FTR

Assesses an AWS Partner's solution against a specific set of Amazon Web Services (AWS) best practices around security, performance, and operational processes that are most critical for customer success.
Read more

Category	Rule ID	Compliance Status	Description	Reference
Partner hosted	HOST-001	Not available
Support level	SUP-001	Need Attention	[supportPlanLowTier] - Subscribe to the AWS Business Support tier (or higher) [GLOBAL]Account::Config	AWS Support Plan Guide
Architecture review	WAFR-001	Not available
Architecture review	WAFR-002	Not available
AWS root account	ARC-001	Not available
AWS root account	ARC-002	Not available
AWS root account	ARC-003	Need Attention	[rootMfaActive] - Enable MFA on root user [GLOBAL]User::root_id	AWS MFA IAM Best Practices
AWS root account	ARC-004	Compliant	[rootHasAccessKey]
AWS root account	ARC-005	Not available
Communications from AWS	ACOM-001	Need Attention	[hasAlternateContact] - Configure AWS account contacts [GLOBAL]Account::Config	Alternate Contact
Communications from AWS	ACOM-002	Not available
AWS CloudTrail	CTL-001	Not available
AWS CloudTrail	CTL-002	Not available
AWS CloudTrail	CTL-003	Not available
AWS CloudTrail	CTL-004	Not available
Identity and Access Management	IAM-001	Compliant	[mfaActive]
Identity and Access Management	IAM-002	Compliant	[passwordLastChange90] [passwordLastChange365] [hasAccessKeyNoRotate90days] [hasAccessKeyNoRotate365days]
Identity and Access Management	IAM-003	Need Attention	[passwordPolicyWeak] [passwordPolicy] - Set a custom password policy. [GLOBAL]Account::Config	IAM Password Policy
Identity and Access Management	IAM-004	Compliant	[noUsersFound]
Identity and Access Management	IAM-005	Not available
Identity and Access Management	IAM-006	Need Attention	[InlinePolicyFullAccessOneServ] - Limit access in policy [GLOBAL]Role::Cognito_dojoIdPAuth_Role, Role::Cognito_dojoIdPUnauth_Role [InlinePolicyFullAdminAccess] [ManagedPolicyFullAccessOneServ] - Limit permissions. [GLOBAL]Role::CodeStarWorker-dojo-ToolChain, Role::OrthancRole [FullAdminAccess] - Limit permissions. [GLOBAL]Role::AWSReservedSSO_AWSAdministratorAccess_fae89f7963febc98, Role::DojoEC2AdminRole, Role::EC2AdminRole, Role::itadmin, Role::OrganizationAccountAccessRole, Role::PACICloudFormationStackSetExecutionRole, Role::ServiceScreenerAutomationRole, Role::stacksets-exec-7ca18804340a75b25a831ca17fba8659	AWS Docs AWS Docs AWS Docs Organization GuardRail Blog
Identity and Access Management	IAM-007	Need Attention	[consoleLastAccess90] [consoleLastAccess365] [unusedRole] - Review & remove inactive roles [GLOBAL]Role::AccessAnalyzerTrustedService, Role::AVMContainersUserRole, Role::aws-ec2-spot-fleet-tagging-role, Role::awslogs.prod.kelex.molecule.toppatterns, Role::AWSVAPTAudit, Role::CloudSecAuditRole, Role::CloudSeerTrustedServiceRole, Role::CodeDeployRole, Role::CodeGuruProfilerForwardToAmazonProfiler, Role::CodeStarWorker-dojo-CloudFormation, Role::CodeStarWorker-dojo-ToolChain, Role::CodeStarWorker-dojo-WebApp, Role::Cognito_dojoIdPAuth_Role, Role::Cognito_dojoIdPUnauth_Role, Role::DocumentUnderstandingSolutionCICD-CICDHelperRole-ERDSGV99V9GT, Role::DocumentUnderstandingSolutionCICD-CodeBuildRole-26NRX1QIOV08, Role::DocumentUnderstandingSolutionCICD-CodePipelineRole-12BUYRAKNJIEQ, Role::DojoEC2AdminRole, Role::EC2AdminRole, Role::EC2CapacityReservationService, Role::IMDSv2-automigrator, Role::itadmin, Role::PACICloudFormationStackSetAdministrationRole, Role::PACICloudFormationStackSetExecutionRole, Role::SaltyTrustedService, Role::ServiceScreenerAssumeRole, Role::ServiceScreenerAutomationRole, Role::ShadowTrooperRole, Role::stacksets-exec-7ca18804340a75b25a831ca17fba8659, Role::TurtleRoleManagement	AWS Blog
Identity and Access Management	IAM-008	Not available
Identity and Access Management	IAM-009	Not available
Identity and Access Management	IAM-010	Not available
Identity and Access Management	IAM-011	Not available
Identity and Access Management	IAM-012	Compliant	[mfaActive] [EC2IamProfile]
Operational security	SECOPS-001	Not available
Network security	NETSEC-001	Compliant	[SGDefaultInUsed] [SGSensitivePortOpenToAll] [SGAllOpenToAll] [SGAllOpen]
Network security	NETSEC-002	Not available
Backups and recovery	BAR-001	Compliant	[EBSSnapshot] [Backup] [BackupTooLow] [backupStatus] [enabledContinuousBackup]
Backups and recovery	BAR-002	Not available
Resiliency	RES-001	Not available
Resiliency	RES-002	Not available
Resiliency	RES-003	Not available
Resiliency	RES-004	Not available
Resiliency	RES-005	Not available
Resiliency	RES-006	Not available
Resiliency	RES-007	Not available
Amazon S3 bucket access	S3-001	Not available
Amazon S3 bucket access	S3-002	Compliant	[PublicAccessBlock] [S3AccountPublicAccessBlock]
Amazon S3 bucket access	S3-003	Not available
Cross-account access	CAA-001	Not available
Cross-account access	CAA-002	Not available
Cross-account access	CAA-003	Not available
Cross-account access	CAA-004	Not available
Cross-account access	CAA-005	Not available
Cross-account access	CAA-006	Not available
Cross-account access	CAA-007	Not available
Sensitive data	SDAT-001	Not available
Sensitive data	SDAT-002	Compliant	[EBSEncrypted] [ServerSideEncrypted] [StorageEncrypted]
Sensitive data	SDAT-003	Need Attention	[SGEncryptionInTransit] - Encryption in Transit [ap-southeast-1]SG::sg-34753642 [us-east-1]SG::sg-9b3e45a4 [TlsEnforced] - Enforce Encryption of Data in Transit [ap-southeast-1]Bucket::aws-codestar-ap-southeast-1-961319563195, Bucket::aws-codestar-ap-southeast-1-961319563195-dojo-pipe, Bucket::codepipeline-ap-southeast-1-183991447891, Bucket::config-bucket-961319563195, Bucket::documentunderstandingsolutioncic-artifacts3bucket-dtr9a8q6yj2h, Bucket::documentunderstandingsolutioncicd-devoutputbucket-1m11zxjc9fhd6, Bucket::dojo-logs, Bucket::kuettai-solutions-bucket-ap-southeast-1 [us-east-1]Bucket::cloudtrail-awslogs-961319563195-pyvnhwtz-isengard-do-not-delete, Bucket::kuettai-dojo01	Data protection in Amazon EC2 AWS Docs
Regulatory compliance validation process	RCVP-001	Not available