CloudWiki

Security & Compliance

Lightlytics' predefined security rules help you identify risks and gaps in your cloud environment and fix issues such as overly permissive resources, weak password policies, unrestricted network access, and unencrypted resources, so that you meet industry compliance benchmarks and security best practices. Each rule below is listed with its severity (Info, Warning, or Critical).

Severity - Rule

Info - Access allowed from VPN
Warning - Connections towards DynamoDB should be via VPC endpoints
Warning - Connections towards S3 should be via VPC endpoints
Info - Cross peering connectivity is allowed by EC2
Info - Cross peering connectivity is allowed by ECS Task
Info - Cross peering connectivity is allowed by Lambda
Info - Cross peering connectivity is allowed by Pod
Info - Cross transit connectivity is allowed by EC2
Info - Cross transit connectivity is allowed by ECS
Info - Cross transit connectivity is allowed by Lambda
Info - Cross transit connectivity is allowed by Pod
Info - EC2 large instance create alarm
Critical - EC2 with Admin access (*:*)
Warning - EC2 with high privileged policies
Critical - ECS task with Admin access (*:*)
Warning - ECS task with high privileged policies
Warning - Ensure Amazon SageMaker Notebook Instance is in VPC
Warning - Ensure AWS EKS cluster has secrets encryption enabled
Warning - Ensure Application Load Balancer (ALB) has access logging enabled
Warning - Ensure Application Load Balancers (ALB) are configured to drop HTTP headers
Warning - Ensure CloudFront distributions enforce HTTPS for data in transit
Warning - Ensure CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2
Warning - Ensure CloudFront has WAF attached
Warning - Ensure CloudFront web distributions enforce field-level encryption
Warning - Ensure CloudTrail logs are encrypted at rest
Info - Ensure DynamoDB Tables are encrypted with a customer-managed key
Warning - Ensure EBS snapshots are encrypted
Critical - Ensure EBS snapshots are not publicly accessible
Warning - Ensure EBS volumes are encrypted
Critical - Ensure EC2 AMIs are not publicly accessible
Warning - Ensure EC2 instances use an IAM instance profile
Warning - Ensure EC2 instances use Instance Metadata Service Version 2 (IMDSv2)
Info - Ensure EKS private access is enabled
Warning - Ensure EKS public access is disabled
Critical - Ensure EKS public access is restricted to specific sources
Critical - Ensure EMR cluster master nodes are not publicly accessible
Warning - Ensure EMR clusters are encrypted in transit and at rest
Critical - Ensure ElastiCache Redis clusters are encrypted at rest
Critical - Ensure ElastiCache Redis clusters are encrypted in transit
Warning - Ensure Geo-Restriction is enabled on CloudFront distributions
Warning - Ensure IAM Group has no inline policy
Warning - Ensure IAM Role has no inline policy
Warning - Ensure IAM User has no inline policy
Critical - Ensure IAM password policy expires passwords within 90 days or less
Info - Ensure IAM password policy has an expiration period
Warning - Ensure IAM password policy prevents password reuse
Warning - Ensure IAM password policy requires at least one lowercase letter
Warning - Ensure IAM password policy requires at least one number
Warning - Ensure IAM password policy requires at least one symbol
Warning - Ensure IAM password policy requires at least one uppercase letter
Warning - Ensure IAM password policy requires a minimum length of 14 or greater
Critical - Ensure IAM policies that allow full "*:*" administrative privileges are not created
Warning - Ensure IAM policies that allow over-privileged access to data are not created
Warning - Ensure IAM users are members of at least one IAM group
Warning - Ensure IAM users receive permissions only through groups
Warning - Ensure Ingress does not use unsafe annotations
Warning - Ensure Kinesis Data Stream encryption is enabled
Warning - Ensure Kubernetes API servers are not publicly accessible
Critical - Ensure Kubernetes Service is not using an external IP
Warning - Ensure Lambda environment variables are encrypted using customer-managed Customer Master Keys (CMKs)
Warning - Ensure Lambda environment variables are using customer-managed Customer Master Keys
Critical - Ensure Lambda function resource-based policy does not allow public access
Critical - Ensure Lambda functions prohibit public access
Critical - Ensure MSK (Kafka) broker instances are not publicly accessible
Info - Ensure MSK (Kafka) cluster is not using an unsupported Kafka version (2.4.1)
Warning - Ensure MSK (Kafka) clusters have encryption in transit enabled between brokers within a cluster
Warning - Ensure MSK (Kafka) clusters have encryption in transit enabled between clients and brokers using TLS
Warning - Ensure OpenSearch Service Domain AdvancedSecurityOptions are enabled
Warning - Ensure OpenSearch data-at-rest encryption is enabled
Warning - Ensure OpenSearch domains are configured to enforce HTTPS connections
Warning - Ensure Pods are not deployed in the default namespace
Warning - Ensure RDS instances have IAM Database Authentication enabled
Critical - Ensure RDS database instances are not accessible via the Internet (network and API)
Warning - Ensure RDS database instances are not publicly accessible
Critical - Ensure RDS database instances have storage encryption enabled
Warning - Ensure RDS instances are configured with Auto Minor Version Upgrade
Info - Ensure RDS instances have the Performance Insights feature enabled
Info - Ensure RDS is not using the default port 1433
Info - Ensure RDS is not using the default port 1521
Info - Ensure RDS is not using the default port 3306
Info - Ensure RDS is not using the default port 5432
Warning - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Warning - Ensure S3 buckets have server access logging enabled to track access requests
Warning - Ensure S3 object versioning is enabled
Warning - Ensure SNS encryption is enabled
Warning - Ensure SNS is not publicly accessible
Warning - Ensure SQS encryption is enabled
Warning - Ensure SQS is not publicly accessible
Critical - Ensure SageMaker Notebook data is encrypted
Warning - Ensure SageMaker Notebook direct Internet access is disabled
Warning - Ensure Transit Gateway 'Auto Accept Shared Attachments' is disabled
Warning - Ensure Transit Gateway VPC associations and propagations are disabled
Info - Ensure VPC Endpoint policy doesn't allow all actions
Warning - Ensure VPC flow logging is enabled in all VPCs
Warning - Ensure WAF has associated rules or rule group
Warning - Ensure WAF rule group is not empty
Critical - Ensure all IAM users with console access have MFA enabled
Warning - Ensure communication between CloudFront distributions and their origins is encrypted using HTTPS