AWS Checks

The included AWS checks are listed below. For more information about each check, see the link provided.

Checks
aws-api-gateway-enable-access-logging
API Gateway stages for V1 and V2 should have access logging enabled
aws-api-gateway-enable-cache-encryption
API Gateway must have cache enabled
aws-api-gateway-enable-tracing
API Gateway must have X-Ray tracing enabled
aws-api-gateway-no-public-access
No public access to API Gateway methods
aws-api-gateway-use-secure-tls-policy
API Gateway domain name uses outdated SSL/TLS protocols.
aws-athena-enable-at-rest-encryption
Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encrypted
aws-athena-no-encryption-override
Athena workgroups should enforce configuration to prevent client disabling encryption
aws-autoscaling-enable-at-rest-encryption
Launch configuration with unencrypted block device.
aws-autoscaling-no-public-ip
A resource has a public IP address.
aws-cloudfront-enable-logging
Cloudfront distribution should have Access Logging configured
aws-cloudfront-enable-waf
CloudFront distribution does not have a WAF in front.
aws-cloudfront-enforce-https
CloudFront distribution allows unencrypted (HTTP) communications.
aws-cloudfront-use-secure-tls-policy
CloudFront distribution uses outdated SSL/TLS protocols.
aws-cloudtrail-enable-all-regions
Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed
aws-cloudtrail-enable-at-rest-encryption
Cloudtrail should be encrypted at rest to secure access to sensitive trail data
aws-cloudtrail-enable-log-validation
Cloudtrail log validation should be enabled to prevent tampering of log data
aws-cloudwatch-log-group-customer-key
CloudWatch log groups should be encrypted using CMK
aws-codebuild-enable-encryption
CodeBuild Project artifacts encryption should not be disabled
aws-config-aggregate-all-regions
Config configuration aggregator should be using all regions for source
aws-documentdb-enable-log-export
DocumentDB logs export should be enabled
aws-documentdb-enable-storage-encryption
DocumentDB storage must be encrypted
aws-documentdb-encryption-customer-key
DocumentDB encryption should use Customer Managed Keys
aws-dynamodb-enable-at-rest-encryption
DAX Cluster should always encrypt data at rest
aws-dynamodb-enable-recovery
Point in time recovery should be enabled to protect DynamoDB table
aws-dynamodb-table-customer-key
DynamoDB tables should use at rest encryption with a Customer Managed Key
aws-ebs-enable-volume-encryption
EBS volumes must be encrypted
aws-ebs-encryption-customer-key
EBS volume encryption should use Customer Managed Keys
aws-ec2-enforce-http-token-imds
aws_instance should activate session tokens for Instance Metadata Service.
aws-ec2-no-secrets-in-user-data
User data for EC2 instances must not contain sensitive AWS keys
aws-ecr-enable-image-scans
ECR repository has image scans disabled.
aws-ecr-enforce-immutable-repository
ECR images tags shouldn’t be mutable.
aws-ecr-no-public-access
ECR repository policy must block public access
aws-ecr-repository-customer-key
ECR Repository should use customer managed keys to allow more control
aws-ecs-enable-container-insight
ECS clusters should have container insights enabled
aws-ecs-enable-in-transit-encryption
ECS Task Definitions with EFS volumes should use in-transit encryption
aws-ecs-no-plaintext-secrets
Task definition defines sensitive environment variable(s).
aws-efs-enable-at-rest-encryption
EFS Encryption has not been enabled
aws-eks-enable-control-plane-logging
EKS Clusters should have cluster control plane logging turned on
aws-eks-encrypt-secrets
EKS should have the encryption of secrets enabled
aws-eks-no-public-cluster-access
EKS Clusters should have the public access disabled
aws-eks-no-public-cluster-access-to-cidr
EKS cluster should not have open CIDR range for public access
aws-elastic-search-enable-domain-logging
Domain logging should be enabled for Elastic Search domains
aws-elastic-search-enable-in-transit-encryption
Elasticsearch domain uses plaintext traffic for node to node communication.
aws-elastic-search-enable-logging
AWS ES Domain should have logging enabled
aws-elastic-search-encrypt-replication-group
Unencrypted Elasticache Replication Group.
aws-elastic-search-enforce-https
Elasticsearch doesn’t enforce HTTPS traffic.
aws-elastic-search-use-secure-tls-policy
Elasticsearch domain endpoint is using outdated TLS policy.
aws-elastic-service-enable-domain-encryption
Elasticsearch domain isn’t encrypted at rest.
aws-elasticache-add-description-for-security-group
Missing description for security group/security group rule.
aws-elasticache-enable-backup-retention
Redis cluster should have backup retention turned on
aws-elasticache-enable-in-transit-encryption
Elasticache Replication Group uses unencrypted traffic.
aws-elb-drop-invalid-headers
Load balancers should drop invalid headers
aws-elbv2-alb-not-public
Load balancer is exposed to the internet.
