| 10.18 | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.18 | 2 | Compliant | - [CachingEnabled]
- [EncryptionAtRest]
| |
| 10.18 | 3 | Compliant | - [EncryptionInTransit]
| |
| 10.18 | 4 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.18 | 5 | Need Attention | - [NeedToEnableCloudTrail]
- [EnableCloudTrailLogging]
- [HasOneMultiRegionTrail]
- [LogFileValidationEnabled]
- [RequiresKmsKey] - Enable SSE
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::aws-controltower-BaselineCloudTrail
| Encrypt CloudTrail using AWS KMS
CloudTrail Security Best Practices |
| 10.18 | 6 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.18 | 7 | Need Attention | - [KeyRotationEnabled] - Enable Key Rotation
- [ap-southeast-1]5d1b8bdf-8f89-42e1-85be-32f95811c17d
- [us-east-1]a2b67230-2e44-41c3-9176-ae9abaa920a0
| Enable CMK Rotation |
| 10.18 | 8 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.18 | 9 | Need Attention | - [EBSEncrypted] - Enable EBS Encryption
- [ap-southeast-5]EBS::vol-088df622bcebd7a03
- [us-west-2]EBS::vol-058a9449d61cf9461
| Best practices for Amazon EC2 |
| 10.18 | 10 | Compliant | - [EncryptedAtRest]
| |
| 10.18 | 11 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.18 | 12 | Need Attention | - [EBSEncrypted] - Enable EBS Encryption
- [ap-southeast-5]EBS::vol-088df622bcebd7a03
- [us-west-2]EBS::vol-058a9449d61cf9461
| Best practices for Amazon EC2 |
| 10.18 | 13 | Compliant | - [KeyInPendingDeletion]
| |
| 10.18 | 14 | Compliant | - [EncyptionAtRest]
| |
| 10.18 | 15 | Compliant | - [TLSEnforced]
| |
| 10.18 | 16 | Compliant | - [NodeToNodeEncryption]
| |
| 10.18 | 17 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.18 | 18 | Compliant | - [StorageEncrypted]
| |
| 10.18 | 19 | Compliant | - [EncryptedAtRest]
- [AuditLogging]
| |
| 10.18 | 20 | Compliant | - [EncryptedWithKMS]
| |
| 10.18 | 21 | Compliant | - [EncryptedInTransit]
| |
| 10.18 | 22 | Compliant | - [ServerSideEncrypted]
| |
| 10.18 | 23 | Need Attention | - [TlsEnforced] - Enforce Encryption of Data in Transit
- [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory
- [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket
- [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296
| AWS Docs |
| 10.18 | 24 | Compliant | - [SSEWithKMS]
| |
| 10.18 | 25 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.18 | 26 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.18 | 27 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.18 | 28 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.2 | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.2 | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.27 | 1 | Compliant | - [ASGELBHealthCheckEnabled]
| |
| 10.27 | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.27 | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.27 | 4 | Compliant | - [trailWithoutCWLogs]
| |
| 10.27 | 5 | Compliant | - [rcuServiceLimit]
- [wcuServiceLimit]
| |
| 10.27 | 6 | Need Attention | - [EC2DetailedMonitor] - EC2 Detailed Monitoring
- [ap-southeast-5]EC2::i-0d3a7302b927b49bb
- [us-west-2]EC2::i-0b59b7cd02dba50a8
| Enable Detailed Monitoring |
| 10.27 | 7 | Need Attention | - [lambdaReservedConcurrencyDisabled] - Provisioned Concurrency Disabled
- [us-east-1]Lambda::CidCustomResourceDashboard, Lambda::CidProcessPath-DoNotRun, Lambda::SpringClean-XUG3HH5R-FeatureCheckerFunction-3k0VXgENM2bp, Lambda::cid-CID-Analytics, Lambda::SpringClean-XUG3HH5R-SpringCleanLambda-0qeMWlCDlvit, Lambda::SpringClean-XUG3HH5R-SesVerifyEmailFunction-IVk9Ime4YTt0, Lambda::CidInitialSetup-DoNotRun, Lambda::SpringClean-XUG3HH5R-AutoUpdateLambda-snXPd3AyenOf
| Configuring provisioned concurrency |
| 10.27 | 8 | Compliant | - [ApplicationLogs]
| |
| 10.27 | 9 | Need Attention | - [EnhancedMonitor] - Enable Enhanced Monitoring
- [us-east-1]aurora-mysql::Cluster=myaurora-mysql-ww
| Enable Enhanced Monitoring |
| 10.34 | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.34 | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.35 | 1 | Compliant | - [XRayTracing]
| |
| 10.35 | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.35 | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.35 | 4 | Need Attention | - [VPCFlowLogEnabled] - Enable VPC Flow Log
- [ap-northeast-1]VPC::vpc-0ab3a8658cd25c109
- [ap-northeast-2]VPC::vpc-0ae9b620559740d70
- [ap-northeast-3]VPC::vpc-06245ca22ea93c96c
- [ap-south-1]VPC::vpc-08fefc19c6abd7d80
- [ap-southeast-1]VPC::vpc-065c917cd817f427e, VPC::vpc-06363c3059916c90e
- [ap-southeast-2]VPC::vpc-0df2ab7aba940c834
- [ap-southeast-3]VPC::vpc-0652d450f2ab35cd2, VPC::vpc-0ffbb3d6d50b9623a
- [ap-southeast-5]VPC::vpc-021cbde25259594b9, VPC::vpc-0ce9c0784ff09b6b1
- [ca-central-1]VPC::vpc-0b24c79e1f3663bd9
- [eu-central-1]VPC::vpc-054f84d91b4742c04
- [eu-north-1]VPC::vpc-085ff029f3856da68
- [eu-west-1]VPC::vpc-030d57af9ec0578bd
- [eu-west-2]VPC::vpc-085d0e0d5a07e9174
- [eu-west-3]VPC::vpc-01ee905f628fedbe1
- [sa-east-1]VPC::vpc-0a2a2cba040ba08c5
- [us-east-1]VPC::vpc-070496984d34d0248, VPC::vpc-0ba693df999b2fbc8
- [us-east-2]VPC::vpc-068471871ab842bb8
- [us-west-1]VPC::vpc-06acdacf8c135f707
- [us-west-2]VPC::vpc-004f7662a794496b9
| Amazon Elastic Compute Cloud controls |
| 10.36 | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.36 | 2 | Compliant | - [EncryptionInTransit]
| |
| 10.36 | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.36 | 4 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.36 | 5 | Compliant | - [ELBCrossZone]
| |
| 10.38 | 1 | Need Attention | - [SetRetentionDays] - Set retention days
- [ap-southeast-1]Log::/aws-glue/crawlers, Log::/aws/lambda/AthenaCURMonthlyStack-AWSCURInitializer-gyhMOAhcBfJE, Log::/aws/lambda/AthenaCURMonthlyStack-AWSS3CURNotification-q651HK0jLpgE, Log::/aws/lambda/AthenaCURdailyStack-AWSCURInitializer-vLgwN5me52VP, Log::/aws/lambda/AthenaCURdailyStack-AWSS3CURNotification-t7HCb9uvReM9, Log::/aws/lambda/CURathenaStack-AWSCURInitializer-WmxJnth9Od47, Log::/aws/lambda/CURathenaStack-AWSS3CURNotification-jTY5a4Z3lgcA, Log::/aws/lambda/SO0111-SHARR-CustomAction, Log::/aws/lambda/aws-security-hub-automate-WaitProviderFunction3D90-2e6tueuCJ9Vl, Log::ECS-RefArch-CF-/var/log/dmesg, Log::ECS-RefArch-CF-/var/log/docker, Log::ECS-RefArch-CF-/var/log/messages, Log::aws-cloudtrail-logs-769655955296-5da8eb52
- [ap-southeast-2]Log::/aws-glue/crawlers, Log::/aws/lambda/AthenaCURDaily-AWSCURInitializer-9ydxqeP70Fsm, Log::/aws/lambda/AthenaCURDaily-AWSS3CURNotification-7wr3Z9bVENWm, Log::/aws/lambda/AthenaCURHourly-AWSCURInitializer-0F5Nh55AAFsA, Log::/aws/lambda/AthenaCURHourly-AWSS3CURNotification-qwSzSJPOJow7, Log::/aws/lambda/AthenaCURMonthly-AWSCURInitializer-4VRs1u1bUUVP, Log::/aws/lambda/AthenaCURMonthly-AWSS3CURNotification-MHDeGO7joDIk
- [us-east-1]Log::/aws-glue/crawlers, Log::/aws/lambda/CidCustomResourceDashboard, Log::/aws/lambda/CidInitialSetup-DoNotRun, Log::/aws/lambda/CidProcessPath-DoNotRun, Log::/aws/lambda/SendSecurityHubFullReportEmail, Log::/aws/lambda/SpringClean-XUG3HH5R-AutoUpdateLambda-snXPd3AyenOf, Log::/aws/lambda/SpringClean-XUG3HH5R-FeatureCheckerFunction-3k0VXgENM2bp, Log::/aws/lambda/SpringClean-XUG3HH5R-SesVerifyEmailFunction-IVk9Ime4YTt0, Log::/aws/lambda/SpringClean-XUG3HH5R-SpringCleanLambda-0qeMWlCDlvit, Log::/aws/lambda/cid-CID-Analytics, Log::/aws/qbusiness/9d185d75-710b-423d-8f62-65c3a6db74aa, Log::/aws/qbusiness/f284b82d-35be-494c-9f7c-22eaed4c9308, Log::/aws/sagemaker/Endpoints/jumpstart-example-infer-model-txt2img-s-2023-06-15-05-17-50-955, Log::/aws/sagemaker/Endpoints/jumpstart-example-infer-model-txt2img-s-2023-06-15-05-31-39-924, Log::/aws/sagemaker/TrainingJobs, Log::/aws/sagemaker/studio, Log::/ecs/aspnetcorefargatetask, Log::/var/log/messages
