| AWS_APIGATEWAY_ALLOWS_ANONYMOUS_ACCESS | 255. Allow access only to the necessary ports |
| AWS_CFT_SERVES_CONTENT_OVER_HTTP | 181. Transmit data using secure protocols |
| AWS_CF_DISTRIBUTION_HAS_LOGGING_DISABLED | 075. Record exceptional events in logs
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system |
| AWS_CLOUDFRONT_HAS_LOGGING_DISABLED | 075. Record exceptional events in logs
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system |
| AWS_CLOUDFRONT_INSECURE_PROTOCOLS | 148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
150. Set minimum size for hash functions
181. Transmit data using secure protocols
336. Disable insecure TLS versions |
| AWS_CLOUDTRAIL_FILES_NOT_VALIDATED | 080. Prevent log modification |
| AWS_CLOUDTRAIL_IS_TRAIL_BUCKET_LOGGING_DISABLED | 075. Record exceptional events in logs
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system |
| AWS_CLOUDTRAIL_NOT_LOGGING | 075. Record exceptional events in logs
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system |
| AWS_CLOUDTRAIL_TRAILS_NOT_MULTIREGION | 075. Record exceptional events in logs
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system |
| AWS_COGNITO_HAS_MFA_DISABLED | 229. Request access credentials
231. Implement a biometric verification component
264. Request authentication
319. Make authentication options equally secure
328. Request MFA for critical systems |
| AWS_CREDENTIALS | 145. Protect system cryptographic keys
156. Source code without sensitive information
266. Disable insecure functionalities |
| AWS_DYNAMODB_ENCRYPTED_WITH_AWS_MASTER_KEYS | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_DYNAMODB_HAS_NOT_POINT_IN_TIME_RECOVERY | 186. Use the principle of least privilege
265. Restrict access to critical processes |
| AWS_DYNAMODB_NOT_DEL_PROTEC | 186. Use the principle of least privilege
265. Restrict access to critical processes |
| AWS_EBS_HAS_ENCRYPTION_DISABLED | 185. Encrypt sensitive information
300. Mask sensitive data
266. Disable insecure functionalities |
| AWS_EC2_ACL_ALLOW_ALL_INGRESS_TRAFFIC | 255. Allow access only to the necessary ports |
| AWS_EC2_ACL_ALLOW_EGRESS_TRAFFIC | 255. Allow access only to the necessary ports |
| AWS_EC2_ANYONE_ADMIN_PORTS | 255. Allow access only to the necessary ports |
| AWS_EC2_DEFAULT_ALL_TRAFIC | 255. Allow access only to the necessary ports |
| AWS_EC2_DEFAULT_SECURITY_GROUP | 266. Disable insecure functionalities |
| AWS_EC2_HAS_ASSOCIATE_PUBLIC_IP_ADDRESS | 266. Disable insecure functionalities |
| AWS_EC2_HAS_DEFAULT_SECURITY_GROUPS_IN_USE | 266. Disable insecure functionalities |
| AWS_EC2_HAS_INSTANCES_USING_UNAPPROVED_AMIS | 266. Disable insecure functionalities |
| AWS_EC2_HAS_MODIFY_ATTRIBUTE | 266. Disable insecure functionalities |
| AWS_EC2_HAS_NOT_TERMINATION_PROTECTION | 186. Use the principle of least privilege |
| AWS_EC2_HAS_TERMINATE_SHUTDOWN_BEHAVIOR | 266. Disable insecure functionalities |
| AWS_EC2_HAS_UNENCRYPTED_AMIS | 266. Disable insecure functionalities |
| AWS_EC2_HAS_UNENCRYPTED_SNAPSHOTS | 266. Disable insecure functionalities |
| AWS_EC2_HAS_UNUSED_KEY_PAIRS | 266. Disable insecure functionalities |
| AWS_EC2_HAS_UNUSED_SEGGROUPS | 266. Disable insecure functionalities |
| AWS_EC2_IAM_INSTANCE_WITHOUT_PROFILE | 266. Disable insecure functionalities |
| AWS_EC2_INSECURE_PORT_RANGE | 255. Allow access only to the necessary ports |
| AWS_EC2_INSTANCES_WITHOUT_PROFILE | 255. Allow access only to the necessary ports |
