npm - aws-security-mcp - Versions diffs - 0.3.0 → 0.4.0 - Mend

aws-security-mcp 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +118 -42
package/dashboard/dist/assets/index-CQyERuqT.css +2 -0
package/dashboard/dist/data.json +167 -758
package/dashboard/dist/index.html +2 -2
package/dist/bin/aws-security-mcp.js +2812 -3517
package/dist/bin/aws-security-mcp.js.map +1 -1
package/dist/src/index.d.ts +38 -1
package/dist/src/index.js +2803 -3496
package/dist/src/index.js.map +1 -1
package/package.json +4 -4
package/templates/stackset-audit-role.json +55 -0
package/templates/stackset-audit-role.yaml +44 -0
package/dashboard/dist/assets/index-DCplBiuM.css +0 -2
/package/dashboard/dist/assets/{index-jFq0Af8S.js → index-BYE-UdjR.js} +0 -0

package/dashboard/dist/data.json CHANGED Viewed

@@ -5,887 +5,296 @@
     "region": "cn-north-1",
     "accountId": "468254682119",
     "summary": {
-      "totalFindings": 48,
+      "totalFindings": 12,
       "critical": 0,
-      "high": 3,
-      "medium": 13,
-      "low": 32,
-      "modulesSuccess": 8,
+      "high": 2,
+      "medium": 5,
+      "low": 5,
+      "modulesSuccess": 14,
       "modulesError": 0
     },
     "modules": [
       {
-        "module": "security_group",
-        "findingsCount": 0,
-        "status": "success"
-      },
-      {
-        "module": "s3",
-        "findingsCount": 33,
+        "module": "service_detection",
+        "findingsCount": 2,
         "status": "success"
       },
       {
-        "module": "iam",
-        "findingsCount": 1,
+        "module": "secret_exposure",
+        "findingsCount": 0,
         "status": "success"
       },
       {
-        "module": "cloudtrail",
-        "findingsCount": 3,
+        "module": "ssl_certificate",
+        "findingsCount": 0,
         "status": "success"
       },
       {
-        "module": "rds",
+        "module": "dns_dangling",
         "findingsCount": 0,
         "status": "success"
       },
       {
-        "module": "ebs",
-        "findingsCount": 11,
+        "module": "network_reachability",
+        "findingsCount": 1,
         "status": "success"
       },
       {
-        "module": "vpc",
-        "findingsCount": 0,
+        "module": "iam_privilege_escalation",
+        "findingsCount": 1,
         "status": "success"
       },
       {
-        "module": "service_detection",
+        "module": "public_access_verify",
         "findingsCount": 0,
         "status": "success"
-      }
-    ],
-    "findings": [
-      {
-        "riskScore": 8.5,
-        "title": "Account-level S3 Block Public Access is not configured",
-        "resourceType": "AWS::S3::AccountPublicAccessBlock",
-        "resourceId": "468254682119",
-        "resourceArn": "arn:aws-cn:iam::468254682119:root",
-        "region": "global",
-        "description": "Account 468254682119 has no Block Public Access configuration set at the account level.",
-        "impact": "There is no account-level safeguard against public S3 bucket access.",
-        "remediationSteps": [
-          "Enable all four Block Public Access settings at the account level."
-        ],
-        "severity": "HIGH",
-        "priority": "P1",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket auto-sg-update-stack-cloudtraillogbucket-6xueze51oacf does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "auto-sg-update-stack-cloudtraillogbucket-6xueze51oacf",
-        "resourceArn": "arn:aws-cn:s3:::auto-sg-update-stack-cloudtraillogbucket-6xueze51oacf",
-        "region": "cn-north-1",
-        "description": "Bucket \"auto-sg-update-stack-cloudtraillogbucket-6xueze51oacf\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket auto-sg-update-stack-cloudtraillogbucket-u990nisosy1p does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "auto-sg-update-stack-cloudtraillogbucket-u990nisosy1p",
-        "resourceArn": "arn:aws-cn:s3:::auto-sg-update-stack-cloudtraillogbucket-u990nisosy1p",
-        "region": "cn-northwest-1",
-        "description": "Bucket \"auto-sg-update-stack-cloudtraillogbucket-u990nisosy1p\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket aws-announcements does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "aws-announcements",
-        "resourceArn": "arn:aws-cn:s3:::aws-announcements",
-        "region": "cn-north-1",
-        "description": "Bucket \"aws-announcements\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
       },
       {
-        "riskScore": 3,
-        "title": "S3 bucket aws-cloudtrail-logs-468254682119-f51cea71 does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "aws-cloudtrail-logs-468254682119-f51cea71",
-        "resourceArn": "arn:aws-cn:s3:::aws-cloudtrail-logs-468254682119-f51cea71",
-        "region": "cn-north-1",
-        "description": "Bucket \"aws-cloudtrail-logs-468254682119-f51cea71\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket aws-logs-468254682119-cn-north-1 does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "aws-logs-468254682119-cn-north-1",
-        "resourceArn": "arn:aws-cn:s3:::aws-logs-468254682119-cn-north-1",
-        "region": "cn-north-1",
-        "description": "Bucket \"aws-logs-468254682119-cn-north-1\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket cf-templates-sa18zsjm1j5a-cn-north-1 does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "cf-templates-sa18zsjm1j5a-cn-north-1",
-        "resourceArn": "arn:aws-cn:s3:::cf-templates-sa18zsjm1j5a-cn-north-1",
-        "region": "cn-north-1",
-        "description": "Bucket \"cf-templates-sa18zsjm1j5a-cn-north-1\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket cf-templates-sa18zsjm1j5a-cn-northwest-1 does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "cf-templates-sa18zsjm1j5a-cn-northwest-1",
-        "resourceArn": "arn:aws-cn:s3:::cf-templates-sa18zsjm1j5a-cn-northwest-1",
-        "region": "cn-northwest-1",
-        "description": "Bucket \"cf-templates-sa18zsjm1j5a-cn-northwest-1\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket config-bucket-468254682119 does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "config-bucket-468254682119",
-        "resourceArn": "arn:aws-cn:s3:::config-bucket-468254682119",
-        "region": "cn-northwest-1",
-        "description": "Bucket \"config-bucket-468254682119\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket customer-test does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "customer-test",
-        "resourceArn": "arn:aws-cn:s3:::customer-test",
-        "region": "cn-north-1",
-        "description": "Bucket \"customer-test\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket deletetest does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "deletetest",
-        "resourceArn": "arn:aws-cn:s3:::deletetest",
-        "region": "cn-northwest-1",
-        "description": "Bucket \"deletetest\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket elasticbeanstalk-cn-north-1-468254682119 does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "elasticbeanstalk-cn-north-1-468254682119",
-        "resourceArn": "arn:aws-cn:s3:::elasticbeanstalk-cn-north-1-468254682119",
-        "region": "cn-north-1",
-        "description": "Bucket \"elasticbeanstalk-cn-north-1-468254682119\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket flowlog-query does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "flowlog-query",
-        "resourceArn": "arn:aws-cn:s3:::flowlog-query",
-        "region": "cn-north-1",
-        "description": "Bucket \"flowlog-query\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket gluetest123 does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "gluetest123",
-        "resourceArn": "arn:aws-cn:s3:::gluetest123",
-        "region": "cn-northwest-1",
-        "description": "Bucket \"gluetest123\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket new-announcement-1-layerbucket-qq68fwstawit does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "new-announcement-1-layerbucket-qq68fwstawit",
-        "resourceArn": "arn:aws-cn:s3:::new-announcement-1-layerbucket-qq68fwstawit",
-        "region": "cn-north-1",
-        "description": "Bucket \"new-announcement-1-layerbucket-qq68fwstawit\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket new-announcement-layerbucket-mrdnacn5wydm does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "new-announcement-layerbucket-mrdnacn5wydm",
-        "resourceArn": "arn:aws-cn:s3:::new-announcement-layerbucket-mrdnacn5wydm",
-        "region": "cn-north-1",
-        "description": "Bucket \"new-announcement-layerbucket-mrdnacn5wydm\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket niodbr does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "niodbr",
-        "resourceArn": "arn:aws-cn:s3:::niodbr",
-        "region": "cn-north-1",
-        "description": "Bucket \"niodbr\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket s3-proxy-test does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "s3-proxy-test",
-        "resourceArn": "arn:aws-cn:s3:::s3-proxy-test",
-        "region": "cn-north-1",