| CIS Cloudwatch Controls |
| 10.51 | 1 | Compliant | - [hasAccessKeyNoRotate90days]
| |
| 10.51 | 2 | Compliant | - [hasOrganization]
| |
| 10.51 | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 4 | Compliant | - [CachingEnabled]
- [EncryptionAtRest]
| |
| 10.51 | 5 | Compliant | - [EncryptionInTransit]
| |
| 10.51 | 6 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 7 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 8 | Need Attention | - [NeedToEnableCloudTrail]
- [EnableCloudTrailLogging]
- [HasOneMultiRegionTrail]
- [LogFileValidationEnabled]
- [RequiresKmsKey] - Enable SSE
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::aws-controltower-BaselineCloudTrail
| Encrypt CloudTrail using AWS KMS
CloudTrail Security Best Practices |
| 10.51 | 9 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 10 | Need Attention | - [KeyRotationEnabled] - Enable Key Rotation
- [ap-southeast-1]5d1b8bdf-8f89-42e1-85be-32f95811c17d
- [us-east-1]a2b67230-2e44-41c3-9176-ae9abaa920a0
| Enable CMK Rotation |
| 10.51 | 11 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 12 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 13 | Compliant | - [EBSSnapshotIsPublic]
| |
| 10.51 | 14 | Need Attention | - [EBSEncrypted] - Enable EBS Encryption
- [ap-southeast-5]EBS::vol-088df622bcebd7a03
- [us-west-2]EBS::vol-058a9449d61cf9461
| Best practices for Amazon EC2 |
| 10.51 | 15 | Need Attention | - [EC2InstancePublicIP] - EC2 with Public IP
- [ap-southeast-5]EC2::i-0d3a7302b927b49bb
| Amazon EC2 public IP |
| 10.51 | 16 | Compliant | - [EncryptedAtRest]
| |
| 10.51 | 17 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 18 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 19 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 20 | Need Attention | - [EBSEncrypted] - Enable EBS Encryption
- [ap-southeast-5]EBS::vol-088df622bcebd7a03
- [us-west-2]EBS::vol-058a9449d61cf9461
| Best practices for Amazon EC2 |
| 10.51 | 21 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 22 | Need Attention | - [InlinePolicy] - Use managed policies
- [GLOBAL]Role::AccessAnalyzerTrustedService, Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD, Role::AthenaCURdailyStack-AWSCURCrawlerLambdaExecutor-18PJXDZOQVUT8, Role::AthenaCURdailyStack-AWSS3CURLambdaExecutor-91GHL63BKDPJ, Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X, Role::AthenaCURMonthlyStack-AWSCURCrawlerLambdaExecutor-17MUZETRCHEGM, Role::AthenaCURMonthlyStack-AWSS3CURLambdaExecutor-19ZYBIKM90TK9, Role::AVMContainersUserRole, Role::aws-security-hub-automate-orchestratorRole12B410FD-1VFCRA5D658CQ, Role::aws-security-hub-automate-SNS2DeliveryStatusLoggin-1XB1ER18ZZ6IV, Role::awslogs.prod.kelex.molecule.toppatterns, Role::AWSReservedSSO_AWSServiceCatalogEndUserAccess_2f1286af87fe02c6, Role::AWSSupportPatchwork-ap-northeast-1-AutomationRole, Role::AWSSupportPatchwork-ap-northeast-2-AutomationRole, Role::AWSSupportPatchwork-ap-south-1-AutomationRole, Role::AWSSupportPatchwork-ap-southeast-1-AutomationRole, Role::AWSSupportPatchwork-ap-southeast-2-AutomationRole, Role::AWSSupportPatchwork-ca-central-1-AutomationRole, Role::AWSSupportPatchwork-eu-central-1-AutomationRole, Role::AWSSupportPatchwork-eu-north-1-AutomationRole, Role::AWSSupportPatchwork-eu-west-1-AutomationRole, Role::AWSSupportPatchwork-eu-west-2-AutomationRole, Role::AWSSupportPatchwork-eu-west-3-AutomationRole, Role::AWSSupportPatchwork-sa-east-1-AutomationRole, Role::AWSSupportPatchwork-us-east-1-AutomationRole, Role::AWSSupportPatchwork-us-east-2-AutomationRole, Role::AWSSupportPatchwork-us-west-1-AutomationRole, Role::AWSSupportPatchwork-us-west-2-AutomationRole, Role::CID-CUR-Destination-CIDLambdaAnalyticsRole-4lnxU3a60sr4, Role::CidExecRole, Role::CidQuickSightDataSourceRole, Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8, Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r, Role::CloudSecAuditRole, Role::CloudSeerTrustedServiceRole, Role::CodeGuruProfilerForwardToAmazonProfiler, Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02, Role::CURathenaStack-AWSCURCrawlerLambdaExecutor-WYW3Y5BXZGA, Role::CURathenaStack-AWSS3CURLambdaExecutor-YH390THQNEJX, Role::IMDSv2-automigrator, Role::OrthancRole, Role::SaltyTrustedService, Role::security-hub-format-LambdaExecutionRole-nFM8xh5M3MeA, Role::ShadowTrooperRole, Role::SO0111-CloudTrailToCloudWatchLogs, Role::SO0111-ConfigureS3BucketLogging, Role::SO0111-ConfigureS3BucketPublicAccessBlock, Role::SO0111-ConfigureS3PublicAccessBlock, Role::SO0111-ConfigureSNSTopicForStack, Role::SO0111-CreateAccessLoggingBucket, Role::SO0111-CreateCloudTrailMultiRegionTrail, Role::SO0111-CreateIAMSupportRole, Role::SO0111-CreateLogMetricFilterAndAlarm, Role::SO0111-DisablePublicAccessForSecurityGroup, Role::SO0111-DisablePublicAccessToRDSInstance, Role::SO0111-DisablePublicAccessToRedshiftCluster, Role::SO0111-DisablePublicIPAutoAssign, Role::SO0111-EnableAutomaticSnapshotsOnRedshiftCluster, Role::SO0111-EnableAutomaticVersionUpgradeOnRedshiftCluster, Role::SO0111-EnableAutoScalingGroupELBHealthCheck, Role::SO0111-EnableAWSConfig, Role::SO0111-EnableCloudTrailEncryption, Role::SO0111-EnableCloudTrailLogFileValidation, Role::SO0111-EnableCloudTrailToCloudWatchLogging, Role::SO0111-EnableCopyTagsToSnapshotOnRDSCluster, Role::SO0111-EnableDefaultEncryptionS3, Role::SO0111-EnableDeliveryStatusLoggingForSNSTopic, Role::SO0111-EnableEbsEncryptionByDefault, Role::SO0111-EnableEncryptionForSNSTopic, Role::SO0111-EnableEncryptionForSQSQueue, Role::SO0111-EnableEnhancedMonitoringOnRDSInstance, Role::SO0111-EnableKeyRotation, Role::SO0111-EnableMinorVersionUpgradeOnRDSDBInstance, Role::SO0111-EnableMultiAZOnRDSInstance, Role::SO0111-EnableRDSClusterDeletionProtection, Role::SO0111-EnableRDSInstanceDeletionProtection, Role::SO0111-EnableRedshiftClusterAuditLogging, Role::SO0111-EnableVPCFlowLogs, Role::SO0111-EnableVPCFlowLogs-remediationRole, Role::SO0111-EncryptRDSSnapshot, Role::SO0111-MakeEBSSnapshotsPrivate, Role::SO0111-MakeRDSSnapshotPrivate, Role::SO0111-RDSMonitoring-remediationRole, Role::SO0111-RemoveLambdaPublicAccess, Role::SO0111-RemoveVPCDefaultSecurityGroupRules, Role::SO0111-ReplaceCodeBuildClearTextCredentials, Role::SO0111-RevokeUnrotatedKeys, Role::SO0111-RevokeUnusedIAMUserCredentials, Role::SO0111-S3BlockDenylist, Role::SO0111-SetIAMPasswordPolicy, Role::SO0111-SetSSLBucketPolicy, Role::SO0111-SHARR-Orchestrator-Member, Role::SpringClean-XUG3HH5R-AutoUpdateElevatedRole-1IM6AYMGMCA35, Role::SpringClean-XUG3HH5R-AutoUpdateRole-20LWKR871KYY, Role::SpringClean-XUG3HH5R-FeatureCheckerFunctionRole-1AH36Y9VYP822, Role::SpringClean-XUG3HH5R-SesVerifyEmailFunctionRole-1TXMG47957RRG, Role::SpringClean-XUG3HH5R-SpringCleanRole-LMVT7YWUT75Y, Role::SpringClean-XUG3HH5R-SpringCleanStackSetAdministra-QIMZ48DM5OFV, Role::SpringClean-XUG3HH5R-SpringCleanStackSetExecutionR-D9DWX0EX1ZOA, Role::testCarbonRole, Role::TurtleRoleManagement, Role::vpcflowCWrole
| AWS Docs |
| 10.51 | 23 | Need Attention | - [passwordPolicy] - Set a custom password policy.
