SecurityHub Rules

Revision   Date         Description
1.0        24.07.2024   Init Changelog

Introduction

Most AWS Security Hub controls are backed by AWS Config rules. When you enable a standard, which turns on many controls, Security Hub enables AWS Config (if it is not already enabled) and deploys the Config rules associated with those controls.

We list the rules used by the AWS Foundations Benchmark v1.4.0 and AWS Foundational Security Best Practices standards so that we can avoid deploying duplicate rules with the AWS Config solution. Next to each rule name is the control that uses the rule (see the list of Security Hub controls).

The list does not include rules that are supported only in the US East region.

If a rule has a parameter whose value is set by Security Hub, the parameter and its value are listed below the rule.

AWS Foundations Benchmark v1.4.0 rules

  • multi-region-cloudtrail-enabled - [CloudTrail.1]

    readWriteType: ALL
  • cloud-trail-encryption-enabled - [CloudTrail.2]

  • cloud-trail-log-file-validation-enabled - [CloudTrail.4]

  • cloud-trail-cloud-watch-logs-enabled - [CloudTrail.5]

  • vpc-default-security-group-closed - [EC2.2]

  • nacl-no-unrestricted-ssh-rdp - [EC2.21]

  • vpc-flow-logs-enabled - [EC2.6]

    trafficType: REJECT
  • ec2-ebs-encryption-by-default - [EC2.7]

  • iam-policy-no-statements-with-admin-access - [IAM.1]

    excludePermissionBoundaryPolicy: true
  • iam-password-policy (the Security Hub version does not check all password requirements, so we will additionally deploy this rule with the AWS Config solution) - [IAM.15], [IAM.16]

  • iam-policy-in-use - [IAM.18]

  • iam-user-unused-credentials-check - [IAM.22]

    maxCredentialUsageAge: 45
  • access-keys-rotated - [IAM.3]

    maxAccessKeyAge: 90
  • iam-root-access-key-check - [IAM.4]

  • mfa-enabled-for-iam-console-access - [IAM.5]

  • root-account-hardware-mfa-enabled - [IAM.6]

  • root-account-mfa-enabled - [IAM.9]

  • cmk-backing-key-rotation-enabled - [KMS.4]

  • rds-storage-encrypted - [RDS.3]

  • s3-account-level-public-access-blocks-periodic - [S3.1]

    ignorePublicAcls: true
    blockPublicPolicy: true
    blockPublicAcls: true
    restrictPublicBuckets: true
  • s3-bucket-server-side-encryption-enabled - [S3.4]

  • s3-bucket-ssl-requests-only - [S3.5]

  • s3-bucket-level-public-access-prohibited - [S3.8]

  • s3-bucket-logging-enabled - [S?.?]

  • s3-bucket-public-write-prohibited - [S3.8]

AWS Foundational Security Best Practices

  • acm-certificate-expiration-check - [ACM.1]

    daysToExpiration: 30
  • api-gw-execution-logging-enabled - [APIGateway.1]

  • api-gw-ssl-enabled - [APIGateway.2]

  • api-gw-xray-enabled - [APIGateway.3]

  • api-gw-associated-with-waf - [APIGateway.4]

  • api-gw-cache-encrypted (custom Security Hub rule) - [APIGateway.5]

  • api-gwv2-authorization-type-configured - [APIGateway.8]

  • api-gwv2-access-logs-enabled - [APIGateway.9]

  • autoscaling-group-elb-healthcheck-required - [AutoScaling.1]

  • autoscaling-multiple-az - [AutoScaling.2]

  • autoscaling-launchconfig-requires-imdsv2 - [AutoScaling.3]

  • autoscaling-launch-config-hop-limit - [AutoScaling.4]

  • autoscaling-launch-config-public-ip-disabled - [AutoScaling.5]

  • autoscaling-multiple-instance-types - [AutoScaling.6]

  • autoscaling-launch-template - [AutoScaling.9]

  • cloudformation-stack-notification-check - [CloudFormation.1]

  • multi-region-cloudtrail-enabled - [CloudTrail.1]

  • cloud-trail-encryption-enabled - [CloudTrail.2]

  • cloud-trail-log-file-validation-enabled - [CloudTrail.4]

  • cloud-trail-cloud-watch-logs-enabled - [CloudTrail.5]

  • codebuild-project-source-repo-url-check - [CodeBuild.1]

  • codebuild-project-envvar-awscred-check - [CodeBuild.2]

