View Categories

Implementing SecPod Regional Rules in AWS

Print Friendly, PDF & Email
BenchmarkRule IDTitleService TypeResource Type
SecPod_RegionalCSPM-AWS-2024-0002ACM Certificate with Transparency Logging Set to DisabledACMACM Certificate
SecPod_RegionalCSPM-AWS-2024-0008Trails lacks integration with CloudWatchCloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0009CloudTrail Data Events Logging Not ConfiguredCloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0010CloudTrail Logs are not encrypted using KMS Customer Master Keys (CMKs).CloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0011Logging for Global services is Disabled for TrailCloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0012CloudTrail Log File Validation is DisabledCloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0013Logging Disabled for TrailsCloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0014CloudTrail Service Not ConfiguredCloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0015Configuration of CloudTrail Data Logging does not include all ResourcesCloudTrailEventSelector
SecPod_RegionalCSPM-AWS-2024-0016CloudWatch Alarm without ActionCloudWatchAlarm
SecPod_RegionalCSPM-AWS-2024-0017AWS Config Recorders Not EnabledConfigServiceConfigurationRecorders
SecPod_RegionalCSPM-AWS-2024-0018AMIs are Publicly AccessibleEC2Images
SecPod_RegionalCSPM-AWS-2024-0019Use of Default Security GroupsEC2Instances
SecPod_RegionalCSPM-AWS-2024-0020Non-empty Default Security Group RulesetsEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0021Unencrypted EBS SnapshotEC2Snapshots
SecPod_RegionalCSPM-AWS-2024-0022Publicly Accessible EBS SnapshotEC2Snapshots
SecPod_RegionalCSPM-AWS-2024-0023Unencrypted EBS Volume irrespective of its stateEC2Volumes
SecPod_RegionalCSPM-AWS-2024-0024EC2 Instance Belongs to Specific Security GroupEC2Instances
SecPod_RegionalCSPM-AWS-2024-0026Use of Restricted Instances TypesEC2Instances
SecPod_RegionalCSPM-AWS-2024-0027EC2 Instance is Assigned a Public IP AddressEC2Instances
SecPod_RegionalCSPM-AWS-2024-0029EC2 Security Group Allows Access to All PortsEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0032All ICMP Traffic Permitted by EC2 Security GroupEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0033-01Security Group Allows Unrestricted Access through “MySQL” Well-Known PortEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0033-02Security Group Allows Unrestricted Access through “DNS” Well-Known PortEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0033-03Security Group Allows Unrestricted Access through “MongoDB” Well-Known PortEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0033-04Security Group Allows Unrestricted Access through “MsSQL” Well-Known PortEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0033-05Security Group Allows Unrestricted Access through “Oracle DB” Well-Known PortEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0033-06Security Group Allows Unrestricted Access through “PostgreSQL” Well-Known PortEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0033-07Security Group Allows Unrestricted Access through “RDP” Well-Known PortEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0033-08Security Group Allows Unrestricted Access through “SSH” Well-Known PortEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0033-09Security Group Allows Unrestricted Access through “NFS” Well-Known PortEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0033-10Security Group Allows Unrestricted Access through “SMTP” Well-Known PortEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0034-01Security Group Allows Access through Port FTPEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0034-02Security Group Allows Access through Port TelnetEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0042Unused Security GroupEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0043Elastic Load Balancer (ELB) Allows Clear Text (HTTP) CommunicationElasticLoadBalancingLoadBalancer
SecPod_RegionalCSPM-AWS-2024-0044Absence of Elastic Load Balancer (ELB) Access LogsElasticLoadBalancingLoadBalancer
SecPod_RegionalCSPM-AWS-2024-0045An Old SSL/TLS Policy DetectedElasticLoadBalancingLoadBalancer
SecPod_RegionalCSPM-AWS-2024-0046Drop Invalid Header Fields DisabledElasticLoadBalancingv2LoadBalancer
SecPod_RegionalCSPM-AWS-2024-0047Elastic Load Balancer (ELBv2) Permits Clear Text (HTTP) CommunicationElasticLoadBalancingv2Listener
SecPod_RegionalCSPM-AWS-2024-0048Lack of ELBv2 Access LogsElasticLoadBalancingv2LoadBalancer
SecPod_RegionalCSPM-AWS-2024-0049ELBv2 Lacks Deletion ProtectionElasticLoadBalancingv2LoadBalancer
SecPod_RegionalCSPM-AWS-2024-0050An Old SSL/TLS Policy Detected (ELBv2)ElasticLoadBalancingv2Listener
SecPod_RegionalCSPM-AWS-2024-0092Rotation disabled for KMS Symmetric Customer Master Keys (CMKs)KMSKeys
