Terraform Policy Library Rules
AWS: AutoScaling Group: Deny public IP address in launch configuration
Prohibit creation of an autoscaling group if the launch configuration it uses has public IP addresses enabled.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without a default root object.
Requires AWS/CloudFront distributions to be configured with a default root object.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without access logging
Requires AWS/CloudFront distributions to be configured with access logging.
Parameters
None
Requires AWS/CloudFront distributions to be configured with encrypted traffic to origin.
Prohibits 'origin_protocol_policy' set to 'http-only', and prohibits 'origin_protocol_policy' set to 'match-viewer' if 'viewer_protocol_policy' is set to 'allow-all'.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without an HTTPS viewer protocol policy
Requires AWS/CloudFront distribution default and ordered cache behaviors to be configured with an 'https-only' or 'redirect-to-https' viewer_protocol_policy.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without a WAF association
Requires AWS/CloudFront distributions to be configured with a WAF web ACL ID.
Parameters
None
AWS: CloudTrail: Prohibit CloudTrails without server side encryption
Require AWS/CloudTrail trails to have server-side encryption using an AWS KMS key.
Parameters
None
AWS: CodeBuild Project: Prohibit if logging is not configured
Require CodeBuild Projects to have 'logs_config' with either 's3_logs' or 'cloudwatch_logs' enabled.
Parameters
None
AWS: Codebuild Project: Prohibit Privileged Mode enabled.
Require CodeBuild Projects environment config to have 'privileged_mode' set to false.
Parameters
None
AWS: DAX: Prohibit DAX clusters with disabled encryption at rest
Require AWS/DAX clusters to have enabled encryption at rest.
Parameters
None
AWS: DMS: Prohibit publicly accessible DMS replication instances
Require AWS/DMS replication instances to not be publicly accessible.
Parameters
None
AWS: EC2/EBS: Requires volumes to have a snapshot.
Ensure individually created EBS volumes have at least one associated snapshot.
Parameters
None
AWS: EC2: Ensure the EBS volumes are encrypted
Require individually created EBS volumes to be encrypted.
Parameters
None
AWS: EC2: Prohibit EC2 instances with a Public IP Address
Require AWS/EC2 instances to not have a public IP address.
Parameters
None
AWS: EC2: Restrict volume deletion after instance termination
Prevent the volume from being deleted after the EC2 instance is terminated.
Parameters
None
AWS: EC2: Restrict instances with unapproved AMIs
Require EC2 instances to use an AMI from a pre-approved list.
Parameters
- allowed_ami_ids: A list of AMI IDs (e.g., ami-830c94e3, ami-0022c769)
  - Type: set_of_strings
  - Unique: false
  - Required: true
Required Parameters: allowed_ami_ids
AWS: EC2: Restrict instances with unapproved Regions
Require EC2 instances to use an AWS Region from a pre-approved list.
Parameters
- allowed_regions: A list of AWS regions (e.g., us-east-1, us-west-2)
  - Type: set_of_strings
  - Unique: false
  - Required: true
Required Parameters: allowed_regions
AWS: EC2: Restrict instances with unapproved subnets
Require EC2 instances to use a subnet from a pre-approved list.
Parameters
- allowed_subnets: A list of subnet IDs (e.g., subnet-012, subnet-890)
  - Type: set_of_strings
  - Unique: false
  - Required: true
Required Parameters: allowed_subnets
AWS: EC2: Restrict instances with unapproved Security Groups
Require AWS/EC2 to use Security Groups from a pre-approved list.
Parameters
- allowed_security_groups: A list of Security Groups (e.g., sg-830c94e3, sg-0022c769)
  - Type: set_of_strings
  - Unique: false
  - Required: true
Required Parameters: allowed_security_groups
AWS: EC2: Ensure the instances use encrypted volume.
Require AWS/EC2 instances to use encrypted block storage volumes.
Parameters
None
AWS: EC2: Restrict instances without IMDSv2
Require EC2 instances and EC2 launch templates to have Instance Metadata Service Version 2 (IMDSv2) enabled.
Parameters
None
AWS: EC2: Prohibit EC2 instances without a VPC
Require AWS/EC2 instances to be deployed in a dedicated VPC with specified security group IDs.
Parameters
None
AWS: ECS: Prohibit ECS Service which has Assign Public IP enabled
Require AWS/ECS Service to have 'assign_public_ip' set as false in 'network_configuration'.
