CloudWiki
Compliance
Detect, troubleshoot & optimize AWS environments in real-time ->

APRA

resize
Visit website

The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions across banking, insurance and superannuation and promotes financial system stability in Australia.

Compliance checks for Amazon Web Services

High
Ensure EFS file systems are encrypted using KMS CMK customer-managed keys
APRA
MAS
NIST4
GDPR
AWS Well-Architected Framework
High
Ensure EFS file systems are encrypted
APRA
MAS
NIST4
GDPR
HIPAA
Low
Ensure Simple Email Service (SES) identities are verified
APRA
MAS
NIST4
High
Ensure Simple Email Service (SES) identities are not exposed
APRA
MAS
NIST4
GDPR
AWS Well-Architected Framework
Low
Ensure DocumentDB clusters have Log Exports feature enabled
APRA
Critical
Ensure access keys are rotated every 90 days or less
CIS
APRA
MAS
NIST4
NIST 800-53
High
IAM Role inline policy has over permissive RDS access
APRA
MAS
FTR
NIST4
High
IAM Role inline policy has over permissive KMS access
APRA
MAS
FTR
NIST4
High
IAM Role inline policy has over permissive Kafka access
APRA
MAS
FTR
NIST4
High
IAM Role inline policy has over permissive OpenSearch access
APRA
MAS
FTR
NIST4
High
IAM Role inline policy has over permissive ElastiCache access
APRA
MAS
FTR
NIST4
Critical
IAM Role inline policy is over permissive
APRA
MAS
NIST4
FTR
Medium
Ensure Kinesis Data Stream encryption is enabled
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
High
IAM Role inline policy has over permissive DynamoDB access
APRA
MAS
FTR
NIST4
High
IAM Role inline policy has over permissive S3 access
APRA
MAS
FTR
NIST4
Medium
Ensure IAM policies that allow over privileges access to data are not created
AWS Well-Architected Framework
CISAWSF
GDPR
FTR
ISO 27001
Low
EC2 large instance create alarm
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Internet Gateway (IGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Medium
EC2 should have a name set
APRA
MAS
Low
Ensure EKS Private access is enabled
APRA
CIS
CISAWSF
CIS EKS
GDPR
Critical
Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
APRA
AWS Well-Architected Framework
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by VPC Endpoints
APRA
MAS
NIST4
CIS
Critical
Ensure default security groups are not in use by Lambda
CIS
APRA
MAS
NIST4
Critical
Ensure default security groups are not in use by ElastiCache
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by OpenSearch
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by ECS
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by ELB
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by RDS
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by ALB
APRA
CISAWSF
MAS
NIST4
Critical
Ensure default security groups are not in use by MSK
APRA
CISAWSF
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
ISO 27001
PCI-DSS
HITRUST
NIST 800-53
CIS
Critical
Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
ISO 27001
GDPR
PCI-DSS
CIS
CISAWSF
Critical
Ensure there is no unrestricted inbound access to TCP port 80 (HTTP)
CIS
PCI-DSS
APRA
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to UDP port 53 (DNS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 27018 (MongoDB)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 27019 (MongoDB)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 135 (RPC)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 8080 (HTTP proxy)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 8000 (HTTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 5432 (PostgreSQL)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 137 (NetBios)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 139 (NetBios)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 1433 (MSSQL)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 53 (DNS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 20 (FTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 21 (FTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 9200 (ElasticSearch)
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 3020 (SMB / CIFS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 25 (SMTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 3306 (MySQL)
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Route Table changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
IAM Policy changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
