View Categories

Understand NIST 800-53 revision 5 Regional Rules in AWS

Print Friendly, PDF & Email

Interpretation of the Columns in Benchmark Compliance Rules:

Rule ID: A unique identifier for the specific security rule or check

Title: A brief description of the security issue or misconfiguration

Severity Low to High: Determines the risk of being exposed to attacks

Service Type: The AWS service affected or evaluated by the rule

Resource Type: The specific AWS resource being audited

Rule IDTitleSeverityService TypeResource Type
CSPM-AWS-2024-0008Trails lack integration with CloudWatchLowCloudTrailTrails
CSPM-AWS-2024-0012CloudTrail Log File Validation is disabledLowCloudTrailTrails
CSPM-AWS-2024-0016CloudWatch Alarm without actionHighCloudWatchAlarm
CSPM-AWS-2024-0022Publicly Accessible EBS SnapshotCriticalEC2Snapshots
CSPM-AWS-2024-0023Unencrypted EBS Volume irrespective of its stateMediumEC2Volumes
CSPM-AWS-2024-0027EC2 Instance is Assigned a Public IP AddressHighEC2Instances
CSPM-AWS-2024-0046Drop Invalid Header Fields disabledMediumElasticLoadBalancingv2LoadBalancer
CSPM-AWS-2024-0092Rotation disabled for KMS Symmetric Customer Master Keys (CMKs)MediumKMSKeys
CSPM-AWS-2024-0112Single AZ RDS Instance lack the automatic failover capabilityMediumRDSDBInstances
CSPM-AWS-2024-0118Redshift Cluster Version Upgrade is disabledMediumRedshiftCluster
CSPM-AWS-2024-0119Redshift Cluster is Publicly accessibleCriticalRedshiftCluster
CSPM-AWS-2024-0152Ensure that only IMDSv2 is permitted by EC2 Metadata ServiceHighEC2Instances
CSPM-AWS-2024-0167In every VPC, flow logging must be enabledMediumVPCFlowLog
CSPM-AWS-2024-0176API Gateway should be associated with a WAF Web ACLMediumAPIGatewayStages
CSPM-AWS-2024-0197CloudWatch log groups should be retained for a specified time periodMediumCloudWatchCloudWatchLogGroups
CSPM-AWS-2024-0208DMS replication instances should have automatic minor version upgrade enabledMediumDMSReplicationInstances
CSPM-AWS-2024-0216Amazon DocumentDB clusters should have deletion protection enabledMediumDocumentDBDocumentDBCluster
CSPM-AWS-2024-0221DynamoDB tables should have deletion protection enabledMediumDynamoDBDynamoDBTable
CSPM-AWS-2024-0225Unused EC2 EIPs should be removedLowEC2Addresses
CSPM-AWS-2024-0226EC2 subnets should not automatically assign public IP addressesMediumEC2Subnet
CSPM-AWS-2024-0234EBS volumes should be in a backup planLowBackupBackupSelection
CSPM-AWS-2024-0236Stopped EC2 instances should be removed after a specified time periodMediumEC2Instances
CSPM-AWS-2024-0238ECR private repositories should have image scanning configuredHighECRRepository
CSPM-AWS-2024-0239ECR private repositories should have tag immutability configuredMediumECRRepository
CSPM-AWS-2024-0251Amazon EFS volumes should be in backup plansMediumBackupBackupSelection
CSPM-AWS-2024-0265Classic Load Balancer should span multiple Availability ZonesMediumELBLoadBalancers
CSPM-AWS-2024-0266Application Load Balancer should be configured with defensive or strictest desync mitigation modeMediumELBv2LoadBalancer
CSPM-AWS-2024-0278Elasticsearch domains should encrypt data sent between nodesMediumElasticsearchServiceElasticSearchDomain
CSPM-AWS-2024-0281Elasticsearch domains should have at least three data nodesMediumESElasticSearchDomain
CSPM-AWS-2024-0290Kinesis streams should be encrypted at restMediumKinesisStream
CSPM-AWS-2024-0305MSK clusters should have enhanced monitoring configuredLowMSKCluster
CSPM-AWS-2024-0307Neptune DB clusters should publish audit logs to CloudWatch LogsMediumNeptuneDBCluster
CSPM-AWS-2024-0309Neptune DB clusters should have deletion protection enabledLowNeptuneDBCluster
CSPM-AWS-2024-0312Neptune DB clusters should have IAM database authentication enabledMediumNeptuneDBCluster
CSPM-AWS-2024-0313Neptune DB clusters should be configured to copy tags to snapshotsLowNeptuneDBCluster
CSPM-AWS-2024-0322OpenSearch domains should have encryption at rest enabledMediumOpensearchDomain
CSPM-AWS-2024-0323OpenSearch domains should have the latest software update installedLowOpensearchDomain
CSPM-AWS-2024-0326OpenSearch domains should encrypt data sent between nodesMediumOpensearchDomain
CSPM-AWS-2024-0329OpenSearch domains should have at least three data nodesMediumOpensearchDomain
CSPM-AWS-2024-0331Connections to OpenSearch domains should be encrypted using the latest TLS security policyMediumOpensearchDomain
CSPM-AWS-2024-0332AWS Private CA root certificate authority should be disabledLowPCACertificateAuthority
CSPM-AWS-2024-0333IAM authentication should be configured for RDS instancesMediumRDSDBInstances
CSPM-AWS-2024-0355RDS DB instances should have deletion protection enabledLowRDSDBInstances
CSPM-AWS-2024-0358Amazon Redshift clusters should have automatic snapshots enabledMediumRedshiftCluster
CSPM-AWS-2024-0359Redshift clusters should use enhanced VPC routingMediumRedshiftCluster
CSPM-AWS-2024-0368S3 general purpose buckets should be encrypted at rest with AWS KMS keysMediumS3Buckets
CSPM-AWS-2024-0372Amazon SageMaker notebook instances should not have direct internet accessHighSageMakerNotebookInstances
CSPM-AWS-2024-0373SageMaker notebook instances should be launched in a custom VPCHighSageMakerNotebookInstances
CSPM-AWS-2024-0374Users should not have root access to SageMaker notebook instancesHighSageMakerNotebookInstances
CSPM-AWS-2024-0376Secrets Manager secrets should have automatic rotation enabledMediumSecretsManagerSecret
CSPM-AWS-2024-0377Secrets Manager secrets configured with automatic rotation should rotate successfullyMediumSecretsManagerSecret
CSPM-AWS-EKS-2024-0001Insufficient Control Plane LoggingMediumEKSCluster
CSPM-AWS-EKS-2024-0003Publicly Accessible API ServerHighEKSCluster