Medium severity CSPM issues (136)
Severity Non-Compliance Region Resource Issue Remediation Read more Action
EC2 Medium us-east-1 i-00dac9a2d32a3cd01 EC2 Instance uses public IP address. If you do not need your EC2 instance to be reachable from the Internet, remove the public IP address from it. More info
EC2 Medium us-east-1 i-0ece894d6d29136f5 EC2 Instance uses public IP address. If you do not need your EC2 instance to be reachable from the Internet, remove the public IP address from it. More info
EC2 Medium us-east-1 vol-004919a0d32e05d34 No Lifecycle Policy configured. Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies. More info
EC2 Medium CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption) us-east-1 vol-004919a0d32e05d34 No EBS encryption found. Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt. More info
EC2 Medium us-east-1 vol-074257a397fadc9ec No Lifecycle Policy configured. Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies. More info
EC2 Medium CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption) us-east-1 vol-074257a397fadc9ec No EBS encryption found. Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt. More info
EC2 Medium us-east-2 eipalloc-0cc2fb68d9464496b Elastic IP not associated with any resource. Delete the unused IP to avoid an hourly charge for an Elastic IP address not associated with any running instance. More info
EC2 Medium us-east-2 eipalloc-0c40ecff557dc093e Elastic IP not associated with any resource. Delete the unused IP to avoid an hourly charge for an Elastic IP address not associated with any running instance. More info
EC2 Medium us-east-2 eipalloc-0af2a290d5e8fcc87 Elastic IP not associated with any resource. Delete the unused IP to avoid an hourly charge for an Elastic IP address not associated with any running instance. More info
EC2 Medium us-east-2 eipalloc-01ab2c85c31e3bb51 Elastic IP not associated with any resource. Delete the unused IP to avoid an hourly charge for an Elastic IP address not associated with any running instance. More info
EC2 Medium us-west-2 EC2ContainerService-Rony-EFC-ECS-Test-EcsInstanceAsg-1BNE3TD6NPE91 Auto Scaling group does not have activity notification configured. Create activity notification for your Auto Scaling group. More info
EC2 Medium us-west-2 i-0362782bc36ed6a41 EC2 Instance uses public IP address. If you do not need your EC2 instance to be reachable from the Internet, remove the public IP address from it. More info
EC2 Medium us-west-2 i-0f55b11c76adbbe3d EC2 Instance uses public IP address. If you do not need your EC2 instance to be reachable from the Internet, remove the public IP address from it. More info
EC2 Medium us-west-2 i-0c1b1df0b7efb0b57 EC2 Instance uses public IP address. If you do not need your EC2 instance to be reachable from the Internet, remove the public IP address from it. More info
EC2 Medium us-west-2 i-0c1b1df0b7efb0b57 Found 1 overlap in the security group rules: "tcp:80 [0.0.0.0/0]" in "eks-cluster-sg-test-fargate-west2-1589044931", "EFS-access-4-Cluster-Rony-EFC-ECS-Test". To reduce the risk of unintended access to the instance, analyse your security groups and remove any overlaps among the rules. More info
EC2 Medium us-west-2 vol-05830c14eadc21ea2 No Lifecycle Policy configured. Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies. More info
EC2 Medium CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption) us-west-2 vol-05830c14eadc21ea2 No EBS encryption found. Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt. More info
EC2 Medium us-west-2 vol-06d98619c32de5968 No Lifecycle Policy configured. Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies. More info
EC2 Medium CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption) us-west-2 vol-06d98619c32de5968 No EBS encryption found. Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt. More info
EC2 Medium us-west-2 vol-0ee3ff4a2100dc2f3 No Lifecycle Policy configured. Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies. More info
EC2 Medium CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption) us-west-2 vol-0ee3ff4a2100dc2f3 No EBS encryption found. Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt. More info
EC2 Medium us-west-2 vol-0dbacadab7b315e80 No Lifecycle Policy configured. Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies. More info
EC2 Medium CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption) us-west-2 vol-0dbacadab7b315e80 No EBS encryption found. Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt. More info
EC2 Medium us-west-2 vol-0987ccd97176d01ee No Lifecycle Policy configured. Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies. More info
EC2 Medium CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption) us-west-2 vol-0987ccd97176d01ee No EBS encryption found. Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt. More info