- [passwordPolicyWeak]
| IAM Password Policy |
| 10.51 | 24 | Need Attention | - [FullAdminAccess] - Limit permissions.
- [GLOBAL]Role::Admin, Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0, Role::ww_augnhtrole, Group::admin-group
- [ManagedPolicyFullAccessOneServ] - Limit permissions.
- [GLOBAL]Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD, Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X, Role::AWSReservedSSO_AWSPowerUserAccess_00098b9536c9ffa7, Role::Cloud-Intelligence-Dashbo-ProcessPathLambdaExecutio-4v29TjzrvQTv, Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8, Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r, Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02, Role::MarketplaceFullAccess, Role::OrthancRole
| AWS Docs
Organization GuardRail Blog
AWS Docs |
| 10.51 | 25 | Compliant | - [rootHasAccessKey]
| |
| 10.51 | 26 | Compliant | - [userNotUsingGroup]
| |
| 10.51 | 27 | Need Attention | - [rootMfaActive] - Enable MFA on root user
- [mfaActive]
| AWS MFA
IAM Best Practices |
| 10.51 | 28 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 29 | Compliant | - [consoleLastAccess90]
| |
| 10.51 | 30 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 31 | Compliant | - [KeyInPendingDeletion]
| |
| 10.51 | 32 | Compliant | - [lambdaPublicAccess]
| |
| 10.51 | 33 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 34 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 35 | Compliant | - [EncyptionAtRest]
| |
| 10.51 | 36 | Compliant | - [TLSEnforced]
| |
| 10.51 | 37 | Compliant | - [DomainWithinVPC]
| |
| 10.51 | 38 | Compliant | - [NodeToNodeEncryption]
| |
| 10.51 | 39 | Compliant | - [PubliclyAccessible]
| |
| 10.51 | 40 | Compliant | - [SnapshotRDSIsPublic]
| |
| 10.51 | 41 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 42 | Compliant | - [StorageEncrypted]
| |
| 10.51 | 43 | Compliant | - [EncryptedAtRest]
- [AuditLogging]
| |
| 10.51 | 44 | Compliant | - [EncryptedWithKMS]
| |
| 10.51 | 45 | Compliant | - [PubliclyAccessible]
| |
| 10.51 | 46 | Compliant | - [EnhancedVpcRouting]
| |
| 10.51 | 47 | Compliant | - [EncryptedInTransit]
| |
| 10.51 | 48 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 49 | Need Attention | - [rootMfaActive] - Enable MFA on root user
| AWS MFA
IAM Best Practices |
| 10.51 | 50 | Compliant | - [S3AccountPublicAccessBlock]
| |
| 10.51 | 51 | Compliant | - [PublicReadAccessBlock]
| |
| 10.51 | 52 | Compliant | - [PublicWriteAccessBlock]
| |
| 10.51 | 53 | Compliant | - [ServerSideEncrypted]
| |
| 10.51 | 54 | Need Attention | - [TlsEnforced] - Enforce Encryption of Data in Transit
- [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory
- [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket
- [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296
| AWS Docs |
| 10.51 | 55 | Compliant | - [SSEWithKMS]
| |
| 10.51 | 56 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 57 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 58 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 59 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 60 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.51 | 61 | Need Attention | - [EC2SubnetAutoPublicIP] - EC2 Subnet with Auto Assign IP
- [ap-southeast-5]EC2::i-0d3a7302b927b49bb
- [us-west-2]EC2::i-0b59b7cd02dba50a8
| Amazon EC2 public IP |
| 10.52 | 1 | Compliant | - [hasAccessKeyNoRotate90days]
| |
| 10.52 | 2 | Compliant | - [hasOrganization]
| |
| 10.52 | 3 | Compliant | - [EC2IamProfile]
| |
| 10.52 | 4 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.52 | 5 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.52 | 6 | Need Attention | - [InlinePolicy] - Use managed policies
- [GLOBAL]Role::AccessAnalyzerTrustedService, Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD, Role::AthenaCURdailyStack-AWSCURCrawlerLambdaExecutor-18PJXDZOQVUT8, Role::AthenaCURdailyStack-AWSS3CURLambdaExecutor-91GHL63BKDPJ, Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X, Role::AthenaCURMonthlyStack-AWSCURCrawlerLambdaExecutor-17MUZETRCHEGM, Role::AthenaCURMonthlyStack-AWSS3CURLambdaExecutor-19ZYBIKM90TK9, Role::AVMContainersUserRole, Role::aws-security-hub-automate-orchestratorRole12B410FD-1VFCRA5D658CQ, Role::aws-security-hub-automate-SNS2DeliveryStatusLoggin-1XB1ER18ZZ6IV, Role::awslogs.prod.kelex.molecule.toppatterns, Role::AWSReservedSSO_AWSServiceCatalogEndUserAccess_2f1286af87fe02c6, Role::AWSSupportPatchwork-ap-northeast-1-AutomationRole, Role::AWSSupportPatchwork-ap-northeast-2-AutomationRole, Role::AWSSupportPatchwork-ap-south-1-AutomationRole, Role::AWSSupportPatchwork-ap-southeast-1-AutomationRole, Role::AWSSupportPatchwork-ap-southeast-2-AutomationRole, Role::AWSSupportPatchwork-ca-central-1-AutomationRole, Role::AWSSupportPatchwork-eu-central-1-AutomationRole, Role::AWSSupportPatchwork-eu-north-1-AutomationRole, Role::AWSSupportPatchwork-eu-west-1-AutomationRole, Role::AWSSupportPatchwork-eu-west-2-AutomationRole, Role::AWSSupportPatchwork-eu-west-3-AutomationRole, Role::AWSSupportPatchwork-sa-east-1-AutomationRole, Role::AWSSupportPatchwork-us-east-1-AutomationRole, Role::AWSSupportPatchwork-us-east-2-AutomationRole, Role::AWSSupportPatchwork-us-west-1-AutomationRole, Role::AWSSupportPatchwork-us-west-2-AutomationRole, Role::CID-CUR-Destination-CIDLambdaAnalyticsRole-4lnxU3a60sr4, Role::CidExecRole, Role::CidQuickSightDataSourceRole, Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8, Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r, Role::CloudSecAuditRole, Role::CloudSeerTrustedServiceRole, Role::CodeGuruProfilerForwardToAmazonProfiler, Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02, Role::CURathenaStack-AWSCURCrawlerLambdaExecutor-WYW3Y5BXZGA, Role::CURathenaStack-AWSS3CURLambdaExecutor-YH390THQNEJX, Role::IMDSv2-automigrator, Role::OrthancRole, Role::SaltyTrustedService, Role::security-hub-format-LambdaExecutionRole-nFM8xh5M3MeA, Role::ShadowTrooperRole, Role::SO0111-CloudTrailToCloudWatchLogs, Role::SO0111-ConfigureS3BucketLogging, Role::SO0111-ConfigureS3BucketPublicAccessBlock, Role::SO0111-ConfigureS3PublicAccessBlock, Role::SO0111-ConfigureSNSTopicForStack, Role::SO0111-CreateAccessLoggingBucket, Role::SO0111-CreateCloudTrailMultiRegionTrail, Role::SO0111-CreateIAMSupportRole, Role::SO0111-CreateLogMetricFilterAndAlarm, Role::SO0111-DisablePublicAccessForSecurityGroup, Role::SO0111-DisablePublicAccessToRDSInstance, Role::SO0111-DisablePublicAccessToRedshiftCluster, Role::SO0111-DisablePublicIPAutoAssign, Role::SO0111-EnableAutomaticSnapshotsOnRedshiftCluster, Role::SO0111-EnableAutomaticVersionUpgradeOnRedshiftCluster, Role::SO0111-EnableAutoScalingGroupELBHealthCheck, Role::SO0111-EnableAWSConfig, Role::SO0111-EnableCloudTrailEncryption, Role::SO0111-EnableCloudTrailLogFileValidation, Role::SO0111-EnableCloudTrailToCloudWatchLogging, Role::SO0111-EnableCopyTagsToSnapshotOnRDSCluster, Role::SO0111-EnableDefaultEncryptionS3, Role::SO0111-EnableDeliveryStatusLoggingForSNSTopic, Role::SO0111-EnableEbsEncryptionByDefault, Role::SO0111-EnableEncryptionForSNSTopic, Role::SO0111-EnableEncryptionForSQSQueue, Role::SO0111-EnableEnhancedMonitoringOnRDSInstance, Role::SO0111-EnableKeyRotation, Role::SO0111-EnableMinorVersionUpgradeOnRDSDBInstance, Role::SO0111-EnableMultiAZOnRDSInstance, Role::SO0111-EnableRDSClusterDeletionProtection, Role::SO0111-EnableRDSInstanceDeletionProtection, Role::SO0111-EnableRedshiftClusterAuditLogging, Role::SO0111-EnableVPCFlowLogs, Role::SO0111-EnableVPCFlowLogs-remediationRole, Role::SO0111-EncryptRDSSnapshot, Role::SO0111-MakeEBSSnapshotsPrivate, Role::SO0111-MakeRDSSnapshotPrivate, Role::SO0111-RDSMonitoring-remediationRole, Role::SO0111-RemoveLambdaPublicAccess, Role::SO0111-RemoveVPCDefaultSecurityGroupRules, Role::SO0111-ReplaceCodeBuildClearTextCredentials, Role::SO0111-RevokeUnrotatedKeys, Role::SO0111-RevokeUnusedIAMUserCredentials, Role::SO0111-S3BlockDenylist, Role::SO0111-SetIAMPasswordPolicy, Role::SO0111-SetSSLBucketPolicy, Role::SO0111-SHARR-Orchestrator-Member, Role::SpringClean-XUG3HH5R-AutoUpdateElevatedRole-1IM6AYMGMCA35, Role::SpringClean-XUG3HH5R-AutoUpdateRole-20LWKR871KYY, Role::SpringClean-XUG3HH5R-FeatureCheckerFunctionRole-1AH36Y9VYP822, Role::SpringClean-XUG3HH5R-SesVerifyEmailFunctionRole-1TXMG47957RRG, Role::SpringClean-XUG3HH5R-SpringCleanRole-LMVT7YWUT75Y, Role::SpringClean-XUG3HH5R-SpringCleanStackSetAdministra-QIMZ48DM5OFV, Role::SpringClean-XUG3HH5R-SpringCleanStackSetExecutionR-D9DWX0EX1ZOA, Role::testCarbonRole, Role::TurtleRoleManagement, Role::vpcflowCWrole
| AWS Docs |
| 10.52 | 7 | Need Attention | - [passwordPolicy] - Set a custom password policy.
