standard
turbot/aws_compliance
- Detect & correct accounts without alternate security contact
- Detect & correct accounts without metric filter for bucket policy changes
- Detect & correct accounts without metric filter for CloudTrail configuration
- Detect & correct accounts without metric filter for Config configuration
- Detect & correct accounts without metric filter for console authentication failure
- Detect & correct accounts without metric filter for console login MFA changes
- Detect & correct accounts without metric filter for disable or delete CMK
- Detect & correct accounts without metric filter for IAM policy changes
- Detect & correct accounts without metric filter for network ACL changes
- Detect & correct CloudWatch log groups without metric filter for network gateway changes
- Detect & correct CloudWatch log groups without metric filter for organization changes
- Detect & correct accounts without metric filter for root login
- Detect & correct accounts without metric filter for route table changes
- Detect & correct accounts without metric filter for security group changes
- Detect & correct accounts without metric filter for unauthorized API changes
- Detect & correct accounts without metric filter for VPC changes
- Detect & correct API Gateway rest API stages with x-ray tracing disabled
- Detect & correct CloudTrail trail logs not encrypted with KMS CMK
- Detect & correct CloudTrail trails with log file validation disabled
- Detect & correct CloudTrail trails with multi-region read/write disabled
- Detect & correct CloudTrail trails using public S3 bucket
- Detect & correct CloudTrail trails with S3 logging disabled
- Detect & correct CloudTrail trails with S3 object level logging for read events disabled
- Detect & correct CloudTrail trails with S3 object level logging for write events disabled
- Detect & correct Config disabled in regions
- Detect & correct DynamoDB table with deletion protection disabled
- Detect & correct DynamoDB table with point-in-time recovery disabled
- Detect & correct EBS encryption by default disabled in regions
- Detect & correct EBS snapshots when publicly restorable
- Detect & correct EC2 classic load balancers with connection draining disabled
- Detect & correct EC2 instances with IMDSv1 enabled
- Detect & correct EC2 instances with multiple ENIs
- Detect & correct EC2 instances with public access enabled
- Detect & correct EFS file systems with encryption at rest disabled
- Detect & correct regions with IAM Access Analyzer disabled
- Detect & correct IAM account password policies without maximum password age of 90 days
- Detect & correct IAM account password policies without minimum length of 14
- Detect & correct IAM account password policies without requirement for any lowercase letter
- Detect & correct IAM account password policies without requirement for any number
- Detect & correct IAM account password policies without requirement for any symbol
- Detect & correct IAM account password policies without requirement for any uppercase letter
- Detect & correct IAM account password policies without password reuse 24
- Detect & correct IAM accounts without support role
- Detect & correct IAM groups attached with *:* policy
- Detect & correct IAM groups with unrestricted CloudShellFullAccess policy
- Detect & correct IAM roles attached with *:* policy
- Detect & correct IAM roles with unrestricted CloudShellFullAccess policy
- Detect & correct IAM root users last used in 90 days or more
- Detect & correct IAM root users with access keys
- Detect & correct IAM root users with hardware MFA disabled
- Detect & correct IAM root users with MFA disabled
- Detect & correct expired IAM server certificates
- Detect & correct IAM users with unused access key from 90 days or more
- Detect & correct IAM users with access key created during initial user setup
- Detect & correct IAM users with console access MFA disabled
- Detect & correct IAM users with IAM policy attached
- Detect & correct IAM users with inline policy
- Detect & correct IAM users with more than one active key
- Detect & correct IAM users attached with *:* policy
- Detect & correct IAM users with unrestricted CloudShellFullAccess policy
- Detect & correct IAM users with unused access key from 45 days or more
- Detect & correct IAM users with unused access key from 90 days or more
- Detect & correct IAM users with unused login profile from 45 days or more
- Detect & correct IAM users with unused login profile from 90 days or more
- Detect & correct KMS keys with rotation disabled
- Detect & correct RDS DB instances with auto minor version upgrade disabled
- Detect & correct RDS DB instances with encryption at rest disabled
- Detect & correct RDS DB instances with Multi-AZ disabled
- Detect & correct RDS DB instances with public access enabled
- Detect & correct S3 buckets with block public access disabled
- Detect & correct S3 buckets with default encryption disabled
- Detect & correct S3 buckets with Macie disabled
- Detect & correct S3 buckets with MFA delete disabled
- Detect & correct S3 buckets without SSL enforcement
- Detect & correct Security Hub disabled in regions
- Detect & correct default VPC security groups allowing ingress egress
- Detect & correct VPC network ACLs allowing ingress to remote server administration ports
- Detect & correct VPC security groups allowing ingress to port 22
- Detect & correct VPC security groups allowing ingress to port 3389
- Detect & correct VPC security groups allowing ingress to port 445
- Detect & correct VPC security groups allowing ingress to remote server administration ports
- Detect & correct VPC security groups allowing ingress to remote server administration ports IPv4
- Detect & correct VPC security groups allowing ingress to remote server administration ports IPv6
- Detect & correct VPCs without flow logs
Get Involved
Version
Trigger: Detect & correct CloudWatch log groups without metric filter for network gateway changes
Detect CloudWatch log groups wihtout metric filter for network gateway changes and then enable network gateway changes metric filter.
Query
with trails as ( select trail.account_id, trail.name as trail_name, trail.is_logging, split_part(trail.log_group_arn, ':', 7) as log_group_name from aws_cloudtrail_trail as trail, jsonb_array_elements(trail.event_selectors) as se where trail.is_multi_region_trail is true and trail.is_logging and se ->> 'ReadWriteType' = 'All' and trail.log_group_arn is not null order by trail_name),alarms as ( select metric_name, action_arn as topic_arn from aws_cloudwatch_alarm, jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn order by metric_name),topic_subscriptions as ( select subscription_arn, topic_arn from aws_sns_topic_subscription order by subscription_arn),metric_filters as ( select filter.name as filter_name, filter_pattern, log_group_name, metric_transformation_name from aws_cloudwatch_log_metric_filter as filter where filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' order by filter_name),filter_data as ( select t.account_id, t.trail_name, f.filter_name from trails as t join metric_filters as f on f.log_group_name = t.log_group_name join alarms as alarm on alarm.metric_name = f.metric_transformation_name join topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn)select a.account_id as title, region, a.account_id, sp_connection_name as connfrom aws_account as a left join filter_data as f on a.account_id = f.account_idwhere f.trail_name is null;with trails as ( select trail.account_id, trail.name as trail_name, trail.is_logging, split_part(trail.log_group_arn, ':', 7) as log_group_name from aws_cloudtrail_trail as trail, jsonb_array_elements(trail.event_selectors) as se where trail.is_multi_region_trail is true and trail.is_logging and se ->> 'ReadWriteType' = 'All' and trail.log_group_arn is not null order by trail_name),alarms as ( select metric_name, action_arn as topic_arn from aws_cloudwatch_alarm, jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn order by metric_name),topic_subscriptions as ( select subscription_arn, topic_arn from aws_sns_topic_subscription order by subscription_arn),metric_filters as ( select filter.name as filter_name, filter_pattern, log_group_name, metric_transformation_name from aws_cloudwatch_log_metric_filter as filter where filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' order by filter_name),filter_data as ( select t.account_id, t.trail_name, f.filter_name from trails as t join metric_filters as f on f.log_group_name = t.log_group_name join alarms as alarm on alarm.metric_name = f.metric_transformation_name join topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn)select a.account_id as title, region, a.account_id, sp_connection_name as connfrom aws_account as a left join filter_data as f on a.account_id = f.account_idwhere f.trail_name is null
Schedule
15m
Tags
category = Compliance
mod = aws
service = AWS/CloudWatch