SPIP

Encompasses a thorough review across six critical phases of cloud security posture management: Infrastructure Protection and Visibility, Identity Protection, Asset Management, Detection & Mitigation, DevSecOps, and Centralization.
Read more

Category	Rule ID	Compliance Status	Description	Reference
Identity Protection	P1.1	Need Attention	[rootMfaActive] - Enable MFA on root user [GLOBAL]User::root_id [mfaActive]	AWS MFA IAM Best Practices
Identity Protection	P1.2	Compliant	[hasAccessKeyNoRotate30days] [hasAccessKeyNoRotate90days]
Identity Protection	P1.3	Need Attention	[passwordPolicy] - Set a custom password policy. [GLOBAL]Account::Config [passwordPolicyWeak] [passwordPolicyReuse] [passwordPolicyLength]	IAM Password Policy
Identity Protection	P1.4	Compliant	[hasSSORoles] [hasExternalIdentityProvider]
Identity Protection	P1.5	Compliant	[SCPEnabled] [hasOrganization]
Identity Protection	P1.6	Not available
Identity Protection	P1.7	Not available
Data Protection	P2.1	Compliant	[PublicAccessBlock] [PublicReadAccessBlock] [PublicWriteAccessBlock]
Data Protection	P2.2	Compliant	[EBSSnapshot] [Backup] [backupStatus] [enabledContinuousBackup] [AutomatedBackup] [AutomaticSnapshots]
Data Protection	P2.3	Need Attention	[ServerSideEncrypted] [SSEWithKMS] [EBSEncrypted] [EncryptedAtRest] [StorageEncrypted] [EncryptedAtRest] [EncryptedWithKMS] [fieldLevelEncryption] - Set-up field-level encryption for your CloudFront distributions. [GLOBAL]Cloudfront::E2X390QMMYIRUF [EncryptionAtRest] [EncryptionInTransit]	AWS Docs
Data Protection	P2.4	Need Attention	[MacieToEnable] - Enable Macie [ap-southeast-1]Macie [us-east-1]Macie	Getting started with Amazon Macie
Data Protection	P2.5	Need Attention	[TlsEnforced] [EncryptedInTransit] [MSSQLorPG__TransportEncrpytionDisabled] [NodeToNodeEncryption] [TLSEnforced] [EncInTransitAndRest] [SGEncryptionInTransit] - Encryption in Transit [ap-southeast-1]SG::sg-34753642 [us-east-1]SG::sg-9b3e45a4 [viewerPolicyHttps] - Configure one or more cache behaviors in your CloudFront distribution to require HTTPS for communication between viewers and CloudFront. [GLOBAL]Cloudfront::E2X390QMMYIRUF	Data protection in Amazon EC2 AWS Docs
Infrastructure Protection and Visibility	P3.1	Need Attention	[SGDefaultInUsed] [SGSensitivePortOpenToAll] [SGAllTCPOpen] [SGAllUDPOpen] [SGAllPortOpen] - All ports open. [ap-southeast-1]SG::sg-34753642 [us-east-1]SG::sg-9b3e45a4	Best practices for Amazon EC2
Infrastructure Protection and Visibility	P3.2	Need Attention	[WAFAssociation] - Use Web Application Firewall (WAF) for enhanced security. [GLOBAL]Cloudfront::E2X390QMMYIRUF	AWS Docs Developer Guide
Infrastructure Protection and Visibility	P3.3	Need Attention	[defaultRootObject] - Specify a default root object for your distribution. [GLOBAL]Cloudfront::E2X390QMMYIRUF	AWS Docs
Infrastructure Protection and Visibility	P3.4	Not available
Infrastructure Protection and Visibility	P3.5	Compliant	[SGSensitivePortOpenToAll]
Infrastructure Protection and Visibility	P3.6	Compliant	[WAFWACL]
Detection & Mitigation	P4.1	Compliant	[NeedToEnableCloudTrail] [EnableCloudTrailLogging] [LogFileValidationEnabled]
Detection & Mitigation	P4.2	Need Attention	[UsageStat] - UsageStat [ap-southeast-1]Detector::24ba5f8bf5889388602c37a54a1069fb [us-east-1]Detector::c2ba5f8bde481aa20a05199471e24808 [Findings] - Findings [ap-southeast-1]Detector::24ba5f8bf5889388602c37a54a1069fb [us-east-1]Detector::c2ba5f8bde481aa20a05199471e24808
Detection & Mitigation	P4.3	Need Attention	[EnableTrailS3BucketLogging] - Enable S3 Bucket Logging [ap-southeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE	Configure S3 Logging Resilience in CloudTrail
Detection & Mitigation	P4.4	Need Attention	[EnableTrailS3BucketMFADelete] - Enable MFA delete [ap-southeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE [EnableTrailS3BucketVersioning] - Enable S3 Bucket versioning [ap-southeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE [MFADelete] - Enable MFA Delete [ap-southeast-1]Bucket::aws-codestar-ap-southeast-1-961319563195, Bucket::aws-codestar-ap-southeast-1-961319563195-dojo-pipe, Bucket::codepipeline-ap-southeast-1-183991447891, Bucket::config-bucket-961319563195, Bucket::documentunderstandingsolutioncic-artifacts3bucket-dtr9a8q6yj2h, Bucket::documentunderstandingsolutioncicd-devoutputbucket-1m11zxjc9fhd6, Bucket::dojo-logs, Bucket::kuettai-solutions-bucket-ap-southeast-1 [us-east-1]Bucket::cloudtrail-awslogs-961319563195-pyvnhwtz-isengard-do-not-delete, Bucket::kuettai-dojo01 [BucketVersioning] - Enable Versioning [ap-southeast-1]Bucket::aws-codestar-ap-southeast-1-961319563195, Bucket::codepipeline-ap-southeast-1-183991447891, Bucket::config-bucket-961319563195, Bucket::documentunderstandingsolutioncicd-devoutputbucket-1m11zxjc9fhd6, Bucket::dojo-logs, Bucket::kuettai-solutions-bucket-ap-southeast-1 [us-east-1]Bucket::cloudtrail-awslogs-961319563195-pyvnhwtz-isengard-do-not-delete, Bucket::kuettai-dojo01 [ObjectLock] - Enable Object Lock [ap-southeast-1]Bucket::aws-codestar-ap-southeast-1-961319563195, Bucket::aws-codestar-ap-southeast-1-961319563195-dojo-pipe, Bucket::codepipeline-ap-southeast-1-183991447891, Bucket::config-bucket-961319563195, Bucket::documentunderstandingsolutioncic-artifacts3bucket-dtr9a8q6yj2h, Bucket::documentunderstandingsolutioncicd-devoutputbucket-1m11zxjc9fhd6, Bucket::dojo-logs, Bucket::kuettai-solutions-bucket-ap-southeast-1 [us-east-1]Bucket::cloudtrail-awslogs-961319563195-pyvnhwtz-isengard-do-not-delete, Bucket::kuettai-dojo01	S3 Enable MFA Delete Delete with MFA enabled file in S3 Configure S3 bucket versioning Resilience in CloudTrail Prevention for Accidental Deletions on S3 AWS Docs AWS Docs Manage Versioning Example AWS Docs
Detection & Mitigation	P4.5	Not available
Detection & Mitigation	P4.6	Not available
Detection & Mitigation	P4.7	Not available
AppSec & DevSecOps	P5.1	Compliant	[DBwithoutSecretManager]
AppSec & DevSecOps	P5.2	Not available
AppSec & DevSecOps	P5.3	Not available
AppSec & DevSecOps	P5.4	Not available
AppSec & DevSecOps	P5.5	Not available