Interpretation of the Columns in Benchmark Compliance Rules:
- Rule ID: A unique identifier for the specific security rule or check
- Title: A brief description of the security issue or misconfiguration
- Severity (Low, Medium, High or Critical): Indicates the risk of exposure to attack
- Service Type: The AWS service affected or evaluated by the rule
- Resource Type: The specific AWS resource being audited

Rule ID | Title | Severity | Service Type | Resource Type |
---|---|---|---|---|
CSPM-AWS-2024-0004 | Clear-Text Origin, a potential to expose sensitive data in AWS CloudFront Content Distributions | High | CloudFront | Distributions |
CSPM-AWS-2024-0008 | Trails lack integration with CloudWatch | Medium | CloudTrail | Trails |
CSPM-AWS-2024-0012 | CloudTrail Log File Validation is Disabled | Medium | CloudTrail | Trails |
CSPM-AWS-2024-0013 | Logging Disabled for Trails | Medium | CloudTrail | Trails |
CSPM-AWS-2024-0016 | CloudWatch Alarm without Action | Low | CloudWatch | Alarm |
CSPM-AWS-2024-0018 | AMIs are Publicly Accessible | High | EC2 | Images |
CSPM-AWS-2024-0021 | Unencrypted EBS Snapshot | High | EC2 | Snapshots |
CSPM-AWS-2024-0022 | Publicly Accessible EBS Snapshot | High | EC2 | Snapshots |
CSPM-AWS-2024-0023 | Unencrypted EBS Volume irrespective of its state | High | EC2 | Volumes |
CSPM-AWS-2024-0027 | EC2 Instance is Assigned a Public IP Address | Medium | EC2 | Instances |
CSPM-AWS-2024-0046 | Drop Invalid Header Fields Disabled | Medium | ElasticLoadBalancingv2 | LoadBalancer |
CSPM-AWS-2024-0047 | Elastic Load Balancer (ELBv2) Permits Clear Text (HTTP) Communication | High | ElasticLoadBalancingv2 | Listener |
CSPM-AWS-2024-0049 | ELBv2 Lacks Deletion Protection | Medium | ElasticLoadBalancingv2 | LoadBalancer |
CSPM-AWS-2024-0055 | IAM Group uses Inline Policies instead of Managed Policies | Medium | IAM | Policy |
CSPM-AWS-2024-0056 | IAM Group with No Users | Low | IAM | Group |
CSPM-AWS-2024-0066 | Managed Policy Not Attached to Any Entity | Low | IAM | ManagedPolicy |
CSPM-AWS-2024-0068 | Password Expiration Threshold Is Not Configured Or Exceeds The Specified Limit | Medium | IAM | AccountPasswordPolicy |
CSPM-AWS-2024-0069 | The Minimum Password Length for IAM is Short | Medium | IAM | AccountPasswordPolicy |
CSPM-AWS-2024-0070 | Password Expiration Disabled | High | IAM | AccountPasswordPolicy |
CSPM-AWS-2024-0071 | Password Policy Does Not Mandate Lowercase Characters | Medium | IAM | AccountPasswordPolicy |
CSPM-AWS-2024-0072 | Password Policy Does Not Mandate a Number | Medium | IAM | AccountPasswordPolicy |
CSPM-AWS-2024-0073 | Password Policy Does Not Mandate a Symbol | Medium | IAM | AccountPasswordPolicy |
CSPM-AWS-2024-0074 | Password Policy Does Not Mandate Uppercase Characters | Medium | IAM | AccountPasswordPolicy |
CSPM-AWS-2024-0075 | Password Policy Allows Reuse of Passwords | Medium | IAM | AccountPasswordPolicy |
CSPM-AWS-2024-0076 | IAM Role uses Inline Policies instead of Managed Policies | Medium | IAM | Policy |
CSPM-AWS-2024-0082 | Password-Enabled Service User | Critical | IAM | CredentialReport |
CSPM-AWS-2024-0084 | Inadequate Key Rotation for 90 Days | Critical | IAM | AccessKey |
CSPM-AWS-2024-0088 | User Holding Multiple API Keys | Critical | IAM | AccessKey |
CSPM-AWS-2024-0089 | User with Enabled Keys and Password | Critical | IAM | AccessKey |
CSPM-AWS-2024-0091 | User without MFA | Critical | IAM | Users |
CSPM-AWS-2024-0092 | Rotation disabled for KMS Symmetric Customer Master Keys (CMKs) | Critical | KMS | Keys |
CSPM-AWS-2024-0104 | No CloudWatch Alarm for "Console Logins without MFA" | High | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0108 | A Deprecated Certificate Authority found in the RDS Instance | Medium | RDS | DBInstances |
CSPM-AWS-2024-0112 | Single AZ RDS Instance lacks the automatic failover capability | High | RDS | DBInstances |
CSPM-AWS-2024-0114 | Invalid Legacy SSL Certificate (PostgreSQL) found for RDS DB Instance | High | RDS | DBInstances |
CSPM-AWS-2024-0118 | Redshift Cluster Version Upgrade is Disabled | Medium | Redshift | Cluster |
CSPM-AWS-2024-0119 | Redshift Cluster is Publicly accessible | High | Redshift | Cluster |
