Rule Remediation Steps

Here you’ll find rule remediation steps for many common compliance violations. Follow the steps to manually bring resources back into compliance using the AWS Management Console, AWS CLI, Azure Portal, or Azure CLI.

• IAM root user should not be used
• IAM password policies should prevent reuse of previously used passwords
• IAM password policies should expire passwords within 90 days
• IAM root user access key should not exist
• IAM should have virtual MFA enabled for the root account
• IAM should have hardware MFA enabled for the root account
• IAM policies should not be attached to users
• Ensure a support role has been created to manage incidents with AWS Support
• CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only
• CloudFront viewer protocol policy should be set to https-only
• ELBv1 listener protocol should not be set to http
• EC2 instances should have autoscaling groups with two or more availability zones
• EBS volume encryption should be enabled
• CloudFront distributions should have geo-restrictions specified
• AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled
• IAM user access keys should be rotated every 90 days or less
• IAM password policies should require at least one uppercase character
• IAM password policies should require at least one lowercase character
• IAM password policies should require at least one symbol
• IAM password policies should require at least one number
• IAM password policies should require a minimum length of 14
• CloudTrail should be enabled in all regions
• CloudTrail log file validation should be enabled
• S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files
• CloudTrail trails should have CloudWatch log integration enabled
• AWS Config should be enabled in all regions
• S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
• CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured
• Alarm for denied connections in CloudFront logs should be configured
• CloudTrail log files should be encrypted using KMS CMKs
• KMS CMK rotation should be enabled
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs
• ELBv1 load balancer cross zone load balancing should be enabled
• VPC security group inbound rules should not permit ingress from any address to all ports and protocols
• VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
• VPC flow logs should be sent to CloudWatch logs
• SQS access policies should not have global “.” access
• VPC flow logging should be enabled
• CloudWatch log metric filter and alarm for unauthorized API calls should be configured
• CloudWatch log metric filter and alarm for VPC security group changes should be configured
• CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured
• CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured
• CloudWatch log metric filter and alarm for VPC route table changes should be configured
• CloudWatch log metric filter and alarm for VPC changes should be configured
• CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured
• CloudWatch log metric filter and alarm for usage of root account should be configured
• CloudWatch log metric filter and alarm for IAM policy changes should be configured
• CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured
• CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
• ELBv1 load balancer access logging should be enabled
• CloudFront access logging should be enabled
• CloudWatch log groups should be encrypted with KMS CMKs
• DynamoDB tables should be encrypted with KMS CMKs
• SQS queue server-side encryption should be enabled (AWS-managed keys)
• CloudFront distributions should be protected by WAFs
• CloudWatch log metric filter and alarm for disabling or scheduled deletion of KMS CMKs should be configured
• CloudWatch log metric filter and alarm should be set for S3 bucket policy changes
• CloudWatch log metric filter and alarm should be set for Config configuration changes
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
• IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)
• IAM password policies should prevent reuse of the four previously used passwords
• VPC default security group should restrict all traffic
• IAM policies should not have full “*:*” administrative privileges
• RDS instances should be encrypted (AWS-managed keys or KMS CMKs)
• RDS instances should have FedRAMP approved database engines
• RDS instances should be encrypted with KMS CMKs
• S3 bucket server side encryption should be enabled
• S3 bucket policies should only allow requests that use HTTPS
• S3 bucket versioning and lifecycle policies should be enabled
• ELB listener security groups should not be set to TCP all
• VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports
• VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
• ElastiCache transport encryption should be enabled
• DynamoDB tables Point in Time Recovery should be enabled
• RDS instances should have backup retention periods configured
• IAM multi-factor authentication should be enabled for all IAM users that have a console password
• Storage Accounts ‘Secure transfer required’ should be enabled
• Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)
• Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)
• Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols
• S3 bucket policies should not allow all actions for all principals
• S3 bucket policies should not allow list actions for all principals
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
• VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
• IAM role trust policies should not allow all principals to assume the role
• IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
• SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0