Parameters
None
AWS: Elastic Beanstalk: Prohibit Elastic Beanstalk environments with disabled managed actions
Require AWS/Elastic Beanstalk environments to have the managed actions setting enabled.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled encryption at rest
Require AWS/Elasticsearch domains to have enabled encryption at rest.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains not created in VPC
Require AWS/Elasticsearch domains to have subnets added in vpc_options.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains that do not use TLS 1.2 and enforce HTTPS
Require AWS/Elasticsearch domains to have HTTPS enforced and use TLS 1.2.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled node to node encryption
Require AWS/Elasticsearch domains to have enabled node to node encryption.
Parameters
None
AWS: ELB: Prohibit Elastic Load Balancers with listener's lb_protocol not set to SSL/HTTPS
Requires AWS/ELB listeners to be configured with lb_protocol as either SSL or HTTPS.
Parameters
None
AWS: ELB: Prohibit Elastic Load Balancers with connection draining not set to true
Requires AWS/ELB listeners to be configured with 'connection_draining' set to true.
Parameters
None
AWS: GuardDuty: Block GuardDuty organization with disabled GuardDuty detector
Require a GuardDuty Detector to be enabled for a GuardDuty Organization.
Parameters
None
AWS: IAM: Ensure IAM account has Complex and Unique password policy
Require the AWS/IAM account to have a complex and unique password policy. As recommended by https://attack.mitre.org/techniques/T1110/, the standards here are based on those established in https://pages.nist.gov/800-63-3/sp800-63b.html#appA and https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234434
Parameters
None
AWS: IAM: Ensure IAM account password policy meets AWS Foundational Security Best Practices
Require the AWS/IAM account to have a complex and unique password policy, as recommended by https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html
Parameters
None
AWS: IAM: Restrict Access Key Actions in IAM policies
Require AWS/IAM user/group/role policies to not have Create/Update/List/Delete AccessKeys permissions, nor allow all ('iam:*' or '*') in 'Action'.
Parameters
None
AWS: IAM: Restrict hardcoded secret credentials.
Hardcoding of AWS 'access_key' and 'secret_key' in Terraform files is prohibited.
Parameters
None
AWS: IAM: Prohibit IAM policies directly being attached to IAM users
Requires AWS/IAM policies not to be attached directly to IAM users.
Parameters
None
AWS: IAM: Prohibit Policies containing an Asterisk
Require AWS/IAM policies to not have an asterisk ("*") in Actions, nor an asterisk ("*") without a prefix in Resources.
Parameters
None
KICS: ALB Deletion Protection Disabled
Application Load Balancer should have deletion protection enabled
Parameters
None
KICS: ALB Is Not Integrated With WAF
All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service
Parameters
None
KICS: ALB Listening on HTTP
AWS Application Load Balancer (ALB) should not listen on HTTP
Parameters
None
KICS: ALB Not Dropping Invalid Headers
It's considered a best practice when using Application Load Balancers to drop invalid header fields
Parameters
None
KICS: AmazonMQ Broker Encryption Disabled
AmazonMQ Broker should have Encryption Options defined
Parameters
None
KICS: AMI Not Encrypted
AWS AMI Encryption is not enabled
Parameters
None
KICS: AMI Shared With Multiple Accounts
Limits access to AWS AMIs by checking if more than one account is using the same image
Parameters
None
KICS: API Gateway Access Logging Disabled
API Gateway should have Access Log Settings defined
Parameters
None
KICS: API Gateway Deployment Without Access Log Setting
API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.
Parameters
None
KICS: API Gateway Deployment Without API Gateway UsagePlan Associated
API Gateway Deployment should have API Gateway UsagePlan defined and associated.
Parameters
None
KICS: API Gateway Endpoint Config is Not Private
The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet
Parameters
None
KICS: API Gateway Method Does Not Contains An API Key
An API Key should be required on a method request.
Parameters
None
KICS: API Gateway Method Settings Cache Not Encrypted
API Gateway Method Settings Cache should be encrypted
Parameters
None
KICS: API Gateway Stage Without API Gateway UsagePlan Associated
API Gateway Stage should have API Gateway UsagePlan defined and associated.
Parameters
None
KICS: API Gateway With CloudWatch Logging Disabled
AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation
Parameters
None
KICS: API Gateway With Invalid Compression
API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.
Parameters
None
KICS: API Gateway With Open Access
API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.
Parameters
None
KICS: API Gateway Without Configured Authorizer
API Gateway REST API should have an API Gateway Authorizer
Parameters
None
KICS: API Gateway Without Security Policy
API Gateway should have a Security Policy defined and use TLS 1.2.
