account_alternate_contact_security_registeredaccount_part_of_organizationsacm_certificate_expires_30_daysacm_certificate_no_failed_certificateacm_certificate_no_pending_validation_certificateacm_certificate_no_wildcard_domain_nameacm_certificate_not_expiredacm_certificate_rsa_key_length_2048_bits_or_greateracm_certificate_transparency_logging_enabledacmpca_root_certificate_authority_disabledapi_gateway_method_authorization_type_configuredapi_gateway_method_request_parameter_validatedapi_gateway_rest_api_public_endpoint_with_authorizerapi_gatewayv2_route_authorization_type_configuredapi_gatewayv2_route_authorizer_configuredapigateway_rest_api_authorizers_configuredapigateway_rest_api_endpoint_restrict_public_accessapigateway_rest_api_stage_use_ssl_certificateapigateway_rest_api_stage_xray_tracing_enabledapigateway_stage_cache_encryption_at_rest_enabledapigateway_stage_logging_enabledapigateway_stage_use_waf_web_aclappstream_fleet_default_internet_access_disabledappstream_fleet_idle_disconnect_timeout_600_secondsappstream_fleet_max_user_duration_36000_secondsappstream_fleet_session_disconnect_timeout_300_secondsappsync_graphql_api_field_level_logging_enabledathena_workgroup_encryption_at_rest_enabledathena_workgroup_enforce_configuration_enabledautoscaling_ec2_launch_configuration_no_sensitive_dataautoscaling_group_multiple_az_configuredautoscaling_group_no_suspended_processautoscaling_group_propagate_tags_to_ec2_instance_enabledautoscaling_group_uses_ec2_launch_templateautoscaling_group_with_lb_use_health_checkautoscaling_launch_config_hop_limitautoscaling_launch_config_public_ip_disabledautoscaling_launch_config_requires_imdsv2autoscaling_use_multiple_instance_types_in_multiple_azbackup_plan_min_retention_35_daysbackup_plan_region_configuredbackup_recovery_point_encryption_enabledbackup_recovery_point_manual_deletion_disabledbackup_recovery_point_min_retention_35_daysbackup_report_plan_configuredbackup_vault_region_configuredcloudformation_stack_drift_detection_checkcloudformation_stack_notifications_enabledcloudformation_stack_output_no_secretscloudformation_stack_rollback_enabledcloudformation_stack_termination_protection_enabledcloudfront_distribution_configured_with_origin_failovercloudfront_distribution_custom_origins_encryption_in_transit_enabledcloudfront_distribution_default_root_object_configuredcloudfront_distribution_encryption_in_transit_enabledcloudfront_distribution_field_level_encryption_enabledcloudfront_distribution_geo_restrictions_enabledcloudfront_distribution_latest_tls_versioncloudfront_distribution_logging_enabledcloudfront_distribution_no_deprecated_ssl_protocolcloudfront_distribution_no_non_existent_s3_origincloudfront_distribution_non_s3_origins_encryption_in_transit_enabledcloudfront_distribution_origin_access_identity_enabledcloudfront_distribution_sni_enabledcloudfront_distribution_use_custom_ssl_certificatecloudfront_distribution_use_secure_ciphercloudfront_distribution_waf_enabledcloudtrail_bucket_not_publiccloudtrail_multi_region_read_write_enabledcloudtrail_multi_region_trail_enabledcloudtrail_multi_region_trail_integrated_with_logscloudtrail_s3_data_events_enabledcloudtrail_s3_logging_enabledcloudtrail_s3_object_read_events_audit_enabledcloudtrail_s3_object_write_events_audit_enabledcloudtrail_security_trail_enabledcloudtrail_trail_bucket_mfa_enabledcloudtrail_trail_enabledcloudtrail_trail_enabled_accountcloudtrail_trail_insight_selectors_and_logging_enabledcloudtrail_trail_integrated_with_logscloudtrail_trail_logs_encrypted_with_kms_cmkcloudtrail_trail_validation_enabledcloudwatch_alarm_action_enabledcloudwatch_alarm_action_enabled_checkcloudwatch_cross_account_sharingcloudwatch_log_group_retention_period_365codebuild_project_artifact_encryption_enabledcodebuild_project_build_greater_then_90_dayscodebuild_project_environment_privileged_mode_disabledcodebuild_project_logging_enabledcodebuild