| AWS_EC2_OPEN_ALL_PORTS_TO_THE_PUBLIC | 255. Allow access only to the necessary ports |
| AWS_EC2_SEC_GROUPS_RFC1918 | 255. Allow access only to the necessary ports |
| AWS_EC2_UNRESTRICTED_CIDRS | 255. Allow access only to the necessary ports |
| AWS_EC2_UNRESTRICTED_DNS_ACCESS | 255. Allow access only to the necessary ports |
| AWS_EC2_UNRESTRICTED_FTP_ACCESS | 255. Allow access only to the necessary ports |
| AWS_EC2_UNRESTRICTED_IP_PROTOCOlS | 255. Allow access only to the necessary ports |
| AWS_EC2_VPC_ENDPOINTS_EXPOSED | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_EC2_VPC_WITHOUT_FLOWLOG | 075. Record exceptional events in logs
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system |
| AWS_EFS_IS_ENCRYPTION_DISABLED | 185. Encrypt sensitive information
300. Mask sensitive data
266. Disable insecure functionalities |
| AWS_EKS_HAS_ENDPOINTS_PUBLICLY_ACCESSIBLE | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_ELASTICACHE_REST_ENCRYPTION_DISABLED | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_ELASTICACHE_TRANSIT_ENCRYPTION_DISABLED | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_ELASTICACHE_USES_DEFAULT_PORT | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_ELB2_HAS_NOT_DELETION_PROTECTION | 186. Use the principle of least privilege
265. Restrict access to critical processes |
| AWS_ELB2_HAS_NOT_HTTPS | 181. Transmit data using secure protocols
266. Disable insecure functionalities |
| AWS_ELBV2_HAS_ACCESS_LOGGING_DISABLED | 075. Record exceptional events in logs
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system |
| AWS_ELBV2_INSECURE_PROTOCOLS | 148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
150. Set minimum size for hash functions
181. Transmit data using secure protocols
336. Disable insecure TLS versions |
| AWS_ELBV2_INSECURE_SSL_CIPHER | 148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
150. Set minimum size for hash functions
181. Transmit data using secure protocols
336. Disable insecure TLS versions |
| AWS_HAS_PUBLICLY_SHARED_AMIS | 266. Disable insecure functionalities |
| AWS_IAM_ADMIN_POLICY_ATTACHED | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege
035. Manage privilege modifications |
| AWS_IAM_ALLOWS_PRIV_ESCALATION_BY_ATTACH_POLICY | 035. Manage privilege modifications |
| AWS_IAM_ALLOWS_PRIV_ESCALATION_BY_POLICIES_VERSIONS | 035. Manage privilege modifications |
| AWS_IAM_FULL_ACCESS_SSM | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_IAM_GROUP_WITH_INLINE_POLICY | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_IAM_HAS_MFA_DISABLED | 229. Request access credentials
231. Implement a biometric verification component
264. Request authentication
319. Make authentication options equally secure
328. Request MFA for critical systems |
| AWS_IAM_HAS_OLD_ACCESS_KEYS | 130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords |
| AWS_IAM_HAS_OLD_CREDS_ENABLED | 130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords |
| AWS_IAM_HAS_OLD_SSH_PUBLIC_KEYS | 130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords |
| AWS_IAM_HAS_PERMISSIVE_ROLE_POLICY | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_IAM_HAS_ROOT_ACTIVE_SIGNING_CERTIFICATES | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_IAM_HAS_WILDCARD_RESOURCE_IN_WRITE_ACTION | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_IAM_IS_POLICY_MISS_CONFIGURED | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_IAM_MFA_DISABLED_FOR_USERS_WITH_CONSOLE_PASSWD | 229. Request access credentials