Parameters
None
KICS: API Gateway Without SSL Certificate
SSL Client Certificate should be enabled
Parameters
None
KICS: API Gateway without WAF
API Gateway should have WAF (Web Application Firewall) enabled
Parameters
None
KICS: API Gateway X-Ray Disabled
API Gateway should have X-Ray Tracing enabled
Parameters
None
KICS: Athena Database Not Encrypted
AWS Athena Database data in S3 should be encrypted
Parameters
None
KICS: Athena Workgroup Not Encrypted
Athena Workgroup query results should be encrypted, for all queries that run in the workgroup
Parameters
None
KICS: Authentication Without MFA
Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating
Parameters
None
KICS: Auto Scaling Group With No Associated ELB
AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.
Parameters
None
KICS: Automatic Minor Upgrades Disabled
RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.
Parameters
None
KICS: Autoscaling Groups Supply Tags
Autoscaling groups should supply tags for configuration
Parameters
None
KICS: AWS Password Policy With Unchangeable Passwords
The AWS password policy should not make passwords unchangeable by users
Parameters
None
KICS: Batch Job Definition With Privileged Container Properties
Batch Job Definition should not have Privileged Container Properties
Parameters
None
KICS: CA Certificate Identifier Is Outdated
The CA certificate Identifier must be 'rds-ca-2019'.
Parameters
None
KICS: CDN Configuration Is Missing
Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.
Parameters
None
KICS: Certificate Has Expired
Expired SSL/TLS certificates should be removed
Parameters
None
KICS: Certificate RSA Key Bytes Lower Than 256
The certificate should use an RSA key with a length equal to or higher than 256 bytes
Parameters
None
KICS: CloudFront Logging Disabled
AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined
Parameters
None
KICS: Cloudfront Viewer Protocol Policy Allows HTTP
Checks if the connection between CloudFront and the viewer is encrypted
Parameters
None
KICS: CloudFront Without Minimum Protocol TLS 1.2
CloudFront Minimum Protocol version should be at least TLS 1.2
Parameters
None
KICS: CloudFront Without WAF
All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service
Parameters
None
KICS: CloudTrail Log File Validation Disabled
CloudTrail log file validation should be enabled to determine whether a log file has been tampered with
Parameters
None
KICS: CloudTrail Log Files Not Encrypted With KMS
Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail
Parameters
None
KICS: CloudTrail Log Files S3 Bucket is Publicly Accessible
CloudTrail Log Files S3 Bucket should not be publicly accessible
Parameters
None
KICS: CloudTrail Log Files S3 Bucket with Logging Disabled
CloudTrail Log Files S3 Bucket should have 'logging' enabled
Parameters
None
KICS: CloudTrail Logging Disabled
Checks if logging is enabled for CloudTrail.
Parameters
None
KICS: CloudTrail Multi Region Disabled
CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled
Parameters
None
KICS: CloudTrail Not Integrated With CloudWatch
CloudTrail should be integrated with CloudWatch
Parameters
None
KICS: CloudTrail SNS Topic Name Undefined
Check if SNS topic name is set for CloudTrail
Parameters
None
KICS: CloudWatch AWS Config Configuration Changes Alarm Missing
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Parameters
None
KICS: CloudWatch AWS Organizations Changes Missing Alarm
Ensure a log metric filter and alarm exist for AWS organizations changes
Parameters
None
KICS: CloudWatch Changes To NACL Alarm Missing
Ensure a log metric filter and alarm exist for changes to NACL
Parameters
None
KICS: Cloudwatch Cloudtrail Configuration Changes Alarm Missing
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Parameters
None
KICS: CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK
Parameters
None
KICS: CloudWatch IAM Policy Changes Alarm Missing
Ensure a log metric filter and alarm exist for IAM policy changes
Parameters
None
KICS: CloudWatch Log Group Without KMS
AWS CloudWatch Log groups should be encrypted using KMS
Parameters
None
KICS: CloudWatch Logging Disabled
Check if CloudWatch logging is disabled for Route53 hosted zones
Parameters
None
KICS: CloudWatch Logs Destination With Vulnerable Policy
CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'
Parameters
None
KICS: CloudWatch Management Console Auth Failed Alarm Missing
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Parameters
None
KICS: CloudWatch Console Sign-in Without MFA Alarm Missing
Ensure a log metric filter and alarm exist for management console sign-in without MFA
Parameters
None
KICS: CloudWatch Metrics Disabled
Checks if CloudWatch Metrics is Enabled
Parameters
None
KICS: CloudWatch Network Gateways Changes Alarm Missing
Ensure a log metric filter and alarm exist for network gateways changes
Parameters
None
KICS: CloudWatch Root Account Use Missing
Ensure a log metric filter and alarm exist for root account usage
Parameters
None
KICS: CloudWatch Route Table Changes Alarm Missing
Ensure a log metric filter and alarm exist for route table changes
Parameters
None
KICS: CloudWatch S3 policy Change Alarm Missing
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Parameters
None
KICS: Cloudwatch Security Group Changes Alarm Missing
Ensure a log metric filter and alarm exist for security group changes
Parameters
None
KICS: CloudWatch Unauthorized Access Alarm Missing
Ensure a log metric filter and alarm exist for unauthorized API calls
Parameters
None
KICS: CloudWatch VPC Changes Alarm Missing
Ensure a log metric filter and alarm exist for VPC changes
Parameters
None
KICS: CloudWatch Without Retention Period Specified
AWS CloudWatch Log groups should have retention days specified
Parameters
None
KICS: CMK Is Unusable
AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true
Parameters
None
KICS: CMK Rotation Disabled
Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.
