Cloud Account
adidas-linked-einvoice-cn (642660452893) , All Regions
TABLE OF CONTENTS
Executive Summary
Failed Tests
Passed Tests
EXECUTIVE SUMMARY
0 5 25 4 0
EksCluster (0) 0 0
DynamoDbTable (0) 0 0
Route53HostedZone (0) 0 0
IamPolicy (508) 506 2
IamRole (15) 12 3
List<Lambda> (1) 1 0
KMS (0) 0 0
Region (2) 0 2
VPC (1) 1 0
Rule Name | Severity | Tested | Relevant | Non Compliant
Enforce Password Policy | High | 1 | 1 | 1
ALB-WAF | High | 1 | 1 | 1
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | High | 2 | 1 | 1
Ensure IAM policies that allow full "*:*" administrative privileges are not created | High | 508 | 1 | 1
Ensure the default security group of every VPC restricts all traffic | High | 4 | 1 | 1
IAM roles with managed admin privileges | Medium | 15 | 15 | 3
Ensure CloudTrail is enabled in all regions | Medium | 2 | 2 | 2
Ensure first access key is rotated every 90 days or less | Medium | 2 | 1 | 1
Ensure a log metric filter and alarm exist for changes to network gateways | Medium | 1 | 1 | 1
IAM User with All Access | Medium | 2 | 2 | 1
Ensure IAM password policy require at least one symbol | Medium | 1 | 1 | 1
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Medium | 1 | 1 | 1
Ensure a log metric filter and alarm exist for IAM policy changes | Medium | 1 | 1 | 1
Ensure IAM password policy requires at least one uppercase letter | Medium | 1 | 1 | 1
Password Policy must require at least one number | Medium | 1 | 1 | 1
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Medium | 1 | 1 | 1
Ensure a log metric filter and alarm exist for route table changes | Medium | 1 | 1 | 1
FAILED TESTS
FAILED
High
Enforce Password Policy
Description:
Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets and have minimum length, rotation and history restrictions.
Rule ID: D9_PR_2
Remediation:
Refer to IAM Best Practices at: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Failed Entities
ID Name Region VPC
FAILED
High
ALB-WAF
Description:
Ensure that all your public AWS ALBs are integrated with the AWS Web Application Firewall (AWS WAF) service to protect against application-layer attacks.
CIS-Adv-Control
Failed Entities
ID | Name | Region | VPC
arn:aws-cn:elasticloadbalancing:cn-north-1:642660452893:loadbalancer/app/BJI-PRD-EIN-ALB/ba8ba461c444968f | BJI-PRD-EIN-ALB | Beijing (cn_north_1) | vpc-04013d3a487d91ab8
FAILED
High
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Description:
Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA
enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as
for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that
have a console password.
Enabling MFA provides increased security for console access, as it requires the authenticating principal both to possess a device that emits a time-sensitive key and to have knowledge of a credential.
CIS Benchmark control: 1.2
Remediation:
Perform the following to enable MFA:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
2. In the navigation pane, choose Users.
3. In the User Name list, choose the name of the intended MFA user.
4. Choose the Security Credentials tab, and then choose Manage MFA Device.
5. In the Manage MFA Device wizard, choose A virtual MFA device, and then choose Next Step.
IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The
graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not
support QR codes.
6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual
MFA Applications.) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose
the option to create a new account (a new virtual MFA device).
7. Determine whether the MFA app supports QR codes, and then do one of the following:
7.1 Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to
Scan code, and then use the device's camera to scan the code.
7.2 In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret
configuration key into your MFA application.
When you are finished, the virtual MFA device starts generating one-time passwords.
8. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password, then type the second one-time password into the Authentication Code 2 box. Choose Activate Virtual MFA.
Additional Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-iam-user
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
IAM Best Practices: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Virtual MFA Applications guidance by AWS: https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications
Failed Entities
ID Name Region VPC
FAILED
High
Ensure IAM policies that allow full "*:*" administrative privileges are not created
Description:
It is recommended, and considered standard security advice, to grant least privilege, that is, to grant only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies that let them perform only those tasks, instead of granting full administrative privileges.