VPC Medium CIS 3.9 PCI DSS 10.2 HIPAA (Audit) us-east-1 vpc-07f3b77c454b3c310 VPC Flow Logs are disabled. Ensure VPC flow logging is enabled in all VPCs. More info
VPC Medium CIS 3.9 PCI DSS 10.2 HIPAA (Audit) us-east-1 vpc-071a12f8ec7613303 VPC Flow Logs are disabled. Ensure VPC flow logging is enabled in all VPCs. More info
VPC Medium CIS 3.9 PCI DSS 10.2 HIPAA (Audit) us-east-1 vpc-073764f023b9a5efc VPC Flow Logs are disabled. Ensure VPC flow logging is enabled in all VPCs. More info
VPC Medium us-east-1 vgw-0ffb876255b0b6b8e Virtual Private Gateway not in use. Consider deleting any unused Virtual Private Gateways. More info
VPC Medium CIS 3.9 PCI DSS 10.2 HIPAA (Audit) us-east-2 vpc-02585025ab31219f8 VPC Flow Logs are disabled. Ensure VPC flow logging is enabled in all VPCs. More info
VPC Medium CIS 3.9 PCI DSS 10.2 HIPAA (Audit) us-east-2 vpc-0d6a54312c6027726 VPC Flow Logs are disabled. Ensure VPC flow logging is enabled in all VPCs. More info
VPC Medium CIS 3.9 PCI DSS 10.2 HIPAA (Audit) us-east-2 vpc-0c15019aee6c8423e VPC Flow Logs are disabled. Ensure VPC flow logging is enabled in all VPCs. More info
VPC Medium CIS 3.9 PCI DSS 10.2 HIPAA (Audit) us-west-1 vpc-72ea2314 VPC Flow Logs are disabled. Ensure VPC flow logging is enabled in all VPCs. More info
VPC Medium CIS 3.9 PCI DSS 10.2 HIPAA (Audit) us-west-2 vpc-033848556cef01aca VPC Flow Logs are disabled. Ensure VPC flow logging is enabled in all VPCs. More info
VPC Medium CIS 3.9 PCI DSS 10.2 HIPAA (Audit) us-west-2 vpc-0ed42ee2ea7505377 VPC Flow Logs are disabled. Ensure VPC flow logging is enabled in all VPCs. More info
VPC Medium CIS 3.9 PCI DSS 10.2 HIPAA (Audit) us-west-2 vpc-05461e6842795a02d VPC Flow Logs are disabled. Ensure VPC flow logging is enabled in all VPCs. More info
S3 Medium us-east-1 cf-templates-lqa4fy3xqyy2-us-west-2 Amazon S3 bucket is missing Public Access Block configuration. To ensure that public access to all your S3 buckets and objects is blocked, turn on Public Access Block. More info
S3 Medium us-east-1 cf-templates-lqa4fy3xqyy2-us-west-2 Amazon S3 bucket uses server-side encryption with Amazon S3-managed encryption keys (SSE-S3). For more control over the data-at-rest encryption, use server-side encryption with customer-provided encryption keys (SSE-C). More info
S3 Medium CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption) us-east-1 cf-templates-lqa4fy3xqyy2-us-west-2 Amazon S3 bucket policy was not found. Add S3 bucket policy to require encryption during data transit. To be compliant, the policy should explicitly deny access to HTTP requests. More info
S3 Medium us-east-1 elasticbeanstalk-us-east-1-531239714189 Amazon S3 bucket is missing Public Access Block configuration. To ensure that public access to all your S3 buckets and objects is blocked, turn on Public Access Block. More info
S3 Medium CIS 2.1.1 PCI DSS 3.5 HIPAA (Encryption) us-east-1 elasticbeanstalk-us-east-1-531239714189 Amazon S3 bucket server-side encryption is disabled. Enable server-side encryption for S3 buckets to protect your data. More info
S3 Medium CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption) us-east-1 elasticbeanstalk-us-east-1-531239714189 Amazon S3 bucket policy was not found. Add S3 bucket policy to require encryption during data transit. To be compliant, the policy should explicitly deny access to HTTP requests. More info
S3 Medium us-east-1 test-collector Amazon S3 bucket uses server-side encryption with Amazon S3-managed encryption keys (SSE-S3). For more control over the data-at-rest encryption, use server-side encryption with customer-provided encryption keys (SSE-C). More info
S3 Medium CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption) us-east-1 test-collector Amazon S3 bucket policy was not found. Add S3 bucket policy to require encryption during data transit. To be compliant, the policy should explicitly deny access to HTTP requests. More info
S3 Medium us-east-1 test-resources Amazon S3 bucket is missing Public Access Block configuration. To ensure that public access to all your S3 buckets and objects is blocked, turn on Public Access Block. More info
S3 Medium us-east-1 test-resources Amazon S3 bucket uses server-side encryption with Amazon S3-managed encryption keys (SSE-S3). For more control over the data-at-rest encryption, use server-side encryption with customer-provided encryption keys (SSE-C). More info
S3 Medium CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption) us-east-1 test-resources Amazon S3 bucket policy was not found. Add S3 bucket policy to require encryption during data transit. To be compliant, the policy should explicitly deny access to HTTP requests. More info