-        "description": "Bucket \"s3-proxy-test\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket s3-sync-source does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "s3-sync-source",
-        "resourceArn": "arn:aws-cn:s3:::s3-sync-source",
-        "region": "cn-northwest-1",
-        "description": "Bucket \"s3-sync-source\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket sagemaker-studio-468254682119-4buvn7imlhw does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "sagemaker-studio-468254682119-4buvn7imlhw",
-        "resourceArn": "arn:aws-cn:s3:::sagemaker-studio-468254682119-4buvn7imlhw",
-        "region": "cn-north-1",
-        "description": "Bucket \"sagemaker-studio-468254682119-4buvn7imlhw\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket sagemaker-studio-468254682119-5rby7mo1jdj does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "sagemaker-studio-468254682119-5rby7mo1jdj",
-        "resourceArn": "arn:aws-cn:s3:::sagemaker-studio-468254682119-5rby7mo1jdj",
-        "region": "cn-north-1",
-        "description": "Bucket \"sagemaker-studio-468254682119-5rby7mo1jdj\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket sagemaker-studio-468254682119-ki9n6806iyk does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "sagemaker-studio-468254682119-ki9n6806iyk",
-        "resourceArn": "arn:aws-cn:s3:::sagemaker-studio-468254682119-ki9n6806iyk",
-        "region": "cn-northwest-1",
-        "description": "Bucket \"sagemaker-studio-468254682119-ki9n6806iyk\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket sagemaker-studio-468254682119-xfg0l0rg8s does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "sagemaker-studio-468254682119-xfg0l0rg8s",
-        "resourceArn": "arn:aws-cn:s3:::sagemaker-studio-468254682119-xfg0l0rg8s",
-        "region": "cn-north-1",
-        "description": "Bucket \"sagemaker-studio-468254682119-xfg0l0rg8s\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket terraform-states-test does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "terraform-states-test",
-        "resourceArn": "arn:aws-cn:s3:::terraform-states-test",
-        "region": "cn-north-1",
-        "description": "Bucket \"terraform-states-test\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket tesla-cur does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "tesla-cur",
-        "resourceArn": "arn:aws-cn:s3:::tesla-cur",
-        "region": "cn-north-1",
-        "description": "Bucket \"tesla-cur\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket tesla-dbr does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "tesla-dbr",
-        "resourceArn": "arn:aws-cn:s3:::tesla-dbr",
-        "region": "cn-north-1",
-        "description": "Bucket \"tesla-dbr\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
-      {
-        "riskScore": 3,
-        "title": "S3 bucket test-s3-access-log does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "test-s3-access-log",
-        "resourceArn": "arn:aws-cn:s3:::test-s3-access-log",
-        "region": "cn-north-1",
-        "description": "Bucket \"test-s3-access-log\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
+        "module": "tag_compliance",
+        "findingsCount": 3,
+        "status": "success"
       },
       {
-        "riskScore": 3,
-        "title": "S3 bucket test-volvo does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "test-volvo",
-        "resourceArn": "arn:aws-cn:s3:::test-volvo",
-        "region": "cn-north-1",
-        "description": "Bucket \"test-volvo\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
+        "module": "idle_resources",
+        "findingsCount": 2,
+        "status": "success"
       },
       {
-        "riskScore": 3,
-        "title": "S3 bucket volvo123 does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "volvo123",
-        "resourceArn": "arn:aws-cn:s3:::volvo123",
-        "region": "cn-north-1",
-        "description": "Bucket \"volvo123\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
+        "module": "disaster_recovery",
+        "findingsCount": 1,
+        "status": "success"
       },
       {
-        "riskScore": 3,
-        "title": "S3 bucket webtest does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "webtest",
-        "resourceArn": "arn:aws-cn:s3:::webtest",
-        "region": "cn-north-1",
-        "description": "Bucket \"webtest\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
+        "module": "security_hub_findings",
+        "findingsCount": 2,
+        "status": "success"
       },
       {
-        "riskScore": 3,
-        "title": "S3 bucket will does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "will",
-        "resourceArn": "arn:aws-cn:s3:::will",
-        "region": "cn-north-1",
-        "description": "Bucket \"will\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
+        "module": "guardduty_findings",
+        "findingsCount": 0,
+        "status": "success"
       },
       {
-        "riskScore": 3,
-        "title": "S3 bucket will-flowlog does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "will-flowlog",
-        "resourceArn": "arn:aws-cn:s3:::will-flowlog",
-        "region": "cn-north-1",
-        "description": "Bucket \"will-flowlog\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
+        "module": "inspector_findings",
+        "findingsCount": 0,
+        "status": "success"
       },
       {
-        "riskScore": 3,
-        "title": "S3 bucket will-pc-backup does not have versioning enabled",
-        "resourceType": "AWS::S3::Bucket",
-        "resourceId": "will-pc-backup",
-        "resourceArn": "arn:aws-cn:s3:::will-pc-backup",
-        "region": "cn-north-1",
-        "description": "Bucket \"will-pc-backup\" versioning is not set.",
-        "impact": "Accidental deletion or overwrite of objects cannot be recovered.",
-        "remediationSteps": [
-          "Enable versioning on the bucket.",
-          "Consider adding lifecycle rules to manage version storage costs."
