Service Screener

MSR baseline checks

At AWS, security is our top priority. Partner Migration Security Requirements (MSR) is an APJ Core team initiative to help our partners migrate their custom's workloads securely to AWS.

MSR details security requirements that partners should implement controls for, in line with 5 core security themes of identity and access management, 61 logging and monitoring, infrastructure security, data protection, and incident response. clubbed with additional best practices. MSR will be used by both internal stakeholders like Migration PSA's, relevant account teams and external stakeholders like consulting, migration, and GSI partners to elevate the security posture of workloads being migrated to cloud and ensure ongoing elevated security posture.
Read more

Summary: [Not available:34] | [Compliant:16] | [Need Attention:19]

Breakdown

Framework. MSR baseline checks

Category	Rule ID	Compliance Status	Description	Reference
CW.	1	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
CW.	2	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
CW.	3	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
CW.	4	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
CD.	1	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IAM.	1	Need Attention	[ManagedPolicyFullAccessOneServ] - Limit permissions. [GLOBAL]Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD, Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X, Role::AWSReservedSSO_AWSPowerUserAccess_00098b9536c9ffa7, Role::Cloud-Intelligence-Dashbo-ProcessPathLambdaExecutio-4v29TjzrvQTv, Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8, Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r, Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02, Role::MarketplaceFullAccess, Role::OrthancRole [FullAdminAccess] - Limit permissions. [GLOBAL]Role::Admin, Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0, Role::ww_augnhtrole, Group::admin-group [InlinePolicyFullAccessOneServ] - Limit access in policy [GLOBAL]Role::SpringClean-XUG3HH5R-SpringCleanStackSetExecutionR-D9DWX0EX1ZOA [InlinePolicyFullAdminAccess]	AWS Docs AWS Docs Organization GuardRail Blog AWS Docs
IAM.	2	Compliant	[rootConsoleLogin30days] [rootConsoleLoginFail3x]
IAM.	3	Compliant	[rootHasAccessKey]
IAM.	4	Need Attention	[rootMfaActive] - Enable MFA on root user [GLOBAL]User::root_id	AWS MFA IAM Best Practices
IAM.	5	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IAM.	6	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
DP.	1	Need Attention	[MacieToEnable] - Enable Macie [ap-northeast-1]Macie [ap-northeast-2]Macie [ap-northeast-3]Macie [ap-south-1]Macie [ap-southeast-2]Macie [ca-central-1]Macie [eu-central-1]Macie [eu-north-1]Macie [eu-west-1]Macie [eu-west-2]Macie [eu-west-3]Macie [sa-east-1]Macie [us-east-1]Macie [us-east-2]Macie [us-west-1]Macie [us-west-2]Macie	Getting started with Amazon Macie
DP.	2	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
DP.	3	Compliant	[PublicAccessBlock]
DP.	4	Need Attention	[BucketVersioning] - Enable Versioning [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296	AWS Docs Manage Versioning Example
DP.	5	Need Attention	[MFADelete] - Enable MFA Delete [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296	Prevention for Accidental Deletions on S3 AWS Docs
DP.	6	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
DP.	7	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
DP.	8	Need Attention	[DBwithoutSecretManager] [DBwithSomeSecretsManagerOnly] [Secret__NoRotation] - Setup auto-rotation [us-east-1]SecretsManager::admin_cow_secret [Secret__NotUsed7days] - Review & Remove unused secrets [us-east-1]SecretsManager::admin_cow_secret	Managed Secret Rotation Delete a secet
DP.	9	Compliant	[ServerSideEncrypted]
DP.	10	Compliant	[lambdaPublicAccess]
DP.	11	Need Attention	[KeyRotationEnabled] - Enable Key Rotation [ap-southeast-1]5d1b8bdf-8f89-42e1-85be-32f95811c17d [us-east-1]a2b67230-2e44-41c3-9176-ae9abaa920a0	Enable CMK Rotation
DP.	12	Compliant	[AdminIsGrantor]
DP.	13	Compliant	[SnapshotRDSIsPublic] [snapshotEBSIsPublic]
DP.	14	Need Attention	[ELBSGRulesMatch] - ALB SG Rules Config [ap-southeast-5]ELB::ecs-te-Publi-06Wsj9bSgyQF	Security groups for Applicatoin Load Balancers
DP.	15	Compliant	[SQLServerEOL]
DP.	16	Compliant	[PubliclyAccessible] [SecurityGroupIPRangeNotPrivateCidr]
LM.	1	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
LM.	2	Compliant	[NeedToEnableCloudTrail]
LM.	3	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
LM.	4	Need Attention	[CloudWatchLogsLogGroupArn] - CloudWatch for CloudTrail [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE	Using CloudWatch Logs with CloudTrail
LM.	5	Compliant	[HasOneMultiRegionTrail]
