Rules by Category

Security & Compliance

Lightlytics predefined security rules help you identify risks and gaps in your cloud environment, fix issues such as overly permissive resources, weak password policies, unrestricted network access, unencrypted resources, and many more, to meet security industry compliance benchmarks and best practices.
More Categories
AWS Cost Optimization
Availability
Other
Header image
CloudWiki
Rule Categories
High
AWS Config configuration changes alarm
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Access allowed from VPN
No items found.
Low
CloudTrail changes alarm
CIS
CISAWSF
APRA
MAS
NIST4
Medium
Connections towards DynamoDB should be via VPC endpoints
No items found.
Medium
Connections towards S3 should be via VPC endpoint
CCPA
Low
Cross peering connectivity is allowed by EC2
CISAWSF
Low
Cross peering connectivity is allowed by ECS Task
CISAWSF
Low
Cross peering connectivity is allowed by Lambda
CISAWSF
Low
Cross peering connectivity is allowed by Pod
CISAWSF
Low
Cross transit connectivity is allowed by EC2
CISAWSF
Low
Cross transit connectivity is allowed by ECS
CISAWSF
Low
Cross transit connectivity is allowed by Lambda
CISAWSF
Low
Cross transit connectivity is allowed by Pod
CISAWSF
Low
EC2 large instance create alarm
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
EC2 with Admin access (*:*)
CIS
GDPR
HITRUST
NIST 800-53
ISO 27701
Medium
EC2 with high privileged policies
No items found.
Critical
ECS task with Admin access (*:*)
CIS
Medium
ECS task with high privileged policies
No items found.
Medium
Ensure AWS Config is configured to include global resources
APRA
GDPR
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure AWS EKS cluster has secrets encryption enabled
CIS
CISAWSF
CIS EKS
HITRUST
NIST 800-53
Medium
Ensure Amazon MQ broker instances are using desired instance types
AWS Well-Architected Framework
Medium
Ensure Amazon MQ brokers Auto Minor Version Upgrade feature is enabled
APRA
CCPA
HITRUST
ISO 27001
MAS
Low
Ensure Amazon MQ brokers Log Exports feature is enabled
APRA
CSA CCM
GDPR
HITRUST
ISO 27001
Medium
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Critical
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Low
Ensure Amazon MQ brokers are using the latest engine version
APRA
HITRUST
MAS
PCI-DSS
Medium
Ensure Amazon SageMaker Notebook Instance is in VPC
APRA
AWS Well-Architected Framework
MAS
PCI-DSS
Medium
Ensure Application Load Balancer (ALB) has access logging enabled
No items found.
Medium
Ensure Application Load Balancers (ALB) are configured to drop HTTP headers
NIST 800-53
CSA CCM
AWS Foundational Security Best Practices Controls
Medium
Ensure CloudFormation stacks Termination Protection feature is enabled
APRA
MAS
AWS Well-Architected Framework
Medium
Ensure CloudFormation stacks are sending event notifications to an SNS topic
APRA
MAS
NIST4
AWS Well-Architected Framework
Medium
Ensure CloudFront distribution enforce HTTPS protocol for data in-transit
AWS Well-Architected Framework
HIPAA
NIST4
PCI-DSS
CIS 8
Medium
Ensure CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2
PCI-DSS
HIPAA
Medium
Ensure CloudFront has WAF attached
NIST 800-53
AWS Foundational Security Best Practices Controls
Medium
Ensure CloudFront web distributions enforce field-level encryption
APRA
AWS Well-Architected Framework
GDPR
HIPAA
NIST4
Medium
Ensure CloudTrail Log File Integrity Validation is enabled
CISAWSF
PCI-DSS
HIPAA
GDPR
APRA
High
Ensure CloudTrail buckets are configured to use MFA
APRA
MAS
NIST4
GDPR
HIPAA
Medium
Ensure CloudTrail logs are encrypted at rest
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
High
Ensure CloudTrail trails have multi-region enabled
APRA
MAS
CISAWSF
PCI-DSS
HIPAA
High
Ensure CloudTrail trails record global service events
APRA
PCI-DSS
GDPR
NIST4
MAS
Medium
Ensure CloudWatch Logs service is configured to monitor CloudTrail trail logs
CISAWSF
PCI-DSS
GDPR
APRA
MAS
Critical
Ensure DMS instances are not accessible via Internet (Network and API)
CIS
SOC2
PCI-DSS
FedRAMP
AWS Well-Architected Framework
High
Ensure Database Migration Service (DMS) are not publicly accessible
APRA
GDPR
HIPAA
NIST4
PCI-DSS
Medium
Ensure Database Migration Service (DMS) replication instances have Auto Minor Version Upgrade feature enabled
APRA
MAS
NIST4
Low
Ensure DocumentDB clusters have Log Exports feature enabled
APRA
Critical
Ensure DocumentDB database instances are not accessible via Internet (Network and API)
CIS
SOC2
PCI-DSS
Critical
Ensure DocumentDB database instances have storage encryption enabled
GDPR
NIST4
NIST 800-53
HIPAA
MAS
Low
Ensure DynamoDB Tables are encrypted with customer managed key
APRA
AWS Well-Architected Framework
GDPR
NIST4
HITRUST
Medium
Ensure EBS snapshots are encrypted
PCI-DSS
GDPR
HIPAA
NIST4
HITRUST
Critical
Ensure EBS snapshots are not publicly accessible
GDPR
NIST4
PCI-DSS
AWS Well-Architected Framework
HITRUST
Medium
Ensure EBS volumes are encrypted
APRA
MAS
NIST4
CIS
ISO 27001
Critical
Ensure EC2 AMIs are not publicly accessible
GDPR
APRA
MAS
NIST4
CIS 8
Medium
Ensure EC2 instance uses an IAM profile
APRA
CISAWSF
MAS
NIST4
Medium
Ensure EC2 instances use Instance Metadata Service Version 2 (IMDSv2)
AWS Foundational Security Best Practices Controls
NIST 800-53
HITRUST
Low
Ensure EKS Private access is enabled
APRA
CIS
CISAWSF
CIS EKS
GDPR
Medium
Ensure EKS Public access is disabled
APRA
CIS
CISAWSF
CIS EKS
GDPR
Critical
Ensure EKS Public access is restricted to specific sources
ISO 27001
Critical
Ensure EMR cluster master nodes are not publicly accessible
No items found.
