VPC
High
—
us-east-1
vpc-07f3b77c454b3c310
VPC has only one subnet.
For high availability, use multiple subnets in different availability zones. Separate public and private subnets help secure services that don't need public access.
More info
S3
High
—
us-east-1
cf-templates-lqa4fy3xqyy2-us-west-2
Amazon S3 bucket versioning is disabled.
Enable S3 bucket versioning to protect the objects from accidental deletion or overwrite.
More info
S3
High
—
us-east-1
elasticbeanstalk-us-east-1-531239714189
Amazon S3 bucket versioning is disabled.
Enable S3 bucket versioning to protect the objects from accidental deletion or overwrite.
More info
S3
High
—
us-east-1
test-collector
Amazon S3 bucket versioning is disabled.
Enable S3 bucket versioning to protect the objects from accidental deletion or overwrite.
More info
S3
High
—
us-east-1
test-scanner
Amazon S3 bucket versioning is disabled.
Enable S3 bucket versioning to protect the objects from accidental deletion or overwrite.
More info
S3
High
—
us-east-1
test-update
Amazon S3 bucket versioning is disabled.
Enable S3 bucket versioning to protect the objects from accidental deletion or overwrite.
More info
IAM
High
—
us-east-1
amplify-login-lambda-69749404
IAM role "amplify-login-lambda-69749404" was never used.
Consider removing the IAM roles that you are not using.
More info
IAM
High
—
us-east-1
AWS-QuickSetup-StackSet-Local-ExecutionRole
IAM role "AWS-QuickSetup-StackSet-Local-ExecutionRole" must require either MFA or an external ID to designate who can assume the role. The role's misconfigured account is: "arn:aws:iam::531239714189:role/AWS-QuickSetup-StackSet-Local-AdministrationRole".
Update the IAM role, making sure it uses either MFA or an external ID to designate who can assume the role.
More info
IAM
High
—
us-east-1
service-role/AWSDataLifecycleManagerDefaultRoleForAMIManagement
IAM role "AWSDataLifecycleManagerDefaultRoleForAMIManagement" was never used.
Consider removing the IAM roles that you are not using.
More info
IAM
High
—
us-east-1
service-role/DAXtoDynamoDB
IAM role "DAXtoDynamoDB" was never used.
Consider removing the IAM roles that you are not using.
More info
IAM
High
—
us-east-1
ecsSpotFleetRole
IAM role "ecsSpotFleetRole" was never used.
Consider removing the IAM roles that you are not using.
More info
IAM
High
—
us-east-1
EMR_AutoScaling_DefaultRole
IAM role "EMR_AutoScaling_DefaultRole" was never used.
Consider removing the IAM roles that you are not using.
More info
IAM
High
—
us-east-1
service-role/KinesisFirehoseServiceRole-stream3-us-east-1-1614218937171
IAM role "KinesisFirehoseServiceRole-stream3-us-east-1-1614218937171" was never used.
Consider removing the IAM roles that you are not using.
More info
IAM
High
—
us-east-1
my-test-role-no-policies
IAM role "my-test-role-no-policies" must require either MFA or an external ID to designate who can assume the role. The role's misconfigured account is: "arn:aws:iam::531239714189:root".
Update the IAM role, making sure it uses either MFA or an external ID to designate who can assume the role.
More info
IAM
High
—
us-east-1
my-test-role-no-policies
IAM role "my-test-role-no-policies" was never used.
Consider removing the IAM roles that you are not using.
More info
IAM
High
—
us-east-1
service-role/StepFunctions-HelloWorld-role-3938622e
IAM role "StepFunctions-HelloWorld-role-3938622e" was never used.
Consider removing the IAM roles that you are not using.
More info
IAM
High
—
us-east-1
service-role/test-role-5z4s12tw
IAM role "test-role-5z4s12tw" was never used.
Consider removing the IAM roles that you are not using.
More info
IAM
High
—
us-east-1
service-role/test-role-e90ltcu0
IAM role "test-role-e90ltcu0" was never used.
Consider removing the IAM roles that you are not using.
More info
Simple Email Service
High
—
us-west-2
prevasio.io
DomainKeys Identified Mail (DKIM) signing for the domain is disabled.
Enable DKIM to authenticate your email, by entering the specified records into your DNS settings.
More info
CloudTrail
High
—
us-east-1
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
us-east-1
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
us-east-2
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
us-east-2
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
us-west-1
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
us-west-1
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
us-west-2
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
us-west-2
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ap-south-1
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ap-south-1
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ap-northeast-2
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ap-northeast-2
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ap-southeast-1
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ap-southeast-1
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ap-southeast-2
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ap-southeast-2
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ap-northeast-1
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ap-northeast-1
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ca-central-1
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
ca-central-1
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
eu-central-1
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
eu-central-1
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
eu-west-1
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
eu-west-1
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
eu-west-2
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
eu-west-2
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
eu-west-3
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
eu-west-3
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
eu-north-1
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
eu-north-1
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
sa-east-1
my-trail
S3 bucket "prevasio-test-bucket" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
CloudTrail
High
—
sa-east-1
test-trail
S3 bucket "aws-cloudtrail-logs-531239714189-8b5cd0ac" is used by CloudTrail, but it has no S3 Object Lock.