_project_plaintext_env_variables_no_sensitive_aws_valuescodebuild_project_s3_logs_encryption_enabledcodebuild_project_source_repo_oauth_configuredcodebuild_project_with_user_controlled_buildspeccodedeploy_deployment_group_lambda_allatonce_traffic_shift_disabledconfig_configuration_recorder_no_failed_deliver_logsconfig_enabled_all_regionsdax_cluster_encryption_at_rest_enableddirectory_service_certificate_expires_90_daysdirectory_service_directory_snapshots_limit_2directory_service_directory_sns_notifications_enableddlm_ebs_snapshot_lifecycle_policy_enableddms_certificate_not_expireddms_endpoint_ssl_configureddms_replication_instance_automatic_minor_version_upgrade_enableddms_replication_instance_not_publicly_accessibledms_replication_task_source_database_logging_enableddms_replication_task_target_database_logging_enableddocdb_cluster_backup_retention_period_7_daysdocdb_cluster_deletion_protection_enableddocdb_cluster_encryption_at_rest_enableddocdb_cluster_instance_encryption_at_rest_enableddocdb_cluster_instance_logging_enableddocdb_cluster_snapshot_restrict_public_accessdrs_job_enableddynamodb_table_auto_scaling_enableddynamodb_table_deletion_protection_enableddynamodb_table_encrypted_with_kmsdynamodb_table_encryption_enableddynamodb_table_in_backup_plandynamodb_table_point_in_time_recovery_enableddynamodb_table_protected_by_backup_planebs_attached_volume_delete_on_termination_enabledebs_attached_volume_encryption_enabledebs_encryption_by_default_enabledebs_snapshot_encryption_enabledebs_snapshot_not_publicly_restorableebs_volume_encryption_at_rest_enabledebs_volume_in_backup_planebs_volume_protected_by_backup_planebs_volume_snapshot_existsebs_volume_unusedec2_ami_ebs_encryption_enabledec2_ami_not_older_than_90_daysec2_ami_restrict_public_accessec2_classic_lb_connection_draining_enabledec2_client_vpn_endpoint_client_connection_logging_enabledec2_ebs_default_encryption_enabledec2_instance_attached_ebs_volume_delete_on_termination_enabledec2_instance_detailed_monitoring_enabledec2_instance_ebs_optimizedec2_instance_iam_profile_attachedec2_instance_in_vpcec2_instance_no_amazon_key_pairec2_instance_no_high_level_finding_in_inspector_scanec2_instance_no_iam_passrole_and_lambda_invoke_function_accessec2_instance_no_iam_role_attached_with_credentials_exposure_accessec2_instance_no_iam_role_with_alter_critical_s3_permissions_configurationec2_instance_no_iam_role_with_cloud_log_tampering_accessec2_instance_no_iam_role_with_data_destruction_accessec2_instance_no_iam_role_with_database_management_write_accessec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_accessec2_instance_no_iam_role_with_destruction_kms_accessec2_instance_no_iam_role_with_destruction_rds_accessec2_instance_no_iam_role_with_elastic_ip_hijacking_accessec2_instance_no_iam_role_with_management_level_accessec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_accessec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_accessec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_accessec2_instance_no_iam_role_with_org_write_accessec2_instance_no_iam_role_with_privilege_escalation_risk_accessec2_instance_no_iam_role_with_security_group_write_accessec2_instance_no_iam_role_with_write_access_to_resource_based_policiesec2_instance_no_iam_role_with_write_permission_on_critical_s3_configurationec2_instance_no_iam_with_write_level_accessec2_instance_no_launch_wizard_security_groupec2_instance_not_older_than_180_daysec2_instance_not_publicly_accessibleec2_instance_not_use_multiple_enisec2_instance_protected_by_backup_planec2_instance_publicly_accessible_iam_profile_attachedec2_instance_ssm_managedec2_instance_termination_protection_enabledec2_instance_user_data_no_secretsec2_instance_uses_imdsv2ec2_instance_virtualization_type_no_paravirtualec2_launch_template_not_publicly_accessibleec2_network_interface_unusedec2_stopped_instance_30_daysec2_stopped_instance_90_daysec2_transit_gateway_auto_cross_account_attachment_disabledecr_repository_image_scan_on_push_enabledecr_repository_lifecycle_policy_configuredecr_repository_prohibit_public_accessecr_repository_tag_immutability_enabledecs_cluster_container_insights_enabledecs_cluster_container_instance_agent_connectedecs_cluster_encryption_at_rest_enabledecs_cluster_instance_in_vpcecs_cluster_no_active_services_countecs_cluster_no_registered_container_instanceecs_service_fargate_using_latest_platform_versionecs_service_load_balancer_attachedecs_service_not_publicly_accessibleecs_task_definition_container_environment_no_secretecs_task_definition_container_non_privilegedecs_task_definition_container_readonly_root_filesystemecs_task_definition_logging_enabledecs_task_definition_no_host_pid_modeecs_task_definition_no_root_userecs_task_definition_user_for_host_mode_checkefs_access_point_enforce_root_directoryefs_access_point_enforce_user_identityefs_file_system_encrypt_data_at_restefs_file_system_encrypted_with_cmkefs_file_system_enforces_sslefs_file_system_in_backup_planefs_file_system_protected_by_backup_planefs_file_system_restrict_public_accesseks_cluster_control_plane_audit_logging_enabledeks_cluster_endpoint_public_access_restrictedeks_cluster_endpoint_restrict_public_accesseks_cluster_no_default_vpceks_cluster_no_multiple_security_groupseks_cluster_secrets_encryptedeks_cluster_with_latest_kubernetes_versionelastic_beanstalk_enhanced_health_reporting_enabledelastic_beanstalk_environment_logs_to_cloudwatchelastic_beanstalk_environment_managed_updates_enabledelasticache_cluster_auto_minor_version_upgrade_enabledelasticache_cluster_no_default_subnet_groupelasticache_cluster_no_public_subnetelasticache_redis_cluster_automatic_backup_retention_15_dayselasticache_replication_group_auto_failover_enabledelasticache_replication_group_encryption_at_rest_enabledelasticache_replication_group_encryption_at_rest_enabled_with_kms_cmkelasticache_replication_group_encryption_in_transit_enabledelasticache_replication_group_redis_auth_enabledelb_application_classic_lb_logging_enabledelb_application_classic_network_lb_prohibit_public_accesselb_application_gateway_network_lb_multiple_az_configuredelb_application_lb_deletion_protection_enabledelb_application_lb_desync_mitigation_modeelb_application_lb_drop_http_headerselb_application_lb_listener_certificate_expire_30_dayselb_application_lb_listener_certificate_expire_7_dayselb_application_lb_redirect_http_request_to_httpselb_application_lb_waf_enabledelb_application_lb_with_outbound_ruleelb_application_network_lb_use_listenerselb_application_network_lb_use_ssl_certificateelb_classic_lb_cross_zone_load_balancing_enabledelb_classic_lb_desync_mitigation_modeelb_classic_lb_multiple_az_configuredelb_classic_lb_no_registered_instanceelb_classic_lb_use_ssl_certificateelb_classic_lb_use_tls_https_listenerselb_classic_lb_with_inbound_ruleelb_classic_lb_with_outbound_ruleelb_listener_use_secure_ssl_cipherelb_network_lb_tls_listener_security_policy_configuredelb_tls_listener_protocol_versionemr_account_public_access_blockedemr_cluster_encryption_at_rest_enabledemr_cluster_encryption_at_rest_with_cse_cmkemr_cluster_encryption_at_rest_with_sse_kmsemr_cluster_encryption_in_transit_enabledemr_cluster_kerberos_enabledemr_cluster_local_disk_encrypted_with_cmkemr_cluster_local_disk_encryption_enabledemr_cluster_master_nodes_no_public_ipemr_cluster_security_configuration_enabledes_domain_audit_logging_enabledes_domain_cognito_authentication_enabledes_domain_data_nodes_min_3es_domain_dedicated_master_nodes_min_3es_domain_encrypted_using_tls_1_2es_domain_encryption_at_rest_enabledes_domain_error_logging_enabledes_domain_in_vpces_domain_internal_user_database_enabledes_domain_logs_to_cloudwatches_domain_node_to_node_encryption_enabledeventbridge_custom_bus_resource_based_policy_attachedfsx_file_system_copy_tags_to_backup_and_volume_