- [passwordPolicyWeak]
| IAM Password Policy |
| 10.52 | 8 | Need Attention | - [FullAdminAccess] - Limit permissions.
- [GLOBAL]Role::Admin, Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0, Role::ww_augnhtrole, Group::admin-group
- [ManagedPolicyFullAccessOneServ] - Limit permissions.
- [GLOBAL]Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD, Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X, Role::AWSReservedSSO_AWSPowerUserAccess_00098b9536c9ffa7, Role::Cloud-Intelligence-Dashbo-ProcessPathLambdaExecutio-4v29TjzrvQTv, Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8, Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r, Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02, Role::MarketplaceFullAccess, Role::OrthancRole
| AWS Docs
Organization GuardRail Blog
AWS Docs |
| 10.52 | 9 | Compliant | - [rootHasAccessKey]
| |
| 10.52 | 10 | Compliant | - [userNotUsingGroup]
| |
| 10.52 | 11 | Compliant | - [mfaActive]
| |
| 10.52 | 12 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.52 | 13 | Compliant | - [consoleLastAccess90]
| |
| 10.52 | 14 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.52 | 15 | Need Attention | - [rootMfaActive] - Enable MFA on root user
| AWS MFA
IAM Best Practices |
| 10.53(b)(h)(i) | 1 | Compliant | - [rootHasAccessKey]
| |
| 10.53(b) | 1 | Compliant | - [EC2IamProfile]
| |
| 10.53(b) | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.53(b) | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.53(b) | 4 | Need Attention | - [InlinePolicy] - Use managed policies
- [GLOBAL]Role::AccessAnalyzerTrustedService, Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD, Role::AthenaCURdailyStack-AWSCURCrawlerLambdaExecutor-18PJXDZOQVUT8, Role::AthenaCURdailyStack-AWSS3CURLambdaExecutor-91GHL63BKDPJ, Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X, Role::AthenaCURMonthlyStack-AWSCURCrawlerLambdaExecutor-17MUZETRCHEGM, Role::AthenaCURMonthlyStack-AWSS3CURLambdaExecutor-19ZYBIKM90TK9, Role::AVMContainersUserRole, Role::aws-security-hub-automate-orchestratorRole12B410FD-1VFCRA5D658CQ, Role::aws-security-hub-automate-SNS2DeliveryStatusLoggin-1XB1ER18ZZ6IV, Role::awslogs.prod.kelex.molecule.toppatterns, Role::AWSReservedSSO_AWSServiceCatalogEndUserAccess_2f1286af87fe02c6, Role::AWSSupportPatchwork-ap-northeast-1-AutomationRole, Role::AWSSupportPatchwork-ap-northeast-2-AutomationRole, Role::AWSSupportPatchwork-ap-south-1-AutomationRole, Role::AWSSupportPatchwork-ap-southeast-1-AutomationRole, Role::AWSSupportPatchwork-ap-southeast-2-AutomationRole, Role::AWSSupportPatchwork-ca-central-1-AutomationRole, Role::AWSSupportPatchwork-eu-central-1-AutomationRole, Role::AWSSupportPatchwork-eu-north-1-AutomationRole, Role::AWSSupportPatchwork-eu-west-1-AutomationRole, Role::AWSSupportPatchwork-eu-west-2-AutomationRole, Role::AWSSupportPatchwork-eu-west-3-AutomationRole, Role::AWSSupportPatchwork-sa-east-1-AutomationRole, Role::AWSSupportPatchwork-us-east-1-AutomationRole, Role::AWSSupportPatchwork-us-east-2-AutomationRole, Role::AWSSupportPatchwork-us-west-1-AutomationRole, Role::AWSSupportPatchwork-us-west-2-AutomationRole, Role::CID-CUR-Destination-CIDLambdaAnalyticsRole-4lnxU3a60sr4, Role::CidExecRole, Role::CidQuickSightDataSourceRole, Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8, Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r, Role::CloudSecAuditRole, Role::CloudSeerTrustedServiceRole, Role::CodeGuruProfilerForwardToAmazonProfiler, Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02, Role::CURathenaStack-AWSCURCrawlerLambdaExecutor-WYW3Y5BXZGA, Role::CURathenaStack-AWSS3CURLambdaExecutor-YH390THQNEJX, Role::IMDSv2-automigrator, Role::OrthancRole, Role::SaltyTrustedService, Role::security-hub-format-LambdaExecutionRole-nFM8xh5M3MeA, Role::ShadowTrooperRole, Role::SO0111-CloudTrailToCloudWatchLogs, Role::SO0111-ConfigureS3BucketLogging, Role::SO0111-ConfigureS3BucketPublicAccessBlock, Role::SO0111-ConfigureS3PublicAccessBlock, Role::SO0111-ConfigureSNSTopicForStack, Role::SO0111-CreateAccessLoggingBucket, Role::SO0111-CreateCloudTrailMultiRegionTrail, Role::SO0111-CreateIAMSupportRole, Role::SO0111-CreateLogMetricFilterAndAlarm, Role::SO0111-DisablePublicAccessForSecurityGroup, Role::SO0111-DisablePublicAccessToRDSInstance, Role::SO0111-DisablePublicAccessToRedshiftCluster, Role::SO0111-DisablePublicIPAutoAssign, Role::SO0111-EnableAutomaticSnapshotsOnRedshiftCluster, Role::SO0111-EnableAutomaticVersionUpgradeOnRedshiftCluster, Role::SO0111-EnableAutoScalingGroupELBHealthCheck, Role::SO0111-EnableAWSConfig, Role::SO0111-EnableCloudTrailEncryption, Role::SO0111-EnableCloudTrailLogFileValidation, Role::SO0111-EnableCloudTrailToCloudWatchLogging, Role::SO0111-EnableCopyTagsToSnapshotOnRDSCluster, Role::SO0111-EnableDefaultEncryptionS3, Role::SO0111-EnableDeliveryStatusLoggingForSNSTopic, Role::SO0111-EnableEbsEncryptionByDefault, Role::SO0111-EnableEncryptionForSNSTopic, Role::SO0111-EnableEncryptionForSQSQueue, Role::SO0111-EnableEnhancedMonitoringOnRDSInstance, Role::SO0111-EnableKeyRotation, Role::SO0111-EnableMinorVersionUpgradeOnRDSDBInstance, Role::SO0111-EnableMultiAZOnRDSInstance, Role::SO0111-EnableRDSClusterDeletionProtection, Role::SO0111-EnableRDSInstanceDeletionProtection, Role::SO0111-EnableRedshiftClusterAuditLogging, Role::SO0111-EnableVPCFlowLogs, Role::SO0111-EnableVPCFlowLogs-remediationRole, Role::SO0111-EncryptRDSSnapshot, Role::SO0111-MakeEBSSnapshotsPrivate, Role::SO0111-MakeRDSSnapshotPrivate, Role::SO0111-RDSMonitoring-remediationRole, Role::SO0111-RemoveLambdaPublicAccess, Role::SO0111-RemoveVPCDefaultSecurityGroupRules, Role::SO0111-ReplaceCodeBuildClearTextCredentials, Role::SO0111-RevokeUnrotatedKeys, Role::SO0111-RevokeUnusedIAMUserCredentials, Role::SO0111-S3BlockDenylist, Role::SO0111-SetIAMPasswordPolicy, Role::SO0111-SetSSLBucketPolicy, Role::SO0111-SHARR-Orchestrator-Member, Role::SpringClean-XUG3HH5R-AutoUpdateElevatedRole-1IM6AYMGMCA35, Role::SpringClean-XUG3HH5R-AutoUpdateRole-20LWKR871KYY, Role::SpringClean-XUG3HH5R-FeatureCheckerFunctionRole-1AH36Y9VYP822, Role::SpringClean-XUG3HH5R-SesVerifyEmailFunctionRole-1TXMG47957RRG, Role::SpringClean-XUG3HH5R-SpringCleanRole-LMVT7YWUT75Y, Role::SpringClean-XUG3HH5R-SpringCleanStackSetAdministra-QIMZ48DM5OFV, Role::SpringClean-XUG3HH5R-SpringCleanStackSetExecutionR-D9DWX0EX1ZOA, Role::testCarbonRole, Role::TurtleRoleManagement, Role::vpcflowCWrole
| AWS Docs |
| 10.53(b) | 5 | Need Attention | - [FullAdminAccess] - Limit permissions.
