diff --git a/.github/workflows/verify-specs.yaml b/.github/workflows/verify-specs.yaml
new file mode 100755
index 00000000..b3e6fae3
--- /dev/null
+++ b/.github/workflows/verify-specs.yaml
@@ -0,0 +1,21 @@
+name: Verify Specs
+  pull_request:
+  merge_group:
+  build:
+    name: Verify Specs
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
+      with:
+        go-version-file: go.mod
+    - run: |
+        make generate-specs
+        if [ -n "$(git status --porcelain)" ]; then
+          echo "Run 'generate-specs' and push it"
+          exit 1
+        fi
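Review bot: The job declares no `permissions:` block, so the GITHUB_TOKEN it receives carries the repository's default scopes even though the steps only check out, build and inspect the tree; add `permissions:` / `  contents: read` at the top of the workflow. `actions/checkout@v4` and `actions/setup-go@v5` are mutable tags, so pinning both to a full commit SHA (tag kept in a trailing comment) protects this gate from a retagged action. Running `git diff` before the `exit 1` would make a failure actionable from the log alone. The file is also added with mode 100755; a workflow YAML does not need the executable bit. The `on:` and `jobs:` keys are not visible in this view, presumably lost in extraction.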
diff --git a/Makefile b/Makefile
index e6c528cd..e5f404d0 100644
--- a/Makefile
+++ b/Makefile
@@ -49,4 +49,8 @@ verify-bundle:
 	rm scripts/bundle.tar.gz
-	go build ./cmd/opa
\ No newline at end of file
+	go build ./cmd/opa
+.PHONY: generate-specs
+	go run ./cmd/specs
diff --git a/cmd/specs/main.go b/cmd/specs/main.go
new file mode 100644
index 00000000..7d835544
--- /dev/null
+++ b/cmd/specs/main.go
@@ -0,0 +1,93 @@
+package main
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+	"gopkg.in/yaml.v3"
+	"github.com/aquasecurity/trivy/pkg/iac/framework"
+	"github.com/aquasecurity/trivy/pkg/iac/rego"
+	"github.com/aquasecurity/trivy/pkg/iac/rules"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+const complianceDirPath = "pkg/specs/compliance/"
+var specs = map[framework.Framework]*iacTypes.Spec{
+	framework.CIS_AWS_1_2: {
+		ID:          "aws-cis-1.2",
+		Title:       "AWS CIS Foundations v1.2",
+		Description: "AWS CIS Foundations",
+		Version:     "1.2",
+		Platform:    "aws",
+		Type:        "cis",
+		RelatedResources: []string{
+			"https://www.cisecurity.org/benchmark/amazon_web_services",
+		},
+	},
+	framework.CIS_AWS_1_4: {
+		ID:          "aws-cis-1.4",
+		Title:       "AWS CIS Foundations v1.4",
+		Description: "AWS CIS Foundations",
+		Version:     "1.4",
+		Platform:    "aws",
+		Type:        "cis",
+		RelatedResources: []string{
+			"https://www.cisecurity.org/benchmark/amazon_web_services",
+		},
+	},
+func main() {
+	frameworks := make([]framework.Framework, 0, len(specs))
+	for f := range specs {
+		frameworks = append(frameworks, f)
+	}
+	// Clean up all Go checks
+	rules.Reset()
+	// Load Rego checks
+	rego.LoadAndRegister()
+	for _, rule := range rules.GetRegistered(frameworks...) {
+		for f, controlIDs := range rule.Frameworks {
+			for _, id := range controlIDs {
+				specs[f].Controls = append(specs[f].Controls, iacTypes.Control{
+					ID:          id,
+					Name:        rule.ShortCode,
+					Description: rule.Summary,
+					Severity:    iacTypes.Severity(rule.Severity),
+					Checks:      []iacTypes.SpecCheck{{ID: rule.AVDID}},
+				})
+			}
+		}
+	}
+	for _, spec := range specs {
+		sort.Slice(spec.Controls, func(i, j int) bool {
+			return strings.Compare(spec.Controls[i].ID, spec.Controls[j].ID) < 0
+		})
+	}
+	for _, c := range specs {
+		if err := writeCompliance(c, complianceDirPath); err != nil {
+			panic(err)
+		}
+	}
+func writeCompliance(spec *iacTypes.Spec, path string) error {
+	file, err := os.Create(filepath.Join(path, fmt.Sprintf("%s.yaml", spec.ID)))
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	encoder := yaml.NewEncoder(file)
+	encoder.SetIndent(2)
+	return encoder.Encode(iacTypes.ComplianceSpec{Spec: *spec})
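Review bot: The regenerated `pkg/specs/compliance/aws-cis-1.4.yaml` in this commit no longer carries controls 1.16 (`AVD-AWS-0057`) and 1.17 (`AVD-AWS-0169`) that the hand-maintained file had, and nothing in `main` can notice that: a spec is built solely from `rule.Frameworks`, so a check whose metadata lacks the framework mapping silently drops out of the compliance report. Consider logging every registered rule that contributes no control to any spec, or failing when a spec ends up empty, so a lost control shows up in CI rather than only in a reviewer's reading of the YAML diff. In the inner loop, `specs[f].Controls` dereferences a nil `*Spec` if `rules.GetRegistered` returns a rule that is also tagged with a framework outside `specs` (I cannot see whether it filters `rule.Frameworks` itself), so look the spec up with `spec, ok := specs[f]` and skip unknown frameworks. The final `sort.Slice` is not stable and keys only on the control ID while the generated aws-cis-1.4.yaml contains `"1.4"` twice; with rule order coming from map iteration, the relative order of those entries can change between runs and trip the new verify-specs check, so use `sort.SliceStable` with the check ID as a tiebreaker. `strings.Compare` also places `"1.10"` before `"1.2"`; a numeric-aware comparison would give the natural CIS order.
```go
	for _, rule := range rules.GetRegistered(frameworks...) {
		for f, controlIDs := range rule.Frameworks {
			spec, ok := specs[f]
			if !ok {
				// rule is also tagged with a framework this generator does not emit
				continue
			}
			for _, id := range controlIDs {
				spec.Controls = append(spec.Controls, iacTypes.Control{
					// … unchanged: control fields …
				})
			}
		}
	}
	for _, spec := range specs {
		// stable sort with a secondary key so duplicate control IDs keep a fixed order across runs
		sort.SliceStable(spec.Controls, func(i, j int) bool {
			a, b := spec.Controls[i], spec.Controls[j]
			if a.ID != b.ID {
				return a.ID < b.ID
			}
			return a.Checks[0].ID < b.Checks[0].ID
		})
	}
	// … unchanged: writeCompliance loop …
```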
diff --git a/pkg/specs/compliance/aws-cis-1.2.yaml b/pkg/specs/compliance/aws-cis-1.2.yaml
index 3d8d4eeb..f7780468 100644
--- a/pkg/specs/compliance/aws-cis-1.2.yaml
+++ b/pkg/specs/compliance/aws-cis-1.2.yaml
@@ -3,216 +3,212 @@ spec:
   title: AWS CIS Foundations v1.2
   description: AWS CIS Foundations
   version: "1.2"
-  platfrom: aws
+  platform: aws
   type: cis
-  - https://www.cisecurity.org/benchmark/amazon_web_services
+    - https://www.cisecurity.org/benchmark/amazon_web_services
-  - id: "1.1"
-    name: limit-root-account-usage
-    description: |-
-      The "root" account has unrestricted access to all resources in the AWS account. It is highly
-      recommended that the use of this account be avoided.
-    checks:
-    - id: AVD-AWS-0140
-    severity: LOW
-  - id: "1.10"
-    name: no-password-reuse
-    description: IAM Password policy should prevent password reuse.
-    checks:
-    - id: AVD-AWS-0056
-    severity: MEDIUM
-  - id: "1.11"
-    name: set-max-password-age
-    description: IAM Password policy should have expiry less than or equal to 90 days.
-    checks:
-    - id: AVD-AWS-0062
-    severity: MEDIUM
-  - id: "1.12"
-    name: no-root-access-keys
-    description: The root user has complete access to all services and resources in an AWS account. AWS Access Keys provide programmatic access to a given account.
-    checks:
-    - id: AVD-AWS-0141
-    severity: CRITICAL
-  - id: "1.13"
-    name: enforce-root-mfa
-    description: |-
-      The "root" account has unrestricted access to all resources in the AWS account. It is highly
-      recommended that this account have MFA enabled.
-    checks:
-    - id: AVD-AWS-0142
-    severity: CRITICAL
-  - id: "1.16"
-    name: no-user-attached-policies
-    description: IAM policies should not be granted directly to users.
-    checks:
-    - id: AVD-AWS-0143
-    severity: LOW
-  - id: "1.2"
-    name: enforce-user-mfa
-    description: IAM Users should have MFA enforcement activated.
-    checks:
-    - id: AVD-AWS-0145
-    severity: MEDIUM
-  - id: "1.3"
-    name: disable-unused-credentials
-    description: Credentials which are no longer used should be disabled.
-    checks:
-    - id: AVD-AWS-0144
-    severity: MEDIUM
-  - id: "1.4"
-    name: rotate-access-keys
-    description: Access keys should be rotated at least every 90 days
-    checks:
-    - id: AVD-AWS-0146
-    severity: LOW
-  - id: "1.5"
-    name: require-uppercase-in-passwords
-    description: IAM Password policy should have requirement for at least one uppercase character.
-    checks:
-    - id: AVD-AWS-0061
-    severity: MEDIUM
-  - id: "1.6"
-    name: require-lowercase-in-passwords
-    description: IAM Password policy should have requirement for at least one lowercase character.
-    checks:
-    - id: AVD-AWS-0058
-    severity: MEDIUM
-  - id: "1.7"
-    name: require-symbols-in-passwords
-    description: IAM Password policy should have requirement for at least one symbol in the password.
-    checks:
-    - id: AVD-AWS-0060
-    severity: MEDIUM
-  - id: "1.8"
-    name: require-numbers-in-passwords
-    description: IAM Password policy should have requirement for at least one number in the password.
-    checks:
-    - id: AVD-AWS-0059
-    severity: MEDIUM
-  - id: "1.9"
-    name: set-minimum-password-length
-    description: IAM Password policy should have minimum password length of 14 or more characters.
-    checks:
-    - id: AVD-AWS-0063
-    severity: MEDIUM
-  - id: "2.3"
-    name: no-public-log-access
-    description: The S3 Bucket backing Cloudtrail should be private
-    checks:
-    - id: AVD-AWS-0161
-    severity: CRITICAL
-  - id: "2.4"
-    name: ensure-cloudwatch-integration
-    description: CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs
-    checks:
-    - id: AVD-AWS-0162
-    severity: LOW
-  - id: "2.5"
-    name: enable-all-regions
-    description: Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed
-    checks:
-    - id: AVD-AWS-0014
-    severity: MEDIUM
-  - id: "2.6"
-    name: require-bucket-access-logging
-    description: You should enable bucket access logging on the CloudTrail S3 bucket.
-    checks:
-    - id: AVD-AWS-0163
-    severity: LOW
-  - id: "3.1"
-    name: require-unauthorised-api-call-alarm
-    description: Ensure a log metric filter and alarm exist for unauthorized API calls
-    checks:
-    - id: AVD-AWS-0147
-    severity: LOW
-  - id: "3.10"
-    name: require-sg-change-alarms
-    description: Ensure a log metric filter and alarm exist for security group changes
-    checks:
-    - id: AVD-AWS-0156
-    severity: LOW
-  - id: "3.11"
-    name: require-nacl-changes-alarm
-    description: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
-    checks:
-    - id: AVD-AWS-0157
-    severity: LOW
-  - id: "3.12"
-    name: require-network-gateway-changes-alarm
-    description: Ensure a log metric filter and alarm exist for changes to network gateways
-    checks:
-    - id: AVD-AWS-0158
-    severity: LOW
-  - id: "3.13"
-    name: require-network-gateway-changes-alarm
-    description: Ensure a log metric filter and alarm exist for route table changes
-    checks:
-    - id: AVD-AWS-0159
-    severity: LOW
-  - id: "3.14"
-    name: require-vpc-changes-alarm
-    description: Ensure a log metric filter and alarm exist for VPC changes
-    checks:
-    - id: AVD-AWS-0160
-    severity: LOW
-  - id: "3.2"
-    name: require-non-mfa-login-alarm
-    description: Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
-    checks:
-    - id: AVD-AWS-0148
-    severity: LOW
-  - id: "3.3"
-    name: require-root-user-usage-alarm
-    description: Ensure a log metric filter and alarm exist for usage of root user
-    checks:
-    - id: AVD-AWS-0149
-    severity: LOW
-  - id: "3.4"
-    name: require-iam-policy-change-alarm
-    description: Ensure a log metric filter and alarm exist for IAM policy changes
-    checks:
-    - id: AVD-AWS-0150
-    severity: LOW
-  - id: "3.5"
-    name: require-cloud-trail-change-alarm
-    description: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
-    checks:
-    - id: AVD-AWS-0151
-    severity: LOW
-  - id: "3.6"
-    name: require-console-login-failures-alarm
-    description: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
-    checks:
-    - id: AVD-AWS-0152
-    severity: LOW
-  - id: "3.7"
-    name: require-cmk-disabled-alarm
-    description: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
-    checks:
-    - id: AVD-AWS-0153
-    severity: LOW
-  - id: "3.8"
-    name: require-s3-bucket-policy-change-alarm
-    description: Ensure a log metric filter and alarm exist for S3 bucket policy changes
-    checks:
-    - id: AVD-AWS-0154
-    severity: LOW
-  - id: "3.9"
-    name: require-config-configuration-changes-alarm
-    description: Ensure a log metric filter and alarm exist for AWS Config configuration changes
-    checks:
-    - id: AVD-AWS-0155
-    severity: LOW
-  - id: "4.1"
-    name: no-public-ingress-sgr
-    description: Security groups should not allow ingress from or ::/0 to port 22 or port 3389.
-    checks:
-    - id: AVD-AWS-0107
-    severity: HIGH
-  - id: "4.2"
-    name: no-public-ingress-sgr
-    description: Security groups should not allow ingress from or ::/0 to port 22 or port 3389.
-    checks:
-    - id: AVD-AWS-0107
-    severity: HIGH
\ No newline at end of file
+    - id: "1.1"
+      name: limit-root-account-usage
+      description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.
+      checks:
+        - id: AVD-AWS-0140
+      severity: LOW
+    - id: "1.10"
+      name: no-password-reuse
+      description: IAM Password policy should prevent password reuse.
+      checks:
+        - id: AVD-AWS-0056
+      severity: MEDIUM
+    - id: "1.11"
+      name: set-max-password-age
+      description: IAM Password policy should have expiry less than or equal to 90 days.
+      checks:
+        - id: AVD-AWS-0062
+      severity: MEDIUM
+    - id: "1.12"
+      name: no-root-access-keys
+      description: The root user has complete access to all services and resources in an AWS account. AWS Access Keys provide programmatic access to a given account.
+      checks:
+        - id: AVD-AWS-0141
+      severity: CRITICAL
+    - id: "1.13"
+      name: enforce-root-mfa
+      description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that this account have MFA enabled.
+      checks:
+        - id: AVD-AWS-0142
+      severity: CRITICAL
+    - id: "1.16"
+      name: no-user-attached-policies
+      description: IAM policies should not be granted directly to users.
+      checks:
+        - id: AVD-AWS-0143
+      severity: LOW
+    - id: "1.2"
+      name: enforce-user-mfa
+      description: IAM Users should have MFA enforcement activated.
+      checks:
+        - id: AVD-AWS-0145
+      severity: MEDIUM
+    - id: "1.3"
+      name: disable-unused-credentials
+      description: Credentials which are no longer used should be disabled.
+      checks:
+        - id: AVD-AWS-0144
+      severity: MEDIUM
+    - id: "1.4"
+      name: rotate-access-keys
+      description: Access keys should be rotated at least every 90 days
+      checks:
+        - id: AVD-AWS-0146
+      severity: LOW
+    - id: "1.5"
+      name: require-uppercase-in-passwords
+      description: IAM Password policy should have requirement for at least one uppercase character.
+      checks:
+        - id: AVD-AWS-0061
+      severity: MEDIUM
+    - id: "1.6"
+      name: require-lowercase-in-passwords
+      description: IAM Password policy should have requirement for at least one lowercase character.
+      checks:
+        - id: AVD-AWS-0058
+      severity: MEDIUM
+    - id: "1.7"
+      name: require-symbols-in-passwords
+      description: IAM Password policy should have requirement for at least one symbol in the password.
+      checks:
+        - id: AVD-AWS-0060
+      severity: MEDIUM
+    - id: "1.8"
+      name: require-numbers-in-passwords
+      description: IAM Password policy should have requirement for at least one number in the password.
+      checks:
+        - id: AVD-AWS-0059
+      severity: MEDIUM
+    - id: "1.9"
+      name: set-minimum-password-length
+      description: IAM Password policy should have minimum password length of 14 or more characters.
+      checks:
+        - id: AVD-AWS-0063
+      severity: MEDIUM
+    - id: "2.3"
+      name: no-public-log-access
+      description: The S3 Bucket backing Cloudtrail should be private
+      checks:
+        - id: AVD-AWS-0161
+      severity: CRITICAL
+    - id: "2.4"
+      name: ensure-cloudwatch-integration
+      description: CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs
+      checks:
+        - id: AVD-AWS-0162
+      severity: LOW
+    - id: "2.5"
+      name: enable-all-regions
+      description: Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed
+      checks:
+        - id: AVD-AWS-0014
+      severity: MEDIUM
+    - id: "2.6"
+      name: require-bucket-access-logging
+      description: You should enable bucket access logging on the CloudTrail S3 bucket.
+      checks:
+        - id: AVD-AWS-0163
+      severity: LOW
+    - id: "3.1"
+      name: require-unauthorised-api-call-alarm
+      description: Ensure a log metric filter and alarm exist for unauthorized API calls
+      checks:
+        - id: AVD-AWS-0147
+      severity: LOW
+    - id: "3.10"
+      name: require-sg-change-alarms
+      description: Ensure a log metric filter and alarm exist for security group changes
+      checks:
+        - id: AVD-AWS-0156
+      severity: LOW
+    - id: "3.11"
+      name: require-nacl-changes-alarm
+      description: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
+      checks:
+        - id: AVD-AWS-0157
+      severity: LOW
+    - id: "3.12"
+      name: require-network-gateway-changes-alarm
+      description: Ensure a log metric filter and alarm exist for changes to network gateways
+      checks:
+        - id: AVD-AWS-0158
+      severity: LOW
+    - id: "3.13"
+      name: require-network-gateway-changes-alarm
+      description: Ensure a log metric filter and alarm exist for route table changes
+      checks:
+        - id: AVD-AWS-0159
+      severity: LOW
+    - id: "3.14"
+      name: require-vpc-changes-alarm
+      description: Ensure a log metric filter and alarm exist for VPC changes
+      checks:
+        - id: AVD-AWS-0160
+      severity: LOW
+    - id: "3.2"
+      name: require-non-mfa-login-alarm
+      description: Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
+      checks:
+        - id: AVD-AWS-0148
+      severity: LOW
+    - id: "3.3"
+      name: require-root-user-usage-alarm
+      description: Ensure a log metric filter and alarm exist for usage of root user
+      checks:
+        - id: AVD-AWS-0149
+      severity: LOW
+    - id: "3.4"
+      name: require-iam-policy-change-alarm
+      description: Ensure a log metric filter and alarm exist for IAM policy changes
+      checks:
+        - id: AVD-AWS-0150
+      severity: LOW
+    - id: "3.5"
+      name: require-cloud-trail-change-alarm
+      description: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
+      checks:
+        - id: AVD-AWS-0151
+      severity: LOW
+    - id: "3.6"
+      name: require-console-login-failures-alarm
+      description: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
+      checks:
+        - id: AVD-AWS-0152
+      severity: LOW
+    - id: "3.7"
+      name: require-cmk-disabled-alarm
+      description: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
+      checks:
+        - id: AVD-AWS-0153
+      severity: LOW
+    - id: "3.8"
+      name: require-s3-bucket-policy-change-alarm
+      description: Ensure a log metric filter and alarm exist for S3 bucket policy changes
+      checks:
+        - id: AVD-AWS-0154
+      severity: LOW
+    - id: "3.9"
+      name: require-config-configuration-changes-alarm
+      description: Ensure a log metric filter and alarm exist for AWS Config configuration changes
+      checks:
+        - id: AVD-AWS-0155
+      severity: LOW
+    - id: "4.1"
+      name: no-public-ingress-sgr
+      description: Security groups should not allow ingress from or ::/0 to port 22 or port 3389.
+      checks:
+        - id: AVD-AWS-0107
+      severity: HIGH
+    - id: "4.2"
+      name: no-public-ingress-sgr
+      description: Security groups should not allow ingress from or ::/0 to port 22 or port 3389.
+      checks:
+        - id: AVD-AWS-0107
+      severity: HIGH
diff --git a/pkg/specs/compliance/aws-cis-1.4.yaml b/pkg/specs/compliance/aws-cis-1.4.yaml
index 9193a446..58025e2f 100644
--- a/pkg/specs/compliance/aws-cis-1.4.yaml
+++ b/pkg/specs/compliance/aws-cis-1.4.yaml
@@ -3,245 +3,224 @@ spec:
   title: AWS CIS Foundations v1.4
   description: AWS CIS Foundations
   version: "1.4"
-  platfrom: aws
+  platform: aws
   type: cis
-  - https://www.cisecurity.org/benchmark/amazon_web_services
+    - https://www.cisecurity.org/benchmark/amazon_web_services
-  - id: 2.1.3
-    name: require-mfa-delete
-    description: Buckets should have MFA deletion protection enabled.
-    checks:
-    - id: AVD-AWS-0170
-    severity: LOW
-  - id: "1.12"
-    name: disable-unused-credentials-45-days
-    description: |-
-      AWS IAM users can access AWS resources using different types of credentials, such as
-      passwords or access keys. It is recommended that all credentials that have been unused in
-      45 or greater days be deactivated or removed.
-    checks:
-    - id: AVD-AWS-0166
-    severity: LOW
-  - id: "1.13"
-    name: limit-user-access-keys
-    description: No user should have more than one active access key.
-    checks:
-    - id: AVD-AWS-0167
-    severity: LOW
-  - id: "1.14"
-    name: rotate-access-keys
-    description: Access keys should be rotated at least every 90 days
-    checks:
-    - id: AVD-AWS-0146
-    severity: LOW
-  - id: "1.15"
-    name: no-user-attached-policies
-    description: IAM policies should not be granted directly to users.
-    checks:
-    - id: AVD-AWS-0143
-    severity: LOW
-  - id: "1.16"
-    name: no-policy-wildcards
-    description: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
-    checks:
-    - id: AVD-AWS-0057
-    severity: HIGH
-  - id: "1.17"
-    name: require-support-role
-    description: Missing IAM Role to allow authorized users to manage incidents with AWS Support.
-    checks:
-    - id: AVD-AWS-0169
-    severity: LOW
-  - id: "1.19"
-    name: remove-expired-certificates
-    description: Delete expired TLS certificates
-    checks:
-    - id: AVD-AWS-0168
-    severity: LOW
-  - id: "1.20"
-    name: enable-access-analyzer
-    description: Enable IAM Access analyzer for IAM policies about all resources in each region.
-    checks:
-    - id: AVD-AWS-0175
-    severity: LOW
-  - id: "1.4"
-    name: enforce-user-mfa
-    description: IAM Users should have MFA enforcement activated.
-    checks:
-    - id: AVD-AWS-0145
-    severity: MEDIUM
-  - id: "1.4"
-    name: no-root-access-keys
-    description: The root user has complete access to all services and resources in an AWS account. AWS Access Keys provide programmatic access to a given account.
-    checks:
-    - id: AVD-AWS-0141
-    severity: CRITICAL
-  - id: "1.5"
-    name: enforce-root-mfa
-    description: |-
-      The "root" account has unrestricted access to all resources in the AWS account. It is highly
-      recommended that this account have MFA enabled.
-    checks:
-    - id: AVD-AWS-0142
-    severity: CRITICAL
-  - id: "1.6"
-    name: enforce-root-hardware-mfa
-    description: |-
-      The "root" account has unrestricted access to all resources in the AWS account. It is highly
-      recommended that this account have hardware MFA enabled.
-    checks:
-    - id: AVD-AWS-0165
-    severity: MEDIUM
-  - id: "1.7"
-    name: limit-root-account-usage
-    description: |-
-      The "root" account has unrestricted access to all resources in the AWS account. It is highly
-      recommended that the use of this account be avoided.
-    checks:
-    - id: AVD-AWS-0140
-    severity: LOW
-  - id: "1.8"
-    name: set-minimum-password-length
-    description: IAM Password policy should have minimum password length of 14 or more characters.
-    checks:
-    - id: AVD-AWS-0063
-    severity: MEDIUM
-  - id: "1.9"
-    name: no-password-reuse
-    description: IAM Password policy should prevent password reuse.
-    checks:
-    - id: AVD-AWS-0056
-    severity: MEDIUM
-  - id: "3.10"
-    name: enable-object-write-logging
-    description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
-    checks:
-    - id: AVD-AWS-0171
-    severity: LOW
-  - id: "3.11"
-    name: enable-object-read-logging
-    description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
-    checks:
-    - id: AVD-AWS-0172
-    severity: LOW
-  - id: "3.3"
-    name: no-public-log-access
-    description: The S3 Bucket backing Cloudtrail should be private
-    checks:
-    - id: AVD-AWS-0161
-    severity: CRITICAL
-  - id: "3.4"
-    name: ensure-cloudwatch-integration
-    description: CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs
-    checks:
-    - id: AVD-AWS-0162
-    severity: LOW
-  - id: "3.6"
-    name: require-bucket-access-logging
-    description: You should enable bucket access logging on the CloudTrail S3 bucket.
-    checks:
-    - id: AVD-AWS-0163
-    severity: LOW
-  - id: "4.10"
-    name: require-sg-change-alarms
-    description: Ensure a log metric filter and alarm exist for security group changes
-    checks:
-    - id: AVD-AWS-0156
-    severity: LOW
-  - id: "4.1"
-    name: require-unauthorised-api-call-alarm
-    description: Ensure a log metric filter and alarm exist for unauthorized API calls
-    checks:
-    - id: AVD-AWS-0147
-    severity: LOW
-  - id: "4.11"
-    name: require-nacl-changes-alarm
-    description: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
-    checks:
-    - id: AVD-AWS-0157
-    severity: LOW
-  - id: "4.12"
-    name: require-network-gateway-changes-alarm
-    description: Ensure a log metric filter and alarm exist for changes to network gateways
-    checks:
-    - id: AVD-AWS-0158
-    severity: LOW
-  - id: "4.13"
-    name: require-network-gateway-changes-alarm
-    description: Ensure a log metric filter and alarm exist for route table changes
-    checks:
-    - id: AVD-AWS-0159
-    severity: LOW
-  - id: "4.14"
-    name: require-vpc-changes-alarm
-    description: Ensure a log metric filter and alarm exist for VPC changes
-    checks:
-    - id: AVD-AWS-0160
-    severity: LOW
-  - id: "4.15"
-    name: require-org-changes-alarm
-    description: Ensure a log metric filter and alarm exist for organisation changes
-    checks:
-    - id: AVD-AWS-0174
-    severity: LOW
-  - id: "4.2"
-    name: require-non-mfa-login-alarm
-    description: Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
-    checks:
-    - id: AVD-AWS-0148
-    severity: LOW
-  - id: "4.3"
-    name: require-root-user-usage-alarm
-    description: Ensure a log metric filter and alarm exist for usage of root user
-    checks:
-    - id: AVD-AWS-0149
-    severity: LOW
-  - id: "4.4"
-    name: require-iam-policy-change-alarm
-    description: Ensure a log metric filter and alarm exist for IAM policy changes
-    checks:
-    - id: AVD-AWS-0150
-    severity: LOW
-  - id: "4.5"
-    name: require-cloud-trail-change-alarm
-    description: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
-    checks:
-    - id: AVD-AWS-0151
-    severity: LOW
-  - id: "4.6"
-    name: require-console-login-failures-alarm
-    description: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
-    checks:
-    - id: AVD-AWS-0152
-    severity: LOW
-  - id: "4.7"
-    name: require-cmk-disabled-alarm
-    description: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
-    checks:
-    - id: AVD-AWS-0153
-    severity: LOW
-  - id: "4.8"
-    name: require-s3-bucket-policy-change-alarm
-    description: Ensure a log metric filter and alarm exist for S3 bucket policy changes
-    checks:
-    - id: AVD-AWS-0154
-    severity: LOW
-  - id: "4.9"
-    name: require-config-configuration-changes-alarm
-    description: Ensure a log metric filter and alarm exist for AWS Config configuration changes
-    checks:
-    - id: AVD-AWS-0155
-    severity: LOW
-  - id: "5.1"
-    name: aws-vpc-no-public-ingress-acl
-    description: Network ACLs should not allow ingress from to port 22 or port 3389.
-    checks:
-    - id: AVD-AWS-0105
-    severity: MEDIUM
-  - id: "5.3"
-    name: restrict-all-in-default-sg
-    description: Default security group should restrict all traffic
-    checks:
-    - id: AVD-AWS-0173
-    severity: LOW
\ No newline at end of file
+    - id: "1.12"
+      name: disable-unused-credentials-45-days
+      description: Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.
+      checks:
+        - id: AVD-AWS-0166
+      severity: LOW
+    - id: "1.13"
+      name: limit-user-access-keys
+      description: No user should have more than one active access key.
+      checks:
+        - id: AVD-AWS-0167
+      severity: LOW
+    - id: "1.14"
+      name: rotate-access-keys
+      description: Access keys should be rotated at least every 90 days
+      checks:
+        - id: AVD-AWS-0146
+      severity: LOW
+    - id: "1.15"
+      name: no-user-attached-policies
+      description: IAM policies should not be granted directly to users.
+      checks:
+        - id: AVD-AWS-0143
+      severity: LOW
+    - id: "1.19"
+      name: remove-expired-certificates
+      description: Delete expired TLS certificates
+      checks:
+        - id: AVD-AWS-0168
+      severity: LOW
+    - id: "1.20"
+      name: enable-access-analyzer
+      description: Enable IAM Access analyzer for IAM policies about all resources in each region.
+      checks:
+        - id: AVD-AWS-0175
+      severity: LOW
+    - id: "1.4"
+      name: enforce-user-mfa
+      description: IAM Users should have MFA enforcement activated.
+      checks:
+        - id: AVD-AWS-0145
+      severity: MEDIUM
+    - id: "1.4"
+      name: no-root-access-keys
+      description: The root user has complete access to all services and resources in an AWS account. AWS Access Keys provide programmatic access to a given account.
+      checks:
+        - id: AVD-AWS-0141
+      severity: CRITICAL
+    - id: "1.5"
+      name: enforce-root-mfa
+      description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that this account have MFA enabled.
+      checks:
+        - id: AVD-AWS-0142
+      severity: CRITICAL
+    - id: "1.6"
+      name: enforce-root-hardware-mfa
+      description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that this account have hardware MFA enabled.
+      checks:
+        - id: AVD-AWS-0165
+      severity: MEDIUM
+    - id: "1.7"
+      name: limit-root-account-usage
+      description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.
+      checks:
+        - id: AVD-AWS-0140
+      severity: LOW
+    - id: "1.8"
+      name: set-minimum-password-length
+      description: IAM Password policy should have minimum password length of 14 or more characters.
+      checks:
+        - id: AVD-AWS-0063
+      severity: MEDIUM
+    - id: "1.9"
+      name: no-password-reuse
+      description: IAM Password policy should prevent password reuse.
+      checks:
+        - id: AVD-AWS-0056
+      severity: MEDIUM
+    - id: 2.1.3
+      name: require-mfa-delete
+      description: Buckets should have MFA deletion protection enabled.
+      checks:
+        - id: AVD-AWS-0170
+      severity: LOW
+    - id: "3.10"
+      name: enable-object-write-logging
+      description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
+      checks:
+        - id: AVD-AWS-0171
+      severity: LOW
+    - id: "3.11"
+      name: enable-object-read-logging
+      description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
+      checks:
+        - id: AVD-AWS-0172
+      severity: LOW
+    - id: "3.3"
+      name: no-public-log-access
+      description: The S3 Bucket backing Cloudtrail should be private
+      checks:
+        - id: AVD-AWS-0161
+      severity: CRITICAL
+    - id: "3.4"
+      name: ensure-cloudwatch-integration
+      description: CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs
+      checks:
+        - id: AVD-AWS-0162
+      severity: LOW
+    - id: "3.6"
+      name: require-bucket-access-logging
+      description: You should enable bucket access logging on the CloudTrail S3 bucket.
+      checks:
+        - id: AVD-AWS-0163
+      severity: LOW
+    - id: "4.1"
+      name: require-unauthorised-api-call-alarm
+      description: Ensure a log metric filter and alarm exist for unauthorized API calls
+      checks:
+        - id: AVD-AWS-0147
+      severity: LOW
+    - id: "4.10"
+      name: require-sg-change-alarms
+      description: Ensure a log metric filter and alarm exist for security group changes
+      checks:
+        - id: AVD-AWS-0156
+      severity: LOW
+    - id: "4.11"
+      name: require-nacl-changes-alarm
+      description: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
+      checks:
+        - id: AVD-AWS-0157
+      severity: LOW
+    - id: "4.12"
+      name: require-network-gateway-changes-alarm
+      description: Ensure a log metric filter and alarm exist for changes to network gateways
+      checks:
+        - id: AVD-AWS-0158
+      severity: LOW
+    - id: "4.13"
+      name: require-network-gateway-changes-alarm
+      description: Ensure a log metric filter and alarm exist for route table changes
+      checks:
+        - id: AVD-AWS-0159
+      severity: LOW
+    - id: "4.14"
+      name: require-vpc-changes-alarm
+      description: Ensure a log metric filter and alarm exist for VPC changes
+      checks:
+        - id: AVD-AWS-0160
+      severity: LOW
+    - id: "4.15"
+      name: require-org-changes-alarm
+      description: Ensure a log metric filter and alarm exist for organisation changes
+      checks:
+        - id: AVD-AWS-0174
+      severity: LOW
+    - id: "4.2"
+      name: require-non-mfa-login-alarm
+      description: Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
+      checks:
+        - id: AVD-AWS-0148
+      severity: LOW
+    - id: "4.3"
+      name: require-root-user-usage-alarm
+      description: Ensure a log metric filter and alarm exist for usage of root user
+      checks:
+        - id: AVD-AWS-0149
+      severity: LOW
+    - id: "4.4"
+      name: require-iam-policy-change-alarm
+      description: Ensure a log metric filter and alarm exist for IAM policy changes
+      checks:
+        - id: AVD-AWS-0150
+      severity: LOW
+    - id: "4.5"
+      name: require-cloud-trail-change-alarm
+      description: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
+      checks:
+        - id: AVD-AWS-0151
+      severity: LOW
+    - id: "4.6"
+      name: require-console-login-failures-alarm
+      description: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
+      checks:
+        - id: AVD-AWS-0152
+      severity: LOW
+    - id: "4.7"
+      name: require-cmk-disabled-alarm
+      description: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
+      checks:
+        - id: AVD-AWS-0153
+      severity: LOW
+    - id: "4.8"
+      name: require-s3-bucket-policy-change-alarm
+      description: Ensure a log metric filter and alarm exist for S3 bucket policy changes
+      checks:
+        - id: AVD-AWS-0154
+      severity: LOW
+    - id: "4.9"
+      name: require-config-configuration-changes-alarm
+      description: Ensure a log metric filter and alarm exist for AWS Config configuration changes
+      checks:
+        - id: AVD-AWS-0155
+      severity: LOW
+    - id: "5.1"
+      name: no-public-ingress-acl
+      description: Network ACLs should not allow ingress from to port 22 or port 3389.
+      checks:
+        - id: AVD-AWS-0105
+      severity: MEDIUM
+    - id: "5.3"
+      name: restrict-all-in-default-sg
+      description: Default security group should restrict all traffic
+      checks:
+        - id: AVD-AWS-0173
+      severity: LOW