CloudWiki
Compliance
Get a free AWS Well-Architected Assessment ->

APRA

resize
Visit website

The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions across banking, insurance and superannuation and promotes financial system stability in Australia.

Compliance checks for Amazon Web Services

Low
Ensure Amazon MQ brokers Log Exports feature is enabled
APRA
CSA CCM
GDPR
HITRUST
ISO 27001
Low
Ensure Amazon MQ brokers are using the latest engine version
APRA
HITRUST
MAS
PCI-DSS
Medium
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Medium
Ensure Amazon MQ brokers Auto Minor Version Upgrade feature is enabled
APRA
CCPA
HITRUST
ISO 27001
MAS
Critical
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Low
Ensure Redshift clusters are not using default endpoint port
APRA
CCPA
GDPR
HITRUST
ISO 27001
Low
Ensure Redshift clusters are using a custom master user name instead of the default master user name
APRA
CCPA
CIS 8
GDPR
HITRUST
Medium
Ensure Redshift clusters are using desired node types
APRA
AWS Well-Architected Framework
Medium
Ensure Redshift clusters are provisioned within a VPC
APRA
CCPA
GDPR
HIPAA
HITRUST
Medium
Ensure Redshift clusters Version Upgrade feature is enabled
APRA
MAS
NIST4
PCI-DSS
High
Ensure Redshift clusters are not publicly accessible
APRA
GDPR
HIPAA
MAS
NIST4
High
Ensure Redshift clusters are encrypted at-rest
APRA
HIPAA
MAS
NIST4
PCI-DSS
Medium
Ensure AWS Config is configured to include global resources
APRA
GDPR
MAS
NIST4
AWS Well-Architected Framework
High
AWS Config configuration changes alarm
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure Database Migration Service (DMS) replication instances have Auto Minor Version Upgrade feature enabled
APRA
MAS
NIST4
High
Ensure Database Migration Service (DMS) are not publicly accessible
APRA
GDPR
HIPAA
NIST4
PCI-DSS
Medium
Ensure CloudFormation stacks are sending event notifications to an SNS topic
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure CloudFormation stacks Termination Protection feature is enabled
APRA
MAS
AWS Well-Architected Framework
Low
CloudTrail changes alarm
CIS
CISAWSF
APRA
MAS
NIST4
Medium
Ensure CloudTrail Log File Integrity Validation is enabled
CISAWSF
PCI-DSS
HIPAA
GDPR
APRA
Medium
Ensure CloudWatch Logs service is configured to monitor CloudTrail trail logs
CISAWSF
PCI-DSS
GDPR
APRA
MAS
Medium
Ensure S3 buckets associated with CloudTrail trails are configured with sever access logging
APRA
CISAWSF
SOC2
PCI-DSS
GDPR
High
Ensure CloudTrail trails record global service events
APRA
PCI-DSS
GDPR
NIST4
MAS
High
Ensure CloudTrail trails have multi-region enabled
APRA
MAS
CISAWSF
PCI-DSS
HIPAA
High
Ensure CloudTrail buckets are configured to use MFA
APRA
MAS
NIST4
GDPR
HIPAA
High
Ensure EFS file systems are encrypted using KMS CMK customer-managed keys
APRA
MAS
NIST4
GDPR
AWS Well-Architected Framework
High
Ensure EFS file systems are encrypted
APRA
MAS
NIST4
GDPR
HIPAA
Low
Ensure Simple Email Service (SES) identities are verified
APRA
MAS
NIST4
High
Ensure Simple Email Service (SES) identities are not exposed
APRA
MAS
NIST4
GDPR
AWS Well-Architected Framework
Low
Ensure DocumentDB clusters have Log Exports feature enabled
APRA
Critical
Ensure access keys are rotated every 90 days or less
CIS
APRA
MAS
NIST4
NIST 800-53
High
IAM Role inline policy has over permissive RDS access
APRA
MAS
FTR
NIST4
High
IAM Role inline policy has over permissive KMS access
APRA
MAS
FTR
NIST4
High
IAM Role inline policy has over permissive Kafka access
APRA
MAS
FTR
NIST4
High
IAM Role inline policy has over permissive OpenSearch access
APRA
MAS
FTR
NIST4
High
IAM Role inline policy has over permissive ElastiCache access
APRA
MAS
FTR
NIST4
Critical
IAM Role inline policy is over permissive
APRA
MAS
NIST4
FTR
Medium
Ensure Kinesis Data Stream encryption is enabled
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
High
IAM Role inline policy has over permissive DynamoDB access
APRA
MAS
FTR
NIST4
High
IAM Role inline policy has over permissive S3 access
APRA
MAS
FTR
NIST4
Medium
Ensure IAM policies that allow over privileges access to data are not created
AWS Well-Architected Framework
CISAWSF
GDPR
FTR
ISO 27001
Low
EC2 large instance create alarm
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Internet Gateway (IGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Medium
EC2 should have a name set
APRA
MAS
Low
Ensure EKS Private access is enabled
APRA
CIS
CISAWSF