CSPM-AWS-2024-0122 | All Traffic is Allowed by the Redshift Cluster Security Group | Critical | Redshift | ClusterSecurityGroups |
CSPM-AWS-2024-0146 | VPC Subnet Lacks a Flow Log | Medium | VPC | FlowLog |
CSPM-AWS-2024-0152 | Ensure that only IMDSv2 is permitted by EC2 Metadata Service | Critical | EC2 | Instances |
CSPM-AWS-2024-0160 | IAM instance roles are used for AWS resource access from instances | Critical | EC2 | Instances |
CSPM-AWS-2024-0161 | Multi-factor authentication (MFA) not enabled for all IAM users that have a console password | Critical | IAM | CredentialReport |
CSPM-AWS-2024-0167 | In every VPC, VPC flow logging must be enabled | Critical | VPC | FlowLog |
CSPM-AWS-2024-0176 | API Gateway should be associated with a WAF Web ACL | Medium | APIGateway | Stages |
CSPM-AWS-2024-0197 | CloudWatch log groups should be retained for a specified time period | Medium | CloudWatch | CloudWatchLogGroups |
CSPM-AWS-2024-0203 | Firehose delivery streams should be encrypted at rest | Medium | DataFirehose | DeliveryStream |
CSPM-AWS-2024-0208 | DMS replication instances should have automatic minor version upgrade enabled | Medium | DMS | ReplicationInstances |
CSPM-AWS-2024-0216 | Amazon DocumentDB clusters should have deletion protection enabled | Medium | DocumentDB | DocumentDBCluster |
CSPM-AWS-2024-0221 | DynamoDB tables should have deletion protection enabled | Medium | DynamoDB | DynamoDBTable |
CSPM-AWS-2024-0225 | Unused EC2 EIPs should be removed | Low | EC2 | Addresses |
CSPM-AWS-2024-0226 | EC2 subnets should not automatically assign public IP addresses | Medium | EC2 | Subnet |
CSPM-AWS-2024-0234 | EBS volumes should be in a backup plan | Low | Backup | BackupSelection |
CSPM-AWS-2024-0236 | Stopped EC2 instances should be removed after a specified time period | Medium | EC2 | Instances |
CSPM-AWS-2024-0238 | ECR private repositories should have image scanning configured | High | ECR | Repository |
CSPM-AWS-2024-0239 | ECR private repositories should have tag immutability configured | Medium | ECR | Repository |
CSPM-AWS-2024-0251 | Amazon EFS volumes should be in backup plans | Medium | Backup | BackupSelection |
CSPM-AWS-2024-0265 | Classic Load Balancer should span multiple Availability Zones | Medium | ELB | LoadBalancers |
CSPM-AWS-2024-0266 | Application Load Balancer should be configured with defensive or strictest desync mitigation mode | Medium | ELBv2 | LoadBalancer |
CSPM-AWS-2024-0278 | Elasticsearch domains should encrypt data sent between nodes | Medium | ElasticsearchService | ElasticSearchDomain |
CSPM-AWS-2024-0281 | Elasticsearch domains should have at least three data nodes | Medium | ES | ElasticSearchDomain |
CSPM-AWS-2024-0290 | Kinesis streams should be encrypted at rest | Medium | Kinesis | Stream |
CSPM-AWS-2024-0300 | ActiveMQ brokers should stream audit logs to CloudWatch | Medium | MQ | Broker |
CSPM-AWS-2024-0301 | Amazon MQ brokers should have automatic minor version upgrade enabled | Low | MQ | Broker |
CSPM-AWS-2024-0305 | MSK clusters should have enhanced monitoring configured | Low | MSK | Cluster |
CSPM-AWS-2024-0307 | Neptune DB clusters should publish audit logs to CloudWatch Logs | Medium | Neptune | DBCluster |
CSPM-AWS-2024-0309 | Neptune DB clusters should have deletion protection enabled | Low | Neptune | DBCluster |
CSPM-AWS-2024-0312 | Neptune DB clusters should have IAM database authentication enabled | Medium | Neptune | DBCluster |
CSPM-AWS-2024-0313 | Neptune DB clusters should be configured to copy tags to snapshots | Low | Neptune | DBCluster |
CSPM-AWS-2024-0322 | OpenSearch domains should have encryption at rest enabled | Medium | Opensearch | Domain |
CSPM-AWS-2024-0323 | OpenSearch domains should have the latest software update installed | Low | Opensearch | Domain |
CSPM-AWS-2024-0324 | OpenSearch domains should have at least three dedicated primary nodes | Low | Opensearch | Domain |
CSPM-AWS-2024-0326 | OpenSearch domains should encrypt data sent between nodes | Medium | Opensearch | Domain |
CSPM-AWS-2024-0329 | OpenSearch domains should have at least three data nodes | Medium | Opensearch | Domain |