Parameters
None
KICS: CodeBuild Project Encrypted With AWS Managed Key
CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys
Parameters
None
KICS: Cognito UserPool Without MFA
AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined for users
Parameters
None
KICS: Configuration Aggregator to All Regions Disabled
AWS Config Configuration Aggregator All Regions must be set to True
Parameters
None
KICS: Config Rule For Encrypted Volumes Disabled
Check if AWS config rules do not identify Encrypted Volumes as a source.
Parameters
None
KICS: Cross-Account IAM Assume Role Policy Without ExternalId or MFA
Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access
Parameters
None
KICS: DAX Cluster Not Encrypted
AWS DAX Cluster should have server-side encryption at rest
Parameters
None
KICS: DB Instance Publicly Accessible
RDS must not be defined with a public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').
Parameters
None
KICS: DB Instance Storage Not Encrypted
AWS DB Instance should have its storage encrypted by setting 'storage_encrypted' to 'true'. The 'storage_encrypted' default value is 'false'.
Parameters
None
KICS: DB Security Group Has Public Interface
The CIDR IP range should not be a public interface
Parameters
None
KICS: DB Security Group Open To Large Scope
The IP address in a DB Security Group must not have more than 256 hosts.
Parameters
None
KICS: DB Security Group With Public Scope
The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it
Parameters
None
KICS: Default Security Groups With Unrestricted Traffic
Check if the default security group does not restrict all inbound and outbound traffic.
Parameters
None
KICS: Default VPC Exists
It isn't recommended to use resources in the default VPC
Parameters
None
KICS: DOCDB Cluster Encrypted With AWS Managed Key
DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys
Parameters
None
KICS: DOCDB Cluster Not Encrypted
AWS DOCDB Cluster storage should be encrypted
Parameters
None
KICS: DOCDB Cluster Without KMS
AWS DOCDB Cluster should be encrypted with a KMS encryption key
Parameters
None
KICS: DocDB Logging Is Disabled
DocDB logging should be enabled
Parameters
None
KICS: DynamoDB Table Not Encrypted
AWS DynamoDB Tables should have server-side encryption
Parameters
None
KICS: DynamoDB Table Point In Time Recovery Disabled
It's considered a best practice to have point in time recovery enabled for DynamoDB Table
Parameters
None
KICS: Dynamodb VPC Endpoint Without Route Table Association
DynamoDB VPC Endpoint should be associated with a route table via a Route Table Association
Parameters
None
KICS: EBS Default Encryption Disabled
EBS Encryption should be enabled
Parameters
None
KICS: EBS Volume Encryption Disabled
EBS volumes should be encrypted
Parameters
None
KICS: EBS Volume Snapshot Not Encrypted
AWS EBS volume snapshots must have encryption set to true
Parameters
None
KICS: EC2 Instance Has Public IP
EC2 Instance should not have a public IP address.
Parameters
None
KICS: EC2 Instance Monitoring Disabled
EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled, data is available in 1-minute periods
Parameters
None
KICS: EC2 Instance Using API Keys
EC2 instances should use roles to be granted access to other AWS services
Parameters
None
KICS: EC2 Instance Using Default Security Group
EC2 instances should not use default security group(s)
Parameters
None
KICS: EC2 Instance Using Default VPC
EC2 Instances should not be configured under a default VPC network
Parameters
None
KICS: EC2 Not EBS Optimized
It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
Parameters
None
KICS: ECR Image Tag Not Immutable
ECR repositories should have image tag immutability enabled. This prevents image tags from being overwritten.
