aws-security-mcp 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/README.md +235 -0
  2. package/dashboard/dist/assets/index-DCplBiuM.css +2 -0
  3. package/dashboard/dist/assets/index-jFq0Af8S.js +46 -0
  4. package/dashboard/dist/data.json +926 -0
  5. package/dashboard/dist/favicon.svg +1 -0
  6. package/dashboard/dist/icons.svg +24 -0
  7. package/dashboard/dist/index.html +14 -0
  8. package/dist/bin/aws-security-mcp.d.ts +1 -0
  9. package/dist/bin/aws-security-mcp.js +16057 -0
  10. package/dist/bin/aws-security-mcp.js.map +1 -0
  11. package/dist/src/commands/dashboard.d.ts +3 -0
  12. package/dist/src/commands/dashboard.js +90 -0
  13. package/dist/src/commands/dashboard.js.map +1 -0
  14. package/dist/src/commands/deploy-dashboard.d.ts +3 -0
  15. package/dist/src/commands/deploy-dashboard.js +117 -0
  16. package/dist/src/commands/deploy-dashboard.js.map +1 -0
  17. package/dist/src/index.d.ts +96 -0
  18. package/dist/src/index.js +15765 -0
  19. package/dist/src/index.js.map +1 -0
  20. package/package.json +65 -0
package/dashboard/dist/data.json ADDED
@@ -0,0 +1,926 @@
1
+ {
2
+ "lastScan": {
3
+ "scanStart": "2026-04-10T09:39:33.943Z",
4
+ "scanEnd": "2026-04-10T09:39:57.022Z",
5
+ "region": "cn-north-1",
6
+ "accountId": "468254682119",
7
+ "summary": {
8
+ "totalFindings": 50,
9
+ "critical": 2,
10
+ "high": 3,
11
+ "medium": 13,
12
+ "low": 32,
13
+ "modulesSuccess": 7,
14
+ "modulesError": 0
15
+ },
16
+ "modules": [
17
+ {
18
+ "module": "security_group",
19
+ "findingsCount": 0,
20
+ "status": "success"
21
+ },
22
+ {
23
+ "module": "s3",
24
+ "findingsCount": 33,
25
+ "status": "success"
26
+ },
27
+ {
28
+ "module": "iam",
29
+ "findingsCount": 3,
30
+ "status": "success"
31
+ },
32
+ {
33
+ "module": "cloudtrail",
34
+ "findingsCount": 3,
35
+ "status": "success"
36
+ },
37
+ {
38
+ "module": "rds",
39
+ "findingsCount": 0,
40
+ "status": "success"
41
+ },
42
+ {
43
+ "module": "ebs",
44
+ "findingsCount": 11,
45
+ "status": "success"
46
+ },
47
+ {
48
+ "module": "vpc",
49
+ "findingsCount": 0,
50
+ "status": "success"
51
+ }
52
+ ],
53
+ "findings": [
54
+ {
55
+ "riskScore": 8.5,
56
+ "title": "Account-level S3 Block Public Access is not configured",
57
+ "resourceType": "AWS::S3::AccountPublicAccessBlock",
58
+ "resourceId": "468254682119",
59
+ "resourceArn": "arn:aws-cn:iam::468254682119:root",
60
+ "region": "global",
61
+ "description": "Account 468254682119 has no Block Public Access configuration set at the account level.",
62
+ "impact": "There is no account-level safeguard against public S3 bucket access.",
63
+ "remediationSteps": [
64
+ "Enable all four Block Public Access settings at the account level."
65
+ ],
66
+ "severity": "HIGH",
67
+ "priority": "P1",
68
+ "module": "s3"
69
+ },
70
+ {
71
+ "riskScore": 3,
72
+ "title": "S3 bucket auto-sg-update-stack-cloudtraillogbucket-6xueze51oacf does not have versioning enabled",
73
+ "resourceType": "AWS::S3::Bucket",
74
+ "resourceId": "auto-sg-update-stack-cloudtraillogbucket-6xueze51oacf",
75
+ "resourceArn": "arn:aws-cn:s3:::auto-sg-update-stack-cloudtraillogbucket-6xueze51oacf",
76
+ "region": "cn-north-1",
77
+ "description": "Bucket \"auto-sg-update-stack-cloudtraillogbucket-6xueze51oacf\" versioning is not set.",
78
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
79
+ "remediationSteps": [
80
+ "Enable versioning on the bucket.",
81
+ "Consider adding lifecycle rules to manage version storage costs."
82
+ ],
83
+ "severity": "LOW",
84
+ "priority": "P3",
85
+ "module": "s3"
86
+ },
87
+ {
88
+ "riskScore": 3,
89
+ "title": "S3 bucket auto-sg-update-stack-cloudtraillogbucket-u990nisosy1p does not have versioning enabled",
90
+ "resourceType": "AWS::S3::Bucket",
91
+ "resourceId": "auto-sg-update-stack-cloudtraillogbucket-u990nisosy1p",
92
+ "resourceArn": "arn:aws-cn:s3:::auto-sg-update-stack-cloudtraillogbucket-u990nisosy1p",
93
+ "region": "cn-northwest-1",
94
+ "description": "Bucket \"auto-sg-update-stack-cloudtraillogbucket-u990nisosy1p\" versioning is not set.",
95
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
96
+ "remediationSteps": [
97
+ "Enable versioning on the bucket.",
98
+ "Consider adding lifecycle rules to manage version storage costs."