-        ],
-        "severity": "LOW",
-        "priority": "P3",
-        "module": "s3"
-      },
+        "module": "trusted_advisor_findings",
+        "findingsCount": 0,
+        "status": "success"
+      }
+    ],
+    "findings": [
       {
         "riskScore": 7.5,
-        "title": "IAM user hzhaoam has access key older than 90 days",
-        "resourceType": "AWS::IAM::AccessKey",
-        "resourceId": "AKIAW2BRHNQD6OGWH6VQ",
-        "resourceArn": "arn:aws-cn:iam::468254682119:user/hzhaoam",
-        "region": "global",
-        "description": "Access key AKIAW2BRHNQD6OGWH6VQ for user \"hzhaoam\" is 1800 days old.",
-        "impact": "Old access keys are more likely to have been exposed or leaked over time.",
+        "title": "GuardDuty is not enabled",
+        "resourceType": "AWS::GuardDuty::Detector",
+        "resourceId": "guardduty-cn-north-1",
+        "resourceArn": "arn:aws-cn:guardduty:cn-north-1:468254682119:detector/not-enabled",
+        "region": "cn-north-1",
+        "description": "Amazon GuardDuty is not enabled in cn-north-1.",
+        "impact": "No continuous threat detection for account compromise, instance compromise, or reconnaissance.",
         "remediationSteps": [
-          "Rotate the access key by creating a new key and deleting the old one.",
-          "Implement an access key rotation policy (maximum 90 days).",
-          "Consider using IAM roles or temporary credentials instead."
+          "Enable GuardDuty in the AWS console or via API.",
+          "GuardDuty offers a 30-day free trial."
         ],
         "severity": "HIGH",
         "priority": "P1",
-        "module": "iam"
+        "module": "service_detection"
       },
       {
-        "riskScore": 5.5,
-        "title": "CloudTrail trail nwcd-org-cloudtrail-logs not integrated with CloudWatch Logs",
-        "resourceType": "AWS::CloudTrail::Trail",
-        "resourceId": "nwcd-org-cloudtrail-logs",
-        "resourceArn": "arn:aws-cn:cloudtrail:cn-northwest-1:362115975032:trail/nwcd-org-cloudtrail-logs",
-        "region": "cn-north-1",
-        "description": "Trail \"nwcd-org-cloudtrail-logs\" is not configured to deliver logs to CloudWatch Logs.",
-        "impact": "Real-time monitoring and alerting on API activity is not possible without CloudWatch Logs integration.",
-        "remediationSteps": [
-          "Configure the trail to deliver logs to a CloudWatch Logs log group.",
-          "Create metric filters and alarms for critical security events."