enabledfsx_file_system_protected_by_backup_plangatewayv2_stage_access_logging_enabledglacier_vault_restrict_public_accessglue_connection_ssl_enabledglue_data_catalog_encryption_settings_metadata_encryption_enabledglue_data_catalog_encryption_settings_password_encryption_enabledglue_dev_endpoint_cloudwatch_logs_encryption_enabledglue_dev_endpoint_job_bookmarks_encryption_enabledglue_dev_endpoint_s3_encryption_enabledglue_job_bookmarks_encryption_enabledglue_job_cloudwatch_logs_encryption_enabledglue_job_s3_encryption_enabledguardduty_centrally_configuredguardduty_enabledguardduty_finding_archivedguardduty_no_high_severity_findingsiam_access_analyzer_enablediam_access_analyzer_enabled_without_findingsiam_account_password_policy_min_length_14iam_account_password_policy_one_lowercase_letteriam_account_password_policy_one_numberiam_account_password_policy_one_symboliam_account_password_policy_one_uppercase_letteriam_account_password_policy_reuse_24iam_account_password_policy_strong_min_length_8iam_account_password_policy_strong_min_reuse_24iam_all_policy_no_service_wild_cardiam_custom_policy_unattached_no_star_stariam_group_not_emptyiam_group_user_role_no_inline_policiesiam_inline_policy_no_administrative_privilegesiam_managed_policy_attached_to_roleiam_password_policy_expire_90iam_policy_all_attached_no_star_stariam_policy_custom_attached_no_star_stariam_policy_custom_no_assume_roleiam_policy_custom_no_blocked_kms_actionsiam_policy_custom_no_permissive_role_assumptioniam_policy_inline_no_blocked_kms_actionsiam_policy_no_full_access_to_cloudtrailiam_policy_no_full_access_to_kmsiam_policy_no_star_stariam_policy_unusediam_role_cross_account_read_only_access_policyiam_role_no_administrator_access_policy_attachediam_role_unused_60iam_root_last_usediam_root_user_hardware_mfa_enablediam_root_user_mfa_enablediam_root_user_no_access_keysiam_security_audit_roleiam_server_certificate_not_expirediam_support_roleiam_user_access_key_age_365iam_user_access_key_age_90iam_user_access_key_unused_45iam_user_access_keys_and_password_at_setupiam_user_console_access_mfa_enablediam_user_console_access_unused_45iam_user_group_role_cloudshell_fullaccess_restrictediam_user_hardware_mfa_enablediam_user_in_groupiam_user_mfa_enablediam_user_no_inline_attached_policiesiam_user_no_policiesiam_user_one_active_keyiam_user_unused_credentials_45iam_user_unused_credentials_90iam_user_with_administrator_access_mfa_enabledkinesis_firehose_delivery_stream_server_side_encryption_enabledkinesis_stream_encrypted_with_kms_cmkkinesis_stream_server_side_encryption_enabledkms_cmk_policy_prohibit_public_accesskms_cmk_rotation_enabledkms_cmk_unusedkms_key_decryption_restricted_in_iam_customer_managed_policykms_key_decryption_restricted_in_iam_inline_policykms_key_not_pending_deletionlambda_function_cloudtrail_logging_enabledlambda_function_cloudwatch_insights_enabledlambda_function_concurrent_execution_limit_configuredlambda_function_cors_configurationlambda_function_dead_letter_queue_configuredlambda_function_encryption_enabledlambda_function_in_vpclambda_function_logging_config_enabledlambda_function_multiple_az_configuredlambda_function_restrict_public_accesslambda_function_restrict_public_urllambda_function_tracing_enabledlambda_function_use_latest_runtimelambda_function_variables_no_sensitive_datalightsail_instance_ipv6_networking_disabledlightsail_instance_rdp_restricted_iplightsail_instance_ssh_rdp_http_ports_disabledlightsail_instance_ssh_restricted_iplog_group_encryption_at_rest_enabledlog_metric_filter_bucket_policylog_metric_filter_cloudtrail_configurationlog_metric_filter_config_configurationlog_metric_filter_console_authentication_failurelog_metric_filter_console_login_mfalog_metric_filter_disable_or_delete_cmklog_metric_filter_iam_policylog_metric_filter_network_acllog_metric_filter_network_gatewaylog_metric_filter_organizationlog_metric_filter_root_loginlog_metric_filter_route_tablelog_metric_filter_security_grouplog_metric_filter_unauthorized_apilog_metric_filter_vpcmanual_controlmq_broker_restrict_public_accessmsk_cluster_encryption_in_transit_with_tls_enabledneptune_db_cluster_audit_logging_enabledneptune_db_cluster_automated_backup_enabledneptune_db_cluster_copy_tags_to_snapshot_enabledneptune_db_cluster_deletion_protection_enabledneptune_db_cluster_encryption_at_rest_enabledneptune_db_cluster_iam_authentication_enabledneptune_db_cluster_no_public_subnetneptune_db_cluster_snapshot_encryption_at_rest_enabledneptune_db_cluster_snapshot_prohibit_public_accessnetworkfirewall_firewall_deletion_protection_enablednetworkfirewall_firewall_in_vpcnetworkfirewall_firewall_logging_enablednetworkfirewall_firewall_policy_default_stateless_action_check_fragmented_packetsnetworkfirewall_firewall_policy_default_stateless_action_check_full_packetsnetworkfirewall_firewall_policy_rule_group_not_emptynetworkfirewall_stateless_rule_group_not_emptyopensearch_domain_audit_logging_enabledopensearch_domain_cognito_authentication_enabled_for_kibanaopensearch_domain_data_node_fault_toleranceopensearch_domain_encryption_at_rest_enabledopensearch_domain_fine_grained_access_enabledopensearch_domain_https_requiredopensearch_domain_in_vpcopensearch_domain_internal_user_database_disabledopensearch_domain_logs_to_cloudwatchopensearch_domain_node_to_node_encryption_enabledopensearch_domain_updated_with_latest_service_software_versionorganizational_tag_policies_enabledrds_db_cluster_aurora_backtracking_enabledrds_db_cluster_aurora_mysql_audit_logging_enabledrds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerabilityrds_db_cluster_aurora_protected_by_backup_planrds_db_cluster_automatic_minor_version_upgrade_enabledrds_db_cluster_copy_tags_to_snapshot_enabledrds_db_cluster_deletion_protection_enabledrds_db_cluster_encrypted_with_cmkrds_db_cluster_encryption_at_rest_enabledrds_db_cluster_events_subscriptionrds_db_cluster_iam_authentication_enabledrds_db_cluster_multiple_az_enabledrds_db_cluster_no_default_admin_namerds_db_instance_and_cluster_enhanced_monitoring_enabledrds_db_instance_and_cluster_no_default_portrds_db_instance_automatic_minor_version_upgrade_enabledrds_db_instance_backup_enabledrds_db_instance_backup_retention_period_less_than_7rds_db_instance_ca_certificate_expires_7_daysrds_db_instance_cloudwatch_logs_enabledrds_db_instance_connections_encryption_enabledrds_db_instance_copy_tags_to_snapshot_enabledrds_db_instance_deletion_protection_enabledrds_db_instance_encryption_at_rest_enabledrds_db_instance_events_subscriptionrds_db_instance_iam_authentication_enabledrds_db_instance_in_backup_planrds_db_instance_in_vpcrds_db_instance_logging_enabledrds_db_instance_multiple_az_enabledrds_db_instance_no_default_admin_namerds_db_instance_no_public_subnetrds_db_instance_postgres_not_exposed_to_local_file_read_vulnerabilityrds_db_instance_prohibit_public_accessrds_db_instance_protected_by_backup_planrds_db_parameter_group_events_subscriptionrds_db_security_group_events_subscriptionrds_db_snapshot_encrypted_at_restrds_db_snapshot_prohibit_public_accessredshift_cluster_audit_logging_enabledredshift_cluster_automatic_snapshots_min_7_daysredshift_cluster_automatic_upgrade_major_versions_enabledredshift_cluster_encrypted_with_cmkredshift_cluster_encryption_in_transit_enabledredshift_cluster_encryption_logging_enabledredshift_cluster_enhanced_vpc_routing_enabledredshift_cluster_kms_enabledredshift_cluster_maintenance_settings_checkredshift_cluster_no_default_admin_nameredshift_cluster_no_default_database_nameredshift_cluster_prohibit_public_accessroute53_domain_auto_renew_enabledroute53_domain_expires_30_daysroute53_domain_expires_7_daysroute53_domain_not_expiredroute53_domain_privacy_protection_enabledroute53_domain_transfer_lock_enabledroute53_zone_query_logging_enableds3_access_point_restrict_public_accesss3_