99
+ ],
100
+ "severity": "LOW",
101
+ "priority": "P3",
102
+ "module": "s3"
103
+ },
104
+ {
105
+ "riskScore": 3,
106
+ "title": "S3 bucket aws-announcements does not have versioning enabled",
107
+ "resourceType": "AWS::S3::Bucket",
108
+ "resourceId": "aws-announcements",
109
+ "resourceArn": "arn:aws-cn:s3:::aws-announcements",
110
+ "region": "cn-north-1",
111
+ "description": "Bucket \"aws-announcements\" versioning is not set.",
112
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
113
+ "remediationSteps": [
114
+ "Enable versioning on the bucket.",
115
+ "Consider adding lifecycle rules to manage version storage costs."
116
+ ],
117
+ "severity": "LOW",
118
+ "priority": "P3",
119
+ "module": "s3"
120
+ },
121
+ {
122
+ "riskScore": 3,
123
+ "title": "S3 bucket aws-cloudtrail-logs-468254682119-f51cea71 does not have versioning enabled",
124
+ "resourceType": "AWS::S3::Bucket",
125
+ "resourceId": "aws-cloudtrail-logs-468254682119-f51cea71",
126
+ "resourceArn": "arn:aws-cn:s3:::aws-cloudtrail-logs-468254682119-f51cea71",
127
+ "region": "cn-north-1",
128
+ "description": "Bucket \"aws-cloudtrail-logs-468254682119-f51cea71\" versioning is not set.",
129
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
130
+ "remediationSteps": [
131
+ "Enable versioning on the bucket.",
132
+ "Consider adding lifecycle rules to manage version storage costs."
133
+ ],
134
+ "severity": "LOW",
135
+ "priority": "P3",
136
+ "module": "s3"
137
+ },
138
+ {
139
+ "riskScore": 3,
140
+ "title": "S3 bucket aws-logs-468254682119-cn-north-1 does not have versioning enabled",
141
+ "resourceType": "AWS::S3::Bucket",
142
+ "resourceId": "aws-logs-468254682119-cn-north-1",
143
+ "resourceArn": "arn:aws-cn:s3:::aws-logs-468254682119-cn-north-1",
144
+ "region": "cn-north-1",
145
+ "description": "Bucket \"aws-logs-468254682119-cn-north-1\" versioning is not set.",
146
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
147
+ "remediationSteps": [
148
+ "Enable versioning on the bucket.",
149
+ "Consider adding lifecycle rules to manage version storage costs."
150
+ ],
151
+ "severity": "LOW",
152
+ "priority": "P3",
153
+ "module": "s3"
154
+ },
155
+ {
156
+ "riskScore": 3,
157
+ "title": "S3 bucket cf-templates-sa18zsjm1j5a-cn-north-1 does not have versioning enabled",
158
+ "resourceType": "AWS::S3::Bucket",
159
+ "resourceId": "cf-templates-sa18zsjm1j5a-cn-north-1",
160
+ "resourceArn": "arn:aws-cn:s3:::cf-templates-sa18zsjm1j5a-cn-north-1",
161
+ "region": "cn-north-1",
162
+ "description": "Bucket \"cf-templates-sa18zsjm1j5a-cn-north-1\" versioning is not set.",
163
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
164
+ "remediationSteps": [
165
+ "Enable versioning on the bucket.",
166
+ "Consider adding lifecycle rules to manage version storage costs."
167
+ ],
168
+ "severity": "LOW",
169
+ "priority": "P3",
170
+ "module": "s3"
171
+ },
172
+ {
173
+ "riskScore": 3,
174
+ "title": "S3 bucket cf-templates-sa18zsjm1j5a-cn-northwest-1 does not have versioning enabled",
175
+ "resourceType": "AWS::S3::Bucket",
176
+ "resourceId": "cf-templates-sa18zsjm1j5a-cn-northwest-1",
177
+ "resourceArn": "arn:aws-cn:s3:::cf-templates-sa18zsjm1j5a-cn-northwest-1",
178
+ "region": "cn-northwest-1",
179
+ "description": "Bucket \"cf-templates-sa18zsjm1j5a-cn-northwest-1\" versioning is not set.",
180
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
181
+ "remediationSteps": [
182
+ "Enable versioning on the bucket.",
183
+ "Consider adding lifecycle rules to manage version storage costs."
184
+ ],
185
+ "severity": "LOW",
186
+ "priority": "P3",
187
+ "module": "s3"
188
+ },
189
+ {
190
+ "riskScore": 3,
191
+ "title": "S3 bucket config-bucket-468254682119 does not have versioning enabled",
192
+ "resourceType": "AWS::S3::Bucket",
193
+ "resourceId": "config-bucket-468254682119",
194
+ "resourceArn": "arn:aws-cn:s3:::config-bucket-468254682119",
195
+ "region": "cn-northwest-1",
196
+ "description": "Bucket \"config-bucket-468254682119\" versioning is not set.",
197
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
198
+ "remediationSteps": [
199
+ "Enable versioning on the bucket.",
200
+ "Consider adding lifecycle rules to manage version storage costs."
201
+ ],
202
+ "severity": "LOW",
203
+ "priority": "P3",
204
+ "module": "s3"
205
+ },
206
+ {
207
+ "riskScore": 3,
208
+ "title": "S3 bucket customer-test does not have versioning enabled",
209
+ "resourceType": "AWS::S3::Bucket",
210
+ "resourceId": "customer-test",
211
+ "resourceArn": "arn:aws-cn:s3:::customer-test",
212
+ "region": "cn-north-1",
213
+ "description": "Bucket \"customer-test\" versioning is not set.",
214
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
215
+ "remediationSteps": [
216
+ "Enable versioning on the bucket.",
217
+ "Consider adding lifecycle rules to manage version storage costs."