CSPM-AWS-2024-0331 | Connections to OpenSearch domains should be encrypted using the latest TLS security policy | Medium | Opensearch | Domain |
CSPM-AWS-2024-0332 | AWS Private CA root certificate authority should be disabled | Low | PCA | CertificateAuthority |
CSPM-AWS-2024-0333 | IAM authentication should be configured for RDS instances | Medium | RDS | DBInstances |
CSPM-AWS-2024-0355 | RDS DB instances should have deletion protection enabled | Low | RDS | DBInstances |
CSPM-AWS-2024-0358 | Amazon Redshift clusters should have automatic snapshots enabled | Medium | Redshift | Cluster |
CSPM-AWS-2024-0359 | Redshift clusters should use enhanced VPC routing | Medium | Redshift | Cluster |
CSPM-AWS-2024-0368 | S3 general purpose buckets should be encrypted at rest with AWS KMS keys | Medium | S3 | Buckets |
CSPM-AWS-2024-0372 | Amazon SageMaker notebook instances should not have direct internet access | High | SageMaker | NotebookInstances |
CSPM-AWS-2024-0373 | SageMaker notebook instances should be launched in a custom VPC | High | SageMaker | NotebookInstances |
CSPM-AWS-2024-0374 | Users should not have root access to SageMaker notebook instances | High | SageMaker | NotebookInstances |
CSPM-AWS-2024-0376 | Secrets Manager secrets should have automatic rotation enabled | Medium | SecretsManager | Secret |
CSPM-AWS-2024-0377 | Secrets Manager secrets configured with automatic rotation should rotate successfully | Medium | SecretsManager | Secret |
CSPM-AWS-2024-0416 | Ensure Encryption for AWS AMIs is Enabled | High | EC2 | Images |
CSPM-AWS-2024-0441 | Enable Storage Encryption for Amazon WorkSpaces | High | WorkSpaces | Workspace |
CSPM-AWS-2024-0445 | Enable Encryption at Rest for Lambda Environment Variables using Customer Master Keys | High | Lambda | Function |
CSPM-AWS-2024-0452 | SageMaker Notebook Data Not Encrypted with Customer Managed Keys | High | SageMaker | NotebookInstances |
CSPM-AWS-2024-0464 | Agent Sessions Not Encrypted with Customer-Managed Keys in Amazon Bedrock | High | Bedrock | Agent |
CSPM-AWS-2024-0465 | Agent Sessions Not Protected by Guardrails in Amazon Bedrock | High | Bedrock | Agent |
CSPM-AWS-2024-0468 | Amazon Bedrock Guardrails Missing Sensitive Information Filters | High | Bedrock | Guardrails |
CSPM-AWS-2024-0487 | Unused EBS Volumes | Medium | EC2 | Volumes |
CSPM-AWS-2024-0501 | Ensure Existence of IAM Users | High | IAM | User |
CSPM-AWS-2024-0514 | Enable Termination Protection for CloudFormation Stacks | High | CloudFormation | Stack |
CSPM-AWS-2024-0515 | AWS Config Global Resources Inclusion | High | ConfigService | ConfigurationRecorder |
CSPM-AWS-2024-0535 | Ensure ACM Certificate Requests Are Validated | Medium | ACM | Certificate |
CSPM-AWS-2024-0560 | Enforce VPC-Only Access for SageMaker Domains | Medium | SageMaker | Domain |
CSPM-AWS-2024-0589 | Ensure Redshift Clusters Do Not Use Default Port 5439 | Low | Redshift | Clusters |
CSPM-AWS-2024-0593 | Detect ACM Certificates with Wildcard Domain Names | Low | ACM | Certificate |
CSPM-AWS-2024-0594 | Ensure Latest Apache ActiveMQ Engine Version for Amazon MQ Brokers | Low | MQ | Broker |
CSPM-AWS-EKS-2024-0001 | Insufficient Control Plane Logging | Critical | EKS | Cluster |
CSPM-AWS-EKS-2024-0002 | KMS Encryption Disabled | Critical | EKS | Cluster |
CSPM-AWS-EKS-2024-0003 | Publicly Accessible API Server | Critical | EKS | Cluster |
CSPM-AWS-2024-0276 | Elasticsearch domains should have encryption at-rest enabled | Medium | ES | ElasticSearchDomain |
CSPM-AWS-2024-0385 | SSM documents should not be public | Critical | SSM | Document |
CSPM-AWS-2024-0247 | ECS containers should be limited to read-only access to root filesystems | High | ECS | TaskDefinition |
CSPM-AWS-2024-0166 | Ensure AWS Security Hub is enabled | Critical | SecurityHub | Hub |
CSPM-AWS-2024-0252 | EFS access points should enforce a root directory | Medium | EFS | AccessPoint |
CSPM-AWS-2024-0253 | EFS access points should enforce a user identity | Medium | EFS | AccessPoint |
CSPM-AWS-2024-0386 | Transfer Family servers should not use FTP protocol for endpoint connection | Medium | Transfer | Server |
CSPM-AWS-2024-0446 | Enable IAM Authentication for Lambda Function URLs | High | Lambda | FunctionUrlConfigs |
