AWS Compliance
Analyzer: AWS Compliance
The AWS Compliance Analyzer offers comprehensive insights into the security and compliance of AWS accounts hosting Symframe infrastructure and applications. It assists IT Operations (IT Ops) and Security Operations (Sec Ops) engineers by automating compliance assessments, identifying misconfigurations, and ensuring adherence to security and operational best practices.
From a security perspective, the analyzer highlights potential vulnerabilities, such as public access configurations, insecure policies, and misconfigured access controls. For compliance, it ensures resources meet regulatory and organizational standards. In terms of operational observability, it provides insights that help optimize performance, improve security posture, and streamline resource management.

Sightline: Opensearch
The Opensearch sightline evaluates the security and accessibility of OpenSearch domains. It provides IT Ops and Sec Ops engineers with actionable insights into potential misconfigurations, such as public or anonymous access to domains.
Sightline: EC2
The EC2 sightline monitors instance configurations for security vulnerabilities and operational inefficiencies. It helps IT Ops and Sec Ops engineers ensure compliance with best practices, such as avoiding public access or deprecated configurations.
Sightline: Lambda
The Lambda sightline focuses on identifying insecure configurations and excessive privileges in Lambda functions. It supports Sec Ops engineers by highlighting functions with no authentication or those associated with overly permissive policies.
Sightline: S3
The S3 sightline examines bucket policies to identify public access and overly permissive actions. This helps Sec Ops secure data and IT Ops maintain compliance with organizational and regulatory policies.
Sightline: S3 ACL Global Access
The S3 ACL Global Access sightline analyzes ACL configurations to detect buckets exposed to global read or write access. This helps Sec Ops prevent unauthorized access and maintain data confidentiality.
Sightline: RDS
The RDS sightline identifies security and operational risks in relational database service instances. It provides Sec Ops with actionable insights into encryption and access vulnerabilities while aiding IT Ops in maintaining optimal configurations.
Sightline: S3 Public Access
The S3 Public Access sightline evaluates bucket-level settings to detect public access vulnerabilities. This ensures compliance with organizational policies and protects sensitive data.
Sightline: VPC Remote Services Access
The VPC Remote Services Access sightline identifies security groups that allow unrestricted remote service access, helping Sec Ops secure these entry points and prevent unauthorized access.
Sightline: VPC Application Services Access
The VPC Application Services Access sightline monitors security group configurations that control access to application services. It helps IT Ops and Sec Ops engineers ensure that access is restricted to authorized entities, minimizing the risk of unauthorized use or exploitation.
Sightline: VPC Database Services Access
The VPC Database Services Access sightline evaluates security groups to ensure database service access configurations are secure and compliant. It helps IT Ops and Sec Ops engineers safeguard sensitive data and maintain optimal configurations.
Sightline: VPC Communication Services Access
The VPC Communication Services Access sightline identifies risks in communication protocol access. This helps IT Ops and Sec Ops engineers secure communication channels and prevent unauthorized access to sensitive services.
Sightline: VPC Data Services Access
The VPC Data Services Access sightline analyzes security group configurations for data service access. It helps IT Ops and Sec Ops engineers maintain secure and efficient access control to data services.
Sightline: VPC Directory Services Access
The VPC Directory Services Access sightline ensures the security of directory service access. It helps IT Ops and Sec Ops engineers protect sensitive directories and maintain controlled access.
Sightline: VPC Restricted Protocol and Database Access
The VPC Restricted Protocol and Database Access sightline identifies unrestricted access to sensitive protocols and databases. This helps IT Ops and Sec Ops engineers mitigate risks and enforce secure access policies.
Sightline: IAM
The IAM sightline highlights overly permissive identity and access management (IAM) configurations. It helps IT Ops and Sec Ops engineers identify and address security gaps in IAM policies.
Sightline: Cognito Identity Pool
The Cognito Identity Pool sightline identifies insecure configurations in Cognito identity pools. It helps IT Ops and Sec Ops engineers secure identity pools and enforce access control best practices.
Sightline: Redshift
The Redshift sightline evaluates Redshift cluster configurations for public access and encryption. It helps IT Ops and Sec Ops engineers secure Redshift deployments and ensure compliance with security best practices.
Sightline: WAF
The WAF sightline evaluates Web Application Firewall (WAF) configurations by focusing on two key areas: WAF Known Bad Inputs, which monitors and flags inputs that are recognized as malicious, aiding early threat detection, and WAF Rule Groups, which assesses the configuration and effectiveness of rule groups to ensure they are properly set up to block malicious traffic.
This sightline helps IT Ops and Sec Ops engineers enhance web application security and maintain compliance with industry best practices.
Alerts
Count of RDS Instances Associated with Public Subnets
The Count of RDS Instances Associated with Public Subnets alert identifies databases placed in public subnets. For Sec Ops, this highlights potential data exposure risks that need to be secured. IT Ops can use this alert to ensure proper network configurations for databases.
Count of RDS Database Instances with Last Restorable Time More Than a Week
The Count of RDS Database Instances with Last Restorable Time More Than a Week alert notifies IT Ops when a database's last restorable time is more than a week old. This helps enforce backup policies to maintain disaster recovery readiness.
Count of Publicly Accessible RDS Instances
The Count of Publicly Accessible RDS Instances alert highlights databases exposed to the internet. Sec Ops can use this alert to restrict public access and safeguard sensitive data.
