Interpretation of the Columns in Benchmark Compliance Rules:

- Rule ID: A unique identifier for the specific security rule or check
- Title: A brief description of the security issue or misconfiguration
- Severity (Low to High): The risk level of being exposed to attacks if the finding is left unaddressed
- Service Type: The AWS service affected or evaluated by the rule
- Resource Type: The specific AWS resource being audited
Rule ID | Title | Severity | Service Type | Resource Type |
---|---|---|---|---|
CSPM-AWS-2024-0008 | Trail lacks integration with CloudWatch | Medium | CloudTrail | Trails |
CSPM-AWS-2024-0012 | CloudTrail Log File Validation is Disabled | Medium | CloudTrail | Trails |
CSPM-AWS-2024-0013 | Logging Disabled for Trails | Medium | CloudTrail | Trails |
CSPM-AWS-2024-0016 | CloudWatch Alarm without Action | Low | CloudWatch | Alarm |
CSPM-AWS-2024-0018 | AMIs are Publicly Accessible | High | EC2 | Images |
CSPM-AWS-2024-0021 | Unencrypted EBS Snapshot | High | EC2 | Snapshots |
CSPM-AWS-2024-0022 | Publicly Accessible EBS Snapshot | High | EC2 | Snapshots |
CSPM-AWS-2024-0023 | Unencrypted EBS Volume irrespective of its state | High | EC2 | Volumes |
CSPM-AWS-2024-0027 | EC2 Instance is assigned a Public IP Address | Medium | EC2 | Instances |
CSPM-AWS-2024-0046 | Drop Invalid Header Fields Disabled | Medium | ElasticLoadBalancingv2 | LoadBalancer |
CSPM-AWS-2024-0047 | Elastic Load Balancer (ELBv2) Permits Clear Text (HTTP) Communication | High | ElasticLoadBalancingv2 | Listener |
CSPM-AWS-2024-0049 | ELBv2 Lacks Deletion Protection | Medium | ElasticLoadBalancingv2 | LoadBalancer |
CSPM-AWS-2024-0092 | Rotation disabled for KMS Symmetric Customer Master Keys (CMKs) | Critical | KMS | Keys |
CSPM-AWS-2024-0104 | No CloudWatch Alarm for "Console Logins without MFA" | High | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0108 | A Deprecated Certificate Authority found in the RDS Instance | Medium | RDS | DBInstances |
CSPM-AWS-2024-0112 | Single AZ RDS Instance lacks the automatic failover capability | High | RDS | DBInstances |
CSPM-AWS-2024-0114 | Invalid Legacy SSL Certificate (PostgreSQL) found for RDS DB Instance | High | RDS | DBInstances |
CSPM-AWS-2024-0118 | Redshift Cluster Version Upgrade is Disabled | Medium | Redshift | Cluster |
CSPM-AWS-2024-0119 | Redshift Cluster is Publicly accessible | High | Redshift | Cluster |
CSPM-AWS-2024-0122 | All Traffic is Allowed by the Redshift Cluster Security Group | Critical | Redshift | ClusterSecurityGroups |
CSPM-AWS-2024-0146 | VPC Subnet Lacks a Flow Log | Medium | VPC | FlowLog |
CSPM-AWS-2024-0152 | Ensure that only IMDSv2 is permitted by the EC2 Metadata Service | Critical | EC2 | Instances |
CSPM-AWS-2024-0160 | IAM instance roles are used for AWS resource access from instances | Critical | EC2 | Instances |
CSPM-AWS-2024-0167 | VPC flow logging must be enabled in every VPC | Critical | VPC | FlowLog |
CSPM-AWS-2024-0176 | API Gateway should be associated with a WAF Web ACL | Medium | APIGateway | Stages |
CSPM-AWS-2024-0197 | CloudWatch log groups should be retained for a specified time period | Medium | CloudWatch | CloudWatchLogGroups |
CSPM-AWS-2024-0203 | Firehose delivery streams should be encrypted at rest | Medium | DataFirehose | DeliveryStream |