218
+ ],
219
+ "severity": "LOW",
220
+ "priority": "P3",
221
+ "module": "s3"
222
+ },
223
+ {
224
+ "riskScore": 3,
225
+ "title": "S3 bucket deletetest does not have versioning enabled",
226
+ "resourceType": "AWS::S3::Bucket",
227
+ "resourceId": "deletetest",
228
+ "resourceArn": "arn:aws-cn:s3:::deletetest",
229
+ "region": "cn-northwest-1",
230
+ "description": "Bucket \"deletetest\" versioning is not set.",
231
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
232
+ "remediationSteps": [
233
+ "Enable versioning on the bucket.",
234
+ "Consider adding lifecycle rules to manage version storage costs."
235
+ ],
236
+ "severity": "LOW",
237
+ "priority": "P3",
238
+ "module": "s3"
239
+ },
240
+ {
241
+ "riskScore": 3,
242
+ "title": "S3 bucket elasticbeanstalk-cn-north-1-468254682119 does not have versioning enabled",
243
+ "resourceType": "AWS::S3::Bucket",
244
+ "resourceId": "elasticbeanstalk-cn-north-1-468254682119",
245
+ "resourceArn": "arn:aws-cn:s3:::elasticbeanstalk-cn-north-1-468254682119",
246
+ "region": "cn-north-1",
247
+ "description": "Bucket \"elasticbeanstalk-cn-north-1-468254682119\" versioning is not set.",
248
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
249
+ "remediationSteps": [
250
+ "Enable versioning on the bucket.",
251
+ "Consider adding lifecycle rules to manage version storage costs."
252
+ ],
253
+ "severity": "LOW",
254
+ "priority": "P3",
255
+ "module": "s3"
256
+ },
257
+ {
258
+ "riskScore": 3,
259
+ "title": "S3 bucket flowlog-query does not have versioning enabled",
260
+ "resourceType": "AWS::S3::Bucket",
261
+ "resourceId": "flowlog-query",
262
+ "resourceArn": "arn:aws-cn:s3:::flowlog-query",
263
+ "region": "cn-north-1",
264
+ "description": "Bucket \"flowlog-query\" versioning is not set.",
265
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
266
+ "remediationSteps": [
267
+ "Enable versioning on the bucket.",
268
+ "Consider adding lifecycle rules to manage version storage costs."
269
+ ],
270
+ "severity": "LOW",
271
+ "priority": "P3",
272
+ "module": "s3"
273
+ },
274
+ {
275
+ "riskScore": 3,
276
+ "title": "S3 bucket gluetest123 does not have versioning enabled",
277
+ "resourceType": "AWS::S3::Bucket",
278
+ "resourceId": "gluetest123",
279
+ "resourceArn": "arn:aws-cn:s3:::gluetest123",
280
+ "region": "cn-northwest-1",
281
+ "description": "Bucket \"gluetest123\" versioning is not set.",
282
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
283
+ "remediationSteps": [
284
+ "Enable versioning on the bucket.",
285
+ "Consider adding lifecycle rules to manage version storage costs."
286
+ ],
287
+ "severity": "LOW",
288
+ "priority": "P3",
289
+ "module": "s3"
290
+ },
291
+ {
292
+ "riskScore": 3,
293
+ "title": "S3 bucket new-announcement-1-layerbucket-qq68fwstawit does not have versioning enabled",
294
+ "resourceType": "AWS::S3::Bucket",
295
+ "resourceId": "new-announcement-1-layerbucket-qq68fwstawit",
296
+ "resourceArn": "arn:aws-cn:s3:::new-announcement-1-layerbucket-qq68fwstawit",
297
+ "region": "cn-north-1",
298
+ "description": "Bucket \"new-announcement-1-layerbucket-qq68fwstawit\" versioning is not set.",
299
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
300
+ "remediationSteps": [
301
+ "Enable versioning on the bucket.",
302
+ "Consider adding lifecycle rules to manage version storage costs."
303
+ ],
304
+ "severity": "LOW",
305
+ "priority": "P3",
306
+ "module": "s3"
307
+ },
308
+ {
309
+ "riskScore": 3,
310
+ "title": "S3 bucket new-announcement-layerbucket-mrdnacn5wydm does not have versioning enabled",
311
+ "resourceType": "AWS::S3::Bucket",
312
+ "resourceId": "new-announcement-layerbucket-mrdnacn5wydm",
313
+ "resourceArn": "arn:aws-cn:s3:::new-announcement-layerbucket-mrdnacn5wydm",
314
+ "region": "cn-north-1",
315
+ "description": "Bucket \"new-announcement-layerbucket-mrdnacn5wydm\" versioning is not set.",
316
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
317
+ "remediationSteps": [
318
+ "Enable versioning on the bucket.",
319
+ "Consider adding lifecycle rules to manage version storage costs."
320
+ ],
321
+ "severity": "LOW",
322
+ "priority": "P3",
323
+ "module": "s3"
324
+ },
325
+ {
326
+ "riskScore": 3,
327
+ "title": "S3 bucket niodbr does not have versioning enabled",
328
+ "resourceType": "AWS::S3::Bucket",
329
+ "resourceId": "niodbr",
330
+ "resourceArn": "arn:aws-cn:s3:::niodbr",
331
+ "region": "cn-north-1",
332
+ "description": "Bucket \"niodbr\" versioning is not set.",
333
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
334
+ "remediationSteps": [
335
+ "Enable versioning on the bucket.",
336
+ "Consider adding lifecycle rules to manage version storage costs."
