| Partner hosted | HOST-001 | Not available | | |
| Support level | SUP-001 | Need Attention | - [supportPlanLowTier] - Subscribe to the AWS Business Support tier (or higher) | AWS Support Plan Guide |
| Architecture review | WAFR-001 | Not available | | |
| Architecture review | WAFR-002 | Not available | | |
| AWS root account | ARC-001 | Not available | | |
| AWS root account | ARC-002 | Not available | | |
| AWS root account | ARC-003 | Need Attention | - [rootMfaActive] - Enable MFA on root user | AWS MFA IAM Best Practices |
| AWS root account | ARC-004 | Compliant | - [rootHasAccessKey] | |
| AWS root account | ARC-005 | Not available | | |
| Communications from AWS | ACOM-001 | Need Attention | - [hasAlternateContact] - Configure AWS account contacts | Alternate Contact |
| Communications from AWS | ACOM-002 | Not available | | |
| AWS CloudTrail | CTL-001 | Not available | | |
| AWS CloudTrail | CTL-002 | Not available | | |
| AWS CloudTrail | CTL-003 | Not available | | |
| AWS CloudTrail | CTL-004 | Not available | | |
| Identity and Access Management | IAM-001 | Compliant | - [mfaActive] | |
| Identity and Access Management | IAM-002 | Need Attention | - [passwordLastChange90] - Rotate password<br>- [passwordLastChange365]<br>- [hasAccessKeyNoRotate90days] - Rotate credentials regularly<br>- [GLOBAL]User::yopayment-dev-ses-user<br>- [hasAccessKeyNoRotate365days] | Managing IAM Password, Rotate access key |
| Identity and Access Management | IAM-003 | Compliant | - [passwordPolicyWeak]<br>- [passwordPolicy] | |
| Identity and Access Management | IAM-004 | Compliant | - [noUsersFound] | |
| Identity and Access Management | IAM-005 | Not available | | |
| Identity and Access Management | IAM-006 | Need Attention | - [InlinePolicyFullAccessOneServ] - Limit access in policy<br>- [GLOBAL]Role::AWSReservedSSO_YoPayment-AWS-Data-Pgw-Dev_5af8cd0c694d6669, Role::AWSReservedSSO_YoPayment-AWS-Developer-Pgw-Dev_c207ab9d1e5199f5, Role::AWSReservedSSO_YoPayment-AWS-Platform-Pgw-Dev_c9b162f22c1c139b, Role::YoPayment-AWS-Terraform-Pgw-Dev<br>- [InlinePolicyFullAdminAccess]<br>- [ManagedPolicyFullAccessOneServ] - Limit permissions.<br>- [GLOBAL]Role::AWSReservedSSO_AWSOrganizationsFullAccess_159dbe7c34ff4f78, Role::AWSReservedSSO_AWSPowerUserAccess_7a9fc77c08f63f11, Role::AWSReservedSSO_YoPayment-AWS-Developer-Pgw-Dev_c207ab9d1e5199f5, Role::PyraCloudRole, Role::YoPayment-AWS-Terraform-Pgw-Dev<br>- [FullAdminAccess] - Limit permissions.<br>- [GLOBAL]Role::aws-controltower-AdministratorExecutionRole, Role::AWSControlTowerExecution, Role::AWSReservedSSO_AWSAdministratorAccess_6ad2f92126b0c1d0, Role::AWSReservedSSO_YoPayment-AWS-Admin-Pgw-Dev_999b53209cafbc21, Role::stacksets-exec-bb8cf4473e8495ef76fab8d8a00a5618 | AWS Docs, AWS Docs, AWS Docs, Organization GuardRail Blog |
