Control types for @turbot/aws-nist-800-53
- AWS > NIST 800-53
- AWS > NIST 800-53 > ACM
- AWS > NIST 800-53 > ACM > ACM certificates should be set to expire within 30 days
- AWS > NIST 800-53 > API Gateway
- AWS > NIST 800-53 > API Gateway > API Gateway stage cache encryption at rest should be enabled
- AWS > NIST 800-53 > API Gateway > API Gateway stage logging should be enabled
- AWS > NIST 800-53 > API Gateway > API Gateway stage should be associated with WAF
- AWS > NIST 800-53 > API Gateway > API Gateway stage should uses SSL certificate
- AWS > NIST 800-53 > Account
- AWS > NIST 800-53 > Account > At least one multi-region AWS CloudTrail should be present in an account
- AWS > NIST 800-53 > CloudTrail
- AWS > NIST 800-53 > CloudTrail > At least one trail should be enabled with security best practices
- AWS > NIST 800-53 > CloudTrail > CloudTrail trail log file validation should be enabled
- AWS > NIST 800-53 > CloudTrail > CloudTrail trail logs should be encrypted with KMS CMK
- AWS > NIST 800-53 > CloudTrail > CloudTrail trails should be integrated with CloudWatch logs
- AWS > NIST 800-53 > CloudWatch
- AWS > NIST 800-53 > CloudWatch > CloudWatch alarm action should be enabled
- AWS > NIST 800-53 > CodeBuild
- AWS > NIST 800-53 > CodeBuild > CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- AWS > NIST 800-53 > CodeBuild > CodeBuild project plaintext environment variables should not contain sensitive AWS values
- AWS > NIST 800-53 > DMS
- AWS > NIST 800-53 > DMS > DMS replication instances should not be publicly accessible
- AWS > NIST 800-53 > DynamoDB
- AWS > NIST 800-53 > DynamoDB > DynamoDB table auto scaling should be enabled
- AWS > NIST 800-53 > DynamoDB > DynamoDB table point-in-time recovery should be enabled
- AWS > NIST 800-53 > DynamoDB > DynamoDB table should be encrypted with AWS KMS
- AWS > NIST 800-53 > DynamoDB > DynamoDB tables should be in a backup plan
- AWS > NIST 800-53 > EC2
- AWS > NIST 800-53 > EC2 > Attached EBS volumes should have delete on termination enabled
- AWS > NIST 800-53 > EC2 > Attached EBS volumes should have encryption enabled
- AWS > NIST 800-53 > EC2 > Auto Scaling groups with a load balancer should use health checks
- AWS > NIST 800-53 > EC2 > Auto Scaling launch config public IP should be disabled
- AWS > NIST 800-53 > EC2 > EBS default encryption should be enabled
- AWS > NIST 800-53 > EC2 > EBS snapshots should not be publicly restorable
- AWS > NIST 800-53 > EC2 > EBS volumes should be in a backup plan
- AWS > NIST 800-53 > EC2 > EC2 instance detailed monitoring should be enabled
- AWS > NIST 800-53 > EC2 > EC2 instances should be in a VPC
- AWS > NIST 800-53 > EC2 > EC2 instances should be managed by AWS Systems Manager
- AWS > NIST 800-53 > EC2 > EC2 instances should have IAM profile attached
- AWS > NIST 800-53 > EC2 > EC2 instances should not have a public IP address
- AWS > NIST 800-53 > EC2 > EC2 instances should use IMDSv2
- AWS > NIST 800-53 > EC2 > EC2 stopped instances should be removed in 30 days
- AWS > NIST 800-53 > EC2 > ELB application and classic load balancer logging should be enabled
- AWS > NIST 800-53 > EC2 > ELB application load balancer deletion protection should be enabled
- AWS > NIST 800-53 > EC2 > ELB application load balancers should be drop HTTP headers
- AWS > NIST 800-53 > EC2 > ELB application load balancers should have Web Application Firewall (WAF) enabled
- AWS > NIST 800-53 > EC2 > ELB application load balancers should redirect HTTP requests to HTTPS
- AWS > NIST 800-53 > EC2 > ELB classic load balancers should have cross-zone load balancing enabled
- AWS > NIST 800-53 > EC2 > ELB classic load balancers should only use SSL or HTTPS listeners
- AWS > NIST 800-53 > EC2 > ELB classic load balancers should use SSL certificates
- AWS > NIST 800-53 > ECS
- AWS > NIST 800-53 > ECS > ECS task definition container definitions should be checked for host mode
- AWS > NIST 800-53 > EFS
- AWS > NIST 800-53 > EFS > EFS file system encryption at rest should be enabled
- AWS > NIST 800-53 > EFS > EFS file systems should be in a backup plan
- AWS > NIST 800-53 > EMR
- AWS > NIST 800-53 > EMR > EMR cluster Kerberos should be enabled
- AWS > NIST 800-53 > EMR > EMR cluster master nodes should not have public IP addresses
- AWS > NIST 800-53 > ElastiCache
- AWS > NIST 800-53 > ElastiCache > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
- AWS > NIST 800-53 > Elasticsearch
- AWS > NIST 800-53 > Elasticsearch > ES domain encryption at rest should be enabled
- AWS > NIST 800-53 > Elasticsearch > ES domains should be in a VPC
- AWS > NIST 800-53 > Elasticsearch > Elasticsearch domain node-to-node encryption should be enabled
- AWS > NIST 800-53 > GuardDuty
- AWS > NIST 800-53 > GuardDuty > GuardDuty findings should be archived
- AWS > NIST 800-53 > IAM
- AWS > NIST 800-53 > IAM > Ensure IAM password policy requires a minimum length of 14 or greater
- AWS > NIST 800-53 > IAM > Ensure IAM policy should not grant full access to service
- AWS > NIST 800-53 > IAM > IAM groups should have at least one user
- AWS > NIST 800-53 > IAM > IAM groups, users, and roles should not have any inline policies
- AWS > NIST 800-53 > IAM > IAM password policies for users should have strong configurations
- AWS > NIST 800-53 > IAM > IAM policy should not have statements with admin access
- AWS > NIST 800-53 > IAM > IAM root user MFA should be enabled
- AWS > NIST 800-53 > IAM > IAM root user hardware MFA should be enabled
- AWS > NIST 800-53 > IAM > IAM root user should not have access keys
- AWS > NIST 800-53 > IAM > IAM user MFA should be enabled
- AWS > NIST 800-53 > IAM > IAM user access keys should be rotated at least every 90 days
- AWS > NIST 800-53 > IAM > IAM user credentials that have not been used in 90 days should be disabled
- AWS > NIST 800-53 > IAM > IAM user should not have any inline or attached policies
- AWS > NIST 800-53 > IAM > IAM users should be in at least one group
- AWS > NIST 800-53 > IAM > IAM users with console access should have MFA enabled
- AWS > NIST 800-53 > KMS
- AWS > NIST 800-53 > KMS > KMS CMK rotation should be enabled
- AWS > NIST 800-53 > KMS > KMS keys should not be pending deletion
- AWS > NIST 800-53 > Lambda
- AWS > NIST 800-53 > Lambda > Lambda functions should be in a VPC
- AWS > NIST 800-53 > Lambda > Lambda functions should restrict public access
- AWS > NIST 800-53 > Logs
- AWS > NIST 800-53 > Logs > Log group encryption at rest should be enabled
- AWS > NIST 800-53 > Logs > Log group retention period should be at least 365 days
- AWS > NIST 800-53 > RDS
- AWS > NIST 800-53 > RDS > Database logging should be enabled
- AWS > NIST 800-53 > RDS > RDS DB instance and cluster enhanced monitoring should be enabled
- AWS > NIST 800-53 > RDS > RDS DB instance backup should be enabled
- AWS > NIST 800-53 > RDS > RDS DB instance encryption at rest should be enabled
- AWS > NIST 800-53 > RDS > RDS DB instance multiple az should be enabled
- AWS > NIST 800-53 > RDS > RDS DB instances should be in a backup plan
- AWS > NIST 800-53 > RDS > RDS DB instances should have deletion protection enabled
- AWS > NIST 800-53 > RDS > RDS DB instances should prohibit public access
- AWS > NIST 800-53 > RDS > RDS DB snapshots should be encrypted at rest
- AWS > NIST 800-53 > RDS > RDS snapshots should prohibit public access
- AWS > NIST 800-53 > Redshift
- AWS > NIST 800-53 > Redshift > Amazon Redshift enhanced VPC routing should be enabled
- AWS > NIST 800-53 > Redshift > Redshift cluster audit logging and encryption should be enabled
- AWS > NIST 800-53 > Redshift > Redshift cluster encryption in transit should be enabled
- AWS > NIST 800-53 > Redshift > Redshift clusters should prohibit public access
- AWS > NIST 800-53 > Region
- AWS > NIST 800-53 > Region > AWS Security Hub should be enabled for an AWS Account
- AWS > NIST 800-53 > Region > At least one enabled trail should be present in a region
- AWS > NIST 800-53 > Region > GuardDuty should be enabled
- AWS > NIST 800-53 > S3
- AWS > NIST 800-53 > S3 > All S3 buckets should log S3 data events in CloudTrail
- AWS > NIST 800-53 > S3 > S3 bucket cross-region replication should be enabled
- AWS > NIST 800-53 > S3 > S3 bucket default encryption should be enabled
- AWS > NIST 800-53 > S3 > S3 bucket logging should be enabled
- AWS > NIST 800-53 > S3 > S3 bucket object lock should be enabled
- AWS > NIST 800-53 > S3 > S3 bucket versioning should be enabled
- AWS > NIST 800-53 > S3 > S3 buckets should enforce SSL
- AWS > NIST 800-53 > S3 > S3 buckets should prohibit public read access
- AWS > NIST 800-53 > S3 > S3 buckets should prohibit public write access
- AWS > NIST 800-53 > S3 > S3 public access should be blocked at account and bucket levels
- AWS > NIST 800-53 > S3 > S3 public access should be blocked at account level
- AWS > NIST 800-53 > S3 > S3 public access should be blocked at bucket levels
- AWS > NIST 800-53 > SNS
- AWS > NIST 800-53 > SNS > SNS topics should be encrypted at rest
- AWS > NIST 800-53 > SSM
- AWS > NIST 800-53 > SSM > SSM managed instance associations should be compliant
- AWS > NIST 800-53 > SSM > SSM managed instance patching should be compliant
- AWS > NIST 800-53 > SageMaker
- AWS > NIST 800-53 > SageMaker > SageMaker endpoint configuration encryption should be enabled
- AWS > NIST 800-53 > SageMaker > SageMaker notebook instance encryption should be enabled
- AWS > NIST 800-53 > SageMaker > SageMaker notebook instances should not have direct internet access
- AWS > NIST 800-53 > Secrets Manager
- AWS > NIST 800-53 > Secrets Manager > Secrets Manager secrets should be rotated as per the rotation schedule
- AWS > NIST 800-53 > Secrets Manager > Secrets Manager secrets should have automatic rotation enabled
- AWS > NIST 800-53 > VPC
- AWS > NIST 800-53 > VPC > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
- AWS > NIST 800-53 > VPC > VPC default security group should not allow inbound and outbound traffic
- AWS > NIST 800-53 > VPC > VPC flow logs should be enabled
- AWS > NIST 800-53 > VPC > VPC internet gateways should be attached to authorized vpc
- AWS > NIST 800-53 > VPC > VPC route table should restrict public access to IGW
- AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- AWS > NIST 800-53 > VPC > VPC subnet auto assign public IP should be disabled
- AWS > NIST 800-53 > WAF
- AWS > NIST 800-53 > WAF > Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
AWS > NIST 800-53
NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. The controls defined in this standard are customizable and address a diverse set of security and privacy requirements.\n
AWS > NIST 800-53 > ACM
This section contains recommendations for configuring ACM resources and options.
AWS > NIST 800-53 > ACM > ACM certificates should be set to expire within 30 days
Flag ACM certificates that will expire within 30 days so they can be renewed before they lapse; an expired certificate breaks TLS for every endpoint that uses it. Certificates issued by ACM are renewed automatically, which is why the control also favours ACM-issued X.509 certificates over imported ones, which must be renewed and re-imported by hand.
AWS > NIST 800-53 > API Gateway
This section contains recommendations for configuring API Gateway resources and options.
AWS > NIST 800-53 > API Gateway > API Gateway stage cache encryption at rest should be enabled
To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache.\n
AWS > NIST 800-53 > API Gateway > API Gateway stage logging should be enabled
API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API.\n
AWS > NIST 800-53 > API Gateway > API Gateway stage should be associated with WAF
Check whether an Amazon API Gateway stage is associated with an AWS WAF web ACL. The rule is non-compliant if no WAF web ACL is attached to the stage.
AWS > NIST 800-53 > API Gateway > API Gateway stage should uses SSL certificate
Check whether a REST API stage uses an SSL certificate (the client certificate API Gateway presents to the backend integration so the backend can verify requests really come from API Gateway). The rule is non-compliant if the REST API stage has no associated SSL certificate.
AWS > NIST 800-53 > Account
This section contains recommendations for configuring resources and options on an account.\n
AWS > NIST 800-53 > Account > At least one multi-region AWS CloudTrail should be present in an account
AWS CloudTrail records AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. A trail configured as a multi-region trail delivers log files from all AWS Regions to your S3 bucket, so activity in a region you do not normally use is still captured.
AWS > NIST 800-53 > CloudTrail
This section contains recommendations for configuring CloudTrail resources and options.
AWS > NIST 800-53 > CloudTrail > At least one trail should be enabled with security best practices
This rule helps ensure the use of AWS recommended security best practices for AWS CloudTrail, by checking for the enablement of multiple settings. These include the use of log encryption, log validation, and enabling AWS CloudTrail in multiple regions.\n
AWS > NIST 800-53 > CloudTrail > CloudTrail trail log file validation should be enabled
Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.\n
AWS > NIST 800-53 > CloudTrail > CloudTrail trail logs should be encrypted with KMS CMK
To help protect sensitive data at rest, ensure the log files a CloudTrail trail delivers to S3 are encrypted with a KMS customer managed key (SSE-KMS) rather than the default S3-managed encryption, so that reading the logs requires kms:Decrypt on that key in addition to access to the bucket.
AWS > NIST 800-53 > CloudTrail > CloudTrail trails should be integrated with CloudWatch logs
Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account.
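The five CloudTrail checks above (multi-region, global service events, log file validation, KMS encryption, CloudWatch Logs delivery) all read from the same trail configuration. The following is an added example, not Turbot's own code: it evaluates trail dicts shaped like the entries boto3's `cloudtrail.describe_trails()['trailList']` returns. The two sample trails are constructed for the example.

```python
"""Added example (not Turbot code): evaluate describe_trails() output against the
CloudTrail controls above. The trail dicts mirror the shape of boto3
cloudtrail.describe_trails()['trailList'] entries; both samples are constructed."""
from typing import Dict, List

SAMPLE_TRAILS: List[Dict] = [
    {   # Constructed: a trail that satisfies every check.
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
    },
    {   # Constructed: a single-region trail left at defaults (SSE-S3, no validation).
        "Name": "regional-trail",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": False,
        "LogFileValidationEnabled": False,
    },
]

# (check name, predicate on the trail dict, finding text when the predicate fails)
CHECKS = [
    ("multi_region", lambda t: t.get("IsMultiRegionTrail") is True, "not a multi-region trail"),
    ("global_events", lambda t: t.get("IncludeGlobalServiceEvents") is True, "global service events (IAM, STS) not logged"),
    ("validation", lambda t: t.get("LogFileValidationEnabled") is True, "log file validation disabled"),
    ("kms", lambda t: bool(t.get("KmsKeyId")), "log files not encrypted with a KMS CMK"),
    ("cloudwatch", lambda t: bool(t.get("CloudWatchLogsLogGroupArn")), "not delivering to CloudWatch Logs"),
]


def trail_findings(trail: Dict) -> List[str]:
    """Return the best-practice settings this trail is missing (empty list = compliant)."""
    return [text for _, ok, text in CHECKS if not ok(trail)]


def account_has_multi_region_trail(trails: List[Dict]) -> bool:
    """Account-level control: at least one multi-region trail exists."""
    return any(t.get("IsMultiRegionTrail") is True for t in trails)


def account_has_best_practice_trail(trails: List[Dict]) -> bool:
    """Account-level control: at least one trail passes every check in CHECKS."""
    return any(not trail_findings(t) for t in trails)


if __name__ == "__main__":
    for t in SAMPLE_TRAILS:
        print(t["Name"], "->", trail_findings(t) or "compliant")
    print("best-practice trail present:", account_has_best_practice_trail(SAMPLE_TRAILS))
```

`describe_trails` does not say whether a trail is actually logging; a complete check also calls `get_trail_status` and requires `IsLogging` to be true, and looks at the destination bucket's own policy and public-access settings, since a well-configured trail writing into a world-readable bucket is still a finding.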
AWS > NIST 800-53 > CloudWatch
This section contains recommendations for configuring CloudWatch resources and options.
AWS > NIST 800-53 > CloudWatch > CloudWatch alarm action should be enabled
Amazon CloudWatch alarms alert when a metric breaches the threshold for a specified number of evaluation periods. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods.\n
AWS > NIST 800-53 > CodeBuild
This section contains recommendations for configuring CodeBuild resources and options.
AWS > NIST 800-53 > CodeBuild > CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
Ensure the GitHub or Bitbucket source repository URL in an AWS CodeBuild project does not embed a personal access token or a user name and password; use an OAuth connection instead, so the credential is not stored (and logged) as part of the project configuration.
AWS > NIST 800-53 > CodeBuild > CodeBuild project plaintext environment variables should not contain sensitive AWS values
Ensure authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY do not exist within AWS CodeBuild project environments. Do not store these variables in clear text. Storing these variables in clear text leads to unintended data exposure and unauthorized access.\n
AWS > NIST 800-53 > DMS
This section contains recommendations for configuring DMS resources and options.
AWS > NIST 800-53 > DMS > DMS replication instances should not be publicly accessible
Manage access to the AWS Cloud by ensuring DMS replication instances cannot be publicly accessed.\n
AWS > NIST 800-53 > DynamoDB
This section contains recommendations for configuring DynamoDB resources and options.
AWS > NIST 800-53 > DynamoDB > DynamoDB table auto scaling should be enabled
Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns.\n
AWS > NIST 800-53 > DynamoDB > DynamoDB table point-in-time recovery should be enabled
Enable this rule to check that information has been backed up. It also maintains the backups by ensuring that point-in-time recovery is enabled in Amazon DynamoDB.\n
AWS > NIST 800-53 > DynamoDB > DynamoDB table should be encrypted with AWS KMS
Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data.\n
AWS > NIST 800-53 > DynamoDB > DynamoDB tables should be in a backup plan
To help with data back-up processes, ensure your Amazon DynamoDB tables are a part of an AWS Backup plan.\n
AWS > NIST 800-53 > EC2
This section contains recommendations for configuring EC2 resources and options.
AWS > NIST 800-53 > EC2 > Attached EBS volumes should have delete on termination enabled
This rule ensures that Amazon Elastic Block Store volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances are marked for deletion when an instance is terminated.\n
AWS > NIST 800-53 > EC2 > Attached EBS volumes should have encryption enabled
Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes.\n
AWS > NIST 800-53 > EC2 > Auto Scaling groups with a load balancer should use health checks
The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups support maintenance of adequate capacity and availability.\n
AWS > NIST 800-53 > EC2 > Auto Scaling launch config public IP should be disabled
Check whether Amazon EC2 Auto Scaling groups assign public IP addresses through their Launch Configurations. The rule is non-compliant if the Launch Configuration for an Auto Scaling group has AssociatePublicIpAddress set to 'true'.
AWS > NIST 800-53 > EC2 > EBS default encryption should be enabled
To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes.\n
AWS > NIST 800-53 > EC2 > EBS snapshots should not be publicly restorable
Manage access to the AWS Cloud by ensuring EBS snapshots are not publicly restorable.\n
AWS > NIST 800-53 > EC2 > EBS volumes should be in a backup plan
To help with data back-up processes, ensure your Amazon Elastic Block Store (Amazon EBS) volumes are a part of an AWS Backup plan.\n
AWS > NIST 800-53 > EC2 > EC2 instance detailed monitoring should be enabled
Enable this rule to help improve Amazon Elastic Compute Cloud (Amazon EC2) instance monitoring on the Amazon EC2 console, which displays monitoring graphs with a 1-minute period for the instance.\n
AWS > NIST 800-53 > EC2 > EC2 instances should be in a VPC
Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection.\n
AWS > NIST 800-53 > EC2 > EC2 instances should be managed by AWS Systems Manager
An inventory of the software platforms and applications within the organization is possible by managing Amazon Elastic Compute Cloud (Amazon EC2) instances with AWS Systems Manager.\n
AWS > NIST 800-53 > EC2 > EC2 instances should have IAM profile attached
Check whether an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) instance profile attached to it. The rule is non-compliant if no IAM profile is attached to the Amazon EC2 instance.
AWS > NIST 800-53 > EC2 > EC2 instances should not have a public IP address
Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed.\n
AWS > NIST 800-53 > EC2 > EC2 instances should use IMDSv2
Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled to help protect access and control of Amazon Elastic Compute Cloud (Amazon EC2) instance metadata.\n
AWS > NIST 800-53 > EC2 > EC2 stopped instances should be removed in 30 days
Enable this rule to help with the baseline configuration of Amazon Elastic Compute Cloud (Amazon EC2) instances by checking whether Amazon EC2 instances have been stopped for more than the allowed number of days, according to your organization's standards.\n
AWS > NIST 800-53 > EC2 > ELB application and classic load balancer logging should be enabled
Elastic Load Balancing sits at a central point of communication within an environment, so its access logs (client IP, request path, target, response code and latency) are a primary source for troubleshooting and for security investigations. Ensure access logging is enabled for application and classic load balancers.
AWS > NIST 800-53 > EC2 > ELB application load balancer deletion protection should be enabled
This rule ensures that Application Load Balancers have deletion protection enabled, so a load balancer cannot be removed by an API call without first clearing the attribute.
AWS > NIST 800-53 > EC2 > ELB application load balancers should be drop HTTP headers
Ensure that your Application Load Balancers are configured to drop invalid HTTP header fields (the routing.http.drop_invalid_header_fields.enabled attribute) so that malformed headers are removed before a request is forwarded to targets.
AWS > NIST 800-53 > EC2 > ELB application load balancers should have Web Application Firewall (WAF) enabled
Ensure AWS WAF is enabled on Elastic Load Balancers (ELB) to help protect web applications.\n
AWS > NIST 800-53 > EC2 > ELB application load balancers should redirect HTTP requests to HTTPS
To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS.\n
AWS > NIST 800-53 > EC2 > ELB classic load balancers should have cross-zone load balancing enabled
Enable cross-zone load balancing for your Elastic Load Balancers (ELBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone.\n
AWS > NIST 800-53 > EC2 > ELB classic load balancers should only use SSL or HTTPS listeners
Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.\n
AWS > NIST 800-53 > EC2 > ELB classic load balancers should use SSL certificates
Because sensitive data can exist and to help protect data in transit, ensure your classic load balancer listeners terminate TLS with an ACM or IAM-managed SSL certificate.
AWS > NIST 800-53 > ECS
This section contains recommendations for configuring ECS resources and options.
AWS > NIST 800-53 > ECS > ECS task definition container definitions should be checked for host mode
Check whether an Amazon Elastic Container Service (Amazon ECS) task definition with host networking mode has 'privileged' or 'user' container definitions. The rule is NON_COMPLIANT for task definitions with host network mode and container definitions of privileged=false or empty and user=root or empty.
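The rule above combines three fields, and the "or empty" clauses matter because both `privileged` and `user` default to unset in a task definition. The following is an added example, not Turbot's or AWS's code; it applies the stated logic to task definition dicts shaped like `ecs.describe_task_definition()['taskDefinition']`. All four samples are constructed, and treating uid `0` like the name `root` is an assumption beyond the rule text.

```python
"""Added example (not Turbot code): apply the host-mode rule above to ECS task
definitions. Inputs mirror boto3 ecs.describe_task_definition()['taskDefinition'];
all four samples are constructed."""
from typing import Dict, List

SAMPLE_TASK_DEFINITIONS: Dict[str, Dict] = {
    # host networking, container has neither 'user' nor 'privileged' -> runs as root, non-compliant
    "web-host-root": {
        "family": "web", "networkMode": "host",
        "containerDefinitions": [{"name": "web", "image": "nginx:1.25"}],
    },
    # host networking but the container drops to uid 1000 -> compliant
    "web-host-user": {
        "family": "web", "networkMode": "host",
        "containerDefinitions": [{"name": "web", "image": "nginx:1.25", "user": "1000:1000", "privileged": False}],
    },
    # host networking, explicitly privileged -> the rule text treats this as compliant
    "agent-host-priv": {
        "family": "agent", "networkMode": "host",
        "containerDefinitions": [{"name": "agent", "image": "example/agent", "privileged": True}],
    },
    # awsvpc networking -> the rule does not apply
    "web-awsvpc": {
        "family": "web", "networkMode": "awsvpc",
        "containerDefinitions": [{"name": "web", "image": "nginx:1.25"}],
    },
}

ROOT_USERS = {"", "root", "0"}  # assumption: uid 0 is treated like the name 'root'


def _runs_as_root(container: Dict) -> bool:
    """The 'user' field is "user", "uid", "user:group" or "uid:gid"; unset means root."""
    user = str(container.get("user") or "").strip()
    return user.split(":")[0] in ROOT_USERS


def offending_containers(task_def: Dict) -> List[str]:
    """Names of containers that make a host-mode task definition NON_COMPLIANT:
    privileged is false/absent AND user is root/absent."""
    if task_def.get("networkMode") != "host":
        return []
    return [
        c.get("name", "<unnamed>")
        for c in task_def.get("containerDefinitions", [])
        if not c.get("privileged", False) and _runs_as_root(c)
    ]


def is_compliant(task_def: Dict) -> bool:
    return not offending_containers(task_def)


if __name__ == "__main__":
    for name, td in SAMPLE_TASK_DEFINITIONS.items():
        print(name, "->", offending_containers(td) or "compliant")
```

Note what the rule does and does not say: a privileged container on the host network passes this check because the elevated access was declared explicitly, not because it is safe. Treat `privileged: true` together with `networkMode: host` as something to review under a separate control.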
AWS > NIST 800-53 > EFS
This section contains recommendations for configuring EFS resources and options.
AWS > NIST 800-53 > EFS > EFS file system encryption at rest should be enabled
Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS).\n
AWS > NIST 800-53 > EFS > EFS file systems should be in a backup plan
To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan.\n
AWS > NIST 800-53 > EMR
This section contains recommendations for configuring EMR resources and options.
AWS > NIST 800-53 > EMR > EMR cluster Kerberos should be enabled
The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for Amazon EMR clusters.\n
AWS > NIST 800-53 > EMR > EMR cluster master nodes should not have public IP addresses
Manage access to the AWS Cloud by ensuring Amazon EMR cluster master nodes cannot be publicly accessed.\n
AWS > NIST 800-53 > ElastiCache
This section contains recommendations for configuring ElastiCache resources and options.
AWS > NIST 800-53 > ElastiCache > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
When automatic backups are enabled, Amazon ElastiCache creates a backup of the cluster on a daily basis. The backup can be retained for a number of days as specified by your organization. Automatic backups can help guard against data loss.\n
AWS > NIST 800-53 > Elasticsearch
This section contains recommendations for configuring Elasticsearch resources and options.
AWS > NIST 800-53 > Elasticsearch > ES domain encryption at rest should be enabled
Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elasticsearch Service (Amazon ES) domains.
AWS > NIST 800-53 > Elasticsearch > ES domains should be in a VPC
Manage access to the AWS Cloud by ensuring Amazon Elasticsearch Service (Amazon ES) Domains are within an Amazon Virtual Private Cloud (Amazon VPC).\n
AWS > NIST 800-53 > Elasticsearch > Elasticsearch domain node-to-node encryption should be enabled
Ensure node-to-node encryption for Amazon Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC).\n
AWS > NIST 800-53 > GuardDuty
This section contains recommendations for configuring GuardDuty resources and options.
AWS > NIST 800-53 > GuardDuty > GuardDuty findings should be archived
Amazon GuardDuty helps you understand the impact of an incident by classifying findings by severity: low, medium, and high.\n
AWS > NIST 800-53 > IAM
This section contains recommendations for configuring IAM resources and options.
AWS > NIST 800-53 > IAM > Ensure IAM password policy requires a minimum length of 14 or greater
Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. Security Hub recommends that the password policy require a minimum password length of 14 characters.\n
AWS > NIST 800-53 > IAM > Ensure IAM policy should not grant full access to service
Checks whether AWS Identity and Access Management (IAM) policies grant permission to all actions of an AWS service (an Allow statement on "service:*"). The rule is non-compliant if a managed IAM policy allows full access to at least one AWS service.
AWS > NIST 800-53 > IAM > IAM groups should have at least one user
AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user.\n
AWS > NIST 800-53 > IAM > IAM groups, users, and roles should not have any inline policies
Ensure an AWS Identity and Access Management (IAM) user, IAM role or IAM group does not have an inline policy to control access to systems and assets.\n
AWS > NIST 800-53 > IAM > IAM password policies for users should have strong configurations
The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy.

An IAM password policy is considered to have a strong configuration when:
- Minimum password length is 14 characters or more
- At least one uppercase letter from the Latin alphabet (A-Z) is required
- At least one lowercase letter from the Latin alphabet (a-z) is required
- At least one number is required
- At least one non-alphanumeric character is required
- Passwords expire within 90 days
- At least the last 24 passwords are remembered and reuse is prevented
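The seven criteria above map directly onto the fields of the account password policy. The following is an added example, not Turbot's own code: it scores a policy dict shaped like boto3's `iam.get_account_password_policy()['PasswordPolicy']` and returns which criteria fail. Both sample policies are constructed; the weak one resembles the AWS default.

```python
"""Added example (not Turbot code): score an IAM account password policy against
the seven criteria listed above. The dict mirrors boto3
iam.get_account_password_policy()['PasswordPolicy']; both samples are constructed."""
from typing import Dict, List

# Constructed: roughly the AWS default policy (8 chars, no expiry, no reuse prevention).
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

# Constructed: a policy that meets every criterion.
STRONG_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


def password_policy_findings(policy: Dict, min_length: int = 14,
                             max_age_days: int = 90, reuse_history: int = 24) -> List[str]:
    """Return the criteria the policy fails; an empty list means 'strong configuration'."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < min_length:
        findings.append(f"minimum length below {min_length}")
    for key, text in (
        ("RequireUppercaseCharacters", "uppercase letter not required"),
        ("RequireLowercaseCharacters", "lowercase letter not required"),
        ("RequireNumbers", "number not required"),
        ("RequireSymbols", "non-alphanumeric character not required"),
    ):
        if not policy.get(key, False):
            findings.append(text)
    # MaxPasswordAge is only present in the API response when ExpirePasswords is true.
    max_age = policy.get("MaxPasswordAge")
    if not policy.get("ExpirePasswords") or max_age is None or max_age > max_age_days:
        findings.append(f"passwords do not expire within {max_age_days} days")
    if policy.get("PasswordReusePrevention", 0) < reuse_history:
        findings.append(f"fewer than {reuse_history} previous passwords remembered")
    return findings


def is_strong(policy: Dict) -> bool:
    return not password_policy_findings(policy)


if __name__ == "__main__":
    print("weak  :", password_policy_findings(WEAK_POLICY))
    print("strong:", password_policy_findings(STRONG_POLICY) or "all criteria met")
```

An account that has never had a policy set makes `get_account_password_policy` raise `NoSuchEntity`; a checker should catch that and report every criterion as failed rather than skipping the account.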
AWS > NIST 800-53 > IAM > IAM policy should not have statements with admin access
AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by restricting policies from containing 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'.
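This control and the "should not grant full access to service" control above both reduce to inspecting the statements of a policy document. The following is an added example, not Turbot's or AWS's code: it detects the full-admin pattern ('Allow' on 'Action' '*' over 'Resource' '*') and the per-service pattern ('Allow' on 'service:*'), handling the string-or-list form of Action and Resource. The three policy documents are constructed.

```python
"""Added example (not Turbot code): inspect an IAM policy document for the two
patterns above: a full-admin statement (Allow, Action "*", Resource "*") and
'full access to a service' (Allow on "service:*"). The three documents are constructed."""
import json
from typing import Dict, List, Set

ADMIN_DOC = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

S3_FULL_DOC = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}
  ]
}""")

SCOPED_DOC = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")


def _as_list(value) -> List[str]:
    """Action/Resource may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(doc: Dict) -> List[Dict]:
    """Statement may likewise be a single object or a list."""
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def admin_statement_indexes(doc: Dict) -> List[int]:
    """Indexes of statements with Effect Allow, Action "*" and Resource "*"."""
    hits = []
    for i, s in enumerate(_statements(doc)):
        if s.get("Effect") != "Allow":
            continue
        if "*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource")):
            hits.append(i)
    return hits


def full_service_access(doc: Dict) -> Set[str]:
    """Service prefixes for which some Allow statement grants every action ("svc:*" or "*")."""
    services = set()
    for s in _statements(doc):
        if s.get("Effect") != "Allow":
            continue
        for action in _as_list(s.get("Action")):
            action = action.lower()  # IAM action names are matched case-insensitively
            if action == "*":
                services.add("*")
            elif action.endswith(":*"):
                services.add(action.split(":", 1)[0])
    return services


if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_DOC), ("s3-full", S3_FULL_DOC), ("scoped", SCOPED_DOC)):
        print(name, "admin statements:", admin_statement_indexes(doc),
              "full-service:", sorted(full_service_access(doc)))
```

Two things this pattern match deliberately does not cover: an Allow statement written with `NotAction` (for example everything except `iam:*`) is nearly as broad as `"Action": "*"` but matches neither check, and should be reported separately; and for managed policies the document has to be fetched for the default version with `iam.get_policy_version` before it can be inspected.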
AWS > NIST 800-53 > IAM > IAM root user MFA should be enabled
Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user.\n
AWS > NIST 800-53 > IAM > IAM root user hardware MFA should be enabled
Manage access to resources in the AWS Cloud by ensuring hardware MFA is enabled for the root user.\n
AWS > NIST 800-53 > IAM > IAM root user should not have access keys
Access to systems and assets can be controlled by checking that the root user has no access keys. Root credentials are not bound by IAM policies, so a leaked root access key cannot be constrained or scoped down; use IAM users or roles for programmatic access instead.
AWS > NIST 800-53 > IAM > IAM user MFA should be enabled
Enable this rule to require MFA for IAM users, so that a compromised password or access key alone is not enough to gain access to resources in the AWS Cloud.
AWS > NIST 800-53 > IAM > IAM user access keys should be rotated at least every 90 days
The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy.\n
AWS > NIST 800-53 > IAM > IAM user credentials that have not been used in 90 days should be disabled
AWS Identity and Access Management (IAM) can help you with access permissions and authorizations by checking for IAM passwords and access keys that are not used for a specified time period.\n
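The rotation check above, the unused-credential check, and the "console users should have MFA" check later in this section can all be answered from one IAM credential report. The following is an added example, not Turbot's own code: it parses a credential report and applies the 90-day thresholds at a fixed evaluation date. The CSV is a constructed excerpt carrying only the columns these checks read; the real report returned by `iam.get_credential_report()['Content']` has more columns with the same names and the same `N/A` / `no_information` / `not_supported` placeholders.

```python
"""Added example (not Turbot code): apply the 90-day rotation and 90-day unused
checks above, plus the console-MFA check, to an IAM credential report. The CSV is
a constructed excerpt carrying only the columns these checks read; the real report
(iam.get_credential_report()['Content']) has more columns with the same names."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SAMPLE_REPORT = """\
user,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,2020-01-01T00:00:00+00:00,not_supported,2024-01-02T09:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,2023-06-01T00:00:00+00:00,true,2024-05-30T08:15:00+00:00,true,true,2024-01-05T00:00:00+00:00,2024-05-29T00:00:00+00:00,false,N/A,N/A
bob,2023-06-01T00:00:00+00:00,true,2023-11-01T12:00:00+00:00,false,true,2024-04-01T00:00:00+00:00,N/A,false,N/A,N/A
ci-bot,2023-06-01T00:00:00+00:00,false,no_information,false,true,2024-05-01T00:00:00+00:00,2024-05-31T00:00:00+00:00,true,2023-12-01T00:00:00+00:00,2024-05-31T00:00:00+00:00
"""

AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible
MAX_AGE = timedelta(days=90)


def _ts(value: str) -> Optional[datetime]:
    """Report cells are ISO 8601 timestamps or one of N/A / no_information / not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def user_findings(row: Dict[str, str], as_of: datetime = AS_OF,
                  max_age: timedelta = MAX_AGE) -> List[str]:
    findings = []
    days = max_age.days
    if row["password_enabled"] == "true":
        # a password that was never used is aged from the user's creation time
        last_used = _ts(row["password_last_used"]) or _ts(row["user_creation_time"])
        if last_used is None or as_of - last_used > max_age:
            findings.append(f"console password unused for {days} days")
        if row["mfa_active"] != "true":
            findings.append("console access without MFA")
    for n in (1, 2):
        if row[f"access_key_{n}_active"] != "true":
            continue
        rotated = _ts(row[f"access_key_{n}_last_rotated"])
        if rotated is None or as_of - rotated > max_age:
            findings.append(f"access_key_{n} not rotated in {days} days")
        # a key that was never used is aged from its creation (= last rotation) date
        last_used = _ts(row[f"access_key_{n}_last_used_date"]) or rotated
        if last_used is None or as_of - last_used > max_age:
            findings.append(f"access_key_{n} unused for {days} days")
    return findings


def report_findings(report_csv: str, as_of: datetime = AS_OF) -> Dict[str, List[str]]:
    """Map each user in the report to its findings (empty list = no issue)."""
    return {row["user"]: user_findings(row, as_of)
            for row in csv.DictReader(io.StringIO(report_csv))}


if __name__ == "__main__":
    for user, issues in report_findings(SAMPLE_REPORT).items():
        print(f"{user:15} {issues or 'ok'}")
```

In production the report is generated asynchronously: call `generate_credential_report` and poll until its state is `COMPLETE` before `get_credential_report`, and decode the returned `Content` bytes before handing them to `report_findings`. Note also that `access_key_N_last_used_date` only reflects use since AWS began tracking it and that the root row reports `not_supported` for password fields, which is why the example skips password checks for it.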
AWS > NIST 800-53 > IAM > IAM user should not have any inline or attached policies
This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets.\n
AWS > NIST 800-53 > IAM > IAM users should be in at least one group
AWS Identity and Access Management (IAM) can help you restrict access permissions and authorizations, by ensuring IAM users are members of at least one group.\n
AWS > NIST 800-53 > IAM > IAM users with console access should have MFA enabled
Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password.\n
AWS > NIST 800-53 > KMS
This section contains recommendations for configuring KMS resources and options.
AWS > NIST 800-53 > KMS > KMS CMK rotation should be enabled
Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.\n
AWS > NIST 800-53 > KMS > KMS keys should not be pending deletion
To help protect data at rest, ensure necessary customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (AWS KMS).\n
AWS > NIST 800-53 > Lambda
This section contains recommendations for configuring Lambda resources and options.
AWS > NIST 800-53 > Lambda > Lambda functions should be in a VPC
Deploy AWS Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for a secure communication between a function and other services within the Amazon VPC.\n
AWS > NIST 800-53 > Lambda > Lambda functions should restrict public access
Manage access to resources in the AWS Cloud by ensuring AWS Lambda functions cannot be publicly accessed.\n
AWS > NIST 800-53 > Logs
This section contains recommendations for configuring Logs resources and options.
AWS > NIST 800-53 > Logs > Log group encryption at rest should be enabled
To help protect sensitive data at rest, ensure encryption with a KMS key is enabled for your Amazon CloudWatch log groups.
AWS > NIST 800-53 > Logs > Log group retention period should be at least 365 days
Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations.\n
AWS > NIST 800-53 > RDS
This section contains recommendations for configuring RDS resources and options.
AWS > NIST 800-53 > RDS > Database logging should be enabled
To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled.\n
AWS > NIST 800-53 > RDS > RDS DB instance and cluster enhanced monitoring should be enabled
Enable enhanced monitoring for Amazon Relational Database Service (Amazon RDS) instances and clusters to help monitor their availability. Enhanced monitoring collects operating-system level metrics from the database host, giving more detailed visibility into the health of your RDS databases than the standard CloudWatch metrics.
AWS > NIST 800-53 > RDS > RDS DB instance backup should be enabled
The backup feature of Amazon RDS creates backups of your databases and transaction logs.\n
AWS > NIST 800-53 > RDS > RDS DB instance encryption at rest should be enabled
To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances.\n
AWS > NIST 800-53 > RDS > RDS DB instance multiple az should be enabled
Multi-AZ support in Amazon Relational Database Service (Amazon RDS) provides enhanced availability and durability for database instances.\n
AWS > NIST 800-53 > RDS > RDS DB instances should be in a backup plan
To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan.\n
AWS > NIST 800-53 > RDS > RDS DB instances should have deletion protection enabled
Ensure Amazon Relational Database Service (Amazon RDS) instances have deletion protection enabled.\n
AWS > NIST 800-53 > RDS > RDS DB instances should prohibit public access
Manage access to resources in the AWS Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) instances are not public.\n
AWS > NIST 800-53 > RDS > RDS DB snapshots should be encrypted at rest
Ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) snapshots.\n
AWS > NIST 800-53 > RDS > RDS snapshots should prohibit public access
Manage access to resources in the AWS Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) instances are not public.\n
AWS > NIST 800-53 > Redshift
This section contains recommendations for configuring Redshift resources and options.
AWS > NIST 800-53 > Redshift > Amazon Redshift enhanced VPC routing should be enabled
Ensure that Amazon Redshift clusters have enhancedVpcRouting enabled. The rule is non-compliant if enhancedVpcRouting is not enabled or if the configuration.enhancedVpcRouting field is false.
AWS > NIST 800-53 > Redshift > Redshift cluster audit logging and encryption should be enabled
To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. Audit logging should be enabled to provide information about connections and user activities in the database.
AWS > NIST 800-53 > Redshift > Redshift cluster encryption in transit should be enabled
Ensure that your Amazon Redshift clusters require TLS/SSL encryption for connections from SQL clients.
AWS > NIST 800-53 > Redshift > Redshift clusters should prohibit public access
Manage access to resources in the AWS Cloud by ensuring that Amazon Redshift clusters are not public.
AWS > NIST 800-53 > Region
This section contains recommendations for configuring resources and options on a region.
AWS > NIST 800-53 > Region > AWS Security Hub should be enabled for an AWS Account
AWS Security Hub helps to monitor unauthorized personnel, connections, devices, and software. AWS Security Hub aggregates, organizes, and prioritizes the security alerts, or findings, from multiple AWS services.
AWS > NIST 800-53 > Region > At least one enabled trail should be present in a region
AWS CloudTrail can help with non-repudiation by recording AWS Management Console actions and API calls. You can identify the users and AWS accounts that called an AWS service, the source IP address from which the calls were made, and the timing of the calls. Details of the captured data are described under AWS CloudTrail Record Contents.
AWS > NIST 800-53 > Region > GuardDuty should be enabled
Amazon GuardDuty can help to monitor and detect potential cybersecurity events by using threat intelligence feeds.
AWS > NIST 800-53 > S3
This section contains recommendations for configuring S3 resources and options.
AWS > NIST 800-53 > S3 > All S3 buckets should log S3 data events in CloudTrail
The collection of Amazon Simple Storage Service (Amazon S3) data events helps in detecting anomalous activity. The details include the AWS account that accessed an Amazon S3 bucket, the IP address, and the time of the event.
AWS > NIST 800-53 > S3 > S3 bucket cross-region replication should be enabled
Amazon Simple Storage Service (Amazon S3) Cross-Region Replication (CRR) supports maintaining adequate capacity and availability.
AWS > NIST 800-53 > S3 > S3 bucket default encryption should be enabled
To help protect data at rest, ensure encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets.
AWS > NIST 800-53 > S3 > S3 bucket logging should be enabled
Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events.
AWS > NIST 800-53 > S3 > S3 bucket object lock should be enabled
Ensure that your Amazon Simple Storage Service (Amazon S3) bucket has Object Lock enabled by default.
AWS > NIST 800-53 > S3 > S3 bucket versioning should be enabled
Amazon Simple Storage Service (Amazon S3) bucket versioning helps keep multiple variants of an object in the same Amazon S3 bucket.
AWS > NIST 800-53 > S3 > S3 buckets should enforce SSL
To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL).
AWS > NIST 800-53 > S3 > S3 buckets should prohibit public read access
Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets.
AWS > NIST 800-53 > S3 > S3 buckets should prohibit public write access
Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets.
AWS > NIST 800-53 > S3 > S3 public access should be blocked at account and bucket levels
Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed.
AWS > NIST 800-53 > S3 > S3 public access should be blocked at account level
Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed.
AWS > NIST 800-53 > S3 > S3 public access should be blocked at bucket levels
Check whether Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible. This rule is non-compliant if an Amazon S3 bucket is not listed in the excludedPublicBuckets parameter and its bucket-level settings are public.
AWS > NIST 800-53 > SNS
This section contains recommendations for configuring SNS resources and options.
AWS > NIST 800-53 > SNS > SNS topics should be encrypted at rest
To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS).
AWS > NIST 800-53 > SSM
This section contains recommendations for configuring SSM resources and options.
AWS > NIST 800-53 > SSM > SSM managed instance associations should be compliant
Use AWS Systems Manager Associations to help with inventory of software platforms and applications within an organization.
AWS > NIST 800-53 > SSM > SSM managed instance patching should be compliant
Enable this rule to help with identification and documentation of Amazon Elastic Compute Cloud (Amazon EC2) vulnerabilities.
AWS > NIST 800-53 > SageMaker
This section contains recommendations for configuring SageMaker resources and options.
AWS > NIST 800-53 > SageMaker > SageMaker endpoint configuration encryption should be enabled
To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint.
AWS > NIST 800-53 > SageMaker > SageMaker notebook instance encryption should be enabled
To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook.
AWS > NIST 800-53 > SageMaker > SageMaker notebook instances should not have direct internet access
Manage access to resources in the AWS Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access.
AWS > NIST 800-53 > Secrets Manager
This section contains recommendations for configuring Secrets Manager resources and options.
AWS > NIST 800-53 > Secrets Manager > Secrets Manager secrets should be rotated as per the rotation schedule
This rule ensures that AWS Secrets Manager secrets have rotated successfully according to the rotation schedule. Rotating secrets on a regular schedule can shorten the period that a secret is active, and potentially reduce the business impact if it is compromised.
AWS > NIST 800-53 > Secrets Manager > Secrets Manager secrets should have automatic rotation enabled
This rule ensures AWS Secrets Manager secrets have rotation enabled. Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised.
AWS > NIST 800-53 > VPC
This section contains recommendations for configuring VPC resources and options.
AWS > NIST 800-53 > VPC > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
Redundant Site-to-Site VPN tunnels can be implemented to achieve resilience requirements.
AWS > NIST 800-53 > VPC > VPC default security group should not allow inbound and outbound traffic
Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources.
AWS > NIST 800-53 > VPC > VPC flow logs should be enabled
VPC flow logs provide detailed records of the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC).
AWS > NIST 800-53 > VPC > VPC internet gateways should be attached to authorized vpc
Manage access to resources in the AWS Cloud by ensuring that internet gateways are only attached to authorized Amazon Virtual Private Clouds (Amazon VPCs).
AWS > NIST 800-53 > VPC > VPC route table should restrict public access to IGW
Check whether there are public routes in the route table to an Internet Gateway (IGW). The rule is non-compliant if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0'.
AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources.
AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) Security Groups.
AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups.
AWS > NIST 800-53 > VPC > VPC subnet auto assign public IP should be disabled
Check whether Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The control is compliant if the Amazon VPC does not have subnets that are assigned a public IP address, and non-compliant if the Amazon VPC has subnets that are assigned a public IP address.
AWS > NIST 800-53 > WAF
This section contains recommendations for configuring WAF resources and options.
AWS > NIST 800-53 > WAF > Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
To help with logging and monitoring within your environment, enable AWS WAF (V2) logging on regional and global web ACLs.