WAFS

AWS Well-Architected Framework - Security Pillar

This framework focuses on the security pillar. This will help you meet your business and regulatory requirements by following current AWS recommendations. It’s intended for those in technology roles, such as chief technology officers (CTOs), chief information security officers (CSOs/CISOs), architects, developers, and operations team members. The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture.

Summary: Not available: 44 | Compliant: 6 | Need Attention: 15

Breakdown

Framework: AWS Well-Architected Framework - Security Pillar

Columns: Category | Rule ID | Compliance Status | Description | Reference

SEC01BP01 | Compliant
  [hasOrganization]

SEC01BP02 | Need Attention
  [rootMfaActive] - Enable MFA on root user
    • [GLOBAL]User::root_id
  [hasAlternateContact] - Configure AWS account contacts
    • [GLOBAL]Account::Config
  [rootHasAccessKey]
  [rootConsoleLogin30days]
  [passwordPolicy]
  [enableGuardDuty]
  References: AWS MFA; IAM Best Practices; Alternate Contact

SEC01BP03 | Need Attention
  [mfaActive]
  [passwordPolicyWeak]
  [passwordLastChange90] - Rotate password
    • [GLOBAL]User::root_id
  [hasAccessKeyNoRotate30days]
  References: Managing IAM Password

SEC01BP04 | Compliant
  [enableGuardDuty]

SEC01BP05 | Not available
SEC01BP06 | Not available
SEC01BP07 | Not available
SEC01BP08 | Not available
SEC02BP01 | Need Attention
  [mfaActive]
  [passwordPolicyWeak]
  [passwordLastChange90] - Rotate password
    • [GLOBAL]User::root_id
  [hasAccessKeyNoRotate30days]
  References: Managing IAM Password

SEC02BP02 | Compliant
  [EC2IamProfile]

SEC02BP03 | Not available

SEC02BP04 | Compliant
  [hasExternalIdentityProvider]

SEC02BP05 | Need Attention
  [passwordLastChange90] - Rotate password
    • [GLOBAL]User::root_id
  [hasAccessKeyNoRotate30days]
  [eksClusterRoleLeastPrivilege]
  [InlinePolicyFullAccessOneServ] - Limit access in policy
    • [GLOBAL]Role::AWSReservedSSO_YoPayment-AWS-Data-Pgw-Dev_5af8cd0c694d6669, Role::AWSReservedSSO_YoPayment-AWS-Developer-Pgw-Dev_c207ab9d1e5199f5, Role::AWSReservedSSO_YoPayment-AWS-Platform-Pgw-Dev_c9b162f22c1c139b, Role::YoPayment-AWS-Terraform-Pgw-Dev
  [InlinePolicyFullAdminAccess]
  [FullAdminAccess] - Limit permissions
    • [GLOBAL]Role::aws-controltower-AdministratorExecutionRole, Role::AWSControlTowerExecution, Role::AWSReservedSSO_AWSAdministratorAccess_6ad2f92126b0c1d0, Role::AWSReservedSSO_YoPayment-AWS-Admin-Pgw-Dev_999b53209cafbc21, Role::stacksets-exec-bb8cf4473e8495ef76fab8d8a00a5618
  [lambdaRoleReused]
  [EC2IamProfile]
  References: Managing IAM Password; AWS Docs; AWS Docs; Organization GuardRail Blog

SEC02BP06 | Need Attention
  [userNotUsingGroup] - Place IAM user within User Group
    • [GLOBAL]User::pgw-cassandra-user
  [groupEmptyUsers]
  References: IAM Group
SEC03BP01 | Not available