SecPod_RegionalCSPM-AWS-2024-0093No CloudWatch Alarm Monitoring for “AWS Configuration Changes”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0094No CloudWatch Alarm Monitoring for “CloudTrail Configuration Changes”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0095No CloudWatch Alarm for “Disabled or Deleted Master Keys”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0096No CloudWatch Alarm for “Failed Console Authentications”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0097No CloudWatch Alarm for “IAM Policy Changes”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0098No CloudWatch Alarm for “Network Access Control Lists Changes”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0099No CloudWatch Alarm for “Network Gateways Changes”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0100No CloudWatch Alarm for “Root Account Usage”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0101No CloudWatch Alarm for “Route Table Changes”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0102No CloudWatch Alarm for “S3 Bucket Policy Changes”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0103No CloudWatch Alarm for “Console Logins without MFA”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0104No CloudWatch Alarm for”Console Logins without MFA”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0105No CloudWatch Alarm for “Unauthorized API Calls”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0106No CloudWatch Alarm for “VPC Changes”CloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0107RDS Instance Backup DisabledRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0108A Deprecated Certificate Authority found in the RDS InstanceRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0109Auto Minor Version Upgrade Disabled in the RDS InstanceRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0110The RDS Instance is Publicly AccessibleRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0111The Backup Retention Time is Short in RDS InstancesRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0112Single AZ RDS Instance lack the automatic failover capabilityRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0113RDS Instance Storage Not EncryptedRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0114Invalid Legacy SSL Certificate (PostgreSQL) found for RDS DB InstanceRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0115RDS Instance Security Group allows All IP AddressesRDSDBSecurityGroup
SecPod_RegionalCSPM-AWS-2024-0116Publicly Accessible RDS DB SnapshotRDSDBSnapshot
SecPod_RegionalCSPM-AWS-2024-0117Redshift data in the cluster is not encrypted at restRedshiftCluster
SecPod_RegionalCSPM-AWS-2024-0118Redshift Cluster Version Upgrade is DisabledRedshiftCluster
SecPod_RegionalCSPM-AWS-2024-0119Redshift Cluster is Publicly accessibleRedshiftCluster
SecPod_RegionalCSPM-AWS-2024-0120Disabled User Activity Logging for Redshift ClusterRedshiftParameterGroup
SecPod_RegionalCSPM-AWS-2024-0121SSL is not required for Redshift Cluster Parameter GroupsRedshiftParameterGroups
SecPod_RegionalCSPM-AWS-2024-0122All Traffic is Allowed by the Redshift Cluster Security GroupRedshiftClusterSecurityGroups
SecPod_RegionalCSPM-AWS-2024-0127S3 Bucket has Disabled Default EncryptionS3Buckets
SecPod_RegionalCSPM-AWS-2024-0128Logging of S3 bucket Access is DisabledS3Buckets
SecPod_RegionalCSPM-AWS-2024-0129S3 Bucket without Multi-Factor Authentication (MFA) DeleteS3Buckets
SecPod_RegionalCSPM-AWS-2024-0130S3 Bucket has No VersioningS3Buckets
SecPod_RegionalCSPM-AWS-2024-0138SQS Queue Server with Disabled EncryptionSQSQueue
SecPod_RegionalCSPM-AWS-2024-0142Unused Network ACLs detectedEC2NetworkAcl
SecPod_RegionalCSPM-AWS-2024-0143VPC Routing Table fails to Maintain High Selectivity in PeeringEC2RouteTable
SecPod_RegionalCSPM-AWS-2024-0146VPC Subnet Lacks a Flow LogEC2FlowLog
SecPod_RegionalCSPM-AWS-2024-0147S3 bucket access logging is not enabled on the CloudTrail S3 bucketCloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0148CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management eventsCloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0149Encryption should be enabled at-rest in CloudTrail.CloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0151Enable Amazon EBS encryption by default for your account in the current region.EC2Volumes
SecPod_RegionalCSPM-AWS-2024-0152Ensure that only IMDSv2 is permitted by EC2 Metadata Service.EC2Instances
SecPod_RegionalCSPM-AWS-2024-0154EFS file systems do not have encryption enabled.EFSFileSystems
SecPod_RegionalCSPM-AWS-2024-0155Ensure that IAM Access analyzer is enabled for all regionsAccessAnalyzerAnalyzer
SecPod_RegionalCSPM-AWS-2024-0160IAM instance roles are used for AWS resource access from instancesEC2Instances
SecPod_RegionalCSPM-AWS-2024-0162Ensure AWS Organizations changes are monitored using CloudWatchLogsCloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0164At the bucket level, the S3 Block Public Access setting needs to be enabled.S3Buckets
SecPod_RegionalCSPM-AWS-2024-0165Enabling the S3 Block Public Access setting is necessary.S3Buckets
SecPod_RegionalCSPM-AWS-2024-0166Ensure AWS Security Hub is enabledSecurityHubHub
SecPod_RegionalCSPM-AWS-2024-0167In every VPC, VPC flow logging is must to be enabled.EC2FlowLog
SecPod_RegionalCSPM-AWS-2024-0173API Gateway REST and WebSocket API execution logging should be enabledAPIGatewayStages
SecPod_RegionalCSPM-AWS-2024-0174API Gateway REST API stages should be configured to use SSL certificates for backend authenticationAPIGatewayStages
SecPod_RegionalCSPM-AWS-2024-0175API Gateway REST API stages should have AWS X-Ray tracing enabledAPIGatewayStages
SecPod_RegionalCSPM-AWS-2024-0176API Gateway should be associated with a WAF Web ACLAPIGatewayStages
SecPod_RegionalCSPM-AWS-2024-0177API Gateway REST API cache data should be encrypted at restAPIGatewayStages
SecPod_RegionalCSPM-AWS-2024-0178API Gateway routes should specify an authorization typeAPIGatewayStages
SecPod_RegionalCSPM-AWS-2024-0179Access logging should be configured for API Gateway V2 StagesAPIGatewayStages
SecPod_RegionalCSPM-AWS-2024-0180AWS AppSync GraphQL APIs should not be authenticated with API keysAppSyncAppSync Graphql APIs
SecPod_RegionalCSPM-AWS-2024-0182Amazon EC2 Auto Scaling group should cover multiple Availability ZonesAutoScalingAutoScalingGroups
SecPod_RegionalCSPM-AWS-2024-0183Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)AutoScalingLaunchConfigurations
