feat(terraform): Adding yaml based build time policies for corresponding PC run time policies #3962
Conversation
nice work on the new checks 💪
Files with resolved review comments:
- checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml (outdated)
- checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml (outdated)
- checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml (outdated)
- checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml
- checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml (outdated)
- checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml (outdated)
- tests/terraform/graph/checks/resources/AWSConfigRecorderEnabled/main.tf (outdated)
…bled.yaml Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
…sAllGlobalResources.yaml Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
…nfigWithOAI.yaml Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
…iguredAutomaticFailOver.yaml Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
…d/main.tf Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
…nfigured.yaml Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
thanks @gruebel, thanks for the thorough review
🎄
Thanks @gruebel for the review and approval.
…ing PC run time policies (#3962)
* adding yaml based build time policies for corresponding PC run time policies
* Update checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
* Update checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
* Update checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
* Update checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
* Update tests/terraform/graph/checks/test_yaml_policies.py
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
* Update tests/terraform/graph/checks/resources/AWSConfigRecorderEnabled/main.tf
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
* Update checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
* fix test
Co-authored-by: ssiddardha <ssidardha@paloaltonetworks.com>
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>
This PR is causing some false positives on WAF/CF, specifically with the requirement of
hey @MrHash, thanks for the feedback. Can you add examples of the false positives you see? Then we can tackle them better.
```yaml
resource_types:
  - aws_cloudfront_distribution
attribute: "origin.*.s3_origin_config"
operator: "exists"
```
Shouldn't this be `not_exists`???
Will add a test and file a PR ... and while there also fix the typo in the file name :)
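Added example (not checkov's own engine and not part of this PR): a constructed Python model of the `exists` / `not_exists` operators applied to the `origin.*.s3_origin_config` wildcard path from the review thread, run over two constructed CloudFront resource shapes so the effect of swapping the operator is visible. The `_walk`, `evaluate` and `compare_operators` functions, the operator semantics and the sample configurations are assumptions for illustration only.

```python
import copy
from typing import Any, Dict, List

# Constructed, simplified model of the attribute/operator part of a checkov-style
# YAML graph check. It is NOT checkov's engine; it only implements the "exists" /
# "not_exists" operators and the "origin.*.s3_origin_config" wildcard path the
# review thread discusses, so the effect of swapping the operator can be observed.

CHECK_AS_SUBMITTED: Dict[str, Any] = {
    "resource_types": ["aws_cloudfront_distribution"],
    "attribute": "origin.*.s3_origin_config",
    "operator": "exists",
}


def _walk(value: Any, parts: List[str]) -> List[Any]:
    """Collect every value reachable by a dotted path; '*' fans out over a list."""
    if not parts:
        return [value]
    head, rest = parts[0], parts[1:]
    if head == "*":
        items = value if isinstance(value, list) else []
        return [v for item in items for v in _walk(item, rest)]
    if isinstance(value, dict) and head in value:
        return _walk(value[head], rest)
    return []


def evaluate(check: Dict[str, Any], resource_type: str, config: Dict[str, Any]) -> str:
    """Return 'PASSED', 'FAILED' or 'SKIPPED' for one resource configuration."""
    if resource_type not in check["resource_types"]:
        return "SKIPPED"
    found = [v for v in _walk(config, check["attribute"].split(".")) if v not in (None, [], {})]
    op = check["operator"]
    if op == "exists":
        return "PASSED" if found else "FAILED"
    if op == "not_exists":
        return "FAILED" if found else "PASSED"
    raise ValueError(f"unsupported operator {op!r}")


# Constructed sample resources, in the list-of-dicts shape a Terraform parser
# produces for nested blocks. Values are placeholders, not real identifiers.
DIST_WITH_OAI = {
    "origin": [{
        "domain_name": "example-bucket.s3.amazonaws.com",
        "s3_origin_config": [{"origin_access_identity": "origin-access-identity/cloudfront/PLACEHOLDER"}],
    }]
}
DIST_CUSTOM_ORIGIN_ONLY = {
    "origin": [{"domain_name": "api.example.com", "custom_origin_config": [{"http_port": 80}]}]
}


def compare_operators() -> Dict[str, Dict[str, str]]:
    """Evaluate both sample distributions under 'exists' and 'not_exists'."""
    results = {}
    for op in ("exists", "not_exists"):
        check = copy.deepcopy(CHECK_AS_SUBMITTED)
        check["operator"] = op
        results[op] = {
            "with_oai": evaluate(check, "aws_cloudfront_distribution", DIST_WITH_OAI),
            "custom_origin_only": evaluate(check, "aws_cloudfront_distribution", DIST_CUSTOM_ORIGIN_ONLY),
        }
    return results


if __name__ == "__main__":
    for op, outcome in compare_operators().items():
        print(op, outcome)
```

Under `exists`, a distribution whose only origin is a custom (non-S3) origin is reported as failing, which is the kind of result worth checking against a test fixture before choosing the operator.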
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license
This PR adds 6 YAML-based checks, with detailed descriptions below.
Checkov Title: Ensure AWS Config recorder is enabled
PC Policy ID - ca5c571e-6930-44af-a47b-ebde3ac20ca5
PC Policy Title - AWS Config recording is disabled
Compliance Standard - ACSC Information Security Manual (ISM)-ISM-0109, ACSC Information Security Manual (ISM)-ISM-1228, API Auto Clone of PIPEDA-4.1.4, APRA (CPS 234) Information Security-CPS234-23, APRA (CPS 234) Information Security-CPS234-27, APRA (CPS 234) Information Security-CPS234-34, APRA (CPS 234) Information Security-CPS234-35, APRA (CPS 234) Information Security-CPS234-36, AWS Foundational Security Best Practices standard-Inventory, Australian Energy Sector Cyber Security Framework (AESCSF)-SA-1B, Brazilian Data Protection Law (LGPD)-Article 31, Brazilian Data Protection Law (LGPD)-Article 48, CCPA 2018-1798.150(a)(1), CIS Controls v7.1-12.5, CIS Controls v7.1-6.2, CIS Controls v8-13.6, CIS Controls v8-8.2, CIS v1.2.0 (AWS)-2.5, CIS v1.3.0 (AWS)-3.5, CIS v1.4.0 (AWS)-3.5, CIS v1.5.0 (AWS) - Level 2-3.5, CSA CCM v3.0.1-AAC-01, CSA CCM v3.0.1-AAC-02, CSA CCM v3.0.1-AIS-01, CSA CCM v3.0.1-DCS-01, CSA CCM v3.0.1-GRM-01, CSA CCM v3.0.1-IAM-13, CSA CCM v3.0.1-IVS-02, CSA CCM v3.0.1-IVS-05, CSA CCM v3.0.1-IVS-07, CSA CCM v3.0.1-MOS-09, CSA CCM v3.0.1-MOS-19, CSA CCM v3.0.1-TVM-02, Copy of 1Copy of Brazilian Data Protection Law (LGPD)-Article 31, Copy of 1Copy of Brazilian Data Protection Law (LGPD)-Article 48, Copy of APRA (CPS 234) Information Security-CPS234-23, Copy of APRA (CPS 234) Information Security-CPS234-27, Copy of APRA (CPS 234) Information Security-CPS234-34, Copy of APRA (CPS 234) Information Security-CPS234-35, Copy of APRA (CPS 234) Information Security-CPS234-36, Copy of Brazilian Data Protection Law (LGPD)-Article 31, Copy of Brazilian Data Protection Law (LGPD)-Article 48, CyberSecurity Law of the People's Republic of China-Article 55, CyberSecurity Law of the People's Republic of China-Article 56, Cybersecurity Maturity Model Certification (CMMC) v.1.02-AU.3.046, FFIEC-D2.MA.Ma.B.1, FFIEC-D3.DC.Ev.B.1, Fedramp (Moderate)-CM-02 (02), GDPR-Article 30, GDPR-Article 32, GDPR-Article 46, HITRUST CSF v.9.6.0-09.aa, HITRUST CSF v.9.6.0-09.ab, HITRUST CSF v.9.6.0-09.m, HITRUST CSF v9.3-Control Reference:05.h, HITRUST CSF v9.3-Control Reference:06.g, HITRUST CSF v9.3-Control Reference:06.h, HITRUST CSF v9.3-Control Reference:10.k, HITRUST CSF v9.3-Control Reference:10.m, HITRUST CSF v9.3-Control Reference:11.b, HITRUST v.9.4.2-Control Reference:09.ab, HITRUST v.9.4.2-Control Reference:09.ac, ISO 27001:2013-A.12.5.1, ISO 27001:2013-A.14.1.3, MAS TRM 2021-7.5.7, MLPS 2.0-8.1.5.4, NIST 800-171 Rev1-3.11.3, NIST 800-171 Rev1-3.4.1, NIST 800-171 Rev1-3.4.2, NIST 800-53 Rev 5-Baseline Configuration | Automation Support for Accuracy and Currency, NIST 800-53 Rev 5-Configuration Settings, NIST 800-53 Rev 5-Continuous Monitoring, NIST 800-53 Rev 5-System Component Inventory | Assessed Configurations and Approved Deviations, NIST 800-53 Rev 5-Vulnerability Monitoring and Scanning, NIST 800-53 Rev4-CA-7d, NIST 800-53 Rev4-CM-2 (2), NIST 800-53 Rev4-CM-6c, NIST 800-53 Rev4-CM-6d, NIST 800-53 Rev4-CM-8 (6), NIST 800-53 Rev4-RA-5b.1, NIST CSF-DE.AE-1, NIST CSF-DE.AE-2, NIST CSF-DE.AE-3, NIST CSF-DE.CM-1, NIST CSF-DE.CM-2, NIST CSF-DE.CM-3, NIST CSF-DE.CM-6, NIST CSF-DE.CM-7, NIST CSF-DE.DP-1, NIST CSF-DE.DP-2, NIST CSF-DE.DP-3, NIST CSF-DE.DP-4, NIST CSF-DE.DP-5, NIST CSF-ID.RA-1, NIST CSF-ID.RA-3, NIST CSF-ID.RA-5, NIST CSF-PR.DS-2, NIST CSF-PR.IP-1, NIST CSF-PR.IP-7, NIST CSF-PR.IP-8, NIST CSF-RS.AN-1, NIST CSF-RS.CO-3, NIST CSF-RS.MI-3, NIST SP 800-171 Revision 2-3.3.4, NIST SP 800-172-3.14.2e, PCI DSS v3.2.1-10.2.3, PCI DSS v3.2.1-10.6, PCI DSS v4.0-10.2.1, PCI DSS v4.0-10.2.1.1, PCI DSS v4.0-10.2.1.2, PCI DSS v4.0-10.2.1.3, PCI DSS v4.0-10.2.1.4, PCI DSS v4.0-10.2.1.5, PCI DSS v4.0-10.2.1.6, PCI DSS v4.0-10.2.1.7, PCI DSS v4.0-10.2.2, PCI DSS v4.0-5.3.4, PCI DSS v4.0-6.4.1, PCI DSS v4.0-6.4.2, PIPEDA-4.1.4, Risk Management in Technology (RMiT)-10.61, Risk Management in Technology (RMiT)-10.66, SOC 2-CC6.1, SOC 2-CC6.6, SOC 2-CC7.2, SOC 2-CC7.3, SOC 2-CC7.4, SOC 2-CC7.5, SOC 2-CC8.1, TestCompliance-CPS234-23, TestCompliance-CPS234-27, TestCompliance-CPS234-34, TestCompliance-CPS234-35, TestCompliance-CPS234-36, custom_3002_compliance_standard-S3R3, custom_config-S1R1
Remediation Steps:
If AWS Config set up exists,
If AWS Config set up doesn't exist
Checkov Title: Ensure AWS Config must record all possible resources
PC Policy ID - 4c64a4d6-1b96-4004-8a11-f215aa8ee3ce
PC Policy Title - AWS Config must record all possible resources
Compliance Standard - ACSC Information Security Manual (ISM)-ISM-0109, ACSC Information Security Manual (ISM)-ISM-1228, APRA (CPS 234) Information Security-CPS234-23, APRA (CPS 234) Information Security-CPS234-27, APRA (CPS 234) Information Security-CPS234-34, Australian Energy Sector Cyber Security Framework (AESCSF)-SA-1B, Brazilian Data Protection Law (LGPD)-Article 31, Brazilian Data Protection Law (LGPD)-Article 48, CIS Controls v7.1-12.5, CIS Controls v7.1-6.2, CIS Controls v8-13.6, CIS Controls v8-8.2, CSA CCM v3.0.1-AAC-01, CSA CCM v3.0.1-AAC-02, CSA CCM v3.0.1-AIS-01, CSA CCM v3.0.1-GRM-01, CSA CCM v3.0.1-IAM-13, CSA CCM v3.0.1-IVS-05, CSA CCM v3.0.1-IVS-07, CSA CCM v3.0.1-MOS-19, CSA CCM v3.0.1-TVM-02, Copy of 1Copy of Brazilian Data Protection Law (LGPD)-Article 31, Copy of 1Copy of Brazilian Data Protection Law (LGPD)-Article 48, Copy of APRA (CPS 234) Information Security-CPS234-23, Copy of APRA (CPS 234) Information Security-CPS234-27, Copy of APRA (CPS 234) Information Security-CPS234-34, Copy of Brazilian Data Protection Law (LGPD)-Article 31, Copy of Brazilian Data Protection Law (LGPD)-Article 48, CyberSecurity Law of the People's Republic of China-Article 55, CyberSecurity Law of the People's Republic of China-Article 56, Cybersecurity Maturity Model Certification (CMMC) v.1.02-AU.3.046, FFIEC-D2.MA.Ma.B.1, FFIEC-D3.DC.Ev.B.1, Fedramp (Moderate)-CM-02 (02), GDPR-Article 30, GDPR-Article 32, GDPR-Article 46, HITRUST CSF v.9.6.0-09.aa, HITRUST CSF v.9.6.0-09.ab, HITRUST CSF v.9.6.0-09.m, HITRUST CSF v9.3-Control Reference:05.h, HITRUST CSF v9.3-Control Reference:06.g, HITRUST CSF v9.3-Control Reference:06.h, HITRUST CSF v9.3-Control Reference:10.k, HITRUST CSF v9.3-Control Reference:10.m, HITRUST CSF v9.3-Control Reference:11.b, HITRUST v.9.4.2-Control Reference:09.ab, HITRUST v.9.4.2-Control Reference:09.ac, ISO 27001:2013-A.12.5.1, ISO 27001:2013-A.14.1.3, MAS TRM 2021-7.5.7, MLPS 2.0-8.1.5.4, MLPS 2.0-8.2.3.3, NIST 800-171 Rev1-3.11.2, NIST 800-171 Rev1-3.11.3, NIST 800-171 Rev1-3.12.1, NIST 800-171 Rev1-3.12.2, NIST 800-171 Rev1-3.12.3, NIST 800-171 Rev1-3.12.4, NIST 800-171 Rev1-3.4.1, NIST 800-171 Rev1-3.4.2, NIST 800-53 Rev 5-Baseline Configuration | Automation Support for Accuracy and Currency, NIST 800-53 Rev 5-Configuration Settings, NIST 800-53 Rev 5-Continuous Monitoring, NIST 800-53 Rev 5-Vulnerability Monitoring and Scanning, NIST 800-53 Rev4-CA-7d, NIST 800-53 Rev4-CM-2 (2), NIST 800-53 Rev4-CM-6c, NIST 800-53 Rev4-CM-6d, NIST 800-53 Rev4-RA-5b.1, NIST CSF-DE.AE-1, NIST CSF-DE.AE-2, NIST CSF-DE.AE-3, NIST CSF-DE.CM-1, NIST CSF-DE.CM-2, NIST CSF-DE.CM-3, NIST CSF-DE.CM-6, NIST CSF-DE.DP-1, NIST CSF-DE.DP-2, NIST CSF-DE.DP-3, NIST CSF-DE.DP-4, NIST CSF-DE.DP-5, NIST CSF-ID.RA-1, NIST CSF-ID.RA-3, NIST CSF-ID.RA-5, NIST CSF-PR.DS-2, NIST CSF-PR.IP-7, NIST CSF-PR.IP-8, NIST CSF-RS.CO-3, NIST CSF-RS.MI-3, NIST SP 800-171 Revision 2-3.3.4, NIST SP 800-172-3.4.2e, PCI DSS v3.2.1-10.2.3, PCI DSS v3.2.1-10.6, PCI DSS v4.0-10.2.1, PCI DSS v4.0-10.2.1.1, PCI DSS v4.0-10.2.1.2, PCI DSS v4.0-10.2.1.3, PCI DSS v4.0-10.2.1.4, PCI DSS v4.0-10.2.1.5, PCI DSS v4.0-10.2.1.6, PCI DSS v4.0-10.2.1.7, PCI DSS v4.0-10.2.2, PCI DSS v4.0-5.3.4, PCI DSS v4.0-6.4.1, PCI DSS v4.0-6.4.2, SOC 2-CC6.1, SOC 2-CC6.6, SOC 2-CC7.2, SOC 2-CC7.3, SOC 2-CC7.4, SOC 2-CC7.5, SOC 2-CC8.1, TestCompliance-CPS234-23, TestCompliance-CPS234-27, TestCompliance-CPS234-34
Remediation Steps:
3.a Record all resources supported in this region
3.b Include global resources (e.g., AWS IAM resources)
Checkov Title: Ensure AWS Cloudfront Distribution with S3 have Origin Access set to enabled
PC Policy ID - b0aac456-7422-47fc-9144-9b150bd18a9d
PC Policy Title - AWS Cloudfront Distribution with S3 have Origin Access set to disabled
Compliance Standard - APRA (CPS 234) Information Security-CPS234-23, APRA (CPS 234) Information Security-CPS234-27, APRA (CPS 234) Information Security-CPS234-34, AWS Foundational Security Best Practices standard-Secure access management, Brazilian Data Protection Law (LGPD)-Article 34, CIS Controls v7.1-5.1, CIS Controls v8-4.6, CSA CCM v.4.0.1-AIS-01, CSA CCM v.4.0.1-AIS-02, CSA CCM v.4.0.1-AIS-04, CSA CCM v.4.0.1-CCC-01, CSA CCM v.4.0.1-GRC-03, CSA CCM v.4.0.1-IVS-04, CSA CCM v.4.0.1-UEM-06, Copy of 1Copy of Brazilian Data Protection Law (LGPD)-Article 34, Copy of APRA (CPS 234) Information Security-CPS234-23, Copy of APRA (CPS 234) Information Security-CPS234-27, Copy of APRA (CPS 234) Information Security-CPS234-34, Copy of Brazilian Data Protection Law (LGPD)-Article 34, Cybersecurity Maturity Model Certification (CMMC) v.1.02-CM.2.062, HITRUST CSF v.9.6.0-10.k, HITRUST CSF v.9.6.0-10.m, HITRUST v.9.4.2-Control Reference:10.a, ISO/IEC 27002:2013-12.1.2, ISO/IEC 27002:2013-14.1.1, ISO/IEC 27002:2013-14.1.2, ISO/IEC 27002:2013-14.2.1, ISO/IEC 27002:2013-14.2.2, ISO/IEC 27017:2015-12.1.2, ISO/IEC 27017:2015-14.1.1, ISO/IEC 27017:2015-14.1.2, ISO/IEC 27017:2015-14.2.1, ISO/IEC 27017:2015-14.2.5, ISO/IEC 27017:2015-5.1.1, ISO/IEC 27018:2019-12.1.2, MAS TRM 2021-7.2.1, MAS TRM 2021-7.2.2, NIST 800-53 Rev 5-Boundary Protection | Connections to Public Networks, NIST 800-53 Rev4-CA-3 (4), NIST CSF-PR.IP-1, NIST SP 800-171 Revision 2-3.4.2, NIST SP 800-172-3.4.1e, NIST SP 800-172-3.4.2e, PCI DSS v3.2.1-6.3, TestCompliance-CPS234-23, TestCompliance-CPS234-27, TestCompliance-CPS234-34
Remediation Steps:
Checkov Title: Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
PC Policy ID - 955b15c5-fd5c-4b27-892e-fc14d50045eb
PC Policy Title - AWS CloudFront attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
Compliance Standard - ACSC Information Security Manual (ISM)-ISM-1028, ACSC Information Security Manual (ISM)-ISM-1030, ACSC Information Security Manual (ISM)-ISM-1416, Australian Energy Sector Cyber Security Framework (AESCSF)-TVM-AP2, CIS Controls v7.1-18.8, CIS Controls v8-7.5, Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)-SI.L1-3.14.5, FFIEC-D3.DC.Th.B.1, PCI DSS v4.0-11.3.1, PCI DSS v4.0-11.3.1.1, PCI DSS v4.0-11.3.1.2, PCI DSS v4.0-11.3.1.3
Remediation Steps:
Checkov Title: Ensure AWS Database Migration Service endpoint have SSL configured
PC Policy ID - 447fc9ef-a871-4e4b-b34c-46d4aad81f51
PC Policy Title - AWS Database Migration Service endpoint do not have SSL configured
Compliance Standard - ACSC Information Security Manual (ISM)-ISM-0469, ACSC Information Security Manual (ISM)-ISM-1552, APRA (CPS 234) Information Security-CPS234-15, APRA (CPS 234) Information Security-CPS234-16, APRA (CPS 234) Information Security-CPS234-17, APRA (CPS 234) Information Security-CPS234-21, APRA (CPS 234) Information Security-CPS234-23, APRA (CPS 234) Information Security-CPS234-27, APRA (CPS 234) Information Security-CPS234-34, Brazilian Data Protection Law (LGPD)-Article 49, CIS Controls v7.1-14.4, CIS Controls v7.1-16.5, CIS Controls v8-3.10, CSA CCM v.4.0.1-CEK-03, CSA CCM v.4.0.1-DSP-10, CSA CCM v.4.0.1-IVS-03, CSA CCM v.4.0.1-UEM-11, Copy of 1Copy of Brazilian Data Protection Law (LGPD)-Article 49, Copy of APRA (CPS 234) Information Security-CPS234-15, Copy of APRA (CPS 234) Information Security-CPS234-16, Copy of APRA (CPS 234) Information Security-CPS234-17, Copy of APRA (CPS 234) Information Security-CPS234-21, Copy of APRA (CPS 234) Information Security-CPS234-23, Copy of APRA (CPS 234) Information Security-CPS234-27, Copy of APRA (CPS 234) Information Security-CPS234-34, Copy of Brazilian Data Protection Law (LGPD)-Article 49, Cybersecurity Maturity Model Certification (CMMC) v.1.02-SC.3.185, FFIEC-D1.RM.Au.B.2, HITRUST CSF v.9.6.0-01.d, HITRUST CSF v.9.6.0-01.n, HITRUST CSF v.9.6.0-06.d, HITRUST v.9.4.2-Control Reference:09.s, ISO/IEC 27002:2013-10.1.1, ISO/IEC 27002:2013-12.2.1, ISO/IEC 27002:2013-12.3.1, ISO/IEC 27002:2013-13.1.1, ISO/IEC 27002:2013-13.1.2, ISO/IEC 27002:2013-13.1.3, ISO/IEC 27002:2013-13.2.1, ISO/IEC 27002:2013-13.2.3, ISO/IEC 27002:2013-14.1.2, ISO/IEC 27002:2013-14.1.3, ISO/IEC 27002:2013-18.1.3, ISO/IEC 27002:2013-8.3.1, ISO/IEC 27002:2013-8.3.3, ISO/IEC 27017:2015-10.1.1, ISO/IEC 27017:2015-10.1.2, ISO/IEC 27017:2015-6.1.1, ISO/IEC 27018:2019-10.1.2, ISO/IEC 27018:2019-12.3.1, MAS TRM 2021-11.1.1, MAS TRM 2021-14.1.2, NIST CSF-PR.DS-2, NIST CSF-PR.DS-5, NIST SP 800-171 Revision 2-3.13.8, NIST SP 800-172-3.1.3e, PCI DSS v3.2.1-2.3, PCI DSS v3.2.1-4.1, PCI DSS v4.0-1.3.1, Risk Management in Technology (RMiT)-10.68, TestCompliance-CPS234-15, TestCompliance-CPS234-16, TestCompliance-CPS234-17, TestCompliance-CPS234-21, TestCompliance-CPS234-23, TestCompliance-CPS234-27, TestCompliance-CPS234-34
Remediation Steps:
NOTE: Before modifying the SSL setting, you should have configured the proper certificate you want to use for the SSL connection under the DMS 'Certificate' service. Not all databases use SSL in the same way. An Amazon Redshift endpoint already uses an SSL connection and does not require an SSL connection set up by AWS DMS. So there are some exclusions included in the policy to report only those endpoints which can be configured using the DMS SSL feature.
Checkov Title: Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled
PC Policy ID - 99f6fc8c-27a7-4f30-84ef-9a2388e8e938
PC Policy Title - AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to disabled
Compliance Standard - ACSC Information Security Manual (ISM)-ISM-1431, APRA (CPS 234) Information Security-CPS234-23, APRA (CPS 234) Information Security-CPS234-27, APRA (CPS 234) Information Security-CPS234-34, Brazilian Data Protection Law (LGPD)-Article 49, CIS Controls v7.1-5.1, CIS Controls v8-4.6, Copy of 1Copy of Brazilian Data Protection Law (LGPD)-Article 49, Copy of APRA (CPS 234) Information Security-CPS234-23, Copy of APRA (CPS 234) Information Security-CPS234-27, Copy of APRA (CPS 234) Information Security-CPS234-34, Copy of Brazilian Data Protection Law (LGPD)-Article 49, CyberSecurity Law of the People's Republic of China-Article 34, Cybersecurity Maturity Model Certification (CMMC) v.1.02-SC.3.183, Cybersecurity Maturity Model Certification (CMMC) v.1.02-SI.2.216, HITRUST CSF v.9.6.0-10.k, HITRUST CSF v.9.6.0-10.m, HITRUST v.9.4.2-Control Reference:10.a, MAS TRM 2021-7.2.1, MAS TRM 2021-7.2.2, MLPS 2.0-8.1.4.9, NIST 800-53 Rev 5-Predictable Failure Prevention | Failover Capability, NIST 800-53 Rev4-SI-13 (5), NIST CSF-PR.MA-1, NIST SP 800-171 Revision 2-3.7.1, NIST SP 800-172-3.4.1e, NIST SP 800-172-3.4.2e, PCI DSS v3.2.1-6.3, TestCompliance-CPS234-23, TestCompliance-CPS234-27, TestCompliance-CPS234-34
Remediation Steps:
a. Set 'Multi-AZ' to 'Yes'
b. Select 'Apply Immediately' checkbox, to apply the configuration changes immediately. If Apply Immediately is not selected, the changes will be processed during the next maintenance window.
c. Click on 'Modify'