CSPM-AWS-2024-0208 | DMS replication instances should have automatic minor version upgrade enabled | Medium | DMS | ReplicationInstances |
CSPM-AWS-2024-0216 | Amazon DocumentDB clusters should have deletion protection enabled | Medium | DocumentDB | DocumentDBCluster |
CSPM-AWS-2024-0221 | DynamoDB tables should have deletion protection enabled | Medium | DynamoDB | DynamoDBTable |
CSPM-AWS-2024-0225 | Unused EC2 EIPs should be removed | Low | EC2 | Addresses |
CSPM-AWS-2024-0226 | EC2 subnets should not automatically assign public IP addresses | Medium | EC2 | Subnet |
CSPM-AWS-2024-0234 | EBS volumes should be in a backup plan | Low | Backup | BackupSelection |
CSPM-AWS-2024-0236 | Stopped EC2 instances should be removed after a specified time period | Medium | EC2 | Instances |
CSPM-AWS-2024-0238 | ECR private repositories should have image scanning configured | High | ECR | Repository |
CSPM-AWS-2024-0239 | ECR private repositories should have tag immutability configured | Medium | ECR | Repository |
CSPM-AWS-2024-0251 | Amazon EFS volumes should be in backup plans | Medium | Backup | BackupSelection |
CSPM-AWS-2024-0265 | Classic Load Balancer should span multiple Availability Zones | Medium | ELB | LoadBalancers |
CSPM-AWS-2024-0266 | Application Load Balancer should be configured with defensive or strictest desync mitigation mode | Medium | ELBv2 | LoadBalancer |
CSPM-AWS-2024-0278 | Elasticsearch domains should encrypt data sent between nodes | Medium | ElasticsearchService | ElasticSearchDomain |
CSPM-AWS-2024-0281 | Elasticsearch domains should have at least three data nodes | Medium | ES | ElasticSearchDomain |
CSPM-AWS-2024-0290 | Kinesis streams should be encrypted at rest | Medium | Kinesis | Stream |
CSPM-AWS-2024-0300 | ActiveMQ brokers should stream audit logs to CloudWatch | Medium | MQ | Broker |
CSPM-AWS-2024-0301 | Amazon MQ brokers should have automatic minor version upgrade enabled | Low | MQ | Broker |
CSPM-AWS-2024-0305 | MSK clusters should have enhanced monitoring configured | Low | MSK | Cluster |
CSPM-AWS-2024-0307 | Neptune DB clusters should publish audit logs to CloudWatch Logs | Medium | Neptune | DBCluster |
CSPM-AWS-2024-0309 | Neptune DB clusters should have deletion protection enabled | Low | Neptune | DBCluster |
CSPM-AWS-2024-0312 | Neptune DB clusters should have IAM database authentication enabled | Medium | Neptune | DBCluster |
CSPM-AWS-2024-0313 | Neptune DB clusters should be configured to copy tags to snapshots | Low | Neptune | DBCluster |
CSPM-AWS-2024-0322 | OpenSearch domains should have encryption at rest enabled | Medium | Opensearch | Domain |
CSPM-AWS-2024-0323 | OpenSearch domains should have the latest software update installed | Low | Opensearch | Domain |
CSPM-AWS-2024-0324 | OpenSearch domains should have at least three dedicated primary nodes | Low | Opensearch | Domain |
CSPM-AWS-2024-0326 | OpenSearch domains should encrypt data sent between nodes | Medium | Opensearch | Domain |
CSPM-AWS-2024-0329 | OpenSearch domains should have at least three data nodes | Medium | Opensearch | Domain |
CSPM-AWS-2024-0331 | Connections to OpenSearch domains should be encrypted using the latest TLS security policy | Medium | Opensearch | Domain |