-        ],
-        "severity": "MEDIUM",
-        "priority": "P2",
-        "module": "cloudtrail"
-      },
-      {
-        "riskScore": 6,
-        "title": "CloudTrail trail test-management-events has no log file validation",
-        "resourceType": "AWS::CloudTrail::Trail",
-        "resourceId": "test-management-events",
-        "resourceArn": "arn:aws-cn:cloudtrail:cn-north-1:468254682119:trail/test-management-events",
+        "riskScore": 6.0,
+        "title": "Inspector is not enabled",
+        "resourceType": "AWS::Inspector2::Inspector",
+        "resourceId": "inspector-cn-north-1",
+        "resourceArn": "arn:aws-cn:inspector2:cn-north-1:468254682119:inspector/not-enabled",
         "region": "cn-north-1",
-        "description": "Trail \"test-management-events\" does not have log file validation enabled.",
-        "impact": "Log files could be modified or deleted without detection, undermining audit integrity.",
+        "description": "Amazon Inspector is not enabled in cn-north-1.",
+        "impact": "No automated vulnerability scanning for EC2 instances, Lambda functions, or container images.",
         "remediationSteps": [
-          "Enable log file validation on the trail.",
-          "This creates digest files that can be used to verify log integrity."
+          "Enable Inspector in the AWS console.",
+          "Inspector offers a 15-day free trial."
         ],
         "severity": "MEDIUM",
         "priority": "P2",
-        "module": "cloudtrail"
+        "module": "service_detection"
       },
       {
-        "riskScore": 5.5,
-        "title": "CloudTrail trail test-management-events not integrated with CloudWatch Logs",
-        "resourceType": "AWS::CloudTrail::Trail",
-        "resourceId": "test-management-events",
-        "resourceArn": "arn:aws-cn:cloudtrail:cn-north-1:468254682119:trail/test-management-events",
+        "riskScore": 8.0,
+        "title": "EC2 instance i-0abc123 has SSH (22) reachable from 0.0.0.0/0",
+        "resourceType": "AWS::EC2::Instance",
+        "resourceId": "i-0abc123",
+        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:instance/i-0abc123",
         "region": "cn-north-1",
-        "description": "Trail \"test-management-events\" is not configured to deliver logs to CloudWatch Logs.",
-        "impact": "Real-time monitoring and alerting on API activity is not possible without CloudWatch Logs integration.",
+        "description": "Instance i-0abc123 has SSH port 22 reachable from the internet via SG + NACL analysis.",
+        "impact": "SSH exposed to the internet increases brute-force and credential stuffing risk.",
         "remediationSteps": [
-          "Configure the trail to deliver logs to a CloudWatch Logs log group.",
-          "Create metric filters and alarms for critical security events."
-        ],
-        "severity": "MEDIUM",
-        "priority": "P2",
-        "module": "cloudtrail"
-      },
-      {
-        "riskScore": 7,
-        "title": "EBS default encryption is not enabled in cn-north-1",
-        "resourceType": "AWS::EC2::EBSDefaultEncryption",
-        "resourceId": "ebs-default-cn-north-1",
-        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:ebs-default-encryption",
-        "region": "cn-north-1",
-        "description": "EBS default encryption is not enabled in region cn-north-1.",
-        "impact": "Newly created EBS volumes will not be encrypted by default, requiring manual encryption per volume.",
-        "remediationSteps": [
-          "Enable EBS encryption by default for the region using the EC2 console or API.",
-          "This ensures all new volumes and snapshots are automatically encrypted."
+          "Restrict port 22 to known IP ranges.",
+          "Use AWS Systems Manager Session Manager instead of SSH."
         ],
         "severity": "HIGH",
         "priority": "P1",
-        "module": "ebs"
-      },
-      {
-        "riskScore": 6,
-        "title": "EBS volume vol-0eac0a11ed76b3c38 is not encrypted",
-        "resourceType": "AWS::EC2::Volume",
-        "resourceId": "vol-0eac0a11ed76b3c38",
-        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:volume/vol-0eac0a11ed76b3c38",
-        "region": "cn-north-1",
-        "description": "EBS volume \"vol-0eac0a11ed76b3c38\" (200GB, in-use) is not encrypted.",
-        "impact": "Data on this volume is stored unencrypted. A compromised snapshot or physical media could expose data.",
-        "remediationSteps": [
-          "Create an encrypted snapshot of this volume.",
-          "Create a new encrypted volume from the snapshot.",
-          "Migrate data to the new encrypted volume and delete the old one."