S3 Medium us-east-1 test-scanner Amazon S3 bucket uses server-side encryption with Amazon S3-managed encryption keys (SSE-S3). For more control over the data-at-rest encryption, use server-side encryption with customer-provided encryption keys (SSE-C). More info
S3 Medium CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption) us-east-1 test-scanner Amazon S3 bucket policy was not found. Add S3 bucket policy to require encryption during data transit. To be compliant, the policy should explicitly deny access to HTTP requests. More info
S3 Medium us-east-1 test-update Amazon S3 bucket uses server-side encryption with Amazon S3-managed encryption keys (SSE-S3). For more control over the data-at-rest encryption, use server-side encryption with customer-provided encryption keys (SSE-C). More info
S3 Medium CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption) us-east-1 test-update Amazon S3 bucket policy was not found. Add S3 bucket policy to require encryption during data transit. To be compliant, the policy should explicitly deny access to HTTP requests. More info
IAM Medium CIS 1.5 PCI DSS 8.4 us-east-1 IAM The root user does not use any Multi-factor authentication (MFA) device. Enable an MFA device for AWS account root user. More info
IAM Medium us-east-1 IAM Account password policy for IAM users does not require the use of symbols, as per CIS controls 1.7. Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. More info
IAM Medium us-east-1 IAM Account password policy for IAM users does not require the use of uppercase letters, as per CIS controls 1.5. Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. More info
IAM Medium us-east-1 IAM Account password policy for IAM users does not require the use of lowercase letters, as per CIS controls 1.6. Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. More info
IAM Medium us-east-1 IAM Account password policy for IAM users for password expiration is not set, not meeting the PCI DSS Requirement 8.2.4. Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. More info
IAM Medium PCI DSS 8.4 us-east-1 root The root user does not have Multi-factor authentication (MFA) enabled. PCI DSS Requirement 8.3: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. More info
IAM Medium CIS 1.10 PCI DSS 8.4 us-east-1 Rony IAM user "Rony" does not have Multi-factor authentication (MFA) enabled. PCI DSS Requirement 8.3: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. More info
IAM Medium CIS 1.10 PCI DSS 8.4 us-east-1 Sergei IAM user "Sergei" does not have Multi-factor authentication (MFA) enabled. PCI DSS Requirement 8.3: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. More info
Lambda Medium us-east-1 test-collector Lambda function encrypts the environment variables at rest with an encryption key "aws/lambda", which is not a recommended KMS customer-managed key, but an AWS default key. Make sure the environment variables are protected with a KMS customer-managed key. If you store sensitive data in the environment variables, use AWS Secrets Manager instead. More info
Lambda Medium us-east-1 test-collector Lambda function has no access to VPC-only resources. Configure your Lambda function to access resources in a VPC. More info
Lambda Medium us-east-1 test-scanner Lambda function encrypts the environment variables at rest with an encryption key "aws/lambda", which is not a recommended KMS customer-managed key, but an AWS default key. Make sure the environment variables are protected with a KMS customer-managed key. If you store sensitive data in the environment variables, use AWS Secrets Manager instead. More info
Lambda Medium us-east-1 test-db-responder Lambda function encrypts the environment variables at rest with an encryption key "aws/lambda", which is not a recommended KMS customer-managed key, but an AWS default key. Make sure the environment variables are protected with a KMS customer-managed key. If you store sensitive data in the environment variables, use AWS Secrets Manager instead. More info
Lambda Medium us-east-1 test-db-responder Lambda function has no access to VPC-only resources. Configure your Lambda function to access resources in a VPC. More info
Lambda Medium us-east-1 test-scheduler Lambda function encrypts the environment variables at rest with an encryption key "aws/lambda", which is not a recommended KMS customer-managed key, but an AWS default key. Make sure the environment variables are protected with a KMS customer-managed key. If you store sensitive data in the environment variables, use AWS Secrets Manager instead. More info
Lambda Medium us-east-1 test-scheduler Lambda function has no access to VPC-only resources. Configure your Lambda function to access resources in a VPC. More info
Lambda Medium us-west-2 my-function Lambda function encrypts the environment variables at rest with an encryption key "aws/lambda", which is not a recommended KMS customer-managed key, but an AWS default key. Make sure the environment variables are protected with a KMS customer-managed key. If you store sensitive data in the environment variables, use AWS Secrets Manager instead. More info
Lambda Medium us-west-2 my-function Lambda function has no access to VPC-only resources. Configure your Lambda function to access resources in a VPC. More info
RDS Medium us-east-1 test-encrypted RDS snapshot uses an encryption key "0e84f319-3c54-4544-aa77-0b06e916cfd7", which is not a recommended KMS customer-managed key, but an AWS default key "aws/rds". When a new RDS snapshot is created, make sure it uses KMS customer-managed keys. More info
Simple Email Service Medium PCI DSS 3.5 HIPAA (Encryption) us-east-1 inbox-rule SES ruleset does not encrypt your emails before saving them to the Amazon S3 bucket. Edit the rule and enable email encryption for the S3 action. More info
GuardDuty Medium us-east-1 68bbeba9ba01465b3ac3dc58324666a9 GuardDuty detector has no administrator account associated with the current GuardDuty member account. Designate an account within the AWS Organizations organization to be the GuardDuty delegated administrator. More info
GuardDuty Medium us-east-2 2cbbec46d6a31c5d6eb86a9e73f9f0a3 GuardDuty detector has no administrator account associated with the current GuardDuty member account. Designate an account within the AWS Organizations organization to be the GuardDuty delegated administrator. More info
CloudTrail Medium CIS 3.1 us-east-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium us-east-1 CloudTrail You have 32 CloudTrail trails with multi-region logging configuration that record global service events. To avoid duplication, ensure you have only one trail to log global service events. More info
CloudTrail Medium CIS 3.1 us-east-2 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 us-west-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 ap-east-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 ap-south-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 ap-northeast-2 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 ap-southeast-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 ap-southeast-2 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 ap-northeast-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 ca-central-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 eu-central-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 eu-west-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 eu-west-2 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 eu-west-3 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 eu-north-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 me-south-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudTrail Medium CIS 3.1 sa-east-1 CloudTrail No CloudTrail trails found for this region. Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-east-1 /aws/lambda/test-collector:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-east-1 /aws/lambda/test-responder:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-east-1 /aws/lambda/test-scanner:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-east-1 /aws/lambda/test-scheduler:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-east-2 /aws/codebuild/InlineSecureScanning:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-east-2 /aws/eks/beautiful-outfit-1611727262/cluster:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-east-2 /aws/lambda/HelloWorldFunction:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-east-2 /aws/lambda/Sophos-Optix-flowlogs-fn:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-east-2 /aws/transfer/s-4ab6146e87334a43a:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-east-2 /ecs/console-sample-app-static:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-east-2 /ecs/first-run-task-definition:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-west-1 /aws/lambda/Sophos-Optix-flowlogs-fn:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-west-1 /aws/lambda/test:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-west-2 /aws/lambda/Sophos-Optix-cloudtrail-fn:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-west-2 /aws/lambda/Sophos-Optix-flowlogs-fn:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-west-2 /aws/lambda/SophosOptixRegionalResourcesLambda:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-west-2 /aws/lambda/my-function:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-west-2 /aws/transfer/s-3d3e19784f014b1a9:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-west-2 aws-cloudtrail-logs-531239714189-58a7e086:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-west-2 aws-cloudtrail-logs-531239714189-f6d6a35f:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudWatch Medium PCI DSS 3.5 HIPAA (Encryption) us-west-2 my-trail:* Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key. For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS. More info
CloudFront Medium us-east-1 EABCW25ZCESFI CloudFront distribution does not have a web application firewall (WAF) enabled. To allow or block requests based on criteria that you specify, choose the web ACL to associate with your distribution. More info
CloudFront Medium PCI DSS 10.2 HIPAA (Audit) us-east-1 EABCW25ZCESFI CloudFront distribution uses an S3 bucket as origin without an origin access identity, allowing direct access to your objects through Amazon S3 URLs. Restrict bucket access in the origin settings so that users can access your S3 content only through CloudFront URLs, not Amazon S3 URLs. This is required to comply with the HIPAA privacy rule, enabling audit of all access to PHI. More info
EMR Medium PCI DSS 10.2 HIPAA (Audit) us-east-1 j-2XLTZN5X5X0UT EMR cluster has no logging enabled to the Amazon S3 location. Configure the cluster to periodically archive the log files stored on the master node to Amazon S3. If the cluster terminates, the logs will reveal if this is through normal shut down or due to an error. More info
Kinesis Medium us-east-1 my-delivery-stream Server-side encryption (SSE) for source records uses default AWS-owned CMK, not a recommended KMS customer-managed key. When a new Firehose delivery stream is created, make sure the server-side encryption is enabled with a KMS customer-managed key. More info
Kinesis Medium us-east-1 test-stream2 Server-side encryption (SSE) for source records uses default AWS-owned CMK, not a recommended KMS customer-managed key. When a new Firehose delivery stream is created, make sure the server-side encryption is enabled with a KMS customer-managed key. More info
Kinesis Medium us-east-1 test-stream2 S3 server-side encryption for the Firehose delivery stream uses an encryption key "6f8e9a68-8d11-4e6e-89fa-db920b230a5f", which is not a recommended KMS customer-managed key, but an AWS default key "aws/s3". When a new Firehose delivery stream is created, make sure S3 encryption is enabled with a KMS customer-managed key. More info
X-Ray Medium us-west-1 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium us-west-2 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium ap-south-1 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium ap-northeast-2 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium ap-southeast-1 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium ap-southeast-2 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium ap-northeast-1 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium ca-central-1 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium eu-central-1 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium eu-west-1 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium eu-west-2 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium eu-west-3 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium eu-north-1 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
X-Ray Medium sa-east-1 X-Ray X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK. For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK. More info
SQS Medium us-east-1 my-queue SQS queue uses an AWS managed-key encryption key "alias/aws/sqs". For more control over the data-at-rest encryption, make sure the SQS queue uses KMS customer-managed keys instead of AWS managed-keys. More info
Systems Manager Medium us-east-1 Systems Manager Systems Manager Agent is not installed on 2 EC2 instances: "i-00dac9a2d32a3cd01", "i-0ece894d6d29136f5". To view and control your infrastructure on AWS, make sure the Systems Manager Agent (SSM Agent) is installed on all EC2 instances. More info
Systems Manager Medium us-west-2 Systems Manager Systems Manager Agent is not installed on 5 EC2 instances, such as "i-0548a56d248a067d8", "i-0362782bc36ed6a41", ... To view and control your infrastructure on AWS, make sure the Systems Manager Agent (SSM Agent) is installed on all EC2 instances. More info
Certificate Manager Medium us-east-1 e06529ef-2812-446e-b5cf-9238ab9e0cfd ACM certificate is not eligible for automatic renewal. Make sure AWS is able to renew the certificate either via DNS or email validation. More info
Certificate Manager Medium us-east-1 24cd6d04-41be-43f4-97a5-dbbe07084195 ACM certificate is not eligible for automatic renewal. Make sure AWS is able to renew the certificate either via DNS or email validation. More info
Medium severity private container images (0)
Repository Image tag Region Image size Pushed at Latest Vulnerabilities Alerts Action
Medium severity public container images (0)
Repository Image tag Region Image size Pushed at Latest Vulnerabilities Alerts Action