Rule Remediation Steps
Here you’ll find rule remediation steps for many common compliance violations. Follow the steps to manually bring resources back into compliance using the AWS Management Console, AWS CLI, Azure Portal, or Azure CLI.
- IAM root user should not be used
- IAM password policies should prevent reuse of previously used passwords
- IAM password policies should expire passwords within 90 days
- IAM root user access key should not exist
- IAM should have MFA enabled for the root account
- IAM should have hardware MFA enabled for the root account
- IAM policies should not be attached to users
- Ensure a support role has been created to manage incidents with AWS Support
- CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only
- CloudFront viewer protocol policy should be set to https-only or redirect-to-https
- ELBv1 listener protocol should not be set to http
- Auto Scaling groups should span two or more availability zones
- EBS volume encryption should be enabled
- CloudFront distributions should have geo-restrictions specified
- AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled
- IAM user access keys should be rotated every 90 days or less
- IAM password policies should require at least one uppercase character
- IAM password policies should require at least one lowercase character
- IAM password policies should require at least one symbol
- IAM password policies should require at least one number
- IAM password policies should require a minimum length of 14
- CloudTrail should be enabled in all regions
- CloudTrail log file validation should be enabled
- S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files
- CloudTrail trails should have CloudWatch log integration enabled
- AWS Config should be enabled in all regions
- S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
- CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured
- Alarm for denied connections in CloudFront logs should be configured
- CloudTrail log files should be encrypted with customer managed KMS keys
- KMS CMK rotation should be enabled
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs
- ELBv1 load balancer cross zone load balancing should be enabled
- VPC security group inbound rules should not permit ingress from a public address to all ports and protocols
- VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
- VPC flow logs should be sent to CloudWatch logs
- SQS access policies should not have global "*.*" access
- SNS subscriptions should deny access via HTTP
- VPC flow logging should be enabled
- CloudWatch log metric filter and alarm for unauthorized API calls should be configured
- CloudWatch log metric filter and alarm for VPC security group changes should be configured
- CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured
- CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured
- CloudWatch log metric filter and alarm for VPC route table changes should be configured
- CloudWatch log metric filter and alarm for VPC changes should be configured
- CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured
- CloudWatch log metric filter and alarm for usage of root account should be configured
- CloudWatch log metric filter and alarm for IAM policy changes should be configured
- CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured
- CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
- Load balancer access logging should be enabled
- CloudFront access logging should be enabled
- CloudWatch log groups should be encrypted with customer managed KMS keys
- DynamoDB tables should be encrypted with AWS or customer managed KMS keys
- SQS queue server-side encryption should be enabled with KMS keys
- CloudFront distributions should be protected by WAFs
- CloudWatch log metric filter and alarm for disabling or scheduled deletion of customer managed KMS keys should be configured
- CloudWatch log metric filter and alarm should be set for S3 bucket policy changes
- CloudWatch log metric filter and alarm should be set for Config configuration changes
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
- IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)
- IAM password policies should prevent reuse of the four previously used passwords
- VPC default security group should restrict all traffic
- IAM policies should not have full “*:*” administrative privileges
- RDS instances and Aurora DB clusters should be encrypted
- RDS instances should have FedRAMP approved database engines
- RDS instances should be encrypted with customer managed KMS keys
- S3 bucket server-side encryption should be enabled
- S3 bucket policies should only allow requests that use HTTPS
- S3 bucket versioning and lifecycle policies should be enabled
- ELB listener security groups should not be set to TCP all
- VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports
- VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
- ElastiCache transport encryption should be enabled
- DynamoDB tables Point in Time Recovery should be enabled
- RDS instances should have backup retention periods configured
- IAM multi-factor authentication should be enabled for all IAM users that have a console password
- Storage Accounts ‘Secure transfer required’ should be enabled
- Storage Account default network access rules should deny all traffic
- Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)
- Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)
- Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols
- Virtual Network Network Watcher should be enabled
- Virtual Machines data disks (non-boot volumes) should be encrypted
- Virtual Machines unattached disks should be encrypted
- Blob Storage containers should have public access disabled
- Storage Accounts should have ‘Trusted Microsoft Services’ enabled
- RDS Aurora cluster multi-AZ should be enabled
- S3 bucket policies should not allow all actions for all IAM principals and public users
- S3 bucket policies should not allow list actions for all IAM principals and public users
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
- IAM policies should not allow broad list actions on S3 buckets
- IAM role trust policies should not allow all principals to assume the role
- IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
- SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0
- MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
- PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
- Ensure Azure Application Gateway Web application firewall (WAF) is enabled
- MySQL Database server “enforce SSL connection” should be enabled
- PostgreSQL Database server “enforce SSL connection” should be enabled
- Key Vault ‘Enable Soft Delete’ and ‘Enable Purge Protection’ should be enabled
- S3 buckets should have all “block public access” options enabled
- VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP)
- CloudTrail trails should be configured to log data events for S3 buckets
- Exactly one CloudTrail trail should monitor global services
- CloudTrail trails should be configured to log management events
- CloudTrail should have at least one CloudTrail trail set to a multi-region trail
- CloudTrail trails should not be associated with missing SNS topics
- AWS CloudWatch alarms should have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBIOS Datagram Service)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBIOS Session Service)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 1433 (MSSQL Server)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin)
- Require Multi Availability Zones turned on for RDS Instances
- KMS master keys should not be publicly accessible
- EC2 instances should use IAM roles and instance profiles instead of IAM access keys to perform requests
- IAM roles used for trust relationships should have MFA or external IDs
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate)
- Redshift cluster ‘Publicly Accessible’ should not be enabled
- EC2 instances should not have a public IP association (IPv4)
- IAM users should be members of at least one group
- IAM users should have MFA (virtual or hardware) enabled
- S3 bucket access logging should be enabled
- S3 bucket replication (cross-region or same-region) should be enabled
- Lambda function policies should not allow global access
- S3 buckets should not be publicly readable
- RDS instance ‘Publicly Accessible’ should not be enabled
- S3 bucket policies and ACLs should not be configured for public read access
- RDS instance ‘Deletion Protection’ should be enabled
- SQL Server auditing should be enabled
- SQL Server auditing retention should be 90 days or greater
- Virtual Network security group flow log retention period should be set to 90 days or greater
- Active Directory custom subscription owner roles should not be created
- Security Center pricing tier should be set to ‘Standard’
- Security Center default policy setting ‘Monitor System Updates’ should be enabled
- Security Center default policy setting ‘Monitor OS Vulnerabilities’ should be enabled
- Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled
- Security Center default policy setting ‘Monitor Disk Encryption’ should be enabled
- Security Center default policy setting ‘Monitor Network Security Groups’ should be enabled
- Security Center default policy setting ‘Monitor Web Application Firewall’ should be enabled
- Security Center default policy setting ‘Enable Next Generation Firewall (NGFW) Monitoring’ should be enabled
- Security Center default policy setting ‘Monitor Vulnerability Assessment’ should be enabled
- Security Center default policy setting “Monitor Storage Blob Encryption” should be enabled
- Security Center default policy setting “Monitor JIT Network Access” should be enabled
- Security Center default policy setting “Monitor Adaptive Application Whitelisting” should be enabled
- Security Center default policy setting “Monitor SQL Auditing” should be enabled
- Security Center default policy setting “Monitor SQL Encryption” should be enabled
- Security Center contact emails should be set
- PostgreSQL Database configuration ‘log_checkpoints’ should be on
- PostgreSQL Database configuration ‘log_connections’ should be on
- Monitor Activity Log Alert should exist for Create Policy Assignment
- Monitor Activity Log Alert should exist for Create or Update Network Security Group
- Monitor Activity Log Alert should exist for Delete Network Security Group
- Monitor Activity Log Alert should exist for Create or Update Network Security Group Rule
- Monitor Activity Log Alert should exist for Delete Network Security Group Rule
- Monitor Activity Log Alert should exist for Create or Update Security Solution
