AWS Lacework Security 1.0 | Lacework Documentation

📄️ lacework-global-100

Ensure the attached S3 bucket policy does not grant global 'List' permission

📄️ lacework-global-101

Ensure the attached S3 bucket policy does not grant global 'Put' permission

📄️ lacework-global-102

Redshift Cluster should not be Publicly Accessible

📄️ lacework-global-103

EC2 instance should be deployed in EC2-VPC platform

📄️ lacework-global-104

Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 3306 (MySQL)

📄️ lacework-global-105

No IAM users with password-based console access should exist

📄️ lacework-global-106

Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5432 (PostgreSQL)

📄️ lacework-global-107

Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 1433 (SQLServer)

📄️ lacework-global-108

Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 1434 (SQLServer)

📄️ lacework-global-109

Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (MSQL)

📄️ lacework-global-110

Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (VNC Listener)

📄️ lacework-global-111

Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (VNC Server)

📄️ lacework-global-112

Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 137 (NetBIOS)

📄️ lacework-global-113

Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 138 (NetBIOS)

📄️ lacework-global-114

Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 445 (CIFS)

📄️ lacework-global-115

Ensure access keys are rotated every 30 days or less

📄️ lacework-global-116

Ensure access keys are rotated every 45 days or less

📄️ lacework-global-117

Ensure public ssh keys are rotated every 30 days or less

📄️ lacework-global-118

Ensure public ssh keys are rotated every 45 days or less

📄️ lacework-global-119

Ensure public ssh keys are rotated every 90 days or less

📄️ lacework-global-120

Ensure active access keys are used every 90 days or less

📄️ lacework-global-121

IAM user should not be inactive for more than 30 days

📄️ lacework-global-122

OpenSearch Domain should not be exposed

📄️ lacework-global-123

OpenSearch Domain should be in Virtual Private Cloud (VPC)

📄️ lacework-global-124

OpenSearch Domain should have Encryption At Rest enabled

📄️ lacework-global-125

CloudFront Origin Protocol Policy should use https-only

📄️ lacework-global-126

CloudFront Origin SSL Protocols should not use insecure Cipher(s)

📄️ lacework-global-127

Security group should not allow inbound traffic from all to all ICMP

📄️ lacework-global-128

EC2 instances should not have a Public IP address attached

📄️ lacework-global-129

CloudFront Viewer Protocol Policy should use https-only

📄️ lacework-global-130

Ensure the bucket ACL does not grant 'Everyone' READ permission [list S3 objects]

📄️ lacework-global-131

Ensure the bucket ACL does not grant 'Everyone' WRITE permission [create, overwrite, and delete S3 objects]

📄️ lacework-global-132

Ensure the bucket ACL does not grant 'Everyone' READ_ACP permission [read bucket ACL]

📄️ lacework-global-133

Ensure the bucket ACL does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL]

📄️ lacework-global-134

Ensure the bucket ACL does not grant 'Everyone' FULLCONTROL [READ, WRITE, READACP, WRITE_ACP]

📄️ lacework-global-135

Ensure the bucket ACL does not grant AWS users READ permission [list S3 objects]

📄️ lacework-global-136

Ensure the bucket ACL does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects]

📄️ lacework-global-137

Ensure the bucket ACL does not grant AWS users READ_ACP permission [read bucket ACL]

📄️ lacework-global-138

Ensure the bucket ACL does not grant AWS users WRITE_ACP permission [modify bucket ACL]

📄️ lacework-global-139

Ensure the bucket ACL does not grant AWS users FULLCONTROL [READ, WRITE, READACP, WRITE_ACP]

📄️ lacework-global-140

Ensure the attached S3 bucket policy does not grant 'Allow' permission to everyone

📄️ lacework-global-141

Ensure access keys are rotated every 180 days or less

📄️ lacework-global-142

Ensure access keys are rotated every 350 days or less

📄️ lacework-global-143

Lambda Function should have tracing enabled

📄️ lacework-global-144

Lambda Function should not have VPC access

📄️ lacework-global-145

Network ACLs do not allow unrestricted inbound traffic

📄️ lacework-global-146

Network ACLs do not allow unrestricted outbound traffic

📄️ lacework-global-147

AWS VPC endpoints should not be exposed

📄️ lacework-global-148

Security group inbound traffic should not allow inbound traffic from all

📄️ lacework-global-149

Security group inbound traffic should not allow traffic except port 80 and 443

📄️ lacework-global-150

Security Group should not allow inbound traffic from all to TCP port 9200 or 9300 (Opensearch/Elasticsearch)

