audit_config.yaml
# Each finding type has an ID (example: S3_PUBLIC_POLICY_GETOBJECT_ONLY) that the auditing code records.
# title: A more human-friendly name
# severity: May be one of High, Medium, Low, Info, Verbose, or Ignore
# is_global: Identifies this finding type as not being associated with a region when it is reported
# group: Used to group these finding types in the report
EXCEPTION:
  title: An exception occurred during the audit.
  description: Other issues cannot be checked for until this is fixed.
  severity: Critical
  group: ERROR
S3_PUBLIC_POLICY_GETOBJECT_ONLY:
  title: Internet accessible S3 bucket via policy (only GetObject)
  description: This is the right way to make an S3 bucket public when you don't want to put CloudFront in front of it. This may be done when a third-party caching service is being used and you don't care about direct access to the S3 bucket.
  severity: Info
  is_global: True
  group: S3
S3_PUBLIC_POLICY:
  title: Internet accessible S3 bucket via policy
  description: This S3 bucket allows more public access than simply GetObject. These public privileges should be reduced.
  severity: High
  is_global: True
  group: S3
S3_PUBLIC_ACL:
  title: Public grant to S3 bucket via ACL
  description: Access to S3 buckets should be controlled by policies, not ACLs. ACLs result in overly permissive privileges to list the contents of the bucket.
  severity: High
  is_global: True
  group: S3
S3_ACCESS_BLOCK_OFF:
  title: S3 Control Access Block is not on
  description: This control prevents S3 buckets from being made public. If there are no public S3 buckets in the account, this should be turned on.
  severity: Low
  is_global: True
  group: S3
S3_ACCESS_BLOCK_ALL_ACCESS_TYPES:
  title: S3 Control Access Block is not blocking all access
  description: This control prevents S3 buckets from being made public. Confirm that the exception that has been made is necessary.
  severity: Low
  is_global: True
  group: S3
GUARDDUTY_OFF:
  title: GuardDuty is not enabled
  description: GuardDuty is an AWS threat detection service that detects compromised access keys, EC2 instances, and more. It should be enabled in all regions.
  severity: Medium
  group: GuardDuty
CLOUDTRAIL_OFF:
  title: CloudTrail is off
  description: CloudTrail provides audit logs for an account and should be enabled. Preferably, this should be done at the Organization level.
  severity: Low
  is_global: True
  group: CloudTrail
CLOUDTRAIL_NOT_MULTIREGION:
  title: CloudTrail is not multiregion
  description: When CloudTrail was first released, you had to specify which regions to enable it in. It now defaults to recording audit logs for all regions. It should be configured for multiregion.
  severity: Low
  group: CloudTrail
PASSWORD_POLICY_NOT_SET:
  title: Password policy is not set
  description: A password policy helps ensure strong passwords are used by IAM Users. Setting a password policy does not impact existing users, so after setting this, you should ensure users reset their passwords so that they are in compliance.
  severity: Low
  is_global: True
  group: IAM
PASSWORD_POLICY_CHARACTER_MINIMUM:
  title: Password policy does not meet minimum character requirement
  description: A password length requirement helps ensure strong passwords are used by IAM Users. Setting a password policy does not impact existing users, so after setting this, you should ensure users reset their passwords so that they are in compliance.
  severity: Low
  is_global: True
  group: IAM
PASSWORD_POLICY_CHARACTER_SET_REQUIREMENTS:
  title: Password policy does not require all character sets
  description: A password character set requirement helps ensure strong passwords are used by IAM Users. Setting a password policy does not impact existing users, so after setting this, you should ensure users reset their passwords so that they are in compliance.
  severity: Low
  is_global: True
  group: IAM
ROOT_USER_HAS_ACCESS_KEYS:
  title: Root user has access keys
  description: The root user should be used only in exceptional cases, and should therefore not use access keys. IAM Users or Roles should be used instead.
  severity: Low
  is_global: True
  group: IAM
ROOT_USER_HAS_NO_MFA:
  title: Root user has no MFA
  description: MFA (multi-factor authentication) helps mitigate account take-overs. If the root user does not have an MFA device associated with it, the account can more easily be compromised, especially through email account compromises, even if you do not know the password (as happens with Organization-created accounts).
  severity: Medium
  is_global: True
  group: IAM
USER_WITH_PASSWORD_LOGIN_BUT_NO_MFA:
  title: User has password login, but not MFA
  description: MFA (multi-factor authentication) helps mitigate user account take-over.
  severity: Medium
  is_global: True
  group: IAM
USER_HAS_NEVER_LOGGED_IN:
  title: User has never logged in
  description: The password for these users should be removed. If the user has no access keys, the user should be removed. The password may be a default password or may have been transmitted to the user insecurely, such that the user account may be compromised.
  severity: Medium
  is_global: True
  group: IAM
USER_HAS_NOT_LOGGED_IN_FOR_OVER_MAX_DAYS:
  title: User has not logged in for over 90 days
  description: The user has not used their password login for over 90 days. The password login should be removed from this user, or the user removed entirely.
  severity: Medium
  is_global: True
  group: IAM
USER_HAS_TWO_ACCESS_KEYS:
  title: User has two access keys
  description: A user should only have one access key. The ability to have multiple access keys is only for when an access key is being rolled, and the old one should be removed. The user should identify one access key to use and the other should be removed.
  severity: Low
  is_global: True
  group: IAM
USER_HAS_UNUSED_ACCESS_KEY:
  title: User has unused access key
  description: These users have access keys that have never been used. These access keys may have been communicated to the user insecurely, or otherwise may not be as well protected as they should be.
  severity: Low
  is_global: True
  group: IAM
USER_HAS_NOT_USED_ACCESS_KEY_FOR_MAX_DAYS:
  title: User has not used access key for over 90 days
  description: Access keys that have not been used for a while should be removed, as they may have been lost but still grant access to the account.
  severity: Low
  is_global: True
  group: IAM
IAM_BAD_MFA_POLICY:
  title: Incorrect policy used to attempt to enforce MFA
  description: AWS had advised incorrect policies for enforcing MFA which allowed an attacker, if they compromised keys that were protected by this policy, to remove the MFA policy from themselves, or remove the existing MFA device and add their own.
  severity: High
  is_global: True
  group: IAM
IAM_KNOWN_BAD_POLICY:
  title: Known bad policy used
  description: AWS has provided flawed policies to customers. These are either deprecated or no longer advised.
  severity: High
  is_global: True
  group: IAM
IAM_NOTACTION_ALLOW:
  title: Use of NotAction in an Allow statement
  description: Using NotAction in an Allow policy almost always results in unwanted actions being allowed and should be avoided.
  severity: Medium
  is_global: True
  group: IAM
IAM_ROLE_ALLOWS_ASSUMPTION_FROM_ANYWHERE:
  title: IAM role allows assumption from anywhere
  description: The IAM role's trust policy allows any other account to assume it.
  severity: High
  is_global: True
  group: IAM
IAM_MANAGED_POLICY_UNINTENTIONALLY_ALLOWING_ADMIN:
  title: Managed policy is allowing admin
  description: This finding is primarily for the deprecated AmazonElasticTranscoderFullAccess policy that was found to grant admin privileges.
  severity: Medium
  is_global: True
  group: IAM
IAM_CUSTOM_POLICY_ALLOWS_ADMIN:
  title: Custom policy allows admin
  description: Instead of using the AdministratorAccess policy, a custom policy was created that does the same thing, or allows escalation to the same thing.
  severity: Low
  is_global: True
  group: IAM
IAM_UNEXPECTED_FORMAT:
  title: Unexpected formatting of IAM policy
  description: IAM policies can be written to do things that are unexpected. This catch-all issue identifies anything unexpected in a policy.
  severity: Low
  is_global: True
  group: IAM
IAM_UNEXPECTED_ADMIN_PRINCIPAL:
  title: IAM role with admin privileges can be assumed by unexpected principals
  description: Admin roles in an account should be assumed by people. This rule detects IAM Roles that have admin privileges which can be granted to EC2s and other services.
  severity: High
  is_global: True
  group: IAM
IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL:
  title: IAM role with S3 listing and get privileges can be assumed by unexpected principals
  description: The ability to list S3 buckets, and get objects from them, should be restricted largely to people, as compromising an EC2 with this privilege could lead to exfiltration of data.
  severity: High
  is_global: True
  group: IAM
IAM_LINTER:
  title: IAM linting issues
  description: Issues identified by the IAM linter Parliament.
  severity: Low
  is_global: True
  group: IAM
IAM_NAME_DOES_NOT_INDICATE_ADMIN:
  title: Name does not indicate admin
  description: This IAM Group grants admin privileges, but the name does not indicate it is for admins.
  severity: Low
  is_global: True
  group: IAM
DOMAIN_NOT_SET_TO_RENEW:
  title: Domain not set to autorenew
  description: This domain will no longer be under your control once it expires and may be taken over by someone else.
  severity: High
  is_global: True
  group: Route53
DOMAIN_HAS_NO_TRANSFER_LOCK:
  title: Domain does not have a domain transfer lock set
  description: A domain transfer lock mitigates the possibility of someone else taking ownership of your domain. Not all TLDs support this. For example, .io domains do not support it.
  severity: Low
  is_global: True
  group: Route53
EBS_SNAPSHOT_PUBLIC:
  title: EBS snapshot is public
  description: This is essentially a copy of a hard drive and may contain sensitive information. These are very easy for attackers to find.
  severity: High
  group: EC2
RDS_PUBLIC_SNAPSHOT:
  title: RDS snapshot is public
  description: This is a copy of the contents of a database and may contain sensitive information. These are very easy for attackers to find.
  severity: High
  group: RDS
RDS_PUBLIC_IP:
  title: RDS has a public IP address
  description: Check whether this RDS instance is publicly accessible. Best practice is to put RDS instances in private subnets and not give them public IPs.
  severity: Low
  group: RDS
RDS_VPC_CLASSIC:
  title: RDS is using VPC classic
  description: At one point AWS did not have the concept of VPCs, so all network resources had public IPs. Workloads not in VPCs cannot take advantage of certain security benefits and should be migrated. Databases should be in private subnets.
  severity: Low
  group: RDS
AMI_PUBLIC:
  title: AMI is public
  description: An AMI is used to install the OS for an EC2 instance. These may contain sensitive information. These are very easy for attackers to find.
  severity: High
  group: EC2
ECR_PUBLIC:
  title: ECR is public
  description: The Amazon Elastic Container Registry (ECR) stores Docker images. These may contain sensitive information. These are somewhat hard for an attacker to find, but should not be made public.
  severity: Medium
  group: ECR
REDSHIFT_PUBLIC_IP:
  title: Redshift has public IP
  description: Redshift databases should be in private subnets. Databases should not have public IPs. You should additionally check if the Security Groups associated with this are allowing it to be publicly accessible.
  severity: Medium
  group: Redshift
ES_PUBLIC:
  title: ElasticSearch cluster is publicly accessible
  description: ElasticSearch databases should not be public. Change the resource policy to fix this.
  severity: High
  group: ElasticSearch
CLOUDFRONT_MINIMUM_PROTOCOL_SUPPORT:
  title: CloudFront is supporting an insecure minimum protocol version
  description: An advanced attacker with a privileged position in a network could obtain access to the encrypted traffic coming to this CloudFront distribution because this distribution supports an older, weaker protocol version.
  severity: Low
  is_global: True
  group: CloudFront
EC2_SOURCE_DEST_CHECK_OFF:
  title: EC2 Source/Destination check is off
  description: If there are no routes that depend on this instance forwarding traffic, disabling the check is not doing anything and the Source/Destination check should be re-enabled.
  severity: Info
  group: EC2
EC2_CLASSIC:
  title: EC2 Classic used
  description: EC2 Classic does not use VPCs. Some security benefits are therefore not possible. These workloads should be migrated to modern EC2 instances.
  severity: Info
  group: EC2
EC2_OLD:
  title: Old EC2
  description: An EC2 instance is running that was launched more than 365 days ago.
  severity: Info
  group: EC2
LAMBDA_PUBLIC:
  title: Lambda is internet accessible
  description: Lambdas should not be publicly callable. Other resources such as an API Gateway should be used to call the Lambda.
  severity: Medium
  group: Lambda
GLACIER_PUBLIC:
  title: Glacier vault is publicly accessible
  description: Glacier is a storage service like S3. These vaults are harder to find, but may still contain sensitive information. The resource policy should be locked down to allow access only by certain accounts.
  severity: Medium
  group: Glacier
KMS_PUBLIC:
  title: KMS is publicly accessible
  description: This may allow an attacker to decrypt data using the KMS key.
  severity: Medium
  group: KMS
SQS_PUBLIC:
  title: SQS is publicly accessible
  description: This may allow an attacker to read or write messages to this queue.
  severity: Medium
  group: SQS
SNS_PUBLIC:
  title: SNS is publicly accessible
  description: This may allow an attacker to read or write messages to this topic.
  severity: Medium
  group: SNS
SG_CIDR_OVERLAPS:
  title: Security Group overlaps
  description: This often happens when one attempts to restrict access, then opens up the access further.
  severity: Low
  group: SecurityGroup
SG_CIDR_UNNEEDED:
  title: Security Group CIDR unneeded
  description: The CIDR in the Security Group cannot be blocked, so including it is not necessary.
  severity: Info
  group: SecurityGroup
SG_CIDR_UNEXPECTED:
  title: Security Group CIDR unexpected
  description: The CIDR in the Security Group is formatted oddly.
  severity: Info
  group: SecurityGroup
SG_LARGE_CIDR:
  title: Security Group CIDR contains large IP range
  description: The CIDR in a Security Group in the account contains a large IP range, defeating the purpose of restricting access with a Security Group.
  severity: Info
  group: SecurityGroup
LIGHTSAIL_IN_USE:
  title: Lightsail in use
  description: There is nothing wrong with Lightsail, but it does not tend to be used in enterprises. The instances were often created while testing something and then forgotten about.
  severity: Info
  group: Lightsail
FOREIGN_HOSTED_ZONE:
  title: Hosted zone found
  description: Hosted Zones have legitimate uses, but may also be used to redirect traffic by an attacker, especially when they are owned by another account. (This finding needs more research into what should be filtered out, but I wanted to expose this info for manual review.)
  severity: Info
  group: Route53
EC2_IMDSV2_NOT_ENFORCED:
  title: IMDSv2 not enforced
  description: The original metadata service that allows EC2s to assume IAM roles could allow an attacker to take over that role if they were able to find an SSRF vulnerability or proxy functionality on the instance. IMDSv2 should be enforced and not optional.
  severity: Medium
  group: EC2
ACCESSANALYZER_OFF:
  title: Access Analyzer off
  description: Access Analyzer is a free service that can tell you when resources are public or shared with unexpected accounts.
  severity: Medium
  group: AccessAnalyzer
REQUEST_SMUGGLING:
  title: Request smuggling not denied
  description: "HTTP request smuggling is possible against ALBs, as described here: https://portswigger.net/web-security/request-smuggling"
  severity: Low
  group: ELB
ELBV1_DESYNC_MITIGATION:
  title: Desync mitigation mode not configured
  description: "Desync mitigation mode protects your application from issues due to HTTP Desync and should be set to 'Strictest'. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-desync-mitigation-mode.html"
  severity: Low
  group: ELB
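The header comment above defines the schema every finding type must follow (ID, title, description, a severity from a fixed set, optional is_global, group). The following loader and schema check is an added example, not code from this project: it parses the file's two-level layout without a YAML library and reports entries that break the documented rules. The sample text is constructed; note that `Critical`, used by the real file's EXCEPTION entry, is not in the header's severity list, so the check reports it.

```python
import re

# Allowed severities and required attributes, as documented in the file's header.
SEVERITIES = {"High", "Medium", "Low", "Info", "Verbose", "Ignore"}
REQUIRED = {"title", "description", "severity", "group"}

# Constructed sample in the file's own layout (two-level mapping, comment, quoted scalar).
SAMPLE = """\
# severity must be one of the documented values
EXCEPTION:
  title: An exception occurred during the audit.
  description: "An exception occurred: other issues cannot be checked until this is fixed."
  severity: Critical
  group: ERROR
S3_PUBLIC_POLICY:
  title: Internet accessible S3 bucket via policy
  description: This S3 bucket allows more public access than simply GetObject.
  severity: High
  is_global: True
  group: S3
"""

def parse_findings(text):
    """Parse 'ID:' lines and indented 'key: value' lines into {ID: {key: value}}; not full YAML."""
    findings, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):  # unindented line: a finding ID
            fid = line[:-1]
            if not line.endswith(":") or not re.fullmatch(r"[A-Z0-9_]+", fid):
                raise ValueError(f"line {lineno}: bad finding id {line!r}")
            current = findings.setdefault(fid, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: attribute before any finding id")
        key, sep, value = line.strip().partition(": ")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the double quotes used around values containing ':'
        current[key] = value.lower() == "true" if key == "is_global" else value
    return findings

def validate(findings):
    """Return schema problems and default is_global to False (header: absent means regional)."""
    problems = []
    for fid, attrs in findings.items():
        problems += [f"{fid}: missing {k}" for k in sorted(REQUIRED - attrs.keys())]
        if attrs.get("severity") not in SEVERITIES | {None}:
            problems.append(f"{fid}: severity {attrs['severity']!r} not in documented set")
        attrs.setdefault("is_global", False)
    return problems
```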
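Three of the finding types above depend on how a resource policy is written: S3_PUBLIC_POLICY_GETOBJECT_ONLY (public principal, nothing but GetObject), S3_PUBLIC_POLICY (public principal with anything more) and IAM_NOTACTION_ALLOW (NotAction in an Allow statement). This classifier is an added example, not this project's own detection code; it assumes `Principal` of `"*"` or `{"AWS": "*"}` means public and, as a deliberate simplification, does not evaluate `Condition` blocks, so its result is conservative. The sample policies, bucket name and account ID are constructed placeholders.

```python
def _as_list(value):
    """IAM accepts a string or a list in Action, NotAction and Principal.AWS."""
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket_policy(policy):
    """Return the set of finding IDs (from audit_config.yaml) that this policy triggers.
    Assumption: Condition blocks are not evaluated, so the result errs towards reporting."""
    findings, public_actions = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.add("IAM_NOTACTION_ALLOW")
        if not _is_public(stmt.get("Principal")):
            continue
        if "NotAction" in stmt:
            public_actions.add("*")  # everything not listed is granted to anyone
        public_actions.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    if public_actions and public_actions <= {"s3:getobject"}:
        findings.add("S3_PUBLIC_POLICY_GETOBJECT_ONLY")
    elif public_actions:
        findings.add("S3_PUBLIC_POLICY")
    return findings

# Constructed sample policies; bucket name and account ID are placeholders.
BUCKET = "arn:aws:s3:::example-bucket"
STATIC_SITE = {"Statement": [{"Effect": "Allow", "Principal": "*",
                              "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
LISTABLE = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                           "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": [BUCKET, BUCKET + "/*"]}]}
NOT_ACTION = {"Statement": {"Effect": "Allow", "Principal": "*",
                            "NotAction": "s3:DeleteBucket", "Resource": BUCKET}}
PRIVATE = {"Statement": [{"Effect": "Allow",
                          "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                          "Action": "s3:*", "Resource": BUCKET + "/*"}]}

if __name__ == "__main__":
    for name, pol in [("static site", STATIC_SITE), ("listable", LISTABLE),
                      ("NotAction", NOT_ACTION), ("private", PRIVATE)]:
        print(f"{name}: {sorted(audit_bucket_policy(pol)) or 'no findings'}")
```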