337
+ ],
338
+ "severity": "LOW",
339
+ "priority": "P3",
340
+ "module": "s3"
341
+ },
342
+ {
343
+ "riskScore": 3,
344
+ "title": "S3 bucket s3-proxy-test does not have versioning enabled",
345
+ "resourceType": "AWS::S3::Bucket",
346
+ "resourceId": "s3-proxy-test",
347
+ "resourceArn": "arn:aws-cn:s3:::s3-proxy-test",
348
+ "region": "cn-north-1",
349
+ "description": "Bucket \"s3-proxy-test\" versioning is not set.",
350
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
351
+ "remediationSteps": [
352
+ "Enable versioning on the bucket.",
353
+ "Consider adding lifecycle rules to manage version storage costs."
354
+ ],
355
+ "severity": "LOW",
356
+ "priority": "P3",
357
+ "module": "s3"
358
+ },
359
+ {
360
+ "riskScore": 3,
361
+ "title": "S3 bucket s3-sync-source does not have versioning enabled",
362
+ "resourceType": "AWS::S3::Bucket",
363
+ "resourceId": "s3-sync-source",
364
+ "resourceArn": "arn:aws-cn:s3:::s3-sync-source",
365
+ "region": "cn-northwest-1",
366
+ "description": "Bucket \"s3-sync-source\" versioning is not set.",
367
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
368
+ "remediationSteps": [
369
+ "Enable versioning on the bucket.",
370
+ "Consider adding lifecycle rules to manage version storage costs."
371
+ ],
372
+ "severity": "LOW",
373
+ "priority": "P3",
374
+ "module": "s3"
375
+ },
376
+ {
377
+ "riskScore": 3,
378
+ "title": "S3 bucket sagemaker-studio-468254682119-4buvn7imlhw does not have versioning enabled",
379
+ "resourceType": "AWS::S3::Bucket",
380
+ "resourceId": "sagemaker-studio-468254682119-4buvn7imlhw",
381
+ "resourceArn": "arn:aws-cn:s3:::sagemaker-studio-468254682119-4buvn7imlhw",
382
+ "region": "cn-north-1",
383
+ "description": "Bucket \"sagemaker-studio-468254682119-4buvn7imlhw\" versioning is not set.",
384
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
385
+ "remediationSteps": [
386
+ "Enable versioning on the bucket.",
387
+ "Consider adding lifecycle rules to manage version storage costs."
388
+ ],
389
+ "severity": "LOW",
390
+ "priority": "P3",
391
+ "module": "s3"
392
+ },
393
+ {
394
+ "riskScore": 3,
395
+ "title": "S3 bucket sagemaker-studio-468254682119-5rby7mo1jdj does not have versioning enabled",
396
+ "resourceType": "AWS::S3::Bucket",
397
+ "resourceId": "sagemaker-studio-468254682119-5rby7mo1jdj",
398
+ "resourceArn": "arn:aws-cn:s3:::sagemaker-studio-468254682119-5rby7mo1jdj",
399
+ "region": "cn-north-1",
400
+ "description": "Bucket \"sagemaker-studio-468254682119-5rby7mo1jdj\" versioning is not set.",
401
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
402
+ "remediationSteps": [
403
+ "Enable versioning on the bucket.",
404
+ "Consider adding lifecycle rules to manage version storage costs."
405
+ ],
406
+ "severity": "LOW",
407
+ "priority": "P3",
408
+ "module": "s3"
409
+ },
410
+ {
411
+ "riskScore": 3,
412
+ "title": "S3 bucket sagemaker-studio-468254682119-ki9n6806iyk does not have versioning enabled",
413
+ "resourceType": "AWS::S3::Bucket",
414
+ "resourceId": "sagemaker-studio-468254682119-ki9n6806iyk",
415
+ "resourceArn": "arn:aws-cn:s3:::sagemaker-studio-468254682119-ki9n6806iyk",
416
+ "region": "cn-northwest-1",
417
+ "description": "Bucket \"sagemaker-studio-468254682119-ki9n6806iyk\" versioning is not set.",
418
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
419
+ "remediationSteps": [
420
+ "Enable versioning on the bucket.",
421
+ "Consider adding lifecycle rules to manage version storage costs."
422
+ ],
423
+ "severity": "LOW",
424
+ "priority": "P3",
425
+ "module": "s3"
426
+ },
427
+ {
428
+ "riskScore": 3,
429
+ "title": "S3 bucket sagemaker-studio-468254682119-xfg0l0rg8s does not have versioning enabled",
430
+ "resourceType": "AWS::S3::Bucket",
431
+ "resourceId": "sagemaker-studio-468254682119-xfg0l0rg8s",
432
+ "resourceArn": "arn:aws-cn:s3:::sagemaker-studio-468254682119-xfg0l0rg8s",
433
+ "region": "cn-north-1",
434
+ "description": "Bucket \"sagemaker-studio-468254682119-xfg0l0rg8s\" versioning is not set.",
435
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
436
+ "remediationSteps": [
437
+ "Enable versioning on the bucket.",
438
+ "Consider adding lifecycle rules to manage version storage costs."
439
+ ],
440
+ "severity": "LOW",
441
+ "priority": "P3",
442
+ "module": "s3"
443
+ },
444
+ {
445
+ "riskScore": 3,
446
+ "title": "S3 bucket terraform-states-test does not have versioning enabled",
447
+ "resourceType": "AWS::S3::Bucket",
448
+ "resourceId": "terraform-states-test",
449
+ "resourceArn": "arn:aws-cn:s3:::terraform-states-test",
450
+ "region": "cn-north-1",
451
+ "description": "Bucket \"terraform-states-test\" versioning is not set.",
452
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
453
+ "remediationSteps": [
454
+ "Enable versioning on the bucket.",
455
+ "Consider adding lifecycle rules to manage version storage costs."