- [GLOBAL]Role::Admin, Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0, Role::ww_augnhtrole, Group::admin-group
- [ManagedPolicyFullAccessOneServ] - Limit permissions.
- [GLOBAL]Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD, Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X, Role::AWSReservedSSO_AWSPowerUserAccess_00098b9536c9ffa7, Role::Cloud-Intelligence-Dashbo-ProcessPathLambdaExecutio-4v29TjzrvQTv, Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8, Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r, Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02, Role::MarketplaceFullAccess, Role::OrthancRole
| AWS Docs
Organization GuardRail Blog
AWS Docs |
| 10.53(b) | 6 | Compliant | - [userNotUsingGroup]
| |
| 10.53(b) | 7 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.53(c)(f) | 1 | Need Attention | - [passwordPolicy] - Set a custom password policy.
- [passwordPolicyWeak]
| IAM Password Policy |
| 10.53(f)(h) | 1 | Compliant | - [mfaActive]
| |
| 10.53(f)(h) | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.53(f)(h) | 3 | Need Attention | - [rootMfaActive] - Enable MFA on root user
| AWS MFA
IAM Best Practices |
| 10.54 | 1 | Compliant | - [mfaActive]
| |
| 10.54 | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.54 | 3 | Need Attention | - [rootMfaActive] - Enable MFA on root user
| AWS MFA
IAM Best Practices |
| 10.55 | 1 | Need Attention | - [passwordPolicy] - Set a custom password policy.
- [passwordPolicyWeak]
| IAM Password Policy |
| 10.56 | 1 | Compliant | - [mfaActive]
| |
| 10.56 | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.56 | 3 | Need Attention | - [rootMfaActive] - Enable MFA on root user
| AWS MFA
IAM Best Practices |
| 10.59 | 1 | Compliant | - [hasAccessKeyNoRotate90days]
| |
| 10.59 | 2 | Compliant | - [hasOrganization]
| |
| 10.59 | 3 | Compliant | - [ExecutionLogging]
| |
| 10.59 | 4 | Need Attention | - [EnableTrailS3BucketLogging] - Enable S3 Bucket Logging
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::mys3buckettrail
| Configure S3 Logging
Resilience in CloudTrail |
| 10.59 | 5 | Need Attention | - [NeedToEnableCloudTrail]
- [EnableCloudTrailLogging]
- [HasOneMultiRegionTrail]
- [LogFileValidationEnabled]
- [RequiresKmsKey] - Enable SSE
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::aws-controltower-BaselineCloudTrail
| Encrypt CloudTrail using AWS KMS
CloudTrail Security Best Practices |
| 10.59 | 6 | Need Attention | - [CloudWatchLogsLogGroupArn] - CloudWatch for CloudTrail
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE
| Using CloudWatch Logs with CloudTrail |
| 10.59 | 7 | Need Attention | - [SetRetentionDays] - Set retention days
- [ap-southeast-1]Log::/aws-glue/crawlers, Log::/aws/lambda/AthenaCURMonthlyStack-AWSCURInitializer-gyhMOAhcBfJE, Log::/aws/lambda/AthenaCURMonthlyStack-AWSS3CURNotification-q651HK0jLpgE, Log::/aws/lambda/AthenaCURdailyStack-AWSCURInitializer-vLgwN5me52VP, Log::/aws/lambda/AthenaCURdailyStack-AWSS3CURNotification-t7HCb9uvReM9, Log::/aws/lambda/CURathenaStack-AWSCURInitializer-WmxJnth9Od47, Log::/aws/lambda/CURathenaStack-AWSS3CURNotification-jTY5a4Z3lgcA, Log::/aws/lambda/SO0111-SHARR-CustomAction, Log::/aws/lambda/aws-security-hub-automate-WaitProviderFunction3D90-2e6tueuCJ9Vl, Log::ECS-RefArch-CF-/var/log/dmesg, Log::ECS-RefArch-CF-/var/log/docker, Log::ECS-RefArch-CF-/var/log/messages, Log::aws-cloudtrail-logs-769655955296-5da8eb52
- [ap-southeast-2]Log::/aws-glue/crawlers, Log::/aws/lambda/AthenaCURDaily-AWSCURInitializer-9ydxqeP70Fsm, Log::/aws/lambda/AthenaCURDaily-AWSS3CURNotification-7wr3Z9bVENWm, Log::/aws/lambda/AthenaCURHourly-AWSCURInitializer-0F5Nh55AAFsA, Log::/aws/lambda/AthenaCURHourly-AWSS3CURNotification-qwSzSJPOJow7, Log::/aws/lambda/AthenaCURMonthly-AWSCURInitializer-4VRs1u1bUUVP, Log::/aws/lambda/AthenaCURMonthly-AWSS3CURNotification-MHDeGO7joDIk
- [us-east-1]Log::/aws-glue/crawlers, Log::/aws/lambda/CidCustomResourceDashboard, Log::/aws/lambda/CidInitialSetup-DoNotRun, Log::/aws/lambda/CidProcessPath-DoNotRun, Log::/aws/lambda/SendSecurityHubFullReportEmail, Log::/aws/lambda/SpringClean-XUG3HH5R-AutoUpdateLambda-snXPd3AyenOf, Log::/aws/lambda/SpringClean-XUG3HH5R-FeatureCheckerFunction-3k0VXgENM2bp, Log::/aws/lambda/SpringClean-XUG3HH5R-SesVerifyEmailFunction-IVk9Ime4YTt0, Log::/aws/lambda/SpringClean-XUG3HH5R-SpringCleanLambda-0qeMWlCDlvit, Log::/aws/lambda/cid-CID-Analytics, Log::/aws/qbusiness/9d185d75-710b-423d-8f62-65c3a6db74aa, Log::/aws/qbusiness/f284b82d-35be-494c-9f7c-22eaed4c9308, Log::/aws/sagemaker/Endpoints/jumpstart-example-infer-model-txt2img-s-2023-06-15-05-17-50-955, Log::/aws/sagemaker/Endpoints/jumpstart-example-infer-model-txt2img-s-2023-06-15-05-31-39-924, Log::/aws/sagemaker/TrainingJobs, Log::/aws/sagemaker/studio, Log::/ecs/aspnetcorefargatetask, Log::/var/log/messages
| CIS Cloudwatch Controls |
| 10.59 | 8 | Compliant | - [EC2IamProfile]
| |
| 10.59 | 9 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.59 | 10 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.59 | 11 | Need Attention | - [passwordPolicy] - Set a custom password policy.
- [passwordPolicyWeak]
| IAM Password Policy |
| 10.59 | 12 | Need Attention | - [FullAdminAccess] - Limit permissions.
- [GLOBAL]Role::Admin, Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0, Role::ww_augnhtrole, Group::admin-group
- [ManagedPolicyFullAccessOneServ] - Limit permissions.