Medium
Ensure EMR clusters are encrypted in-transit and at-rest
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Critical
Ensure ElastiCache Redis clusters are encrypted at-rest
HIPAA
GDPR
NIST4
APRA
HITRUST
Critical
Ensure ElastiCache Redis clusters are encrypted in-transit
HIPAA
GDPR
HITRUST
NIST 800-53
APRA
Medium
Ensure Geo-Restriction is enabled within CloudFront distribution
GDPR
Medium
Ensure IAM Group has no inline policy
APRA
MAS
NIST4
FedRAMP
Medium
Ensure IAM Role has no inline policy
APRA
AWS Well-Architected Framework
MAS
NIST4
FedRAMP
Medium
Ensure IAM User has no inline policy
APRA
AWS Well-Architected Framework
CISAWSF
SOC2
MAS
Critical
Ensure IAM password policy expires passwords within 90 days or less
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Low
Ensure IAM password policy has expiration period
CIS 8
NIST 800-53
GDPR
HITRUST
CSA CCM
Medium
Ensure IAM password policy prevents password reuse
CIS
ISO 27001
SOC2
GDPR
PCI-DSS
Medium
Ensure IAM password policy require at least one lowercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
ISO 27001
Medium
Ensure IAM password policy require at least one number
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy require at least one symbol
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy requires at least one uppercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
HIPAA
Medium
Ensure IAM password policy requires minimum length of 14 or greater
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
Critical
Ensure IAM policies that allow full "*:*" administrative privileges are not created
APRA
AWS Well-Architected Framework
CISAWSF
GDPR
FTR
Medium
Ensure IAM policies that allow over privileges access to data are not created
AWS Well-Architected Framework
CISAWSF
GDPR
FTR
ISO 27001
Medium
Ensure IAM users are members of at least one IAM group
AWS Well-Architected Framework
CISAWSF
Medium
Ensure IAM users receive permissions only through groups
AWS Well-Architected Framework
CIS
CISAWSF
SOC2
PCI-DSS
Medium
Ensure Ingress does not use unsafe annotations
No items found.
Medium
Ensure Kinesis Data Stream encryption is enabled
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Medium
Ensure Kubernetes API servers are not publicly accessible
CIS EKS
HITRUST
GDPR
ISO 27701
Critical
Ensure Kubernetes Service is not using an external IP
No items found.
Medium
Ensure Lambda environment variables are encrypted using customer-managed Customer Master Keys (CMKs)
AWS Well-Architected Framework
Medium
Ensure Lambda environment variables are using customer-managed Customer Master Keys
No items found.
Critical
Ensure Lambda function resource based policy does not allow public access
GDPR
PCI-DSS
Critical
Ensure Lambda functions prohibit public access
PCI-DSS
HITRUST
ISO 27701
AWS Foundational Security Best Practices Controls
Critical
Ensure MSK (Kafka) broker instances are not publicly accessible
CSA CCM
ISO 27701
Low
Ensure MSK (Kafka) cluster is not using an unsupported Kafka version (2.4.1)
SOC2
CIS 8
CSA CCM
Medium
Ensure MSK (Kafka) clusters have encryption in transit enabled between brokers within a cluster
CIS 8
NIST 800-53
CSA CCM
HITRUST
GDPR
Medium
Ensure MSK (Kafka) clusters have encryption in transit enabled between clients and brokers using TLS
CIS 8
NIST 800-53
CSA CCM
HITRUST
GDPR
Medium
Ensure OpenSearch Service Domain AdvancedSecurityOptions are enabled
No items found.
Medium
Ensure OpenSearch data at rest encryption is enabled
AWS Foundational Security Best Practices Controls
PCI-DSS
CIS 8
NIST 800-53
CSA CCM
Medium
Ensure OpenSearch domains are configured to enforce HTTPS connections
NIST 800-53
HITRUST
GDPR
AWS Foundational Security Best Practices Controls
Medium
Ensure OpenSearch domains are in a VPC
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
PCI-DSS
GDPR
Medium
Ensure Pods are not deployed in the default namespace
No items found.
Medium
Ensure RDS Instances have IAM Database Authentication enabled
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
HITRUST
MAS
Critical
Ensure RDS database instances are not accessible via Internet (Network and API)
CIS
SOC2
PCI-DSS
Medium
Ensure RDS database instances are not publicly accessible
NIST 800-53
HITRUST
GDPR
CSA CCM
ISO 27701
Critical
Ensure RDS database instances have storage encryption enabled
GDPR
NIST4
HIPAA
MAS
PCI-DSS
Medium
Ensure RDS instances are configured with Auto Minor Version Upgrade
AWS Foundational Security Best Practices Controls
SOC2
HITRUST
NIST 800-53
GDPR
Low
Ensure RDS instances have Performance Insights feature enabled
HITRUST
NIST 800-53
GDPR
CSA CCM