CSPM-AWS-2024-0296 | Lambda functions should be in a VPC | Low | Lambda | LambdaFunction |
CSPM-AWS-2024-0295 | Lambda functions should use supported runtimes | Medium | Lambda | LambdaFunction |
CSPM-AWS-2024-0403 | ECR Repository Should Not Be Public | High | ECR | Repository |
CSPM-AWS-2024-0547 | Ensure Lambda Functions do not use Function URLs | High | Lambda | Function |
CSPM-AWS-2024-0284 | EventBridge custom event buses should have a resource-based policy attached | Low | EventBridge | EventBus |
REM-AWS-2024-0225 | ElastiCache replication groups should have automatic failover enabled | Medium | ElastiCache | ReplicationGroups |
CSPM-AWS-2024-0283 | Connections to Elasticsearch domains should be encrypted using the latest TLS security policy | Medium | ES | ElasticSearchDomain |
CSPM-AWS-2024-0255 | ElastiCache Redis clusters should have automatic backup enabled | High | ElastiCache | CacheClusters |
CSPM-AWS-2024-0334 | IAM authentication should be configured for RDS clusters | Medium | RDS | DBCluster |
CSPM-AWS-2024-0337 | RDS DB clusters should be configured to copy tags to snapshots | Medium | RDS | DBCluster |
CSPM-AWS-2024-0351 | RDS DB clusters should have automatic minor version upgrade enabled | Medium | RDS | DBCluster |
CSPM-AWS-2024-0354 | RDS clusters should have deletion protection enabled | Medium | RDS | DBCluster |
CSPM-AWS-2024-0381 | SNS topics should be encrypted at-rest using AWS KMS | Medium | SNS | Topic |
CSPM-AWS-2024-0107 | RDS Instance Backup Disabled | High | RDS | DBInstance |
CSPM-AWS-2024-0333 | IAM authentication should be configured for RDS instances | High | RDS | DBInstance |
CSPM-AWS-2024-0256 | ElastiCache for Redis cache clusters should have auto minor version upgrades enabled | High | CacheClusters | Databases |
CSPM-AWS-2024-0341 | Existing RDS event notification subscriptions should be configured for critical database instance events | Low | RDS | EventSubscription |
CSPM-AWS-2024-0002 | ACM Certificate with Transparency Logging Set to Disabled | Medium | ACM | ACM Certificate |
CSPM-AWS-2024-0260 | ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH | Medium | ElastiCache | ReplicationGroups |
CSPM-AWS-2024-0592-02 | ElastiCache Cluster Non-Default Port Enforcement (Memcached Cluster) | Low | ElastiCache | CacheClusters |
CSPM-AWS-2024-0257 | ElastiCache replication groups should have automatic failover enabled | Medium | ElastiCache | ReplicationGroups |
CSPM-AWS-2024-0195 | CloudFront distributions should encrypt traffic to custom origins | Medium | CloudFront | Distributions |
CSPM-AWS-2024-0005 | Insecure Origin TLS/SSL, a potential to expose sensitive data in AWS CloudFront Content Distributions | High | CloudFront | Distributions |
CSPM-AWS-2024-0193 | CloudFront distributions should use custom SSL/TLS certificates | Medium | CloudFront | Distributions |
CSPA-AWS-2024-0009 | CloudFront distributions should use custom SSL/TLS certificates | Medium | CloudFront | Distributions |
CSPM-AWS-2024-0592-01 | ElastiCache Cluster Non-Default Port Enforcement (Redis Cluster) | Low | ElastiCache | ReplicationGroups |
CSPM-AWS-2024-0256 | ElastiCache for Redis cache clusters should have auto minor version upgrades enabled | High | ElastiCache | CacheClusters |
CSPM-AWS-2024-0194 | CloudFront distributions should use SNI to serve HTTPS requests | Low | CloudFront | Distributions |
CSPM-AWS-2024-0192 | CloudFront distributions should have logging enabled | Medium | CloudFront | Distribution |
CSPM-AWS-2024-0588 | Ensure CloudFront Geo Restriction is Enabled | Medium | CloudFront | Distributions |
CSPM-AWS-2024-0188 | CloudFront distributions should have a default root object configured | Medium | CloudFront | Distributions |
CSPM-AWS-2024-0191 | CloudFront distributions should have logging enabled | Medium | CloudFront | Distributions |
CSPM-AWS-2024-0270 | Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager | Medium | ELB | LoadBalancer |
CSPM-AWS-2024-0342 | An RDS event notification subscription should be configured for critical database parameter group events | Low | RDS | EventSubscription |
CSPM-AWS-2024-0344 | RDS instances should not use a database engine default port | Low | RDS | DBInstances |
