Service Screener

AWS Well-Architected Framework - Security Pillar

This framework focuses on the security pillar. This will help you meet your business and regulatory requirements by following current AWS recommendations. It’s intended for those in technology roles, such as chief technology officers (CTOs), chief information security officers (CSOs/CISOs), architects, developers, and operations team members. The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture.
Read more

Summary: [Not available:44] | [Compliant:11] | [Need Attention:10]

Breakdown

Framework. AWS Well-Architected Framework - Security Pillar

Category	Rule ID	Compliance Status	Description	Reference
SEC01	BP01	Compliant	How do you securely operate your workload? - Separate workloads using accounts [hasOrganization]
SEC01	BP02	Need Attention	How do you securely operate your workload? - Secure account root user and properties [rootMfaActive] - Enable MFA on root user [GLOBAL]User::root_id [hasAlternateContact] [rootHasAccessKey] [rootConsoleLogin30days] [passwordPolicy] - Set a custom password policy. [GLOBAL]Account::Config [enableGuardDuty] [rootConsoleLogin30days]	AWS MFA IAM Best Practices IAM Password Policy
SEC01	BP03	Compliant	How do you securely operate your workload? - Identify and validate control objectives [mfaActive] [passwordPolicyWeak] [passwordLastChange90] [hasAccessKeyNoRotate30days]
SEC01	BP04	Compliant	How do you securely operate your workload? - Stay up to date with security threats and recommendations [enableGuardDuty]
SEC01	BP05	Need Attention	How do you securely operate your workload? - Identify and prioritize risks using a threat model [Has 17 actives lambda] [Has 22 actives rds] [ecs] - Need at least 1 ecs [eks] - Need at least 1 eks [Has 20 actives dynamodb] [elasticache] - Need at least 1 elasticache
SEC01	BP06	Not available	How do you securely operate your workload? - Reduce security management scope
SEC01	BP07	Not available	How do you securely operate your workload? - Automate deployment of standard security controls
SEC01	BP08	Not available	How do you securely operate your workload? - Evaluate and implement new security services and features regularly
SEC02	BP01	Compliant	How do you manage identities for people and machines? - Use strong sign-in mechanisms [mfaActive] [passwordPolicyWeak] [passwordLastChange90] [hasAccessKeyNoRotate30days]
SEC02	BP02	Compliant	How do you manage identities for people and machines? - Use temporary credentials [EC2IamProfile]
SEC02	BP03	Not available	How do you manage identities for people and machines? - Store and use secrets securely
SEC02	BP04	Compliant	How do you manage identities for people and machines? - Rely on a centralized identity provider [hasExternalIdentityProvider]
SEC02	BP05	Need Attention	How do you manage identities for people and machines? - Audit and rotate credentials periodically [passwordLastChange90] [hasAccessKeyNoRotate30days] [eksClusterRoleLeastPrivilege] [InlinePolicyFullAccessOneServ] - Limit access in policy [GLOBAL]Role::SpringClean-XUG3HH5R-SpringCleanStackSetExecutionR-D9DWX0EX1ZOA [InlinePolicyFullAdminAccess] [FullAdminAccess] - Limit permissions. [GLOBAL]Role::Admin, Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0, Role::ww_augnhtrole, Group::admin-group [lambdaRoleReused] - Execution Role Reused [us-east-1]Lambda::SecHubExportStack_545171356966_sh_csv_exporter, Lambda::SecHubExportStack_545171356966_sh_csv_updater [EC2IamProfile]	AWS Docs AWS Docs Organization GuardRail Blog Lambda execution role
SEC02	BP06	Compliant	How do you manage identities for people and machines? - Employ user groups and attributes [userNotUsingGroup] [groupEmptyUsers]
SEC03	BP01	Not available	How do you manage permissions for people and machines? - Define access requirements