- [GLOBAL]Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD, Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X, Role::AWSReservedSSO_AWSPowerUserAccess_00098b9536c9ffa7, Role::Cloud-Intelligence-Dashbo-ProcessPathLambdaExecutio-4v29TjzrvQTv, Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8, Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r, Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02, Role::MarketplaceFullAccess, Role::OrthancRole
| AWS Docs
Organization GuardRail Blog
AWS Docs |
| 10.59 | 13 | Compliant | - [rootHasAccessKey]
| |
| 10.59 | 14 | Compliant | - [userNotUsingGroup]
| |
| 10.59 | 15 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.59 | 16 | Compliant | - [ApplicationLogs]
| |
| 10.59 | 17 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.59 | 18 | Compliant | - [EncryptedAtRest]
- [AuditLogging]
| |
| 10.59 | 19 | Need Attention | - [BucketLogging] - Enable Server Access Logging
- [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory
- [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket
- [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296
| AWS Docs |
| 10.59 | 20 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.6 | 1 | Need Attention | - [CloudWatchLogsLogGroupArn] - CloudWatch for CloudTrail
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE
| Using CloudWatch Logs with CloudTrail |
| 10.6 | 2 | Compliant | - [enableGuardDuty]
| |
| 10.6 | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.61 | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.61 | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.61 | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.61 | 4 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.61 | 5 | Compliant | - [AutomaticUpgrades]
| |
| 10.64(a) | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(a) | 2 | Compliant | - [CachingEnabled]
- [EncryptionAtRest]
| |
| 10.64(a) | 3 | Compliant | - [EncryptionInTransit]
| |
| 10.64(a) | 4 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(a) | 5 | Need Attention | - [NeedToEnableCloudTrail]
- [EnableCloudTrailLogging]
- [HasOneMultiRegionTrail]
- [LogFileValidationEnabled]
- [RequiresKmsKey] - Enable SSE
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::aws-controltower-BaselineCloudTrail
| Encrypt CloudTrail using AWS KMS
CloudTrail Security Best Practices |
| 10.64(a) | 6 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(a) | 7 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(a) | 8 | Need Attention | - [EBSEncrypted] - Enable EBS Encryption
- [ap-southeast-5]EBS::vol-088df622bcebd7a03
- [us-west-2]EBS::vol-058a9449d61cf9461
| Best practices for Amazon EC2 |
| 10.64(a) | 9 | Compliant | - [EncryptedAtRest]
| |
| 10.64(a) | 10 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(a) | 11 | Need Attention | - [EBSEncrypted] - Enable EBS Encryption
- [ap-southeast-5]EBS::vol-088df622bcebd7a03
- [us-west-2]EBS::vol-058a9449d61cf9461
| Best practices for Amazon EC2 |
| 10.64(a) | 12 | Compliant | - [EncyptionAtRest]
| |
| 10.64(a) | 13 | Compliant | - [TLSEnforced]
| |
| 10.64(a) | 14 | Compliant | - [NodeToNodeEncryption]
| |
| 10.64(a) | 15 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(a) | 16 | Compliant | - [StorageEncrypted]
| |
| 10.64(a) | 17 | Compliant | - [EncryptedAtRest]
- [AuditLogging]
| |
| 10.64(a) | 18 | Compliant | - [EncryptedWithKMS]
| |
| 10.64(a) | 19 | Compliant | - [EncryptedInTransit]
| |
| 10.64(a) | 20 | Compliant | - [ServerSideEncrypted]
| |
| 10.64(a) | 21 | Need Attention | - [TlsEnforced] - Enforce Encryption of Data in Transit
- [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory
- [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket
- [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296
| AWS Docs |
| 10.64(a) | 22 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(a) | 23 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(a) | 24 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(a) | 25 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(b) | 1 | Compliant | - [autoScalingStatus]
| |
| 10.64(b) | 2 | Compliant | - [EC2Active]
| |
| 10.64(b) | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(b) | 4 | Compliant | - [ELBCrossZone]
| |
| 10.64(b) | 5 | Compliant | - [DeleteProtection]
| |
| 10.64(b) | 6 | Need Attention | - [MultiAZ] - Enable MultiAZ
- [us-east-1]aurora-mysql::Cluster=myaurora-mysql-ww
| What Is MultiAZ
Guide |
| 10.64(b) | 7 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(d) | 1 | Compliant | - [ExecutionLogging]
| |
| 10.64(d) | 2 | Compliant | - [ASGELBHealthCheckEnabled]
| |
| 10.64(d) | 3 | Need Attention | - [EnableTrailS3BucketLogging] - Enable S3 Bucket Logging
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::mys3buckettrail
| Configure S3 Logging
Resilience in CloudTrail |
| 10.64(d) | 4 | Need Attention | - [NeedToEnableCloudTrail]
- [EnableCloudTrailLogging]
- [HasOneMultiRegionTrail]
- [LogFileValidationEnabled]
- [RequiresKmsKey] - Enable SSE
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::aws-controltower-BaselineCloudTrail
| Encrypt CloudTrail using AWS KMS
CloudTrail Security Best Practices |
| 10.64(d) | 5 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(d) | 6 | Need Attention | - [CloudWatchLogsLogGroupArn] - CloudWatch for CloudTrail
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE
| Using CloudWatch Logs with CloudTrail |
| 10.64(d) | 7 | Compliant | - [rcuServiceLimit]
- [wcuServiceLimit]
| |
| 10.64(d) | 8 | Need Attention | - [EC2DetailedMonitor] - EC2 Detailed Monitoring
- [ap-southeast-5]EC2::i-0d3a7302b927b49bb
- [us-west-2]EC2::i-0b59b7cd02dba50a8
| Enable Detailed Monitoring |
| 10.64(d) | 9 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(d) | 10 | Compliant | - [enableGuardDuty]
| |
| 10.64(d) | 11 | Compliant | - [ApplicationLogs]
| |
| 10.64(d) | 12 | Need Attention | - [EnhancedMonitor] - Enable Enhanced Monitoring
- [us-east-1]aurora-mysql::Cluster=myaurora-mysql-ww
| Enable Enhanced Monitoring |
| 10.64(d) | 13 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(d) | 14 | Compliant | - [EncryptedAtRest]
- [AuditLogging]
| |
| 10.64(d) | 15 | Need Attention | - [BucketLogging] - Enable Server Access Logging
- [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory
- [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket
- [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296
| AWS Docs |
| 10.64(d) | 16 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(d) | 17 | Need Attention | - [VPCFlowLogEnabled] - Enable VPC Flow Log
- [ap-northeast-1]VPC::vpc-0ab3a8658cd25c109
- [ap-northeast-2]VPC::vpc-0ae9b620559740d70
- [ap-northeast-3]VPC::vpc-06245ca22ea93c96c
- [ap-south-1]VPC::vpc-08fefc19c6abd7d80
- [ap-southeast-1]VPC::vpc-065c917cd817f427e, VPC::vpc-06363c3059916c90e
- [ap-southeast-2]VPC::vpc-0df2ab7aba940c834
- [ap-southeast-3]VPC::vpc-0652d450f2ab35cd2, VPC::vpc-0ffbb3d6d50b9623a
- [ap-southeast-5]VPC::vpc-021cbde25259594b9, VPC::vpc-0ce9c0784ff09b6b1
- [ca-central-1]VPC::vpc-0b24c79e1f3663bd9
- [eu-central-1]VPC::vpc-054f84d91b4742c04
- [eu-north-1]VPC::vpc-085ff029f3856da68
- [eu-west-1]VPC::vpc-030d57af9ec0578bd
- [eu-west-2]VPC::vpc-085d0e0d5a07e9174
- [eu-west-3]VPC::vpc-01ee905f628fedbe1
- [sa-east-1]VPC::vpc-0a2a2cba040ba08c5
- [us-east-1]VPC::vpc-070496984d34d0248, VPC::vpc-0ba693df999b2fbc8
- [us-east-2]VPC::vpc-068471871ab842bb8
- [us-west-1]VPC::vpc-06acdacf8c135f707
- [us-west-2]VPC::vpc-004f7662a794496b9
| Amazon Elastic Compute Cloud controls |
| 10.64(d) | 18 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(e) | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(e) | 2 | Compliant | - [Backup]
| |
| 10.64(e) | 3 | Need Attention | - [disabledPointInTimeRecovery] - Point In Time Recovery backup is disabled
- [us-east-1]Dynamodb::SpringClean-XUG3HH5R-SpringCleanDDBTable-4DMHX1YQNK31
| DDB PITR |
| 10.64(e) | 4 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(e) | 5 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(e) | 6 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(e) | 7 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(e) | 8 | Compliant | - [AutomatedBackup]
| |
| 10.64(e) | 9 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(e) | 10 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 10.64(e) | 11 | Compliant | - [AutomaticSnapshots]
| |
| 10.64(e) | 12 | Need Attention | - [BucketVersioning] - Enable Versioning
- [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory
- [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket
- [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296
| AWS Docs
Manage Versioning Example |
| 10.64(e) | 13 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 11.7 | 1 | Compliant | - [enableGuardDuty]
| |
| 11.7 | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 11.8 | 1 | Compliant | - [enableGuardDuty]
| |
| 11.8 | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| 11.18(c)(f) | 1 | Compliant | - [enableGuardDuty]
| |
| 11.18(c)(f) | 2 | Compliant | - [FailMeetingCompliances]
| |
| 11.18(c)(f) | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 5.1 | 1 | Compliant | - [enableGuardDuty]
| |
| Appendix 5.1 | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 5.5(b) | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 5.5(b) | 2 | Compliant | - [EncryptionInTransit]
| |
| Appendix 5.5(b) | 3 | Compliant | - [TLSEnforced]
| |
| Appendix 5.5(b) | 4 | Compliant | - [NodeToNodeEncryption]
| |
| Appendix 5.5(b) | 5 | Compliant | - [EncryptedInTransit]
| |
| Appendix 5.5(b) | 6 | Need Attention | - [TlsEnforced] - Enforce Encryption of Data in Transit
- [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory
- [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket
- [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296
| AWS Docs |
| Appendix 5.5(c) | 1 | Compliant | - [enableGuardDuty]
| |
| Appendix 5.5(c) | 2 | Need Attention | - [SGDefaultInUsed] - Default Security Group In Use
- [ap-southeast-5]SG::sg-0340a45e7f6dfdeef
| Best practices for Amazon EC2 |
| Appendix 5.5(c) | 3 | Need Attention | - [SGSensitivePortOpenToAll] - Sensitive port open to all.