CSPM-AWS-2024-0043 | Elastic Load Balancer (ELB) Allows Clear Text (HTTP) Communication | Low | ElasticLoadBalancing | LoadBalancer |
CSPM-AWS-2024-0274 | Amazon EMR cluster primary nodes should not have public IP addresses | High | EMR | EMRCluster |
CSPM-AWS-2024-0255 | ElastiCache standalone Redis clusters should have automatic backup enabled | High | ElastiCache | CacheClusters |
CSPM-AWS-2024-0255-01 | ElastiCache Redis replication groups should have automatic backup enabled | High | ElastiCache | CacheClusters |
CSPM-AWS-2024-0336 | RDS DB clusters should be configured for multiple Availability Zones | Medium | RDS | DBCluster |
CSPM-AWS-2024-0336-01 | RDS DB instances should be configured for multiple Availability Zones | Medium | RDS | DBCluster |
CSPM-AWS-2024-0033 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0033-01 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0033-02 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0033-03 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0033-04 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0033-05 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0033-06 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0033-07 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0033-08 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0033-09 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0033-10 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0034 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0034-01 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0034-02 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0035 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0036 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0037 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0038 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0040 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0041 | Security Group allows unrestricted access through: "MySQL" Well-Known Port and "Oracle DB" Well-Known Port | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0113 | RDS Instance Storage Not Encrypted | High | RDS | DBInstances |
CSPM-AWS-2024-0350 | Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs | Medium | RDS | DBClusters |
CSPM-AWS-2024-0338 | RDS DB instances should be configured to copy tags to snapshots | Low | RDS | DBInstances |
CSPM-AWS-2024-0356 | RDS DB instances should publish logs to CloudWatch Logs | Medium | RDS | DBInstances |
CSPM-AWS-2024-0032 | All ICMP Traffic Permitted by EC2 Security Group | High | EC2 | SecurityGroups |
CSPM-AWS-2024-0111 | The Backup Retention Time is Short in RDS Instances | Medium | RDS | DBInstances |
CSPM-AWS-2024-0354 | RDS clusters should have deletion protection enabled | Low | RDS | DBInstances |
CSPM-AWS-2024-0340 | Existing RDS event notification subscriptions should be configured for critical cluster events | Low | RDS | EventSubscription |
CSPM-AWS-2024-0352 | RDS cluster snapshots should be encrypted at rest | Medium | RDS | DBSnapshots |
CSPM-AWS-2024-0478 | Unrestricted RPC Access Detected | Medium | EC2 | SecurityGroups |
CSPM-AWS-2024-0475 | Security Group Allowing Excessive RFC 1918 Private IP Ranges | Medium | EC2 | SecurityGroups |
CSPM-AWS-2024-0348 | RDS DB clusters should be encrypted at rest | Medium | RDS | DBCluster |
CSPM-AWS-2024-0353 | Enhanced monitoring should be configured for RDS DB instances | Low | RDS | DBInstances |
CSPM-AWS-2024-0029 | EC2 Security Group Allows Access to All Ports | Critical | EC2 | SecurityGroup |
CSPM-AWS-2024-0197 | CloudWatch log groups should be retained for a specified time period | Medium | CloudWatchLogs | CloudWatchLogGroups |
CSPM-AWS-2024-0477 | Unrestricted Telnet Access Detected | Medium | EC2 | SecurityGroup |
CSPM-AWS-2024-0479 | Unrestricted NetBIOS Access Detected | Medium | EC2 | SecurityGroup |
CSPM-AWS-2024-0480 | Unrestricted FTP Access Detected | Medium | EC2 | SecurityGroup |
CSPM-AWS-2024-0481 | Unrestricted CIFS Access Detected | Medium | EC2 | SecurityGroup |
CSPM-AWS-2024-0483 | Unrestricted HTTP Access Detected | Medium | EC2 | SecurityGroup |