SEC03BP02 | Need Attention
  [eksClusterRoleLeastPrivilege]
  [InlinePolicyFullAccessOneServ] - Limit access in policy
    • [GLOBAL]Role::AWSReservedSSO_YoPayment-AWS-Data-Pgw-Dev_5af8cd0c694d6669, Role::AWSReservedSSO_YoPayment-AWS-Developer-Pgw-Dev_c207ab9d1e5199f5, Role::AWSReservedSSO_YoPayment-AWS-Platform-Pgw-Dev_c9b162f22c1c139b, Role::YoPayment-AWS-Terraform-Pgw-Dev
  [InlinePolicyFullAdminAccess]
  [FullAdminAccess] - Limit permissions
    • [GLOBAL]Role::aws-controltower-AdministratorExecutionRole, Role::AWSControlTowerExecution, Role::AWSReservedSSO_AWSAdministratorAccess_6ad2f92126b0c1d0, Role::AWSReservedSSO_YoPayment-AWS-Admin-Pgw-Dev_999b53209cafbc21, Role::stacksets-exec-bb8cf4473e8495ef76fab8d8a00a5618
  [lambdaRoleReused]
  [EC2IamProfile]
  References: AWS Docs; AWS Docs; Organization GuardRail Blog

SEC03BP03 | Not available

SEC03BP04 | Need Attention
  [groupEmptyUsers]
  [userNoActivity90days] - Inactive user
    • [GLOBAL]User::yopayment-dev-ses-user
  [HasDataEventsCaptured]
  References: IAM Credential Reports; Rotate Keys

SEC03BP05 | Not available

SEC03BP06 | Need Attention
  [userNoActivity90days] - Inactive user
    • [GLOBAL]User::yopayment-dev-ses-user
  References: IAM Credential Reports; Rotate Keys

SEC03BP07 | Compliant
  [PubliclyAccessible]
  [S3AccountPublicAccessBlock]

SEC03BP08 | Compliant
  [hasOrganization]

SEC03BP09 | Not available
SEC04BP01 | Need Attention
  [NeedToEnableCloudTrail]
  [HasOneMultiRegionTrail]
  [EnableTrailS3BucketLifecycle]
  [HasInsightSelectors] - Enable Insight Selectors
    • [ap-southeast-1]Cloudtrail::SWOCloudTrail-Organizational, Cloudtrail::aws-controltower-BaselineCloudTrail
  [enableGuardDuty]
  References: Insight events

SEC04BP02 | Not available
SEC04BP03 | Not available
SEC04BP04 | Not available

SEC05BP01 | Need Attention
  [cloudfront] - Need at least 1 cloudfront

SEC05BP02 | Need Attention
  [SGSensitivePortOpenToAll]
  [SGAllTCPOpen]
  [SGAllUDPOpen]
  [SGDefaultInUsed]
  [SGEncryptionInTransit] - Encryption in Transit
    • [ap-southeast-1]SG::sg-0251261a4780396ef, SG::sg-0af4192d63016f4c6, SG::sg-084f2463febd93807
    • [us-east-1]SG::sg-03ec10c6bdf83dac6
  [ELBListenerInsecure] - Insecure Listener
    • [ap-southeast-1]ELB::pgw-dev-alb, ELB::pay1-wallet-dev-alb
  [PubliclyAccessible]
  References: Data protection in Amazon EC2; ALB Configuration Guide

SEC05BP03 | Not available
SEC05BP04 | Not available
SEC06BP01 | Not available
SEC06BP02 | Not available

SEC06BP03 | Need Attention
  [Has 3 active lambda]
  [Has 3 active rds]
  [ecs] - Need at least 1 ecs
  [eks] - Need at least 1 eks
  [Has 2 active dynamodb]
  [Has 4 active elasticache]

SEC06BP04 | Not available
SEC06BP05 | Not available
SEC06BP06 | Not available
SEC07BP01 | Not available
SEC07BP02 | Not available
SEC07BP03 | Not available
SEC07BP04 | Not available
SEC08BP01 | Not available