231. Implement a biometric verification component
264. Request authentication
319. Make authentication options equally secure
328. Request MFA for critical systems |
| AWS_IAM_MIN_PASSWORD_LEN_UNSAFE | 130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords |
| AWS_IAM_NEGATIVE_STATEMENT | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_IAM_NOT_REQUIRES_LOWERCASE | 130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords |
| AWS_IAM_NOT_REQUIRES_NUMBERS | 130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords |
| AWS_IAM_NOT_REQUIRES_SYMBOLS | 130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords |
| AWS_IAM_NOT_REQUIRES_UPPERCASE | 130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords |
| AWS_IAM_OPEN_PASSROLE | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_IAM_PASSWORD_EXPIRATION_UNSAFE | 130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords |
| AWS_IAM_PASSWORD_REUSE_UNSAFE | 130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords |
| AWS_IAM_PERMISSIVE_POLICY | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_IAM_POLICIES_ATTACHED_TO_USERS | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_IAM_ROOT_HAS_ACCESS_KEYS | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_IAM_ROOT_HAS_MFA_DISABLED | 229. Request access credentials
231. Implement a biometric verification component
264. Request authentication
319. Make authentication options equally secure
328. Request MFA for critical systems |
| AWS_IAM_USERS_WITH_PASSWORD_AND_ACCESS_KEYS | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_IAM_USER_WITH_INLINE_POLICY | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_IAM_USER_WITH_MULTIPLE_ACCESS_KEYS | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_KMS_HAS_MASTER_KEYS_EXPOSED_TO_EVERYONE | 095. Define users with privileges
096. Set user's required privileges
186. Use the principle of least privilege |
| AWS_KMS_IS_KEY_ROTATION_DISABLED | 266. Disable insecure functionalities |
| AWS_RDS_HAS_NOT_AUTOMATED_BACKUPS | 186. Use the principle of least privilege
265. Restrict access to critical processes |
| AWS_RDS_HAS_NOT_DELETION_PROTECTION | 186. Use the principle of least privilege
265. Restrict access to critical processes |
| AWS_RDS_HAS_PUBLIC_INSTANCES | 096. Set user's required privileges
176. Restrict system objects
265. Restrict access to critical processes |
| AWS_RDS_HAS_PUBLIC_SNAPSHOTS | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_RDS_HAS_UNENCRYPTED_STORAGE | 134. Store passwords with salt
135. Passwords with random salt
185. Encrypt sensitive information
229. Request access credentials
264. Request authentication
300. Mask sensitive data |
| AWS_RDS_NOT_INSIDE_A_DB_SUBNET_GROUP | 255. Allow access only to the necessary ports |
| AWS_RDS_NOT_USES_IAM_AUTHENTICATION | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_RDS_UNRESTRICTED_DB_SECURITY_GROUPS | 255. Allow access only to the necessary ports |
| AWS_REDSHIFT_HAS_AUDIT_LOGS_DISABLED | 075. Record exceptional events in logs
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system |
| AWS_REDSHIFT_HAS_ENCRYPTION_DISABLED | 185. Encrypt sensitive information
300. Mask sensitive data |
| AWS_REDSHIFT_HAS_PUBLIC_CLUSTERS | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_REDSHIFT_HAS_USER_ACTIVITY_LOG_DISABLED | 075. Record exceptional events in logs
