Benchmark: Other Compliance Checks
Overview
This benchmark contains additional checks to help you detect resource configurations that do not meet best practice. These checks are not associated with any particular compliance framework, so we recommend integrating the relevant checks into your workflow on a per-control basis.
Usage
Browse dashboards and select Other Compliance Checks:
steampipe dashboard
Or run the benchmarks in your terminal:
steampipe check aws_compliance.benchmark.other
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share aws_compliance.benchmark.other
Controls
- ACM certificates should not use wildcard certificates
- ACM certificates should have transparency logging enabled
- API Gateway stages should have authorizers configured
- Auto Scaling groups should not have any suspended processes
- CloudFormation stacks should have notifications enabled
- CloudFormation stack outputs should not contain any secrets
- CloudFormation stacks should have rollback enabled
- CloudFormation stacks should have termination protection enabled
- CloudFront distributions should have geo restriction enabled
- CloudFront distributions should encrypt traffic to non-S3 origins
- CloudFront distributions should use secure SSL cipher
- CloudWatch should not allow cross-account sharing
- CodeBuild projects should not be unused for 90 days or more
- CodeBuild projects should not use a user-controlled buildspec
- EC2 instances should not have high-level findings in Inspector scans
- EC2 instances should not be attached to 'launch wizard' security groups
- Public EC2 instances should have IAM profile attached
- EC2 instances user data should not have secrets
- EC2 transit gateways should have auto accept shared attachments disabled
- ECR repositories should have image scan on push enabled
- ECR repositories should prohibit public access
- ECS clusters encryption at rest should be enabled
- ECS cluster instances should be in a VPC
- At least one instance should be registered with ECS cluster
- ECS services should be attached to a load balancer
- ECS task definitions should have logging enabled
- EFS file systems should be encrypted with CMK
- EFS file systems should enforce SSL
- EKS clusters should have control plane audit logging enabled
- EKS clusters should not be configured within a default VPC
- ELB load balancers should prohibit public access
- ELB application load balancers secured listener certificate should not expire within next 30 days
- ELB application load balancers secured listener certificate should not expire within next 7 days
- ELB application load balancers should have at least one outbound rule
- ELB application and network load balancers should use listeners
- ELB classic load balancers should have at least one outbound rule
- ELB listeners should use secure SSL cipher
- ELB listeners SSL/TLS protocol version should be checked
- EMR public access should be blocked at account level
- Elasticsearch domains should have cognito authentication enabled
- Elasticsearch domains should have internal user database enabled
- Glue dev endpoints CloudWatch logs encryption should be enabled
- Glue dev endpoints job bookmark encryption should be enabled
- Glue dev endpoints S3 encryption should be enabled
- Glue jobs bookmarks encryption should be enabled
- Glue jobs CloudWatch logs encryption should be enabled
- Glue jobs S3 encryption should be enabled
- IAM roles should not have any assume role policies attached
- IAM users should have hardware MFA enabled
- IAM administrator users should have MFA enabled
- Kinesis streams should be encrypted with CMK
- Kinesis streams should have server side encryption enabled
- KMS CMK policies should prohibit public access
- Lambda functions CloudTrail logging should be enabled
- Lambda functions tracing should be enabled
- RDS DB instances CA certificates should not expire within next 7 days
- RDS DB instances should be integrated with CloudWatch logs
- Route 53 domains auto renew should be enabled
- Route 53 domains should not expire within next 30 days
- Route 53 domains should not expire within next 7 days
- Route 53 domains should not be expired
- Route 53 domains should have privacy protection enabled
- Route 53 domains should have transfer lock enabled
- Route 53 zones should have query logging enabled
- S3 buckets object logging should be enabled
- S3 buckets static website hosting should be disabled
- SageMaker models should be in a VPC
- SageMaker models should have network isolation enabled
- SageMaker notebook instances should be encrypted using CMK
- SageMaker notebook instances should be in a VPC
- SageMaker notebook instances root access should be disabled
- SageMaker training jobs should be in a VPC
- SageMaker training jobs should be enabled with inter-container traffic encryption
- SageMaker training jobs should have network isolation enabled
- SageMaker training jobs volumes and outputs should have KMS encryption enabled
- SNS topic policies should prohibit public access
- SQS queues should be configured with a dead-letter queue
- SQS queue policies should prohibit public access
- VPC endpoint services should have acceptance required enabled
- VPC security groups should restrict use of 'launch-wizard' security groups
- VPC security groups should restrict ingress Redis access from 0.0.0.0/0
- VPC security groups should restrict ingress Kafka port access from 0.0.0.0/0
- VPC security groups should restrict ingress Kibana port access from 0.0.0.0/0