  • codebuild-project-s3-logs-encrypted - [CodeBuild.3]

  • codebuild-project-logging-enabled - [CodeBuild.4]

  • codebuild-project-environment-privileged-check - [CodeBuild.5]

  • dms-replication-not-public - [DMS.1]

  • dynamodb-autoscaling-enabled - [DynamoDB.1]

  • dynamodb-pitr-enabled - [DynamoDB.2]

  • dax-encryption-enabled - [DynamoDB.3]

  • ebs-snapshot-public-restorable-check - [EC2.1]

  • vpc-default-security-group-closed - [EC2.2]

  • encrypted-volumes - [EC2.3]

  • ec2-stopped-instance - [EC2.4]

  • vpc-flow-logs-enabled - [EC2.6]

  • ec2-ebs-encryption-by-default - [EC2.7]

  • ec2-imdsv2-check - [EC2.8]

  • ec2-instance-no-public-ip - [EC2.9]

  • service-vpc-endpoint-enabled - [EC2.10]

    serviceName: ec2
  • subnet-auto-assign-public-ip-disabled - [EC2.15]

  • vpc-network-acl-unused-check - [EC2.16]

  • ec2-instance-multiple-eni-check - [EC2.17]

  • vpc-sg-open-only-to-authorized-ports - [EC2.18]

  • vpc-sg-restricted-common-ports (custom Security Hub rule) - [EC2.19]

  • vpc-vpn-2-tunnels-up - [EC2.20]

  • nacl-no-unrestricted-ssh-rdp - [EC2.21]

  • ec2-security-group-attached-to-eni-periodic - [EC2.22]

  • ec2-transit-gateway-auto-vpc-attach-disabled - [EC2.23]

  • ec2-paravirtual-instance-check - [EC2.24]

  • ec2-launch-template-public-ip-disabled - [EC2.25]

  • ecr-private-image-scanning-enabled - [ECR.1]

  • ecr-private-tag-immutability-enabled - [ECR.2]

  • ecr-private-lifecycle-policy-configured - [ECR.3]

  • ecs-task-definition-user-for-host-mode-check - [ECS.1]

  • ecs-service-assign-public-ip-disabled (custom Security Hub rule) - [ECS.2]

  • ecs-task-definition-pid-mode-check - [ECS.3]

  • ecs-containers-nonprivileged - [ECS.4]

  • ecs-containers-readonly-access - [ECS.5]

  • ecs-no-environment-secrets - [ECS.8]

    secretKeys: AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,ECS_ENGINE_AUTH_DATA
  • ecs-fargate-latest-platform-version - [ECS.10]

  • ecs-container-insights-enabled - [ECS.12]

  • efs-encrypted-check - [EFS.1]

  • efs-in-backup-plan - [EFS.2]

  • efs-access-point-enforce-root-directory - [EFS.3]

  • efs-access-point-enforce-user-identity - [EFS.4]

  • eks-endpoint-no-public-access - [EKS.1]

  • eks-cluster-supported-version - [EKS.2]

    eks:oldestVersionSupported (Current oldest supported version is 1.22)
  • elasticache-redis-cluster-automatic-backup-check - [ElastiCache.1]

    snapshotRetentionPeriod: 1
  • elasticache-auto-minor-version-upgrade-check - [ElastiCache.2]

  • elasticache-repl-grp-auto-failover-enabled - [ElastiCache.3]

  • elasticache-repl-grp-encrypted-at-rest - [ElastiCache.4]

  • elasticache-repl-grp-encrypted-in-transit - [ElastiCache.5]

  • elasticache-repl-grp-redis-auth-enabled - [ElastiCache.6]

  • elasticache-subnet-group-check - [ElastiCache.7]

  • beanstalk-enhanced-health-reporting-enabled - [ElasticBeanstalk.1]

  • elastic-beanstalk-managed-updates-enabled - [ElasticBeanstalk.2]

  • alb-http-to-https-redirection-check - [ELB.1]

  • elb-acm-certificate-required - [ELB.2]

  • elb-tls-https-listeners-only - [ELB.3]

  • alb-http-drop-invalid-header-enabled - [ELB.4]

  • elb-logging-enabled - [ELB.5]

  • elb-deletion-protection-enabled - [ELB.6]

  • elb-connection-draining-enabled (custom Security Hub rule) - [ELB.7]

  • elb-predefined-security-policy-ssl-check - [ELB.8]

  • elb-cross-zone-load-balancing-enabled - [ELB.9]

  • clb-multiple-az - [ELB.10]

