manager secrets should have automatic rotation enabled
  • AWS > NIST 800-53 > VPC
  • AWS > NIST 800-53 > VPC > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > NIST 800-53 > VPC > VPC default security group should not allow inbound and outbound traffic
  • AWS > NIST 800-53 > VPC > VPC flow logs should be enabled
  • AWS > NIST 800-53 > VPC > VPC internet gateways should be attached to authorized vpc
  • AWS > NIST 800-53 > VPC > VPC route table should restrict public access to IGW
  • AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
  • AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
  • AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
  • AWS > NIST 800-53 > VPC > VPC subnet auto assign public IP should be disabled
  • AWS > NIST 800-53 > WAF
  • AWS > NIST 800-53 > WAF > Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)

Policy Types

Added

  • AWS > NIST 800-53