SecPod_RegionalCSPM-AWS-2024-0184Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addressesAutoScalingLaunchConfigurations
SecPod_RegionalCSPM-AWS-2024-0185Auto Scaling groups should use multiple instance types in multiple Availability ZonesAutoScalingAutoScalingGroups
SecPod_RegionalCSPM-AWS-2024-0186EC2 Auto Scaling groups should use EC2 launch templatesAutoScalingAutoScalingGroups
SecPod_RegionalCSPM-AWS-2024-0187AWS Backup recovery points should be encrypted at restBackupBackupRecoveryPoints
SecPod_RegionalCSPM-AWS-2024-0197CloudWatch log groups should be retained for a specified time periodCloudWatchCloudWatchLogGroups
SecPod_RegionalCSPM-AWS-2024-0200CodeBuild S3 logs should be encryptedCodeBuildCodeBuildS3Logs
SecPod_RegionalCSPM-AWS-2024-0201CodeBuild project environments should have a logging configurationCodeBuildCodeBuildProject
SecPod_RegionalCSPM-AWS-2024-0202AWS Config should be enabledConfigConfigurationRecorder
SecPod_RegionalCSPM-AWS-2024-0203Firehose delivery streams should be encrypted at restDataFirehoseDeliveryStream
SecPod_RegionalCSPM-AWS-2024-0204Database Migration Service replication instances should not be publicDMSReplicationInstances
SecPod_RegionalCSPM-AWS-2024-0205DMS endpoints for Neptune databases should have IAM authorization enabledDMSDMSEndpoints
SecPod_RegionalCSPM-AWS-2024-0206DMS endpoints for MongoDB should have an authentication mechanism enabledDMSDMSEndpoints
SecPod_RegionalCSPM-AWS-2024-0207DMS endpoints for Redis should have TLS enabledDMSDMSEndpoints
SecPod_RegionalCSPM-AWS-2024-0208DMS replication instances should have automatic minor version upgrade enabledDMSReplicationInstances
SecPod_RegionalCSPM-AWS-2024-0209DMS replication tasks for the target database should have logging enabledDMSReplicationTasks
SecPod_RegionalCSPM-AWS-2024-0210DMS replication tasks for the source database should have logging enabledDMSReplicationTasks
SecPod_RegionalCSPM-AWS-2024-0211DMS endpoints should use SSLDMSDMSEndpoints
SecPod_RegionalCSPM-AWS-2024-0212Amazon DocumentDB clusters should be encrypted at restDocumentDBDocumentDBCluster
SecPod_RegionalCSPM-AWS-2024-0213Amazon DocumentDB clusters should have an adequate backup retention periodDocumentDBDocumentDBCluster
SecPod_RegionalCSPM-AWS-2024-0214Amazon DocumentDB manual cluster snapshots should not be publicDocumentDBDocumentDBManualCluster
SecPod_RegionalCSPM-AWS-2024-0215Amazon DocumentDB clusters should publish audit logs to CloudWatch LogsDocumentDBDocumentDBCluster
SecPod_RegionalCSPM-AWS-2024-0216Amazon DocumentDB clusters should have deletion protection enabledDocumentDBDocumentDBCluster
SecPod_RegionalCSPM-AWS-2024-0217DynamoDB tables should automatically scale capacity with demandDynamoDBDynamoDBTable
SecPod_RegionalCSPM-AWS-2024-0218DynamoDB tables should have point-in-time recovery enabledDynamoDBDynamoDBTable
SecPod_RegionalCSPM-AWS-2024-0219DynamoDB Accelerator (DAX) clusters should be encrypted at restDynamoDBDAXCluster
SecPod_RegionalCSPM-AWS-2024-0220DynamoDB tables should be present in a backup planDynamoDBDynamoDBTable
SecPod_RegionalCSPM-AWS-2024-0221DynamoDB tables should have deletion protection enabledDynamoDBDynamoDBTable
SecPod_RegionalCSPM-AWS-2024-0222DynamoDB Accelerator clusters should be encrypted in transitDynamoDBDAXCluster
SecPod_RegionalCSPM-AWS-2024-0224Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 serviceEC2Instances
SecPod_RegionalCSPM-AWS-2024-0225Unused EC2 EIPs should be removedEC2Addresses
SecPod_RegionalCSPM-AWS-2024-0226EC2 subnets should not automatically assign public IP addressesEC2Subnet
SecPod_RegionalCSPM-AWS-2024-0227Unused Network Access Control Lists should be removedEC2NetworkAcls
SecPod_RegionalCSPM-AWS-2024-0228EC2 instances should not use multiple ENIsEC2Instances
SecPod_RegionalCSPM-AWS-2024-0229Security groups should only allow unrestricted incoming traffic for authorized portsEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0230Both VPN tunnels for an AWS Site-to-Site VPN connection should be upEC2VPCConnections
SecPod_RegionalCSPM-AWS-2024-0231EC2 Transit Gateways should not automatically accept VPC attachment requestsEC2TransitGateway
SecPod_RegionalCSPM-AWS-2024-0232EC2 paravirtual instance types should not be usedEC2Instances
SecPod_RegionalCSPM-AWS-2024-0233EC2 launch templates should not assign public IPs to network interfacesEC2LaunchTemplate
SecPod_RegionalCSPM-AWS-2024-0234EBS volumes should be in a backup planBackupBackupSelection
SecPod_RegionalCSPM-AWS-2024-0236Stopped EC2 instances should be removed after a specified time periodEC2Instances
SecPod_RegionalCSPM-AWS-2024-0237EC2 Client VPN endpoints should have client connection logging enabledEC2ClientVPNEndpoint
SecPod_RegionalCSPM-AWS-2024-0238ECR private repositories should have image scanning configuredECRRepository
SecPod_RegionalCSPM-AWS-2024-0239ECR private repositories should have tag immutability configuredECRRepository
SecPod_RegionalCSPM-AWS-2024-0240ECR repositories should have at least one lifecycle policy configuredECRRepository
SecPod_RegionalCSPM-AWS-2024-0241Amazon ECS task definitions should have secure networking modes and user definitionsECSTaskDefinition
SecPod_RegionalCSPM-AWS-2024-0242ECS Fargate services should run on the latest Fargate platform versionECSService
SecPod_RegionalCSPM-AWS-2024-0243ECS clusters should use Container InsightsECSCluster
SecPod_RegionalCSPM-AWS-2024-0244ECS services should not have public IP addresses assigned to them automaticallyECSService
SecPod_RegionalCSPM-AWS-2024-0245ECS task definitions should not share the host’s process namespaceECSTaskDefinition
SecPod_RegionalCSPM-AWS-2024-0246ECS containers should run as non-privilegedECSTaskDefinition
