Interpretation of the Columns in Benchmark Compliance Rules:

- **Rule ID**: A unique identifier for the specific security rule or check
- **Title**: A brief description of the security issue or misconfiguration
- **Severity** (Low to High): Indicates the level of risk of being exposed to attacks
- **Service Type**: The AWS service affected or evaluated by the rule
- **Resource Type**: The specific AWS resource being audited

Rule ID | Title | Severity | Service Type | Resource Type |
---|---|---|---|---|
CSPM-AWS-2024-0008 | Trails lack integration with CloudWatch | Low | CloudTrail | Trails |
CSPM-AWS-2024-0012 | CloudTrail Log File Validation is disabled | Low | CloudTrail | Trails |
CSPM-AWS-2024-0016 | CloudWatch Alarm without action | High | CloudWatch | Alarm |
CSPM-AWS-2024-0022 | Publicly Accessible EBS Snapshot | Critical | EC2 | Snapshots |
CSPM-AWS-2024-0023 | Unencrypted EBS Volume irrespective of its state | Medium | EC2 | Volumes |
CSPM-AWS-2024-0027 | EC2 Instance is Assigned a Public IP Address | High | EC2 | Instances |
CSPM-AWS-2024-0046 | Drop Invalid Header Fields disabled | Medium | ElasticLoadBalancingv2 | LoadBalancer |
CSPM-AWS-2024-0092 | Rotation disabled for KMS Symmetric Customer Master Keys (CMKs) | Medium | KMS | Keys |
CSPM-AWS-2024-0112 | Single-AZ RDS Instance lacks the automatic failover capability | Medium | RDS | DBInstances |
CSPM-AWS-2024-0118 | Redshift Cluster Version Upgrade is disabled | Medium | Redshift | Cluster |
CSPM-AWS-2024-0119 | Redshift Cluster is Publicly accessible | Critical | Redshift | Cluster |
CSPM-AWS-2024-0152 | Ensure that only IMDSv2 is permitted by EC2 Metadata Service | High | EC2 | Instances |
CSPM-AWS-2024-0167 | In every VPC, flow logging must be enabled | Medium | VPC | FlowLog |
CSPM-AWS-2024-0176 | API Gateway should be associated with a WAF Web ACL | Medium | APIGateway | Stages |
CSPM-AWS-2024-0197 | CloudWatch log groups should be retained for a specified time period | Medium | CloudWatch | CloudWatchLogGroups |
CSPM-AWS-2024-0208 | DMS replication instances should have automatic minor version upgrade enabled | Medium | DMS | ReplicationInstances |
CSPM-AWS-2024-0216 | Amazon DocumentDB clusters should have deletion protection enabled | Medium | DocumentDB | DocumentDBCluster |
CSPM-AWS-2024-0221 | DynamoDB tables should have deletion protection enabled | Medium | DynamoDB | DynamoDBTable |
CSPM-AWS-2024-0225 | Unused EC2 EIPs should be removed | Low | EC2 | Addresses |
CSPM-AWS-2024-0226 | EC2 subnets should not automatically assign public IP addresses | Medium | EC2 | Subnet |
CSPM-AWS-2024-0234 | EBS volumes should be in a backup plan | Low | Backup | BackupSelection |
CSPM-AWS-2024-0236 | Stopped EC2 instances should be removed after a specified time period | Medium | EC2 | Instances |
CSPM-AWS-2024-0238 | ECR private repositories should have image scanning configured | High | ECR | Repository |
CSPM-AWS-2024-0239 | ECR private repositories should have tag immutability configured | Medium | ECR | Repository |
CSPM-AWS-2024-0251 | Amazon EFS volumes should be in backup plans | Medium | Backup | BackupSelection |
CSPM-AWS-2024-0265 | Classic Load Balancer should span multiple Availability Zones | Medium | ELB | LoadBalancers |
CSPM-AWS-2024-0266 | Application Load Balancer should be configured with defensive or strictest desync mitigation mode | Medium | ELBv2 | LoadBalancer |
CSPM-AWS-2024-0278 | Elasticsearch domains should encrypt data sent between nodes | Medium | ElasticsearchService | ElasticSearchDomain |
CSPM-AWS-2024-0281 | Elasticsearch domains should have at least three data nodes | Medium | ES | ElasticSearchDomain |
CSPM-AWS-2024-0290 | Kinesis streams should be encrypted at rest | Medium | Kinesis | Stream |
CSPM-AWS-2024-0305 | MSK clusters should have enhanced monitoring configured | Low | MSK | Cluster |
CSPM-AWS-2024-0307 | Neptune DB clusters should publish audit logs to CloudWatch Logs | Medium | Neptune | DBCluster |
CSPM-AWS-2024-0309 | Neptune DB clusters should have deletion protection enabled | Low | Neptune | DBCluster |
CSPM-AWS-2024-0312 | Neptune DB clusters should have IAM database authentication enabled | Medium | Neptune | DBCluster |
CSPM-AWS-2024-0313 | Neptune DB clusters should be configured to copy tags to snapshots | Low | Neptune | DBCluster |
CSPM-AWS-2024-0322 | OpenSearch domains should have encryption at rest enabled | Medium | Opensearch | Domain |
CSPM-AWS-2024-0323 | OpenSearch domains should have the latest software update installed | Low | Opensearch | Domain |
CSPM-AWS-2024-0326 | OpenSearch domains should encrypt data sent between nodes | Medium | Opensearch | Domain |
CSPM-AWS-2024-0329 | OpenSearch domains should have at least three data nodes | Medium | Opensearch | Domain |
CSPM-AWS-2024-0331 | Connections to OpenSearch domains should be encrypted using the latest TLS security policy | Medium | Opensearch | Domain |
CSPM-AWS-2024-0332 | AWS Private CA root certificate authority should be disabled | Low | PCA | CertificateAuthority |
CSPM-AWS-2024-0333 | IAM authentication should be configured for RDS instances | Medium | RDS | DBInstances |
CSPM-AWS-2024-0355 | RDS DB instances should have deletion protection enabled | Low | RDS | DBInstances |
CSPM-AWS-2024-0358 | Amazon Redshift clusters should have automatic snapshots enabled | Medium | Redshift | Cluster |
CSPM-AWS-2024-0359 | Redshift clusters should use enhanced VPC routing | Medium | Redshift | Cluster |
CSPM-AWS-2024-0368 | S3 general purpose buckets should be encrypted at rest with AWS KMS keys | Medium | S3 | Buckets |
CSPM-AWS-2024-0372 | Amazon SageMaker notebook instances should not have direct internet access | High | SageMaker | NotebookInstances |
CSPM-AWS-2024-0373 | SageMaker notebook instances should be launched in a custom VPC | High | SageMaker | NotebookInstances |
CSPM-AWS-2024-0374 | Users should not have root access to SageMaker notebook instances | High | SageMaker | NotebookInstances |
CSPM-AWS-2024-0376 | Secrets Manager secrets should have automatic rotation enabled | Medium | SecretsManager | Secret |
CSPM-AWS-2024-0377 | Secrets Manager secrets configured with automatic rotation should rotate successfully | Medium | SecretsManager | Secret |
CSPM-AWS-EKS-2024-0001 | Insufficient Control Plane Logging | Medium | EKS | Cluster |
CSPM-AWS-EKS-2024-0003 | Publicly Accessible API Server | High | EKS | Cluster |