CIS EKS
GDPR
Critical
Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
APRA
AWS Well-Architected Framework
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by VPC Endpoints
APRA
MAS
NIST4
CIS
Critical
Ensure default security groups are not in use by Lambda
CIS
APRA
MAS
NIST4
Critical
Ensure default security groups are not in use by ElastiCache
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by OpenSearch
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by ECS
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by ELB
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by RDS
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by ALB
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by MSK
APRA
CISAWSF
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
ISO 27001
PCI-DSS
HITRUST
NIST 800-53
CIS
Critical
Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
ISO 27001
GDPR
PCI-DSS
CIS
CISAWSF
Critical
Ensure there is no unrestricted inbound access to TCP port 80 (HTTP)
CIS
PCI-DSS
APRA
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to UDP port 53 (DNS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 27018 (MongoDB)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 27019 (MongoDB)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 135 (RPC)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 8080 (HTTP proxy)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 8000 (HTTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 5432 (PostgreSQL)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 137 (NetBios)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 139 (NetBios)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 1433 (MSSQL)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 53 (DNS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 20 (FTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 21 (FTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 9200 (ElasticSearch)
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 3020 (SMB / CIFS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 25 (SMTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 3306 (MySQL)
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Route Table changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
IAM Policy changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
S3 Bucket changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Security Group (SG) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Critical
Ensure SageMaker Notebook Data is Encrypted
APRA
GDPR
HIPAA
MAS
NIST4
Low
VPC Peering changes alarm
CIS
PCI-DSS
APRA
MAS
NIST4
Low
Transit Gateway (TGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
NAT Gateway changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
VPC changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Medium
Ensure SageMaker Notebook Direct Internet Access is disabled
APRA
GDPR
HIPAA
NIST4
PCI-DSS
Medium
Ensure Amazon SageMaker Notebook Instance is in VPC
APRA
AWS Well-Architected Framework
MAS
PCI-DSS
Critical
IAM Role with inline Admin access (*:*)
CIS
CISAWSF
APRA
AWS Well-Architected Framework
NIST 800-53
Medium
IAM user inline policy is over permissive
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Ensure Internet Gateway is attached to a VPC
APRA
AWS Well-Architected Framework
MAS
Medium
Unused NAT Resources
APRA
AWS Well-Architected Framework
MAS
Medium
AMI (Amazon Machine Images) not in use (12 months)
APRA
AWS Well-Architected Framework
MAS
Critical
Ensure EC2 AMIs are not publicly accessible
GDPR
APRA
MAS
NIST4
CIS 8
Medium
AMI (Amazon Machine Images) not in use
APRA
AWS Well-Architected Framework
MAS
Medium
Ensure EMR clusters are encrypted in-transit and at-rest
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Low
Ensure EMR cluster archive log files to S3
APRA
AWS Well-Architected Framework
GDPR
MAS
NIST4
Low
Ensure DynamoDB Tables are encrypted with customer managed key
APRA
AWS Well-Architected Framework
GDPR
NIST4
HITRUST
Critical
Ensure IAM password policy expires passwords within 90 days or less
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Medium
Ensure IAM password policy require at least one symbol
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
All Compliances
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
CCPA
CIS
CIS 8
CIS EKS
CISAWSF
CSA CCM
FTR
FedRAMP
GDPR
HIPAA
HITRUST
ISO 27001
ISO 27701
MAS
NIST 800-53
NIST4
PCI-DSS
SOC2