SecPod_RegionalCSPM-AWS-2024-0247ECS containers should be limited to read-only access to root filesystemsECSTaskDefinition
SecPod_RegionalCSPM-AWS-2024-0248Secrets should not be passed as container environment variablesECSTaskDefinition
SecPod_RegionalCSPM-AWS-2024-0249ECS task definitions should have a logging configurationECSTaskDefinition
SecPod_RegionalCSPM-AWS-2024-0250Elastic File System should be configured to encrypt file data at-rest using AWS KMSEFSFileSystems
SecPod_RegionalCSPM-AWS-2024-0251Amazon EFS volumes should be in backup plansBackupBackupSelection
SecPod_RegionalCSPM-AWS-2024-0252EFS access points should enforce a root directoryEFSAccessPoint
SecPod_RegionalCSPM-AWS-2024-0253EFS access points should enforce a user identityEFSAccessPoint
SecPod_RegionalCSPM-AWS-2024-0254EKS clusters should run on a supported Kubernetes versionEKSCluster
SecPod_RegionalCSPM-AWS-2024-0255ElastiCache Redis clusters should have automatic backup enabledElastiCacheCacheClusters
SecPod_RegionalCSPM-AWS-2024-0256ElastiCache for Redis cache clusters should have auto minor version upgrades enabledElastiCacheCacheClusters
SecPod_RegionalCSPM-AWS-2024-0257ElastiCache replication groups should have automatic failover enabledElastiCacheReplicationGroups
SecPod_RegionalCSPM-AWS-2024-0258ElastiCache replication groups should have encryption-at-rest enabledElastiCacheReplicationGroups
SecPod_RegionalCSPM-AWS-2024-0259ElastiCache replication groups should have encryption-in-transit enabledElastiCacheReplicationGroups
SecPod_RegionalCSPM-AWS-2024-0260ElastiCache for Redis replication groups before version 6.0 should use Redis AUTHElastiCacheReplicationGroups
SecPod_RegionalCSPM-AWS-2024-0261ElastiCache clusters should not use the default subnet groupElastiCacheCacheClusters
SecPod_RegionalCSPM-AWS-2024-0262Elastic Beanstalk environments should have enhanced health reporting enabledElasticBeanstalkEnvironment
SecPod_RegionalCSPM-AWS-2024-0263Elastic Beanstalk managed platform updates should be enabledElasticBeanstalkEnvironment
SecPod_RegionalCSPM-AWS-2024-0264Application Load Balancer should be configured to redirect all HTTP requests to HTTPSELBv2ApplicationLoadBalancer
SecPod_RegionalCSPM-AWS-2024-0265Classic Load Balancer should span multiple Availability ZonesELBLoadBalancers
SecPod_RegionalCSPM-AWS-2024-0266Application Load Balancer should be configured with defensive or strictest desync mitigation modeELBv2LoadBalancer
SecPod_RegionalCSPM-AWS-2024-0267Application, Network and Gateway Load Balancers should span multiple Availability ZonesELBv2LoadBalancer
SecPod_RegionalCSPM-AWS-2024-0268Classic Load Balancer should be configured with defensive or strictest desync mitigation modeELBLoadBalancer
SecPod_RegionalCSPM-AWS-2024-0270Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate ManagerELBLoadBalancer
SecPod_RegionalCSPM-AWS-2024-0271Classic Load Balancers should have connection draining enabledELBLoadBalancer
SecPod_RegionalCSPM-AWS-2024-0273Classic Load Balancers should have cross-zone load balancing enabledELBLoadBalancer
SecPod_RegionalCSPM-AWS-2024-0274Amazon EMR cluster primary nodes should not have public IP addressesEMREMRCluster
SecPod_RegionalCSPM-AWS-2024-0275Amazon EMR block public access setting should be enabledEMREMRCluster
SecPod_RegionalCSPM-AWS-2024-0276Elasticsearch domains should have encryption at-rest enabledESElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0277Elasticsearch domains should not be publicly accessibleESElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0278Elasticsearch domains should encrypt data sent between nodesESElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0279Elasticsearch domain error logging to CloudWatch Logs should be enabledESElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0280Elasticsearch domains should have audit logging enabledESElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0281Elasticsearch domains should have at least three data nodesESElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0282Elasticsearch domains should be configured with at least three dedicated master nodesESElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0283Connections to Elasticsearch domains should be encrypted using the latest TLS security policyESElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0284EventBridge custom event buses should have a resource-based policy attachedEventBridgeEventBus
SecPod_RegionalCSPM-AWS-2024-0285EventBridge global endpoints should have event replication enabledEventBridgeEndpoint
SecPod_RegionalCSPM-AWS-2024-0286FSx for OpenZFS file systems should be configured to copy tags to backups and volumesFSxFileSystem
SecPod_RegionalCSPM-AWS-2024-0287FSx for Lustre file systems should be configured to copy tags to backupsFSxFileSystem
SecPod_RegionalCSPM-AWS-2024-0288GuardDuty should be enabledGuardDutyAccount
SecPod_RegionalCSPM-AWS-2024-0290Kinesis streams should be encrypted at restKinesisStream
SecPod_RegionalCSPM-AWS-2024-0293AWS KMS keys should not be deleted unintentionallyKMSKey
SecPod_RegionalCSPM-AWS-2024-0294Lambda function policies should prohibit public accessLambdaLambdaFunction
SecPod_RegionalCSPM-AWS-2024-0295Lambda functions should use supported runtimesLambdaLambdaFunction
SecPod_RegionalCSPM-AWS-2024-0296Lambda functions should be in a VPCLambdaLambdaFunction
SecPod_RegionalCSPM-AWS-2024-0298Macie should be enabledMacieSession
SecPod_RegionalCSPM-AWS-2024-0299Macie automated sensitive data discovery should be enabledMacieAccount
SecPod_RegionalCSPM-AWS-2024-0300ActiveMQ brokers should stream audit logs to CloudWatchMQBroker
SecPod_RegionalCSPM-AWS-2024-0301Amazon MQ brokers should have automatic minor version upgrade enabledMQBroker