S3 Bucket changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Security Group (SG) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Critical
Ensure SageMaker Notebook Data is Encrypted
APRA
GDPR
HIPAA
MAS
NIST4
Low
VPC Peering changes alarm
CIS
PCI-DSS
APRA
MAS
NIST4
Low
Transit Gateway (TGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
NAT Gateway changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
VPC changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Medium
Ensure SageMaker Notebook Direct Internet Access is disabled
APRA
GDPR
HIPAA
NIST4
PCI-DSS
Medium
Ensure Amazon SageMaker Notebook Instance is in VPC
APRA
AWS Well-Architected Framework
MAS
PCI-DSS
Critical
IAM Role with inline Admin access (*:*)
CIS
CISAWSF
APRA
AWS Well-Architected Framework
NIST 800-53
Medium
IAM user inline policy is over permissive
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Ensure Internet Gateway is attached to a VPC
APRA
AWS Well-Architected Framework
MAS
Medium
Unused NAT Resources
APRA
AWS Well-Architected Framework
MAS
Medium
AMI (Amazon Machine Images) not in use (12 months)
APRA
AWS Well-Architected Framework
MAS
Critical
Ensure EC2 AMIs are not publicly accessible
GDPR
APRA
MAS
NIST4
CIS 8
Medium
AMI (Amazon Machine Images) not in use
APRA
AWS Well-Architected Framework
MAS
Medium
Ensure EMR clusters are encrypted in-transit and at-rest
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Low
Ensure EMR cluster archive log files to S3
APRA
AWS Well-Architected Framework
GDPR
MAS
NIST4
Low
Ensure DynamoDB Tables are encrypted with customer managed key
APRA
AWS Well-Architected Framework
GDPR
NIST4
HITRUST
Critical
Ensure IAM password policy expires passwords within 90 days or less
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Medium
Ensure IAM password policy require at least one symbol
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy requires at least one uppercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
HIPAA
Medium
Ensure IAM password policy require at least one number
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy require at least one lowercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
ISO 27001
Critical
IAM Role with Admin access (*:*)
CISAWSF
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure IAM Role has no inline policy
APRA
AWS Well-Architected Framework
MAS
NIST4
FedRAMP
Critical
Ensure IAM policies that allow full "*:*" administrative privileges are not created
APRA
AWS Well-Architected Framework
CISAWSF
GDPR
FTR
Low
Ensure RDS is not using the default port 1433
APRA
AWS Well-Architected Framework
NIST4
PCI-DSS
NIST 800-53
Medium
Ensure security groups do not have ingress open to any (0.0.0.0/0)
CIS
PCI-DSS
APRA
MAS
NIST4
Medium
Ensure security groups do not have all ports open
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
HIPAA
HITRUST
Medium
Ensure EC2 instance uses an IAM profile
APRA
CISAWSF
MAS
NIST4
Medium
Ensure S3 object versioning is enabled
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure VPC flow logging is enabled in all VPCs
CIS
SOC2
GDPR
ISO 27001
PCI-DSS
Medium
Ensure IAM Group has no inline policy
APRA
MAS
NIST4
FedRAMP
Medium
Ensure default security groups do not allow unrestricted traffic
APRA
CISAWSF
SOC2
PCI-DSS
GDPR
Critical
Ensure ElastiCache Redis clusters are encrypted in-transit
HIPAA
GDPR
HITRUST
NIST 800-53
APRA
Critical
Ensure ElastiCache Redis clusters are encrypted at-rest
HIPAA
GDPR
NIST4
APRA
HITRUST
Medium
Ensure that Cloudfront distribution is not using insecure SSL protocols
APRA
HIPAA
MAS
NIST4
PCI-DSS
Medium
VPC endpoint is publicly accessible
APRA
AWS Well-Architected Framework
GDPR
MAS
NIST4
Medium
Ensure IAM User has no inline policy
APRA
AWS Well-Architected Framework
CISAWSF
SOC2
MAS
Medium
Ensure OpenSearch domains are in a VPC
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
PCI-DSS
GDPR
Medium
Ensure EBS volumes are encrypted
APRA
MAS
NIST4
CIS
ISO 27001
Critical
Ensure the S3 bucket for CloudTrail logs is not publicly accessible
CIS
HIPAA
GDPR
APRA
MAS
Medium
Ensure EKS Public access is disabled
APRA
CIS
CISAWSF
CIS EKS
GDPR
Medium
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
APRA
CISAWSF
SOC2
PCI-DSS
GDPR
Medium
Gateway VPC endpoint is not in use
APRA
AWS Well-Architected Framework
MAS
All Compliances
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
CCPA
CIS
CIS 8
CIS EKS
CISAWSF
CSA CCM
FTR
FedRAMP
GDPR
HIPAA
HITRUST
ISO 27001
ISO 27701
MAS
NIST 800-53
NIST4
PCI-DSS
SOC2