lacework-global-34
Ensure no 'root' user account access key exists (Automated)
lacework-global-45
This rule also encompasses lacework-global-485 and lacework-global-486. See Adjusted Controls for CIS AWS 1.4.0 or Adjusted Controls for AWS FSBP Standard for further details.
lacework-global-50
Configure S3 Buckets with 'Block public access (bucket settings)' (Automated)
lacework-global-52
Enable encryption for Relational Database Service (RDS) Instances (Automated)
lacework-global-53
Enable CloudTrail in all regions (Automated)
lacework-global-69
Enable hardware Multi-Factor Authentication (MFA) for the 'root' user account (Manual)
lacework-global-93
Relational Database Service (RDS) should not have a Public Interface
lacework-global-102
Redshift Cluster should not be Publicly Accessible (Automated)
lacework-global-123
OpenSearch Domain should be in Virtual Private Cloud (VPC) (Automated)
lacework-global-128
EC2 instances should not have a Public IP address attached
lacework-global-148
Security group inbound traffic should not allow inbound traffic from all
lacework-global-160
Ensure No Public Elastic Block Store (EBS) Snapshots
lacework-global-215
Security groups should not allow unrestricted access to ports with high risk (Automated)
lacework-global-216
Do not unintentionally delete AWS Key Management Service (KMS) keys (Automated)
lacework-global-367
Neptune DB cluster snapshots should not be public (Automated)
lacework-global-368
Lambda function policies should prohibit public access (Automated)
lacework-global-369
Database Migration Service (DMS) replication instances should not be public (Automated)
lacework-global-370
Relational Database Service (RDS) snapshot should be private (Automated)
lacework-global-371
Elastic Kubernetes Service (EKS) cluster endpoints should not be publicly accessible (Automated)
lacework-global-372
Elastic Kubernetes Service (EKS) clusters should run on a supported Kubernetes version (Automated)
lacework-global-374
Elastic Container Service (ECS) task definitions should not share the host's process namespace (Manual)
lacework-global-375
Elastic Container Service (ECS) containers should run as non-privileged (Manual)
lacework-global-376
Limit Elastic Container Service (ECS) containers to read-only access to root filesystems (Manual)
lacework-global-377
Do not pass secrets as container environment variables (Manual)
lacework-global-378
CloudFront distributions should have a default root object configured (Automated)
lacework-global-379
CodeBuild project environment variables should not contain clear text credentials (Automated)
lacework-global-380
CodeBuild Bitbucket source repository URLs should not contain sensitive credentials (Automated)
lacework-global-381
Systems Manager (SSM) documents should not be public (Automated)
lacework-global-382
Rivest-Shamir-Adleman (RSA) certificates managed by AWS Certificate Manager (ACM) should use a key length of at least 2,048 bits (Automated)
lacework-global-383
Enable automatic minor version upgrades for Relational Database Service (RDS) instances (Automated)
lacework-global-384
Auto Scaling group launch configurations should configure Elastic Compute Cloud (EC2) instances to require Instance Metadata Service Version 2 (IMDSv2) (Automated)
lacework-global-385
Amazon Elastic Compute Cloud (EC2) instances launched using Auto Scaling group launch configurations should not have Public IP addresses (Automated)
lacework-global-386
Deploy Relational Database Service (RDS) instances within a Virtual Private Cloud (VPC) (Automated)
lacework-global-387
CloudFront distributions should not point to non-existent Amazon S3 origins (Automated)
lacework-global-388
Amazon SageMaker notebook instances should not have direct internet access (Automated)
lacework-global-389
Users should not have root access to SageMaker notebook instances (Automated)
lacework-global-390
ElastiCache Redis clusters should have automatic backup enabled (Automated)
lacework-global-391
ElastiCache for Redis cache clusters should have auto minor version upgrade enabled (Automated)
lacework-global-392
Amazon Elastic Map Reduce (EMR) cluster primary nodes should not have public IP addresses (Automated)
lacework-global-393
ElastiCache clusters should not use the default subnet group (Automated)
lacework-global-394
Launch SageMaker notebook instances in a custom Virtual Private Cloud (VPC) (Automated)
lacework-global-395
Amazon Elastic Compute Cloud (EC2) launch templates should not assign public IPs to network interfaces (Manual)
lacework-global-396
Amazon EC2 instances managed by Systems Manager (SSM) should have a patch compliance status of COMPLIANT after a patch installation (Manual)
lacework-global-804
Elastic Container Service (ECS) services should not have public IP addresses assigned to them automatically (Automated)
lacework-global-805
Elastic Container Registry (ECR) private repositories should have image scanning configured (Automated)
lacework-global-806
Amazon EC2 Transit Gateways should not automatically accept Virtual Private Cloud (VPC) attachment requests (Automated)
lacework-global-807
S3 general purpose buckets should block public read access (Automated)
lacework-global-808
S3 general purpose buckets should block public write access (Automated)
lacework-global-809
ElasticSearch Domain should be in Virtual Private Cloud (VPC) (Automated)
lacework-global-810
EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) (Automated)
lacework-global-811
Restrict S3 bucket policy permissions granted to other AWS accounts (Automated)
lacework-global-821
Elastic Beanstalk should have managed platform updates enabled (Automated)
lacework-global-822
Elastic Beanstalk should stream logs to CloudWatch (Automated)
lacework-global-827
GuardDuty not enabled in account (Automated)