Remediation:
Using the GUI, perform the following to detach the policy that has full administrative privileges:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
3. Select the policy that needs to be deleted.
4. In the policy action menu, select first Detach
5. Select all Users, Groups, Roles that have this policy attached
6. Click Detach Policy
7. In the policy action menu, select Detach
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID | Name | Region | VPC
ANPAPHSCJ455ZCEVGVPWA | AdministratorAccess | Global (global) | -
FAILED
High
Ensure the default security group of every VPC restricts all traffic
Description:
A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic,
and allow all traffic between instances assigned to the security group. If you don't specify a security group when you
launch an instance, the instance is automatically assigned to this default security group. Security groups provide
stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security
group restrict all traffic.
The default VPC in every region should have its default security group updated to comply. Any newly created VPCs
will automatically contain a default security group that will need remediation to comply with this recommendation.
NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege
port access required by systems to work properly because it can log all packet acceptances and rejections occurring
under the current security groups. This dramatically reduces the primary barrier to least privilege engineering -
discovering the minimum ports required by systems in the environment. Even if the VPC flow logging
recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any
period of discovery and engineering for least privileged security groups.
Tested: 4 | Relevant: 1 | Non Compliant: 1
CIS Benchmark control: 4.3
Remediation:
Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as
resources outside of these routes are inaccessible to the peered VPC.
Security Group Members
Perform the following to implement the prescribed state:
1. Identify AWS resources that exist within the default security group
2. Create a set of least privilege security groups for those resources
3. Place the resources in those security groups
4. Remove the resources noted in #1 from the default security group
Security Group State
1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
3. In the left pane, click Security Groups
4. For each default security group, perform the following:
5. Select the default security group
6. Click the Inbound Rules tab
7. Remove any inbound rules
8. Click the Outbound Rules tab
9. Remove any outbound rules
Recommended: IAM groups allow you to edit the "name" field. After remediating default groups rules for all VPCs in
all regions, edit this field to add text similar to "DO NOT USE. DO NOT ADD RULES"
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID | Name | Region | VPC
sg-0805e4ab3ca7fb59e | default | Beijing (cn_north_1) | vpc-04013d3a487d91ab8
FAILED
Medium
Ensure CloudTrail is enabled in all regions
Description:
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The
recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API
caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a
history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line
tools, and higher-level AWS services (such as CloudFormation).
Remediation:
Perform the following to enable global (multi-region) CloudTrail logging:
Via the Management Console
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail
2. Click on Trails on the left navigation pane
3. Click Get Started Now, if presented
3.1 Click Add new trail
3.2 Enter a trail name in the Trail name box
3.3 Set the Apply trail to all regions option to Yes
3.4 Specify an S3 bucket name in the S3 bucket box and Click Create
4. If 1 or more trails already exist, select the target trail to enable for global logging
5. Click the edit icon (pencil) next to Apply trail to all regions, click Yes and click Save.
6. Click the edit icon (pencil) next to Management Events, click All for the Read/Write Events setting and click Save.
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure first access key is rotated every 90 days or less
Description:
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that
you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS
Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs
for individual AWS services. It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised
or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an
old key which might have been lost, cracked, or stolen.
Remediation:
1. Login to the AWS Management Console:
2. Click Services
3. Click IAM
4. Click on Users
5. Click on Security Credentials
6. As an Administrator:
   - Click on Make Inactive for keys that have not been rotated in 90 days
7. As an IAM User:
   - Click on Make Inactive or Delete for keys which have not been rotated or used in 90 days
8. Click on Create Access Key
9. Update programmatic call with new Access Key credentials
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for changes to network gateways
Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing
corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination
outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via
a controlled path.
CIS Benchmark control: 3.12
Remediation:
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on the filter pattern relevant for this check. For more details, refer to CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. Create an SNS topic that the alarm will notify. Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2. Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2.
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID | Name | Region | VPC
N/A | List<CloudTrail> | N/A | -
FAILED
Medium
IAM User with All Access
Description:
There should not be any IAM user with admin access.
Failed Entities
ID | Name | Region | VPC
FAILED
Medium
Ensure IAM password policy require at least one symbol
Remediation:
Perform the following to set the password policy as prescribed:
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on Account Settings on the Left Pane
4. Check "Require at least one non-alphanumeric character"
5. Click "Apply password policy"
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
IAM Best Practices: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Failed Entities
ID | Name | Region | VPC
642660452893 | Account Summary | Global (global) | -
FAILED
Medium
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing
corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed
console authentication attempts.
Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may
provide an indicator, such as source IP, that can be used in other event correlation.
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for IAM policy changes
Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies.
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.
CIS Benchmark control: 3.4
Remediation:
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on the filter pattern relevant for this check. For more details, refer to CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. Create an SNS topic that the alarm will notify. Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2. Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2.
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure IAM password policy requires at least one uppercase letter
Description:
It is recommended that the password policy require at least one uppercase letter. Password policies are, in part,
used to enforce password complexity requirements. IAM password policies can be used to ensure passwords
consist of different character sets. Setting a password complexity policy increases account resiliency against brute
force login attempts.
CIS Benchmark control: 1.5
Remediation:
Perform the following to set the password policy as prescribed:
Via AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on Account Settings on the Left Pane
4. Check "Requires at least one uppercase letter"
5. Click "Apply password policy"
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
IAM Best Practices: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Failed Entities
ID Name Region VPC
FAILED
Medium
Password Policy must require at least one number
Description:
It is recommended that the password policy require at least one number. Password policies are, in part, used to
enforce password complexity requirements. IAM password policies can be used to ensure passwords consist of
different character sets. Setting a password complexity policy increases account resiliency against brute force login
attempts.
CIS Benchmark control: 1.8
Remediation:
Setting a password complexity policy increases account resiliency against brute force login attempts.
Perform the following to set the password policy as prescribed:
Via AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on Account Settings on the Left Pane
4. Check "Require at least one number"
5. Click "Apply password policy"
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
IAM Best Practices: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Failed Entities
ID | Name | Region | VPC
642660452893 | Account Summary | Global (global) | -
FAILED
Medium
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing
corresponding metric filters and alarms.
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.
CIS Benchmark control: 3.2
Remediation:
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on the filter pattern relevant for this check. For more details, refer to CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. Create an SNS topic that the alarm will notify. Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2. Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2.
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for route table changes
Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing
corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to
network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.
CIS Benchmark control: 3.13
Remediation:
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on the filter pattern relevant for this check. For more details, refer to CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. Create an SNS topic that the alarm will notify. Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2. Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2.
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure IAM password policy requires minimum length of 10 or greater
Description:
Set the IAM password policy to ensure passwords consist of at least 10 characters. Password policies are, in part,
used to enforce password complexity requirements. Setting a password complexity policy increases account
resiliency against brute force login attempts.
CIS Benchmark control: 1.9
Remediation:
Setting a password complexity policy increases account resiliency against brute force login attempts.
Perform the following to set the password policy as prescribed:
Via AWS Console
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on Account Settings on the Left Pane
4. Set "Minimum password length" to 10 or greater.
5. Click "Apply password policy"
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
IAM Best Practices: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for unauthorized API calls
Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing
corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for
unauthorized API calls.
Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious
activity.
CIS Benchmark control: 3.1
Remediation:
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on the filter pattern relevant for this check. For more details, refer to CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. Create an SNS topic that the alarm will notify. Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2. Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2.
Additional Reference:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CountingLogEventsExample.html
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for VPC changes
Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. An account may contain more than one VPC, and a peering connection between two VPCs allows network traffic to route between them. It is recommended that a metric filter and alarm be established for changes made to VPCs.
Remediation:
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on the filter pattern relevant for this check. For more details, refer to CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. Create an SNS topic that the alarm will notify. Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2. Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2.
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID Name Region VPC
FAILED
Medium
Credentials (with password enabled) unused for 90 days or more should be disabled
Description:
It is recommended that all credentials that have been unused for 90 or more days be removed or deactivated. AWS
IAM users can access AWS resources using different types of credentials, such as passwords or access keys.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated
with a compromised or abandoned account to be used.
Remediation:
Perform the following to remove or deactivate credentials:
1. Login to the AWS Management Console:
2. Click Services
3. Click IAM
4. Click on Users
5. Click on Security Credentials
6. As an Administrator:
   - Click on Make Inactive for credentials that have not been used in 90 days
7. As an IAM User:
   - Click on Make Inactive or Delete for credentials which have not been used in 90 days
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for security group changes
Description:
Monitoring changes to security groups will help ensure that resources and services are not unintentionally exposed.