SEC03	BP02	Need Attention	How do you manage permissions for people and machines? - Grant least privilege access [eksClusterRoleLeastPrivilege] [InlinePolicyFullAccessOneServ] - Limit access in policy [GLOBAL]Role::SpringClean-XUG3HH5R-SpringCleanStackSetExecutionR-D9DWX0EX1ZOA [InlinePolicyFullAdminAccess] [FullAdminAccess] - Limit permissions. [GLOBAL]Role::Admin, Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0, Role::ww_augnhtrole, Group::admin-group [lambdaRoleReused] - Execution Role Reused [us-east-1]Lambda::SecHubExportStack_545171356966_sh_csv_exporter, Lambda::SecHubExportStack_545171356966_sh_csv_updater [EC2IamProfile]	AWS Docs AWS Docs Organization GuardRail Blog Lambda execution role
SEC03	BP03	Not available	How do you manage permissions for people and machines? - Define permission guardrails for your organization
SEC03	BP04	Compliant	How do you manage permissions for people and machines? - Manage access based on lifecycle [groupEmptyUsers] [userNoActivity90days] [HasDataEventsCaptured]
SEC03	BP05	Not available	How do you manage permissions for people and machines? - Establish emergency access process
SEC03	BP06	Compliant	How do you manage permissions for people and machines? - Share resources securely within your organization [userNoActivity90days]
SEC03	BP07	Compliant	How do you manage permissions for people and machines? - Reduce permissions continuously [PubliclyAccessible] [S3AccountPublicAccessBlock]
SEC03	BP08	Compliant	How do you manage permissions for people and machines? - Share resources securely with a third party [hasOrganization]
SEC03	BP09	Not available	How do you manage permissions for people and machines? - Analyze public and cross account access
SEC04	BP01	Need Attention	How do you detect and investigate security events? - Configure service and application logging [NeedToEnableCloudTrail] [HasOneMultiRegionTrail] [EnableTrailS3BucketLifecycle] - Enable S3 Bucket Lifecycle [ap-northeast-1]Cloudtrail::mys3buckettrail [HasInsightSelectors] - Enable Insight Selectors [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::aws-controltower-BaselineCloudTrail, Cloudtrail::mys3buckettrail [enableGuardDuty]	Configure S3 bucket lifecycle Resilience in CloudTrail Insight events
SEC04	BP02	Not available	How do you detect and investigate security events? - Capture logs, findings, and metrics in standardized locations
SEC04	BP03	Not available	How do you detect and investigate security events? - Initiate remediation for non-compliant resources
SEC04	BP04	Not available	How do you detect and investigate security events? - Correlate and enrich security events
SEC05	BP01	Need Attention	How do you protect your network resources? - Create network layers [cloudfront] - Need at least 1 cloudfront
SEC05	BP02	Need Attention	How do you protect your network resources? - Control traffic within your network layers [SGSensitivePortOpenToAll] [SGAllTCPOpen] [SGAllUDPOpen] [SGDefaultInUsed] - Default Security Group In Use [ap-southeast-5]SG::sg-0340a45e7f6dfdeef [SGEncryptionInTransit] - Encryption in Transit [ap-northeast-1]SG::sg-0a9a9f1599f78e648 [ap-northeast-2]SG::sg-0e2f6a031113c6c65 [ap-northeast-3]SG::sg-0f1c015386fdeaef2 [ap-south-1]SG::sg-0ce181aa24e2327a0 [ap-southeast-1]SG::sg-0c82e152ce9347073, SG::sg-0442088071f74e66b [ap-southeast-2]SG::sg-06a87caeacb9bdc1c [ap-southeast-3]SG::sg-09c69789992976af0, SG::sg-07d450b94849d4deb [ap-southeast-5]SG::sg-0340a45e7f6dfdeef, SG::sg-0d56232f5bc4a6a0d, SG::sg-0cdece98aec7d1e6c [ca-central-1]SG::sg-0807269705e2a7bce [eu-central-1]SG::sg-061edeb40615f37d8 [eu-north-1]SG::sg-0224dd542e0e0a188 [eu-west-1]SG::sg-0ee2cf797712225c6 [eu-west-2]SG::sg-0d712926de8d430e0 [eu-west-3]SG::sg-0d057db4a24c667d8 [sa-east-1]SG::sg-06a16f5c401b779ea [us-east-1]SG::sg-0f4d456d65b49cbcc, SG::sg-0562190d9d9c154da, SG::sg-0fe800a9602ab25ff [us-east-2]SG::sg-05b1211873efb1066 [us-west-1]SG::sg-0ac2b6884d3c7f382 [us-west-2]SG::sg-037dcb16366f739b8 [ELBListenerInsecure] - Insecure Listener [ap-southeast-5]ELB::ecs-te-Publi-06Wsj9bSgyQF [PubliclyAccessible]	Best practices for Amazon EC2 Data protection in Amazon EC2 ALB Configuration Guide
SEC05	BP03	Not available	How do you protect your network resources? - Implement inspection-based protection
SEC05	BP04	Not available	How do you protect your network resources? - Automate network protection