- Monitor Activity Log Alert should exist for Delete Security Solution
- Monitor Activity Log Alert should exist for Create or Update or Delete SQL Server Firewall Rule
- Monitor Activity Log Alert should exist for Update Security Policy
- Azure Kubernetes Service instances should have RBAC enabled
- PostgreSQL Database configuration ‘log_disconnections’ should be on
- PostgreSQL Database configuration ‘log_duration’ should be on
- PostgreSQL Database configuration ‘connection_throttling’ should be on
- PostgreSQL Database configuration ‘log_retention days’ should be greater than 3
- Monitor log profile should be created
- Monitor ‘Activity Log Retention’ should be 365 days or greater
- Monitor audit profile should log all activities
- Monitor log profile should have activity logs for global services and all regions
- Key Vault logging should be enabled
- App Service web app authentication should be enabled
- App Service web apps should have ‘HTTPS only’ enabled
- App Service web apps should have ‘Minimum TLS Version’ set to ‘1.2’
- App Service web apps should have ‘Incoming client certificates’ enabled
- VPC security group inbound rules should not permit ingress from any address to all ports and protocols
- IAM users should only have one active access key available
- S3 bucket object-level logging for write events should be enabled
- S3 bucket object-level logging for read events should be enabled
- CloudWatch log metric filter and alarm for AWS Organizations changes should be configured for the master account
- VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 22
- VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 3389
- ECS task definitions should not use the root user
- ECS task definitions should be configured with a health check
- ECS task definitions should not add Linux capabilities beyond defaults and should drop ‘NET_RAW’
- ECS task definitions should not mount sensitive host system directories
- ECS task definitions should limit memory usage for containers
- ECS task definitions should set CPU limit for containers
- ECS task definitions should mount the container’s root filesystem as read-only
- ECS container definitions should not mount volumes with mount propagation set to shared
- ECS tasks should be configured with a health check
- CloudFront distribution viewer certificate should use secure TLS protocol versions (1.2 and above)
- CloudFront distribution custom origins should use secure TLS protocol versions (1.2 and above)
- ELB HTTPS listeners should use secure TLS protocol versions (1.2 and above)
- ELBv2 HTTPS listeners should use secure TLS protocol versions (1.2 and above)
- API Gateway classic custom domains should use secure TLS protocol versions (1.2 and above)
- API Gateway v2 custom domains should use secure TLS protocol versions (1.2 and above)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ except to ports 80 and 443
- KMS crypto keys should be rotated at least once every 365 days
- VPC firewall rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
- Service accounts should only have Google-managed service account keys
- User-managed service accounts should not have admin privileges
- IAM users should not have project-level ‘Service Account User’ or ‘Service Account Token Creator’ roles
- KMS keys should not be anonymously or publicly accessible
- KMS keys should be rotated every 90 days or less
- IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles
- IAM default audit log config should include ‘DATA_READ’ and ‘DATA_WRITE’ log types
- IAM default audit log config should not exempt any users
- At least one project-level logging sink should be configured with an empty filter
- Logging storage bucket retention policies and Bucket Lock should be configured
- Logging metric filter and alert for project ownership assignments/changes should be configured
- Logging metric filter and alert for network firewall rule changes should be configured
- Logging metric filter and alert for network route changes should be configured
- Logging metric filter and alert for network changes should be configured
- Logging metric filter and alert for Storage IAM permission changes should be configured
- Logging metric filter and alert for SQL instance configuration changes should be configured
- The default network for a project should be deleted
- Networks should not be in legacy mode
- DNS managed zone DNSSEC should be enabled
- DNS managed zone DNSSEC key-signing keys should not use RSASHA1
- DNS managed zone DNSSEC zone-signing keys should not use RSASHA1
- Network firewall rules should not permit ingress from 0.0.0.0/0 to port 22 (SSH)
- Network firewall rules should not permit ingress from 0.0.0.0/0 to port 3389 (RDP)
- Network subnet flow logs should be enabled
- Load balancer HTTPS or SSL proxy SSL policies should not have weak cipher suites
- Compute instances should not use the default service account
- Compute instances should not use the default service account with full access to all Cloud APIs
- Compute instance ‘block-project-ssh-keys’ should be enabled
- Compute project metadata ‘OS Login’ should be enabled
- Compute instances ‘Enable connecting to serial ports’ should not be enabled
- Compute instances ‘IP forwarding’ should not be enabled
- Compute instance disks should be encrypted with customer-supplied encryption keys (CSEKs)