456
+ ],
457
+ "severity": "LOW",
458
+ "priority": "P3",
459
+ "module": "s3"
460
+ },
461
+ {
462
+ "riskScore": 3,
463
+ "title": "S3 bucket tesla-cur does not have versioning enabled",
464
+ "resourceType": "AWS::S3::Bucket",
465
+ "resourceId": "tesla-cur",
466
+ "resourceArn": "arn:aws-cn:s3:::tesla-cur",
467
+ "region": "cn-north-1",
468
+ "description": "Bucket \"tesla-cur\" versioning is not set.",
469
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
470
+ "remediationSteps": [
471
+ "Enable versioning on the bucket.",
472
+ "Consider adding lifecycle rules to manage version storage costs."
473
+ ],
474
+ "severity": "LOW",
475
+ "priority": "P3",
476
+ "module": "s3"
477
+ },
478
+ {
479
+ "riskScore": 3,
480
+ "title": "S3 bucket tesla-dbr does not have versioning enabled",
481
+ "resourceType": "AWS::S3::Bucket",
482
+ "resourceId": "tesla-dbr",
483
+ "resourceArn": "arn:aws-cn:s3:::tesla-dbr",
484
+ "region": "cn-north-1",
485
+ "description": "Bucket \"tesla-dbr\" versioning is not set.",
486
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
487
+ "remediationSteps": [
488
+ "Enable versioning on the bucket.",
489
+ "Consider adding lifecycle rules to manage version storage costs."
490
+ ],
491
+ "severity": "LOW",
492
+ "priority": "P3",
493
+ "module": "s3"
494
+ },
495
+ {
496
+ "riskScore": 3,
497
+ "title": "S3 bucket test-s3-access-log does not have versioning enabled",
498
+ "resourceType": "AWS::S3::Bucket",
499
+ "resourceId": "test-s3-access-log",
500
+ "resourceArn": "arn:aws-cn:s3:::test-s3-access-log",
501
+ "region": "cn-north-1",
502
+ "description": "Bucket \"test-s3-access-log\" versioning is not set.",
503
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
504
+ "remediationSteps": [
505
+ "Enable versioning on the bucket.",
506
+ "Consider adding lifecycle rules to manage version storage costs."
507
+ ],
508
+ "severity": "LOW",
509
+ "priority": "P3",
510
+ "module": "s3"
511
+ },
512
+ {
513
+ "riskScore": 3,
514
+ "title": "S3 bucket test-volvo does not have versioning enabled",
515
+ "resourceType": "AWS::S3::Bucket",
516
+ "resourceId": "test-volvo",
517
+ "resourceArn": "arn:aws-cn:s3:::test-volvo",
518
+ "region": "cn-north-1",
519
+ "description": "Bucket \"test-volvo\" versioning is not set.",
520
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
521
+ "remediationSteps": [
522
+ "Enable versioning on the bucket.",
523
+ "Consider adding lifecycle rules to manage version storage costs."
524
+ ],
525
+ "severity": "LOW",
526
+ "priority": "P3",
527
+ "module": "s3"
528
+ },
529
+ {
530
+ "riskScore": 3,
531
+ "title": "S3 bucket volvo123 does not have versioning enabled",
532
+ "resourceType": "AWS::S3::Bucket",
533
+ "resourceId": "volvo123",
534
+ "resourceArn": "arn:aws-cn:s3:::volvo123",
535
+ "region": "cn-north-1",
536
+ "description": "Bucket \"volvo123\" versioning is not set.",
537
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
538
+ "remediationSteps": [
539
+ "Enable versioning on the bucket.",
540
+ "Consider adding lifecycle rules to manage version storage costs."
541
+ ],
542
+ "severity": "LOW",
543
+ "priority": "P3",
544
+ "module": "s3"
545
+ },
546
+ {
547
+ "riskScore": 3,
548
+ "title": "S3 bucket webtest does not have versioning enabled",
549
+ "resourceType": "AWS::S3::Bucket",
550
+ "resourceId": "webtest",
551
+ "resourceArn": "arn:aws-cn:s3:::webtest",
552
+ "region": "cn-north-1",
553
+ "description": "Bucket \"webtest\" versioning is not set.",
554
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
555
+ "remediationSteps": [
556
+ "Enable versioning on the bucket.",
557
+ "Consider adding lifecycle rules to manage version storage costs."
558
+ ],
559
+ "severity": "LOW",
560
+ "priority": "P3",
561
+ "module": "s3"
562
+ },
563
+ {
564
+ "riskScore": 3,
565
+ "title": "S3 bucket will does not have versioning enabled",
566
+ "resourceType": "AWS::S3::Bucket",
567
+ "resourceId": "will",
568
+ "resourceArn": "arn:aws-cn:s3:::will",
569
+ "region": "cn-north-1",
570
+ "description": "Bucket \"will\" versioning is not set.",
571
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
572
+ "remediationSteps": [
573
+ "Enable versioning on the bucket.",
574
+ "Consider adding lifecycle rules to manage version storage costs."
575
+ ],
576
+ "severity": "LOW",
577
+ "priority": "P3",
578
+ "module": "s3"
579
+ },
580
+ {
581
+ "riskScore": 3,
582
+ "title": "S3 bucket will-flowlog does not have versioning enabled",
583
+ "resourceType": "AWS::S3::Bucket",
584
+ "resourceId": "will-flowlog",
585
+ "resourceArn": "arn:aws-cn:s3:::will-flowlog",
586
+ "region": "cn-north-1",
587
+ "description": "Bucket \"will-flowlog\" versioning is not set.",
588
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
589
+ "remediationSteps": [
590
+ "Enable versioning on the bucket.",
591
+ "Consider adding lifecycle rules to manage version storage costs."
