Rule Remediation Steps
Here you’ll find rule remediation steps for many common compliance violations. Follow the steps to manually bring resources back into compliance using the AWS Management Console, AWS CLI, Azure Portal, or Azure CLI.
- IAM root user should not be used
- IAM password policies should prevent reuse of previously used passwords
- IAM password policies should expire passwords within 90 days
- IAM root user access key should not exist
- IAM should have MFA enabled for the root account
- IAM should have hardware MFA enabled for the root account
- IAM policies should not be attached to users
- Ensure a support role has been created to manage incidents with AWS Support
- CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only
- CloudFront viewer protocol policy should be set to https-only or redirect-to-https
- ELBv1 listener protocol should not be set to http
- Auto Scaling groups should span two or more availability zones
- EBS volume encryption should be enabled
- CloudFront distributions should have geo-restrictions specified
- AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled
- IAM user access keys should be rotated every 90 days or less
- IAM password policies should require at least one uppercase character
- IAM password policies should require at least one lowercase character
- IAM password policies should require at least one symbol
- IAM password policies should require at least one number
- IAM password policies should require a minimum length of 14
- CloudTrail should be enabled in all regions
- CloudTrail log file validation should be enabled
- S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files
- CloudTrail trails should have CloudWatch log integration enabled
- AWS Config should be enabled in all regions
- S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
- CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured
- Alarm for denied connections in CloudFront logs should be configured
- CloudTrail log files should be encrypted using KMS CMKs
- KMS CMK rotation should be enabled
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs
- ELBv1 load balancer cross zone load balancing should be enabled
- VPC security group inbound rules should not permit ingress from any address to all ports and protocols
- VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
- VPC flow logs should be sent to CloudWatch logs
- SQS access policies should not have global “.” access
- SNS subscriptions should deny access via HTTP
- VPC flow logging should be enabled
- CloudWatch log metric filter and alarm for unauthorized API calls should be configured
- CloudWatch log metric filter and alarm for VPC security group changes should be configured
- CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured
- CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured
- CloudWatch log metric filter and alarm for VPC route table changes should be configured
- CloudWatch log metric filter and alarm for VPC changes should be configured
- CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured
- CloudWatch log metric filter and alarm for usage of root account should be configured
- CloudWatch log metric filter and alarm for IAM policy changes should be configured
- CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured
- CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
- ELBv1 load balancer access logging should be enabled
- CloudFront access logging should be enabled
- CloudWatch log groups should be encrypted with KMS CMKs
- DynamoDB tables should be encrypted with AWS or customer managed KMS CMKs
- SQS queue server-side encryption should be enabled (AWS-managed keys)
- CloudFront distributions should be protected by WAFs
- CloudWatch log metric filter and alarm for disabling or scheduled deletion of KMS CMKs should be configured
- CloudWatch log metric filter and alarm should be set for S3 bucket policy changes
- CloudWatch log metric filter and alarm should be set for Config configuration changes
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
- IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)
- IAM password policies should prevent reuse of the four previously used passwords
- VPC default security group should restrict all traffic
- IAM policies should not have full “*:*” administrative privileges
- RDS instances should be encrypted (AWS-managed or customer-managed KMS CMKs)
- RDS instances should have FedRAMP approved database engines
- RDS instances should be encrypted with KMS CMKs
- S3 bucket server-side encryption should be enabled
- S3 bucket policies should only allow requests that use HTTPS
- S3 bucket versioning and lifecycle policies should be enabled
- ELB listener security groups should not be set to TCP all
- VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports
- VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
- ElastiCache transport encryption should be enabled
- DynamoDB tables Point in Time Recovery should be enabled
- RDS instances should have backup retention periods configured
- IAM multi-factor authentication should be enabled for all IAM users that have a console password
- Storage Accounts ‘Secure transfer required’ should be enabled
- Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)
- Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)
- Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols
- Virtual Network Network Watcher should be enabled
- Virtual Machines data disks (non-boot volumes) should be encrypted
- Virtual Machines unattached disks should be encrypted
- RDS Aurora cluster multi-AZ should be enabled
- S3 bucket policies should not allow all actions for all IAM principals and public users
- S3 bucket policies should not allow list actions for all IAM principals and public users
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
- IAM policies should not allow broad list actions on S3 buckets
- IAM role trust policies should not allow all principals to assume the role
- IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
- SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0
- MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
- PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
- Ensure Azure Application Gateway Web application firewall (WAF) is enabled
- MySQL Database server “enforce SSL connection” should be enabled
- PostgreSQL Database server “enforce SSL connection” should be enabled
- Key Vault ‘Enable Soft Delete’ and ‘Enable Purge Protection’ should be enabled
- S3 buckets should have all “block public access” options enabled
- VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP)
- CloudTrail trails should be configured to log data events for S3 buckets
- Exactly one CloudTrail trail should monitor global services
- CloudTrail trails should be configured to log management events
- CloudTrail should have at least one CloudTrail trail set to a multi-region trail
- CloudTrail trails should not be associated with missing SNS topics
- AWS CloudWatch alarms should have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBIOS Datagram Service)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBIOS Session Service)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 1433 (MSSQL Server)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin)
- Require Multi Availability Zones turned on for RDS Instances
- KMS master keys should not be publicly accessible
- EC2 instances should use IAM roles and instance profiles instead of IAM access keys to perform requests
- IAM roles used for trust relationships should have MFA or external IDs
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate)
- Redshift cluster ‘Publicly Accessible’ should not be enabled
- EC2 instances should not have a public IP association (IPv4)
- IAM users should be members of at least one group
- IAM users should have MFA (virtual or hardware) enabled
- S3 bucket access logging should be enabled
- S3 bucket replication (cross-region or same-region) should be enabled
- Lambda function policies should not allow global access
- S3 buckets should not be publicly readable
- RDS instance ‘Publicly Accessible’ should not be enabled
- S3 bucket policies and ACLs should not be configured for public read access
- RDS instance ‘Deletion Protection’ should be enabled
- SQL Server auditing should be enabled
- SQL Server auditing retention should be greater than 90 days
- Virtual Network security group flow log retention period should be set to 90 days or greater
- Active Directory custom subscription owner roles should not be created
- Security Center pricing tier should be set to ‘Standard’
- Security Center default policy setting ‘Monitor System Updates’ should be enabled
- Security Center default policy setting ‘Monitor OS Vulnerabilities’ should be enabled
- Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled
- Security Center default policy setting ‘Monitor Disk Encryption’ should be enabled
- Security Center default policy setting ‘Monitor Network Security Groups’ should be enabled
- Security Center default policy setting ‘Monitor Web Application Firewall’ should be enabled
- Security Center default policy setting ‘Enable Next Generation Firewall (NGFW) Monitoring’ should be enabled
- Security Center default policy setting ‘Monitor Vulnerability Assessment’ should be enabled
- Security Center default policy setting “Monitor Storage Blob Encryption” should be enabled
- Security Center default policy setting “Monitor JIT Network Access” should be enabled
- Security Center default policy setting “Monitor Adaptive Application Whitelisting” should be enabled
- Security Center default policy setting “Monitor SQL Auditing” should be enabled
- Security Center default policy setting “Monitor SQL Encryption” should be enabled
- Security Center contact emails should be set
- PostgreSQL Database configuration ‘log_checkpoints’ should be on
- PostgreSQL Database configuration ‘log_connections’ should be on
- Monitor Activity Log Alert should exist for Create Policy Assignment
- Monitor Activity Log Alert should exist for Create or Update Network Security Group
- Monitor Activity Log Alert should exist for Delete Network Security Group
- Monitor Activity Log Alert should exist for Create or Update Network Security Group Rule
- Monitor Activity Log Alert should exist for Delete Network Security Group Rule
- Monitor Activity Log Alert should exist for Create or Update Security Solution
- Monitor Activity Log Alert should exist for Delete Security Solution
- Monitor Activity Log Alert should exist for Create or Update or Delete SQL Server Firewall Rule
- Monitor Activity Log Alert should exist for Update Security Policy
- Azure Kubernetes Service instances should have RBAC enabled
- PostgreSQL Database configuration ‘log_disconnections’ should be on
- PostgreSQL Database configuration ‘log_duration’ should be on
- PostgreSQL Database configuration ‘connection_throttling’ should be on
- PostgreSQL Database configuration ‘log_retention days’ should be greater than 3
- Monitor log profile should be created
- Monitor ‘Activity Log Retention’ should be 365 days or greater
- Monitor audit profile should log all activities
- Monitor log profile should have activity logs for global services and all regions
- Key Vault logging should be enabled
- App Service web app authentication should be enabled
- App Service web apps should have ‘HTTPS only’ enabled
- App Service web apps should have ‘Minimum TLS Version’ set to ‘1.2’
- App Service web apps should have ‘Incoming client certificates’ enabled
- CloudFront distribution viewer certificate should use secure TLS protocol versions (1.2 and above)
- CloudFront distribution custom origins should use secure TLS protocol versions (1.2 and above)
- ELB HTTPS listeners should use secure TLS protocol versions (1.2 and above)
- ELBv2 HTTPS listeners should use secure TLS protocol versions (1.2 and above)
- API Gateway classic custom domains should use secure TLS protocol versions (1.2 and above)