-        ],
-        "severity": "MEDIUM",
-        "priority": "P2",
-        "module": "ebs"
+        "module": "network_reachability"
       },
       {
-        "riskScore": 6,
-        "title": "EBS volume vol-0df6a1e35847c7e77 is not encrypted",
-        "resourceType": "AWS::EC2::Volume",
-        "resourceId": "vol-0df6a1e35847c7e77",
-        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:volume/vol-0df6a1e35847c7e77",
-        "region": "cn-north-1",
-        "description": "EBS volume \"vol-0df6a1e35847c7e77\" (40GB, in-use) is not encrypted.",
-        "impact": "Data on this volume is stored unencrypted. A compromised snapshot or physical media could expose data.",
+        "riskScore": 7.0,
+        "title": "IAM user admin-user can escalate privileges via iam:CreatePolicyVersion",
+        "resourceType": "AWS::IAM::User",
+        "resourceId": "admin-user",
+        "resourceArn": "arn:aws-cn:iam::468254682119:user/admin-user",
+        "region": "global",
+        "description": "User admin-user has iam:CreatePolicyVersion permission which allows creating a new policy version with full admin access.",
+        "impact": "Privilege escalation to full administrator access.",
         "remediationSteps": [
-          "Create an encrypted snapshot of this volume.",
-          "Create a new encrypted volume from the snapshot.",
-          "Migrate data to the new encrypted volume and delete the old one."
+          "Remove iam:CreatePolicyVersion from the user's permissions.",
+          "Use AWS Organizations SCPs to prevent privilege escalation."
         ],
         "severity": "MEDIUM",
         "priority": "P2",
-        "module": "ebs"
+        "module": "iam_privilege_escalation"
       },
       {
-        "riskScore": 6,
-        "title": "EBS volume vol-0c92b56ebb3aa05ae is not encrypted",
-        "resourceType": "AWS::EC2::Volume",
-        "resourceId": "vol-0c92b56ebb3aa05ae",
-        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:volume/vol-0c92b56ebb3aa05ae",
+        "riskScore": 3.5,
+        "title": "EC2 instance i-0def456 missing required tag: Environment",
+        "resourceType": "AWS::EC2::Instance",
+        "resourceId": "i-0def456",
+        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:instance/i-0def456",
         "region": "cn-north-1",
-        "description": "EBS volume \"vol-0c92b56ebb3aa05ae\" (500GB, in-use) is not encrypted.",
-        "impact": "Data on this volume is stored unencrypted. A compromised snapshot or physical media could expose data.",
+        "description": "Instance i-0def456 is missing the required 'Environment' tag.",
+        "impact": "Cannot determine resource environment for cost allocation and access control.",
         "remediationSteps": [
-          "Create an encrypted snapshot of this volume.",
-          "Create a new encrypted volume from the snapshot.",
-          "Migrate data to the new encrypted volume and delete the old one."
+          "Add the 'Environment' tag with an appropriate value (e.g., production, staging, dev)."
         ],
-        "severity": "MEDIUM",
-        "priority": "P2",
-        "module": "ebs"
+        "severity": "LOW",
+        "priority": "P3",
+        "module": "tag_compliance"
       },
       {
-        "riskScore": 5.5,
-        "title": "EBS snapshot snap-055bc19828e4e3092 is not encrypted",
-        "resourceType": "AWS::EC2::Snapshot",
-        "resourceId": "snap-055bc19828e4e3092",
-        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-055bc19828e4e3092",
+        "riskScore": 3.5,
+        "title": "EC2 instance i-0def456 missing required tag: Project",
+        "resourceType": "AWS::EC2::Instance",
+        "resourceId": "i-0def456",
+        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:instance/i-0def456",
         "region": "cn-north-1",
-        "description": "EBS snapshot \"snap-055bc19828e4e3092\" (volume: vol-05f6c4160ac0a93e6) is not encrypted.",
-        "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
+        "description": "Instance i-0def456 is missing the required 'Project' tag.",
+        "impact": "Cannot determine project ownership for cost allocation.",
         "remediationSteps": [
-          "Copy the snapshot with encryption enabled.",
-          "Delete the unencrypted snapshot after verifying the encrypted copy."
+          "Add the 'Project' tag with the appropriate project name."