- Compute instance Shielded VM should be enabled
- Compute instances should not have public IP addresses
- Storage bucket uniform access control should be enabled
- MySQL database instance ‘local_infile’ database flag should be set to ‘off’
- PostgreSQL database instance ‘log_checkpoints’ database flag should be set to ‘on’
- PostgreSQL database instance ‘log_connections’ database flag should be set to ‘on’
- PostgreSQL database instance ‘log_disconnections’ database flag should be set to ‘on’
- PostgreSQL database instance ‘log_lock_waits’ database flag should be set to ‘on’
- PostgreSQL database instance ‘log_min_messages’ database flag should be set appropriately
- PostgreSQL database instance ‘log_temp_files’ database flag should be set to ‘0’ (on)
- PostgreSQL database instance ‘log_min_duration_statement’ database flag should be set to ‘-1’ (disabled)
- SQL Server database instance ‘cross db ownership chaining’ database flag should be set to ‘off’
- SQL Server database instance ‘contained database authentication’ database flag should be set to ‘off’
- SQL database instances should require incoming connections to use SSL
- SQL database instances should not permit access from 0.0.0.0/0
- SQL database instances should not have public IPs
- SQL database instance automated backups should be enabled
- BigQuery datasets should not be anonymously or publicly accessible
- VPC subnet ‘Private Google Access’ should be enabled
- Custom Role should be assigned for administering resource locks
- Storage Account queue service logging should be enabled for read, write, and delete requests
- Storage Account soft delete should be enabled
- Storage Accounts for critical data should be encrypted with Customer Managed Keys
- Storage Accounts that include activity logs should be encrypted with Customer Managed Keys
- Monitor Activity Log alert should be configured for ‘Delete Policy Assignment’
- Network security groups should not permit ingress from the internet to UDP ports
- Virtual Machines should use Managed Disks
- Virtual Machine OS and data disks should be encrypted with Customer Managed Keys
- Virtual Machine unattached managed disks should be encrypted with Customer Managed Keys
- Key Vault keys should have an expiration date
- Key Vault secrets should have an expiration date
- App Service web apps should use a system-assigned managed service identity
- App Service web app HTTP version should be the latest
- App Service web app FTP deployments should be disabled
- Azure Defender should be enabled for Virtual Machines
- Azure Defender should be enabled for App Services
- Azure Defender should be enabled for SQL Servers
- Azure Defender should be enabled for SQL Servers on Virtual Machines
- Azure Defender should be enabled for Storage Accounts
- Azure Defender should be enabled for Kubernetes Services
- Azure Defender should be enabled for Container Registries
- Azure Defender should be enabled for Key Vaults
- SQL Server vulnerability assessments should be enabled
- SQL Server ‘periodic recurring scans’ for vulnerability assessments should be enabled
- SQL Server ‘send scan reports’ for vulnerability assessments should be enabled
- SQL Server ‘also send email notifications to admins and subscription owners’ for vulnerability assessments should be enabled
- Virtual Machine legacy virtual hard disks should be encrypted
- Security Center ‘Send email notification for high severity alerts’ should be enabled
- Security Center setting ‘All users with the following roles’ should be set to ‘Owner’
- SQL Database transparent data encryption should be enabled
- SQL Server Active Directory Admin should be configured
- SQL Server TDE protector should be encrypted with a Key Vault CMK
- Security Center monitoring agent should be automatically provisioned
- The ‘cluster-admin’ role should not be used
- Roles and cluster roles should not grant ‘get’, ‘list’, or ‘watch’ permissions for secrets
- Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries
- Roles and cluster roles should not grant ‘create’ permissions for pods
- Default service account ‘automountServiceAccountToken’ should be set to ‘false’
- Service account ‘automountServiceAccountToken’ should be set to ‘false’
- Pods should not run privileged containers
- Pods should not run containers wishing to share the host process ID namespace
- Pods should not run containers wishing to share the host IPC namespace
- Pods should not run containers wishing to share the host network namespace
- Pods should not run containers with allowPrivilegeEscalation
- Pods should not run containers as the root user
- Pods should not run containers with the NET_RAW capability
- Pods should not run containers with added capabilities
- Pods should not run containers with default capabilities assigned
- Pods should not use secrets stored in environment variables
- Pod seccomp profile should be set to ‘docker/default’
- Pods and containers should apply a security context
- The default namespace should not be used
- Roles and cluster roles should not be bound to the default service account
- Lambda permissions with a service principal should apply to only one resource and AWS account
- WAFv2 web ACLs should include the ‘AWSManagedRulesKnownBadInputsRuleSet’ managed rule group
- Account alternate contact should be configured