CIS Benchmark control: 3.10
Remediation:
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on the filter pattern relevant for this check. For more details, refer to CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. Create an SNS topic that the alarm will notify. Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2. Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2.
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID Name Region VPC
FAILED
Medium
RDS not encrypted
Description:
RDS databases should be encrypted at rest.
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for usage of 'root' account
Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing
corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root
login attempts.
Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity
to reduce the use of it.
Tested: 1 | Relevant: 1 | Non Compliant: 1
CIS Benchmark control: 3.3
Remediation:
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on the filter pattern relevant for this check. For more details, refer to CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. Create an SNS topic that the alarm will notify. Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2. Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2.
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing
corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for
changes to S3 bucket policies.
Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3
buckets.
Remediation:
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on the filter pattern relevant for this check. For more details, refer to CIS Amazon Web
Services Foundations Benchmark v1.1.2
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. Create an SNS topic that the alarm will notify. Note: you can execute this command once and then re-use the
same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2. Note: you can execute this command once and then
re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic
created in step 2.
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing
corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress
traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made
to NACLs.
Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.
3.11
Remediation:
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on the filter pattern relevant for this check. For more details, refer to CIS Amazon Web
Services Foundations Benchmark v1.1.2
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. Create an SNS topic that the alarm will notify. Note: you can execute this command once and then re-use the
same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2. Note: you can execute this command once and then
re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic
created in step 2.
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID Name Region VPC
FAILED
Medium
Ensure IAM password policy requires at least one lowercase letter
Description:
It is recommended that the password policy require at least one lowercase letter. Password policies are, in part,
used to enforce password complexity requirements. IAM password policies can be used to ensure passwords
consist of different character sets. Setting a password complexity policy increases account resiliency against brute
force login attempts.
1.6
Remediation:
Perform the following to set the password policy as prescribed, via the AWS Console:
1. Log in to the AWS Console (with appropriate permissions to view Identity and Access Management account settings)
2. Go to the IAM service in the AWS Console
3. Click on Account Settings in the left pane
4. Check "Requires at least one lowercase letter"
5. Click "Apply password policy"
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
IAM Best Practices:
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Failed Entities
ID Name Region VPC
642660452893 Account Summary Global (global) -
FAILED
Low
Ensure IAM password policy expires passwords within 90 days or less
Description:
IAM password policies can require passwords to be rotated or expired after a given number of days. It is
recommended that the password policy expire passwords after 90 days or less.
Reducing the password lifetime increases account resiliency against brute force login attempts. Additionally,
requiring regular password changes helps in the following scenarios:
- Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system
compromise, software vulnerability, or internal threat.
- Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even
if it's encrypted.
- Many people use the same password for many systems such as work, email, and personal.
- Compromised end user workstations might have a keystroke logger.
1.11
Remediation:
Perform the following to set the password policy as prescribed, via the AWS Console:
1. Log in to the AWS Console (with appropriate permissions to view Identity and Access Management account settings)
2. Go to the IAM service in the AWS Console
3. Click on Account Settings in the left pane
4. Check "Enable password expiration"
5. Set "Password expiration period (in days):" to 90 or less
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID Name Region VPC
642660452893 Account Summary Global (global) -
FAILED
Low
Default-SG Not to be Used
Description:
Security groups should be custom-created and applied in production; the default security group should not be used.
Failed Entities
ID Name Region VPC
FAILED
Remediation:
Perform the following to set the password policy as prescribed:
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Failed Entities
ID Name Region VPC
642660452893 Account Summary Global (global) -
FAILED
Ensure a support role has been created to manage incidents with AWS Support Low
Description:
AWS provides a support center that can be used for incident notification and response, as well as technical support
and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.
By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow
Support Center Access in order to manage Incidents with AWS Support.
1.20
Remediation:
For each account that failed this rule, open the IAM console, navigate to Roles, and create a new role (assign it any
name, but it should suggest the Support role). Assign the AWSSupportAccess policy to this role.
Alternatively, instead of a Role, define a Group with the support policy.
Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.1.2
https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html#accessing-support
Failed Entities
ID Name Region VPC
PASSED TESTS
PASSED
ALB-with-Netbios-Datagram High
Description:
Public ApplicationLoadBalancer with service 'NetBIOS Datagram Service' (TCP:138) is exposed to the entire internet
CIS-Adv-Control
PASSED
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) High
Description:
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that
no security group allows unrestricted ingress access to port 3389.
