diff --git a/README.md b/README.md index 57d40a6..d83a94a 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,7 @@ HeimdallTools supplies several methods to convert output from various tools to " - **nikto_mapper** - open-source web server scanner - **jfrog_xray_mapper** - package vulnerability scanner - **dbprotect_mapper** - database vulnerability scanner +- **aws_config_mapper** - assess, audit, and evaluate AWS resources Ruby 2.4 or higher (check using "ruby -v") @@ -213,6 +214,26 @@ FLAGS: example: heimdall_tools dbprotect_mapper -x check_results_details_report.xml -o db_protect_hdf.json ``` +## aws_config_mapper + +aws_config_mapper pulls Ruby AWS SDK data to translate AWS Config Rule results into HDF format json to be viewable in Heimdall + +### AWS Config Rule Mapping: + The mapping of AWS Config Rules to 800-53 Controls was sourced from [this link](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html). + +### Authentication with AWS: + [Developer Guide for configuring Ruby AWS SDK for authentication](https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-config.html) + +``` +USAGE: heimdall_tools aws_config_mapper [OPTIONS] -o + +FLAGS: + -o --output : path to output scan-results json. + -V --verbose : verbose run [optional]. + +example: heimdall_tools aws_config_mapper -o aws_config_results_hdf.json +``` + ## version Prints out the gem version diff --git a/heimdall_tools.gemspec b/heimdall_tools.gemspec index 1492574..85e4f13 100644 --- a/heimdall_tools.gemspec +++ b/heimdall_tools.gemspec @@ -26,6 +26,7 @@ Gem::Specification.new do |spec| # rubocop:disable Metrics/BlockLength spec.test_files = spec.files.grep(%r{^(test|spec|features)/}) spec.require_paths = ['lib'] + spec.add_runtime_dependency 'aws-sdk-configservice', '~> 1' spec.add_runtime_dependency 'nokogiri', '~> 1.10.9' spec.add_runtime_dependency 'thor', '~> 0.19' spec.add_runtime_dependency 'json', '~> 2.3' 
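Review bot: The new runtime dependency is declared as `spec.add_runtime_dependency 'aws-sdk-configservice', '~> 1'`, which accepts every 1.x release, whereas the neighbouring pins (`'nokogiri', '~> 1.10.9'`, `'json', '~> 2.3'`) hold a minor series. A floating pin makes installs resolve to different SDK versions over time, which matters here because the mapper writes the SDK version into every report (the sample output records 1.56.0). Consider pinning to the series the code was developed against, e.g. `spec.add_runtime_dependency 'aws-sdk-configservice', '~> 1.56'`, and check that the gem's declared minimum Ruby still matches the README's "Ruby 2.4 or higher" floor once the SDK is pulled in.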
diff --git a/lib/data/aws-config-mapping.csv b/lib/data/aws-config-mapping.csv new file mode 100644 index 0000000..ae830a3 --- /dev/null +++ b/lib/data/aws-config-mapping.csv 
@@ -0,0 +1,107 @@ +AwsConfigRuleName,NIST-ID,Rev +secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4 +iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4 +iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4 +access-keys-rotated,AC-2(1)|AC-2(j),4 +iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4 +securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4 +guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4 +cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4 +cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 +multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 +rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 +cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4 +redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4 +iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4 +s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 +cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 +root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4 +emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4 +iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4 +iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4 +iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4 +s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 
+redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4 +s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +lambda-inside-vpc,AC-4|SC-7|SC-7(3),4 +ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4 +restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4 +restricted-ssh,AC-4|SC-7|SC-7(3),4 +vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4 +vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4 +acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4 +ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4 +emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4 +internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4 +codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4 +ec2-imdsv2-check,AC-6,4 +iam-no-inline-policy-check,AC-6,4 +alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4 +redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4 +s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4 +elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4 +alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4 +elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4 +api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4 +elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4 +vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4 +wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4 +cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4 
+cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4 +s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4 +cw-loggroup-retention-period-check,AU-11|SI-12,4 +ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4 +rds-enhanced-monitoring-enabled,CA-7(a)(b),4 +ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4 +ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4 +ec2-stopped-instance,CM-2,4 +ec2-volume-inuse-check,CM-2|SC-4,4 +elb-deletion-protection-enabled,CM-2|CP-10,4 +cloudtrail-security-trail-enabled,CM-2,4 +ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4 +db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4 +dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4 +elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4 +dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4 +ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4 +efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4 +rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4 +dynamodb-autoscaling-enabled,CP-10|SC-5,4 +rds-multi-az-support,CP-10|SC-5|SC-36,4 +s3-bucket-versioning-enabled,CP-10|SI-12,4 +vpc-vpn-2-tunnels-up,CP-10,4 +elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4 +root-account-hardware-mfa-enabled,IA-2(1)(11),4 +mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4 +iam-user-mfa-enabled,IA-2(1)(2)(11),4 +guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4 +codebuild-project-source-repo-url-check,SA-3(a),4 +autoscaling-group-elb-healthcheck-required,SC-5,4 +rds-instance-deletion-protection-enabled,SC-5,4 +alb-waf-enabled,SC-7|SI-4(a)(b)(c),4 +elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4 +cmk-backing-key-rotation-enabled,SC-12,4 +kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4 +api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4 +efs-encrypted-check,SC-13|SC-28,4 +elasticsearch-encrypted-at-rest,SC-13|SC-28,4 
+encrypted-volumes,SC-13|SC-28,4 +rds-storage-encrypted,SC-13|SC-28,4 +s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4 +sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4 +sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4 +sns-encrypted-kms,SC-13|SC-28,4 +dynamodb-table-encrypted-kms,SC-13,4 +s3-bucket-default-lock-enabled,SC-28,4 +ec2-ebs-encryption-by-default,SC-28,4 +rds-snapshot-encrypted,SC-28,4 +cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4 diff --git a/lib/heimdall_tools.rb b/lib/heimdall_tools.rb index 28a7955..3932476 100644 --- a/lib/heimdall_tools.rb +++ b/lib/heimdall_tools.rb @@ -14,4 +14,5 @@ module HeimdallTools autoload :NiktoMapper, 'heimdall_tools/nikto_mapper' autoload :JfrogXrayMapper, 'heimdall_tools/jfrog_xray_mapper' autoload :DBProtectMapper, 'heimdall_tools/dbprotect_mapper' + autoload :AwsConfigMapper, 'heimdall_tools/aws_config_mapper' end diff --git a/lib/heimdall_tools/aws_config_mapper.rb b/lib/heimdall_tools/aws_config_mapper.rb new file mode 100644 index 0000000..5666185 --- /dev/null +++ b/lib/heimdall_tools/aws_config_mapper.rb 
@@ -0,0 +1,284 @@ +require 'aws-sdk-configservice' +require 'heimdall_tools/hdf' +require 'csv' +require 'json' + +RESOURCE_DIR = Pathname.new(__FILE__).join('../../data') + +AWS_CONFIG_MAPPING_FILE = File.join(RESOURCE_DIR, 'aws-config-mapping.csv') + +NOT_APPLICABLE_MSG = 'No AWS resources found to evaluate complaince for this rule'.freeze +INSUFFICIENT_DATA_MSG = 'Not enough data has been collectd to determine compliance yet.'.freeze + +## +# HDF mapper for use with AWS Config rules. +# +# Ruby AWS Ruby SDK for ConfigService: +# - https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ConfigService/Client.html +# +# rubocop:disable Metrics/AbcSize, Metrics/ClassLength +module HeimdallTools + class AwsConfigMapper + def initialize(custom_mapping, verbose = false) + @verbose = verbose + @default_mapping = get_rule_mapping(AWS_CONFIG_MAPPING_FILE) + @custom_mapping = custom_mapping.nil? ? {} : get_rule_mapping(custom_mapping) + @client = Aws::ConfigService::Client.new + @issues = get_all_config_rules + end + + ## + # Convert to HDF + # + # If there is overlap in rule names from @default_mapping and @custom_mapping, + # then the tags from both will be added to the rule. 
+ def to_hdf + controls = @issues.map do |issue| + @item = {} + @item['id'] = issue[:config_rule_name] + @item['title'] = issue[:config_rule_name] + @item['desc'] = issue[:description] + @item['impact'] = 0.5 + @item['tags'] = hdf_tags(issue) + @item['descriptions'] = hdf_descriptions(issue) + @item['refs'] = NA_ARRAY + @item['source_location'] = { ref: issue[:config_rule_arn], line: 1 } + @item['code'] = '' + @item['results'] = issue[:results] + # Avoid duplicating rules that exist in the custom mapping as 'unmapped' in this loop + if @custom_mapping.include?(issue[:config_rule_name]) && !@default_mapping.include?(issue[:config_rule_name]) + nil + else + @item + end + end + results = HeimdallDataFormat.new( + profile_name: 'AWS Config', + title: 'AWS Config', + summary: 'AWS Config', + controls: controls, + statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION } + ) + results.to_hdf + end + + private + + ## + # Read in a config rule -> 800-53 control mapping CSV. + # + # Params: + # - path: The file path to the CSV file + # + # Returns: A mapped version of the csv in the format { rule_name: row, ... } + def get_rule_mapping(path) + Hash[CSV.read(path, headers: true).map { |row| [row[0], row] }] + end + + ## + # Fetches information on all of the config rules available to the + # AWS account. 
+ # + # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ConfigService/Client.html#describe_config_rules-instance_method + # + # Returns: list of hash for all config rules available + def get_all_config_rules + config_rules = [] + + # Fetch all rules with pagination + response = @client.describe_config_rules + config_rules += response.config_rules + while response.next_token + response = @client.describe_config_rules(next_token: response.next_token) + config_rules += response.config_rules + end + config_rules = config_rules.map(&:to_h) + + # Add necessary data to rules using helpers + add_compliance_to_config_rules(config_rules) + add_results_to_config_rules(config_rules) + end + + ## + # Adds compliance information for config rules to the config rule hash + # from AwsConfigMapper::get_all_config_rules. + # + # `complaince_type` may be any of the following: + # ["COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE", "INSUFFICIENT_DATA"] + # + # Params: + # - config_rules: The list of hash from AwsConfigMapper::get_all_config_rules + # + # Returns: The same config_rules array with `compliance` key added to each rule + def add_compliance_to_config_rules(config_rules) + mapped_compliance_results = fetch_all_compliance_info(config_rules) + + # Add compliance to config_rules + config_rules.each do |rule| + rule[:compliance] = mapped_compliance_results[rule[:config_rule_name]]&.dig(:compliance, :compliance_type) + end + + config_rules + end + + ## + # Fetch and combine all compliance information for the config rules. + # + # AWS allows passing up to 25 rules at a time to this endpoint. + # + # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ConfigService/Client.html#describe_compliance_by_config_rule-instance_method + # + # Params: + # - config_rules: The list of hash from AwsConfigMapper::get_all_config_rules + # + # Returns: Results mapped by config rule in the format { name: {}, ... 
} + def fetch_all_compliance_info(config_rules) + compliance_results = [] + + config_rules.each_slice(25).each do |slice| + config_rule_names = slice.map { |r| r[:config_rule_name] } + response = @client.describe_compliance_by_config_rule(config_rule_names: config_rule_names) + compliance_results += response.compliance_by_config_rules + end + + # Map based on name for easy lookup + Hash[compliance_results.collect { |r| [r.config_rule_name, r.to_h] }] + end + + ## + # Takes in config rules and formats the results for hdf format. + # + # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ConfigService/Client.html#get_compliance_details_by_config_rule-instance_method + # + # Example hdf results: + # [ + # { + # "code_desc": "This rule...", + # "run_time": 0.314016, + # "start_time": "2018-11-18T20:21:40-05:00", + # "status": "passed" + # }, + # ... + # ] + # + # Status may be any of the following: ['passed', 'failed', 'skipped', 'loaded'] + # + # Params: + # - rule: Rules from AwsConfigMapper::get_all_config_rules + # + # Returns: The same config_rules array with `results` key added to each rule. 
+ def add_results_to_config_rules(config_rules) + config_rules.each do |rule| + response = @client.get_compliance_details_by_config_rule(config_rule_name: rule[:config_rule_name], limit: 100) + rule_results = response.to_h[:evaluation_results] + while response.next_token + response = @client.get_compliance_details_by_config_rule(next_token: response.next_token, limit: 100) + rule_results += response.to_h[:evaluation_results] + end + + rule[:results] = [] + rule_results.each do |result| + hdf_result = {} + # code_desc + hdf_result['code_desc'] = result.dig(:evaluation_result_identifier, :evaluation_result_qualifier)&.map do |k, v| + "#{k}: #{v}" + end&.join(', ') + # start_time + hdf_result['start_time'] = if result.key?(:config_rule_invoked_time) + DateTime.parse(result[:config_rule_invoked_time].to_s).strftime('%Y-%m-%dT%H:%M:%S%:z') + end + # run_time + hdf_result['run_time'] = if result.key?(:result_recorded_time) && result.key?(:config_rule_invoked_time) + (result[:result_recorded_time] - result[:config_rule_invoked_time]).round(6) + end + # status + hdf_result['status'] = case result.dig(:compliance_type) + when 'COMPLIANT' + 'passed' + when 'NON_COMPLIANT' + 'failed' + else + 'skipped' + end + hdf_result['message'] = "(#{hdf_result['code_desc']}): #{result[:annotation] || 'Rule does not pass rule compliance'}" if hdf_result['status'] == 'failed' + rule[:results] << hdf_result + end + next unless rule[:results].empty? 
+ + case rule[:compliance] + when 'NOT_APPLICABLE' + rule[:impact] = 0 + rule[:results] << { + 'run_time': 0, + 'code_desc': NOT_APPLICABLE_MSG, + 'skip_message': NOT_APPLICABLE_MSG, + 'start_time': DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'), + 'status': 'skipped' + } + when 'INSUFFICIENT_DATA' + rule[:results] << { + 'run_time': 0, + 'code_desc': INSUFFICIENT_DATA_MSG, + 'skip_message': INSUFFICIENT_DATA_MSG, + 'start_time': DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'), + 'status': 'skipped' + } + end + end + + config_rules + end + + ## + # Takes in a config rule and pulls out tags that are useful for HDF. + # + # Params: + # - config_rule: A single config rule from AwsConfigMapper::get_all_config_rules + # + # Returns: Hash containing all relevant HDF tags + def hdf_tags(config_rule) + result = {} + + @default_mapping + @custom_mapping + + # NIST tag + result['nist'] = [] + default_mapping_match = @default_mapping[config_rule[:config_rule_name]] + + result['nist'] += default_mapping_match[1].split('|') unless default_mapping_match.nil? + + custom_mapping_match = @custom_mapping[config_rule[:config_rule_name]] + + result['nist'] += custom_mapping_match[1].split('|').map { |name| "#{name} (user provided)" } unless custom_mapping_match.nil? + + result['nist'] = ['unmapped'] if result['nist'].empty? + + result + end + + def check_text(config_rule) + params = (JSON.parse(config_rule[:input_parameters]).map { |key, value| "#{key}: #{value}" }).join('
') + check_text = config_rule[:config_rule_arn] + check_text += "
#{params}" unless params.empty? + check_text + end + + ## + # Takes in a config rule and pulls out information for the descriptions array + # + # Params: + # - config_rule: A single config rule from AwsConfigMapper::get_all_config_rules + # + # Returns: Array containing all relevant descriptions information + def hdf_descriptions(config_rule) + [ + { + 'label': 'check', + 'data': check_text(config_rule) + } + ] + end + end +end +# rubocop:enable Metrics/AbcSize, Metrics/ClassLength diff --git a/lib/heimdall_tools/cli.rb b/lib/heimdall_tools/cli.rb index 315130b..6ec08c7 100644 --- a/lib/heimdall_tools/cli.rb +++ b/lib/heimdall_tools/cli.rb @@ -98,7 +98,7 @@ def jfrog_xray_mapper puts "\r\HDF Generated:\n" puts "#{options[:output]}" end - + desc 'dbprotect_mapper', 'dbprotect_mapper translates dbprotect results xml to HDF format Json be viewed on Heimdall' long_desc Help.text(:dbprotect_mapper) option :xml, required: true, aliases: '-x' @@ -111,6 +111,18 @@ def dbprotect_mapper puts "#{options[:output]}" end + desc 'aws_config_mapper', 'aws_config_mapper pulls Ruby AWS SDK data to translate AWS Config Rule results into HDF format Json to be viewable in Heimdall' + long_desc Help.text(:aws_config_mapper) + # option :custom_mapping, required: false, aliases: '-m' + option :output, required: true, aliases: '-o' + option :verbose, type: :boolean, aliases: '-V' + def aws_config_mapper + hdf = HeimdallTools::AwsConfigMapper.new(options[:custom_mapping]).to_hdf + File.write(options[:output], hdf) + puts "\r\HDF Generated:\n" + puts "#{options[:output]}" + end + desc 'version', 'prints version' def version puts VERSION diff --git a/lib/heimdall_tools/hdf.rb b/lib/heimdall_tools/hdf.rb index 4dd998c..5eba87e 100644 --- a/lib/heimdall_tools/hdf.rb +++ b/lib/heimdall_tools/hdf.rb 
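Review bot: `@default_mapping + @custom_mapping` in `hdf_tags` is a bare statement whose value is discarded and, since core Hash defines no `+`, it raises NoMethodError on the first call unless something else in the project adds that method; the line should simply be deleted. In `to_hdf` the map block returns `nil` for rules present only in the custom mapping, and `controls` is never compacted, so the emitted HDF carries null entries in `profiles[].controls` — use `controls: controls.compact` (the README's Ruby 2.4 floor rules out `filter_map`). In `add_results_to_config_rules` the second and later pages are requested as `get_compliance_details_by_config_rule(next_token: response.next_token, limit: 100)` without `config_rule_name:`, which the API requires on every call, and the `rule[:impact] = 0` set for NOT_APPLICABLE is never read because `to_hdf` hardcodes `@item['impact'] = 0.5`. `check_text` calls `JSON.parse(config_rule[:input_parameters])` directly; if the SDK returns nil for a rule with no parameters this raises TypeError, so `JSON.parse(config_rule[:input_parameters] || '{}')` is safer. The user-visible constants misspell "compliance" and "collected" (`complaince`, `collectd`), and `@item` in `to_hdf` is loop state that should be a local rather than an instance variable.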
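Review bot: The new `aws_config_mapper` command passes `options[:custom_mapping]` although the `option :custom_mapping` declaration directly above it is commented out, so the argument is always nil, and the declared `:verbose` flag is never forwarded to the mapper. Either re-enable the option or drop the argument, and pass the flag through: `hdf = HeimdallTools::AwsConfigMapper.new(options[:custom_mapping], options[:verbose]).to_hdf`. The first hunk in this file is whitespace-only and needs no action.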
@@ -29,7 +29,8 @@ def initialize(profile_name: NA_TAG, groups: NA_ARRAY, status: 'loaded', controls: NA_TAG, - target_id: NA_TAG) + target_id: NA_TAG, + statistics: NA_HASH) @results_json = {} @results_json['platform'] = {} @@ -40,6 +41,7 @@ def initialize(profile_name: NA_TAG, @results_json['statistics'] = {} @results_json['statistics']['duration'] = duration || NA_TAG + @results_json['statistics'].merge! statistics @results_json['profiles'] = [] diff --git a/lib/heimdall_tools/help/aws_config_mapper.md b/lib/heimdall_tools/help/aws_config_mapper.md new file mode 100644 index 0000000..c70ed52 --- /dev/null +++ b/lib/heimdall_tools/help/aws_config_mapper.md @@ -0,0 +1,30 @@ + aws_config_mapper pulls Ruby AWS SDK data to translate AWS Config Rule results into HDF format json to be viewable in Heimdall + +AWS Config Rule Mapping: + The mapping of AWS Config Rules to 800-53 Controls was sourced from [this link](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html). + +Authentication with AWS: + [Developer Guide for configuring Ruby AWS SDK for authentication](https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-config.html) + + Authentication Example: + + - Create `~/.aws/credentials` + - Add contents to file, replacing with your access ID and key + + ``` + [default] + aws_access_key_id = your_access_key_id + aws_secret_access_key = your_secret_access_key + ``` + + - (optional) set AWS region through `~/.aws/config` file with contents + + ``` + [default] + output = json + region = us-gov-west-1 + ``` + +Examples: + + heimdall_tools aws_config_mapper -o aws_config_results.json diff --git a/sample_jsons/aws_mapper/aws_config_hdf.json b/sample_jsons/aws_mapper/aws_config_hdf.json new file mode 100644 index 0000000..a964fec --- /dev/null +++ b/sample_jsons/aws_mapper/aws_config_hdf.json 
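Review bot: `@results_json['statistics'].merge! statistics` has no nil guard, unlike `duration || NA_TAG` on the line above, so a caller passing `statistics: nil` gets a TypeError from `merge!`; `@results_json['statistics'].merge!(statistics || NA_HASH)` keeps the existing defaulting style and the conventional parenthesised call. The merge also lets a caller-supplied `duration` key silently overwrite the value just assigned; if that is not intended, merge first and set `duration` afterwards, or add a comment stating that caller-supplied statistics win. The enclosing `initialize` signature begins before the first hunk and its body continues past the second.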
@@ -0,0 +1 @@ +{"platform":{"name":"Heimdall Tools","release":"1.3.34.15.g6a3f140.1.dirty.20210301.064713","target_id":""},"version":"1.3.34.15.g6a3f140.1.dirty.20210301.064713","statistics":{"duration":null,"aws_config_sdk_version":"1.56.0"},"profiles":[{"name":"AWS Config","version":null,"title":"AWS Config","maintainer":null,"summary":"AWS Config","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"id":"access-keys-rotated","title":"access-keys-rotated","desc":"Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(j)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-v5wggf
maxAccessKeyAge: 90"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-v5wggf","line":1},"code":"","results":[{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM3HHXJ3IDT","start_time":"2021-02-28T11:22:38-07:00","run_time":30.417,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-02-28T11:22:38-07:00","run_time":30.403,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-02-28T11:22:38-07:00","run_time":30.455,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6LQJCXJBN","start_time":"2021-02-28T11:22:38-07:00","run_time":30.413,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-02-28T11:22:38-07:00","run_time":30.426,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ6TS75354","start_time":"2021-02-28T11:22:38-07:00","run_time":30.435,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-02-28T11:22:38-07:00","run_time":30.408,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-02-28T11:22:38-07:00","run_time":30.421,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXI6CHWBBF","start_time":"2021-02-28T11:22:38-07:00","run_time":30.46,"status":"passed"},{"code_desc":"config_rule_name: 
access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-02-28T11:22:38-07:00","run_time":30.43,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-02-28T11:22:38-07:00","run_time":30.439,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-02-28T11:22:38-07:00","run_time":30.443,"status":"passed"}]},{"id":"acm-certificate-expiration-check","title":"acm-certificate-expiration-check","desc":"Checks whether ACM Certificates in your account are marked for expiration within the specified number of days. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import.","impact":0.5,"tags":{"nist":["AC-4","AC-17(2)","SC-12"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mu6ogh
daysToExpiration: 14"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mu6ogh","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:14-07:00","status":"skipped"}]},{"id":"alb-http-drop-invalid-header-enabled","title":"alb-http-drop-invalid-header-enabled","desc":"Checks if rule evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop http headers. The rule is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-23"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-166jqk"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-166jqk","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:14-07:00","status":"skipped"}]},{"id":"alb-http-to-https-redirection-check","title":"alb-http-to-https-redirection-check","desc":"Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. 
The rule is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancer do not have HTTP to HTTPS redirection configured.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13","SC-23"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-9x2r4z"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-9x2r4z","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:14-07:00","status":"skipped"}]},{"id":"cloud-trail-cloud-watch-logs-enabled","title":"cloud-trail-cloud-watch-logs-enabled","desc":"Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch logs. The trail is non-compliant if the CloudWatchLogsLogGroupArn property of the trail is empty.","impact":0.5,"tags":{"nist":["AC-2(4)","AC-2(g)","AU-2(a)(d)","AU-3","AU-6(1)(3)","AU-7(1)","AU-12(a)(c)","CA-7(a)(b)","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-poppks"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-poppks","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloud-trail-cloud-watch-logs-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default","start_time":"2021-02-28T11:22:38-07:00","run_time":0.361,"status":"failed","message":"(config_rule_name: cloud-trail-cloud-watch-logs-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default): The CloudTrail trail is not associated with any CloudWatch Logs log group ARN."}]},{"id":"cloud-trail-encryption-enabled","title":"cloud-trail-encryption-enabled","desc":"Checks whether AWS CloudTrail is configured 
to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The rule is compliant if the KmsKeyId is defined.","impact":0.5,"tags":{"nist":["AU-9","SC-13","SC-28"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dgphg5"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dgphg5","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloud-trail-encryption-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default","start_time":"2021-02-28T11:22:38-07:00","run_time":0.221,"status":"failed","message":"(config_rule_name: cloud-trail-encryption-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default): Rule does not pass rule compliance"}]},{"id":"cloudtrail-enabled","title":"cloudtrail-enabled","desc":"Checks whether AWS CloudTrail is enabled in your AWS account.","impact":0.5,"tags":{"nist":["AC-2(4)","AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rql8wz"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rql8wz","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloudtrail-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:38-07:00","run_time":0.173,"status":"passed"}]},{"id":"cloudtrail-s3-dataevents-enabled","title":"cloudtrail-s3-dataevents-enabled","desc":"Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. 
The rule is NON_COMPLIANT if trails log data events for S3 buckets is not configured.","impact":0.5,"tags":{"nist":["AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wyiaz7"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wyiaz7","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloudtrail-s3-dataevents-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:38-07:00","run_time":2.354,"status":"failed","message":"(config_rule_name: cloudtrail-s3-dataevents-enabled, resource_type: AWS::::Account, resource_id: 060708420889): No AWS CloudTrail Trail is configured to log data events for Amazon S3."}]},{"id":"cloudwatch-alarm-action-check","title":"cloudwatch-alarm-action-check","desc":"Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled. Optionally, checks whether any of the actions matches one of the specified ARNs.","impact":0.5,"tags":{"nist":["AC-2(4)","AU-6(1)(3)","AU-7(1)","CA-7(a)(b)","IR-4(1)","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-knb0eo
alarmActionRequired: true
insufficientDataActionRequired: true
okActionRequired: false"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-knb0eo","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:16-07:00","status":"skipped"}]},{"id":"cloudwatch-log-group-encrypted","title":"cloudwatch-log-group-encrypted","desc":"Checks whether a log group in Amazon CloudWatch Logs is encrypted. The rule is NON_COMPLIANT if CloudWatch Logs has log group without encryption enabled.","impact":0.5,"tags":{"nist":["AU-9","SC-13","SC-28"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-8qyc2w"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-8qyc2w","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/Config-to-HDF-Pusher","start_time":"2021-02-28T11:22:38-07:00","run_time":2.258,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/Config-to-HDF-Pusher): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.262,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-AMI_NOT_PUBLIC_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.266,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_NOT_PUBLIC_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OUTDATED_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.27,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OUTDATED_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OWNERID_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.274,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OWNERID_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_NOT_EDGE_OPTIMISED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.278,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_NOT_EDGE_OPTIMISED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_PRIVATE_RESTRICTED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.282,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, 
resource_id: /aws/lambda/RDK-Rule-Function-API_GW_PRIVATE_RESTRICTED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_RESTRICTED_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.286,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_RESTRICTED_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-BUSINESS_SUPPORT_OR_ABOVE_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.29,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-BUSINESS_SUPPORT_OR_ABOVE_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_ENABLED_V2","start_time":"2021-02-28T11:22:38-07:00","run_time":2.293,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_ENABLED_V2): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_S3_DATAEVENTS_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.298,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_S3_DATAEVENTS_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: 
AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDWATCH_LOG_GROUP_ENCRYPTED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.302,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDWATCH_LOG_GROUP_ENCRYPTED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DMS_REPLICATION_NOT_PUBLIC","start_time":"2021-02-28T11:22:38-07:00","run_time":2.305,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DMS_REPLICATION_NOT_PUBLIC): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DYNAMODB_ENCRYPTED_CUSTOM","start_time":"2021-02-28T11:22:38-07:00","run_time":2.309,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DYNAMODB_ENCRYPTED_CUSTOM): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EBS_ENCRYPTED_VOLUMES_V2","start_time":"2021-02-28T11:22:38-07:00","run_time":2.313,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EBS_ENCRYPTED_VOLUMES_V2): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.317,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_INSTANCE_NO_PUBLIC_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.321,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_INSTANCE_NO_PUBLIC_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_Instance_No_Public_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.325,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_Instance_No_Public_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_BADINGRESS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.329,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_BADINGRESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_NOT_USED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.333,"status":"failed","message":"(config_rule_name: 
cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_NOT_USED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME","start_time":"2021-02-28T11:22:38-07:00","run_time":2.337,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECR_REPOSITORY_SCAN_ON_PUSH_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.34,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECR_REPOSITORY_SCAN_ON_PUSH_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_AWSLOGS_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.344,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_AWSLOGS_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_ECRIMAGE_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.348,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_ECRIMAGE_CHECK): This log group is not 
encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EFS_ENCRYPTED_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.352,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EFS_ENCRYPTED_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_LOGGING_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.356,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_LOGGING_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_PUBLIC_ACCESS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.36,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_PUBLIC_ACCESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.364,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-ELASTICSEARCH_ENCRYPTED_AT_REST","start_time":"2021-02-28T11:22:38-07:00","run_time":2.368,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICSEARCH_ENCRYPTED_AT_REST): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICSEARCH_IN_VPC_ONLY","start_time":"2021-02-28T11:22:38-07:00","run_time":2.372,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICSEARCH_IN_VPC_ONLY): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_ALB_PREDEFINED_SSL_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.376,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_ALB_PREDEFINED_SSL_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_DELETION_PROTECTION_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.38,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_DELETION_PROTECTION_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_KERBEROS_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.384,"status":"failed","message":"(config_rule_name: 
cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_KERBEROS_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_MASTER_NO_PUBLIC_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.388,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_MASTER_NO_PUBLIC_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_SECURITY_GROUPS_RESTRICTED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.392,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_SECURITY_GROUPS_RESTRICTED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ENTERPRISE_SUPPORT_PLAN_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.396,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ENTERPRISE_SUPPORT_PLAN_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-GUARDDUTY_UNTREATED_FINDINGS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.4,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-GUARDDUTY_UNTREATED_FINDINGS): This log group is not 
encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_ACCESS_KEY_ROTATED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.404,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_ACCESS_KEY_ROTATED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_GROUP_NO_POLICY_FULL_STAR","start_time":"2021-02-28T11:22:38-07:00","run_time":2.408,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_GROUP_NO_POLICY_FULL_STAR): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_IP_RESTRICTION","start_time":"2021-02-28T11:22:38-07:00","run_time":2.412,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_IP_RESTRICTION): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_NO_USER","start_time":"2021-02-28T11:22:38-07:00","run_time":2.416,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_NO_USER): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-IAM_POLICY_REQUIRED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.42,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_POLICY_REQUIRED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_ROLE_NO_POLICY_FULL_STAR","start_time":"2021-02-28T11:22:38-07:00","run_time":2.424,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_ROLE_NO_POLICY_FULL_STAR): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MATCHES_REGEX_PATTERN","start_time":"2021-02-28T11:22:38-07:00","run_time":2.428,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MATCHES_REGEX_PATTERN): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MFA_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.432,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MFA_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_NO_POLICY_FULL_STAR","start_time":"2021-02-28T11:22:38-07:00","run_time":2.436,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, 
resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_NO_POLICY_FULL_STAR): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_PERMISSION_BOUNDARY_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.44,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_PERMISSION_BOUNDARY_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_USED_LAST_90_DAYS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.444,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_USED_LAST_90_DAYS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INSTANCE_PROFILE_HAVE_DEFINED_POLICIES","start_time":"2021-02-28T11:22:38-07:00","run_time":2.448,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INSTANCE_PROFILE_HAVE_DEFINED_POLICIES): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INTERNET_GATEWAY_AUTHORIZED_ONLY","start_time":"2021-02-28T11:22:38-07:00","run_time":2.452,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INTERNET_GATEWAY_AUTHORIZED_ONLY): This log group is not 
encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-KMS_KEYS_TO_NOT_DELETE","start_time":"2021-02-28T11:22:38-07:00","run_time":2.456,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-KMS_KEYS_TO_NOT_DELETE): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CODE_IS_VERSIONED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.459,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CODE_IS_VERSIONED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CONCURRENCY_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.463,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CONCURRENCY_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_DLQ_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.467,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_DLQ_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-LAMBDA_INSIDE_VPC","start_time":"2021-02-28T11:22:38-07:00","run_time":2.471,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_INSIDE_VPC): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_ROLE_ALLOWED_ON_LOGGING","start_time":"2021-02-28T11:22:38-07:00","run_time":2.476,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_ROLE_ALLOWED_ON_LOGGING): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-REST_API_GW_CUSTOMDOMAIN_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.48,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-REST_API_GW_CUSTOMDOMAIN_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ROOT_NO_ACCESS_KEY","start_time":"2021-02-28T11:22:38-07:00","run_time":2.484,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ROOT_NO_ACCESS_KEY): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_BUCKET_NAMING_CONVENTION","start_time":"2021-02-28T11:22:38-07:00","run_time":2.488,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, 
resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_BUCKET_NAMING_CONVENTION): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT","start_time":"2021-02-28T11:22:38-07:00","run_time":2.492,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_VPC_ENDPOINT_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.496,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_VPC_ENDPOINT_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.499,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_KMS_CONFIGURED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.503,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_KMS_CONFIGURED): This log group 
is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.507,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-07_EC2_Instance_No_Public_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.511,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-07_EC2_Instance_No_Public_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-7_EC2_Instance_No_Public_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.515,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-7_EC2_Instance_No_Public_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SECRETSMANAGER_MAX_SECRET_AGE","start_time":"2021-02-28T11:22:38-07:00","run_time":2.519,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SECRETSMANAGER_MAX_SECRET_AGE): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, 
resource_id: /aws/lambda/RDK-Rule-Function-SHIELD_DRT_ACCESS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.523,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SHIELD_DRT_ACCESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_ENCRYPTED_TOPIC_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.527,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_ENCRYPTED_TOPIC_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_TOPIC_EMAIL_SUB_IN_DOMAINS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.53,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_TOPIC_EMAIL_SUB_IN_DOMAINS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_ENCRYPTION_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.534,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_ENCRYPTION_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_PUBLIC_ACCESS_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.538,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, 
resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_PUBLIC_ACCESS_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_TRANSIT_ENCRYPTION_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.542,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_TRANSIT_ENCRYPTION_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_ENDPOINT_MANUAL_ACCEPTANCE","start_time":"2021-02-28T11:22:38-07:00","run_time":2.546,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_ENDPOINT_MANUAL_ACCEPTANCE): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_FLOW_LOGS_ENABLED_CUSTOM","start_time":"2021-02-28T11:22:38-07:00","run_time":2.55,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_FLOW_LOGS_ENABLED_CUSTOM): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.554,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS): This log group is not 
encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-WAFV2_WEBACL_LOGGING_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.558,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-WAFV2_WEBACL_LOGGING_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ec2-instance-no-public-ip","start_time":"2021-02-28T11:22:38-07:00","run_time":2.562,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ec2-instance-no-public-ip): This log group is not encrypted."}]},{"id":"cmk-backing-key-rotation-enabled","title":"cmk-backing-key-rotation-enabled","desc":"Checks that key rotation is enabled for each key and matches to the key ID of the customer created customer master key (CMK). The rule is compliant, if the key rotation is enabled for specific key object.","impact":0.5,"tags":{"nist":["SC-12"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-16580a"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-16580a","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:17-07:00","status":"skipped"}]},{"id":"dms-replication-not-public","title":"dms-replication-not-public","desc":"Checks whether AWS Database Migration Service replication instances are public. 
The rule is NON_COMPLIANT if PubliclyAccessible field is True.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-loe6n7"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-loe6n7","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:17-07:00","status":"skipped"}]},{"id":"ebs-snapshot-public-restorable-check","title":"ebs-snapshot-public-restorable-check","desc":"Checks whether Amazon Elastic Block Store (Amazon EBS) snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots with RestorableByUserIds field are set to all, that is, Amazon EBS snapshots are public.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ltytju"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ltytju","line":1},"code":"","results":[{"code_desc":"config_rule_name: ebs-snapshot-public-restorable-check, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:38-07:00","run_time":0.705,"status":"passed"}]},{"id":"ec2-instance-detailed-monitoring-enabled","title":"ec2-instance-detailed-monitoring-enabled","desc":"Checks whether detailed monitoring is enabled for EC2 
instances.","impact":0.5,"tags":{"nist":["CA-7(a)(b)","SI-4(2)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-eraa14"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-eraa14","line":1},"code":"","results":[{"code_desc":"config_rule_name: ec2-instance-detailed-monitoring-enabled, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048","start_time":"2021-02-17T11:12:46-07:00","run_time":0.178,"status":"failed","message":"(config_rule_name: ec2-instance-detailed-monitoring-enabled, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048): Rule does not pass rule compliance"}]},{"id":"ec2-instance-managed-by-systems-manager","title":"ec2-instance-managed-by-systems-manager","desc":"Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.","impact":0.5,"tags":{"nist":["CM-2","CM-7(a)","CM-8(1)","CM-8(3)(a)","SA-3(a)","SA-10","SI-2(2)","SI-7(1)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w4lbsi"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w4lbsi","line":1},"code":"","results":[{"code_desc":"config_rule_name: ec2-instance-managed-by-systems-manager, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048","start_time":"2021-02-17T11:11:06-07:00","run_time":0.572,"status":"failed","message":"(config_rule_name: ec2-instance-managed-by-systems-manager, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048): Rule does not pass rule compliance"}]},{"id":"ec2-instance-no-public-ip","title":"ec2-instance-no-public-ip","desc":"Checks whether Amazon EC2 instances have a public IP association or not. The rule is NON_COMPLIANT if the publicIp field is present in the Amazon EC2 instance configuration item. 
This rule applies only to IPv4.","impact":0.5,"tags":{"nist":["AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-hlen6p"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-hlen6p","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:18-07:00","status":"skipped"}]},{"id":"ec2-instances-in-vpc","title":"ec2-instances-in-vpc","desc":"EC2_Instances_In_VPC","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pjmvt8"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pjmvt8","line":1},"code":"","results":[{"code_desc":"config_rule_name: ec2-instances-in-vpc, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048","start_time":"2021-02-17T11:17:29-07:00","run_time":0.131,"status":"passed"}]},{"id":"ec2-managedinstance-association-compliance-status-check","title":"ec2-managedinstance-association-compliance-status-check","desc":"Checks whether the compliance status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. 
The rule is compliant if the field status is COMPLIANT.","impact":0.5,"tags":{"nist":["CM-2","CM-7(a)","CM-8(3)(a)","SI-2(2)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0hrtk5"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0hrtk5","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:18-07:00","status":"skipped"}]},{"id":"ec2-managedinstance-patch-compliance-status-check","title":"ec2-managedinstance-patch-compliance-status-check","desc":"Checks whether the compliance status of the AWS Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the field status is COMPLIANT.","impact":0.5,"tags":{"nist":["CM-8(3)(a)","SI-2(2)","SI-7(1)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-1sinhu"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-1sinhu","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:18-07:00","status":"skipped"}]},{"id":"elasticsearch-in-vpc-only","title":"elasticsearch-in-vpc-only","desc":"Checks whether Amazon Elasticsearch Service domains are in Amazon Virtual Private Cloud (VPC). 
The rule is NON_COMPLIANT if ElasticSearch Service domain endpoint is public.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-7wte5c"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-7wte5c","line":1},"code":"","results":[{"code_desc":"config_rule_name: elasticsearch-in-vpc-only, resource_type: AWS::Elasticsearch::Domain, resource_id: nnc-aws-rdk-controls-es","start_time":"2021-02-28T11:22:38-07:00","run_time":0.628,"status":"failed","message":"(config_rule_name: elasticsearch-in-vpc-only, resource_type: AWS::Elasticsearch::Domain, resource_id: nnc-aws-rdk-controls-es): This ElasticSearch Domain is not attached to a VPC."}]},{"id":"elasticsearch-node-to-node-encryption-check","title":"elasticsearch-node-to-node-encryption-check","desc":"Check that Amazon ElasticSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if the node-to-node encryption is disabled on the domain.","impact":0.5,"tags":{"nist":["SC-7","SC-8","SC-8(1)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pxx8ma"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pxx8ma","line":1},"code":"","results":[{"code_desc":"config_rule_name: elasticsearch-node-to-node-encryption-check, resource_type: AWS::Elasticsearch::Domain, resource_id: 060708420889/nnc-aws-rdk-controls-es","start_time":"2021-02-17T11:12:43-07:00","run_time":0.489,"status":"passed"}]},{"id":"elb-acm-certificate-required","title":"elb-acm-certificate-required","desc":"This rule checks whether the Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager. 
You must use an SSL or HTTPS listener with your Elastic Load Balancer to use this rule.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-qyb8d3"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-qyb8d3","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:18-07:00","status":"skipped"}]},{"id":"elb-tls-https-listeners-only","title":"elb-tls-https-listeners-only","desc":"Checks whether your Classic Load Balancer's listeners are configured with SSL or HTTPS","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-23"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-eaftm7"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-eaftm7","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:18-07:00","status":"skipped"}]},{"id":"emr-kerberos-enabled","title":"emr-kerberos-enabled","desc":"The rule is NON_COMPLIANT if a security configuration is not attached to the cluster or the security configuration does not satisfy the specified rule 
parameters.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-t4onyu"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-t4onyu","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:19-07:00","status":"skipped"}]},{"id":"emr-master-no-public-ip","title":"emr-master-no-public-ip","desc":"Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs. The rule is NON_COMPLIANT if the master node has a public IP.","impact":0.5,"tags":{"nist":["AC-4","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-bngk57"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-bngk57","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:19-07:00","status":"skipped"}]},{"id":"guardduty-enabled-centralized","title":"guardduty-enabled-centralized","desc":"Checks whether GuardDuty is enabled. 
You can optionally verify that the results are centralized in a specific AWS Account.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(4)","AC-2(12)(a)","AC-2(g)","AC-17(1)","AU-6(1)(3)","CA-7(a)(b)","RA-5","SA-10","SI-4(1)","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(16)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-lai5cq"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-lai5cq","line":1},"code":"","results":[{"code_desc":"config_rule_name: guardduty-enabled-centralized, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:38-07:00","run_time":0.447,"status":"failed","message":"(config_rule_name: guardduty-enabled-centralized, resource_type: AWS::::Account, resource_id: 060708420889): Amazon GuardDuty is not configured."}]},{"id":"guardduty-non-archived-findings","title":"guardduty-non-archived-findings","desc":"Checks whether Amazon GuardDuty has findings that are non archived. The rule is NON_COMPLIANT if Amazon GuardDuty has non archived low/medium/high severity findings older than the specified number in the daysLowSev/daysMediumSev/daysHighSev parameter.","impact":0.5,"tags":{"nist":["IR-4(1)","IR-6(1)","IR-7(1)","RA-5","SA-10","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-5mr2cf
daysLowSev: 30
daysMediumSev: 7
daysHighSev: 1"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-5mr2cf","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:20-07:00","status":"skipped"}]},{"id":"iam-group-has-users-check","title":"iam-group-has-users-check","desc":"Checks whether IAM groups have at least one IAM user.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6","SC-2"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-fhqaic"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-fhqaic","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UM5IB6AKZCE","start_time":"2021-02-17T11:17:30-07:00","run_time":8.416,"status":"passed"},{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UMYT3T7DO6V","start_time":"2021-02-17T11:17:31-07:00","run_time":8.719,"status":"passed"},{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UMZCIN36XBA","start_time":"2021-02-17T11:17:30-07:00","run_time":8.358,"status":"passed"},{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UMZNTX7A2AR","start_time":"2021-02-17T11:17:23-07:00","run_time":8.466,"status":"passed"}]},{"id":"iam-password-policy","title":"iam-password-policy","desc":"Checks whether the account password policy for IAM users meets the specified requirements indicated in the parameters. 
This rule is NON_COMPLIANT if the account password policy does not meet the specified requirements.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(f)","AC-2(j)","IA-2","IA-5(1)(a)(d)(e)","IA-5(4)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-kvi8mf
RequireUppercaseCharacters: true
RequireLowercaseCharacters: true
RequireSymbols: true
RequireNumbers: true
MinimumPasswordLength: 14
PasswordReusePrevention: 24
MaxPasswordAge: 90"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-kvi8mf","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-password-policy, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:38-07:00","run_time":0.351,"status":"failed","message":"(config_rule_name: iam-password-policy, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"iam-policy-no-statements-with-admin-access","title":"iam-policy-no-statements-with-admin-access","desc":"Checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\", the rule is non-compliant.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6","SC-2"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-lqfcz3"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-lqfcz3","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:20-07:00","status":"skipped"}]},{"id":"iam-root-access-key-check","title":"iam-root-access-key-check","desc":"Checks whether the root user access key is available. 
The rule is compliant if the user access key does not exist.","impact":0.5,"tags":{"nist":["AC-2(f)","AC-2(j)","AC-3","AC-6","AC-6(10)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-4yxvot"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-4yxvot","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-root-access-key-check, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:39-07:00","run_time":0.473,"status":"failed","message":"(config_rule_name: iam-root-access-key-check, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"iam-user-group-membership-check","title":"iam-user-group-membership-check","desc":"Checks whether IAM users are members of at least one IAM group.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(j)","AC-3","AC-6"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w1kvo8"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w1kvo8","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM3HHXJ3IDT","start_time":"2021-02-17T11:12:46-07:00","run_time":0.115,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-02-17T11:12:45-07:00","run_time":0.244,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-02-17T11:12:42-07:00","run_time":0.145,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: 
AIDAQ4IUA7UM6LQJCXJBN","start_time":"2021-02-17T11:12:43-07:00","run_time":0.122,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-02-17T11:12:43-07:00","run_time":0.142,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ6TS75354","start_time":"2021-02-17T11:12:44-07:00","run_time":0.12,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-02-17T11:12:41-07:00","run_time":0.138,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-02-17T11:12:42-07:00","run_time":0.129,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXI6CHWBBF","start_time":"2021-02-17T11:12:51-07:00","run_time":0.6,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-02-17T11:12:44-07:00","run_time":0.134,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-02-17T11:12:44-07:00","run_time":0.147,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-02-17T11:12:43-07:00","run_time":0.196,"status":"passed"}]},{"id":"iam-user-no-policies-check","title":"iam-user-no-policies-check","desc":"Checks that none of your IAM users have policies attached. 
IAM users must inherit permissions from IAM groups or roles.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ebzliy"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ebzliy","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM3HHXJ3IDT","start_time":"2021-02-17T11:15:02-07:00","run_time":0.14,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-02-17T11:15:03-07:00","run_time":0.184,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-02-17T11:15:05-07:00","run_time":0.246,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6LQJCXJBN","start_time":"2021-02-17T11:15:02-07:00","run_time":0.142,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-02-17T11:15:10-07:00","run_time":0.272,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXI6CHWBBF","start_time":"2021-02-17T11:15:05-07:00","run_time":0.129,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-02-17T11:15:03-07:00","run_time":0.167,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T): Rule does not pass rule 
compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ6TS75354","start_time":"2021-02-17T11:15:04-07:00","run_time":0.13,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ6TS75354): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-02-17T11:15:05-07:00","run_time":0.157,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-02-17T11:15:11-07:00","run_time":0.262,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-02-17T11:15:08-07:00","run_time":0.159,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-02-17T11:14:16-07:00","run_time":0.351,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4): Rule does not pass rule compliance"}]},{"id":"iam-user-unused-credentials-check","title":"iam-user-unused-credentials-check","desc":"Checks whether your AWS Identity and Access Management (IAM) 
users have passwords or active access keys that have not been used within the specified number of days you provided.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(3)","AC-2(f)","AC-3","AC-6"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-xzeiso
maxCredentialUsageAge: 90"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-xzeiso","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-02-28T11:22:39-07:00","run_time":2.062,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-02-28T11:22:39-07:00","run_time":2.113,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6LQJCXJBN","start_time":"2021-02-28T11:22:39-07:00","run_time":2.072,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-02-28T11:22:39-07:00","run_time":2.088,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ6TS75354","start_time":"2021-02-28T11:22:39-07:00","run_time":2.098,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-02-28T11:22:39-07:00","run_time":2.067,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-02-28T11:22:39-07:00","run_time":2.083,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-02-28T11:22:39-07:00","run_time":2.093,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: 
AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-02-28T11:22:39-07:00","run_time":2.103,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-02-28T11:22:39-07:00","run_time":2.108,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM3HHXJ3IDT","start_time":"2021-02-28T11:22:39-07:00","run_time":2.077,"status":"failed","message":"(config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM3HHXJ3IDT): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXI6CHWBBF","start_time":"2021-02-28T11:22:39-07:00","run_time":2.119,"status":"failed","message":"(config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXI6CHWBBF): Rule does not pass rule compliance"}]},{"id":"internet-gateway-authorized-vpc-only","title":"internet-gateway-authorized-vpc-only","desc":"Checks that Internet gateways (IGWs) are only attached to an authorized Amazon Virtual Private Cloud (VPCs). 
The rule is NON_COMPLIANT if IGWs are not attached to an authorized VPC.","impact":0.5,"tags":{"nist":["AC-4","AC-17(3)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-34y1ut"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-34y1ut","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:21-07:00","status":"skipped"}]},{"id":"kms-cmk-not-scheduled-for-deletion","title":"kms-cmk-not-scheduled-for-deletion","desc":"Checks whether customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (KMS). The rule is NON_COMPLAINT if CMKs are scheduled for deletion.","impact":0.5,"tags":{"nist":["SC-12","SC-28"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dkoqk2"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dkoqk2","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:21-07:00","status":"skipped"}]},{"id":"lambda-function-public-access-prohibited","title":"lambda-function-public-access-prohibited","desc":"Checks whether the Lambda function policy prohibits public 
access.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ta3ouk"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ta3ouk","line":1},"code":"","results":[{"code_desc":"config_rule_name: lambda-function-public-access-prohibited, resource_type: AWS::Lambda::Function, resource_id: Config-to-HDF-Pusher","start_time":"2021-02-17T11:10:26-07:00","run_time":0.241,"status":"passed"},{"code_desc":"config_rule_name: lambda-function-public-access-prohibited, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-EC2_Instance_No_Public_IP","start_time":"2021-02-17T11:10:18-07:00","run_time":0.233,"status":"passed"},{"code_desc":"config_rule_name: lambda-function-public-access-prohibited, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-ec2-instance-no-public-ip","start_time":"2021-02-17T11:17:05-07:00","run_time":0.171,"status":"passed"}]},{"id":"lambda-inside-vpc","title":"lambda-inside-vpc","desc":"Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud. 
The rule is NON_COMPLIANT if the Lambda function is not in a VPC.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-luli0h"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-luli0h","line":1},"code":"","results":[{"code_desc":"config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: Config-to-HDF-Pusher","start_time":"2021-02-17T11:12:45-07:00","run_time":0.141,"status":"failed","message":"(config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: Config-to-HDF-Pusher): This AWS Lambda function is not in VPC."},{"code_desc":"config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-EC2_Instance_No_Public_IP","start_time":"2021-02-17T11:12:43-07:00","run_time":0.128,"status":"failed","message":"(config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-EC2_Instance_No_Public_IP): This AWS Lambda function is not in VPC."},{"code_desc":"config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-ec2-instance-no-public-ip","start_time":"2021-02-17T11:17:05-07:00","run_time":0.123,"status":"failed","message":"(config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-ec2-instance-no-public-ip): This AWS Lambda function is not in VPC."}]},{"id":"multi-region-cloudtrail-enabled","title":"multi-region-cloudtrail-enabled","desc":"Checks that there is at least one multi-region AWS CloudTrail. 
The rule is non-compliant if the trails do not match input parameters","impact":0.5,"tags":{"nist":["AC-2(4)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-unsu8r"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-unsu8r","line":1},"code":"","results":[{"code_desc":"config_rule_name: multi-region-cloudtrail-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:39-07:00","run_time":0.206,"status":"failed","message":"(config_rule_name: multi-region-cloudtrail-enabled, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"rds-instance-public-access-check","title":"rds-instance-public-access-check","desc":"Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.","impact":0.5,"tags":{"nist":["AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rgmlwy"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rgmlwy","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:22-07:00","status":"skipped"}]},{"id":"rds-logging-enabled","title":"rds-logging-enabled","desc":"Checks that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled. 
The rule is NON_COMPLIANT if any log types are not enabled.","impact":0.5,"tags":{"nist":["AC-2(4)","AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wxgs9r"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wxgs9r","line":1},"code":"","results":[{"code_desc":"config_rule_name: rds-logging-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:39-07:00","run_time":0.31,"status":"failed","message":"(config_rule_name: rds-logging-enabled, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"rds-snapshots-public-prohibited","title":"rds-snapshots-public-prohibited","desc":"AC-03_RDS_Snapshots_Public_Prohibited","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-1nyo5j"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-1nyo5j","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:22-07:00","status":"skipped"}]},{"id":"redshift-cluster-configuration-check","title":"redshift-cluster-configuration-check","desc":"Checks whether Amazon Redshift clusters have the specified settings.","impact":0.5,"tags":{"nist":["AC-2(4)","AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)","SC-13","SC-28"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nck5qw
clusterDbEncrypted: true
loggingEnabled: true
nodeTypes: dc1.large"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nck5qw","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:23-07:00","status":"skipped"}]},{"id":"redshift-cluster-public-access-check","title":"redshift-cluster-public-access-check","desc":"Checks whether Amazon Redshift clusters are not publicly accessible. The rule is NON_COMPLIANT if the publicly accessible field is true in the cluster configuration item.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-bk3a9o"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-bk3a9o","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:23-07:00","status":"skipped"}]},{"id":"redshift-require-tls-ssl","title":"redshift-require-tls-ssl","desc":"Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. 
The rule is NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0zcjv3"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0zcjv3","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:23-07:00","status":"skipped"}]},{"id":"restricted-common-ports","title":"restricted-common-ports","desc":"Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified ports.","impact":0.5,"tags":{"nist":["AC-4","CM-2","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dedood
blockedPort1: 20
blockedPort2: 21
blockedPort3: 3389
blockedPort4: 3306
blockedPort5: 4333"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dedood","line":1},"code":"","results":[{"code_desc":"config_rule_name: restricted-common-ports, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-05fa730c7a3ec90ee","start_time":"2021-02-17T11:17:30-07:00","run_time":0.105,"status":"passed"},{"code_desc":"config_rule_name: restricted-common-ports, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee","start_time":"2021-02-17T11:17:23-07:00","run_time":0.094,"status":"passed"},{"code_desc":"config_rule_name: restricted-common-ports, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d","start_time":"2021-02-17T11:17:25-07:00","run_time":0.098,"status":"passed"}]},{"id":"restricted-ssh","title":"restricted-ssh","desc":"Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-z3n2ot"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-z3n2ot","line":1},"code":"","results":[{"code_desc":"config_rule_name: restricted-ssh, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-05fa730c7a3ec90ee","start_time":"2021-02-17T11:12:43-07:00","run_time":0.09,"status":"passed"},{"code_desc":"config_rule_name: restricted-ssh, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee","start_time":"2021-02-17T11:12:44-07:00","run_time":0.105,"status":"passed"},{"code_desc":"config_rule_name: restricted-ssh, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d","start_time":"2021-02-17T11:12:42-07:00","run_time":0.109,"status":"passed"}]},{"id":"s3-account-level-public-access-blocks","title":"s3-account-level-public-access-blocks","desc":"Checks whether the 
required public access block settings are configured from account level. The rule is NON_COMPLIANT when the public access block settings are not configured from account level.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nf9cc9
IgnorePublicAcls: true
BlockPublicPolicy: true
BlockPublicAcls: true
RestrictPublicBuckets: true"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nf9cc9","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:23-07:00","status":"skipped"}]},{"id":"s3-bucket-logging-enabled","title":"s3-bucket-logging-enabled","desc":"Checks whether logging is enabled for your S3 buckets.","impact":0.5,"tags":{"nist":["AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w0vbgo"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w0vbgo","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-02-17T11:17:22-07:00","run_time":0.208,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-02-17T11:17:21-07:00","run_time":0.14,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-02-17T11:17:28-07:00","run_time":0.12,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: 
config-rule-code-bucket-060708420889-us-gov-west-1): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-02-17T11:17:23-07:00","run_time":0.136,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-02-17T11:17:29-07:00","run_time":0.126,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-02-17T11:17:29-07:00","run_time":0.163,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-keys2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-02-17T11:17:21-07:00","run_time":0.113,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-02-17T11:17:25-07:00","run_time":0.133,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: 
nnc-temp","start_time":"2021-02-17T11:17:30-07:00","run_time":0.14,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: nnc-temp): Rule does not pass rule compliance"}]},{"id":"s3-bucket-policy-grantee-check","title":"s3-bucket-policy-grantee-check","desc":"Checks that the access granted by the Amazon S3 bucket is restricted to any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present.","impact":0.5,"tags":{"nist":["AC-3","AC-6","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pvpyca"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pvpyca","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-02-17T11:13:48-07:00","run_time":8.568,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-02-17T11:13:48-07:00","run_time":8.457,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-02-17T11:13:47-07:00","run_time":0.391,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-02-17T11:13:48-07:00","run_time":8.341,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-02-17T11:13:48-07:00","run_time":8.285,"status":"passed"},{"code_desc":"config_rule_name: 
s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-02-17T11:13:48-07:00","run_time":8.498,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: nnc-temp","start_time":"2021-02-17T11:13:48-07:00","run_time":8.268,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-02-17T11:13:48-07:00","run_time":9.301,"status":"failed","message":"(config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634): The S3 bucket policy allows other principals, IP addresses and/or VPC IDs than those specified."},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-02-17T11:13:48-07:00","run_time":0.428,"status":"failed","message":"(config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889): The S3 bucket policy allows other principals, IP addresses and/or VPC IDs than those specified."}]},{"id":"s3-bucket-public-read-prohibited","title":"s3-bucket-public-read-prohibited","desc":"Checks that your Amazon S3 buckets do not allow public read access. 
The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0b0dyu"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0b0dyu","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-02-28T11:22:39-07:00","run_time":0.321,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-02-28T11:22:39-07:00","run_time":0.304,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-02-28T11:22:39-07:00","run_time":0.317,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-02-28T11:22:39-07:00","run_time":0.291,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-02-28T11:22:39-07:00","run_time":0.295,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-02-28T11:22:39-07:00","run_time":0.326,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-02-28T11:22:39-07:00","run_time":0.313,"status":"passed"},{"code_desc":"config_rule_name: 
s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-02-28T11:22:39-07:00","run_time":0.3,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: nnc-temp","start_time":"2021-02-28T11:22:39-07:00","run_time":0.308,"status":"passed"}]},{"id":"s3-bucket-ssl-requests-only","title":"s3-bucket-ssl-requests-only","desc":"Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-91k8vf"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-91k8vf","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-02-17T11:17:22-07:00","run_time":0.215,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-02-17T11:17:21-07:00","run_time":0.205,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-02-17T11:17:28-07:00","run_time":0.117,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: 
config-rule-code-bucket-060708420889-us-gov-west-1): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-02-17T11:17:23-07:00","run_time":0.093,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-02-17T11:17:29-07:00","run_time":0.192,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-02-17T11:17:29-07:00","run_time":0.101,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-keys2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-02-17T11:17:21-07:00","run_time":0.102,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-02-17T11:17:25-07:00","run_time":0.103,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: 
nnc-temp","start_time":"2021-02-17T11:17:30-07:00","run_time":0.116,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: nnc-temp): Rule does not pass rule compliance"}]},{"id":"sagemaker-notebook-no-direct-internet-access","title":"sagemaker-notebook-no-direct-internet-access","desc":"Checks whether direct internet access is disabled for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if Amazon SageMaker notebook instances are internet-enabled.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-sickrp"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-sickrp","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:25-07:00","status":"skipped"}]},{"id":"secretsmanager-scheduled-rotation-success-check","title":"secretsmanager-scheduled-rotation-success-check","desc":"Checks whether AWS Secrets Manager secret rotation has rotated successfully as per the rotation schedule. 
The rule returns NON_COMPLIANT if RotationOccurringAsScheduled is false.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(j)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wovrr3"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wovrr3","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:25-07:00","status":"skipped"}]},{"id":"securityhub-enabled","title":"securityhub-enabled","desc":"Checks that AWS Security Hub is enabled for an AWS Account. The rule is NON_COMPLIANT if AWS Security Hub is not enabled.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(4)","AC-2(12)(a)","AC-2(g)","AC-17(1)","AU-6(1)(3)","CA-7(a)(b)","SA-10","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(16)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-6tbsrs"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-6tbsrs","line":1},"code":"","results":[{"code_desc":"config_rule_name: securityhub-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:39-07:00","run_time":0.463,"status":"failed","message":"(config_rule_name: securityhub-enabled, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"vpc-default-security-group-closed","title":"vpc-default-security-group-closed","desc":"Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. 
The rule is non-compliant if the default security group has one or more inbound or outbound traffic.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nlfsem"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nlfsem","line":1},"code":"","results":[{"code_desc":"config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee","start_time":"2021-02-17T11:10:24-07:00","run_time":0.143,"status":"failed","message":"(config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d","start_time":"2021-02-17T11:10:30-07:00","run_time":0.144,"status":"failed","message":"(config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d): Rule does not pass rule compliance"}]},{"id":"vpc-sg-open-only-to-authorized-ports","title":"vpc-sg-open-only-to-authorized-ports","desc":"Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. 
The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible which is not specified in the rule parameters.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-swvu7j"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-swvu7j","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:26-07:00","status":"skipped"}]}],"sha256":"f26dbcc316182f27c49acfc797c417c059477394d7b37edcae945bb039b2a5cc"}]} \ No newline at end of file