SEC08BP02 | Need Attention
  [RequiresKmsKey] - Enable SSE
    • [ap-southeast-1]Cloudtrail::SWOCloudTrail-Organizational
  [EBSEncrypted]
  [EncryptedAtRest]
  [eksSecretsEncryption]
  [lambdaCMKEncryptionDisabled] - Customer Managed Key Not In Use
    • [ap-southeast-1]Lambda::aws-controltower-NotificationForwarder, Lambda::SecretsManagerrds-rotation-lambda
    • [us-east-1]Lambda::aws-controltower-NotificationForwarder
  [StorageEncrypted]
  [ServerSideEncrypted]
  References: Encrypt CloudTrail using AWS KMS; CloudTrail Security Best Practices; Lambda securing environment variables

SEC08BP03 | Not available

SEC08BP04 | Need Attention
  [eksClusterRoleLeastPrivilege]
  [InlinePolicyFullAccessOneServ] - Limit access in policy
    • [GLOBAL]Role::AWSReservedSSO_YoPayment-AWS-Data-Pgw-Dev_5af8cd0c694d6669, Role::AWSReservedSSO_YoPayment-AWS-Developer-Pgw-Dev_c207ab9d1e5199f5, Role::AWSReservedSSO_YoPayment-AWS-Platform-Pgw-Dev_c9b162f22c1c139b, Role::YoPayment-AWS-Terraform-Pgw-Dev
  [InlinePolicyFullAdminAccess]
  [FullAdminAccess] - Limit permissions
    • [GLOBAL]Role::aws-controltower-AdministratorExecutionRole, Role::AWSControlTowerExecution, Role::AWSReservedSSO_AWSAdministratorAccess_6ad2f92126b0c1d0, Role::AWSReservedSSO_YoPayment-AWS-Admin-Pgw-Dev_999b53209cafbc21, Role::stacksets-exec-bb8cf4473e8495ef76fab8d8a00a5618
  [lambdaRoleReused]
  [EC2IamProfile]
  [BucketVersioning] - Enable Versioning
    • [ap-southeast-1]Bucket::archiver-system.dev.sg.pgw, Bucket::images-upload.dev.sgp-pay1-wallet, Bucket::logs.dev.sg.pgw
  [ObjectLock] - Enable Object Lock
    • [ap-southeast-1]Bucket::262130478988-pgw-dev-tf-state, Bucket::archiver-system.dev.sg.pgw, Bucket::images-upload.dev.sg.pgw, Bucket::images-upload.dev.sgp-pay1-wallet, Bucket::logs.dev.sg.pgw, Bucket::payment-gateway-dev-tf-state, Bucket::pgw-config.dev.sg.pgw
  [PublicAccessBlock]
  References: AWS Docs; AWS Docs; Organization GuardRail Blog; AWS Docs; Manage Versioning Example; AWS Docs

SEC08BP05 | Not available
SEC09BP01 | Not available

SEC09BP02 | Need Attention
  [viewerPolicyHttps]
  [DeprecatedSSLProtocol]
  [SGEncryptionInTransit] - Encryption in Transit
    • [ap-southeast-1]SG::sg-0251261a4780396ef, SG::sg-0af4192d63016f4c6, SG::sg-084f2463febd93807
    • [us-east-1]SG::sg-03ec10c6bdf83dac6
  [ELBListenerInsecure] - Insecure Listener
    • [ap-southeast-1]ELB::pgw-dev-alb, ELB::pay1-wallet-dev-alb
  References: Data protection in Amazon EC2; ALB Configuration Guide

SEC09BP03 | Not available
SEC09BP04 | Not available
SEC10BP01 | Not available
SEC10BP02 | Not available
SEC10BP03 | Not available
SEC10BP04 | Not available
SEC10BP05 | Not available
SEC10BP06 | Not available
SEC10BP07 | Not available
SEC11BP01 | Not available
SEC11BP02 | Not available
SEC11BP03 | Not available
SEC11BP04 | Not available
SEC11BP05 | Not available
SEC11BP06 | Not available
SEC11BP07 | Not available
SEC11BP08 | Not available