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system |
| AWS_REDSHIFT_NOT_REQUIRES_SSL | 185. Encrypt sensitive information
265. Restrict access to critical processes
266. Disable insecure functionalities |
| AWS_S3_ACL_PUBLIC_BUCKETS | 096. Set user's required privileges
176. Restrict system objects
264. Request authentication
320. Avoid client-side control enforcement |
| AWS_S3_BUCKETS_ALLOW_UNAUTHORIZED_PUBLIC_ACCESS | 096. Set user's required privileges |
| AWS_S3_BUCKETS_ALLOW_UNAUTHORIZED_PUBLIC_ACCESS | 176. Restrict system objects |
| AWS_S3_BUCKETS_ALLOW_UNAUTHORIZED_PUBLIC_ACCESS | 264. Request authentication |
| AWS_S3_BUCKETS_ALLOW_UNAUTHORIZED_PUBLIC_ACCESS | 320. Avoid client-side control enforcement |
| AWS_S3_BUCKET_POLICY_ENCRYPTION_DISABLE | 134. Store passwords with salt |
| AWS_S3_BUCKET_POLICY_ENCRYPTION_DISABLE | 135. Passwords with random salt |
| AWS_S3_BUCKET_POLICY_ENCRYPTION_DISABLE | 185. Encrypt sensitive information |
| AWS_S3_BUCKET_POLICY_ENCRYPTION_DISABLE | 227. Display access notification |
| AWS_S3_BUCKET_POLICY_ENCRYPTION_DISABLE | 229. Request access credentials |
| AWS_S3_BUCKET_POLICY_ENCRYPTION_DISABLE | 264. Request authentication |
| AWS_S3_BUCKET_POLICY_ENCRYPTION_DISABLE | 300. Mask sensitive data |
| AWS_S3_BUCKET_VERSIONING_DISABLED | 266. Disable insecure functionalities |
| AWS_S3_HAS_ACCESS_LOGGING_DISABLED | 075. Record exceptional events in logs |
| AWS_S3_HAS_ACCESS_LOGGING_DISABLED | 376. Register severity level |
| AWS_S3_HAS_ACCESS_LOGGING_DISABLED | 377. Store logs based on valid regulation |
| AWS_S3_HAS_ACCESS_LOGGING_DISABLED | 378. Use of log management system |
| AWS_S3_HAS_INSECURE_TRANSPORT | 181. Transmit data using secure protocols |
| AWS_S3_PRIVATE_BUCKETS_NOT_BLOCKING_PUBLIC_ACLS | 095. Define users with privileges |
| AWS_S3_PRIVATE_BUCKETS_NOT_BLOCKING_PUBLIC_ACLS | 096. Set user's required privileges |
| AWS_S3_PRIVATE_BUCKETS_NOT_BLOCKING_PUBLIC_ACLS | 186. Use the principle of least privilege |
| AWS_S3_PUBLIC_BUCKETS | 095. Define users with privileges |
| AWS_S3_PUBLIC_BUCKETS | 096. Set user's required privileges |
| AWS_S3_PUBLIC_BUCKETS | 186. Use the principle of least privilege |
| AWS_SECRETS_HAS_AUTOMATIC_ROTATION_DISABLED | 266. Disable insecure functionalities |
| AWS_SNS_CAN_ANYONE_PUBLISH | 185. Encrypt sensitive information |
| AWS_SNS_CAN_ANYONE_PUBLISH | 265. Restrict access to critical processes |
| AWS_SNS_CAN_ANYONE_PUBLISH | 266. Disable insecure functionalities |
| AWS_SNS_CAN_ANYONE_SUBSCRIBE | 185. Encrypt sensitive information |
| AWS_SNS_CAN_ANYONE_SUBSCRIBE | 265. Restrict access to critical processes |
| AWS_SNS_CAN_ANYONE_SUBSCRIBE | 266. Disable insecure functionalities |
| AWS_SNS_HAS_SERVER_SIDE_ENCRYPTION_DISABLED | 185. Encrypt sensitive information |
| AWS_SNS_HAS_SERVER_SIDE_ENCRYPTION_DISABLED | 265. Restrict access to critical processes |
| AWS_SNS_HAS_SERVER_SIDE_ENCRYPTION_DISABLED | 266. Disable insecure functionalities |
| AWS_SQS_HAS_ENCRYPTION_DISABLED | 185. Encrypt sensitive information |
| AWS_SQS_HAS_ENCRYPTION_DISABLED | 265. Restrict access to critical processes |
| AWS_SQS_HAS_ENCRYPTION_DISABLED | 266. Disable insecure functionalities |
| AWS_SQS_IS_PUBLIC | 095. Define users with privileges |
| AWS_SQS_IS_PUBLIC | 096. Set user's required privileges |
| AWS_SQS_IS_PUBLIC | 186. Use the principle of least privilege |