LM.	6	Need Attention	[MacieToEnable] - Enable Macie [ap-northeast-1]Macie [ap-northeast-2]Macie [ap-northeast-3]Macie [ap-south-1]Macie [ap-southeast-2]Macie [ca-central-1]Macie [eu-central-1]Macie [eu-north-1]Macie [eu-west-1]Macie [eu-west-2]Macie [eu-west-3]Macie [sa-east-1]Macie [us-east-1]Macie [us-east-2]Macie [us-west-1]Macie [us-west-2]Macie	Getting started with Amazon Macie
LM.	7	Need Attention	[EnableTrailS3BucketLogging] - Enable S3 Bucket Logging [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::mys3buckettrail	Configure S3 Logging Resilience in CloudTrail
LM.	8	Need Attention	[EnableTrailS3BucketMFADelete] - Enable MFA delete [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::mys3buckettrail	S3 Enable MFA Delete Delete with MFA enabled file in S3
LM.	9	Compliant	[ServerSideEncrypted]
LM.	10	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
LM.	11	Compliant	[supportPlanLowTier]
LM.	12	Need Attention	[BucketLogging] - Enable Server Access Logging [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296	AWS Docs
LM.	13	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
LM.	14	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
LM.	15	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IP.	1	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IP.	2	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IP.	3	Compliant	[enableGuardDuty]
IP.	4	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IP.	5	Need Attention	[EC2InstanceAutoPublicIP] - EC2 with Auto Assign IP [ap-southeast-5]EC2::i-0d3a7302b927b49bb	Amazon EC2 public IP
IP.	6	Need Attention	[EC2SubnetAutoPublicIP] - EC2 Subnet with Auto Assign IP [ap-southeast-5]EC2::i-0d3a7302b927b49bb [us-west-2]EC2::i-0b59b7cd02dba50a8	Amazon EC2 public IP
IP.	7	Need Attention	[WAFAssociation] [ELBEnableWAF] - ALB Web Application Firewall [ap-southeast-5]ELB::ecs-te-Publi-06Wsj9bSgyQF	AWS WAF for Applicatoin Load Balancers
IP.	8	Need Attention	[EnableTrailS3BucketMFADelete] - Enable MFA delete [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::mys3buckettrail	S3 Enable MFA Delete Delete with MFA enabled file in S3
IP.	9	Need Attention	[DBwithoutSecretManager] [DBwithSomeSecretsManagerOnly] [Secret__NoRotation] - Setup auto-rotation [us-east-1]SecretsManager::admin_cow_secret [Secret__NotUsed7days] - Review & Remove unused secrets [us-east-1]SecretsManager::admin_cow_secret	Managed Secret Rotation Delete a secet
IP.	10	Need Attention	[SGDefaultDisallowTraffic] - Default Security Group with Rules [ap-northeast-1]SG::sg-0a9a9f1599f78e648 [ap-northeast-2]SG::sg-0e2f6a031113c6c65 [ap-northeast-3]SG::sg-0f1c015386fdeaef2 [ap-south-1]SG::sg-0ce181aa24e2327a0 [ap-southeast-1]SG::sg-0c82e152ce9347073, SG::sg-0442088071f74e66b [ap-southeast-2]SG::sg-06a87caeacb9bdc1c [ap-southeast-3]SG::sg-09c69789992976af0, SG::sg-07d450b94849d4deb [ap-southeast-5]SG::sg-0340a45e7f6dfdeef, SG::sg-0cdece98aec7d1e6c [ca-central-1]SG::sg-0807269705e2a7bce [eu-central-1]SG::sg-061edeb40615f37d8 [eu-north-1]SG::sg-0224dd542e0e0a188 [eu-west-1]SG::sg-0ee2cf797712225c6 [eu-west-2]SG::sg-0d712926de8d430e0 [eu-west-3]SG::sg-0d057db4a24c667d8 [sa-east-1]SG::sg-06a16f5c401b779ea [us-east-1]SG::sg-0f4d456d65b49cbcc, SG::sg-0562190d9d9c154da, SG::sg-0fe800a9602ab25ff [us-east-2]SG::sg-05b1211873efb1066 [us-west-1]SG::sg-0ac2b6884d3c7f382 [us-west-2]SG::sg-037dcb16366f739b8 [SecurityGroupDefault] - Create custom Security Group [us-east-1]RDS_SG::sg-0fe800a9602ab25ff	VPC default security group rules Default Security Group
IP.	11	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IP.	12	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IP.	13	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IP.	14	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IP.	15	Compliant	[ASGIMDSv2]
IP.	16	Compliant	[lambdaRuntimeUpdate]
IR.	1	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IR.	2	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IR.	3	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IR.	4	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IR.	5	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IR.	6	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IR.	7	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IR.	8	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IR.	9	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IR.	10	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.
IR.	11	Not available	Please refer to the Partner Security Requirement (PSR) ID section for further details in the main sheet in the Partner Migration Security Requirements (MSR) sheet. Kindly upload the artefacts in the Artefacts tabs in the MSR sheet corresponding to the respective PSR ID.