- [ap-southeast-5]SG::sg-0d56232f5bc4a6a0d
- [SGAllTCPOpen]
- [SGAllUDPOpen]
- [SGAllPortOpen] - All ports open.
- [ap-northeast-1]SG::sg-0a9a9f1599f78e648
- [ap-northeast-2]SG::sg-0e2f6a031113c6c65
- [ap-northeast-3]SG::sg-0f1c015386fdeaef2
- [ap-south-1]SG::sg-0ce181aa24e2327a0
- [ap-southeast-1]SG::sg-0c82e152ce9347073, SG::sg-0442088071f74e66b
- [ap-southeast-2]SG::sg-06a87caeacb9bdc1c
- [ap-southeast-3]SG::sg-09c69789992976af0, SG::sg-07d450b94849d4deb
- [ap-southeast-5]SG::sg-0340a45e7f6dfdeef, SG::sg-0d56232f5bc4a6a0d, SG::sg-0cdece98aec7d1e6c
- [ca-central-1]SG::sg-0807269705e2a7bce
- [eu-central-1]SG::sg-061edeb40615f37d8
- [eu-north-1]SG::sg-0224dd542e0e0a188
- [eu-west-1]SG::sg-0ee2cf797712225c6
- [eu-west-2]SG::sg-0d712926de8d430e0
- [eu-west-3]SG::sg-0d057db4a24c667d8
- [sa-east-1]SG::sg-06a16f5c401b779ea
- [us-east-1]SG::sg-0f4d456d65b49cbcc, SG::sg-0562190d9d9c154da, SG::sg-0fe800a9602ab25ff
- [us-east-2]SG::sg-05b1211873efb1066
- [us-west-1]SG::sg-0ac2b6884d3c7f382
- [us-west-2]SG::sg-037dcb16366f739b8
- [SGAllPortOpenToAll] - All ports open to all
- [ap-southeast-5]SG::sg-0d56232f5bc4a6a0d
| Best practices for Amazon EC2
Best practices for Amazon EC2
Best practices for Amazon EC2 |
| Appendix 5.6 | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 5.6 | 2 | Compliant | - [EncryptionInTransit]
| |
| Appendix 5.6 | 3 | Compliant | - [TLSEnforced]
| |
| Appendix 5.6 | 4 | Compliant | - [EncryptedInTransit]
| |
| Appendix 5.6 | 5 | Need Attention | - [SGDefaultInUsed] - Default Security Group In Use
- [ap-southeast-5]SG::sg-0340a45e7f6dfdeef
| Best practices for Amazon EC2 |
| Appendix 5.6 | 6 | Need Attention | - [SGSensitivePortOpenToAll] - Sensitive port open to all.
- [ap-southeast-5]SG::sg-0d56232f5bc4a6a0d
- [SGAllTCPOpen]
- [SGAllUDPOpen]
- [SGAllPortOpen] - All ports open.
- [ap-northeast-1]SG::sg-0a9a9f1599f78e648
- [ap-northeast-2]SG::sg-0e2f6a031113c6c65
- [ap-northeast-3]SG::sg-0f1c015386fdeaef2
- [ap-south-1]SG::sg-0ce181aa24e2327a0
- [ap-southeast-1]SG::sg-0c82e152ce9347073, SG::sg-0442088071f74e66b
- [ap-southeast-2]SG::sg-06a87caeacb9bdc1c
- [ap-southeast-3]SG::sg-09c69789992976af0, SG::sg-07d450b94849d4deb
- [ap-southeast-5]SG::sg-0340a45e7f6dfdeef, SG::sg-0d56232f5bc4a6a0d, SG::sg-0cdece98aec7d1e6c
- [ca-central-1]SG::sg-0807269705e2a7bce
- [eu-central-1]SG::sg-061edeb40615f37d8
- [eu-north-1]SG::sg-0224dd542e0e0a188
- [eu-west-1]SG::sg-0ee2cf797712225c6
- [eu-west-2]SG::sg-0d712926de8d430e0
- [eu-west-3]SG::sg-0d057db4a24c667d8
- [sa-east-1]SG::sg-06a16f5c401b779ea
- [us-east-1]SG::sg-0f4d456d65b49cbcc, SG::sg-0562190d9d9c154da, SG::sg-0fe800a9602ab25ff
- [us-east-2]SG::sg-05b1211873efb1066
- [us-west-1]SG::sg-0ac2b6884d3c7f382
- [us-west-2]SG::sg-037dcb16366f739b8
- [SGAllPortOpenToAll] - All ports open to all
- [ap-southeast-5]SG::sg-0d56232f5bc4a6a0d
| Best practices for Amazon EC2
Best practices for Amazon EC2
Best practices for Amazon EC2 |
| Appendix 10 Part B - 1 (a) | 1 | Compliant | - [hasOrganization]
| |
| Appendix 10 Part B - 1 (b) | 1 | Need Attention | - [ELBEnableWAF] - ALB Web Application Firewall
- [ap-southeast-5]ELB::ecs-te-Publi-06Wsj9bSgyQF
| AWS WAF for Applicatoin Load Balancers |
| Appendix 10 Part B - 1 (b) | 2 | Need Attention | - [EC2SubnetAutoPublicIP] - EC2 Subnet with Auto Assign IP
- [ap-southeast-5]EC2::i-0d3a7302b927b49bb
- [us-west-2]EC2::i-0b59b7cd02dba50a8
| Amazon EC2 public IP |
| Appendix 10 Part B - 1 (b) | 3 | Need Attention | - [SGDefaultInUsed] - Default Security Group In Use
- [ap-southeast-5]SG::sg-0340a45e7f6dfdeef
| Best practices for Amazon EC2 |
| Appendix 10 Part B - 1 (b) | 4 | Need Attention | - [SGSensitivePortOpenToAll] - Sensitive port open to all.
- [ap-southeast-5]SG::sg-0d56232f5bc4a6a0d
- [SGAllTCPOpen]
- [SGAllUDPOpen]
- [SGAllPortOpen] - All ports open.
