CloudWiki

The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions across banking, insurance and superannuation and promotes financial system stability in Australia.

Compliance checks for Amazon Web Services

Severity  Check
Critical  IAM Role inline policy has over-permissive RDS access
Critical  IAM Role inline policy has over-permissive KMS access
Critical  IAM Role inline policy has over-permissive Kafka access
Critical  IAM Role inline policy has over-permissive OpenSearch access
Critical  IAM Role inline policy has over-permissive ElastiCache access
Critical  IAM Role inline policy is over-permissive
Warning   Ensure Kinesis Data Stream encryption is enabled
Critical  IAM Role with Admin access (*:*)
Critical  IAM Role inline policy has over-permissive DynamoDB access
Critical  IAM Role inline policy has over-permissive S3 access
Warning   Ensure IAM policies that allow over-privileged access to data are not created
Info      EC2 large instance creation alarm
Info      Internet Gateway (IGW) changes alarm
Warning   EC2 instance should have a Name tag set
Info      Ensure EKS private endpoint access is enabled
Critical  Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
Critical  Ensure default security groups are not in use by VPC Endpoints
Critical  Ensure default security groups are not in use by Lambda
Critical  Ensure default security groups are not in use by ElastiCache
Critical  Ensure default security groups are not in use by OpenSearch
Critical  Ensure default security groups are not in use by ECS
Critical  Ensure default security groups are not in use by ELB
Critical  Ensure default security groups are not in use by RDS
Critical  Ensure default security groups are not in use by ALB
Critical  Ensure default security groups are not in use by MSK
Critical  Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
Critical  Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
Critical  Ensure there is no unrestricted inbound access to TCP port 80 (HTTP)
Critical  Ensure there is no unrestricted inbound access to UDP port 53 (DNS)
Critical  Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
Critical  Ensure there is no unrestricted inbound access to TCP port 27018 (MongoDB)
Critical  Ensure there is no unrestricted inbound access to TCP port 27019 (MongoDB)
Critical  Ensure there is no unrestricted inbound access to TCP port 135 (RPC)
Critical  Ensure there is no unrestricted inbound access to TCP port 8080 (HTTP proxy)
Critical  Ensure there is no unrestricted inbound access to TCP port 8000 (HTTP)
Critical  Ensure there is no unrestricted inbound access to TCP port 5432 (PostgreSQL)
Critical  Ensure there is no unrestricted inbound access to TCP port 137 (NetBIOS)
Critical  Ensure there is no unrestricted inbound access to TCP port 139 (NetBIOS)
Critical  Ensure there is no unrestricted inbound access to TCP port 1433 (MSSQL)
Critical  Ensure there is no unrestricted inbound access to TCP port 53 (DNS)
Critical  Ensure there is no unrestricted inbound access to TCP port 20 (FTP)
Critical  Ensure there is no unrestricted inbound access to TCP port 21 (FTP)
Critical  Ensure there is no unrestricted inbound access to TCP port 9200 (Elasticsearch)
Critical  Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
Critical  Ensure there is no unrestricted inbound access to TCP port 3020 (SMB / CIFS)
Critical  Ensure there is no unrestricted inbound access to TCP port 25 (SMTP)
Critical  Ensure there is no unrestricted inbound access to TCP port 3306 (MySQL)
Info      Route Table changes alarm
Info      IAM Policy changes alarm
Info      S3 Bucket changes alarm
Info      Security Group (SG) changes alarm
Critical  Ensure SageMaker notebook data is encrypted
Info      VPC Peering changes alarm
Info      Transit Gateway (TGW) changes alarm
Info      NAT Gateway changes alarm
Info      VPC changes alarm
Warning   Ensure SageMaker notebook direct internet access is disabled
Warning   Ensure Amazon SageMaker notebook instance is in a VPC
Critical  IAM Role with inline Admin access (*:*)
Warning   IAM User inline policy is over-permissive
Info      Ensure Internet Gateway is attached to a VPC
Warning   IAM Role inline policy is over-permissive
Warning   Unused NAT resources
Warning   AMI (Amazon Machine Image) not in use (12 months)
Critical  Ensure EC2 AMIs are not publicly accessible
Warning   AMI (Amazon Machine Image) not in use
Warning   Ensure EMR clusters are encrypted in transit and at rest
Info      Ensure EMR clusters archive log files to S3
Info      Ensure DynamoDB tables are encrypted with a customer managed key
Critical  Ensure IAM password policy expires passwords within 90 days or less
Warning   Ensure IAM password policy requires at least one symbol
Warning   Ensure IAM password policy requires at least one uppercase letter
Warning   Ensure IAM password policy requires at least one number
Warning   Ensure IAM password policy requires at least one lowercase letter
Warning   IAM Role with high-privilege policies
Warning   Ensure IAM Role has no inline policy
Critical  Ensure IAM policies that allow full "*:*" administrative privileges are not created
Info      Ensure RDS is not using the default port 1433
Warning   Ensure security groups do not have ingress open to any (0.0.0.0/0)
Warning   Ensure EC2 instance uses an IAM instance profile
Warning   Ensure S3 object versioning is enabled
Warning   Ensure VPC flow logging is enabled in all VPCs
Warning   Ensure IAM Group has no inline policy
Warning   Ensure default security groups do not allow unrestricted traffic
Critical  Ensure ElastiCache Redis clusters are encrypted in transit
Critical  Ensure ElastiCache Redis clusters are encrypted at rest
Warning   Ensure CloudFront distribution is not using insecure SSL protocols
Warning   VPC endpoint is publicly accessible
Warning   Ensure IAM User has no inline policy
Warning   Ensure EBS volumes are encrypted
Critical  Ensure the S3 bucket for CloudTrail logs is not publicly accessible
Warning   Ensure EKS public endpoint access is disabled
Warning   Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Warning   Gateway VPC endpoint is not in use
Warning   Ensure both VPN tunnels are up
Warning   Ensure SQS encryption is enabled
Warning   Ensure SNS encryption is enabled
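The IAM checks in the list above (over-permissive RDS/KMS/Kafka/OpenSearch/ElastiCache/DynamoDB/S3 access, Admin access (*:*), and policies granting full "*:*" privileges) all come down to inspecting the Allow statements of a policy document. The following Python is an added example, not code from this page or from the tool behind these checks: it evaluates a policy document for those conditions. WATCHED_SERVICES, the function names and the sample policy documents are my own assumptions; the IAM action prefixes (rds, kms, kafka, es for OpenSearch, elasticache, dynamodb, s3) are the real ones.

```python
"""Find admin (*:*) and service-wide wildcard grants in IAM policy documents.

Input is an IAM policy document as a dict (what boto3 returns for
iam.get_role_policy()["PolicyDocument"]) or as a JSON string. The policy
documents below are constructed for this example; nothing here calls AWS.
"""
import json

# Services covered by the per-service "over-permissive ... access" checks,
# keyed by IAM action prefix. "es" is the prefix for Amazon OpenSearch Service.
WATCHED_SERVICES = {
    "rds": "RDS", "kms": "KMS", "kafka": "Kafka", "es": "OpenSearch",
    "elasticache": "ElastiCache", "dynamodb": "DynamoDB", "s3": "S3",
}


def _as_list(value):
    """Statement, Action, NotAction and Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_grants(doc):
    """Map each service that gets a wildcard action on Resource "*" to the
    granting actions.

    Key "*" means full admin (Action "*", or Allow + NotAction, on Resource "*").
    Action names compare case-insensitively, as IAM compares them. Prefix
    wildcards such as "ec2:Describe*" are deliberately not flagged here.
    """
    if isinstance(doc, str):
        doc = json.loads(doc)
    grants = {}
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource")):
            continue
        if "NotAction" in st:
            # Allow + NotAction grants every action not listed: treat as admin.
            grants.setdefault("*", []).append(
                "NotAction:" + ",".join(_as_list(st["NotAction"])))
            continue
        for action in _as_list(st.get("Action")):
            lowered = action.lower()
            if lowered == "*":
                grants.setdefault("*", []).append(action)
            elif lowered.endswith(":*"):
                grants.setdefault(lowered.split(":", 1)[0], []).append(action)
    return grants


def is_admin(doc):
    """True for the "*:*" condition the Admin access checks look for."""
    return "*" in wildcard_grants(doc)


def over_permissive_services(doc):
    """Watched services granted "<svc>:*" on "*"; full admin implies all of them."""
    grants = wildcard_grants(doc)
    if "*" in grants:
        return sorted(WATCHED_SERVICES.values())
    return sorted(WATCHED_SERVICES[s] for s in grants if s in WATCHED_SERVICES)


# Constructed sample documents (not taken from any real account).
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}

INLINE_POLICY = {"Version": "2012-10-17", "Statement": [
    # Scoped to one bucket: acceptable.
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-bucket/*"},
    # Service-wide wildcards on every resource: flagged (case differs on purpose).
    {"Effect": "Allow", "Action": ["KMS:*", "dynamodb:*"], "Resource": "*"},
    # Prefix wildcard, read-only: not flagged by this function.
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    # Deny statements never grant anything.
    {"Effect": "Deny", "Action": "rds:*", "Resource": "*"},
]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    # s3:* is still broad, but limited to one bucket, so there is no "*" resource grant.
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]},
]}

if __name__ == "__main__":
    for name, doc in [("ADMIN_POLICY", ADMIN_POLICY),
                      ("INLINE_POLICY", INLINE_POLICY),
                      ("SCOPED_POLICY", SCOPED_POLICY)]:
        print(name, "admin" if is_admin(doc) else "not admin",
              over_permissive_services(doc))
```

The function keys only on wildcard actions combined with Resource "*"; a statement carrying a Condition block is still reported, since a condition narrows when the grant applies but not what it grants. Feed it the PolicyDocument of each inline policy attached to a role, user or group, and the per-service check names above map directly onto the keys it returns.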
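The long run of "Ensure there is no unrestricted inbound access to ... port" checks, together with "Ensure security groups do not have ingress open to any (0.0.0.0/0)" and "Ensure default security groups do not allow unrestricted traffic", is one procedure: walk each security group's ingress rules and report any watched port reachable from 0.0.0.0/0 or ::/0. The Python below is an added example, not code from this page or from the tool behind these checks. It works on rules in the IpPermissions shape that boto3's ec2.describe_security_groups() returns; the port table is copied from the checks above, and WATCHED_PORTS, the function names and the sample groups are my own assumptions. Note that TCP 445, the port SMB itself listens on, is not in the page's list; add it to WATCHED_PORTS if you want it covered.

```python
"""Flag security-group ingress rules that expose sensitive ports to the internet.

Rules follow boto3's ec2.describe_security_groups() IpPermissions shape.
The sample groups at the bottom are constructed for this example; nothing
here calls AWS.
"""
from dataclasses import dataclass

# (protocol, port) -> label, taken from the "unrestricted inbound access" checks.
WATCHED_PORTS = {
    ("tcp", 20): "FTP", ("tcp", 21): "FTP", ("tcp", 22): "SSH", ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP", ("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 80): "HTTP",
    ("tcp", 135): "RPC", ("tcp", 137): "NetBIOS", ("tcp", 139): "NetBIOS",
    ("tcp", 1433): "MSSQL", ("tcp", 1521): "OracleDB", ("tcp", 3020): "SMB / CIFS",
    ("tcp", 3306): "MySQL", ("tcp", 3389): "RDP", ("tcp", 5432): "PostgreSQL",
    ("tcp", 8000): "HTTP", ("tcp", 8080): "HTTP proxy", ("tcp", 9200): "Elasticsearch",
    ("tcp", 27017): "MongoDB", ("tcp", 27018): "MongoDB", ("tcp", 27019): "MongoDB",
}

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    port: int
    label: str
    source: str


def _world_sources(perm):
    """Yield the CIDRs in a permission that mean 'anyone on the internet'."""
    for r in perm.get("IpRanges", []):
        if r.get("CidrIp") == ANY_V4:
            yield ANY_V4
    for r in perm.get("Ipv6Ranges", []):
        if r.get("CidrIpv6") == ANY_V6:
            yield ANY_V6


def _covers(perm, proto, port):
    """True if the permission opens `port` over `proto`.

    IpProtocol "-1" means all protocols and all ports. Otherwise the rule
    applies to [FromPort, ToPort], and -1 as a port means every port.
    """
    ip_proto = perm.get("IpProtocol")
    if ip_proto == "-1":
        return True
    if ip_proto != proto:
        return False
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    if lo == -1 or hi == -1:
        return True
    return lo <= port <= hi


def unrestricted_ingress(group):
    """Findings for every watched port reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = list(_world_sources(perm))
        if not sources:
            continue
        for (proto, port), label in sorted(WATCHED_PORTS.items()):
            if _covers(perm, proto, port):
                for src in sources:
                    findings.append(Finding(group["GroupId"], proto, port, label, src))
    return findings


def default_group_open(group):
    """The 'default security groups do not allow unrestricted traffic' check."""
    return group.get("GroupName") == "default" and any(
        list(_world_sources(p)) for p in group.get("IpPermissions", []))


# Constructed sample groups (not from any real account).
SAMPLE_GROUPS = [
    {   # Web tier: 443 to the world is expected, 22 to the world is not.
        "GroupId": "sg-0a1b2c3d", "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # DB tier: a port range that silently includes 3020, 3306 and 3389.
        "GroupId": "sg-0e5f6a7b", "GroupName": "db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {   # Default group left with an all-traffic rule from anywhere.
        "GroupId": "sg-0c9d8e7f", "GroupName": "default",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        for f in unrestricted_ingress(g):
            print(f"{f.group_id}: {f.protocol}/{f.port} ({f.label}) open to {f.source}")
        if default_group_open(g):
            print(f"{g['GroupId']}: default security group allows unrestricted traffic")
```

Two details matter in practice and are handled above: a rule with IpProtocol "-1" or a port of -1 opens every watched port at once, and a wide port range can expose a database port without the port number ever appearing in the rule, which a string match on "3306" would miss. IPv6 "::/0" is treated exactly like 0.0.0.0/0.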