4.2
PASSED
High
NLB with Telnet
CIS-Adv-Control
PASSED
High
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
Description:
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that
no security group allows unrestricted ingress access to port 22.
4.1
PASSED
CIS-Basic-Control
PASSED
High
Lambda With User Credential
Description:
Lambda can be run with either user credentials or an IAM Role. User credentials are not a good way to run Lambda, as
they require credentials to be stored in the code or in environment variables.
CIS-Adv-Control
PASSED
High
ECS Service with Admin Roles
Description:
ECS clusters are launched with admin privileges.
PASSED
High
s3-public-available
PASSED
PASSED
High
ALB-with-RDP
Description:
ApplicationLoadBalancer with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the
public internet
1 TESTED 0 RELEVANT 0 NON COMPLIANT
CIS-Adv-Control
PASSED
High
ALB with Oracle
CIS-Adv-Control
PASSED
Description:
Ensure that your Amazon EKS cluster's Kubernetes API server endpoint is not publicly accessible from the Internet,
in order to avoid exposing private data and to minimize security risks. The level of access to your Kubernetes API
server endpoints depends on your EKS application use cases; however, for most use cases Cloud Conformity
recommends that the API server endpoints be accessible only from within your AWS Virtual Private Cloud
(VPC).
CIS-Basic-Control
PASSED
High
Ensure no root account access key exists
Description:
The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a
given AWS account. It is recommended that all access keys associated with the root account be removed. Removing
access keys associated with the root account limits vectors by which the account can be compromised. Additionally,
removing the root access keys encourages the creation and use of role based accounts that are least privileged.
1.12
PASSED
CIS-Adv-Control
PASSED
ALB-with-Telnet High
CIS-Adv-Control
PASSED
CIS-Adv-Control
PASSED
ALB-Ldap-without-SSL High
Description:
An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems
Interconnection (OSI) model. A load balancer serves as the single point of contact for clients. An ALB should not be
exposed for unencrypted LDAP endpoints.
PASSED
CIS-Adv-Control
PASSED
PASSED
Security Groups - with remote ports too exposed to the public internet High
Description:
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that
no security group allows unrestricted ingress access to administrative ports.
PASSED
PASSED
CIS-Adv-Control
PASSED
CIS-Basic-Control
PASSED
PASSED
Description:
AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within
the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is
used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently
retains all prior backing keys so that decryption of encrypted data can take place transparently.
Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key
cannot be accessed with a previous key that may have been exposed.
2.8
PASSED
High
ALB-with-CIFS
Description:
Public ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
CIS-Adv-Control
PASSED
High
Complete-internet exposed ElasticSearch Domain
Description:
Elasticsearch domain is completely exposed to the public: an attacker can access it without any login, and there is no IP
address restriction/whitelisting.
PASSED
Description:
Valid Domains are published via Route53
CIS-Adv-Control
PASSED
CIS-Basic-Control
PASSED
CIS-Basic-Control
PASSED
PASSED
CIS-Adv-Control
PASSED
Lambda With full Resource & Action Privilege High
Description:
Determine the specific permissions needed by your Lambda functions, and then craft IAM policies for these
permissions only, instead of full administrative privileges. There should not be any policies that grant blanket
permissions ('*') to resources. It is recommended and considered a standard security best practice to grant least
privilege, that is, granting only the permissions required to perform a task.
CIS-Adv-Control
PASSED
High
ECS Ingress Access Default Internet
Description:
ECS cluster is accessible over default inbound rule
PASSED
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible High
Description:
CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is
recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to
prevents public access.
2.3
PASSED
Description:
Redshift is publicly accessible and also not inside a VPC
CIS-Basic-Control
PASSED
PASSED
ALB-MsSql High
Description:
Public ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
PASSED
PASSED
High
ALB-with-Netbios-NameService
Description:
Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
CIS-Adv-Control
PASSED
ALB-with-Netbios High
Description:
Public ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
PASSED
Redshift-without-Encryption High
Description:
In Amazon Redshift, you can enable database encryption for your clusters to help protect data at rest. When you
enable encryption for a cluster, the data blocks and system metadata are encrypted for the cluster and its
snapshots.