| Identity and Access Management | IAM-007 | Need Attention | - [consoleLastAccess90] - Validate IAM user console access<br>- [consoleLastAccess365]<br>- [unusedRole] - Review & remove inactive roles<br>- [GLOBAL]Role::aws-controltower-AdministratorExecutionRole, Role::aws-controltower-ConfigRecorderRole, Role::aws-controltower-ReadOnlyExecutionRole, Role::AWSControlTower_VPCFlowLogsRole, Role::AWSReservedSSO_AWSAdministratorAccess_6ad2f92126b0c1d0, Role::AWSReservedSSO_AWSOrganizationsFullAccess_159dbe7c34ff4f78, Role::AWSReservedSSO_AWSPowerUserAccess_7a9fc77c08f63f11, Role::AWSReservedSSO_AWSReadOnlyAccess_52218f0875a67871, Role::AWSReservedSSO_YoPayment-AWS-Data-Pgw-Dev_5af8cd0c694d6669, Role::AWSReservedSSO_YoPayment-AWS-ViewOnly-Dev_8b8524750ae8d9c7, Role::backend-pgw-core-pgw-dev-codedeploy-role, Role::backend-pgw-ipn-processor-pgw-dev-codedeploy-role, Role::backend-v1-backoffice-pgw-dev-codedeploy-role-cmc, Role::backend-v1-epay-processor-pgw-dev-codedeploy-role-cmc, Role::backend-v1-mbbank-processor-pgw-dev-codedeploy-role-cmc, Role::backend-v1-merchant-service-pgw-dev-codedeploy-role-cmc, Role::backend-v1-momo-processor-pgw-dev-codedeploy-role-cmc, Role::backend-v1-napas-processor-pgw-dev-codedeploy-role-cmc, Role::backend-v1-payment-service-pgw-dev-codedeploy-role-cmc, Role::backend-v1-pgw-core-pgw-dev-codedeploy-role-cmc, Role::backend-v1-schedule-pgw-dev-codedeploy-role-cmc, Role::backend-v1-zalopay-processor-pgw-dev-codedeploy-role-cmc, Role::ec2-ssm-role, Role::ecs-iam-service, Role::ecsAutoscaleRole, Role::ecsEventsRole, Role::frontend-backoffice-pgw-dev-codedeploy-role, Role::frontend-gateway-core-pgw-dev-codedeploy-role, Role::pay1-wallet-debezium-connector-pgw-dev-codedeploy-role-cmc, Role::pay1-wallet-kafka-ui-pgw-dev-codedeploy-role-cmc, Role::pgw-dev-backend-v1-pgw-core-dev-codedeploy-role-cmc, Role::pgw-dev-ecs-backend-pgw-ipn-processor-task-execution-role, Role::pgw-dev-ecs-backend-pgw-ipn-processor-task-role, Role::pgw-dev-ecs-backend-v1-backoffice-task-execution-role-cmc, Role::pgw-dev-ecs-backend-v1-backoffice-task-role-cmc, Role::pgw-dev-ecs-backend-v1-epay-processor-task-execution-role-cmc, Role::pgw-dev-ecs-backend-v1-epay-processor-task-role-cmc, Role::pgw-dev-ecs-backend-v1-mbbank-processor-task-execution-role-cmc, Role::pgw-dev-ecs-backend-v1-mbbank-processor-task-role-cmc, Role::pgw-dev-ecs-backend-v1-merchant-service-task-execution-role-cmc, Role::pgw-dev-ecs-backend-v1-merchant-service-task-role-cmc, Role::pgw-dev-ecs-backend-v1-momo-processor-task-execution-role-cmc, Role::pgw-dev-ecs-backend-v1-momo-processor-task-role-cmc, Role::pgw-dev-ecs-backend-v1-napas-processor-task-execution-role-cmc, Role::pgw-dev-ecs-backend-v1-napas-processor-task-role-cmc, Role::pgw-dev-ecs-backend-v1-payment-service-task-execution-role-cmc, Role::pgw-dev-ecs-backend-v1-payment-service-task-role-cmc, Role::pgw-dev-ecs-backend-v1-pgw-core-task-execution-role-cmc, Role::pgw-dev-ecs-backend-v1-pgw-core-task-role-cmc, Role::pgw-dev-ecs-backend-v1-scheduler-task-execution-role-cmc, Role::pgw-dev-ecs-backend-v1-scheduler-task-role-cmc, Role::pgw-dev-ecs-backend-v1-zalopay-processor-task-execution-role-cmc, Role::pgw-dev-ecs-backend-v1-zalopay-processor-task-role-cmc, Role::pgw-dev-ecs-frontend-backoffice-task-execution-role, Role::pgw-dev-ecs-frontend-backoffice-task-role, Role::pgw-dev-ecs-frontend-gateway-core-task-execution-role, Role::pgw-dev-ecs-frontend-gateway-core-task-role, Role::pgw-dev-keyspaces-role, Role::pgw-dev-msk-connector-archiver-sink-connector-s3-role, Role::pipeline-cross-account, Role::SecretsManagerRDSPostgreS-SecretsManagerRDSPostgreS-EmjcCJ2iYcSd, Role::stacksets-exec-bb8cf4473e8495ef76fab8d8a00a5618 | Finds unused credentials AWS Blog |