S3 Object Lock has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
us-east-2
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
us-east-2
dynamodb
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
us-west-1
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
us-west-2
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
ap-south-1
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
ap-northeast-2
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
ap-southeast-1
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
ap-southeast-2
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
ap-northeast-1
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
ca-central-1
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
eu-central-1
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
eu-west-1
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
eu-west-2
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
eu-west-3
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
eu-north-1
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
SNS
High
PCI DSS 3.5 HIPAA (Encryption)
sa-east-1
Sophos-Optix-flowlogs-s3-sns-topic
SNS topic is not encrypted
For additional confidentiality, ensure server-side encryption (SSE) is used to store sensitive data in encrypted topics.
More info
CloudFront
High
PCI DSS 4.2 HIPAA (Encryption)
us-east-1
EABCW25ZCESFI
CloudFront distribution is not configured to enforce encryption (using HTTPS) for data in transit.
HIPAA compliance requires all data to be transmitted over secure channels. Edit the distribution's behaviour and set its viewer protocol policy to "HTTPS Only".
More info
CloudFront
High
PCI DSS 10.2 HIPAA (Audit)
us-east-1
EABCW25ZCESFI
CloudFront distribution is not configured to save access logs to an Amazon S3 bucket.
Enable the distribution's access logs to comply with HIPAA (requires access logging for auditing purposes) and PCI DSS (Requirement 10: track and monitor all access to network resources and cardholder data).
More info
SageMaker
High
—
us-east-1
encrypted-notebook
SageMaker notebook instance is publicly accessible.
Make sure the SageMaker notebook does not allow direct internet access. By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users.
More info
SageMaker
High
PCI DSS 3.5 HIPAA (Encryption)
us-east-1
my-motebook-instance
SageMaker notebook data is not encrypted.
To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook.
More info
SageMaker
High
—
us-east-1
my-motebook-instance
SageMaker notebook instance is publicly accessible.
Make sure the SageMaker notebook does not allow direct internet access. By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users.
More info
Athena
High
PCI DSS 3.5 HIPAA (Encryption)
us-east-1
test-workgroup
Athena workgroup uses no encryption at rest.
To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, enable encryption at rest for the Athena workgroup.
More info
API Gateway
High
—
us-east-1
5pxmae2re2
API Gateway has no Web Application Firewall (WAF) enabled in the stage: "beta".
Enable WAF to protect your APIs from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks.
More info
API Gateway
High
—
us-east-2
s87eelcsz6
API Gateway has no client SSL certificate enabled in the stage: "dev".
Add a client SSL certificate to verify the requester's authenticity.
More info
API Gateway
High
—
us-east-2
s87eelcsz6
API Gateway has no active tracing with X-Ray enabled in the stage: "dev".
Enable the X-Ray tracing option in the stage's settings.
More info
API Gateway
High
PCI DSS 10.2 HIPAA (Audit)
us-east-2
s87eelcsz6
API Gateway has neither ERROR nor INFO level of logging enabled in the stage: "dev".
Enable either ERROR or INFO level of logging in the stage's settings.
More info
API Gateway
High
—
us-east-2
s87eelcsz6
API Gateway is not configured to cache, or the cache is not encrypted, in the stage: "dev".
Enable the API cache and the "Encrypt cache data" option in the stage's settings.
More info
API Gateway
High
—
us-west-2
lrybev4omj
API Gateway has no Web Application Firewall (WAF) enabled in the stage: "test".
Enable WAF to protect your APIs from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks.
More info
API Gateway
High
—
us-west-2
lrybev4omj
API Gateway has no client SSL certificate enabled in the stage: "test".
Add a client SSL certificate to verify the requester's authenticity.
More info
API Gateway
High
—
us-west-2
lrybev4omj
API Gateway has no active tracing with X-Ray enabled in the stage: "test".
Enable the X-Ray tracing option in the stage's settings.
More info
SQS
High
PCI DSS 3.5 HIPAA (Encryption)
us-east-1
test-execution-queue-collector
SQS queue is not encrypted.
To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, enable encryption with KMS for all SQS queues.
More info
SQS
High
PCI DSS 3.5 HIPAA (Encryption)
us-east-1
test-queue.fifo
SQS queue is not encrypted.
To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, enable encryption with KMS for all SQS queues.
More info
Certificate Manager
High
—
us-east-1
e06529ef-2812-446e-b5cf-9238ab9e0cfd
ACM certificate validation for "prevasio.com" is using the email validation method.
Make sure AWS Certificate Manager (ACM) can automatically renew SSL/TLS certificates before they expire by using DNS.
More info
Comprehend
High
PCI DSS 3.5 HIPAA (Encryption)
us-east-1
d82797322f0833a4b7811a1d178fca1f
Output result encryption for your Comprehend analysis job "my-job2" is disabled.
To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, make sure your output data is encrypted with a KMS customer-managed key (CMK).
More info
Comprehend
High
PCI DSS 3.5 HIPAA (Encryption)
us-east-1
d82797322f0833a4b7811a1d178fca1f
Encryption for the data in the storage volume of your Comprehend analysis job "my-job2" is disabled.
To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, make sure your data in the storage volume is encrypted with a KMS customer-managed key (CMK).
More info
Route 53
High
—
us-east-1
Z05513561EBVL6AJGPJJY
Route 53 hosted zone contains DNS A records with unused IP address: 127.0.0.1.
Update the hosted zone's DNS records to delete any unused entries.
More info
Route 53
High
—
us-east-1
Z02864622OQ7CZDHNSXB7
Route 53 hosted zone contains DNS A records with unused IP address: 44.192.32.79.
Update the hosted zone's DNS records to delete any unused entries.
More info