📄️ lacework-global-151

Security Group should not allow inbound traffic from all to TCP port 5601 (Kibana)

📄️ lacework-global-152

Security Group should not allow inbound traffic from all to TCP port 6379 (Redis)

📄️ lacework-global-153

Security Group should not allow inbound traffic from all to TCP port 2379 (etcd)

📄️ lacework-global-154

Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 23 (Telnet)

📄️ lacework-global-155

Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows RPC)

📄️ lacework-global-156

Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows SMB)

📄️ lacework-global-157

No Default VPC should be present in an AWS account

📄️ lacework-global-159

Load Balancers should have Access Logs enabled

📄️ lacework-global-160

Ensure No Public EBS Snapshots

📄️ lacework-global-161

OpenSearch Domain should have Encryption with KMS (Customer Managed Keys)

📄️ lacework-global-171

Ensure RDS database is encrypted with customer managed KMS key

📄️ lacework-global-179

Lambda Function should not have Admin Privileges

📄️ lacework-global-180

Lambda Function should not have Cross Account Access

📄️ lacework-global-181

Ensure non-root user exists in the account

📄️ lacework-global-182

Ensure ELB has latest Secure Cipher policies Configured for Session Encryption

📄️ lacework-global-183

Ensure ELB is not affected by POODLE Vulnerability (CVE-2014-3566)

📄️ lacework-global-184

ELB should not use insecure Cipher(s)

📄️ lacework-global-196

EC2 instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB)

📄️ lacework-global-197

Elastic Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB)

📄️ lacework-global-198

Application Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB)

📄️ lacework-global-199

Security group attached to Application Load Balancer should not allow inbound traffic from all

📄️ lacework-global-217

Ensure the S3 bucket has default server-side encryption enabled

📄️ lacework-global-218

EC2 instance should not allow inbound traffic from all to TCP port 21

📄️ lacework-global-219

EC2 instance should not allow inbound traffic from all to TCP port 20

📄️ lacework-global-220

EC2 instance should not allow inbound traffic from all to TCP port 25

📄️ lacework-global-221

EC2 instance should not allow inbound traffic from all to TCP port 53

📄️ lacework-global-222

EC2 instance should not allow inbound traffic from all to UDP port 53

📄️ lacework-global-223

ELB Security Group should have Outbound Rules attached to it

📄️ lacework-global-224

Ensure ELBv2 has latest Secure Cipher policies Configured for Session Encryption

📄️ lacework-global-225

ELB SSL Certificate expires in 5 Days

📄️ lacework-global-226

ELB SSL Certificate expires in 45 Days

📄️ lacework-global-227

Security groups are not attached to an in-use network interface

📄️ lacework-global-228

Security group attached to EC2 instance should not allow inbound traffic from all ports

📄️ lacework-global-229

Security group attached to RDS DB instance should not allow inbound traffic from all ports

📄️ lacework-global-230

Security group attached to Network Interface should not allow inbound traffic from all ports

📄️ lacework-global-231

Security group attached to Elastic Load Balancer should not allow inbound traffic from all ports

📄️ lacework-global-482

Classic LBs should have a valid and secure security group

📄️ lacework-global-483

ELBs should have a valid and secure security group

📄️ lacework-global-89

EC2 instance does not have any tags

📄️ lacework-global-90

Ensure EBS Volumes are Encrypted

📄️ lacework-global-91

Ensure Redshift Cluster is encrypted

📄️ lacework-global-92

Ensure no server certificate has been uploaded before Heartbleed vulnerability

📄️ lacework-global-93

RDS should not have a Public Interface

📄️ lacework-global-94

Ensure the S3 bucket requires MFA to delete objects

📄️ lacework-global-95

Ensure the S3 bucket has access logging enabled

📄️ lacework-global-96

Ensure all data is transported from the S3 bucket securely

📄️ lacework-global-97

Ensure the S3 bucket has versioning enabled

📄️ lacework-global-98

Ensure the attached S3 bucket policy does not grant global 'Get' permission

📄️ lacework-global-99

Ensure the attached S3 bucket policy does not grant global 'Delete' permission