CloudWiki

The Monetary Authority of Singapore (MAS) is Singapore's central bank and integrated financial regulator. It issued the Guidelines on Outsourcing (MAS Guidelines) to govern the outsourcing practices of financial institutions (FIs), and it treats the use of cloud services as a form of outsourcing. The Technology Risk Management (TRM) Guidelines were published to help financial firms establish sound technology risk management, strengthen system security, and safeguard sensitive data and transactions. The TRM Guidelines contain statements of industry best practice that financial institutions conducting business in Singapore are expected to adopt. MAS makes clear that, while the TRM requirements are not legally binding, they are the benchmark MAS uses when assessing the technology risk of financial institutions. The checks below map controls in an AWS account to that benchmark; each is listed with the severity the scanner assigns to a failing result.

Compliance checks for Amazon Web Services

Severity | Check
Critical | IAM Role inline policy has over-permissive RDS access
Critical | IAM Role inline policy has over-permissive KMS access
Critical | IAM Role inline policy has over-permissive Kafka access
Critical | IAM Role inline policy has over-permissive OpenSearch access
Critical | IAM Role inline policy has over-permissive ElastiCache access
Critical | IAM Role inline policy is over-permissive
Warning | Ensure Kinesis Data Stream encryption is enabled
Critical | IAM Role with Admin access (*:*)
Critical | IAM Role inline policy has over-permissive DynamoDB access
Critical | IAM Role inline policy has over-permissive S3 access
Warning | Ensure IAM policies that allow over-privileged access to data are not created
Info | EC2 large instance creation alarm
Info | Internet Gateway (IGW) changes alarm
Warning | EC2 instance should have a Name tag set
Info | Ensure API Gateway has content encoding enabled
Info | Ensure EKS private endpoint access is enabled
Critical | Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
Critical | Ensure default security groups are not in use by VPC Endpoints
Critical | Ensure default security groups are not in use by Lambda
Critical | Ensure default security groups are not in use by ElastiCache
Critical | Ensure default security groups are not in use by OpenSearch
Critical | Ensure default security groups are not in use by ECS
Critical | Ensure default security groups are not in use by ELB
Critical | Ensure default security groups are not in use by RDS
Critical | Ensure default security groups are not in use by ALB
Critical | Ensure default security groups are not in use by MSK
Critical | Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
Critical | Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
Critical | Ensure there is no unrestricted inbound access to TCP port 80 (HTTP)
Critical | Ensure there is no unrestricted inbound access to UDP port 53 (DNS)
Critical | Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
Critical | Ensure there is no unrestricted inbound access to TCP port 27018 (MongoDB)
Critical | Ensure there is no unrestricted inbound access to TCP port 27019 (MongoDB)
Critical | Ensure there is no unrestricted inbound access to TCP port 135 (RPC)
Critical | Ensure there is no unrestricted inbound access to TCP port 8080 (HTTP proxy)
Critical | Ensure there is no unrestricted inbound access to TCP port 8000 (HTTP)
Critical | Ensure there is no unrestricted inbound access to TCP port 5432 (PostgreSQL)
Critical | Ensure there is no unrestricted inbound access to TCP port 137 (NetBIOS)
Critical | Ensure there is no unrestricted inbound access to TCP port 139 (NetBIOS)
Critical | Ensure there is no unrestricted inbound access to TCP port 1433 (MSSQL)
Critical | Ensure there is no unrestricted inbound access to TCP port 53 (DNS)
Critical | Ensure there is no unrestricted inbound access to TCP port 20 (FTP)
Critical | Ensure there is no unrestricted inbound access to TCP port 21 (FTP)
Critical | Ensure there is no unrestricted inbound access to TCP port 9200 (Elasticsearch)
Critical | Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
Critical | Ensure there is no unrestricted inbound access to TCP port 3020 (SMB / CIFS)
Critical | Ensure there is no unrestricted inbound access to TCP port 25 (SMTP)
Critical | Ensure there is no unrestricted inbound access to TCP port 3306 (MySQL)
Info | Route Table changes alarm
Info | IAM Policy changes alarm
Info | S3 Bucket changes alarm
Info | Security Group (SG) changes alarm
Critical | Ensure SageMaker Notebook data is encrypted
Info | VPC Peering changes alarm
Info | Transit Gateway (TGW) changes alarm
Info | NAT Gateway changes alarm
Info | VPC changes alarm
Warning | Ensure Amazon SageMaker Notebook Instance is in a VPC
Warning | IAM user inline policy is over-permissive
Info | Ensure Internet Gateway is attached to a VPC
Warning | IAM Role inline policy is over-permissive
Warning | Unused NAT resources
Warning | AMI (Amazon Machine Image) not in use (12 months)
Critical | Ensure EC2 AMIs are not publicly accessible
Warning | AMI (Amazon Machine Image) not in use
Warning | Ensure EMR clusters are encrypted in transit and at rest
Info | Ensure EMR cluster archives log files to S3
Critical | Ensure IAM password policy expires passwords within 90 days or less
Warning | Ensure IAM password policy requires at least one symbol
Warning | Ensure IAM password policy requires at least one uppercase letter
Warning | Ensure IAM password policy requires at least one number
Warning | Ensure IAM password policy requires at least one lowercase letter
Warning | IAM Role with high-privilege policies
Warning | Ensure IAM Role has no inline policy
Critical | Ensure IAM policies that allow full "*:*" administrative privileges are not created
Warning | Ensure security groups do not have ingress open to any (0.0.0.0/0)
Warning | Ensure EC2 instance uses an IAM instance profile
Warning | EBS volume not in use
Warning | Ensure S3 object versioning is enabled
Warning | Ensure VPC flow logging is enabled in all VPCs
Warning | Ensure IAM Group has no inline policy
Warning | Ensure default security groups do not allow unrestricted traffic
Warning | Ensure communication between CloudFront distributions and their origins is encrypted using HTTPS
Critical | Ensure ElastiCache Redis clusters are encrypted in transit
Warning | Ensure that CloudFront distribution is not using insecure SSL/TLS protocols
Warning | VPC endpoint is publicly accessible
Warning | Ensure IAM User has no inline policy
Warning | Ensure EBS volumes are encrypted
Critical | Ensure the S3 bucket for CloudTrail logs is not publicly accessible
Warning | Ensure EKS public endpoint access is disabled
Warning | Gateway VPC endpoint is not in use
Warning | Ensure both VPN tunnels are up
Warning | Ensure SQS encryption is enabled
Warning | Ensure SNS encryption is enabled
Warning | Ensure S3 buckets have server access logging enabled to track access requests
Warning | Ensure data stored in the S3 bucket is encrypted at rest
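Two families of checks in the list above are easy to get subtly wrong when implemented by hand: the "no unrestricted inbound access to port N" checks (a rule with protocol -1, or a port range that merely covers the port, is just as open as a literal rule for that port) and the "*:*" administrative-privilege checks (an Action can be a string or a list, and a Deny statement with "*" is not a finding). The following evaluator is an added example written for this page; it is not CloudWiki's own check code. It takes dictionaries shaped like the JSON that `aws ec2 describe-security-groups` returns and an IAM policy document, and the security groups and policies below are constructed sample data, not real resources.

```python
"""Local evaluators for two check families from the list above.

Added example, not CloudWiki's own scanner. Input shapes mirror the JSON
of `aws ec2 describe-security-groups` and an IAM policy document; all
sample data here is constructed for the example.
"""
from __future__ import annotations
import ipaddress

# Watched ports taken from the check list above (TCP unless noted).
WATCHED_TCP = {
    20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
    80: "HTTP", 135: "RPC", 137: "NetBIOS", 139: "NetBIOS", 1433: "MSSQL",
    1521: "OracleDB", 3020: "SMB / CIFS", 3306: "MySQL", 3389: "RDP",
    5432: "PostgreSQL", 8000: "HTTP", 8080: "HTTP proxy",
    9200: "Elasticsearch", 27017: "MongoDB", 27018: "MongoDB", 27019: "MongoDB",
}
WATCHED_UDP = {53: "DNS"}


def _is_anywhere(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, whatever spelling of the zero prefix is used."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _open_cidrs(perm: dict) -> list[str]:
    """Every IPv4/IPv6 range in one IpPermissions entry that is open to the world."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if _is_anywhere(c)]


def unrestricted_ingress(sg: dict) -> list[tuple[str, int, str]]:
    """'No unrestricted inbound access to port N': return (protocol, port,
    service) for every watched port the group exposes to the whole internet.
    Port ranges and the all-traffic protocol (-1) are expanded, not matched
    literally, so a 3000-3400 rule is reported for 3020, 3306 and 3389."""
    findings = set()
    for perm in sg.get("IpPermissions", []):
        if not _open_cidrs(perm):
            continue
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1":            # AWS omits ports for all-traffic rules
            lo, hi = 0, 65535
        for name, table in (("tcp", WATCHED_TCP), ("udp", WATCHED_UDP)):
            if proto not in ("-1", name):
                continue
            for port, service in table.items():
                if lo <= port <= hi:
                    findings.add((name, port, service))
    return sorted(findings)


def default_sg_allows_unrestricted(sg: dict) -> bool:
    """'Default security groups do not allow unrestricted traffic': flag the
    group named 'default' if any ingress rule is open to the world."""
    return sg.get("GroupName") == "default" and any(
        _open_cidrs(p) for p in sg.get("IpPermissions", []))


def _as_list(v) -> list:
    return v if isinstance(v, list) else [v]


def grants_full_admin(policy: dict) -> bool:
    """'Policies that allow full *:* administrative privileges': an Allow
    statement whose Action and Resource are both the wildcard. Statement,
    Action and Resource may each be a single value or a list; Deny statements
    never count. (A NotAction statement on Resource "*" is near-admin too and
    belongs under the separate 'high-privilege policies' warning.)"""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Action", [])) and "*" in _as_list(st.get("Resource", [])):
            return True
    return False


# Constructed sample data in the describe-security-groups / policy-document shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0b2", "GroupName": "legacy-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400, "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0c3", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::logs/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_ONLY_POLICY = {"Version": "2012-10-17",
                    "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"}}

if __name__ == "__main__":
    for sg in SAMPLE_GROUPS:
        print(sg["GroupId"], unrestricted_ingress(sg), default_sg_allows_unrestricted(sg))
    print("admin:", grants_full_admin(SAMPLE_POLICY), grants_full_admin(DENY_ONLY_POLICY))
```

The web group passes (443 is not a watched port and SSH is limited to 10.0.0.0/8), the legacy-db group fails three port checks from one IPv6 range rule, and the default group fails every port check plus the default-group check. Feed the real output of `describe-security-groups` and `get-policy-version` into the same functions to reproduce the scanner's verdicts locally.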