         ],
-        "severity": "MEDIUM",
-        "priority": "P2",
-        "module": "ebs"
+        "severity": "LOW",
+        "priority": "P3",
+        "module": "tag_compliance"
       },
       {
-        "riskScore": 5.5,
-        "title": "EBS snapshot snap-031bfc4c9db6428ef is not encrypted",
-        "resourceType": "AWS::EC2::Snapshot",
-        "resourceId": "snap-031bfc4c9db6428ef",
-        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-031bfc4c9db6428ef",
+        "riskScore": 3.5,
+        "title": "EC2 instance i-0def456 missing required tag: Owner",
+        "resourceType": "AWS::EC2::Instance",
+        "resourceId": "i-0def456",
+        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:instance/i-0def456",
         "region": "cn-north-1",
-        "description": "EBS snapshot \"snap-031bfc4c9db6428ef\" (volume: vol-0d6aaae479efcf0b0) is not encrypted.",
-        "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
+        "description": "Instance i-0def456 is missing the required 'Owner' tag.",
+        "impact": "Cannot determine resource ownership.",
         "remediationSteps": [
-          "Copy the snapshot with encryption enabled.",
-          "Delete the unencrypted snapshot after verifying the encrypted copy."
+          "Add the 'Owner' tag with the responsible team or individual."
         ],
-        "severity": "MEDIUM",
-        "priority": "P2",
-        "module": "ebs"
+        "severity": "LOW",
+        "priority": "P3",
+        "module": "tag_compliance"
       },
       {
-        "riskScore": 5.5,
-        "title": "EBS snapshot snap-0f4dbd4e045f4f9e3 is not encrypted",
-        "resourceType": "AWS::EC2::Snapshot",
-        "resourceId": "snap-0f4dbd4e045f4f9e3",
-        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-0f4dbd4e045f4f9e3",
+        "riskScore": 4.0,
+        "title": "Unattached EBS volume vol-0aaa111",
+        "resourceType": "AWS::EC2::Volume",
+        "resourceId": "vol-0aaa111",
+        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:volume/vol-0aaa111",
         "region": "cn-north-1",
-        "description": "EBS snapshot \"snap-0f4dbd4e045f4f9e3\" (volume: vol-0be166f626acbc0c3) is not encrypted.",
-        "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
+        "description": "EBS volume vol-0aaa111 (100GB, gp3) is not attached to any instance.",
+        "impact": "Unused volume incurs storage costs and may contain stale data.",
         "remediationSteps": [
-          "Copy the snapshot with encryption enabled.",
-          "Delete the unencrypted snapshot after verifying the encrypted copy."
+          "Snapshot the volume if data is needed, then delete it.",
+          "Attach it to an instance if still required."
         ],
         "severity": "MEDIUM",
         "priority": "P2",
-        "module": "ebs"
+        "module": "idle_resources"
       },
       {
-        "riskScore": 5.5,
-        "title": "EBS snapshot snap-0ef0b31b558e620d4 is not encrypted",
-        "resourceType": "AWS::EC2::Snapshot",
-        "resourceId": "snap-0ef0b31b558e620d4",
-        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-0ef0b31b558e620d4",
+        "riskScore": 3.5,
+        "title": "Unused Elastic IP 1.2.3.4",
+        "resourceType": "AWS::EC2::EIP",
+        "resourceId": "eipalloc-0bbb222",
+        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:elastic-ip/eipalloc-0bbb222",
         "region": "cn-north-1",
-        "description": "EBS snapshot \"snap-0ef0b31b558e620d4\" (volume: vol-0df6a1e35847c7e77) is not encrypted.",
-        "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
+        "description": "Elastic IP 1.2.3.4 is not associated with any instance or network interface.",
+        "impact": "Unused EIPs incur hourly charges.",
         "remediationSteps": [
-          "Copy the snapshot with encryption enabled.",
-          "Delete the unencrypted snapshot after verifying the encrypted copy."
+          "Release the Elastic IP if no longer needed."