SecPod_RegionalCSPM-AWS-2024-0302ActiveMQ brokers should use active/standby deployment modeMQBroker
SecPod_RegionalCSPM-AWS-2024-0303RabbitMQ brokers should use cluster deployment modeMQBroker
SecPod_RegionalCSPM-AWS-2024-0304MSK clusters should be encrypted in transit among broker nodesMSKCluster
SecPod_RegionalCSPM-AWS-2024-0305MSK clusters should have enhanced monitoring configuredMSKCluster
SecPod_RegionalCSPM-AWS-2024-0306Neptune DB clusters should be encrypted at restNeptuneDBCluster
SecPod_RegionalCSPM-AWS-2024-0307Neptune DB clusters should publish audit logs to CloudWatch LogsNeptuneDBCluster
SecPod_RegionalCSPM-AWS-2024-0308Neptune DB cluster snapshots should not be publicNeptuneDBClusterSnapshot
SecPod_RegionalCSPM-AWS-2024-0309Neptune DB clusters should have deletion protection enabledNeptuneDBCluster
SecPod_RegionalCSPM-AWS-2024-0310Neptune DB clusters should have automated backups enabledNeptuneDBCluster
SecPod_RegionalCSPM-AWS-2024-0311Neptune DB cluster snapshots should be encrypted at restNeptuneDBClusterSnapshot
SecPod_RegionalCSPM-AWS-2024-0312Neptune DB clusters should have IAM database authentication enabledNeptuneDBCluster
SecPod_RegionalCSPM-AWS-2024-0313Neptune DB clusters should be configured to copy tags to snapshotsNeptuneDBCluster
SecPod_RegionalCSPM-AWS-2024-0314Neptune DB clusters should be deployed across multiple Availability ZonesNeptuneDBCluster
SecPod_RegionalCSPM-AWS-2024-0315Network Firewall firewalls should be deployed across multiple Availability ZonesNetworkFirewallFirewall
SecPod_RegionalCSPM-AWS-2024-0316Network Firewall logging should be enabledNetworkFirewallLoggingConfiguration
SecPod_RegionalCSPM-AWS-2024-0317Network Firewall policies should have at least one rule group associatedNetworkFirewallFirewallPolicy
SecPod_RegionalCSPM-AWS-2024-0318The default stateless action for Network Firewall policies should be drop or forward for full packetsNetworkFirewallFirewallPolicy
SecPod_RegionalCSPM-AWS-2024-0319The default stateless action for Network Firewall policies should be drop or forward for fragmented packetsNetworkFirewallFirewallPolicy
SecPod_RegionalCSPM-AWS-2024-0320Stateless network firewall rule group should not be emptyNetworkFirewallRuleGroup
SecPod_RegionalCSPM-AWS-2024-0321Network Firewall firewalls should have deletion protection enabledNetworkFirewallFirewall
SecPod_RegionalCSPM-AWS-2024-0322OpenSearch domains should have encryption at rest enabledOpensearchDomain
SecPod_RegionalCSPM-AWS-2024-0323OpenSearch domains should have the latest software update installedOpensearchDomain
SecPod_RegionalCSPM-AWS-2024-0324OpenSearch domains should have at least three dedicated primary nodesOpensearchDomain
SecPod_RegionalCSPM-AWS-2024-0325OpenSearch domains should not be publicly accessibleOpensearchDomain
SecPod_RegionalCSPM-AWS-2024-0326OpenSearch domains should encrypt data sent between nodesOpensearchDomain
SecPod_RegionalCSPM-AWS-2024-0328OpenSearch domains should have audit logging enabledOpensearchDomain
SecPod_RegionalCSPM-AWS-2024-0329OpenSearch domains should have at least three data nodesOpensearchDomain
SecPod_RegionalCSPM-AWS-2024-0330OpenSearch domains should have fine-grained access control enabledOpensearchDomain
SecPod_RegionalCSPM-AWS-2024-0331Connections to OpenSearch domains should be encrypted using the latest TLS security policyOpensearchDomain
SecPod_RegionalCSPM-AWS-2024-0332AWS Private CA root certificate authority should be disabledPCACertificateAuthority
SecPod_RegionalCSPM-AWS-2024-0333IAM authentication should be configured for RDS instancesRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0334IAM authentication should be configured for RDS clustersRDSDBCluster
SecPod_RegionalCSPM-AWS-2024-0335Amazon Aurora clusters should have backtracking enabledRDSDBCluster
SecPod_RegionalCSPM-AWS-2024-0336RDS DB clusters should be configured for multiple Availability ZonesRDSDBCluster
SecPod_RegionalCSPM-AWS-2024-0337RDS DB clusters should be configured to copy tags to snapshotsRDSDBCluster
SecPod_RegionalCSPM-AWS-2024-0338RDS DB instances should be configured to copy tags to snapshotsRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0339RDS instances should be deployed in a VPCRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0340Existing RDS event notification subscriptions should be configured for critical cluster eventsRDSEventSubscription
SecPod_RegionalCSPM-AWS-2024-0341Existing RDS event notification subscriptions should be configured for critical database instance eventsRDSEventSubscription
SecPod_RegionalCSPM-AWS-2024-0342An RDS event notifications subscription should be configured for critical database parameter group eventsRDSEventSubscription
SecPod_RegionalCSPM-AWS-2024-0343An RDS event notifications subscription should be configured for critical database security group eventsRDSEventSubscription
SecPod_RegionalCSPM-AWS-2024-0344RDS instances should not use a database engine default portRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0345RDS Database Clusters should use a custom administrator usernameRDSDBCluster
SecPod_RegionalCSPM-AWS-2024-0346RDS database instances should use a custom administrator usernameRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0347RDS DB instances should be protected by a backup planRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0348RDS DB clusters should be encrypted at restRDSDBCluster
SecPod_RegionalCSPM-AWS-2024-0349RDS DB instances should have encryption at-rest enabledRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0350Aurora MySQL DB clusters should publish audit logs to CloudWatch LogsRDSDBClusters