CIS-Adv-Control
PASSED
Description:
It is recommended that IAM policies be applied directly to groups and roles but not to users. IAM policies are the
means by which privileges are granted to users, groups, or roles. By default, IAM users, groups, and roles have no
access to AWS resources.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users
grows. Reducing access management complexity may in turn reduce the opportunity for a principal to inadvertently
receive or retain excessive privileges.
1.16
PASSED
Medium
Sagemaker outside vpc
Description:
A SageMaker notebook instance is a Machine Learning (ML) compute instance running Jupyter Notebook
software. You can connect to your notebook instance from your VPC through an interface endpoint in your Virtual
Private Cloud (VPC), instead of connecting over the internet. Ensure that your AWS SageMaker notebook instances are
placed in the VPC, so that they only access VPC resources. AWS VPCs provide the controls to facilitate a formal process
for approving and testing all network connections and changes to the firewall and router configurations.
PASSED
PASSED
Medium
ElasticSearch without any access control
Description:
This Elasticsearch domain has been built inside an AWS VPC, but access to the domain has no access control via
resource policies or a login requirement.
PASSED
Medium
Ensure multi-regions trail exists for each AWS CloudTrail
Description:
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The
recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API
caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a
history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line
tools, and higher-level AWS services (such as CloudFormation).
PASSED
CIS-Basic-Control
PASSED
CIS-Adv-Control
PASSED
Medium
AMI-Public-snapshot
Description:
This check is something we can look into once we provide golden images.
CIS-Adv-Control
PASSED
Description:
The Amazon ECS container agent associates container instances to your cluster and tells Docker when to start, stop,
and query the containers you have specified to run. If the agent is unable to access the service, the container
instance is not able to operate as a member of your ECS cluster.
0 TESTED 0 RELEVANT 0 NON COMPLIANT
PASSED
Description:
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that
you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS
Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs
for individual AWS services. It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised
or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an
old key which might have been lost, cracked, or stolen.
1.4
PASSED
CIS-Adv-Control
PASSED
Medium
ECS Cluster Idle
Description:
Amazon ECS allows you to run and maintain a specified number of instances of a task definition simultaneously in
an Amazon ECS cluster. Idle ECS services should be removed to reduce the container attack surface.
CIS-Basic-Control
PASSED
Medium
ElasticSearch not inside VPC
Description:
Elasticsearch domain is exposed via a public ES endpoint and should have proper resource access policies. It is not
recommended practice to have an Elasticsearch domain outside of a VPC.
PASSED
CIS-Adv-Control
PASSED
Medium
Credentials (with first activated accessKey) unused for 90 days or more should be disabled
Description:
It is recommended that all credentials that have been unused for 90 or more days be removed or deactivated. AWS
IAM users can access AWS resources using different types of credentials, such as passwords or access keys.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated
with a compromised or abandoned account to be used.
1.3
PASSED
Medium
Ensure VPC flow logging is enabled in all VPCs
Description:
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network
interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch
Logs.
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous
traffic or insight during security workflows.
2.9
PASSED
Credentials (with second activated accessKey) unused for 90 days or more should be Medium
disabled
Description:
It is recommended that all credentials that have been unused for 90 or more days be removed or deactivated. AWS
IAM users can access AWS resources using different types of credentials, such as passwords or access keys.
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated
with a compromised or abandoned account to be used.
1.3
PASSED
Description:
Amazon ECS uses services to run and maintain a specified number of instances of a task definition simultaneously in an ECS
cluster. Idle ECS clusters running services should be removed to reduce the container attack surface.
PASSED
PASSED
Low
lambda without Tags
Description:
All resources should have appropriate tags
PASSED
Low
adidas s3 redirect
PASSED
PASSED
Low
DynamoDB encrypted adidasOwned Key
Description:
DynamoDB should be encrypted with adidas managed KMS keys
CIS-Adv-Control
PASSED
Low
Register-lock
Description:
Ensure that your AWS Route 53 registered domains are locked to prevent any unauthorized transfers to another
domain name registrar
CIS-Adv-Control
PASSED
Low
Sagemaker Internet access without Root
PASSED
PASSED
Description:
The AWS Redshift cluster by default needs access on port 5439.
PASSED
Internal-Hosted-Zone Informational
Description:
This check is just informational to verify private hosted zone in Route53