CSPM-AWS-2024-0484 | Unrestricted HTTPS Access Detected | Medium | EC2 | SecurityGroup |
CSPM-AWS-2024-0345 | RDS Database Clusters should use a custom administrator username | Medium | RDS | DBCluster |
CSPM-AWS-2024-0346 | RDS database instances should use a custom administrator username | Medium | RDS | DBInstances |
CSPM-AWS-2024-0109 | Auto Minor Version Upgrade Disabled in the RDS Instance | Medium | RDS | DBInstances |
CSPM-AWS-2024-0110 | The RDS Instance is publicly accessible | Medium | RDS | DBInstances |
CSPM-AWS-2024-0116 | Publicly Accessible RDS DB Snapshot | Critical | RDS | DBSnapshot |
CSPM-AWS-2024-0201 | CodeBuild project environments should have a logging configuration | Medium | CodeBuild | CodeBuildProject |
CSPM-AWS-2024-0555 | Ensure S3 Protection is Enabled for GuardDuty | High | GuardDuty | Findings |
CSPM-AWS-2024-0556 | Ensure Malware Protection is Enabled for Amazon EC2 in GuardDuty | High | GuardDuty | Findings |
CSPM-AWS-2024-0200 | CodeBuild S3 logs should be encrypted | Low | CodeBuild | CodeBuildProject |
CSPM-AWS-2024-0237 | EC2 Client VPN endpoints should have client connection logging enabled | Low | EC2 | EC2 |
CSPM-AWS-2024-0576 | Ensure Descriptive Text for EC2 Security Group Rules | Low | EC2 | SecurityGroupRules |
CSPM-AWS-2024-0231 | EC2 Transit Gateways should not automatically accept VPC attachment requests | High | EC2 | TransitGateway |
CSPM-AWS-2024-0335 | Amazon Aurora clusters should have backtracking enabled | Medium | RDS | DBCluster |
CSPM-AWS-2024-0206 | DMS endpoints for MongoDB should have an authentication mechanism enabled | Medium | DMS | DMSEndpoints |
CSPM-AWS-2024-0211 | DMS endpoints should use SSL | Medium | DMS | DMSEndpoints |
CSPM-AWS-2024-0207 | DMS endpoints for Redis should have TLS enabled | Critical | DMS | DMSEndpoints |
CSPM-AWS-2024-0204 | Database Migration Service replication instances should not be public | Critical | DMS | ReplicationInstances |
CSPM-AWS-2024-0178 | API Gateway routes should specify an authorization type | Medium | APIGateway | API Gateway Method |
CSPM-AWS-2024-0311 | Neptune DB cluster snapshots should be encrypted at rest | Medium | Neptune | DBClusterSnapshot |
CSPM-AWS-2024-0308 | Neptune DB cluster snapshots should not be public | Medium | Neptune | DBClusterSnapshot |
CSPM-AWS-2024-0306 | Neptune DB clusters should be encrypted at rest | Medium | Neptune | DBClusterSnapshot |
CSPM-AWS-2024-0177 | API Gateway REST API cache data should be encrypted at rest | Medium | APIGateway | Stages |
CSPM-AWS-2024-0179 | Access logging should be configured for API Gateway V2 Stages | Medium | APIGatewayV2 | Stages |
CSPM-AWS-2024-0551 | Ensure Private API Gateway Endpoints | High | APIGateway | Endpoint |
CSPM-AWS-2024-0173 | API Gateway REST and WebSocket API execution logging should be enabled | Medium | APIGateway | Stages |
CSPM-AWS-2024-0175 | API Gateway REST API stages should have AWS X-Ray tracing enabled | Low | APIGateway | Stages |
CSPM-AWS-2024-0174 | API Gateway REST API stages should be configured to use SSL certificates for backend authentication | Medium | APIGateway | Stages |
CSPM-AWS-2024-0247 | ECS containers should be limited to read-only access to root filesystems | High | ECS | TaskDefinition |
CSPM-AWS-2024-0245 | ECS task definitions should not share the host’s process namespace | High | ECS | TaskDefinition |
CSPM-AWS-2024-0157 | Make sure that every SSL/TLS certificate that has expired is deleted from AWS IAM | Critical | EC2 | Instance |
CSPM-AWS-2024-0246 | ECS containers should run as non-privileged | High | ECS | TaskDefinition |
CSPM-AWS-2024-0011 | Logging for Global services is Disabled for Trail | Medium | CloudTrail | Trails |
CSPA-AWS-2024-0014 | Logging for Global services is Disabled for Trail | Medium | CloudTrail | Trails |
CSPA-AWS-2024-0055 | AWS Config should be enabled | Medium | Config | ConfigurationRecorder |
CSPM-AWS-2024-0202 | AWS Config should be enabled | Medium | Config | ConfigurationRecorder |
CSPM-AWS-2024-0516 | AWS Config Log Delivery Failure | High | ConfigService | ConfigurationRecordersStatus |
CSPM-AWS-2024-0362 | Route 53 public hosted zones should log DNS queries | Medium | Route53 | HostedZone |