aws-elbv2-http-not-used
Use of plain HTTP.
aws-iam-block-kms-policy-wildcard
IAM customer managed policies should not allow decryption actions on all KMS keys
aws-iam-no-password-reuse
IAM Password policy should prevent password reuse.
aws-iam-no-policy-wildcards
IAM policy should avoid use of wildcards and instead apply the principle of least privilege
aws-iam-require-lowercase-in-passwords
IAM Password policy should have requirement for at least one lowercase character.
aws-iam-require-numbers-in-passwords
IAM Password policy should have requirement for at least one number in the password.
aws-iam-require-symbols-in-passwords
IAM Password policy should have requirement for at least one symbol in the password.
aws-iam-require-uppercase-in-passwords
IAM Password policy should have requirement for at least one uppercase character.
aws-iam-set-max-password-age
IAM Password policy should have expiry less than or equal to 90 days.
aws-iam-set-minimum-password-length
IAM Password policy should have minimum password length of 14 or more characters.
aws-kinesis-enable-in-transit-encryption
Kinesis stream is unencrypted.
aws-kms-auto-rotate-keys
A KMS key is not configured to auto-rotate.
aws-lambda-enable-tracing
Lambda functions should have X-Ray tracing enabled
aws-lambda-restrict-source-arn
Ensure that lambda function permission has a source arn specified
aws-launch-no-sensitive-info
Ensure all data stored in the Launch configuration EBS is securely encrypted
aws-misc-no-exposing-plaintext-credentials
AWS provider has access credentials specified.
aws-mq-enable-audit-logging
MQ Broker should have audit logging enabled
aws-mq-enable-general-logging
MQ Broker should have general logging enabled
aws-mq-no-public-access
Ensure MQ Broker is not publicly exposed
aws-msk-enable-in-transit-encryption
A MSK cluster allows unencrypted data in transit.
aws-msk-enable-logging
Ensure MSK Cluster logging is enabled
aws-neptune-enable-log-export
Nepture logs export should be enabled
aws-neptune-enable-storage-encryption
Neptune storage must be encrypted at rest
aws-rds-backup-retention-specified
RDS Cluster and RDS instance should have backup retention longer than default 1 day
aws-rds-enable-performance-insights
Encryption for RDS Performance Insights should be enabled.
aws-rds-encrypt-cluster-storage-data
There is no encryption specified or encryption is disabled on the RDS Cluster.
aws-rds-encrypt-instance-storage-data
RDS encryption has not been enabled at a DB Instance level.
aws-rds-no-classic-resources
AWS Classic resource usage.
aws-rds-no-public-db-access
A database resource is marked as publicly accessible.
aws-redshift-add-description-to-security-group
Missing description for security group/security group rule.
aws-redshift-encryption-customer-key
Redshift clusters should use at rest encryption
aws-redshift-non-default-vpc-deployment
Redshift cluster should be deployed into a specific VPC
aws-s3-block-public-acls
S3 Access block should block public ACL
aws-s3-block-public-policy
S3 Access block should block public policy
aws-s3-enable-bucket-encryption
Unencrypted S3 bucket.
aws-s3-enable-bucket-logging
S3 Bucket does not have logging enabled.
aws-s3-enable-versioning
S3 Data should be versioned
aws-s3-ignore-public-acls
S3 Access Block should Ignore Public Acl
aws-s3-no-public-access-with-acl
S3 Bucket has an ACL defined which allows public access.
aws-s3-no-public-buckets
S3 Access block should restrict public bucket to limit access
aws-s3-specify-public-access-block
S3 buckets should each define an aws_s3_bucket_public_access_block
aws-sns-enable-topic-encryption
Unencrypted SNS topic.
aws-sqs-enable-queue-encryption
Unencrypted SQS queue.
aws-sqs-no-wildcards-in-policy-documents
AWS SQS policy document has wildcard action statement.
aws-ssm-secret-use-customer-key
Secrets Manager should use customer managed keys
aws-vpc-add-description-to-security-group
Missing description for security group/security group rule.
aws-vpc-disallow-mixed-sgr
Ensures that usage of security groups with inline rules and security group rule resources are not mixed.
aws-vpc-no-default-vpc
AWS best practice to not use the default VPC for workflows
aws-vpc-no-excessive-port-access
An ingress Network ACL rule allows ALL ports.
aws-vpc-no-public-egress-sg
An inline egress security group rule allows traffic to /0.
aws-vpc-no-public-egress-sgr
An egress security group rule allows traffic to /0.
aws-vpc-no-public-ingress
An ingress Network ACL rule allows specific ports from /0.
aws-vpc-no-public-ingress-sg
An inline ingress security group rule allows traffic from /0.
aws-vpc-no-public-ingress-sgr
An ingress security group rule allows traffic from /0.
aws-vpc-use-secure-tls-policy
An outdated SSL policy is in use by a load balancer.
aws-workspace-enable-disk-encryption
Root and user volumes on Workspaces should be encrypted

Getting Started
Provider Checks
Config
GitHub Actions