CSPM-AWS-2024-0332 | AWS Private CA root certificate authority should be disabled | Low | PCA | CertificateAuthority |
CSPM-AWS-2024-0333 | IAM authentication should be configured for RDS instances | Medium | RDS | DBInstances |
CSPM-AWS-2024-0355 | RDS DB instances should have deletion protection enabled | Low | RDS | DBInstances |
CSPM-AWS-2024-0358 | Amazon Redshift clusters should have automatic snapshots enabled | Medium | Redshift | Cluster |
CSPM-AWS-2024-0359 | Redshift clusters should use enhanced VPC routing | Medium | Redshift | Cluster |
CSPM-AWS-2024-0368 | S3 general purpose buckets should be encrypted at rest with AWS KMS keys | Medium | S3 | Buckets |
CSPM-AWS-2024-0372 | Amazon SageMaker notebook instances should not have direct internet access | High | SageMaker | NotebookInstances |
CSPM-AWS-2024-0373 | SageMaker notebook instances should be launched in a custom VPC | High | SageMaker | NotebookInstances |
CSPM-AWS-2024-0374 | Users should not have root access to SageMaker notebook instances | High | SageMaker | NotebookInstances |
CSPM-AWS-2024-0376 | Secrets Manager secrets should have automatic rotation enabled | Medium | SecretsManager | Secret |
CSPM-AWS-2024-0377 | Secrets Manager secrets configured with automatic rotation should rotate successfully | Medium | SecretsManager | Secret |
CSPM-AWS-2024-0416 | Ensure Encryption for AWS AMIs is Enabled | High | EC2 | Images |
CSPM-AWS-2024-0441 | Enable Storage Encryption for Amazon WorkSpaces | High | WorkSpaces | Workspace |
CSPM-AWS-2024-0445 | Enable Encryption at Rest for Lambda Environment Variables using Customer Master Keys | High | Lambda | Function |
CSPM-AWS-2024-0452 | SageMaker Notebook Data Not Encrypted with Customer Managed Keys | High | SageMaker | NotebookInstances |
CSPM-AWS-2024-0464 | Agent Sessions Not Encrypted with Customer-Managed Keys in Amazon Bedrock | High | Bedrock | Agent |
CSPM-AWS-2024-0465 | Agent Sessions Not Protected by Guardrails in Amazon Bedrock | High | Bedrock | Agent |
CSPM-AWS-2024-0468 | Amazon Bedrock Guardrails Missing Sensitive Information Filters | High | Bedrock | Guardrails |
CSPM-AWS-2024-0487 | Unused EBS Volumes | Medium | EC2 | Volumes |
CSPM-AWS-2024-0514 | Enable Termination Protection for CloudFormation Stacks | High | CloudFormation | Stack |
CSPM-AWS-2024-0515 | AWS Config Global Resources Inclusion | High | ConfigService | ConfigurationRecorder |
CSPM-AWS-2024-0535 | Ensure ACM Certificate Requests Are Validated | Medium | ACM | Certificate |
CSPM-AWS-2024-0560 | Enforce VPC-Only Access for SageMaker Domains | Medium | SageMaker | Domain |
CSPM-AWS-2024-0589 | Ensure Redshift Clusters Do Not Use Default Port 5439 | Low | Redshift | Clusters |
CSPM-AWS-2024-0593 | Detect ACM Certificates with Wildcard Domain Names | Low | ACM | Certificate |
CSPM-AWS-2024-0594 | Ensure Latest Apache ActiveMQ Engine Version for Amazon MQ Brokers | Low | MQ | Broker |
CSPM-AWS-EKS-2024-0001 | Insufficient Control Plane Logging | Critical | EKS | Cluster |
CSPM-AWS-EKS-2024-0002 | KMS Encryption Disabled | Critical | EKS | Cluster |
CSPM-AWS-EKS-2024-0003 | Publicly Accessible API Server | Critical | EKS | Cluster |
CSPM-AWS-2024-0276 | Elasticsearch domains should have encryption at-rest enabled | Medium | ES | ElasticSearchDomain |