- [ap-northeast-1]SG::sg-0a9a9f1599f78e648
- [ap-northeast-2]SG::sg-0e2f6a031113c6c65
- [ap-northeast-3]SG::sg-0f1c015386fdeaef2
- [ap-south-1]SG::sg-0ce181aa24e2327a0
- [ap-southeast-1]SG::sg-0c82e152ce9347073, SG::sg-0442088071f74e66b
- [ap-southeast-2]SG::sg-06a87caeacb9bdc1c
- [ap-southeast-3]SG::sg-09c69789992976af0, SG::sg-07d450b94849d4deb
- [ap-southeast-5]SG::sg-0340a45e7f6dfdeef, SG::sg-0d56232f5bc4a6a0d, SG::sg-0cdece98aec7d1e6c
- [ca-central-1]SG::sg-0807269705e2a7bce
- [eu-central-1]SG::sg-061edeb40615f37d8
- [eu-north-1]SG::sg-0224dd542e0e0a188
- [eu-west-1]SG::sg-0ee2cf797712225c6
- [eu-west-2]SG::sg-0d712926de8d430e0
- [eu-west-3]SG::sg-0d057db4a24c667d8
- [sa-east-1]SG::sg-06a16f5c401b779ea
- [us-east-1]SG::sg-0f4d456d65b49cbcc, SG::sg-0562190d9d9c154da, SG::sg-0fe800a9602ab25ff
- [us-east-2]SG::sg-05b1211873efb1066
- [us-west-1]SG::sg-0ac2b6884d3c7f382
- [us-west-2]SG::sg-037dcb16366f739b8
- [SGAllPortOpenToAll] - All ports open to all
- [ap-southeast-5]SG::sg-0d56232f5bc4a6a0d
| Best practices for Amazon EC2
Best practices for Amazon EC2
Best practices for Amazon EC2 |
| Appendix 10 Part B - 1 (c) | 1 | Compliant | - [enableGuardDuty]
| |
| Appendix 10 Part B - 1 (c) | 2 | Need Attention | - [VPCFlowLogEnabled] - Enable VPC Flow Log
- [ap-northeast-1]VPC::vpc-0ab3a8658cd25c109
- [ap-northeast-2]VPC::vpc-0ae9b620559740d70
- [ap-northeast-3]VPC::vpc-06245ca22ea93c96c
- [ap-south-1]VPC::vpc-08fefc19c6abd7d80
- [ap-southeast-1]VPC::vpc-065c917cd817f427e, VPC::vpc-06363c3059916c90e
- [ap-southeast-2]VPC::vpc-0df2ab7aba940c834
- [ap-southeast-3]VPC::vpc-0652d450f2ab35cd2, VPC::vpc-0ffbb3d6d50b9623a
- [ap-southeast-5]VPC::vpc-021cbde25259594b9, VPC::vpc-0ce9c0784ff09b6b1
- [ca-central-1]VPC::vpc-0b24c79e1f3663bd9
- [eu-central-1]VPC::vpc-054f84d91b4742c04
- [eu-north-1]VPC::vpc-085ff029f3856da68
- [eu-west-1]VPC::vpc-030d57af9ec0578bd
- [eu-west-2]VPC::vpc-085d0e0d5a07e9174
- [eu-west-3]VPC::vpc-01ee905f628fedbe1
- [sa-east-1]VPC::vpc-0a2a2cba040ba08c5
- [us-east-1]VPC::vpc-070496984d34d0248, VPC::vpc-0ba693df999b2fbc8
- [us-east-2]VPC::vpc-068471871ab842bb8
- [us-west-1]VPC::vpc-06acdacf8c135f707
- [us-west-2]VPC::vpc-004f7662a794496b9
| Amazon Elastic Compute Cloud controls |
| Appendix 10 Part B - 1 (d) | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 1 (d) | 2 | Need Attention | - [TlsEnforced] - Enforce Encryption of Data in Transit
- [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory
- [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket
- [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296
| AWS Docs |
| Appendix 10 Part B - 1 (f) i) | 1 | Compliant | - [AuthorizationType]
| |
| Appendix 10 Part B - 1 (f) ii) | 1 | Compliant | - [WAFWACL]
| |
| Appendix 10 Part B - 1 (f) ii) | 2 | Compliant | - [ExecutionLogging]
| |
| Appendix 10 Part B - 2 (b) ii) | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 3 (b) vi) | 1 | Need Attention | - [NeedToEnableCloudTrail]
- [EnableCloudTrailLogging]
- [HasOneMultiRegionTrail]
- [LogFileValidationEnabled]
- [RequiresKmsKey] - Enable SSE
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::aws-controltower-BaselineCloudTrail
| Encrypt CloudTrail using AWS KMS
CloudTrail Security Best Practices |
| Appendix 10 Part B - 5 (a) i) | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 5 (a) i) | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 5 (a) i) | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 5 (a) i) | 4 | Compliant | - [AutomatedBackup]
| |
| Appendix 10 Part B - 5 (a) i) | 5 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 5 (a) i) | 6 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 5 (b) | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 5 (c) i) | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 5 (d) i) | 1 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 5 (d) i) | 2 | Compliant | - [ELBCrossZone]
| |
| Appendix 10 Part B - 5 (d) i) | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 5 (d) i) | 4 | Compliant | - [ELBCrossZone]
| |
| Appendix 10 Part B - 5 (d) i) | 5 | Need Attention | - [MultiAZ] - Enable MultiAZ
- [us-east-1]aurora-mysql::Cluster=myaurora-mysql-ww
| What Is MultiAZ
Guide |
| Appendix 10 Part B - 5 (d) i) | 6 | Need Attention | - [MultiAZ] - Enable MultiAZ
- [us-east-1]aurora-mysql::Cluster=myaurora-mysql-ww
| What Is MultiAZ
Guide |
| Appendix 10 Part B - 8 (a) | 1 | Compliant | - [CachingEnabled]
- [EncryptionAtRest]
| |
| Appendix 10 Part B - 8 (a) | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 8 (a) | 3 | Need Attention | - [NeedToEnableCloudTrail]
- [EnableCloudTrailLogging]
- [HasOneMultiRegionTrail]
- [LogFileValidationEnabled]
- [RequiresKmsKey] - Enable SSE
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::aws-controltower-BaselineCloudTrail
| Encrypt CloudTrail using AWS KMS
CloudTrail Security Best Practices |
| Appendix 10 Part B - 8 (a) | 4 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 8 (a) | 5 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 8 (a) | 6 | Need Attention | - [EBSEncrypted] - Enable EBS Encryption
- [ap-southeast-5]EBS::vol-088df622bcebd7a03
- [us-west-2]EBS::vol-058a9449d61cf9461
| Best practices for Amazon EC2 |
| Appendix 10 Part B - 8 (a) | 7 | Compliant | - [EncryptedAtRest]
| |
| Appendix 10 Part B - 8 (a) | 8 | Compliant | - [eksSecretsEncryption]
| |
| Appendix 10 Part B - 8 (a) | 9 | Need Attention | - [EBSEncrypted] - Enable EBS Encryption
- [ap-southeast-5]EBS::vol-088df622bcebd7a03
- [us-west-2]EBS::vol-058a9449d61cf9461
| Best practices for Amazon EC2 |
| Appendix 10 Part B - 8 (a) | 10 | Compliant | - [EncyptionAtRest]
| |
| Appendix 10 Part B - 8 (a) | 11 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 8 (a) | 12 | Compliant | - [EncryptedWithKMS]
| |
| Appendix 10 Part B - 8 (a) | 13 | Compliant | - [SSEWithKMS]
| |
| Appendix 10 Part B - 8 (a) | 14 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 8 (a) | 15 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 8 (d) | 1 | Need Attention | - [KeyRotationEnabled] - Enable Key Rotation
- [ap-southeast-1]5d1b8bdf-8f89-42e1-85be-32f95811c17d
- [us-east-1]a2b67230-2e44-41c3-9176-ae9abaa920a0
| Enable CMK Rotation |
| Appendix 10 Part B - 8 (d) | 2 | Compliant | - [KeyInPendingDeletion]
| |
| Appendix 10 Part B - 9 (a) ii) | 1 | Need Attention | - [passwordPolicy] - Set a custom password policy.
- [passwordPolicyWeak]
| IAM Password Policy |
| Appendix 10 Part B - 9 (a) ii) | 2 | Compliant | - [mfaActive]
| |
| Appendix 10 Part B - 9 (a) ii) | 3 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 9 (a) ii) | 4 | Need Attention | - [rootMfaActive] - Enable MFA on root user
| AWS MFA
IAM Best Practices |
| Appendix 10 Part B - 9 (a) iii) | 1 | Need Attention | - [FullAdminAccess] - Limit permissions.
- [GLOBAL]Role::Admin, Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0, Role::ww_augnhtrole, Group::admin-group
- [ManagedPolicyFullAccessOneServ] - Limit permissions.
- [GLOBAL]Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD, Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X, Role::AWSReservedSSO_AWSPowerUserAccess_00098b9536c9ffa7, Role::Cloud-Intelligence-Dashbo-ProcessPathLambdaExecutio-4v29TjzrvQTv, Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8, Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r, Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02, Role::MarketplaceFullAccess, Role::OrthancRole
| AWS Docs
Organization GuardRail Blog
AWS Docs |
| Appendix 10 Part B - 9 (a) iii) | 2 | Not available | Please refer to the BNM RMiT section for further details. Kindly provide evidence or artifacts demonstrating compliance with the respective RMiT control. | |
| Appendix 10 Part B - 9 (a) iv) | 1 | Need Attention | - [NeedToEnableCloudTrail]
- [EnableCloudTrailLogging]
- [HasOneMultiRegionTrail]
- [LogFileValidationEnabled]
- [RequiresKmsKey] - Enable SSE
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::aws-controltower-BaselineCloudTrail
| Encrypt CloudTrail using AWS KMS
CloudTrail Security Best Practices |
| Appendix 10 Part B - 9 (a) iv) | 2 | Need Attention | - [CloudWatchLogsLogGroupArn] - CloudWatch for CloudTrail
- [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE
| Using CloudWatch Logs with CloudTrail |
| Appendix 10 Part B - 12 (a) | 1 | Compliant | - [enableGuardDuty]
| |
| Appendix 10 Part B - 12 (a) | 2 | Need Attention | - [MacieToEnable] - Enable Macie
- [ap-northeast-1]Macie
- [ap-northeast-2]Macie
- [ap-northeast-3]Macie
- [ap-south-1]Macie
- [ap-southeast-2]Macie
- [ca-central-1]Macie
- [eu-central-1]Macie
- [eu-north-1]Macie
- [eu-west-1]Macie
- [eu-west-2]Macie
- [eu-west-3]Macie
- [sa-east-1]Macie
- [us-east-1]Macie
- [us-east-2]Macie
- [us-west-1]Macie
- [us-west-2]Macie
| Getting started with Amazon Macie |
| Appendix 10 Part B - 14 (c) i) | 1 | Compliant | - [enableGuardDuty]
| |
| Appendix 10 Part B - 14 (c) i) | 2 | Compliant | - [FailMeetingCompliances]
| |