592
+ ],
593
+ "severity": "LOW",
594
+ "priority": "P3",
595
+ "module": "s3"
596
+ },
597
+ {
598
+ "riskScore": 3,
599
+ "title": "S3 bucket will-pc-backup does not have versioning enabled",
600
+ "resourceType": "AWS::S3::Bucket",
601
+ "resourceId": "will-pc-backup",
602
+ "resourceArn": "arn:aws-cn:s3:::will-pc-backup",
603
+ "region": "cn-north-1",
604
+ "description": "Bucket \"will-pc-backup\" versioning is not set.",
605
+ "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
606
+ "remediationSteps": [
607
+ "Enable versioning on the bucket.",
608
+ "Consider adding lifecycle rules to manage version storage costs."
609
+ ],
610
+ "severity": "LOW",
611
+ "priority": "P3",
612
+ "module": "s3"
613
+ },
614
+ {
615
+ "riskScore": 10,
616
+ "title": "Root account does not have MFA enabled",
617
+ "resourceType": "AWS::IAM::Root",
618
+ "resourceId": "root",
619
+ "resourceArn": "arn:aws-cn:iam::468254682119:root",
620
+ "region": "global",
621
+ "description": "The AWS root account does not have multi-factor authentication enabled.",
622
+ "impact": "Compromised root credentials would grant unrestricted access to all AWS resources with no second factor of authentication.",
623
+ "remediationSteps": [
624
+ "Enable MFA on the root account immediately using a hardware or virtual MFA device.",
625
+ "Store the MFA device in a secure location.",
626
+ "Avoid using the root account for daily operations."
627
+ ],
628
+ "severity": "CRITICAL",
629
+ "priority": "P0",
630
+ "module": "iam"
631
+ },
632
+ {
633
+ "riskScore": 9.5,
634
+ "title": "Root account has active access keys",
635
+ "resourceType": "AWS::IAM::Root",
636
+ "resourceId": "root",
637
+ "resourceArn": "arn:aws-cn:iam::468254682119:root",
638
+ "region": "global",
639
+ "description": "The root account has one or more active access keys.",
640
+ "impact": "Access keys for the root account provide unrestricted API access. If leaked, the entire account is compromised.",
641
+ "remediationSteps": [
642
+ "Delete all root account access keys.",
643
+ "Use IAM users or roles with least-privilege policies instead."
644
+ ],
645
+ "severity": "CRITICAL",
646
+ "priority": "P0",
647
+ "module": "iam"
648
+ },
649
+ {
650
+ "riskScore": 7.5,
651
+ "title": "IAM user hzhaoam has access key older than 90 days",
652
+ "resourceType": "AWS::IAM::AccessKey",
653
+ "resourceId": "AKIAW2BRHNQD6OGWH6VQ",
654
+ "resourceArn": "arn:aws-cn:iam::468254682119:user/hzhaoam",
655
+ "region": "global",
656
+ "description": "Access key AKIAW2BRHNQD6OGWH6VQ for user \"hzhaoam\" is 1799 days old.",
657
+ "impact": "Old access keys are more likely to have been exposed or leaked over time.",
658
+ "remediationSteps": [
659
+ "Rotate the access key by creating a new key and deleting the old one.",
660
+ "Implement an access key rotation policy (maximum 90 days).",
661
+ "Consider using IAM roles or temporary credentials instead."
662
+ ],
663
+ "severity": "HIGH",
664
+ "priority": "P1",
665
+ "module": "iam"
666
+ },
667
+ {
668
+ "riskScore": 5.5,
669
+ "title": "CloudTrail trail nwcd-org-cloudtrail-logs not integrated with CloudWatch Logs",
670
+ "resourceType": "AWS::CloudTrail::Trail",
671
+ "resourceId": "nwcd-org-cloudtrail-logs",
672
+ "resourceArn": "arn:aws-cn:cloudtrail:cn-northwest-1:362115975032:trail/nwcd-org-cloudtrail-logs",
673
+ "region": "cn-north-1",
674
+ "description": "Trail \"nwcd-org-cloudtrail-logs\" is not configured to deliver logs to CloudWatch Logs.",
675
+ "impact": "Real-time monitoring and alerting on API activity is not possible without CloudWatch Logs integration.",
676
+ "remediationSteps": [
677
+ "Configure the trail to deliver logs to a CloudWatch Logs log group.",
678
+ "Create metric filters and alarms for critical security events."
679
+ ],
680
+ "severity": "MEDIUM",
681
+ "priority": "P2",
682
+ "module": "cloudtrail"
683
+ },
684
+ {
685
+ "riskScore": 6,
686
+ "title": "CloudTrail trail test-management-events has no log file validation",
687
+ "resourceType": "AWS::CloudTrail::Trail",
688
+ "resourceId": "test-management-events",
689
+ "resourceArn": "arn:aws-cn:cloudtrail:cn-north-1:468254682119:trail/test-management-events",
690
+ "region": "cn-north-1",
691
+ "description": "Trail \"test-management-events\" does not have log file validation enabled.",
692
+ "impact": "Log files could be modified or deleted without detection, undermining audit integrity.",
693
+ "remediationSteps": [
694
+ "Enable log file validation on the trail.",
695
+ "This creates digest files that can be used to verify log integrity."