SEC06	BP01	Not available	How do you protect your compute resources? - Perform vulnerability management
SEC06	BP02	Not available	How do you protect your compute resources? - Provision compute from hardened images
SEC06	BP03	Not available	How do you protect your compute resources? - Validate software integrity
SEC06	BP04	Not available	How do you protect your compute resources? - Reduce manual management and interactive access
SEC06	BP05	Not available	How do you protect your compute resources? - Automate compute protection
SEC06	BP06	Not available	How do you protect your compute resources? - None of these
SEC07	BP01	Not available	How do you classify your data? - Understand your data classification scheme
SEC07	BP02	Not available	How do you classify your data? - Apply data protection controls based on data sensitivity
SEC07	BP03	Not available	How do you classify your data? - Define scalable data lifecycle management
SEC07	BP04	Not available	How do you classify your data? - Automate identification and classification
SEC08	BP01	Not available	How do you protect your data at rest? - Implement secure key management
SEC08	BP02	Need Attention	How do you protect your data at rest? - Enforce encryption at rest [RequiresKmsKey] - Enable SSE [ap-northeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE, Cloudtrail::aws-controltower-BaselineCloudTrail [EBSEncrypted] - Enable EBS Encryption [ap-southeast-5]EBS::vol-088df622bcebd7a03 [us-west-2]EBS::vol-058a9449d61cf9461 [EncryptedAtRest] [eksSecretsEncryption] [lambdaCMKEncryptionDisabled] - Customer Managed Key Not In Used [ap-southeast-1]Lambda::AthenaCURMonthlyStack-AWSS3CURNotification-q651HK0jLpgE, Lambda::AthenaCURdailyStack-AWSCURInitializer-vLgwN5me52VP, Lambda::CURathenaStack-AWSCURInitializer-WmxJnth9Od47, Lambda::AthenaCURdailyStack-AWSS3CURNotification-t7HCb9uvReM9, Lambda::CURathenaStack-AWSS3CURNotification-jTY5a4Z3lgcA, Lambda::AthenaCURMonthlyStack-AWSCURInitializer-gyhMOAhcBfJE [us-east-1]Lambda::CidCustomResourceDashboard, Lambda::CidProcessPath-DoNotRun, Lambda::SpringClean-XUG3HH5R-FeatureCheckerFunction-3k0VXgENM2bp, Lambda::cid-CID-Analytics, Lambda::SecHubExportStack_545171356966_sh_csv_exporter, Lambda::SpringClean-XUG3HH5R-SpringCleanLambda-0qeMWlCDlvit, Lambda::SendSecurityHubFullReportEmail, Lambda::SpringClean-XUG3HH5R-SesVerifyEmailFunction-IVk9Ime4YTt0, Lambda::SecHubExportStack_545171356966_sh_csv_updater, Lambda::CidInitialSetup-DoNotRun, Lambda::SpringClean-XUG3HH5R-AutoUpdateLambda-snXPd3AyenOf [StorageEncrypted] [ServerSideEncrypted]	Encrypt CloudTrail using AWS KMS CloudTrail Security Best Practices Best practices for Amazon EC2 Lambda securing environment variables
SEC08	BP03	Not available	How do you protect your data at rest? - Automate data at rest protection
SEC08	BP04	Need Attention	How do you protect your data at rest? - Enforce access control [eksClusterRoleLeastPrivilege] [InlinePolicyFullAccessOneServ] - Limit access in policy [GLOBAL]Role::SpringClean-XUG3HH5R-SpringCleanStackSetExecutionR-D9DWX0EX1ZOA [InlinePolicyFullAdminAccess] [FullAdminAccess] - Limit permissions. [GLOBAL]Role::Admin, Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0, Role::ww_augnhtrole, Group::admin-group [lambdaRoleReused] - Execution Role Reused [us-east-1]Lambda::SecHubExportStack_545171356966_sh_csv_exporter, Lambda::SecHubExportStack_545171356966_sh_csv_updater [EC2IamProfile] [BucketVersioning] - Enable Versioning [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296 [ObjectLock] - Enable Object Lock [ap-southeast-1]Bucket::aws-athena-query-results-769655955296-ap-southeast-1, Bucket::aws-cloudtrail-logs-769655955296-b457067d, Bucket::cf-templates-axtacndawvmi-ap-southeast-1, Bucket::config-bucket-769655955296, Bucket::tgw-flow-log-s3, Bucket::wwcurbucket, Bucket::wws3inventory [us-east-1]Bucket::aws-athena-query-results-cid-769655955296-us-east-1, Bucket::cf-templates-axtacndawvmi-us-east-1, Bucket::cid-769655955296-shared, Bucket::cloudtrail-awslogs-769655955296-fhklab3h-isengard-do-not-delete, Bucket::sagemaker-studio-769655955296-hn1cxm2eq5, Bucket::sagemaker-studio-edt80ljq4, Bucket::sagemaker-studio-nifj1w84os, Bucket::sagemaker-us-east-1-769655955296, Bucket::security-hub-format-s3bucketname-7uxkruwhbbhe, Bucket::securityhubcsvmanagerstac-securityhubexportbucket0-a2e5yuo0rpvs, Bucket::testcurver2bucket, Bucket::wwsagemakerbucket [us-west-2]Bucket::do-not-delete-gatedgarden-audit-769655955296 [PublicAccessBlock]	AWS Docs AWS Docs Organization GuardRail Blog Lambda execution role AWS Docs Manage Versioning Example AWS Docs
SEC08	BP05	Not available	How do you protect your data at rest? - None of these
SEC09	BP01	Not available	How do you protect your data in transit? - Implement secure key and certificate management
SEC09	BP02	Need Attention	How do you protect your data in transit? - Enforce encryption in transit [viewerPolicyHttps] [DeprecatedSSLProtocol] [SGEncryptionInTransit] - Encryption in Transit [ap-northeast-1]SG::sg-0a9a9f1599f78e648 [ap-northeast-2]SG::sg-0e2f6a031113c6c65 [ap-northeast-3]SG::sg-0f1c015386fdeaef2 [ap-south-1]SG::sg-0ce181aa24e2327a0 [ap-southeast-1]SG::sg-0c82e152ce9347073, SG::sg-0442088071f74e66b [ap-southeast-2]SG::sg-06a87caeacb9bdc1c [ap-southeast-3]SG::sg-09c69789992976af0, SG::sg-07d450b94849d4deb [ap-southeast-5]SG::sg-0340a45e7f6dfdeef, SG::sg-0d56232f5bc4a6a0d, SG::sg-0cdece98aec7d1e6c [ca-central-1]SG::sg-0807269705e2a7bce [eu-central-1]SG::sg-061edeb40615f37d8 [eu-north-1]SG::sg-0224dd542e0e0a188 [eu-west-1]SG::sg-0ee2cf797712225c6 [eu-west-2]SG::sg-0d712926de8d430e0 [eu-west-3]SG::sg-0d057db4a24c667d8 [sa-east-1]SG::sg-06a16f5c401b779ea [us-east-1]SG::sg-0f4d456d65b49cbcc, SG::sg-0562190d9d9c154da, SG::sg-0fe800a9602ab25ff [us-east-2]SG::sg-05b1211873efb1066 [us-west-1]SG::sg-0ac2b6884d3c7f382 [us-west-2]SG::sg-037dcb16366f739b8 [ELBListenerInsecure] - Insecure Listener [ap-southeast-5]ELB::ecs-te-Publi-06Wsj9bSgyQF	Data protection in Amazon EC2 ALB Configuration Guide
SEC09	BP03	Not available	How do you protect your data in transit? - Authenticate network communications
SEC09	BP04	Not available	How do you protect your data in transit? - None of these
SEC10	BP01	Not available	How do you anticipate, respond to, and recover from incidents? - Identify key personnel and external resources
SEC10	BP02	Not available	How do you anticipate, respond to, and recover from incidents? - Develop incident management plans
SEC10	BP03	Not available	How do you anticipate, respond to, and recover from incidents? - Prepare forensic capabilities
SEC10	BP04	Not available	How do you anticipate, respond to, and recover from incidents? - Develop and test security incident response playbooks
SEC10	BP05	Not available	How do you anticipate, respond to, and recover from incidents? - Pre-provision access
SEC10	BP06	Not available	How do you anticipate, respond to, and recover from incidents? - Run simulations
SEC10	BP07	Not available	How do you anticipate, respond to, and recover from incidents? - Establish a framework for learning from incidents
SEC11	BP01	Not available	How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Perform regular penetration testing
SEC11	BP02	Not available	How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Deploy software programmatically
SEC11	BP03	Not available	How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Regularly assess security properties of the pipelines
SEC11	BP04	Not available	How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Train for application security
SEC11	BP05	Not available	How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Automate testing throughout the development and release lifecycle
SEC11	BP06	Not available	How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Manual code reviews
SEC11	BP07	Not available	How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Centralize services for packages and dependencies
SEC11	BP08	Not available	How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Build a program that embeds security ownership in workload teams