| Identity and Access Management | IAM-008 | Not available | | |
| Identity and Access Management | IAM-009 | Not available | | |
| Identity and Access Management | IAM-010 | Not available | | |
| Identity and Access Management | IAM-011 | Not available | | |
| Identity and Access Management | IAM-012 | Compliant | - [mfaActive]<br>- [EC2IamProfile] | |
| Operational security | SECOPS-001 | Not available | | |
| Network security | NETSEC-001 | Compliant | - [SGDefaultInUsed]<br>- [SGSensitivePortOpenToAll]<br>- [SGAllOpenToAll]<br>- [SGAllOpen] | |
| Network security | NETSEC-002 | Not available | | |
| Backups and recovery | BAR-001 | Need Attention | - [EBSSnapshot] - Enable EBS Snapshot<br>- [ap-southeast-1]EBS::vol-04d74d0b594581dea<br>- [Backup]<br>- [BackupTooLow]<br>- [backupStatus]<br>- [enabledContinuousBackup] | Best practices for Amazon EC2 |
| Backups and recovery | BAR-002 | Not available | | |
| Resiliency | RES-001 | Not available | | |
| Resiliency | RES-002 | Not available | | |
| Resiliency | RES-003 | Not available | | |
| Resiliency | RES-004 | Not available | | |
| Resiliency | RES-005 | Not available | | |
| Resiliency | RES-006 | Not available | | |
| Resiliency | RES-007 | Not available | | |
| Amazon S3 bucket access | S3-001 | Not available | | |
| Amazon S3 bucket access | S3-002 | Compliant | - [PublicAccessBlock]<br>- [S3AccountPublicAccessBlock] | |
| Amazon S3 bucket access | S3-003 | Not available | | |
| Cross-account access | CAA-001 | Not available | | |
| Cross-account access | CAA-002 | Not available | | |
| Cross-account access | CAA-003 | Not available | | |
| Cross-account access | CAA-004 | Not available | | |
| Cross-account access | CAA-005 | Not available | | |
| Cross-account access | CAA-006 | Not available | | |
| Cross-account access | CAA-007 | Not available | | |
| Sensitive data | SDAT-001 | Not available | | |
| Sensitive data | SDAT-002 | Compliant | - [EBSEncrypted]<br>- [ServerSideEncrypted]<br>- [StorageEncrypted] | |
| Sensitive data | SDAT-003 | Need Attention | - [SGEncryptionInTransit] - Encryption in Transit<br>- [ap-southeast-1]SG::sg-0251261a4780396ef, SG::sg-0af4192d63016f4c6, SG::sg-084f2463febd93807<br>- [us-east-1]SG::sg-03ec10c6bdf83dac6<br>- [TlsEnforced] - Enforce Encryption of Data in Transit<br>- [ap-southeast-1]Bucket::262130478988-pgw-dev-tf-state, Bucket::archiver-system.dev.sg.pgw, Bucket::images-upload.dev.sg.pgw, Bucket::images-upload.dev.sgp-pay1-wallet, Bucket::logs.dev.sg.pgw, Bucket::payment-gateway-dev-tf-state, Bucket::pgw-config.dev.sg.pgw | Data protection in Amazon EC2, AWS Docs |
| Regulatory compliance validation process | RCVP-001 | Not available | | |