bucket_acls_should_prohibit_user_accesss3_bucket_cross_region_replication_enableds3_bucket_default_encryption_enableds3_bucket_default_encryption_enabled_kmss3_bucket_enforces_ssls3_bucket_event_notifications_enableds3_bucket_lifecycle_policy_enableds3_bucket_logging_enableds3_bucket_mfa_delete_enableds3_bucket_not_accessible_to_all_authenticated_users3_bucket_object_lock_enableds3_bucket_object_logging_enableds3_bucket_policy_restrict_public_accesss3_bucket_policy_restricts_cross_account_permission_changess3_bucket_protected_by_macies3_bucket_restrict_public_read_accesss3_bucket_restrict_public_write_accesss3_bucket_static_website_hosting_disableds3_bucket_versioning_and_lifecycle_policy_enableds3_bucket_versioning_enableds3_public_access_block_accounts3_public_access_block_buckets3_public_access_block_bucket_accountsagemaker_endpoint_configuration_encryption_at_rest_enabledsagemaker_model_in_vpcsagemaker_model_network_isolation_enabledsagemaker_notebook_instance_direct_internet_access_disabledsagemaker_notebook_instance_encrypted_with_kms_cmksagemaker_notebook_instance_encryption_at_rest_enabledsagemaker_notebook_instance_in_vpcsagemaker_notebook_instance_root_access_disabledsagemaker_training_job_in_vpcsagemaker_training_job_inter_container_traffic_encryption_enabledsagemaker_training_job_network_isolation_enabledsagemaker_training_job_volume_and_data_encryption_enabledsecretsmanager_secret_automatic_rotation_enabledsecretsmanager_secret_automatic_rotation_lambda_enabledsecretsmanager_secret_encrypted_with_kms_cmksecretsmanager_secret_last_changed_365_daysecretsmanager_secret_last_changed_90_daysecretsmanager_secret_last_used_1_daysecretsmanager_secret_rotated_as_scheduledsecretsmanager_secret_unused_90_daysecurityhub_enabledsfn_state_machine_logging_enabledsns_topic_encrypted_at_restsns_topic_notification_delivery_status_enabledsns_topic_policy_prohibit_cross_account_accesssns_topic_policy_prohibit_public_accesssns_topic_policy_prohibit_publishing_accesssns_topic_policy_prohibit_subscription_accesssqs_queue_dead_letter_queue_configuredsqs_queue_encrypted_at_restsqs_queue_encrypted_with_kms_cmksqs_queue_policy_prohibit_public_accessssm_document_prohibit_public_accessssm_managed_instance_compliance_association_compliantssm_managed_instance_compliance_patch_compliantssm_parameter_encryption_enabledvpc_configured_to_use_vpc_endpointsvpc_default_security_group_restricts_all_trafficvpc_eip_associatedvpc_endpoint_service_acceptance_required_enabledvpc_flow_logs_enabledvpc_gateway_endpoint_restrict_public_accessvpc_igw_attached_to_authorized_vpcvpc_in_more_than_one_regionvpc_network_acl_remote_administrationvpc_network_acl_unusedvpc_not_in_usevpc_peering_connection_no_cross_account_accessvpc_peering_connection_route_table_least_privilegevpc_route_table_restrict_public_access_to_igwvpc_security_group_allows_ingress_authorized_portsvpc_security_group_allows_ingress_to_cassandra_portsvpc_security_group_allows_ingress_to_memcached_portvpc_security_group_allows_ingress_to_mongodb_portsvpc_security_group_allows_ingress_to_oracle_portsvpc_security_group_associated_to_enivpc_security_group_not_uses_launch_wizard_sgvpc_security_group_remote_administrationvpc_security_group_remote_administration_ipv4vpc_security_group_remote_administration_ipv6vpc_security_group_restrict_ingress_cifs_port_allvpc_security_group_restrict_ingress_common_ports_allvpc_security_group_restrict_ingress_kafka_portvpc_security_group_restrict_ingress_kibana_portvpc_security_group_restrict_ingress_rdp_allvpc_security_group_restrict_ingress_redis_portvpc_security_group_restrict_ingress_ssh_allvpc_security_group_restrict_ingress_tcp_udp_allvpc_security_group_restricted_common_portsvpc_security_group_unusedvpc_subnet_auto_assign_public_ip_disabledvpc_subnet_multi_az_enabledvpc_subnet_public_and_privatevpc_vpn_gateway_per_region_less_then_4vpc_vpn_tunnel_upwaf_regional_rule_condition_attachedwaf_regional_rule_group_rule_attachedwaf_regional_web_acl_rule_attachedwaf_rule_condition_attachedwaf_rule_group_rule_attachedwaf_web_acl_logging_enabledwaf_web_acl_resource_associatedwaf_web_acl_rule_attachedwafv2_rule_group_logging_enabledwafv2_web_acl_logging_enabledwafv2_web_acl_rule_attachedworkspaces_workspace_volume_encryption_enabled
