feat: Add NZISM3.6 #1431
Open
feat: Add NZISM3.6 #1431
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Closed
dontirun
requested changes
Sep 4, 2023
…hiftClusterConfiguraiton from .ERROR to .WARNING as the CIDare SHOULD, not MUST
dontirun
requested changes
Sep 20, 2023
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
Co-authored-by: Arun Donti <dontirun@gmail.com>
dontirun
requested changes
Oct 2, 2023
| | NZISM3.6-SecretsManagerUsingKMSKey | The secret is not encrypted with a KMS Customer managed key. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data | 22.1.24.C.04[CID:4839] | | ||
| | NZISM3.6-SNSEncryptedKMS | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data | 22.1.24.C.04[CID:4839] | | ||
| | NZISM3.6-EC2SecurityGroupOnlyTcp443 | Only port tcp 443 shoudl be permitted in ingress security group. | Not allowing ingress (or remote) traffic to ports other than tcp port 443 helps improve security | 18.1.13.C.02[CID:3205] | | ||
| | Rule ID | Cause | Explanation | Relevent Control ID(s) | |
There was a problem hiding this comment.
Relevant Control ID(s) should follow the format from above
example SHOULD(16.6.10.C.02[CID:2013], 20.4.4.C.02[CID:4441], 20.4.5.C.02[CID:4445]), MUST(23.5.11.C.01[CID:7496])
| | NZISM3.6-VPCDefaultSecurityGroupClosed | The VPC does not have an associated Flow Log. | The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon | | ||
| | NZSISM3.6-VPCFlowLogs | VPC does not have an Assocated Flow Log. | Enable a Flow Log for the VPC | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | | ||
| | NZISM3.6-WAFv2LoggingEnabled | The WAFv2 web ACL does not have logging enabled. | AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched. | [CID:2013], 23.5.11.C.01[CID:7496] | | ||
| | Rule ID | Cause | Explanation | Relevent Control ID(s) | |
| | NZISM3.6-WAFv2LoggingEnabled | The WAFv2 web ACL does not have logging enabled. | AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched. | [CID:2013], 23.5.11.C.01[CID:7496] | | ||
| | Rule ID | Cause | Explanation | Relevent Control ID(s) | | ||
| | ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | NZISM3.6-APIGWExecutionLoggingEnabled | The API Gateway stage does not have execution logging enabled for all methods. | API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities. | Control IDs: SHOULD(16.6.10.C.02[CID:2013]), MUST(23.5.11.C.01[CID:7496]) | |
There was a problem hiding this comment.
Since the column name is Relevant Control ID(s) we can remove the Control IDs: text from each of the individual rules
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #1067
Reverted to using IMDVSv2 rule, that has been created.
Fixed bug in ec2securitygroupOnlyTcp443
Added ruleSuffixOverideNames