SecPod_RegionalCSPM-AWS-2024-0351RDS DB clusters should have automatic minor version upgrade enabledRDSDBCluster
SecPod_RegionalCSPM-AWS-2024-0352RDS cluster snapshots and database snapshots should be encrypted at restRDSDBSnapshots
SecPod_RegionalCSPM-AWS-2024-0353Enhanced monitoring should be configured for RDS DB instancesRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0354RDS clusters should have deletion protection enabledRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0355RDS DB instances should have deletion protection enabledRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0356RDS DB instances should publish logs to CloudWatch LogsRDSDBInstances
SecPod_RegionalCSPM-AWS-2024-0357Connections to Amazon Redshift clusters should be encrypted in transitRedshiftCluster, ClusterParameterGroup
SecPod_RegionalCSPM-AWS-2024-0358Amazon Redshift clusters should have automatic snapshots enabledRedshiftCluster
SecPod_RegionalCSPM-AWS-2024-0359Redshift clusters should use enhanced VPC routingRedshiftCluster
SecPod_RegionalCSPM-AWS-2024-0360Amazon Redshift clusters should not use the default Admin usernameRedshiftCluster
SecPod_RegionalCSPM-AWS-2024-0361Redshift clusters should not use the default database nameRedshiftCluster
SecPod_RegionalCSPM-AWS-2024-0363S3 general purpose buckets with versioning enabled should have Lifecycle configurationsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0364S3 general purpose buckets should have event notifications enabledS3Buckets
SecPod_RegionalCSPM-AWS-2024-0365ACLs should not be used to manage user access to S3 general purpose bucketsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0366S3 general purpose buckets should have Lifecycle configurationsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0367S3 general purpose buckets should have Object Lock enabledS3Buckets
SecPod_RegionalCSPM-AWS-2024-0368S3 general purpose buckets should be encrypted at rest with AWS KMS keysS3Buckets
SecPod_RegionalCSPM-AWS-2024-0369S3 access points should have block public access settings enabledS3AccessPoint
SecPod_RegionalCSPM-AWS-2024-0370S3 general purpose bucket policies should restrict access to other AWS accountsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0371S3 general purpose buckets should use cross-Region replicationS3Buckets
SecPod_RegionalCSPM-AWS-2024-0372Amazon SageMaker notebook instances should not have direct internet accessSageMakerNotebookInstances
SecPod_RegionalCSPM-AWS-2024-0373SageMaker notebook instances should be launched in a custom VPCSageMakerNotebookInstances
SecPod_RegionalCSPM-AWS-2024-0374Users should not have root access to SageMaker notebook instancesSageMakerNotebookInstances
SecPod_RegionalCSPM-AWS-2024-0375SageMaker endpoint production variants should have an initial instance count greater than 1SageMakerEndpoint
SecPod_RegionalCSPM-AWS-2024-0376Secrets Manager secrets should have automatic rotation enabledSecretsManagerSecret
SecPod_RegionalCSPM-AWS-2024-0377Secrets Manager secrets configured with automatic rotation should rotate successfullySecretsManagerSecret
SecPod_RegionalCSPM-AWS-2024-0379Secrets Manager secrets should be rotated within a specified number of daysSecretsManagerSecret
SecPod_RegionalCSPM-AWS-2024-0380Service Catalog portfolios should be shared within an AWS organization onlyServiceCatalogPortfolio
SecPod_RegionalCSPM-AWS-2024-0381SNS topics should be encrypted at-rest using AWS KMSSNSTopic
SecPod_RegionalCSPM-AWS-2024-0382EC2 instances should be managed by AWS Systems ManagerSSMInstances
SecPod_RegionalCSPM-AWS-2024-0383EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installationSSMPatchCompliance
SecPod_RegionalCSPM-AWS-2024-0384EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANTSSMAssociationCompliance
SecPod_RegionalCSPM-AWS-2024-0385SSM documents should not be publicSSMDocument
SecPod_RegionalCSPM-AWS-2024-0386Transfer Family servers should not use FTP protocol for endpoint connectionTransferServer
SecPod_RegionalCSPM-AWS-2024-0397At least one CloudTrail trail should be enabledCloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0398A log metric filter and alarm should exist for usage of the “root” userCloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0403ECR Repository Should Not Be PublicECRRepository
SecPod_RegionalCSPM-AWS-2024-0404Lambda With Secrets As Environment VariablesLambdaFunctions
SecPod_RegionalCSPM-AWS-2024-0407Detect Public ‘READ_ACP’ Access on S3 BucketsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0408Detect Public ‘WRITE’ ACL Access on S3 BucketsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0409Detect Public ‘WRITE_ACP’ ACL Access on S3 BucketsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0410Detect ‘READ’ Access for Authenticated AWS Users on S3 BucketsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0411Detect ‘READ_ACP’ Access for Authenticated AWS Users on S3 BucketsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0412Detect ‘WRITE’ Access for Authenticated AWS Users on S3 BucketsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0413Detect ‘WRITE_ACP’ Access for Authenticated AWS Users on S3 BucketsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0414Detect ‘FULL_CONTROL’ Access for Authenticated AWS Users on S3 BucketsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0416Ensure Encryption for AWS AMIs is EnabledEC2Images
SecPod_RegionalCSPM-AWS-2024-0417Ensure EC2 Instances Are Not in Public SubnetsEC2Instances
SecPod_RegionalCSPM-AWS-2024-0418Ensure Proper EC2 Security Group Configuration for ELBElasticLoadBalancingLoadBalancers
SecPod_RegionalCSPM-AWS-2024-0419Review Internet-Facing Classic Load Balancers (CLBs) for SecurityElasticLoadBalancingLoadBalancers