CSPM-AWS-2024-0128 | S3 bucket access logging is not enabled on the CloudTrail S3 bucket | Critical | CloudTrail | Trails |
CSPM-AWS-2024-0147 | S3 bucket access logging is not enabled on the CloudTrail S3 bucket | Critical | CloudTrail | Trails |
CSPM-AWS-2024-0017 | AWS Config Recorders Not Enabled | Medium | ConfigService | ConfigurationRecorders |
CSPM-AWS-2024-0020 | Non-empty Default Security Group Rulesets | Critical | EC2 | SecurityGroups |
CSPM-AWS-2024-0083 | IAM Credentials that have been inactive for 45 Days or more are not disabled | Critical | IAM | CredentialReport |
CSPM-AWS-2024-0009 | CloudTrail Data Events Logging Not Configured | Medium | CloudTrail | Trails |
CSPM-AWS-2024-0162 | Ensure AWS Organizations changes are monitored using CloudWatchLogs | Critical | CloudWatchLogs | MetricFilter |
CSPM-AZURE-2024-0853 | Double encryption should be enabled on Azure Data Explorer | High | Azure Kusto | Kusto Cluster |
CSPM-AWS-2024-0093 | No CloudWatch Alarm Monitoring for "AWS Configuration Changes" | Medium | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0094 | No CloudWatch Alarm Monitoring for "CloudTrail Configuration Changes" | Medium | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0095 | No CloudWatch Alarm for "Disabled or Deleted Master Keys" | Medium | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0096 | No CloudWatch Alarm for "Failed Console Authentications" | Medium | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0097 | No CloudWatch Alarm for "IAM Policy Changes" | Medium | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0098 | No CloudWatch Alarm for "Network Access Control Lists Changes" | Medium | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0099 | No CloudWatch Alarm for "Network Gateways Changes" | Medium | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0100 | No CloudWatch Alarm for "Root Account Usage" | Medium | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0101 | No CloudWatch Alarm for "Route Table Changes" | Medium | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0102 | No CloudWatch Alarm for "S3 Bucket Policy Changes" | Medium | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0103 | No CloudWatch Alarm for "Security Group Changes" | Low | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0104 | No CloudWatch Alarm for "Console Logins without MFA" | Low | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0105 | No CloudWatch Alarm for "Unauthorized API Calls" | Low | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0106 | No CloudWatch Alarm for "VPC Changes" | Low | CloudWatchLogs | MetricFilter |
CSPM-AWS-2024-0205 | DMS endpoints for Neptune databases should have IAM authorization enabled | Medium | DMS | DMSEndpoints |
CSPM-AWS-2024-0215 | Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs | Medium | DocumentDB | DocumentDBCluster |
CSPM-AWS-2024-0213 | Amazon DocumentDB clusters should have an adequate backup retention period | Medium | DocumentDB | DocumentDBCluster |
CSPM-AWS-2024-0122 | All Traffic is allowed by the Redshift Cluster Security Group | Medium | Redshift | SecurityGroupRules |
CSPM-AWS-2024-0212 | Amazon DocumentDB clusters should be encrypted at rest | Medium | DocumentDB | DocumentDBCluster |
CSPM-AWS-2024-0078 | No MFA for Root Account | Critical | IAM | CredentialReport |
CSPM-AWS-2024-0077 | No Hardware MFA for Root Account | Critical | IAM | CredentialReport |
CSPM-AWS-2024-0159 | IAM Managed policies should not allow full "*" administrative privileges | High | IAM | Policies |
CSPM-AWS-2024-0067 | No authorized user is allowed to handle issues with Amazon Support | Critical | IAM | Policies |
CSPM-AWS-2024-0328 | OpenSearch domains should have audit logging enabled | Medium | Opensearch | Domain |
CSPM-AWS-2024-0316 | Network Firewall logging should be enabled | Medium | NetworkFirewall | LoggingConfiguration |
CSPM-AWS-2024-0079 | Root account used recently | Critical | IAM | CredentialReport |
CSPM-AWS-2024-0090 | User with inline policies | Critical | IAM | Policies |
CSPM-AWS-2024-0167 | In every VPC, VPC flow logging must be enabled | Critical | EC2 | FlowLog |