WAFS

AWS Well-Architected Framework - Security Pillar

Summary: [Not available:44] | [Compliant:11] | [Need Attention:10]

Breakdown

Framework. AWS Well-Architected Framework - Security Pillar

How do you securely operate your workload? - Separate workloads using accounts

How do you securely operate your workload? - Secure account root user and properties

How do you securely operate your workload? - Identify and validate control objectives

How do you securely operate your workload? - Stay up to date with security threats and recommendations

How do you securely operate your workload? - Identify and prioritize risks using a threat model

How do you securely operate your workload? - Reduce security management scope

How do you securely operate your workload? - Automate deployment of standard security controls

How do you securely operate your workload? - Evaluate and implement new security services and features regularly

How do you manage identities for people and machines? - Use strong sign-in mechanisms

How do you manage identities for people and machines? - Use temporary credentials

How do you manage identities for people and machines? - Store and use secrets securely

How do you manage identities for people and machines? - Rely on a centralized identity provider

How do you manage identities for people and machines? - Audit and rotate credentials periodically

How do you manage identities for people and machines? - Employ user groups and attributes

How do you manage permissions for people and machines? - Define access requirements

How do you manage permissions for people and machines? - Grant least privilege access

How do you manage permissions for people and machines? - Define permission guardrails for your organization

How do you manage permissions for people and machines? - Manage access based on lifecycle

How do you manage permissions for people and machines? - Establish emergency access process

How do you manage permissions for people and machines? - Share resources securely within your organization

How do you manage permissions for people and machines? - Reduce permissions continuously

How do you manage permissions for people and machines? - Share resources securely with a third party

How do you manage permissions for people and machines? - Analyze public and cross account access

How do you detect and investigate security events? - Configure service and application logging

How do you detect and investigate security events? - Capture logs, findings, and metrics in standardized locations

How do you detect and investigate security events? - Initiate remediation for non-compliant resources

How do you detect and investigate security events? - Correlate and enrich security events

How do you protect your network resources? - Create network layers

How do you protect your network resources? - Control traffic within your network layers

How do you protect your network resources? - Implement inspection-based protection

How do you protect your network resources? - Automate network protection

How do you protect your compute resources? - Perform vulnerability management

How do you protect your compute resources? - Provision compute from hardened images

How do you protect your compute resources? - Validate software integrity

How do you protect your compute resources? - Reduce manual management and interactive access

How do you protect your compute resources? - Automate compute protection

How do you protect your compute resources? - None of these

How do you classify your data? - Understand your data classification scheme

How do you classify your data? - Apply data protection controls based on data sensitivity

How do you classify your data? - Define scalable data lifecycle management

How do you classify your data? - Automate identification and classification

How do you protect your data at rest? - Implement secure key management

How do you protect your data at rest? - Enforce encryption at rest

How do you protect your data at rest? - Automate data at rest protection

How do you protect your data at rest? - Enforce access control

How do you protect your data at rest? - None of these

How do you protect your data in transit? - Implement secure key and certificate management

How do you protect your data in transit? - Enforce encryption in transit

How do you protect your data in transit? - Authenticate network communications

How do you protect your data in transit? - None of these

How do you anticipate, respond to, and recover from incidents? - Identify key personnel and external resources

How do you anticipate, respond to, and recover from incidents? - Develop incident management plans

How do you anticipate, respond to, and recover from incidents? - Prepare forensic capabilities

How do you anticipate, respond to, and recover from incidents? - Develop and test security incident response playbooks

How do you anticipate, respond to, and recover from incidents? - Pre-provision access

How do you anticipate, respond to, and recover from incidents? - Run simulations

How do you anticipate, respond to, and recover from incidents? - Establish a framework for learning from incidents

How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Perform regular penetration testing

How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Deploy software programmatically

How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Regularly assess security properties of the pipelines

How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Train for application security

How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Automate testing throughout the development and release lifecycle

How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Manual code reviews

How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Centralize services for packages and dependencies

How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle? - Build a program that embeds security ownership in workload teams