         ],
-        "severity": "MEDIUM",
-        "priority": "P2",
-        "module": "ebs"
+        "severity": "LOW",
+        "priority": "P3",
+        "module": "idle_resources"
       },
       {
         "riskScore": 5.5,
-        "title": "EBS snapshot snap-0e0f19b1ae5393d69 is not encrypted",
-        "resourceType": "AWS::EC2::Snapshot",
-        "resourceId": "snap-0e0f19b1ae5393d69",
-        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-0e0f19b1ae5393d69",
+        "title": "RDS instance mydb-prod does not have Multi-AZ enabled",
+        "resourceType": "AWS::RDS::DBInstance",
+        "resourceId": "mydb-prod",
+        "resourceArn": "arn:aws-cn:rds:cn-north-1:468254682119:db:mydb-prod",
         "region": "cn-north-1",
-        "description": "EBS snapshot \"snap-0e0f19b1ae5393d69\" (volume: vol-0df6a1e35847c7e77) is not encrypted.",
-        "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
+        "description": "RDS instance mydb-prod is not configured for Multi-AZ deployment.",
+        "impact": "Single point of failure — an AZ outage will cause database downtime.",
         "remediationSteps": [
-          "Copy the snapshot with encryption enabled.",
-          "Delete the unencrypted snapshot after verifying the encrypted copy."
+          "Enable Multi-AZ for the RDS instance.",
+          "This provides automatic failover to a standby in a different AZ."
         ],
         "severity": "MEDIUM",
         "priority": "P2",
-        "module": "ebs"
+        "module": "disaster_recovery"
       },
       {
         "riskScore": 5.5,
-        "title": "EBS snapshot snap-050d8b9be81aa28a7 is not encrypted",
-        "resourceType": "AWS::EC2::Snapshot",
-        "resourceId": "snap-050d8b9be81aa28a7",
-        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-050d8b9be81aa28a7",
+        "title": "[Security Hub] S3.8 — S3 Block Public Access setting should be enabled at the bucket level",
+        "resourceType": "AWS::S3::Bucket",
+        "resourceId": "example-bucket",
+        "resourceArn": "arn:aws-cn:s3:::example-bucket",
         "region": "cn-north-1",
-        "description": "EBS snapshot \"snap-050d8b9be81aa28a7\" (volume: vol-019b7411771fdd09d) is not encrypted.",
-        "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
+        "description": "FSBP control S3.8: S3 Block Public Access not enabled at bucket level.",
+        "impact": "Bucket may be publicly accessible.",
         "remediationSteps": [
-          "Copy the snapshot with encryption enabled.",
-          "Delete the unencrypted snapshot after verifying the encrypted copy."
+          "Enable S3 Block Public Access at the bucket level."
         ],
         "severity": "MEDIUM",
         "priority": "P2",
-        "module": "ebs"
+        "module": "security_hub_findings"
       },
       {
         "riskScore": 5.5,
-        "title": "EBS snapshot snap-00b95c437eab79cf6 is not encrypted",
-        "resourceType": "AWS::EC2::Snapshot",
-        "resourceId": "snap-00b95c437eab79cf6",
-        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:snapshot/snap-00b95c437eab79cf6",
+        "title": "[Security Hub] EC2.2 — VPC default security group should not allow inbound or outbound traffic",
+        "resourceType": "AWS::EC2::SecurityGroup",
+        "resourceId": "sg-default",
+        "resourceArn": "arn:aws-cn:ec2:cn-north-1:468254682119:security-group/sg-default",
         "region": "cn-north-1",
-        "description": "EBS snapshot \"snap-00b95c437eab79cf6\" (volume: vol-0eac0a11ed76b3c38) is not encrypted.",
-        "impact": "Unencrypted snapshots can be copied or shared, exposing data without encryption protection.",
+        "description": "FSBP control EC2.2: Default VPC security group allows traffic.",
+        "impact": "Resources using the default security group may have unintended network access.",
         "remediationSteps": [
-          "Copy the snapshot with encryption enabled.",
-          "Delete the unencrypted snapshot after verifying the encrypted copy."
+          "Remove all inbound and outbound rules from the default security group."
         ],
         "severity": "MEDIUM",
         "priority": "P2",
-        "module": "ebs"
+        "module": "security_hub_findings"
       }
     ]
   },
   "history": [
     {
       "date": "2026-04-10",
-      "score": 43,
+      "score": 72,
       "critical": 0,
-      "high": 3,
-      "medium": 13,
-      "low": 32,
-      "totalFindings": 48
+      "high": 2,
+      "medium": 5,
+      "low": 5,
+      "totalFindings": 12
     }
   ],
   "meta": {
@@ -893,4 +302,4 @@
     "version": "1.0.0",
     "dataRetentionDays": 30
   }
-}
+}