Count of RDS Instances with Encryption Disabled
The Count of RDS Instances with Encryption Disabled alert flags databases that do not use encryption. This alert is critical for IT Ops to ensure compliance with data security policies and protect against unauthorized access.
Count of Postgres RDS Clusters with Local File Read Vulnerability
The Count of Postgres RDS Clusters with Local File Read Vulnerability alert identifies clusters susceptible to local file read exploits. Sec Ops teams can use this alert to prioritize patching and reduce vulnerabilities.
Count of Postgres RDS Instances with Local File Read Vulnerability
The Count of Postgres RDS Instances with Local File Read Vulnerability alert provides visibility into specific instances at risk. This helps Sec Ops implement targeted remediations to mitigate risks.
Count of S3 Buckets with ACL Allowing Global ‘Write’ Access
The Count of S3 Buckets with ACL Allowing Global ‘Write’ Access alert identifies buckets that permit unauthorized data modifications. This alert helps Sec Ops address security gaps and IT Ops ensure proper configurations.
Count of S3 Buckets with ACL Allowing Global ‘Write_ACP’ Access
The Count of S3 Buckets with ACL Allowing Global ‘Write_ACP’ Access alert flags buckets where ACLs permit modifications to bucket permissions globally. This helps Sec Ops prevent privilege escalations and unauthorized changes.
Count of S3 Buckets with ACL Allowing Global ‘Read’ Access
The Count of S3 Buckets with ACL Allowing Global ‘Read’ Access alert notifies Sec Ops of publicly readable buckets, reducing the risk of data exposure.
Count of S3 Buckets with ACL Allowing Global ‘Read_ACP’ Access
The Count of S3 Buckets with ACL Allowing Global ‘Read_ACP’ Access alert identifies buckets where permissions can be viewed globally. This helps Sec Ops address misconfigurations and protect sensitive data.
Count of Security Groups That Allow SQL Analysis Services Access
The Count of Security Groups That Allow SQL Analysis Services Access alert highlights unrestricted SQL service access. This helps Sec Ops limit access to prevent unauthorized queries and data leaks.
Count of Security Groups That Allow Solr Access
The Count of Security Groups That Allow Solr Access alert flags misconfigurations exposing Solr services. This helps Sec Ops prevent unauthorized data access.
Count of Security Groups That Allow SMTP Access
The Count of Security Groups That Allow SMTP Access alert identifies open email services that could be exploited for spam or phishing. IT Ops can use this to secure communication channels.
Count of Security Groups That Allow SMB Access
The Count of Security Groups That Allow SMB Access alert detects file-sharing vulnerabilities. This enables Sec Ops to secure access to SMB services and mitigate risks.
Count of Security Groups That Allow RPC Access
The Count of Security Groups That Allow RPC Access alert flags unrestricted remote procedure calls, helping Sec Ops secure remote access and prevent exploitation.
Count of Security Groups That Allow Riak Access
The Count of Security Groups That Allow Riak Access alert identifies misconfigurations exposing Riak services. This allows Sec Ops to secure the service and prevent unauthorized access.
Count of EC2 Security Groups Not Restricting VNC Server Access
The Count of EC2 Security Groups Not Restricting VNC Server Access alert highlights open VNC ports. Sec Ops can use this to secure remote management services.
Count of EC2 Security Groups Not Restricting VNC Listener Access
The Count of EC2 Security Groups Not Restricting VNC Listener Access alert flags VNC listener access vulnerabilities. This helps IT Ops ensure secure configurations.
Count of EC2 Security Groups Not Restricting Telnet Access
The Count of EC2 Security Groups Not Restricting Telnet Access alert identifies unsecured Telnet services, allowing Sec Ops to close potential attack vectors.
Count of EC2 Security Groups Not Restricting SSH Access
The Count of EC2 Security Groups Not Restricting SSH Access alert highlights misconfigurations in SSH access. Sec Ops can use this to strengthen access controls.
Count of EC2 Security Groups Not Restricting RethinkDB Access
The Count of EC2 Security Groups Not Restricting RethinkDB Access alert flags open RethinkDB access. This helps Sec Ops protect database integrity.
Count of EC2 Security Groups Not Restricting Redis Access
The Count of EC2 Security Groups Not Restricting Redis Access alert highlights Redis instances with unrestricted access, enabling Sec Ops to address security gaps.
Count of EC2 Security Groups Not Restricting RDP Access
The Count of EC2 Security Groups Not Restricting RDP Access alert flags unsecured remote desktop services, allowing IT Ops to enforce proper security measures.
Count of EC2 Security Groups Not Restricting PostgreSQL Access
The Count of EC2 Security Groups Not Restricting PostgreSQL Access alert identifies open PostgreSQL access points. This helps Sec Ops secure sensitive data.
Count of EC2 Security Groups Not Restricting POP3 Access
The Count of EC2 Security Groups Not Restricting POP3 Access alert flags misconfigurations exposing email retrieval services. This helps IT Ops secure communication protocols.
Count of EC2 Security Groups Not Restricting NFS Access
The Count of EC2 Security Groups Not Restricting NFS Access alert highlights vulnerabilities in file-sharing protocols, enabling Sec Ops to mitigate risks.