📄️ lacework-global-89
EC2 instance does not have any tags
📄️ lacework-global-90
Encrypt Elastic Block Store (EBS) Volumes
📄️ lacework-global-91
Encrypt Redshift Clusters
📄️ lacework-global-92
Do not use server certificates uploaded before Heartbleed vulnerability
📄️ lacework-global-93
Relational Database Service (RDS) should not have a Public Interface
📄️ lacework-global-94
Ensure the S3 bucket requires Multi-Factor Authentication (MFA) to delete objects
📄️ lacework-global-95
Ensure the S3 bucket has access logging enabled
📄️ lacework-global-97
Ensure the S3 bucket has versioning enabled
📄️ lacework-global-98
Ensure the attached S3 bucket policy does not grant global 'Get' permission (Automated)
📄️ lacework-global-99
Ensure the attached S3 bucket policy does not grant global 'Delete' permission (Automated)
📄️ lacework-global-100
Ensure the attached S3 bucket policy does not grant global 'List' permission (Automated)
📄️ lacework-global-101
Ensure the attached S3 bucket policy does not grant global 'Put' permission (Automated)
📄️ lacework-global-102
Redshift Cluster should not be Publicly Accessible (Automated)
📄️ lacework-global-103
Deploy EC2 instances in EC2-VPC platform
📄️ lacework-global-104
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 3306 (MySQL)
📄️ lacework-global-105
No Identity and Access Management (IAM) users with password-based console access should exist
📄️ lacework-global-106
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5432 (PostgreSQL)
📄️ lacework-global-107
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 1433 (SQLServer)
📄️ lacework-global-108
Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 1434 (SQLServer)
📄️ lacework-global-109
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (Mini SQL (mSQL))
📄️ lacework-global-110
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (Virtual Network Computing (VNC) Listener)
📄️ lacework-global-111
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (Virtual Network Computing (VNC) Server)
📄️ lacework-global-112
Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 137 (NetBIOS)
📄️ lacework-global-113
Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 138 (NetBIOS)
📄️ lacework-global-114
Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 445 (Common Internet File System (CIFS))
📄️ lacework-global-115
Rotate access keys every 30 days or less
📄️ lacework-global-116
Rotate access keys every 45 days or less
📄️ lacework-global-117
Rotate public ssh keys every 30 days or less
📄️ lacework-global-118
Rotate public ssh keys every 45 days or less
📄️ lacework-global-119
Rotate public ssh keys every 90 days or less
📄️ lacework-global-120
Deactivate access keys not used in 90 days
📄️ lacework-global-121
Identity and Access Management (IAM) user should not be inactive for more than 30 days
📄️ lacework-global-122
Exposed OpenSearch Domain
📄️ lacework-global-123
OpenSearch Domain should be in Virtual Private Cloud (VPC) (Automated)
📄️ lacework-global-124
OpenSearch Domain should have Encryption At Rest enabled
📄️ lacework-global-125
CloudFront Origin Protocol Policy should explicitly set https-only or reflect the viewer policy configuration
📄️ lacework-global-126
CloudFront Origin SSL Protocols should not use insecure Ciphers
📄️ lacework-global-127
Security group should not allow inbound traffic from all to all Internet Control Message Protocol (ICMP)
📄️ lacework-global-128
EC2 instances should not have a Public IP address attached
📄️ lacework-global-129
CloudFront Viewer Protocol Policy should use https-only or redirect-to-https
📄️ lacework-global-130
Ensure the bucket Access Control List (ACL) does not grant 'Everyone' READ permission [list S3 objects]
📄️ lacework-global-131
Ensure the bucket Access Control List (ACL) does not grant 'Everyone' write permission [create, overwrite, and delete S3 objects]
📄️ lacework-global-132
Ensure the bucket Access Control List (ACL) does not grant 'Everyone' READ_ACP permission [read bucket ACL]
📄️ lacework-global-133
Ensure the bucket Access Control List (ACL) does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL]
📄️ lacework-global-134
Ensure the bucket Access Control List (ACL) does not grant 'Everyone' FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP]
📄️ lacework-global-135
Ensure the bucket Access Control List (ACL) does not grant AWS users READ permission [list S3 objects]
📄️ lacework-global-136
Ensure the bucket Access Control List (ACL) does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects]
📄️ lacework-global-137
Ensure the bucket Access Control List (ACL) does not grant AWS users READ_ACP permission [read bucket ACL]
📄️ lacework-global-138
Ensure the bucket Access Control List (ACL) does not grant AWS users WRITE_ACP permission [modify bucket ACL]
📄️ lacework-global-139
