FTR

Assesses an AWS Partner's solution against a specific set of Amazon Web Services (AWS) best practices around security, performance, and operational processes that are most critical for customer success.
Read more

Category	Rule ID	Compliance Status	Description	Reference
Partner hosted	HOST-001	Not available
Support level	SUP-001	Compliant	[supportPlanLowTier]
Architecture review	WAFR-001	Not available
Architecture review	WAFR-002	Not available
AWS root account	ARC-001	Not available
AWS root account	ARC-002	Not available
AWS root account	ARC-003	Need Attention	[rootMfaActive] - Enable MFA on root user [GLOBAL]User::root_id	AWS MFA IAM Best Practices
AWS root account	ARC-004	Compliant	[rootHasAccessKey]
AWS root account	ARC-005	Not available
Communications from AWS	ACOM-001	Compliant	[hasAlternateContact]
Communications from AWS	ACOM-002	Not available
AWS CloudTrail	CTL-001	Not available
AWS CloudTrail	CTL-002	Not available
AWS CloudTrail	CTL-003	Not available
AWS CloudTrail	CTL-004	Not available
Identity and Access Management	IAM-001	Compliant	[mfaActive]
Identity and Access Management	IAM-002	Compliant	[passwordLastChange90] [passwordLastChange365] [hasAccessKeyNoRotate90days] [hasAccessKeyNoRotate365days]
Identity and Access Management	IAM-003	Need Attention	[passwordPolicyWeak] [passwordPolicy] - Set a custom password policy. [GLOBAL]Account::Config	IAM Password Policy
Identity and Access Management	IAM-004	Compliant	[noUsersFound]
Identity and Access Management	IAM-005	Not available
Identity and Access Management	IAM-006	Need Attention	[InlinePolicyFullAccessOneServ] - Limit access in policy [GLOBAL]Role::SpringClean-XUG3HH5R-SpringCleanStackSetExecutionR-D9DWX0EX1ZOA [InlinePolicyFullAdminAccess] [ManagedPolicyFullAccessOneServ] - Limit permissions. [GLOBAL]Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD, Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X, Role::AWSReservedSSO_AWSPowerUserAccess_00098b9536c9ffa7, Role::Cloud-Intelligence-Dashbo-ProcessPathLambdaExecutio-4v29TjzrvQTv, Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8, Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r, Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02, Role::MarketplaceFullAccess, Role::OrthancRole [FullAdminAccess] - Limit permissions. [GLOBAL]Role::Admin, Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0, Role::ww_augnhtrole, Group::admin-group	AWS Docs AWS Docs AWS Docs Organization GuardRail Blog
Identity and Access Management	IAM-007	Need Attention	[consoleLastAccess90] [consoleLastAccess365] [unusedRole] - Review & remove inactive roles [GLOBAL]Role::AccessAnalyzerTrustedService, Role::aspnetecstaskroles, Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD, Role::AthenaCURdailyStack-AWSCURCrawlerLambdaExecutor-18PJXDZOQVUT8, Role::AthenaCURdailyStack-AWSS3CURLambdaExecutor-91GHL63BKDPJ, Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X, Role::AthenaCURMonthlyStack-AWSS3CURLambdaExecutor-19ZYBIKM90TK9, Role::AVMContainersUserRole, Role::aws-ec2-spot-fleet-tagging-role, Role::aws-security-hub-automate-orchestratorRole12B410FD-1VFCRA5D658CQ, Role::aws-security-hub-automate-SNS2DeliveryStatusLoggin-1XB1ER18ZZ6IV, Role::awslogs.prod.kelex.molecule.toppatterns, Role::AWSReservedSSO_AWSPowerUserAccess_00098b9536c9ffa7, Role::AWSReservedSSO_AWSReadOnlyAccess_4426e61ec70ce688, Role::AWSReservedSSO_AWSServiceCatalogAdminFullAccess_c710ef77c5721888, Role::AWSReservedSSO_AWSServiceCatalogEndUserAccess_2f1286af87fe02c6, Role::AWSSupportPatchwork-ap-northeast-1-AutomationRole, Role::AWSSupportPatchwork-ap-northeast-2-AutomationRole, Role::AWSSupportPatchwork-ap-south-1-AutomationRole, Role::AWSSupportPatchwork-ap-southeast-2-AutomationRole, Role::AWSSupportPatchwork-ca-central-1-AutomationRole, Role::AWSSupportPatchwork-eu-central-1-AutomationRole, Role::AWSSupportPatchwork-eu-north-1-AutomationRole, Role::AWSSupportPatchwork-eu-west-1-AutomationRole, Role::AWSSupportPatchwork-eu-west-2-AutomationRole, Role::AWSSupportPatchwork-eu-west-3-AutomationRole, Role::AWSSupportPatchwork-sa-east-1-AutomationRole, Role::AWSSupportPatchwork-us-east-1-AutomationRole, Role::AWSSupportPatchwork-us-east-2-AutomationRole, Role::AWSSupportPatchwork-us-west-1-AutomationRole, Role::AWSVAPTAudit, Role::CID-CUR-Destination-CIDLambdaAnalyticsRole-4lnxU3a60sr4, Role::CidExecRole, Role::Cloud-Intelligence-Dashbo-ProcessPathLambdaExecutio-4v29TjzrvQTv, Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8, Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r, Role::CloudSecAuditRole, Role::CloudSeerTrustedServiceRole, Role::CodeGuruProfilerForwardToAmazonProfiler, Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02, Role::CURathenaStack-AWSCURCrawlerLambdaExecutor-WYW3Y5BXZGA, Role::CURathenaStack-AWSS3CURLambdaExecutor-YH390THQNEJX, Role::EC2CapacityReservationService, Role::ecsAutoscaleRole, Role::ecsTaskExecutionRole, Role::MarketplaceFullAccess, Role::rds-monitoring-role, Role::SaltyTrustedService, Role::SecurityHub_CSV_Exporter, Role::ShadowTrooperRole, Role::SO0111-CloudTrailToCloudWatchLogs, Role::SO0111-ConfigureS3BucketLogging, Role::SO0111-ConfigureS3BucketPublicAccessBlock, Role::SO0111-ConfigureS3PublicAccessBlock, Role::SO0111-ConfigureSNSTopicForStack, Role::SO0111-CreateAccessLoggingBucket, Role::SO0111-CreateCloudTrailMultiRegionTrail, Role::SO0111-CreateIAMSupportRole, Role::SO0111-CreateLogMetricFilterAndAlarm, Role::SO0111-DisablePublicAccessForSecurityGroup, Role::SO0111-DisablePublicAccessToRDSInstance, Role::SO0111-DisablePublicAccessToRedshiftCluster, Role::SO0111-DisablePublicIPAutoAssign, Role::SO0111-EnableAutomaticSnapshotsOnRedshiftCluster, Role::SO0111-EnableAutomaticVersionUpgradeOnRedshiftCluster, Role::SO0111-EnableAutoScalingGroupELBHealthCheck, Role::SO0111-EnableAWSConfig, Role::SO0111-EnableCloudTrailEncryption, Role::SO0111-EnableCloudTrailLogFileValidation, Role::SO0111-EnableCloudTrailToCloudWatchLogging, Role::SO0111-EnableCopyTagsToSnapshotOnRDSCluster, Role::SO0111-EnableDefaultEncryptionS3, Role::SO0111-EnableDeliveryStatusLoggingForSNSTopic, Role::SO0111-EnableEbsEncryptionByDefault, Role::SO0111-EnableEncryptionForSNSTopic, Role::SO0111-EnableEncryptionForSQSQueue, Role::SO0111-EnableEnhancedMonitoringOnRDSInstance, Role::SO0111-EnableKeyRotation, Role::SO0111-EnableMinorVersionUpgradeOnRDSDBInstance, Role::SO0111-EnableMultiAZOnRDSInstance, Role::SO0111-EnableRDSClusterDeletionProtection, Role::SO0111-EnableRDSInstanceDeletionProtection, Role::SO0111-EnableRedshiftClusterAuditLogging, Role::SO0111-EnableVPCFlowLogs, Role::SO0111-EnableVPCFlowLogs-remediationRole, Role::SO0111-EncryptRDSSnapshot, Role::SO0111-MakeEBSSnapshotsPrivate, Role::SO0111-MakeRDSSnapshotPrivate, Role::SO0111-RDSMonitoring-remediationRole, Role::SO0111-RemoveLambdaPublicAccess, Role::SO0111-RemoveVPCDefaultSecurityGroupRules, Role::SO0111-ReplaceCodeBuildClearTextCredentials, Role::SO0111-RevokeUnrotatedKeys, Role::SO0111-RevokeUnusedIAMUserCredentials, Role::SO0111-S3BlockDenylist, Role::SO0111-SetIAMPasswordPolicy, Role::SO0111-SetSSLBucketPolicy, Role::SO0111-SHARR-Orchestrator-Member, Role::SpringClean-XUG3HH5R-AutoUpdateElevatedRole-1IM6AYMGMCA35, Role::SpringClean-XUG3HH5R-FeatureCheckerFunctionRole-1AH36Y9VYP822, Role::SpringClean-XUG3HH5R-SesVerifyEmailFunctionRole-1TXMG47957RRG, Role::SpringClean-XUG3HH5R-SpringCleanStackSetAdministra-QIMZ48DM5OFV, Role::SpringClean-XUG3HH5R-SpringCleanStackSetExecutionR-D9DWX0EX1ZOA, Role::testCarbonRole, Role::TurtleRoleManagement, Role::vpcflowCWrole, Role::wwRoleEC2SES, Role::wwRoleLambdaSES, Role::ww_augnhtrole	AWS Blog
Identity and Access Management	IAM-008	Not available
Identity and Access Management	IAM-009	Not available
Identity and Access Management	IAM-010	Not available
Identity and Access Management	IAM-011	Not available
Identity and Access Management	IAM-012	Compliant	[mfaActive] [EC2IamProfile]
Operational security	SECOPS-001	Not available
Network security	NETSEC-001	Need Attention	[SGDefaultInUsed] - Default Security Group In Use [ap-southeast-5]SG::sg-0340a45e7f6dfdeef [SGSensitivePortOpenToAll] - Sensitive port open to all. [ap-southeast-5]SG::sg-0d56232f5bc4a6a0d [SGAllOpenToAll] [SGAllOpen]	Best practices for Amazon EC2 Best practices for Amazon EC2
Network security	NETSEC-002	Not available
Backups and recovery	BAR-001	Need Attention	[EBSSnapshot] - Enable EBS Snapshot [ap-southeast-5]EBS::vol-088df622bcebd7a03 [us-west-2]EBS::vol-058a9449d61cf9461 [Backup] [BackupTooLow] - Enable backup >= 7 days [us-east-1]aurora-mysql::Cluster=myaurora-mysql-ww [backupStatus] [enabledContinuousBackup]	Best practices for Amazon EC2 Free backup storage up to allocated Guide
Backups and recovery	BAR-002	Not available
Resiliency	RES-001	Not available
Resiliency	RES-002	Not available
Resiliency	RES-003	Not available
Resiliency	RES-004	Not available
Resiliency	RES-005	Not available
Resiliency	RES-006	Not available
Resiliency	RES-007	Not available
Amazon S3 bucket access	S3-001	Not available
Amazon S3 bucket access	S3-002	Compliant	[PublicAccessBlock] [S3AccountPublicAccessBlock]
Amazon S3 bucket access	S3-003	Not available
Cross-account access	CAA-001	Not available
Cross-account access	CAA-002	Not available
Cross-account access	CAA-003	Not available
Cross-account access	CAA-004	Not available
Cross-account access	CAA-005	Not available
Cross-account access	CAA-006	Not available
Cross-account access	CAA-007	Not available
Sensitive data	SDAT-001	Not available
Sensitive data	SDAT-002	Need Attention	[EBSEncrypted] - Enable EBS Encryption [ap-southeast-5]EBS::vol-088df622bcebd7a03 [us-west-2]EBS::vol-058a9449d61cf9461 [ServerSideEncrypted] [StorageEncrypted]	Best practices for Amazon EC2
Sensitive data	SDAT-003	Need Attention	[SGEncryptionInTransit] - Encryption in Transit [ap-northeast-1]SG::sg-0a9a9f1599f78e648 [ap-northeast-2]SG::sg-0e2f6a031113c6c65 [ap-northeast-3]SG::sg-0f1c015386fdeaef2 [ap-south-1]SG::sg-0ce181aa24e2327a0 [ap-southeast-1]SG::sg-0c82e152ce9347073, SG::sg-0442088071f74e66b [ap-southeast-2]SG::sg-06a87caeacb9bdc1c [ap-southeast-3]SG::sg-09c69789992976af0, SG::sg-07d450b94849d4deb [ap-southeast-5]SG::sg-0340a45e7f6dfdeef, SG::sg-0d56232f5bc4a6a0d, SG::sg-0cdece98aec7d1e6c [ca-central-1]SG::sg-0807269705e2a7bce [eu-central-1]SG::sg-061edeb40615f37d8 [eu-north-1]SG::sg-0224dd542e0e0a188 [eu-west-1]SG::sg-0ee2cf797712225c6 [eu-west-2]SG::sg-0d712926de8d430e0 [eu-west-3]SG::sg-0d057db4a24c667d8 [sa-east-1]SG::sg-06a16f5c401b779ea [us-east-1]SG::sg-0f4d456d65b49cbcc, SG::sg-0562190d9d9c154da, SG::sg-0fe800a9602ab25ff [us-east-2]SG::sg-05b1211873efb1066 [us-west-1]SG::sg-0ac2b6884d3c7f382 [us-west-2]SG::sg-037dcb16366f739b8 [TlsEnforced] - Enforce Encryption of Data in Transit [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296	Data protection in Amazon EC2 AWS Docs
Regulatory compliance validation process	RCVP-001	Not available