bmt 0.9.0 → 0.10.0

  1. checksums.yaml +4 -4
  2. data/lib/bmt/version.rb +1 -1
  3. data/lib/data/0.10/methodologies/cloud_config_aws.json +621 -0
  4. data/lib/data/0.10/methodologies/cloud_config_azure.json +1402 -0
  5. data/lib/data/0.10/methodologies/cloud_config_gcp.json +431 -0
  6. data/lib/data/0.10/methodologies/mobile_ios.json +438 -0
  7. metadata +24 -34
  8. data/lib/data/0.1/methodologies/ai_llm.json +0 -517
  9. data/lib/data/0.1/methodologies/api_testing.json +0 -659
  10. data/lib/data/0.1/methodologies/mobile_ios.json +0 -452
  11. data/lib/data/0.9/mappings/templates.json +0 -17
  12. data/lib/data/0.9/mappings/templates.schema.json +0 -62
  13. data/lib/data/0.9/methodologies/active_directory.json +0 -426
  14. data/lib/data/0.9/methodologies/binaries.json +0 -252
  15. data/lib/data/0.9/methodologies/internal_network.json +0 -454
  16. data/lib/data/0.9/methodologies/mobile_android.json +0 -514
  17. data/lib/data/0.9/methodologies/mobile_ios.json +0 -452
  18. data/lib/data/0.9/methodologies/network.json +0 -207
  19. data/lib/data/0.9/methodologies/template.json +0 -83
  20. data/lib/data/0.9/methodologies/website_testing.json +0 -1078
  21. data/lib/data/0.9/schema.json +0 -124
  22. /data/lib/data/{0.1 → 0.10}/mappings/templates.json +0 -0
  23. /data/lib/data/{0.1 → 0.10}/mappings/templates.schema.json +0 -0
  24. /data/lib/data/{0.1 → 0.10}/methodologies/active_directory.json +0 -0
  25. /data/lib/data/{0.9 → 0.10}/methodologies/ai_llm.json +0 -0
  26. /data/lib/data/{0.9 → 0.10}/methodologies/api_testing.json +0 -0
  27. /data/lib/data/{0.1 → 0.10}/methodologies/binaries.json +0 -0
  28. /data/lib/data/{0.9 → 0.10}/methodologies/hardware_testing.json +0 -0
  29. /data/lib/data/{0.1 → 0.10}/methodologies/internal_network.json +0 -0
  30. /data/lib/data/{0.1 → 0.10}/methodologies/mobile_android.json +0 -0
  31. /data/lib/data/{0.1 → 0.10}/methodologies/network.json +0 -0
  32. /data/lib/data/{0.1 → 0.10}/methodologies/template.json +0 -0
  33. /data/lib/data/{0.1 → 0.10}/methodologies/website_testing.json +0 -0
  34. /data/lib/data/{0.1 → 0.10}/schema.json +0 -0
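--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 8f773ca5bd15e5a49bb524caa7331e981ecf7e4dc1d2fd6ce025cd459a6205a9
-data.tar.gz: 417cc82899153c132f820d6c06c4e55eeb5eb3ab6d889fcb2299eb5fce87622b
+metadata.gz: 25492dee89ea5ca5599f843a654fb94496dca75ed40b99f6d04bd84dec9ea3a2
+data.tar.gz: 5a6de51c268c1ffcbd9a5ae5ac13a1c1c088f1e00f9be95bbc63600eda7bb56d
 SHA512:
-metadata.gz: 48bbd4887ec2c14d829f9784b27626a6b4c6d59f44cd59c2c909c4ec8309abc63692b8d280ea6fb6cc9430e5cfa5ff119b9456af17c2e74336a5425901664954
-data.tar.gz: 858aaaf8c68f72b235e16aecf2096dec2649127d3a82a51737cd362ba7e04c71cfef1309a1b800f3788740a073443e033f1d8cf6f4e545c785e3dc2ba9374e86
+metadata.gz: be69ee73899fc4fcd8178ec9011312e9202ebbeb9fc085fc8744bc5b84151182cb840ebbd35e037c34369332315a197943459bde5fa20430193efe0338a5d136
+data.tar.gz: 3351c109af8d3ac813ce4c304d9246f0f780adb43093801ca5d0917ff672409b9066bcd4d0c838df879e804e358fc29e602969a1e89ffd894ff8aaf34d745b5d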
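--- a/data/lib/bmt/version.rb
+++ b/data/lib/bmt/version.rb
@@ -1,3 +1,3 @@
 module Bmt
-VERSION = '0.9.0'.freeze
+VERSION = '0.10.0'.freeze
 end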
@@ -0,0 +1,621 @@
1
+ {
2
+ "metadata": {
3
+ "title": "AWS Cloud Configuration Review Methodology",
4
+ "release_date": "2025-10-30T00:00:00+00:00",
5
+ "description": "Methodology based on the Amazon Web Services Benchmarks",
6
+ "vrt_version": "1.15.1"
7
+ },
8
+ "content": {
9
+ "steps": [
10
+ {
11
+ "key": "identity_and_access_management",
12
+ "title": "Identity and Access Management",
13
+ "description": "This section outlines checks for AWS Identity and Access Management (IAM), focusing on the principle of least privilege, password policies, and the security of the root account.",
14
+ "type": "checklist",
15
+ "items": [
16
+ {
17
+ "key": "iam_root_access_keys_exist",
18
+ "title": "Confirm that No Access Keys are Associated with the Root Account",
19
+ "description": "The root account holds the highest level of privilege in an AWS account. For maximum security, access keys should not be associated with this user. It should be verified that no active or inactive access keys exist for the root user to mitigate the risk of a full account compromise.",
20
+ "caption": "",
21
+ "tools": ""
22
+ },
23
+ {
24
+ "key": "iam_root_mfa_enabled",
25
+ "title": "Verify that Multi-Factor Authentication (MFA) is Activated for the Root Account",
26
+ "description": "Activating MFA for the root account adds an essential layer of security. This measure should be confirmed as active to protect the most privileged user from unauthorized access.",
27
+ "caption": "",
28
+ "tools": ""
29
+ },
30
+ {
31
+ "key": "iam_password_policy_strong",
32
+ "title": "Check for a Strong IAM Password Policy",
33
+ "description": "A strong password policy should be in place for IAM users to increase account resilience against brute-force login attempts. The current policy should be reviewed to confirm it enforces requirements for minimum length, uppercase and lowercase letters, numbers, and symbols.",
34
+ "caption": "",
35
+ "tools": ""
36
+ },
37
+ {
38
+ "key": "iam_password_policy_prevents_reuse",
39
+ "title": "Verify the IAM Password Policy Prevents Password Reuse",
40
+ "description": "The IAM password policy can be configured to prevent users from reusing a specified number of previous passwords. This setting should be checked to ensure it is active, which makes it more difficult for an attacker to gain access using a previously compromised password.",
41
+ "caption": "",
42
+ "tools": ""
43
+ },
44
+ {
45
+ "key": "iam_password_policy_expires_passwords",
46
+ "title": "Confirm the IAM Password Policy Enforces Password Expiration",
47
+ "description": "The IAM password policy should be reviewed to confirm that it requires users to change their passwords within a defined period (e.g., 90 days or less). Regularly expiring passwords reduces the risk of an old, potentially compromised password remaining active indefinitely.",
48
+ "caption": "",
49
+ "tools": ""
50
+ },
51
+ {
52
+ "key": "iam_mfa_for_console_users",
53
+ "title": "Verify MFA is Required for All IAM Users with Console Access",
54
+ "description": "All IAM users that are permitted to authenticate to the AWS Management Console should have MFA enabled. This adds a critical layer of protection for interactive user sessions.",
55
+ "caption": "",
56
+ "tools": ""
57
+ },
58
+ {
59
+ "key": "iam_no_user_attached_policies",
60
+ "title": "Confirm IAM Policies are Attached to Groups or Roles, Not Directly to Users",
61
+ "description": "Attaching IAM policies directly to users can complicate access management. The best practice is to attach policies to groups or roles and then assign users to those groups or roles. All user accounts should be reviewed to confirm they do not have policies attached directly.",
62
+ "caption": "",
63
+ "tools": ""
64
+ },
65
+ {
66
+ "key": "iam_access_keys_rotated",
67
+ "title": "Check that IAM User Access Keys are Rotated Periodically",
68
+ "description": "Long-lived credentials like access keys present a security risk. A process should be in place to ensure all IAM user access keys are rotated within a defined period, such as every 90 days, to limit the window of opportunity for misuse if a key is compromised.",
69
+ "caption": "",
70
+ "tools": ""
71
+ },
72
+ {
73
+ "key": "iam_support_role_exists",
74
+ "title": "Verify an IAM Role Exists for Managing Incidents with AWS Support",
75
+ "description": "To allow authorized users to manage incidents with AWS Support, a dedicated IAM role should be created. This avoids sharing credentials and allows for more granular control over who can interact with AWS Support on the account's behalf.",
76
+ "caption": "",
77
+ "tools": ""
78
+ },
79
+ {
80
+ "key": "iam_remove_inactive_credentials",
81
+ "title": "Check for Inactive IAM User Credentials",
82
+ "description": "User credentials, including passwords and access keys, that have not been used for a defined period (e.g., 90 days or more) pose an unnecessary risk. These inactive credentials should be identified and confirmed as disabled or removed.",
83
+ "caption": "",
84
+ "tools": ""
85
+ }
86
+ ]
87
+ },
88
+ {
89
+ "key": "networking_and_connectivity",
90
+ "title": "Networking and Connectivity",
91
+ "description": "This section covers security best practices for network configurations, including Virtual Private Clouds (VPCs), Security Groups, and network traffic logging.",
92
+ "type": "checklist",
93
+ "items": [
94
+ {
95
+ "key": "network_restrict_ssh_access",
96
+ "title": "Verify Security Groups Restrict Ingress on Port 22 from Any IP",
97
+ "description": "Security groups act as a stateful firewall for EC2 instances. Unrestricted ingress access on port 22 (SSH) from any IP address (0.0.0.0/0) significantly increases the risk of brute-force attacks. The configuration of all security groups should be reviewed to confirm that such a rule does not exist.",
98
+ "caption": "",
99
+ "tools": ""
100
+ },
101
+ {
102
+ "key": "network_restrict_rdp_access",
103
+ "title": "Verify Security Groups Restrict Ingress on Port 3389 from Any IP",
104
+ "description": "Allowing unrestricted ingress traffic on port 3389 (RDP) from any IP address (0.0.0.0/0) creates a significant security risk. All security groups should be audited to ensure this configuration is not in use, thereby protecting Windows-based instances from external brute-force attacks.",
105
+ "caption": "",
106
+ "tools": ""
107
+ },
108
+ {
109
+ "key": "network_vpc_flow_logs_enabled",
110
+ "title": "Confirm that VPC Flow Logging is Enabled in All VPCs",
111
+ "description": "VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. This data is invaluable for security monitoring and network traffic analysis. It should be verified that flow logging is enabled for all VPCs.",
112
+ "caption": "",
113
+ "tools": ""
114
+ },
115
+ {
116
+ "key": "network_default_security_group_restricts_traffic",
117
+ "title": "Verify the Default Security Group in every VPC Restricts All Traffic",
118
+ "description": "The default security group for a VPC should be configured to restrict all inbound and outbound traffic. This follows a least-privilege model, forcing the explicit creation of rules in other, non-default security groups for any required traffic.",
119
+ "caption": "",
120
+ "tools": ""
121
+ },
122
+ {
123
+ "key": "network_route_tables_for_igw_and_vgw",
124
+ "title": "Check that Route Tables for VPC Peering are Least Access",
125
+ "description": "When using a VPC peering connection, it is important to review the route tables to ensure they do not allow for more network access than is explicitly required. The routes should be checked to confirm they adhere to the principle of least privilege.",
126
+ "caption": "",
127
+ "tools": ""
128
+ },
129
+ {
130
+ "key": "network_cloudfront_distribution_with_waf",
131
+ "title": "Confirm CloudFront Distributions are Integrated with AWS WAF",
132
+ "description": "For any CloudFront distribution, it should be confirmed that AWS Web Application Firewall (WAF) is attached. WAF provides protection against common web exploits that could affect application availability or security.",
133
+ "caption": "",
134
+ "tools": ""
135
+ }
136
+ ]
137
+ },
138
+ {
139
+ "key": "compute_platform_security",
140
+ "title": "Compute Platform Security",
141
+ "description": "This section details security recommendations for core AWS compute resources like EC2, Lambda, and container services (ECR, ECS, EKS).",
142
+ "type": "checklist",
143
+ "items": [
144
+ {
145
+ "key": "ec2_ebs_encryption_enabled",
146
+ "title": "Verify Encryption is Enabled for EBS Volumes",
147
+ "description": "Encrypting EBS volumes protects data at rest. It should be verified that all EBS volumes, both boot and data, are configured with encryption enabled to safeguard sensitive information. AWS encrypts new EBS volumes by default.",
148
+ "caption": "",
149
+ "tools": ""
150
+ },
151
+ {
152
+ "key": "ec2_imdsv2_required",
153
+ "title": "Confirm EC2 Instances Require IMDSv2",
154
+ "description": "The EC2 Instance Metadata Service (IMDS) provides data about an instance. Version 2 (IMDSv2) uses session-oriented requests, which provides enhanced protection against vulnerabilities. It should be verified that instances are configured to require the use of IMDSv2.",
155
+ "caption": "",
156
+ "tools": ""
157
+ },
158
+ {
159
+ "key": "ec2_no_public_amis",
160
+ "title": "Check that AMIs are Not Publicly Shared",
161
+ "description": "Amazon Machine Images (AMIs) should not be publicly available unless explicitly intended for public consumption. Sharing AMIs publicly can expose sensitive data or proprietary software configurations. All AMIs should be reviewed to confirm their launch permissions are not set to public.",
162
+ "caption": "",
163
+ "tools": ""
164
+ },
165
+ {
166
+ "key": "lambda_least_privilege_roles",
167
+ "title": "Verify Lambda Functions Use Least-Privilege IAM Roles",
168
+ "description": "Each Lambda function should have an execution role with IAM policies that grant only the permissions necessary for the function to operate. The policies attached to Lambda execution roles should be reviewed to ensure they do not grant excessive permissions.",
169
+ "caption": "",
170
+ "tools": ""
171
+ },
172
+ {
173
+ "key": "lambda_function_policies_restrict_public_access",
174
+ "title": "Confirm Lambda Function Policies Restrict Public Access",
175
+ "description": "A resource-based policy can be attached to a Lambda function to control access. It should be confirmed that these policies do not grant public or anonymous access, which would allow anyone to invoke the function.",
176
+ "caption": "",
177
+ "tools": ""
178
+ },
179
+ {
180
+ "key": "ecr_repository_scan_on_push",
181
+ "title": "Verify ECR Repositories are Configured to Scan on Push",
182
+ "description": "Amazon Elastic Container Registry (ECR) can automatically scan container images for software vulnerabilities upon being pushed to a repository. It should be confirmed that this setting is enabled for all repositories to identify vulnerabilities early in the development lifecycle.",
183
+ "caption": "",
184
+ "tools": ""
185
+ },
186
+ {
187
+ "key": "ecr_repository_tag_immutability",
188
+ "title": "Confirm Tag Immutability is Enabled for ECR Repositories",
189
+ "description": "Tag immutability prevents image tags from being overwritten by a different image pushed with the same tag. The status of this setting should be checked to ensure it is configured, which helps prevent tag-related deployment issues and maintains a reliable image history.",
190
+ "caption": "",
191
+ "tools": ""
192
+ },
193
+ {
194
+ "key": "ecs_task_definitions_use_least_privilege",
195
+ "title": "Verify ECS Task Definitions Use Least-Privilege IAM Roles",
196
+ "description": "ECS tasks can be assigned an IAM role to interact with other AWS services. It should be confirmed that the policies attached to these task roles grant only the minimum required permissions, adhering to the principle of least privilege.",
197
+ "caption": "",
198
+ "tools": ""
199
+ },
200
+ {
201
+ "key": "eks_endpoint_public_access_restricted",
202
+ "title": "Check that EKS Cluster Endpoint Public Access is Restricted",
203
+ "description": "The Kubernetes API server endpoint for an EKS cluster should not be accessible to the public internet. Access should be restricted to specific IP CIDR blocks within the VPC to reduce the cluster's attack surface.",
204
+ "caption": "",
205
+ "tools": ""
206
+ }
207
+ ]
208
+ },
209
+ {
210
+ "key": "data_storage_services",
211
+ "title": "Data Storage Services",
212
+ "description": "This section covers security configurations for AWS storage services, including S3 for object storage, EFS and FSx for file storage, and AWS Backup for data protection.",
213
+ "type": "checklist",
214
+ "items": [
215
+ {
216
+ "key": "s3_account_block_public_access",
217
+ "title": "Confirm S3 Block Public Access Setting is Enabled at the Account Level",
218
+ "description": "The S3 Block Public Access feature provides a centralized way to prevent public access to S3 buckets and objects. It should be confirmed that this setting is enabled at the account level to mitigate the risk of accidental data exposure from misconfigured buckets.",
219
+ "caption": "",
220
+ "tools": ""
221
+ },
222
+ {
223
+ "key": "s3_default_encryption_enabled",
224
+ "title": "Verify Default Encryption is Enabled for S3 Buckets",
225
+ "description": "S3 buckets should have default encryption enabled to ensure that all new objects are automatically encrypted when stored. This protects data at rest without requiring encryption to be specified for each object upload.",
226
+ "caption": "",
227
+ "tools": ""
228
+ },
229
+ {
230
+ "key": "s3_versioning_enabled",
231
+ "title": "Confirm that S3 Bucket Versioning is Enabled",
232
+ "description": "Versioning keeps multiple variants of an object in the same bucket, which can be used to preserve, retrieve, and restore every version of every object stored. It should be confirmed that versioning is enabled as a protection against accidental or malicious overwrites and deletions.",
233
+ "caption": "",
234
+ "tools": ""
235
+ },
236
+ {
237
+ "key": "s3_access_logging_enabled",
238
+ "title": "Check that Server Access Logging is Enabled for S3 Buckets",
239
+ "description": "Server access logging provides detailed records for the requests that are made to an S3 bucket. It should be verified that logging is enabled and directed to a separate, secure bucket to provide an audit trail for access and to support security investigations.",
240
+ "caption": "",
241
+ "tools": ""
242
+ },
243
+ {
244
+ "key": "s3_mfa_delete_enabled",
245
+ "title": "Verify MFA Delete is Enabled for S3 Buckets",
246
+ "description": "The MFA Delete feature requires an additional factor of authentication for changing a bucket's versioning state and permanently deleting an object version. It should be confirmed that this setting is enabled to provide a higher level of security against accidental or unauthorized data deletion.",
247
+ "caption": "",
248
+ "tools": ""
249
+ },
250
+ {
251
+ "key": "efs_encryption_at_rest_enabled",
252
+ "title": "Confirm Encryption for Data at Rest is Enabled for EFS File Systems",
253
+ "description": "Amazon EFS supports encryption of data at rest to protect sensitive information stored within file systems. It should be verified that encryption is enabled for all EFS file systems.",
254
+ "caption": "",
255
+ "tools": ""
256
+ },
257
+ {
258
+ "key": "fsx_encryption_at_rest_enabled",
259
+ "title": "Verify Encryption for Data at Rest is Enabled for FSx File Systems",
260
+ "description": "Amazon FSx for Windows File Server encrypts data at rest using keys managed in AWS KMS. The configuration should be reviewed to confirm that at-rest encryption is active for all file systems.",
261
+ "caption": "",
262
+ "tools": ""
263
+ },
264
+ {
265
+ "key": "storage_gateway_chap_auth_configured",
266
+ "title": "Check that CHAP Authentication is Configured for Storage Gateway iSCSI Targets",
267
+ "description": "Challenge-Handshake Authentication Protocol (CHAP) provides authentication for iSCSI targets, protecting against unauthorized access. It should be confirmed that mutual CHAP is configured for any volume attached via iSCSI on a Storage Gateway.",
268
+ "caption": "",
269
+ "tools": ""
270
+ },
271
+ {
272
+ "key": "backup_plan_exists",
273
+ "title": "Confirm a Backup Plan Exists",
274
+ "description": "AWS Backup provides a centralized service to manage backups across AWS services. A backup plan defines when and how you want to back up your AWS resources. It should be verified that at least one backup plan is configured and active.",
275
+ "caption": "",
276
+ "tools": ""
277
+ }
278
+ ]
279
+ },
280
+ {
281
+ "key": "database_services",
282
+ "title": "Database Services",
283
+ "description": "This section provides security checks for various AWS database services, including RDS, DynamoDB, Redshift, and ElastiCache.",
284
+ "type": "checklist",
285
+ "items": [
286
+ {
287
+ "key": "rds_not_publicly_accessible",
288
+ "title": "Confirm RDS Database Instances Are Not Publicly Accessible",
289
+ "description": "RDS instances should not be directly accessible from the public internet. The 'Publicly accessible' setting should be reviewed and confirmed as 'No' to ensure database instances are only reachable from within their VPC or authorized networks.",
290
+ "caption": "",
291
+ "tools": ""
292
+ },
293
+ {
294
+ "key": "rds_storage_encryption_enabled",
295
+ "title": "Verify Storage Encryption is Enabled for RDS Instances",
296
+ "description": "Encrypting RDS instances protects the underlying storage, automated backups, read replicas, and snapshots. It should be confirmed that encryption at rest is enabled for all RDS database instances.",
297
+ "caption": "",
298
+ "tools": ""
299
+ },
300
+ {
301
+ "key": "rds_iam_authentication_enabled",
302
+ "title": "Check that IAM Database Authentication is Enabled for RDS Instances",
303
+ "description": "IAM database authentication allows you to authenticate to your DB instance with an IAM user or role, avoiding the need to manage database credentials separately. It should be verified that this feature is enabled.",
304
+ "caption": "",
305
+ "tools": ""
306
+ },
307
+ {
308
+ "key": "rds_auto_minor_version_upgrade_enabled",
309
+ "title": "Confirm Automatic Minor Version Upgrades are Enabled for RDS Instances",
310
+ "description": "The 'Auto minor version upgrade' feature ensures that your RDS instances are automatically updated with the latest minor version patches, which often include security fixes. It should be confirmed that this setting is enabled.",
311
+ "caption": "",
312
+ "tools": ""
313
+ },
314
+ {
315
+ "key": "rds_enhanced_monitoring_enabled",
316
+ "title": "Verify Enhanced Monitoring is Enabled for RDS Instances",
317
+ "description": "Enhanced Monitoring provides real-time metrics for the operating system that your DB instance runs on. The data can be directed to CloudWatch Logs for analysis. It should be confirmed that this feature is enabled to gain deeper insights into instance performance and health.",
318
+ "caption": "",
319
+ "tools": ""
320
+ },
321
+ {
322
+ "key": "dynamodb_pitr_enabled",
323
+ "title": "Check that Point-in-Time Recovery (PITR) is Enabled for DynamoDB Tables",
324
+ "description": "Point-in-time recovery helps protect your DynamoDB tables from accidental write or delete operations. It should be confirmed that this feature is enabled, as it allows you to restore a table to any point in time during the preceding 35 days.",
325
+ "caption": "",
326
+ "tools": ""
327
+ },
328
+ {
329
+ "key": "redshift_cluster_not_public",
330
+ "title": "Confirm Redshift Clusters Are Not Publicly Accessible",
331
+ "description": "Amazon Redshift clusters should not be accessible from the public internet. The cluster's network configuration should be reviewed to confirm that the 'Publicly accessible' option is disabled.",
332
+ "caption": "",
333
+ "tools": ""
334
+ },
335
+ {
336
+ "key": "redshift_cluster_encryption_enabled",
337
+ "title": "Verify Encryption is Enabled for Redshift Clusters",
338
+ "description": "Redshift clusters should have encryption at rest enabled to protect the underlying data. This configuration should be confirmed as active for all clusters.",
339
+ "caption": "",
340
+ "tools": ""
341
+ },
342
+ {
343
+ "key": "redshift_audit_logging_enabled",
344
+ "title": "Check that Audit Logging is Enabled for Redshift Clusters",
345
+ "description": "Audit logging captures information about connections and user activities in your Redshift cluster. It should be verified that audit logging is enabled to provide a detailed record for security analysis and compliance.",
346
+ "caption": "",
347
+ "tools": ""
348
+ },
349
+ {
350
+ "key": "elasticache_redis_auth_token_enabled",
351
+ "title": "Verify AUTH Token is Enabled for ElastiCache for Redis Replication Groups",
352
+ "description": "To secure data in transit and at rest, ElastiCache for Redis clusters should be configured to require an authentication token (password). It should be confirmed that the `AuthToken` parameter is enabled for replication groups.",
353
+ "caption": "",
354
+ "tools": ""
355
+ }
356
+ ]
357
+ },
358
+ {
359
+ "key": "end_user_compute_services",
360
+ "title": "End-User Compute Services",
361
+ "description": "This section contains security recommendations for AWS End-User Compute services, such as WorkSpaces and AppStream 2.0.",
362
+ "type": "checklist",
363
+ "items": [
364
+ {
365
+ "key": "workspaces_root_volume_encrypted",
366
+ "title": "Verify Root Volumes of WorkSpaces are Encrypted",
367
+ "description": "The root volume (C: drive) of an Amazon WorkSpace contains the operating system and user profile data. It should be confirmed that encryption is enabled for this volume to protect data at rest.",
368
+ "caption": "",
369
+ "tools": ""
370
+ },
371
+ {
372
+ "key": "workspaces_user_volumes_encrypted",
373
+ "title": "Verify User Volumes of WorkSpaces are Encrypted",
374
+ "description": "The user volume (D: drive) of an Amazon WorkSpace stores user data. To protect this data, it should be verified that encryption is enabled for all user volumes.",
375
+ "caption": "",
376
+ "tools": ""
377
+ },
378
+ {
379
+ "key": "workspaces_internet_access_disabled",
380
+ "title": "Check that Internet Access is Disabled for WorkSpaces",
381
+ "description": "Unless there is a specific business requirement, direct internet access from Amazon WorkSpaces should be disabled. This reduces the risk of data exfiltration and exposure to external threats. The directory settings should be reviewed to confirm this.",
382
+ "caption": "",
383
+ "tools": ""
384
+ },
385
+ {
386
+ "key": "appstream_default_internet_access_disabled",
387
+ "title": "Verify Default Internet Access is Disabled for AppStream 2.0 Fleets and Image Builders",
388
+ "description": "AppStream 2.0 fleets and image builders should not have default internet access enabled unless explicitly required. This configuration should be reviewed to ensure it is disabled, thereby reducing the attack surface and potential for unauthorized outbound communication.",
389
+ "caption": "",
390
+ "tools": ""
391
+ },
392
+ {
393
+ "key": "appstream_clipboard_redirection_disabled",
394
+ "title": "Confirm Clipboard Redirection is Disabled for AppStream 2.0 Fleets",
395
+ "description": "Disabling clipboard redirection between a user's local device and their AppStream 2.0 session helps prevent data leakage. It should be verified that this setting is disabled, allowing data to be copied and pasted only within the remote session.",
396
+ "caption": "",
397
+ "tools": ""
398
+ },
399
+ {
400
+ "key": "appstream_file_transfer_disabled",
401
+ "title": "Confirm File Transfer is Disabled Between Local Devices and AppStream 2.0",
402
+ "description": "To prevent unauthorized data transfer, the ability for users to upload or download files between their local device and an AppStream 2.0 session should be disabled. This setting should be reviewed to ensure it is appropriately configured.",
403
+ "caption": "",
404
+ "tools": ""
405
+ }
406
+ ]
407
+ },
408
+ {
409
+ "key": "logging_and_audit_trails",
410
+ "title": "Logging and Audit Trails",
411
+ "description": "This section focuses on ensuring that comprehensive logging is in place, primarily through AWS CloudTrail, to provide a detailed audit trail of all activities within the AWS account.",
412
+ "type": "checklist",
413
+ "items": [
414
+ {
415
+ "key": "logging_cloudtrail_enabled_in_all_regions",
416
+ "title": "Confirm CloudTrail is Activated Across All AWS Regions",
417
+ "description": "AWS CloudTrail provides a record of actions taken by a user, role, or an AWS service. To ensure comprehensive visibility into account activity, it should be verified that a CloudTrail trail is configured to be active in all regions.",
418
+ "caption": "",
419
+ "tools": ""
420
+ },
421
+ {
422
+ "key": "logging_cloudtrail_log_file_validation_enabled",
423
+ "title": "Verify that CloudTrail Log File Validation is Enabled",
424
+ "description": "Log file validation provides a means to verify the integrity of CloudTrail log files, ensuring they have not been tampered with after delivery. This setting should be confirmed as enabled for all trails.",
425
+ "caption": "",
426
+ "tools": ""
427
+ },
428
+ {
429
+ "key": "logging_cloudtrail_s3_bucket_not_public",
430
+ "title": "Check that the S3 Bucket for CloudTrail Logs is Not Publicly Accessible",
431
+ "description": "The S3 bucket used to store CloudTrail logs contains sensitive audit information and must not be publicly accessible. The bucket's permissions should be reviewed to confirm that all forms of public access are denied.",
432
+ "caption": "",
433
+ "tools": ""
434
+ },
435
+ {
436
+ "key": "logging_cloudtrail_integrated_with_cloudwatch",
437
+ "title": "Confirm CloudTrail Trails are Integrated with CloudWatch Logs",
438
+ "description": "Integrating CloudTrail with CloudWatch Logs enables real-time monitoring of API activity and allows for the creation of alarms based on specific log events. This integration should be confirmed as active for all trails.",
439
+ "caption": "",
440
+ "tools": ""
441
+ },
442
+ {
443
+ "key": "logging_cloudtrail_s3_bucket_encrypted_kms",
444
+ "title": "Verify the CloudTrail S3 Bucket is Encrypted at Rest using KMS",
445
+ "description": "To protect the confidentiality of log data at rest, the S3 bucket designated for CloudTrail should be configured with server-side encryption using AWS Key Management Service (KMS). This ensures the logs themselves are encrypted.",
446
+ "caption": "",
447
+ "tools": ""
448
+ },
449
+ {
450
+ "key": "logging_cloudtrail_data_events_for_s3",
451
+ "title": "Confirm CloudTrail Captures S3 Data Events for Business-Critical Buckets",
452
+ "description": "For S3 buckets containing business-critical data, CloudTrail should be configured to log data events (e.g., GetObject, PutObject). This provides object-level API activity tracking that is essential for security analysis and incident response.",
453
+ "caption": "",
454
+ "tools": ""
455
+ },
456
+ {
457
+ "key": "logging_cloudtrail_data_events_for_lambda",
458
+ "title": "Verify CloudTrail Captures Lambda Data Events for Business-Critical Functions",
459
+ "description": "For business-critical Lambda functions, CloudTrail should be configured to log data events, specifically the 'Invoke' API activity. This provides a detailed audit trail of when and by whom Lambda functions are executed.",
460
+ "caption": "",
461
+ "tools": ""
462
+ }
463
+ ]
464
+ },
465
+ {
466
+ "key": "monitoring_and_alerting",
467
+ "title": "Monitoring and Alerting",
468
+ "description": "This section covers the setup of automated monitoring and alerting on critical security events using AWS CloudWatch Alarms, triggered by CloudTrail log data.",
469
+ "type": "checklist",
470
+ "items": [
471
+ {
472
+ "key": "monitoring_alarm_for_unauthorized_api_calls",
473
+ "title": "Check for a CloudWatch Alarm on Unauthorized API Calls",
474
+ "description": "Monitoring CloudTrail logs for unauthorized API calls can help detect malicious activity or misconfigurations. It should be confirmed that a log metric filter is established in CloudWatch and that an alarm is configured to trigger notifications when such events occur.",
475
+ "caption": "",
476
+ "tools": ""
477
+ },
478
+ {
479
+ "key": "monitoring_alarm_for_mfa_console_signin",
480
+ "title": "Verify a CloudWatch Alarm Exists for Console Sign-Ins without MFA",
481
+ "description": "To enforce MFA usage, a CloudWatch alarm should be in place to detect and alert on any AWS Management Console sign-in that does not use multi-factor authentication. This provides a detective control for IAM user security.",
482
+ "caption": "",
483
+ "tools": ""
484
+ },
485
+ {
486
+ "key": "monitoring_alarm_for_root_account_usage",
487
+ "title": "Confirm a CloudWatch Alarm is in Place for Root Account Usage",
488
+ "description": "Usage of the root account should be rare and closely monitored. An alarm should be configured to trigger a notification whenever any API call is made using the root account's credentials.",
489
+ "caption": "",
490
+ "tools": ""
491
+ },
492
+ {
493
+ "key": "monitoring_alarm_for_iam_policy_changes",
494
+ "title": "Verify an Alarm Exists for IAM Policy Changes",
495
+ "description": "Changes to IAM policies can have significant security implications. A CloudWatch alarm should be configured to detect and alert on any API calls that modify IAM policies (e.g., CreatePolicy, DeletePolicy, PutGroupPolicy).",
496
+ "caption": "",
497
+ "tools": ""
498
+ },
499
+ {
500
+ "key": "monitoring_alarm_for_cloudtrail_configuration_changes",
501
+ "title": "Check for an Alarm on CloudTrail Configuration Changes",
502
+ "description": "To protect the integrity of your audit logs, a CloudWatch alarm should be configured to alert on any changes made to your CloudTrail configuration, such as creating, updating, or deleting trails.",
503
+ "caption": "",
504
+ "tools": ""
505
+ },
506
+ {
507
+ "key": "monitoring_alarm_for_console_authentication_failures",
508
+ "title": "Confirm an Alarm Exists for AWS Console Authentication Failures",
509
+ "description": "Repeated console sign-in failures can indicate a brute-force attempt. A CloudWatch alarm should be in place to monitor for and alert on these events, enabling a timely response.",
510
+ "caption": "",
511
+ "tools": ""
512
+ },
513
+ {
514
+ "key": "monitoring_alarm_for_disabling_or_deleting_cmks",
515
+ "title": "Verify an Alarm is Configured for the Disabling or Deletion of Customer-Managed Keys (CMKs)",
516
+ "description": "The disabling or scheduled deletion of a Customer-Managed Key (CMK) in KMS can render encrypted data unrecoverable. A CloudWatch alarm is essential to provide immediate notification of these critical events.",
517
+ "caption": "",
518
+ "tools": ""
519
+ },
520
+ {
521
+ "key": "monitoring_alarm_for_s3_bucket_policy_changes",
522
+ "title": "Check for an Alarm on S3 Bucket Policy Changes",
523
+ "description": "Changes to S3 bucket policies can inadvertently expose sensitive data. A CloudWatch alarm should be configured to monitor for any API calls that modify bucket policies (e.g., PutBucketPolicy, DeleteBucketPolicy).",
524
+ "caption": "",
525
+ "tools": ""
526
+ },
527
+ {
528
+ "key": "monitoring_alarm_for_aws_config_changes",
529
+ "title": "Confirm an Alarm Exists for AWS Config Configuration Changes",
530
+ "description": "Changes to the AWS Config service could impact your compliance and configuration auditing capabilities. A CloudWatch alarm should be in place to alert on any modifications to the Config service, such as stopping the recorder or deleting rules.",
531
+ "caption": "",
532
+ "tools": ""
533
+ },
534
+ {
535
+ "key": "monitoring_alarm_for_security_group_changes",
536
+ "title": "Verify an Alarm is Configured for Security Group Changes",
537
+ "description": "Modifications to security groups can alter network ingress and egress rules. To monitor for potentially unauthorized network access changes, a CloudWatch alarm should be set up to detect any API calls that change a security group.",
538
+ "caption": "",
539
+ "tools": ""
540
+ },
541
+ {
542
+ "key": "monitoring_alarm_for_nacl_changes",
543
+ "title": "Check for an Alarm on Network Access Control List (NACL) Changes",
544
+ "description": "Changes to Network ACLs can affect traffic flow at the subnet level. A CloudWatch alarm should be in place to provide alerts on any modifications to NACLs, ensuring visibility into network boundary changes.",
545
+ "caption": "",
546
+ "tools": ""
547
+ },
548
+ {
549
+ "key": "monitoring_alarm_for_network_gateway_changes",
550
+ "title": "Confirm an Alarm is Configured for Network Gateway Changes",
551
+ "description": "Network gateways are critical components for VPC connectivity. A CloudWatch alarm should be configured to alert on any changes to these gateways (e.g., creating, deleting, attaching, or detaching) to detect unexpected network routing modifications.",
552
+ "caption": "",
553
+ "tools": ""
554
+ },
555
+ {
556
+ "key": "monitoring_alarm_for_route_table_changes",
557
+ "title": "Verify an Alarm Exists for Route Table Changes",
558
+ "description": "Changes to route tables can impact how traffic is directed within and outside of your VPC. A CloudWatch alarm should be configured to monitor for and alert on any modifications to VPC route tables.",
559
+ "caption": "",
560
+ "tools": ""
561
+ },
562
+ {
563
+ "key": "monitoring_alarm_for_vpc_changes",
564
+ "title": "Check for an Alarm on VPC Changes",
565
+ "description": "Modifications to a Virtual Private Cloud (VPC) can have broad networking implications. A CloudWatch alarm should be in place to alert on any changes to VPCs, ensuring critical network infrastructure is monitored.",
566
+ "caption": "",
567
+ "tools": ""
568
+ },
569
+ {
570
+ "key": "monitoring_alarm_for_organizations_changes",
571
+ "title": "Confirm an Alarm Exists for Changes to AWS Organizations",
572
+ "description": "For accounts that are part of AWS Organizations, changes at the organization level can affect all member accounts. A CloudWatch alarm should be configured to alert on any Organizations API calls (e.g., AcceptHandshake, LeaveOrganization) to monitor for changes in organization structure.",
573
+ "caption": "",
574
+ "tools": ""
575
+ }
576
+ ]
577
+ },
578
+ {
579
+ "key": "aws_security_services_configuration",
580
+ "title": "AWS Security Services Configuration",
581
+ "description": "This section covers the configuration of key AWS-native security services, including AWS Config, GuardDuty, and Security Hub, which are foundational for governance and threat detection.",
582
+ "type": "checklist",
583
+ "items": [
584
+ {
585
+ "key": "security_services_config_enabled_in_all_regions",
586
+ "title": "Verify that AWS Config is Enabled in All Regions",
587
+ "description": "AWS Config provides a detailed view of the configuration of AWS resources in your account. It should be verified that AWS Config is enabled in all regions to support configuration management, audit, and compliance across your entire AWS footprint.",
588
+ "caption": "",
589
+ "tools": ""
590
+ },
591
+ {
592
+ "key": "security_services_guardduty_enabled",
593
+ "title": "Confirm that Amazon GuardDuty is Enabled",
594
+ "description": "Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. It should be confirmed that GuardDuty is enabled in all supported regions to protect your AWS accounts and workloads.",
595
+ "caption": "",
596
+ "tools": ""
597
+ },
598
+ {
599
+ "key": "security_services_security_hub_enabled",
600
+ "title": "Verify that AWS Security Hub is Enabled",
601
+ "description": "AWS Security Hub provides a comprehensive view of your high-priority security alerts and compliance status across your AWS accounts. It should be confirmed that Security Hub is enabled to aggregate, organize, and prioritize findings from various AWS services and partner products.",
602
+ "caption": "",
603
+ "tools": ""
604
+ }
605
+ ]
606
+ },
607
+ {
608
+ "key": "upload_logs",
609
+ "title": "Upload logs",
610
+ "description": "This should include all associated traffic associated to the in-scope targets.",
611
+ "type": "large_upload"
612
+ },
613
+ {
614
+ "key": "executive_summary",
615
+ "title": "Executive summary",
616
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
617
+ "type": "executive_summary"
618
+ }
619
+ ]
620
+ }
621
+ }