Ensure the bucket Access Control List (ACL) does not grant AWS users FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP]
📄️ lacework-global-140
Ensure the attached S3 bucket policy does not grant 'Allow' permission to everyone (Automated)
📄️ lacework-global-141
Rotate access keys every 180 days or less
📄️ lacework-global-142
Rotate access keys every 350 days or less
📄️ lacework-global-143
Lambda Function should have tracing enabled
📄️ lacework-global-144
Lambda Function should not have Virtual Private Cloud (VPC) access
📄️ lacework-global-145
Network Access Control Lists (ACL) do not allow unrestricted inbound traffic
📄️ lacework-global-146
Network Access Control Lists (ACL) do not allow unrestricted outbound traffic
📄️ lacework-global-147
Exposed AWS Virtual Private Cloud (VPC) endpoints
📄️ lacework-global-148
Security group inbound traffic should not allow inbound traffic from all
📄️ lacework-global-149
Security group inbound traffic should not allow traffic except port 80 and 443
📄️ lacework-global-150
Security Group should not allow inbound traffic from all to TCP port 9200 or 9300 (OpenSearch/Elasticsearch)
📄️ lacework-global-151
Security Group should not allow inbound traffic from all to TCP port 5601 (Kibana)
📄️ lacework-global-152
Security Group should not allow inbound traffic from all to TCP port 6379 (Redis)
📄️ lacework-global-153
Security Group should not allow inbound traffic from all to TCP port 2379 (etcd)
📄️ lacework-global-154
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 23 (Telnet)
📄️ lacework-global-155
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows Remote Procedure Call (RPC))
📄️ lacework-global-156
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows Server Message Block (SMB))
📄️ lacework-global-157
No Default Virtual Private Cloud (VPC) should be present in an AWS account
📄️ lacework-global-159
Load Balancers should have Access Logs enabled
📄️ lacework-global-160
Ensure No Public Elastic Block Store (EBS) Snapshots
📄️ lacework-global-161
OpenSearch Domain should have Encryption with Customer-Managed Key Management Service (KMS) Keys
📄️ lacework-global-171
Encrypt Relational Database Service (RDS) database with customer managed Key Management Service (KMS) key
📄️ lacework-global-179
Lambda Function should not have Admin Privileges
📄️ lacework-global-180
Lambda Function should not have Cross Account Access
📄️ lacework-global-181
Ensure non-root user exists in the account
📄️ lacework-global-182
Ensure Elastic Load Balancer (ELB) has latest Secure Cipher policies Configured for Session Encryption
📄️ lacework-global-183
Ensure Elastic Load Balancer (ELB) is not affected by POODLE Vulnerability (CVE-2014-3566)
📄️ lacework-global-184
Elastic Load Balancer (ELB) should not use insecure Ciphers
📄️ lacework-global-196
EC2 instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB)
📄️ lacework-global-197
Elastic Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB)
📄️ lacework-global-198
Application Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB)
📄️ lacework-global-199
Security group attached to Application Load Balancer should not allow inbound traffic from all
📄️ lacework-global-217
Ensure the S3 bucket has default server-side encryption enabled
📄️ lacework-global-218
EC2 instance should not allow inbound traffic from all to TCP port 21
📄️ lacework-global-219
EC2 instance should not allow inbound traffic from all to TCP port 20
📄️ lacework-global-220
EC2 instance should not allow inbound traffic from all to TCP port 25
📄️ lacework-global-221
EC2 instance should not allow inbound traffic from all to TCP port 53
📄️ lacework-global-222
EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 53
📄️ lacework-global-223
Elastic Load Balancer (ELB) Security Group should have Outbound Rules attached to it
📄️ lacework-global-224
Ensure Elastic Load Balancer V2 (ELBV2) has latest Secure Cipher policies Configured for Session Encryption
📄️ lacework-global-225
Elastic Load Balancer (ELB) SSL Certificate expires in 5 Days
📄️ lacework-global-226
Elastic Load Balancer (ELB) SSL Certificate expires in 45 Days
📄️ lacework-global-227
Security groups are not attached to an in-use network interface
📄️ lacework-global-228
Security group attached to EC2 instance should not allow inbound traffic from all ports
📄️ lacework-global-229
Security group attached to Relational Database Service (RDS) DB instance should not allow inbound traffic from all ports
📄️ lacework-global-230
Security group attached to Network Interface should not allow inbound traffic from all ports
📄️ lacework-global-231
Security group attached to Elastic Load Balancer should not allow inbound traffic from all ports
📄️ lacework-global-482
Classic LBs should have a valid and secure security group
📄️ lacework-global-483
Elastic Load Balancer (ELB) security group should restrict egress and ingress (Automated)