Query: kms_cmk_policy_prohibit_public_access
Usage
powerpipe query aws_compliance.query.kms_cmk_policy_prohibit_public_accessSteampipe Tables
SQL
with wildcard_action_policies as ( select arn, count(*) as statements_num from aws_kms_key, jsonb_array_elements(policy_std -> 'Statement') as s where s ->> 'Effect' = 'Allow' -- kms:CallerAccount and s -> 'Condition' -> 'StringEquals' -> 'kms:calleraccount' is null and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'kms:calleraccount' is null and ( s -> 'Condition' -> 'StringLike' -> 'kms:calleraccount' is null or s -> 'Condition' -> 'StringLike' -> 'kms:calleraccount' ? '*' ) -- aws:SourceOwner and s -> 'Condition' -> 'StringEquals' -> 'aws:sourceowner' is null and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:sourceowner' is null and ( s -> 'Condition' -> 'StringLike' -> 'aws:sourceowner' is null or s -> 'Condition' -> 'StringLike' -> 'aws:sourceowner' ? '*' ) -- aws:SourceAccount and s -> 'Condition' -> 'StringEquals' -> 'aws:sourceaccount' is null and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:sourceaccount' is null and ( s -> 'Condition' -> 'StringLike' -> 'aws:sourceaccount' is null or s -> 'Condition' -> 'StringLike' -> 'aws:sourceaccount' ? '*' ) -- aws:PrincipalOrgID and s -> 'Condition' -> 'StringEquals' -> 'aws:principalorgid' is null and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:principalorgid' is null and ( s -> 'Condition' -> 'StringLike' -> 'aws:principalorgid' is null or s -> 'Condition' -> 'StringLike' -> 'aws:principalorgid' ? '*' ) -- aws:PrincipalAccount and s -> 'Condition' -> 'StringEquals' -> 'aws:principalaccount' is null and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:principalaccount' is null and ( s -> 'Condition' -> 'StringLike' -> 'aws:principalaccount' is null or s -> 'Condition' -> 'StringLike' -> 'aws:principalaccount' ? '*' ) -- aws:PrincipalArn and s -> 'Condition' -> 'StringEquals' -> 'aws:principalarn' is null and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:principalarn' is null and ( s -> 'Condition' -> 'StringLike' -> 'aws:principalarn' is null or s -> 'Condition' -> 'StringLike' -> 'aws:principalarn' ? '*' ) and ( s -> 'Condition' -> 'ArnEquals' -> 'aws:principalarn' is null or s -> 'Condition' -> 'ArnEquals' -> 'aws:principalarn' ? '*' ) and ( s -> 'Condition' -> 'ArnLike' -> 'aws:principalarn' is null or s -> 'Condition' -> 'ArnLike' -> 'aws:principalarn' ? '*' ) -- aws:SourceArn and s -> 'Condition' -> 'StringEquals' -> 'aws:sourcearn' is null and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:sourcearn' is null and ( s -> 'Condition' -> 'StringLike' -> 'aws:sourcearn' is null or s -> 'Condition' -> 'StringLike' -> 'aws:sourcearn' ? '*' ) and ( s -> 'Condition' -> 'ArnEquals' -> 'aws:sourcearn' is null or s -> 'Condition' -> 'ArnEquals' -> 'aws:sourcearn' ? '*' ) and ( s -> 'Condition' -> 'ArnLike' -> 'aws:sourcearn' is null or s -> 'Condition' -> 'ArnLike' -> 'aws:sourcearn' ? '*' ) and ( s -> 'Principal' -> 'AWS' = '["*"]' or s ->> 'Principal' = '*' ) group by arn)select k.arn as resource, case when p.arn is null then 'ok' else 'alarm' end status, case when p.arn is null then title || ' does not allow public access.' else title || ' contains ' || coalesce(p.statements_num, 0) || ' statements that allow public access.' end as reason , k.region, k.account_idfrom aws_kms_key as k left join wildcard_action_policies as p on p.arn = k.arnwhere key_manager = 'CUSTOMER';
Controls
The query is being used by the following controls: