Gist mchancloud/87b84dd532e2858af3a57cc875fc7d0b, last active April 24, 2020 19:36
AWS Security Hub - AWS Foundational Security Best Practices controls
[ACM.1] Imported ACM certificates should be renewed within 90 days of expiration
[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-region trail
[CloudTrail.2] CloudTrail should have encryption at-rest enabled
[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
[Config.1] AWS Config should be enabled
[EC2.1] EBS snapshots should not be public, determined by the ability to be restorable by anyone
[EC2.2] The VPC default security group should not allow inbound and outbound traffic
[EC2.3] Attached EBS volumes should be encrypted at-rest
[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
[ES.1] ElasticSearch domains should have encryption at-rest enabled
[GuardDuty.1] GuardDuty should be enabled
[IAM.1] IAM policies should not allow full '*' administrative privileges
[IAM.2] IAM users should not have IAM policies attached
[IAM.3] IAM users' access keys should be rotated every 90 days or less
[IAM.4] IAM root user access key should not exist
[IAM.5] MFA should be enabled for all IAM users that have a console password
[IAM.6] Hardware MFA should be enabled for the root user
[IAM.7] Password policies for IAM users should have strong configurations
[Lambda.1] Lambda functions should prohibit public access by other accounts
[Lambda.2] Lambda functions should use latest runtimes
[RDS.1] RDS snapshots should be private
[RDS.2] RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration
[RDS.3] RDS DB instances should have encryption at-rest enabled
[S3.1] S3 Block Public Access setting should be enabled
[S3.2] S3 buckets should prohibit public read access
[S3.3] S3 buckets should prohibit public write access
[S3.4] S3 buckets should have server-side encryption enabled
[SSM.1] EC2 instances should be managed by AWS Systems Manager
[SSM.2] EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation