EC2
Medium
—
us-east-1
i-00dac9a2d32a3cd01
EC2 Instance uses public IP address.
If you do not need your EC2 instance to be reachable from the Internet, remove the public IP address from it.
More info
EC2
Medium
—
us-east-1
i-0ece894d6d29136f5
EC2 Instance uses public IP address.
If you do not need your EC2 instance to be reachable from the Internet, remove the public IP address from it.
More info
EC2
Medium
—
us-east-1
vol-004919a0d32e05d34
No Lifecycle Policy configured.
Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies.
More info
EC2
Medium
CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption)
us-east-1
vol-004919a0d32e05d34
No EBS encryption found.
Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt.
More info
EC2
Medium
—
us-east-1
vol-074257a397fadc9ec
No Lifecycle Policy configured.
Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies.
More info
EC2
Medium
CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption)
us-east-1
vol-074257a397fadc9ec
No EBS encryption found.
Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt.
More info
EC2
Medium
—
us-east-2
eipalloc-0cc2fb68d9464496b
Elastic IP not associated with any resource.
Delete the unused Elastic IP address to avoid the hourly charge for an address that is not associated with any running instance.
More info
EC2
Medium
—
us-east-2
eipalloc-0c40ecff557dc093e
Elastic IP not associated with any resource.
Delete the unused Elastic IP address to avoid the hourly charge for an address that is not associated with any running instance.
More info
EC2
Medium
—
us-east-2
eipalloc-0af2a290d5e8fcc87
Elastic IP not associated with any resource.
Delete the unused Elastic IP address to avoid the hourly charge for an address that is not associated with any running instance.
More info
EC2
Medium
—
us-east-2
eipalloc-01ab2c85c31e3bb51
Elastic IP not associated with any resource.
Delete the unused Elastic IP address to avoid the hourly charge for an address that is not associated with any running instance.
More info
EC2
Medium
—
us-west-2
EC2ContainerService-Rony-EFC-ECS-Test-EcsInstanceAsg-1BNE3TD6NPE91
Auto Scaling group does not have activity notification configured.
Create activity notification for your Auto Scaling group.
More info
EC2
Medium
—
us-west-2
i-0362782bc36ed6a41
EC2 Instance uses public IP address.
If you do not need your EC2 instance to be reachable from the Internet, remove the public IP address from it.
More info
EC2
Medium
—
us-west-2
i-0f55b11c76adbbe3d
EC2 Instance uses public IP address.
If you do not need your EC2 instance to be reachable from the Internet, remove the public IP address from it.
More info
EC2
Medium
—
us-west-2
i-0c1b1df0b7efb0b57
EC2 Instance uses public IP address.
If you do not need your EC2 instance to be reachable from the Internet, remove the public IP address from it.
More info
EC2
Medium
—
us-west-2
i-0c1b1df0b7efb0b57
Found 1 overlap in the security group rules: "tcp:80 [0.0.0.0/0]" in "eks-cluster-sg-test-fargate-west2-1589044931", "EFS-access-4-Cluster-Rony-EFC-ECS-Test".
To reduce the risk of unintended access to the instance, analyse your security groups and remove any overlaps among the rules.
More info
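The overlap finding above is produced by comparing the ingress rules of every security group attached to the same instance. The following is an added example of that comparison, not scanner code: the two group names are taken from the finding, but the rule sets are constructed for illustration and are not the account's real rules.

```python
"""Detect security-group rules that overlap across the groups attached to one EC2 instance.
Added example, not part of the scanner output: the group names below are taken from the
finding, but the rule sets are constructed for illustration."""
import ipaddress
from itertools import combinations

SECURITY_GROUPS = {  # name -> ingress rules (simplified shape of describe_security_groups IpPermissions)
    "eks-cluster-sg-test-fargate-west2-1589044931": [
        {"proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from": 443, "to": 443, "cidr": "10.0.0.0/8"},
    ],
    "EFS-access-4-Cluster-Rony-EFC-ECS-Test": [
        {"proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from": 2049, "to": 2049, "cidr": "10.0.0.0/16"},
    ],
}


def _port_range(rule):
    """AWS encodes 'all ports' as protocol -1 (or from/to -1); normalise to 0-65535."""
    if rule["proto"] == "-1" or rule["from"] == -1:
        return 0, 65535
    return rule["from"], rule["to"]


def _overlap(r1, r2):
    """Return the overlapping (proto, lo, hi, cidr) of two rules, or None if they do not intersect."""
    if r1["proto"] != r2["proto"] and "-1" not in (r1["proto"], r2["proto"]):
        return None
    lo = max(_port_range(r1)[0], _port_range(r2)[0])
    hi = min(_port_range(r1)[1], _port_range(r2)[1])
    if lo > hi:
        return None
    n1 = ipaddress.ip_network(r1["cidr"], strict=False)
    n2 = ipaddress.ip_network(r2["cidr"], strict=False)
    if n1.version != n2.version or not n1.overlaps(n2):
        return None
    # CIDR blocks are either nested or disjoint, so the overlap is the more specific block.
    proto = r1["proto"] if r1["proto"] != "-1" else r2["proto"]
    return proto, lo, hi, str(max(n1, n2, key=lambda n: n.prefixlen))


def _label(proto, lo, hi, cidr):
    ports = f"{lo}" if lo == hi else f"{lo}-{hi}"
    return f"{proto}:{ports} [{cidr}]"


def find_overlaps(groups):
    """Return [{"rule": "tcp:80 [0.0.0.0/0]", "groups": [g1, g2]}, ...] for every pair of rules
    in different groups whose protocol, port range and source CIDR intersect."""
    findings = []
    for (g1, rules1), (g2, rules2) in combinations(groups.items(), 2):
        for r1 in rules1:
            for r2 in rules2:
                hit = _overlap(r1, r2)
                if hit:
                    findings.append({"rule": _label(*hit), "groups": [g1, g2]})
    return findings


if __name__ == "__main__":
    for f in find_overlaps(SECURITY_GROUPS):
        print(f'Found overlap: "{f["rule"]}" in {", ".join(f["groups"])}')
```

An overlap is not itself a hole: the instance's effective exposure is the union of all attached groups, so the point of the check is that whoever removes the rule from one group must know the other group still opens the same port, here tcp/80 to the whole Internet.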
EC2
Medium
—
us-west-2
vol-05830c14eadc21ea2
No Lifecycle Policy configured.
Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies.
More info
EC2
Medium
CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption)
us-west-2
vol-05830c14eadc21ea2
No EBS encryption found.
Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt.
More info
EC2
Medium
—
us-west-2
vol-06d98619c32de5968
No Lifecycle Policy configured.
Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies.
More info
EC2
Medium
CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption)
us-west-2
vol-06d98619c32de5968
No EBS encryption found.
Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt.
More info
EC2
Medium
—
us-west-2
vol-0ee3ff4a2100dc2f3
No Lifecycle Policy configured.
Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies.
More info
EC2
Medium
CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption)
us-west-2
vol-0ee3ff4a2100dc2f3
No EBS encryption found.
Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt.
More info
EC2
Medium
—
us-west-2
vol-0dbacadab7b315e80
No Lifecycle Policy configured.
Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies.
More info
EC2
Medium
CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption)
us-west-2
vol-0dbacadab7b315e80
No EBS encryption found.
Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt.
More info
EC2
Medium
—
us-west-2
vol-0987ccd97176d01ee
No Lifecycle Policy configured.
Configure Amazon Data Lifecycle Manager to protect data by enforcing regular backups, to retain them as required by auditors or internal compliance, and to create disaster recovery backup policies.
More info
EC2
Medium
CIS 2.2.1 PCI DSS 3.5 HIPAA (Encryption)
us-west-2
vol-0987ccd97176d01ee
No EBS encryption found.
Enable EBS encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt.
More info
VPC
Medium
CIS 3.9 PCI DSS 10.2 HIPAA (Audit)
us-east-1
vpc-07f3b77c454b3c310
VPC Flow Logs are disabled.
Ensure VPC flow logging is enabled in all VPCs.
More info
VPC
Medium
CIS 3.9 PCI DSS 10.2 HIPAA (Audit)
us-east-1
vpc-071a12f8ec7613303
VPC Flow Logs are disabled.
Ensure VPC flow logging is enabled in all VPCs.
More info
VPC
Medium
CIS 3.9 PCI DSS 10.2 HIPAA (Audit)
us-east-1
vpc-073764f023b9a5efc
VPC Flow Logs are disabled.
Ensure VPC flow logging is enabled in all VPCs.
More info
VPC
Medium
—
us-east-1
vgw-0ffb876255b0b6b8e
Virtual Private Gateway not in use.
Consider deleting any unused Virtual Private Gateways.
More info
VPC
Medium
CIS 3.9 PCI DSS 10.2 HIPAA (Audit)
us-east-2
vpc-02585025ab31219f8
VPC Flow Logs are disabled.
Ensure VPC flow logging is enabled in all VPCs.
More info
VPC
Medium
CIS 3.9 PCI DSS 10.2 HIPAA (Audit)
us-east-2
vpc-0d6a54312c6027726
VPC Flow Logs are disabled.
Ensure VPC flow logging is enabled in all VPCs.
More info
VPC
Medium
CIS 3.9 PCI DSS 10.2 HIPAA (Audit)
us-east-2
vpc-0c15019aee6c8423e
VPC Flow Logs are disabled.
Ensure VPC flow logging is enabled in all VPCs.
More info
VPC
Medium
CIS 3.9 PCI DSS 10.2 HIPAA (Audit)
us-west-1
vpc-72ea2314
VPC Flow Logs are disabled.
Ensure VPC flow logging is enabled in all VPCs.
More info
VPC
Medium
CIS 3.9 PCI DSS 10.2 HIPAA (Audit)
us-west-2
vpc-033848556cef01aca
VPC Flow Logs are disabled.
Ensure VPC flow logging is enabled in all VPCs.
More info
VPC
Medium
CIS 3.9 PCI DSS 10.2 HIPAA (Audit)
us-west-2
vpc-0ed42ee2ea7505377
VPC Flow Logs are disabled.
Ensure VPC flow logging is enabled in all VPCs.
More info
VPC
Medium
CIS 3.9 PCI DSS 10.2 HIPAA (Audit)
us-west-2
vpc-05461e6842795a02d
VPC Flow Logs are disabled.
Ensure VPC flow logging is enabled in all VPCs.
More info
S3
Medium
—
us-east-1
cf-templates-lqa4fy3xqyy2-us-west-2
Amazon S3 bucket is missing Public Access Block configuration.
To ensure that public access to all your S3 buckets and objects is blocked, turn on Public Access Block.
More info
S3
Medium
—
us-east-1
cf-templates-lqa4fy3xqyy2-us-west-2
Amazon S3 bucket uses server-side encryption with Amazon S3-managed encryption keys (SSE-S3).
For more control over data-at-rest encryption (your own key policy, rotation and CloudTrail audit of key use), use server-side encryption with an AWS KMS customer-managed key (SSE-KMS); customer-provided keys (SSE-C), which the client must send with every request, suit only workloads that have to hold their own keys.
More info
S3
Medium
CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption)
us-east-1
cf-templates-lqa4fy3xqyy2-us-west-2
Amazon S3 bucket policy was not found.
Add an S3 bucket policy that requires encryption in transit. To be compliant, the policy must explicitly deny requests made over plain HTTP (aws:SecureTransport equal to false).
More info
S3
Medium
—
us-east-1
elasticbeanstalk-us-east-1-531239714189
Amazon S3 bucket is missing Public Access Block configuration.
To ensure that public access to all your S3 buckets and objects is blocked, turn on Public Access Block.
More info
S3
Medium
CIS 2.1.1 PCI DSS 3.5 HIPAA (Encryption)
us-east-1
elasticbeanstalk-us-east-1-531239714189
Amazon S3 bucket server-side encryption is disabled.
Enable server-side encryption for S3 buckets to protect your data.
More info
S3
Medium
CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption)
us-east-1
elasticbeanstalk-us-east-1-531239714189
Amazon S3 bucket policy was not found.
Add an S3 bucket policy that requires encryption in transit. To be compliant, the policy must explicitly deny requests made over plain HTTP (aws:SecureTransport equal to false).
More info
S3
Medium
—
us-east-1
test-collector
Amazon S3 bucket uses server-side encryption with Amazon S3-managed encryption keys (SSE-S3).
For more control over data-at-rest encryption (your own key policy, rotation and CloudTrail audit of key use), use server-side encryption with an AWS KMS customer-managed key (SSE-KMS); customer-provided keys (SSE-C), which the client must send with every request, suit only workloads that have to hold their own keys.
More info
S3
Medium
CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption)
us-east-1
test-collector
Amazon S3 bucket policy was not found.
Add an S3 bucket policy that requires encryption in transit. To be compliant, the policy must explicitly deny requests made over plain HTTP (aws:SecureTransport equal to false).
More info
S3
Medium
—
us-east-1
test-resources
Amazon S3 bucket is missing Public Access Block configuration.
To ensure that public access to all your S3 buckets and objects is blocked, turn on Public Access Block.
More info
S3
Medium
—
us-east-1
test-resources
Amazon S3 bucket uses server-side encryption with Amazon S3-managed encryption keys (SSE-S3).
For more control over data-at-rest encryption (your own key policy, rotation and CloudTrail audit of key use), use server-side encryption with an AWS KMS customer-managed key (SSE-KMS); customer-provided keys (SSE-C), which the client must send with every request, suit only workloads that have to hold their own keys.
More info
S3
Medium
CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption)
us-east-1
test-resources
Amazon S3 bucket policy was not found.
Add an S3 bucket policy that requires encryption in transit. To be compliant, the policy must explicitly deny requests made over plain HTTP (aws:SecureTransport equal to false).
More info
S3
Medium
—
us-east-1
test-scanner
Amazon S3 bucket uses server-side encryption with Amazon S3-managed encryption keys (SSE-S3).
For more control over data-at-rest encryption (your own key policy, rotation and CloudTrail audit of key use), use server-side encryption with an AWS KMS customer-managed key (SSE-KMS); customer-provided keys (SSE-C), which the client must send with every request, suit only workloads that have to hold their own keys.
More info
S3
Medium
CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption)
us-east-1
test-scanner
Amazon S3 bucket policy was not found.
Add an S3 bucket policy that requires encryption in transit. To be compliant, the policy must explicitly deny requests made over plain HTTP (aws:SecureTransport equal to false).
More info
S3
Medium
—
us-east-1
test-update
Amazon S3 bucket uses server-side encryption with Amazon S3-managed encryption keys (SSE-S3).
For more control over data-at-rest encryption (your own key policy, rotation and CloudTrail audit of key use), use server-side encryption with an AWS KMS customer-managed key (SSE-KMS); customer-provided keys (SSE-C), which the client must send with every request, suit only workloads that have to hold their own keys.
More info
S3
Medium
CIS 2.1.2 PCI DSS 4.2 HIPAA (Encryption)
us-east-1
test-update
Amazon S3 bucket policy was not found.
Add an S3 bucket policy that requires encryption in transit. To be compliant, the policy must explicitly deny requests made over plain HTTP (aws:SecureTransport equal to false).
More info
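Two of the S3 findings above recur for every bucket: no Public Access Block and no bucket policy denying plain-HTTP requests. The following is an added example, not scanner or account code, of what a compliant policy looks like and of the check an auditor would run over an existing policy (the shape get_bucket_policy returns). The bucket name is taken from the findings; the policy text is constructed here.

```python
"""S3 controls for the findings above: a bucket policy that denies non-TLS requests (CIS 2.1.2)
and a full Public Access Block. Added example; the bucket name is the one in the findings,
the policy text is ours, not the account's."""
import json

PUBLIC_ACCESS_BLOCK = {  # PublicAccessBlockConfiguration for put_public_access_block; all four must be True
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def deny_insecure_transport_policy(bucket):
    """Bucket policy with one Deny statement: any principal, any S3 action, on the bucket and
    every object in it, whenever the request did not arrive over TLS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_denies_http(policy, bucket):
    """True if the policy (dict or JSON text, as get_bucket_policy returns it) contains a Deny that
    covers every principal, all S3 actions, both the bucket and its objects, and is conditioned on
    aws:SecureTransport being false. Anything narrower (one action, objects only) does not satisfy
    the check, because an HTTP request outside that scope would still be allowed."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    required = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"*", "s3:*"}:
            continue
        if not required <= set(_as_list(stmt.get("Resource", []))):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def public_access_fully_blocked(config):
    """True only when all four Public Access Block settings are on."""
    return all(config.get(key) is True for key in PUBLIC_ACCESS_BLOCK)


# What a compliant policy looks like on the wire (constructed for the bucket named in the findings).
SAMPLE_POLICY_JSON = json.dumps(deny_insecure_transport_policy("test-resources"), indent=2)
```

The check deliberately rejects a Deny that covers only the objects or only one action: a Deny on s3:GetObject alone still leaves an unencrypted PutObject or ListBucket allowed, and that is the gap the control is meant to close.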
IAM
Medium
CIS 1.5 PCI DSS 8.4
us-east-1
IAM
The root user does not use any Multi-factor authentication (MFA) device.
Enable an MFA device for AWS account root user.
More info
IAM
Medium
—
us-east-1
IAM
Account password policy for IAM users does not require the use of symbols, as per CIS controls 1.7.
Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords.
More info
IAM
Medium
—
us-east-1
IAM
Account password policy for IAM users does not require the use of uppercase letters, as per CIS controls 1.5.
Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords.
More info
IAM
Medium
—
us-east-1
IAM
Account password policy for IAM users does not require the use of lowercase letters, as per CIS controls 1.6.
Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords.
More info
IAM
Medium
—
us-east-1
IAM
The account password policy for IAM users does not set a password expiration period, so it does not meet PCI DSS Requirement 8.2.4.
Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords.
More info
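The four password-policy findings above all come from comparing the account's policy, as get_account_password_policy returns it, against the CIS and PCI DSS controls. The following is an added example of that comparison and of the corrective update-account-password-policy call, not scanner output; both policy dicts are constructed and are not the account's real settings.

```python
"""Evaluate an IAM account password policy against the controls cited in the findings above,
and emit the matching update-account-password-policy arguments. Added example; the policies
are constructed, not the account's real settings."""

WEAK_POLICY = {  # shape of get_account_password_policy()["PasswordPolicy"]; MaxPasswordAge is absent when expiry is off
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "HardExpiry": False,
}

HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

# Control ids use the CIS AWS Foundations v1.2 numbering that the finding text cites
# (v1.3 renumbered and dropped several of these); the expiry check is also PCI DSS 8.2.4.
CHECKS = [
    ("CIS 1.5", "require uppercase letters", lambda p: p.get("RequireUppercaseCharacters") is True),
    ("CIS 1.6", "require lowercase letters", lambda p: p.get("RequireLowercaseCharacters") is True),
    ("CIS 1.7", "require symbols", lambda p: p.get("RequireSymbols") is True),
    ("CIS 1.8", "require numbers", lambda p: p.get("RequireNumbers") is True),
    ("CIS 1.9", "minimum length 14 or more", lambda p: p.get("MinimumPasswordLength", 0) >= 14),
    ("CIS 1.10", "prevent reuse of the last 24 passwords", lambda p: p.get("PasswordReusePrevention", 0) >= 24),
    ("CIS 1.11 / PCI DSS 8.2.4", "expire passwords within 90 days", lambda p: 0 < p.get("MaxPasswordAge", 0) <= 90),
]


def failing_controls(policy):
    """Return [(control id, what is missing), ...] for every check the policy does not meet."""
    return [(cid, what) for cid, what, ok in CHECKS if not ok(policy)]


def _flag(key):
    # RequireSymbols -> require-symbols, MinimumPasswordLength -> minimum-password-length
    return "".join("-" + c.lower() if c.isupper() else c for c in key).lstrip("-")


def to_cli_args(policy):
    """Translate a policy dict into `aws iam update-account-password-policy` arguments.
    Booleans become --flag / --no-flag, integers become --flag value. ExpirePasswords is
    read-only in the API and is therefore skipped (expiry is set via --max-password-age)."""
    args = ["aws", "iam", "update-account-password-policy"]
    for key, value in policy.items():
        if key == "ExpirePasswords":
            continue
        flag = _flag(key)
        if isinstance(value, bool):
            args.append(f"--{flag}" if value else f"--no-{flag}")
        else:
            args += [f"--{flag}", str(value)]
    return args


if __name__ == "__main__":
    for cid, what in failing_controls(WEAK_POLICY):
        print(f"{cid}: {what}")
    print(" ".join(to_cli_args(HARDENED_POLICY)))
```

Note that a missing MaxPasswordAge (expiry off) and a missing PasswordReusePrevention both read as 0 here, so an absent setting fails the check rather than silently passing.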
IAM
Medium
PCI DSS 8.4
us-east-1
root
The root user does not have Multi-factor authentication (MFA) enabled.
PCI DSS Requirement 8.3: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
More info
IAM
Medium
CIS 1.10 PCI DSS 8.4
us-east-1
Rony
IAM user "Rony" does not have Multi-factor authentication (MFA) enabled.
PCI DSS Requirement 8.3: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
More info
IAM
Medium
CIS 1.10 PCI DSS 8.4
us-east-1
Sergei
IAM user "Sergei" does not have Multi-factor authentication (MFA) enabled.
PCI DSS Requirement 8.3: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
More info
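The three MFA findings above (root plus the users "Rony" and "Sergei") are the kind of result an IAM credential report yields: one row per principal with a password_enabled and an mfa_active column. The following is an added example of that check, not scanner code; the report is a constructed excerpt with the AWS documentation placeholder account id 123456789012, not this account's report.

```python
"""List principals that can sign in to the console without MFA, from an IAM credential report
(the source CIS 1.5/1.10 auditors use). Added example; the report below is a constructed
excerpt with a placeholder account id, not this account's report."""
import csv
import io

# get_credential_report() returns this CSV base64-encoded; only the leading columns are shown here,
# the real report continues with access-key and signing-certificate columns.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2021-02-01T10:00:00+00:00,not_supported,not_supported,false
Rony,arn:aws:iam::123456789012:user/Rony,2020-03-01T00:00:00+00:00,true,2021-02-02T09:00:00+00:00,2020-03-01T00:00:00+00:00,N/A,false
Sergei,arn:aws:iam::123456789012:user/Sergei,2020-03-01T00:00:00+00:00,true,no_information,2020-03-01T00:00:00+00:00,N/A,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2020-05-01T00:00:00+00:00,false,N/A,N/A,N/A,false
alice,arn:aws:iam::123456789012:user/alice,2020-06-01T00:00:00+00:00,true,2021-02-03T08:00:00+00:00,2020-12-01T00:00:00+00:00,N/A,true
"""


def console_principals_without_mfa(report_csv):
    """Return the names of principals that have a console password but no MFA device.
    The root row reports password_enabled as 'not_supported' although root always has a
    password, so it is treated as console-capable. API-only users (password_enabled false)
    are skipped: MFA on them is enforced through IAM policy conditions, not a device."""
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console = is_root or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged


if __name__ == "__main__":
    for name in console_principals_without_mfa(CREDENTIAL_REPORT):
        print(f"{name}: no MFA device")
```

The special-casing of the root row is the part worth remembering: a naive filter on password_enabled == "true" silently drops root, which is exactly the principal the CIS 1.5 finding is about.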
Lambda
Medium
—
us-east-1
test-collector
Lambda function encrypts the environment variables at rest with an encryption key "aws/lambda", which is not a recommended KMS customer-managed key, but an AWS default key.
Make sure the environment variables are protected with a KMS customer-managed key. If you store sensitive data in the environment variables, use AWS Secrets Manager instead.
More info
Lambda
Medium
—
us-east-1
test-collector
Lambda function has no access to VPC-only resources.
If the function needs VPC-only resources, configure it to run inside the VPC (attach subnets and a security group); a function that needs nothing inside the VPC does not need this.
More info
Lambda
Medium
—
us-east-1
test-scanner
Lambda function encrypts the environment variables at rest with an encryption key "aws/lambda", which is not a recommended KMS customer-managed key, but an AWS default key.
Make sure the environment variables are protected with a KMS customer-managed key. If you store sensitive data in the environment variables, use AWS Secrets Manager instead.
More info
Lambda
Medium
—
us-east-1
test-db-responder
Lambda function encrypts the environment variables at rest with an encryption key "aws/lambda", which is not a recommended KMS customer-managed key, but an AWS default key.
Make sure the environment variables are protected with a KMS customer-managed key. If you store sensitive data in the environment variables, use AWS Secrets Manager instead.
More info
Lambda
Medium
—
us-east-1
test-db-responder
Lambda function has no access to VPC-only resources.
If the function needs VPC-only resources, configure it to run inside the VPC (attach subnets and a security group); a function that needs nothing inside the VPC does not need this.
More info
Lambda
Medium
—
us-east-1
test-scheduler
Lambda function encrypts the environment variables at rest with an encryption key "aws/lambda", which is not a recommended KMS customer-managed key, but an AWS default key.
Make sure the environment variables are protected with a KMS customer-managed key. If you store sensitive data in the environment variables, use AWS Secrets Manager instead.
More info
Lambda
Medium
—
us-east-1
test-scheduler
Lambda function has no access to VPC-only resources.
If the function needs VPC-only resources, configure it to run inside the VPC (attach subnets and a security group); a function that needs nothing inside the VPC does not need this.
More info
Lambda
Medium
—
us-west-2
my-function
Lambda function encrypts the environment variables at rest with an encryption key "aws/lambda", which is not a recommended KMS customer-managed key, but an AWS default key.
Make sure the environment variables are protected with a KMS customer-managed key. If you store sensitive data in the environment variables, use AWS Secrets Manager instead.
More info
Lambda
Medium
—
us-west-2
my-function
Lambda function has no access to VPC-only resources.
If the function needs VPC-only resources, configure it to run inside the VPC (attach subnets and a security group); a function that needs nothing inside the VPC does not need this.
More info
RDS
Medium
—
us-east-1
test-encrypted
RDS snapshot uses an encryption key "0e84f319-3c54-4544-aa77-0b06e916cfd7", which is not a recommended KMS customer-managed key, but an AWS default key "aws/rds".
When a new RDS snapshot is created, make sure it uses KMS customer-managed keys.
More info
Simple Email Service
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-1
inbox-rule
SES receipt rule set does not encrypt emails before saving them to the Amazon S3 bucket.
Edit the rule and enable email encryption for the S3 action.
More info
GuardDuty
Medium
—
us-east-1
68bbeba9ba01465b3ac3dc58324666a9
GuardDuty detector has no administrator account associated with the current GuardDuty member account.
Designate an account within your AWS Organizations organization as the GuardDuty delegated administrator.
More info
GuardDuty
Medium
—
us-east-2
2cbbec46d6a31c5d6eb86a9e73f9f0a3
GuardDuty detector has no administrator account associated with the current GuardDuty member account.
Designate an account within your AWS Organizations organization as the GuardDuty delegated administrator.
More info
CloudTrail
Medium
CIS 3.1
us-east-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
—
us-east-1
CloudTrail
You have 32 CloudTrail trails with multi-region logging configuration that record global service events.
To avoid duplication, ensure you have only one trail to log global service events.
More info
CloudTrail
Medium
CIS 3.1
us-east-2
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
us-west-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
ap-east-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
ap-south-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
ap-northeast-2
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
ap-southeast-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
ap-southeast-2
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
ap-northeast-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
ca-central-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
eu-central-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
eu-west-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
eu-west-2
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
eu-west-3
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
eu-north-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
me-south-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
CloudTrail
Medium
CIS 3.1
sa-east-1
CloudTrail
No CloudTrail trails found for this region.
Create a CloudTrail trail to meet your governance, compliance, and auditing needs for your AWS accounts.
More info
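The CloudTrail findings above are two sides of one configuration problem: regions with no trail at all, and several single-region trails each recording global service events, so IAM, STS and CloudFront events are logged more than once. One multi-region trail with global events enabled resolves both. The following is an added example of the assessment over describe_trails output, not scanner code; both trail lists are constructed and are not this account's trails.

```python
"""Assess CloudTrail coverage from describe_trails output: every region needs a trail (CIS 3.1)
and only one trail should record global service events, or IAM/STS/CloudFront events are
logged repeatedly. Added example; the trail lists are constructed, not this account's."""

# Constructed: two single-region trails, both recording global events, matching the two findings above.
TRAILS = [
    {"Name": "my-trail", "HomeRegion": "us-west-2", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": True},
    {"Name": "aws-cloudtrail-logs-legacy", "HomeRegion": "us-west-2", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": True},
]

# Constructed: the configuration the recommendation asks for.
FIXED_TRAILS = [
    {"Name": "org-audit-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": True},
]

REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2", "eu-west-1", "ap-southeast-1"]


def regions_without_trail(trails, regions):
    """Regions with no trail. One multi-region trail covers all of them, including regions
    enabled later; single-region trails cover only their home region."""
    if any(t.get("IsMultiRegionTrail") for t in trails):
        return []
    homes = {t["HomeRegion"] for t in trails}
    return [r for r in regions if r not in homes]


def global_event_trails(trails):
    """Names of trails that record global service events; more than one means duplicates."""
    return [t["Name"] for t in trails if t.get("IncludeGlobalServiceEvents")]


def assess(trails, regions):
    """Human-readable issues in the style of the findings above; empty when the account is clean."""
    issues = []
    missing = regions_without_trail(trails, regions)
    if missing:
        issues.append("No CloudTrail trails found for regions: " + ", ".join(missing))
    global_trails = global_event_trails(trails)
    if not global_trails:
        issues.append("No trail records global service events (IAM, STS, CloudFront).")
    elif len(global_trails) > 1:
        issues.append(f"{len(global_trails)} trails record global service events: " + ", ".join(global_trails))
    return issues


if __name__ == "__main__":
    for issue in assess(TRAILS, REGIONS):
        print(issue)
```

Run describe_trails with shadow trails included when collecting the input, otherwise a multi-region trail homed in another region is invisible and the region is wrongly reported as uncovered.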
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-1
/aws/lambda/test-collector:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-1
/aws/lambda/test-responder:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-1
/aws/lambda/test-scanner:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-1
/aws/lambda/test-scheduler:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-2
/aws/codebuild/InlineSecureScanning:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-2
/aws/eks/beautiful-outfit-1611727262/cluster:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-2
/aws/lambda/HelloWorldFunction:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-2
/aws/lambda/Sophos-Optix-flowlogs-fn:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-2
/aws/transfer/s-4ab6146e87334a43a:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-2
/ecs/console-sample-app-static:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-east-2
/ecs/first-run-task-definition:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-west-1
/aws/lambda/Sophos-Optix-flowlogs-fn:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-west-1
/aws/lambda/test:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-west-2
/aws/lambda/Sophos-Optix-cloudtrail-fn:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-west-2
/aws/lambda/Sophos-Optix-flowlogs-fn:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-west-2
/aws/lambda/SophosOptixRegionalResourcesLambda:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-west-2
/aws/lambda/my-function:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-west-2
/aws/transfer/s-3d3e19784f014b1a9:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-west-2
aws-cloudtrail-logs-531239714189-58a7e086:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-west-2
aws-cloudtrail-logs-531239714189-f6d6a35f:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudWatch
Medium
PCI DSS 3.5 HIPAA (Encryption)
us-west-2
my-trail:*
Log data in the CloudWatch log group is not encrypted with a KMS customer-managed key.
For more control over the data-at-rest encryption, make sure the CloudWatch log group uses encryption with AWS KMS.
More info
CloudFront
Medium
—
us-east-1
EABCW25ZCESFI
CloudFront distribution does not have a web application firewall (WAF) enabled.
To allow or block requests based on criteria that you specify, choose the web ACL to associate with your distribution.
More info
CloudFront
Medium
PCI DSS 10.2 HIPAA (Audit)
us-east-1
EABCW25ZCESFI
CloudFront distribution uses an S3 bucket as origin without an origin access identity, allowing direct access to your objects through Amazon S3 URLs.
Restrict bucket access in the origin settings so that users can reach your S3 content only through CloudFront URLs, not Amazon S3 URLs. This is required to comply with the HIPAA privacy rule, which needs an audit trail for all access to PHI.
More info
EMR
Medium
PCI DSS 10.2 HIPAA (Audit)
us-east-1
j-2XLTZN5X5X0UT
EMR cluster has no logging enabled to the Amazon S3 location.
Configure the cluster to periodically archive the log files stored on the master node to Amazon S3. If the cluster terminates, the logs will reveal if this is through normal shut down or due to an error.
More info
Kinesis
Medium
—
us-east-1
my-delivery-stream
Server-side encryption (SSE) for source records uses default AWS-owned CMK, not a recommended KMS customer-managed key.
When a new Firehose delivery stream is created, make sure the server-side encryption is enabled with a KMS customer-managed key.
More info
Kinesis
Medium
—
us-east-1
test-stream2
Server-side encryption (SSE) for source records uses default AWS-owned CMK, not a recommended KMS customer-managed key.
When a new Firehose delivery stream is created, make sure the server-side encryption is enabled with a KMS customer-managed key.
More info
Kinesis
Medium
—
us-east-1
test-stream2
S3 server-side encryption for the Firehose delivery stream uses an encryption key "6f8e9a68-8d11-4e6e-89fa-db920b230a5f", which is not a recommended KMS customer-managed key, but an AWS default key "aws/s3".
When a new Firehose delivery stream is created, make sure S3 encryption is enabled with a KMS customer-managed key.
More info
X-Ray
Medium
—
us-west-1
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
us-west-2
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
ap-south-1
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
ap-northeast-2
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
ap-southeast-1
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
ap-southeast-2
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
ap-northeast-1
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
ca-central-1
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
eu-central-1
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
eu-west-1
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
eu-west-2
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
eu-west-3
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
eu-north-1
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
X-Ray
Medium
—
sa-east-1
X-Ray
X-Ray encrypts traces and related data at rest by using default encryption without KMS CMK.
For more control over the data-at-rest encryption, make sure X-Ray uses a customer managed CMK.
More info
SQS
Medium
—
us-east-1
my-queue
SQS queue uses the AWS managed key "alias/aws/sqs" for encryption.
For more control over data-at-rest encryption, make sure the SQS queue uses a KMS customer-managed key instead of the AWS managed key.
More info
Systems Manager
Medium
—
us-east-1
Systems Manager
Systems Manager Agent is not installed on 2 EC2 instances: "i-00dac9a2d32a3cd01", "i-0ece894d6d29136f5".
To view and control your infrastructure on AWS, make sure the Systems Manager Agent (SSM Agent) is installed on all EC2 instances.
More info
Systems Manager
Medium
—
us-west-2
Systems Manager
Systems Manager Agent is not installed on 5 EC2 instances, such as "i-0548a56d248a067d8", "i-0362782bc36ed6a41", ...
To view and control your infrastructure on AWS, make sure the Systems Manager Agent (SSM Agent) is installed on all EC2 instances.
More info
Certificate Manager
Medium
—
us-east-1
e06529ef-2812-446e-b5cf-9238ab9e0cfd
ACM certificate is not eligible for automatic renewal.
Make sure AWS is able to renew the certificate either via DNS or email validation.
More info
Certificate Manager
Medium
—
us-east-1
24cd6d04-41be-43f4-97a5-dbbe07084195
ACM certificate is not eligible for automatic renewal.
Make sure AWS is able to renew the certificate either via DNS or email validation.
More info