  • alb-desync-mode-check - [ELB.12]

    desyncMode: defensive, strictest
  • elbv2-multiple-az - [ELB.13]

  • clb-desync-mode-check - [ELB.14]

    desyncMode: defensive, strictest
  • emr-master-no-public-ip - [EMR.1]

  • elasticsearch-encrypted-at-rest - [ES.1]

  • elasticsearch-in-vpc-only - [ES.2]

  • elasticsearch-node-to-node-encryption-check - [ES.3]

  • elasticsearch-logs-to-cloudwatch - [ES.4]

    logtype: 'error'
  • elasticsearch-audit-logging-enabled (custom Security Hub rule) - [ES.5]

  • elasticsearch-data-node-fault-tolerance (custom Security Hub rule) - [ES.6]

  • elasticsearch-primary-node-fault-tolerance (custom Security Hub rule) - [ES.7]

  • elasticsearch-https-required (custom Security Hub rule) - [ES.8]

  • guardduty-enabled-centralized - [GuardDuty.1]

  • iam-policy-no-statements-with-admin-access - [IAM.1]

    excludePermissionBoundaryPolicy: true
  • iam-user-no-policies-check - [IAM.2]

  • access-keys-rotated - [IAM.3]

    maxAccessKeyAge: 90
  • iam-root-access-key-check - [IAM.4]

  • mfa-enabled-for-iam-console-access - [IAM.5]

  • root-account-hardware-mfa-enabled - [IAM.6]

  • iam-password-policy - [IAM.7]

    RequireUppercaseCharacters: true
    RequireLowercaseCharacters: true
    RequireSymbols: true
    RequireNumbers: true
    MinimumPasswordLength: 8
  • iam-user-unused-credentials-check - [IAM.8]

    maxCredentialUsageAge: 90
  • iam-policy-no-statements-with-full-access - [IAM.21]

    excludePermissionBoundaryPolicy: true
  • kinesis-stream-encrypted - [Kinesis.1]

  • iam-customer-policy-blocked-kms-actions - [KMS.1]

    blockedActionsPatterns: kms:ReEncryptFrom, kms:Decrypt
    excludePermissionBoundaryPolicy: true
  • iam-inline-policy-blocked-kms-actions - [KMS.2]

    blockedActionsPatterns: kms:ReEncryptFrom, kms:Decrypt
  • kms-cmk-not-scheduled-for-deletion-2 (custom Security Hub rule) - [KMS.3]

  • lambda-function-public-access-prohibited - [Lambda.1]

  • lambda-function-settings-check - [Lambda.2]

    runtime: nodejs18.x, nodejs16.x, nodejs14.x, nodejs12.x, python3.10, python3.9, python3.8, python3.7, ruby2.7, java11, java8, java8.al2, go1.x, dotnet6
  • lambda-vpc-multi-az-check - [Lambda.5]

  • netfw-policy-rule-group-associated - [NetworkFirewall.3]

  • netfw-policy-default-action-full-packets - [NetworkFirewall.4]

    statelessDefaultActions: aws:drop,aws:forward_to_sfe
  • netfw-policy-default-action-fragment-packets - [NetworkFirewall.5]

    statelessFragDefaultActions (Required): aws:drop, aws:forward_to_sfe
  • netfw-stateless-rule-group-not-empty - [NetworkFirewall.6]

  • opensearch-encrypted-at-rest - [Opensearch.1]

  • opensearch-in-vpc-only - [Opensearch.2]

  • opensearch-node-to-node-encryption-check - [Opensearch.3]

  • opensearch-logs-to-cloudwatch - [Opensearch.4]

    logtype: 'error'
  • opensearch-audit-logging-enabled - [Opensearch.5]

  • opensearch-data-node-fault-tolerance - [Opensearch.6]

  • opensearch-access-control-enabled - [Opensearch.7]

  • opensearch-https-required - [Opensearch.8]

  • rds-snapshots-public-prohibited - [RDS.1]

  • rds-instance-public-access-check - [RDS.2]

  • rds-storage-encrypted - [RDS.3]

  • rds-snapshots-encrypted - [RDS.4]

  • rds-multi-az-support - [RDS.5]

  • rds-enhanced-monitoring-enabled - [RDS.6]

  • rds-cluster-deletion-protection-enabled - [RDS.7]

  • rds-instance-deletion-protection-enabled - [RDS.8]

    databaseEngines: mariadb,mysql,oracle-ee,oracle-se2,oracle-se1,oracle-se,postgres,sqlserver-ee,sqlserver-se,sqlserver-ex,sqlserver-web
  • rds-logging-enabled - [RDS.9]

  • rds-instance-iam-authentication-enabled - [RDS.10]

  • db-instance-backup-enabled - [RDS.11]

    backupRetentionMinimum: 7
  • rds-cluster-iam-authentication-enabled - [RDS.12]

  • rds-automatic-minor-version-upgrade-enabled - [RDS.13]

  • aurora-mysql-backtracking-enabled - [RDS.14]

  • rds-cluster-multi-az-enabled - [RDS.15]

  • rds-cluster-copy-tags-to-snapshots-enabled (custom Security Hub rule) - [RDS.16]

  • rds-instance-copy-tags-to-snapshots-enabled (custom Security Hub rule) - [RDS.17]

  • rds-deployed-in-vpc (custom Security Hub rule) - [RDS.18]

  • rds-cluster-event-notifications-configured (custom Security Hub rule) - [RDS.19]

  • rds-instance-event-notifications-configured (custom Security Hub rule) - [RDS.20]

  • rds-pg-event-notifications-configured (custom Security Hub rule) - [RDS.21]

  • rds-sg-event-notifications-configured (custom Security Hub rule) - [RDS.22]

  • rds-no-default-ports (custom Security Hub rule) - [RDS.23]

  • rds-cluster-default-admin-check - [RDS.24]

  • rds-instance-default-admin-check - [RDS.25]

  • redshift-cluster-public-access-check - [Redshift.1]

  • redshift-require-tls-ssl - [Redshift.2]

  • redshift-backup-enabled - [Redshift.3]

    MinRetentionPeriod: 7
  • redshift-cluster-audit-logging-enabled (custom Security Hub rule) - [Redshift.4]

    loggingEnabled: true
  • redshift-cluster-maintenancesettings-check - [Redshift.6]

    allowVersionUpgrade: true
  • redshift-enhanced-vpc-routing-enabled - [Redshift.7]

  • redshift-default-admin-check - [Redshift.8]

  • redshift-default-db-name-check - [Redshift.9]

  • redshift-cluster-kms-enabled - [Redshift.10]

  • s3-account-level-public-access-blocks-periodic - [S3.1]

    ignorePublicAcls: true
    blockPublicPolicy: true
    blockPublicAcls: true
    restrictPublicBuckets: true
  • s3-bucket-public-read-prohibited - [S3.2]

  • s3-bucket-public-write-prohibited - [S3.3]

  • s3-bucket-server-side-encryption-enabled - [S3.4]

  • s3-bucket-ssl-requests-only - [S3.5]

  • s3-bucket-blacklisted-actions-prohibited - [S3.6]

    blacklistedactionpatterns: s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, s3:PutObjectAcl
  • s3-bucket-level-public-access-prohibited - [S3.8]

  • s3-bucket-logging-enabled - [S3.9]

  • s3-version-lifecycle-policy-check - [S3.10]

  • s3-event-notifications-enabled - [S3.11]

  • s3-bucket-acl-prohibited - [S3.12]

  • s3-lifecycle-policy-check - [S3.13]

  • sagemaker-notebook-no-direct-internet-access - [SageMaker.1]

  • sagemaker-notebook-instance-inside-vpc - [SageMaker.2]

  • sagemaker-notebook-instance-root-access-check - [SageMaker.3]

  • secretsmanager-rotation-enabled-check - [SecretsManager.1]

  • secretsmanager-scheduled-rotation-success-check - [SecretsManager.2]

  • secretsmanager-secret-unused - [SecretsManager.3]

  • secretsmanager-secret-periodic-rotation - [SecretsManager.4]

  • sns-encrypted-kms - [SNS.1]

  • sns-topic-message-delivery-notification-enabled - [SNS.2]

  • sqs-queue-encrypted (custom Security Hub rule) - [SQS.1]

  • ec2-instance-managed-by-systems-manager - [SSM.1]

  • ec2-managedinstance-patch-compliance-status-check - [SSM.2]

  • ec2-managedinstance-association-compliance-status-check - [SSM.3]

  • ssm-document-not-public - [SSM.4]

  • waf-regional-rule-not-empty - [WAF.2]

  • waf-regional-rulegroup-not-empty - [WAF.3]

  • waf-regional-webacl-not-empty - [WAF.4]

  • wafv2-webacl-not-empty - [WAF.10]

Last modified: 17 February 2025