Conformance Packs Description

Revision   Date         Description
1.0        24.07.2024   Init Changelog

Introduction

Rules in these conformance packs are supplementary to controls in AWS Security Hub Benchmarks.

OperationalBestPracticesForSecurityServices

A set of rules that checks for best practices related to security and security monitoring services such as CloudTrail, GuardDuty, IAM, Secrets Manager, and Security Hub.

Below is a list of rules in this conformance pack with their parameters and corresponding values listed:

  • account-part-of-organizations

  • acm-certificate-expiration-check

    daysToExpiration: 60
  • guardduty-enabled-centralized

  • guardduty-non-archived-findings

    daysLowSev: 30
    daysMediumSev: 7
    daysHighSev: 1
  • iam-group-has-users-check

  • iam-password-policy

    RequireUppercaseCharacters: true
    RequireLowercaseCharacters: true
    RequireSymbols: true
    RequireNumbers: true
    MinimumPasswordLength: 20
    PasswordReusePrevention: 24
    MaxPasswordAge: 90
  • iam-user-group-membership-check

  • securityhub-enabled

  • wafv2-logging-enabled

  • secretsmanager-secret-periodic-rotation

    maxDaysSinceRotation: 90
  • iam-user-unused-credentials-check (replacing IAM.8 Security Hub control due to shorter maxCredentialUsageAge)

    maxCredentialUsageAge: 30
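As an added illustration, not taken from the pack templates themselves, this is how two of the rules above (iam-password-policy and the iam-user-unused-credentials-check that replaces IAM.8 with a 30-day threshold) are expressed in an AWS Config conformance pack template. The template shape and the managed rule identifiers follow the AWS Config documentation; the logical resource names are assumed, and parameter values are quoted because InputParameters are passed as strings.

```yaml
# Added example: fragment of an AWS Config conformance pack template.
# Logical resource names (IamPasswordPolicy, IamUserUnusedCredentialsCheck) are assumed.
Resources:
  IamPasswordPolicy:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-password-policy
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
      # Parameter values from the OperationalBestPracticesForSecurityServices pack
      InputParameters:
        RequireUppercaseCharacters: 'true'
        RequireLowercaseCharacters: 'true'
        RequireSymbols: 'true'
        RequireNumbers: 'true'
        MinimumPasswordLength: '20'
        PasswordReusePrevention: '24'
        MaxPasswordAge: '90'
      # Periodic rule: evaluated on a schedule rather than on a configuration change
      MaximumExecutionFrequency: TwentyFour_Hours

  IamUserUnusedCredentialsCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-user-unused-credentials-check
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
      # 30 days: stricter than the Security Hub IAM.8 control this rule replaces
      InputParameters:
        maxCredentialUsageAge: '30'
      MaximumExecutionFrequency: TwentyFour_Hours
```

Deploying the pack with the AWS CLI (`aws configservice put-conformance-pack`) evaluates both rules against the account; a user whose password or access key has been unused for more than 30 days is reported as NON_COMPLIANT.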

OperationalBestPracticesForEncryptionAndKeys

A set of rules that checks for best practices related to encryption and keys.

Below is a list of rules in this conformance pack with their parameters and corresponding values listed:

  • api-gw-cache-enabled-and-encrypted

  • elasticsearch-node-to-node-encryption-check

  • elbv2-acm-certificate-required

  • sagemaker-endpoint-configuration-kms-key-configured

  • sagemaker-notebook-instance-kms-key-configured

  • RdsClusterStorageEncrypted

  • ElasticacheRedisEncryptedAtRest

  • ElasticacheRedisTransitEncryption

  • dynamodb-table-encryption-enabled

  • kinesis-stream-encrypted

  • api-gw-ssl-enabled

  • s3-default-encryption-kms

OperationalBestPracticesForStorageServices

A set of rules that checks for best practices related to data storage services, focused mainly on backups.

Below is a list of rules in this conformance pack with their parameters and corresponding values listed:

  • fsx-resources-protected-by-backup-plan

  • storagegateway-resources-protected-by-backup-plan

  • virtualmachine-resources-protected-by-backup-plan

  • dynamodb-in-backup-plan

  • rds-resources-protected-by-backup-plan

  • rds-in-backup-plan

  • ec2-resources-protected-by-backup-plan

AdditionalSecurityComplianceChecks

A set of rules that checks for best practices related to security and log collection. This pack extends "OperationalBestPracticesForSecurityServices".

Below is a list of rules in this conformance pack with their parameters and corresponding values listed:

  • emr-kerberos-enabled

  • cloudtrail-s3-dataevents-enabled

  • cloudtrail-security-trail-enabled

  • cloudwatch-alarm-action-check

    alarmActionRequired: true
    insufficientDataActionRequired: true
    okActionRequired: true
  • cw-loggroup-retention-period-check

    MinRetentionTime: 7
  • restricted-ssh (ID: INCOMING_SSH_DISABLED)

  • ec2-instances-in-vpc (ID: INSTANCES_IN_VPC)

  • ec2-no-amazon-key-pair

  • ec2-volume-inuse-check

  • ecs-task-definition-nonroot-user

  • ecs-task-definition-memory-hard-limit

  • autoscaling-capacity-rebalancing

  • eks-endpoint-no-public-access

  • approved-amis-by-tag

    amisByTagKeyAndValue: "hardened:true"
  • CheckSNSEmailSubscribers

    domain_regex: "^.*?t-mobile\.pl$"

ISO27001ConformancePack

A set of rules that checks whether AWS resources comply with ISO 27001 requirements.

Below is a list of rules in this conformance pack with their parameters and corresponding values listed:

  • EksAuditLoggingEnabledRule

  • NoEC2InstanceOlderThanYear

    Age: 365
  • AccessAnalyzerNoFindings

  • ACMCertificateTransparencyLogging

  • AllElasticLoadBalancersAreNotInternetFacing

  • AmisArePrivate

  • CheckTrustedAdvisor

  • CloudtrailLogsBucketIsPrivate

  • Ec2SnapshotsAreEncrypted

  • EcrReposArePrivate

  • EcrScanFoundVulnerabilities

  • IAMUserActiveKeys

  • LambdasInvokeAPICloudtrail

  • PublicHostedZonesLogging

  • SecurityGroupNoEmptyIngress

  • SgHasNoPublicIngress

  • SNSAccessNotPublic

  • SQSAccessNotPublic

  • SqsEncryptedAtRest

  • SsmSessionDocumentsHaveLogging

  • eip-attached

  • ec2-instance-profile-attached

TagEnforcingConformancePack

A set of rules that checks whether AWS resources are tagged according to established policies.

The tags checked by these rules are defined in the Naming and Tagging convention document.

Below is a list of checked resource types. Each resource type has its own rule:

  • AWS::EC2::CustomerGateway

  • AWS::EC2::InternetGateway

  • AWS::EC2::RouteTable

  • AWS::EC2::Subnet

  • AWS::EC2::VPC

  • AWS::EC2::VPNConnection

  • AWS::EC2::VPNGateway

  • AWS::EC2::Instance

  • AWS::EC2::SecurityGroup

  • AWS::EC2::NatGateway

  • AWS::EC2::TransitGateway

  • AWS::EC2::VPCEndpoint

  • AWS::EC2::VPCEndpointService

  • AWS::EC2::VPCPeeringConnection

  • AWS::RDS::DBInstance

  • AWS::RDS::DBCluster

  • AWS::EKS::Cluster

  • AWS::ECS::Cluster

  • AWS::Lambda::Function

  • AWS::S3::Bucket

  • AWS::DynamoDB::Table

  • AWS::AutoScaling::AutoScalingGroup

  • AWS::ElasticLoadBalancingV2::LoadBalancer

Last modified: 17 February 2025