CloudWiki

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR was designed to protect individuals and their personal information, and to ensure that organizations which collect that information do so responsibly. GDPR also requires that personal data be kept secure: protected against unauthorized or unlawful processing and against accidental loss, destruction or damage. The consequences for violating GDPR provisions are severe: up to the greater of 4% of worldwide revenue or €20 million.

Compliance checks for Amazon Web Services

Severity  Check
Warning   Ensure Kinesis Data Stream encryption is enabled
Critical  IAM Role with Admin access (*:*)
Critical  IAM User with Admin access (*:*)
Warning   Ensure IAM policies that allow over-privileged access to data are not created
Critical  Ensure root user has MFA enabled
Critical  IAM user can execute a Privilege Escalation by using inline PassRole
Info      EC2 large instance create alarm
Info      Ensure IAM password policy has expiration period
Info      Internet Gateway (IGW) changes alarm
Critical  Ensure no root account access key exists
Info      Ensure RDS instances have Performance Insights feature enabled
Info      Ensure EKS Private access is enabled
Warning   Ensure RDS instances have Multi-AZ disabled in dev environments
Critical  Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
Info      Route Table changes alarm
Info      IAM Policy changes alarm
Info      S3 Bucket changes alarm
Info      Security Group (SG) changes alarm
Info      Network ACL (NACL) changes alarm
Critical  Ensure SageMaker Notebook Data is Encrypted
Info      NAT Gateway changes alarm
Info      VPC changes alarm
Warning   Ensure SageMaker Notebook Direct Internet Access is disabled
Critical  IAM user can execute a Privilege Escalation by using AttachUserPolicy
Critical  IAM user can execute a Privilege Escalation by using CreatePolicyVersion
Critical  Ensure EBS snapshots are not publicly accessible
Critical  Ensure EC2 AMIs are not publicly accessible
Warning   Ensure EBS snapshots are encrypted
Warning   Ensure EMR clusters are encrypted in-transit and at-rest
Info      Ensure EMR clusters archive log files to S3
Info      Ensure DynamoDB Tables are encrypted with customer managed key
Critical  Ensure IAM password policy expires passwords within 90 days or less
Warning   Ensure IAM password policy requires minimum length of 14 or greater
Warning   Ensure IAM password policy requires at least one symbol
Warning   Ensure IAM password policy requires at least one uppercase letter
Warning   Ensure IAM password policy requires at least one number
Warning   Ensure IAM password policy requires at least one lowercase letter
Warning   Ensure IAM password policy prevents password reuse
Critical  Lambda Admin access (*:*)
Critical  Ensure IAM policies that allow full "*:*" administrative privileges are not created
Critical  EC2 with Admin access (*:*)
Info      Ensure RDS is not using the default port 1433
Warning   Ensure SNS is not publicly accessible
Warning   Ensure SQS is not publicly accessible
Warning   Ensure security groups do not have ingress open to any (0.0.0.0/0)
Warning   Ensure that S3 Buckets are configured with "Block public access"
Warning   Ensure Kubernetes API servers are not publicly accessible
Critical  S3 bucket is public
Warning   Ensure AWS EKS cluster has secrets encryption enabled
Warning   Ensure RDS database instances are not publicly accessible
Warning   Ensure VPC flow logging is enabled in all VPCs
Warning   Ensure OpenSearch domains are configured to enforce HTTPS connections
Warning   Ensure OpenSearch data at rest encryption is enabled
Warning   IAM Group inline policy is over-permissive
Warning   Ensure default security groups do not allow unrestricted traffic
Warning   Ensure MSK (Kafka) clusters have encryption in transit enabled between clients and brokers using TLS
Warning   Ensure MSK (Kafka) clusters have encryption in transit enabled between brokers within a cluster
Warning   Ensure CloudFront distributions enforce HTTPS protocol for data in-transit
Critical  Ensure Lambda function resource-based policy does not allow public access
Critical  Ensure ElastiCache Redis clusters are encrypted in-transit
Critical  Ensure ElastiCache Redis clusters are encrypted at-rest
Warning   DynamoDB tables not in use
Warning   VPC endpoint is publicly accessible
Critical  Ensure all IAM users with console access have MFA enabled
Info      Resource has access to S3 bucket
Warning   Ensure CloudTrail logs are encrypted at rest
Warning   Ensure EBS volumes are encrypted
Critical  Ensure the S3 bucket for CloudTrail logs is not publicly accessible
Warning   Ensure EKS Public access is disabled
Warning   Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Warning   Ensure SQS encryption is enabled
Warning   Ensure SNS encryption is enabled
Warning   Ensure CloudFront web distributions are configured to compress objects (files) automatically
Warning   Ensure S3 buckets have server access logging enabled to track access requests
Warning   Ensure Geo-Restriction is enabled within CloudFront distribution
Warning   Ensure data stored in the S3 bucket is securely encrypted at rest
Warning   Ensure CloudFront web distributions enforce field-level encryption
Warning   Ensure RDS Instances have IAM Database Authentication enabled
Warning   Ensure DynamoDB tables have point-in-time recovery enabled
Warning   Ensure RDS instances are configured with Auto Minor Version Upgrade
Warning   Ensure RDS instances have Multi-AZ enabled in Production
Info      Ensure RDS is not using the default port 3306
Info      Ensure RDS is not using the default port 1521
Info      Ensure RDS is not using the default port 5432
Critical  Ensure RDS database instances have storage encryption enabled
Warning   Ensure RDS database instances have Deletion Protection enabled
Info      Ensure RDS database instances have Copy Tags to Snapshots enabled