SecPod_RegionalCSPM-AWS-2024-0420Analyze Amazon Macie Finding Statistics for S3 BucketsS3Buckets
SecPod_RegionalCSPM-AWS-2024-0427Detect IAM CreateLoginProfile ActivityCloudTrailEvents
SecPod_RegionalCSPM-AWS-2024-0431Ensure Secure KMS Cross-Account AccessKMSKey
SecPod_RegionalCSPM-AWS-2024-0432Ensure Secure SQS Cross-Account AccessSQSQueue
SecPod_RegionalCSPM-AWS-2024-0433Ensure Redshift Clusters Are Encrypted with KMS Customer Managed KeysRedshiftCluster
SecPod_RegionalCSPM-AWS-2024-0434Set Up AWS Billing Alarm to Monitor CostsCloudWatchAlarm
SecPod_RegionalCSPM-AWS-2024-0435Ensure Metric Filter for Rejected Traffic in VPC Flow LogsCloudWatchLogsMetricFilter
SecPod_RegionalCSPM-AWS-2024-0439Restrict Cross-Account Access to Amazon OpenSearch DomainsElasticsearchServiceElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0440Enable Amazon OpenSearch Domain Encryption with KMS Customer-Managed Keys (CMKs)ElasticsearchServiceElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0441Enable Storage Encryption for Amazon WorkSpacesWorkSpacesWorkspace
SecPod_RegionalCSPM-AWS-2024-0442Enable In-Transit and At-Rest Encryption for Amazon EMR ClustersEMREMRCluster
SecPod_RegionalCSPM-AWS-2024-0445Enable Encryption at Rest for Lambda Environment Variables using Customer Master KeysLambdaFunction
SecPod_RegionalCSPM-AWS-2024-0446Enable IAM Authentication for Lambda Function URLsLambdaFunctionUrlConfigs
SecPod_RegionalCSPM-AWS-2024-0447Kinesis Stream Not Encrypted With CMKKinesisStream
SecPod_RegionalCSPM-AWS-2024-0448Amazon Macie Not EnabledMacieSession
SecPod_RegionalCSPM-AWS-2024-0449Improper Security Group Configuration for ELBv2 ALBELBv2LoadBalancers
SecPod_RegionalCSPM-AWS-2024-0450Unreviewed Internet-Facing ELBv2 Load BalancersELBv2LoadBalancers
SecPod_RegionalCSPM-AWS-2024-0451Excessive SSM Session Length DetectedSSMSession
SecPod_RegionalCSPM-AWS-2024-0452SageMaker Notebook Data Not Encrypted with Customer Managed KeysSageMakerNotebookInstances
SecPod_RegionalCSPM-AWS-2024-0453Neptune Database Not Encrypted with Customer Managed KeysNeptuneDBInstances
SecPod_RegionalCSPM-AWS-2024-0454Glue Data Catalog Not Encrypted with Customer Managed KeysGlueDataCatalog
SecPod_RegionalCSPM-AWS-2024-0455X-Ray Data Not Encrypted with Customer Managed KeysXRayEncryptionConfig
SecPod_RegionalCSPM-AWS-2024-0456Secrets Not Encrypted with Customer Managed KeysSecretsManagerSecret
SecPod_RegionalCSPM-AWS-2024-0457DocumentDB Clusters Not Encrypted with KMS Customer Managed KeysDocumentDBDBCluster
SecPod_RegionalCSPM-AWS-2024-0458DMS Replication Instances Not Encrypted with KMS Customer Managed KeysDMSReplicationInstances
SecPod_RegionalCSPM-AWS-2024-0460Storage Gateway File Shares Not Encrypted with KMS Customer Managed KeysStoragegatewayFileShare
SecPod_RegionalCSPM-AWS-2024-0461AWS Comprehend Analysis Job Results Not Encrypted with KMSComprehendEntitiesDetectionJob
SecPod_RegionalCSPM-AWS-2024-0462Unresolved IAM Access Analyzer Findings DetectedAccessAnalyzerFindings
SecPod_RegionalCSPM-AWS-2024-0463AppFlow Data Not Encrypted with KMS Customer Managed KeysAppFlowFlow
SecPod_RegionalCSPM-AWS-2024-0464Agent Sessions Not Encrypted with Customer-Managed Keys in Amazon BedrockBedrockAgent
SecPod_RegionalCSPM-AWS-2024-0465Agent Sessions Not Protected by Guardrails in Amazon BedrockBedrockAgent
SecPod_RegionalCSPM-AWS-2024-0466Amazon Bedrock Guardrails Not Encrypted with Customer-Managed KeysBedrockGuardrails
SecPod_RegionalCSPM-AWS-2024-0467Amazon Bedrock Custom Models Not Encrypted with Customer-Managed KeysBedrockCustomModel
SecPod_RegionalCSPM-AWS-2024-0468Amazon Bedrock Guardrails Missing Sensitive Information FiltersBedrockGuardrails
SecPod_RegionalCSPM-AWS-2024-0471EC2 Instance Launched Outside of a VPC DetectedEC2Instances
SecPod_RegionalCSPM-AWS-2024-0472EC2 Instance Using Incorrect Tenancy ModelEC2Instances
SecPod_RegionalCSPM-AWS-2024-0473EC2 Instance Not in an Auto Scaling GroupEC2Instances
SecPod_RegionalCSPM-AWS-2024-0475Security Group Allowing Excessive RFC 1918 Private IP RangesEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0476Unrestricted Security Group Egress DetectedEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0477Unrestricted Telnet Access DetectedEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0478Unrestricted RPC Access DetectedEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0479Unrestricted NetBIOS Access DetectedEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0480Unrestricted FTP Access DetectedEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0481Unrestricted CIFS Access DetectedEC2SecurityGroup
SecPod_RegionalCSPM-AWS-2024-0483Unrestricted HTTP Access DetectedEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0484Unrestricted HTTPS Access DetectedEC2SecurityGroups
SecPod_RegionalCSPM-AWS-2024-0485App-Tier EC2 Instance Using IAM RolesEC2Instances
SecPod_RegionalCSPM-AWS-2024-0486EC2 Instances Scanned by Amazon Inspector ClassicInspectorAssessmentTarget
SecPod_RegionalCSPM-AWS-2024-0487Unused EBS VolumesEC2Volumes
SecPod_RegionalCSPM-AWS-2024-0488VPC Endpoint Cross Account AccessEC2VPCEndpoint
SecPod_RegionalCSPM-AWS-2024-0490S3 Buckets with Website Hosting Configuration EnabledS3Buckets
SecPod_RegionalCSPM-AWS-2024-0491CloudTrail Integrated With CloudWatchCloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0492CloudTrail Delivery FailingCloudTrailTrails
SecPod_RegionalCSPM-AWS-2024-0509Ensure KMS Customer Master Key (CMK) is Utilized for EBS VolumeEC2Volumes
SecPod_RegionalCSPM-AWS-2024-0511SQS Queues Encrypted with KMS CMKsSQSQueue
SecPod_RegionalCSPM-AWS-2024-0512CloudFormation Stack Notification IntegrationCloudFormationStack