Parameters
None
KICS: ECR Repository Is Publicly Accessible
Amazon ECR image repositories shouldn't have public access
Parameters
None
KICS: ECR Repository Not Encrypted With CMK
ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation
Parameters
None
KICS: ECR Repository Without Policy
ECR Repository should have Policies attached to it
Parameters
None
KICS: ECS Cluster with Container Insights Disabled
ECS Cluster should enable container insights
Parameters
None
KICS: ECS Service Admin Role Is Present
ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role
Parameters
None
KICS: ECS Service Without Running Tasks
ECS Service should have at least 1 task running
Parameters
None
KICS: ECS Task Definition Network Mode Not Recommended
'network_mode' should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations
Parameters
None
KICS: ECS Task Definition Volume Not Encrypted
AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted
Parameters
None
KICS: ECS Task Definition Container With Plaintext Password
It's not recommended to use plaintext environment variables for sensitive information, such as credential data.
Parameters
None
KICS: EFS Not Encrypted
Elastic File System (EFS) must be encrypted
Parameters
None
KICS: EFS With Vulnerable Policy
EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.
Parameters
None
KICS: EFS Without KMS
Amazon Elastic File System should have filesystem encryption enabled using customer-managed KMS keys (CMKs) instead of AWS managed keys
Parameters
None
KICS: EKS Cluster Encryption Disabled
EKS Cluster should be encrypted
Parameters
None
KICS: EKS Cluster Has Public Access
Amazon EKS public endpoint should be set to false
Parameters
None
KICS: EKS Cluster Has Public Access CIDRs
Amazon EKS public endpoint is enabled and accessible to all (0.0.0.0/0)
Parameters
None
KICS: EKS cluster logging is not enabled
Amazon EKS control plane logging should be enabled
Parameters
None
KICS: EKS node group remote access disabled
EKS node group remote access is disabled when 'SourceSecurityGroups' is missing
Parameters
None
KICS: ElastiCache Nodes Not Created Across Multi AZ
ElastiCache Nodes should be created across multiple Availability Zones, which means 'az_mode' should be set to 'cross-az' in a multi-node cluster
Parameters
None
KICS: ElastiCache Redis Cluster Without Backup
ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0
Parameters
None
KICS: ElastiCache Replication Group Not Encrypted At Rest
ElastiCache Replication Group encryption should be enabled at rest
Parameters
None
KICS: ElastiCache Replication Group Not Encrypted In Transit
ElastiCache Replication Group encryption should be enabled in transit
Parameters
None
KICS: ElastiCache Using Default Port
ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211
Parameters
None
KICS: ElastiCache Without VPC
ElastiCache should be launched in a Virtual Private Cloud (VPC)
Parameters
None
KICS: Elasticsearch Domain Not Encrypted Node To Node
Elasticsearch Domain node-to-node encryption should be enabled
Parameters
None
KICS: Elasticsearch Domain With Vulnerable Policy
Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.
Parameters
None
KICS: ElasticSearch Encryption With KMS Disabled
Check if any ElasticSearch domain isn't encrypted with KMS.
Parameters
None
KICS: Elasticsearch Log Disabled
AWS Elasticsearch should have logs enabled
Parameters
None
KICS: ElasticSearch Not Encrypted At Rest
Check if ElasticSearch encryption is disabled at Rest
Parameters
None
KICS: Elasticsearch Without IAM Authentication
AWS Elasticsearch should enforce IAM authentication
Parameters
None
KICS: ElasticSearch Without Slow Logs
Ensure that AWS Elasticsearch enables support for slow logs
Parameters
None
KICS: ELB Access Log Disabled
ELB should have logging enabled to help with error investigation
Parameters
None
KICS: ELB Using Insecure Protocols
ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.
Parameters
None
KICS: ELB Using Weak Ciphers
ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.
Parameters
None
KICS: EMR Without VPC
Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)
Parameters
None
KICS: Global Accelerator Flow Logs Disabled
Global Accelerator should have flow logs enabled
Parameters
None
KICS: Glue Data Catalog Encryption Disabled
Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled
Parameters
None
KICS: Glue Security Configuration Encryption Disabled
Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled
Parameters
None
KICS: Glue With Vulnerable Policy
Glue policy should avoid wildcard in 'principals' and 'actions'
Parameters
None
KICS: Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
None
KICS: Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
None
KICS: Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
None
KICS: Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
None
KICS: Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
None
KICS: Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
None