696
+ ],
697
+ "severity": "MEDIUM",
698
+ "priority": "P2",
699
+ "module": "cloudtrail"
700
+ },
701
+ {
702
+ "riskScore": 5.5,
703
+ "title": "CloudTrail trail test-management-events not integrated with CloudWatch Logs",
704
+ "resourceType": "AWS::CloudTrail::Trail",
705
+ "resourceId": "test-management-events",
706
+ "resourceArn": "arn:aws-cn:cloudtrail:cn-north-1:468254682119:trail/test-management-events",
707
+ "region": "cn-north-1",
708
+ "description": "Trail \"test-management-events\" is not configured to deliver logs to CloudWatch Logs.",
709
+ "impact": "Real-time monitoring and alerting on API activity is not possible without CloudWatch Logs integration.",
710
+ "remediationSteps": [
711
+ "Configure the trail to deliver logs to a CloudWatch Logs log group.",
712
+ "Create metric filters and alarms for critical security events."
713
+ ],
714
+ "severity": "MEDIUM",
715
+ "priority": "P2",
716
+ "module": "cloudtrail"
717
+ },
718
+ {
719
+ "riskScore": 7,
720
+ "title": "EBS default encryption is not enabled in cn-north-1",
721
+ "resourceType": "AWS::EC2::EBSDefaultEncryption",
722
+ "resourceId": "ebs-default-cn-north-1",
723
+ "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:ebs-default-encryption",
724
+ "region": "cn-north-1",
725
+ "description": "EBS default encryption is not enabled in region cn-north-1.",
726
+ "impact": "Newly created EBS volumes will not be encrypted by default, requiring manual encryption per volume.",
727
+ "remediationSteps": [
728
+ "Enable EBS encryption by default for the region using the EC2 console or API.",
729
+ "This ensures all new volumes and snapshots are automatically encrypted."
730
+ ],
731
+ "severity": "HIGH",
732
+ "priority": "P1",
733
+ "module": "ebs"
734
+ },
735
+ {
736
+ "riskScore": 6,
737
+ "title": "EBS volume vol-0eac0a11ed76b3c38 is not encrypted",
738
+ "resourceType": "AWS::EC2::Volume",
739
+ "resourceId": "vol-0eac0a11ed76b3c38",
740
+ "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:volume/vol-0eac0a11ed76b3c38",
741
+ "region": "cn-north-1",
742
+ "description": "EBS volume \"vol-0eac0a11ed76b3c38\" (200GB, in-use) is not encrypted.",
743
+ "impact": "Data on this volume is stored unencrypted. A compromised snapshot or physical media could expose data.",
744
+ "remediationSteps": [
745
+ "Create an encrypted snapshot of this volume.",
746
+ "Create a new encrypted volume from the snapshot.",
747
+ "Migrate data to the new encrypted volume and delete the old one."
748
+ ],
749
+ "severity": "MEDIUM",
750
+ "priority": "P2",
751
+ "module": "ebs"
752
+ },
753
+ {
754
+ "riskScore": 6,
755
+ "title": "EBS volume vol-0df6a1e35847c7e77 is not encrypted",
756
+ "resourceType": "AWS::EC2::Volume",
757
+ "resourceId": "vol-0df6a1e35847c7e77",
758
+ "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:volume/vol-0df6a1e35847c7e77",
759
+ "region": "cn-north-1",
760
+ "description": "EBS volume \"vol-0df6a1e35847c7e77\" (40GB, in-use) is not encrypted.",
761
+ "impact": "Data on this volume is stored unencrypted. A compromised snapshot or physical media could expose data.",
762
+ "remediationSteps": [
763
+ "Create an encrypted snapshot of this volume.",
764
+ "Create a new encrypted volume from the snapshot.",
765
+ "Migrate data to the new encrypted volume and delete the old one."
766
+ ],
767
+ "severity": "MEDIUM",
768
+ "priority": "P2",
769
+ "module": "ebs"
770
+ },
771
+ {
772
+ "riskScore": 6,
773
+ "title": "EBS volume vol-0c92b56ebb3aa05ae is not encrypted",
774
+ "resourceType": "AWS::EC2::Volume",
775
+ "resourceId": "vol-0c92b56ebb3aa05ae",
776
+ "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:volume/vol-0c92b56ebb3aa05ae",
777
+ "region": "cn-north-1",
778
+ "description": "EBS volume \"vol-0c92b56ebb3aa05ae\" (500GB, in-use) is not encrypted.",
779
+ "impact": "Data on this volume is stored unencrypted. A compromised snapshot or physical media could expose data.",
780
+ "remediationSteps": [
781
+ "Create an encrypted snapshot of this volume.",
782
+ "Create a new encrypted volume from the snapshot.",
783
+ "Migrate data to the new encrypted volume and delete the old one."
784
+ ],
785
+ "severity": "MEDIUM",
786
+ "priority": "P2",
787
+ "module": "ebs"
788
+ },
789
+ {
790
+ "riskScore": 5.5,
791
+ "title": "EBS snapshot snap-055bc19828e4e3092 is not encrypted",
792
+ "resourceType": "AWS::EC2::Snapshot",
793
+ "resourceId": "snap-055bc19828e4e3092",
794
+ "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-055bc19828e4e3092",
795
+ "region": "cn-north-1",
796
+ "description": "EBS snapshot \"snap-055bc19828e4e3092\" (volume: vol-05f6c4160ac0a93e6) is not encrypted.",
797
+ "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
798
+ "remediationSteps": [
799
+ "Copy the snapshot with encryption enabled.",
800
+ "Delete the unencrypted snapshot after verifying the encrypted copy."