CSPM-AWS-2024-0087 | Users whose access keys were created during setup but were never used | Critical | IAM | CredentialReport |
CSPM-AWS-2024-0160 | IAM instance roles are used for AWS resource access from instances | Critical | EC2 | Instances |
CSPM-AWS-2024-0154 | EFS file systems do not have encryption enabled | Critical | EFS | FileSystems |
CSPM-AWS-2024-0170 | EC2 Security Group allows access to all ports | Critical | EC2 | SecurityGroup |
CSPM-AWS-2024-0148 | CloudTrail should be enabled and configured with at least one multi-region trail that includes read and write management events | Critical | CloudTrail | Trails |
CSPM-AWS-2024-0010 | CloudTrail Logs are not encrypted using KMS Customer Master Keys (CMKs) | Critical | CloudTrail | Trails |
CSPM-AWS-2024-0149 | CloudTrail Logs are not encrypted using KMS Customer Master Keys (CMKs) | Critical | CloudTrail | Trails |
CSPM-AWS-2024-0164 | At the bucket level, the S3 Block Public Access setting needs to be enabled | Critical | S3 | Buckets |
CSPM-AWS-2024-0426 | Detect and Respond to Deactivated MFA Devices in AWS | High | IAM | MFADevices |
CSPM-AWS-2024-0161 | User without MFA, Multi-factor authentication (MFA) not enabled for all IAM users that have a console password | Critical | IAM | CredentialReport |
CSPM-AWS-2024-0091 | User without MFA, Multi-factor authentication (MFA) not enabled for all IAM users that have a console password | Critical | IAM | CredentialReport |
CSPA-AWS-2024-0028 | Multi-factor authentication (MFA) not enabled for all IAM users that have a console password | Critical | IAM | CredentialReport |
CSPM-AWS-2024-0454 | Glue Data Catalog not encrypted with customer managed keys | High | Glue | DataCatalog |
CSPM-AWS-2024-0564 | Ensure CloudWatch Logs Encryption for AWS Glue is Enabled | Medium | Glue | SecurityConfiguration |
CSPM-AWS-2024-0495 | Enable DNSSEC Signing for Route 53 Hosted Zones | Medium | Route53 | HostedZones |
CSPM-AWS-2024-0120 | Disabled User Activity Logging for Redshift Cluster | Critical | Redshift | ParameterGroup |
CSPM-AWS-2024-0582 | Ensure Route 53 domains have Privacy Protection enabled | Low | Route53Domains | Domain |
CSPM-AWS-2024-0123 | Route53 Domain Auto-Renewal is Not Enabled | Medium | Route53Domains | Domain |
CSPM-AWS-2024-0124 | Route53 Domain Transfer is Not Locked | High | Route53Domains | Domain |
CSPM-AWS-2024-0562 | Ensure Glue Data Catalog Encryption at Rest | Medium | Glue | Catalog |
CSPM-AWS-2024-0286 | FSx for OpenZFS file systems should be configured to copy tags to backups and volumes | Low | FSx | FileSystem |
CSPM-AWS-2024-0138 | SQS Queue Server with Disabled Encryption | High | SQS | Queue |
CSPM-AWS-2024-0511 | SQS Queues Encrypted with KMS CMKs | High | SQS | Queue |
CSPM-AWS-2024-0462 | Unresolved IAM Access Analyzer Findings Detected | High | AccessAnalyzer | Findings |
CSPM-AWS-2024-0539 | Ensure Amazon Inspector 2 is Enabled | Medium | Inspector2 | Inspector2 |
CSPM-AWS-2024-0565 | AWS Glue Job Bookmark Encryption Configuration | Medium | Glue | SecurityConfiguration |
CSPM-AWS-2024-0563 | Amazon S3 Encryption Misconfiguration – Ensure Encryption at Rest is enabled | Medium | Glue | SecurityConfiguration |
CSPM-AWS-2024-0279 | Elasticsearch domain error logging to CloudWatch Logs should be enabled | Medium | ES | ElasticSearchDomain |
CSPM-AWS-2024-0249 | ECS task definitions should have a logging configuration | High | ECS | TaskDefinition |
CSPM-AWS-2024-0519 | Ensure Redshift Clusters are launched in VPC | Medium | Redshift | Cluster |
CSPM-AWS-2024-0360 | Amazon Redshift clusters should not use the default Admin username | Medium | Redshift | Cluster |
CSPM-AWS-2024-0361 | Redshift clusters should not use the default database name | Medium | Redshift | Cluster |
CSPM-AWS-2024-0117 | Redshift data in the cluster is not encrypted at rest | High | Redshift | Cluster |
CSPM-AWS-2024-0357 | Connections to Amazon Redshift clusters should be encrypted in transit | Medium | Redshift | Cluster, ClusterParameterGroup |
CSPM-AWS-2024-0121 | SSL is not required for Redshift Cluster Parameter Group | Critical | Redshift | ParameterGroups |
CSPM-AWS-2024-0494 | Sender Policy Framework (SPF) in Use | Medium | Route53 | HostedZones |