SecPod_RegionalCSPM-AWS-2024-0513Ensure CloudFormation Stack Policies Prevent Accidental UpdatesCloudFormationStack
SecPod_RegionalCSPM-AWS-2024-0514Enable Termination Protection for CloudFormation StacksCloudFormationStack
SecPod_RegionalCSPM-AWS-2024-0515AWS Config Global Resources InclusionConfigServiceConfigurationRecorder
SecPod_RegionalCSPM-AWS-2024-0516AWS Config Log Delivery FailureConfigServiceConfigurationRecordersStatus
SecPod_RegionalCSPM-AWS-2024-0519Ensure Redshift Clusters Are Launched in VPCRedshiftClusters
SecPod_RegionalCSPM-AWS-2024-0522Ensure CloudWatch Events Are EnabledEventsEventBridgeRules
SecPod_RegionalCSPM-AWS-2024-0524EC2 Instance Provisioning Alert – Large Instances DetectedCloudWatchAlarms
SecPod_RegionalCSPM-AWS-2024-0525EC2 Instance Configuration and Status Change DetectedCloudWatchAlarms
SecPod_RegionalCSPM-AWS-2024-0526AWS Organizations Configuration Changes Detected – Monitor for Unauthorized ModificationsCloudWatchAlarms
SecPod_RegionalCSPM-AWS-2024-0527Ensure ElastiCache Clusters are Deployed in VPCElastiCacheCluster
SecPod_RegionalCSPM-AWS-2024-0529ElastiCache Node Type ComplianceElastiCacheCluster
SecPod_RegionalCSPM-AWS-2024-0530Ensure ElastiCache Engine Version ComplianceElastiCacheCluster
SecPod_RegionalCSPM-AWS-2024-0531OpenSearch Cluster Nodes LimitElasticsearchServiceElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0532Ensure OpenSearch Cluster Instances are of Specified Instance TypesElasticsearchServiceElasticSearchDomain
SecPod_RegionalCSPM-AWS-2024-0534Enforce Specific Amazon WorkSpaces Bundle TypesWorkSpacesBundle
SecPod_RegionalCSPM-AWS-2024-0535Ensure ACM Certificate Requests Are ValidatedACMCertificate
SecPod_RegionalCSPM-AWS-2024-0537Amazon Inspector Findings Detected – Address Security VulnerabilitiesInspectorFindings
SecPod_RegionalCSPM-AWS-2024-0538Ensure No Amazon Inspector ExclusionsInspectorFindings
SecPod_RegionalCSPM-AWS-2024-0539Ensure Amazon Inspector 2 is EnabledInspector2Inspector2
SecPod_RegionalCSPM-AWS-2024-0540Comprehensive Trusted Advisor ChecksTrustedAdvisorTrustedAdvisorCheck
SecPod_RegionalCSPM-AWS-2024-0542Amazon EMR Cluster Instance LimitEMRCluster
SecPod_RegionalCSPM-AWS-2024-0543EMR Cluster Desired Instance TypesEMRCluster
SecPod_RegionalCSPM-AWS-2024-0544Ensure Amazon EMR Clusters Are In VPCEMRCluster
SecPod_RegionalCSPM-AWS-2024-0546Detect Lambda Functions with Admin PrivilegesLambdaPolicy
SecPod_RegionalCSPM-AWS-2024-0547Ensure Lambda Functions Do Not Use Function URLsLambdaFunction
SecPod_RegionalCSPM-AWS-2024-0549Amazon Macie Sensitive Data Repository ConfigurationMacie2Configuration
SecPod_RegionalCSPM-AWS-2024-0550Amazon Macie Data Discovery Job ConfigurationMacie2Configuration
SecPod_RegionalCSPM-AWS-2024-0551Ensure Private API Gateway EndpointsAPIGatewayEndpoint
SecPod_RegionalCSPM-AWS-2024-0552API Gateway Client Certificate Misconfiguration – Verify SSL Certificate UsageAPIGatewayEndpoint
SecPod_RegionalCSPM-AWS-2024-0554Detect and Resolve GuardDuty FindingsGuardDutyFindings
SecPod_RegionalCSPM-AWS-2024-0555Ensure S3 Protection is Enabled for GuardDutyGuardDutyFindings
SecPod_RegionalCSPM-AWS-2024-0556Ensure Malware Protection is Enabled for Amazon EC2 in GuardDutyGuardDutyFindings
SecPod_RegionalCSPM-AWS-2024-0557Ensure AWS Config Rules ComplianceConfigServiceConfigRule
SecPod_RegionalCSPM-AWS-2024-0559Ensure SSM Parameters are EncryptedSSMParameters
SecPod_RegionalCSPM-AWS-2024-0560Enforce VPC-Only Access for SageMaker DomainsSageMakerDomain
SecPod_RegionalCSPM-AWS-2024-0562Ensure Glue Data Catalog Encryption at RestGlueCatalog
SecPod_RegionalCSPM-AWS-2024-0563Amazon S3 Encryption Misconfiguration – Ensure Encryption at Rest is EnabledGlueSecurityConfiguration
SecPod_RegionalCSPM-AWS-2024-0564Ensure CloudWatch Logs Encryption for AWS Glue is EnabledGlueSecurityConfiguration
SecPod_RegionalCSPM-AWS-2024-0565AWS Glue Job Bookmark Encryption ConfigurationGlueSecurityConfiguration
SecPod_RegionalCSPM-AWS-2024-0566Ensure Secrets Manager is UtilizedSecretsManagerSecrets
SecPod_RegionalCSPM-AWS-2024-0567EKS Security Groups ConfigurationEKSSecurityGroups
SecPod_RegionalCSPM-AWS-2024-0568Ensure Latest ECS Container Instance Agent VersionECSContainerInstance
SecPod_RegionalCSPM-AWS-2024-0569AWS Well-Architected Tool Usage VerificationWellArchitectedWorkloads
SecPod_RegionalCSPM-AWS-2024-0570Detection of High and Medium Risk Issues from AWS Well-Architected ToolWellArchitectedWorkloads
SecPod_RegionalCSPM-AWS-2024-0576Ensure Descriptive Text for EC2 Security Group RulesEC2SecurityGroupRules
SecPod_RegionalCSPM-AWS-2024-0577Default Security Group Detected – Avoid ‘launch-wizard’ Prefixed GroupsEC2Instances
SecPod_RegionalCSPM-AWS-2024-0578Outdated EC2 AMIEC2Images
SecPod_RegionalCSPM-AWS-2024-0589Ensure Redshift Clusters Do Not Use Default Port 5439RedshiftClusters
SecPod_RegionalCSPM-AWS-2024-0590Resource Tagging not presentResourceGroupsTaggingAPIResources
SecPod_RegionalCSPM-AWS-2024-0591AWS SES Identity VerificationSESIdentity
SecPod_RegionalCSPM-AWS-2024-0592-01ElastiCache Cluster Non-Default Port Enforcement (Redis Cluster)ElastiCacheReplicationGroups
SecPod_RegionalCSPM-AWS-2024-0592-02ElastiCache Cluster Non-Default Port Enforcement (Memcached Cluster)ElastiCacheCacheClusters
SecPod_RegionalCSPM-AWS-2024-0593Detect ACM Certificates with Wildcard Domain NamesACMCertificate
SecPod_RegionalCSPM-AWS-2024-0594Ensure Latest Apache ActiveMQ Engine Version for Amazon MQ BrokersMQBroker
SecPod_RegionalCSPM-AWS-EKS-2024-0001Insufficient Control Plane LoggingEKSCluster
SecPod_RegionalCSPM-AWS-EKS-2024-0002KMS Encryption DisabledEKSCluster
SecPod_RegionalCSPM-AWS-EKS-2024-0003Publicly Accessible API ServerEKSCluster