801
+ ],
802
+ "severity": "MEDIUM",
803
+ "priority": "P2",
804
+ "module": "ebs"
805
+ },
806
+ {
807
+ "riskScore": 5.5,
808
+ "title": "EBS snapshot snap-031bfc4c9db6428ef is not encrypted",
809
+ "resourceType": "AWS::EC2::Snapshot",
810
+ "resourceId": "snap-031bfc4c9db6428ef",
811
+ "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-031bfc4c9db6428ef",
812
+ "region": "cn-north-1",
813
+ "description": "EBS snapshot \"snap-031bfc4c9db6428ef\" (volume: vol-0d6aaae479efcf0b0) is not encrypted.",
814
+ "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
815
+ "remediationSteps": [
816
+ "Copy the snapshot with encryption enabled.",
817
+ "Delete the unencrypted snapshot after verifying the encrypted copy."
818
+ ],
819
+ "severity": "MEDIUM",
820
+ "priority": "P2",
821
+ "module": "ebs"
822
+ },
823
+ {
824
+ "riskScore": 5.5,
825
+ "title": "EBS snapshot snap-0f4dbd4e045f4f9e3 is not encrypted",
826
+ "resourceType": "AWS::EC2::Snapshot",
827
+ "resourceId": "snap-0f4dbd4e045f4f9e3",
828
+ "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-0f4dbd4e045f4f9e3",
829
+ "region": "cn-north-1",
830
+ "description": "EBS snapshot \"snap-0f4dbd4e045f4f9e3\" (volume: vol-0be166f626acbc0c3) is not encrypted.",
831
+ "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
832
+ "remediationSteps": [
833
+ "Copy the snapshot with encryption enabled.",
834
+ "Delete the unencrypted snapshot after verifying the encrypted copy."
835
+ ],
836
+ "severity": "MEDIUM",
837
+ "priority": "P2",
838
+ "module": "ebs"
839
+ },
840
+ {
841
+ "riskScore": 5.5,
842
+ "title": "EBS snapshot snap-0ef0b31b558e620d4 is not encrypted",
843
+ "resourceType": "AWS::EC2::Snapshot",
844
+ "resourceId": "snap-0ef0b31b558e620d4",
845
+ "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-0ef0b31b558e620d4",
846
+ "region": "cn-north-1",
847
+ "description": "EBS snapshot \"snap-0ef0b31b558e620d4\" (volume: vol-0df6a1e35847c7e77) is not encrypted.",
848
+ "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
849
+ "remediationSteps": [
850
+ "Copy the snapshot with encryption enabled.",
851
+ "Delete the unencrypted snapshot after verifying the encrypted copy."
852
+ ],
853
+ "severity": "MEDIUM",
854
+ "priority": "P2",
855
+ "module": "ebs"
856
+ },
857
+ {
858
+ "riskScore": 5.5,
859
+ "title": "EBS snapshot snap-0e0f19b1ae5393d69 is not encrypted",
860
+ "resourceType": "AWS::EC2::Snapshot",
861
+ "resourceId": "snap-0e0f19b1ae5393d69",
862
+ "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-0e0f19b1ae5393d69",
863
+ "region": "cn-north-1",
864
+ "description": "EBS snapshot \"snap-0e0f19b1ae5393d69\" (volume: vol-0df6a1e35847c7e77) is not encrypted.",
865
+ "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
866
+ "remediationSteps": [
867
+ "Copy the snapshot with encryption enabled.",
868
+ "Delete the unencrypted snapshot after verifying the encrypted copy."
869
+ ],
870
+ "severity": "MEDIUM",
871
+ "priority": "P2",
872
+ "module": "ebs"
873
+ },
874
+ {
875
+ "riskScore": 5.5,
876
+ "title": "EBS snapshot snap-050d8b9be81aa28a7 is not encrypted",
877
+ "resourceType": "AWS::EC2::Snapshot",
878
+ "resourceId": "snap-050d8b9be81aa28a7",
879
+ "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-050d8b9be81aa28a7",
880
+ "region": "cn-north-1",
881
+ "description": "EBS snapshot \"snap-050d8b9be81aa28a7\" (volume: vol-019b7411771fdd09d) is not encrypted.",
882
+ "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
883
+ "remediationSteps": [
884
+ "Copy the snapshot with encryption enabled.",
885
+ "Delete the unencrypted snapshot after verifying the encrypted copy."
886
+ ],
887
+ "severity": "MEDIUM",
888
+ "priority": "P2",
889
+ "module": "ebs"
890
+ },
891
+ {
892
+ "riskScore": 5.5,
893
+ "title": "EBS snapshot snap-00b95c437eab79cf6 is not encrypted",
894
+ "resourceType": "AWS::EC2::Snapshot",
895
+ "resourceId": "snap-00b95c437eab79cf6",
896
+ "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-00b95c437eab79cf6",
897
+ "region": "cn-north-1",
898
+ "description": "EBS snapshot \"snap-00b95c437eab79cf6\" (volume: vol-0eac0a11ed76b3c38) is not encrypted.",
899
+ "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
900
+ "remediationSteps": [
901
+ "Copy the snapshot with encryption enabled.",
902
+ "Delete the unencrypted snapshot after verifying the encrypted copy."
903
+ ],
904
+ "severity": "MEDIUM",
905
+ "priority": "P2",
906
+ "module": "ebs"
907
+ }
908
+ ]
909
+ },
910
+ "history": [
911
+ {
912
+ "date": "2026-04-10",
913
+ "score": 13,
914
+ "critical": 2,
915
+ "high": 3,
916
+ "medium": 13,
917
+ "low": 32,
918
+ "totalFindings": 50
919
+ }
920
+ ],
921
+ "meta": {
922
+ "generatedAt": "2026-04-10T09:39:57.024Z",
923
+ "version": "1.0.0",
924
+ "dataRetentionDays": 30
925
+ }
926
+ }