diff --git a/lib/heimdall_tools/aws_config_mapper.rb b/lib/heimdall_tools/aws_config_mapper.rb
index 578b2ec..01cbc6c 100644
--- a/lib/heimdall_tools/aws_config_mapper.rb
+++ b/lib/heimdall_tools/aws_config_mapper.rb
@@ -38,8 +38,8 @@ def initialize(custom_mapping, endpoint = nil, verbose = false)
 def to_hdf
 controls = @issues.map do |issue|
 @item = {}
- @item['id'] = issue[:config_rule_name]
- @item['title'] = issue[:config_rule_name]
+ @item['id'] = issue[:config_rule_id]
+ @item['title'] = "#{get_account_id(issue[:config_rule_arn])} - #{issue[:config_rule_name]}"
 @item['desc'] = issue[:description]
 @item['impact'] = 0.5
 @item['tags'] = hdf_tags(issue)
@@ -55,6 +55,7 @@ def to_hdf
 @item
 end
 end
+
 results = HeimdallDataFormat.new(
 profile_name: 'AWS Config',
 title: 'AWS Config',
@@ -67,6 +68,20 @@ def to_hdf
 private
+ ##
+ # Gets the account ID from a config rule ARN
+ #
+ # https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+ # https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
+ #
+ # Params:
+ # - arn: The ARN of the config rule
+ #
+ # Returns: The account ID portion of the ARN
+ def get_account_id(arn)
+ /:(\d{12}):config-rule/.match(arn)&.captures&.first || 'no-account-id'
+ end
+
 ##
 # Read in a config rule -> 800-53 control mapping CSV.
 #
@@ -263,7 +278,8 @@ def check_text(config_rule)
 # If no input parameters, then provide an empty JSON array to the JSON
 # parser because passing nil to JSON.parse throws an exception.
 params = (JSON.parse(config_rule[:input_parameters] || '[]').map { |key, value| "#{key}: #{value}" }).join('
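Review bot: The new `@item['id']` assignment in the first hunk has no fallback, while the title line right below it does (get_account_id falls back to 'no-account-id'), so an issue hash without `:config_rule_id` would yield a control whose id is nil. How `issue` is populated is not visible in this hunk, so this may never happen in practice, but a guard such as `@item['id'] = issue[:config_rule_id] || issue[:config_rule_name]` keeps every control identifiable. A short comment saying why the id moved from the rule name to the rule id would also help anyone comparing older exports, since control ids produced before and after this change will not match. to_hdf's body continues outside the hunk.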
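Review bot: The doc comment on get_account_id says it returns the account ID portion of the ARN but leaves out the fallback: when `arn` is nil or has no 12-digit field before `:config-rule`, the method returns the string 'no-account-id', which then shows up in control titles as if it were a value. I would extend the Returns line to something like `# Returns: The account ID portion of the ARN, or 'no-account-id' when arn is nil or does not match`. Because every unparseable ARN collapses to the same label, rules from different accounts cannot be told apart in that case; if the class keeps the `verbose` flag taken by initialize, emitting a warning on the fallback path would make the gap visible in a compliance export.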
')
- check_text = config_rule[:config_rule_arn] || ''
+ check_text = "ARN: #{config_rule[:config_rule_arn] || 'N/A'}"
+ check_text += "
Source Identifier: #{config_rule.dig(:source, :source_identifier) || 'N/A'}"
 check_text += "
#{params}" unless params.empty?
 check_text
 end
diff --git a/sample_jsons/aws_mapper/aws_config_hdf.json b/sample_jsons/aws_mapper/aws_config_hdf.json
index a964fec..4e00df7 100644
--- a/sample_jsons/aws_mapper/aws_config_hdf.json
+++ b/sample_jsons/aws_mapper/aws_config_hdf.json
@@ -1 +1 @@
-{"platform":{"name":"Heimdall Tools","release":"1.3.34.15.g6a3f140.1.dirty.20210301.064713","target_id":""},"version":"1.3.34.15.g6a3f140.1.dirty.20210301.064713","statistics":{"duration":null,"aws_config_sdk_version":"1.56.0"},"profiles":[{"name":"AWS Config","version":null,"title":"AWS Config","maintainer":null,"summary":"AWS Config","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"id":"access-keys-rotated","title":"access-keys-rotated","desc":"Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(j)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-v5wggf
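Review bot: The two added `check_text` lines interpolate the rule ARN and the source identifier into the check text as-is, next to the input-parameter values joined in the `params` line above them. The separator inside these string literals appears on this page as a raw line break, so it may originally have been a markup line-break tag; if the consumer renders this field as markup, values such as custom-rule input parameters would be displayed unescaped. It is worth confirming how the field is rendered and, if it is markup, escaping each interpolated value before joining, for example `CGI.escapeHTML(value.to_s)`. The start of check_text is outside the hunk.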
maxAccessKeyAge: 90"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-v5wggf","line":1},"code":"","results":[{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM3HHXJ3IDT","start_time":"2021-02-28T11:22:38-07:00","run_time":30.417,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-02-28T11:22:38-07:00","run_time":30.403,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-02-28T11:22:38-07:00","run_time":30.455,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6LQJCXJBN","start_time":"2021-02-28T11:22:38-07:00","run_time":30.413,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-02-28T11:22:38-07:00","run_time":30.426,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ6TS75354","start_time":"2021-02-28T11:22:38-07:00","run_time":30.435,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-02-28T11:22:38-07:00","run_time":30.408,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-02-28T11:22:38-07:00","run_time":30.421,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXI6CHWBBF","start_time":"2021-02-28T11:22:38-07:00","run_time":30.46,"status":"passed"},{"code_desc":"config_rule_name: 
access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-02-28T11:22:38-07:00","run_time":30.43,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-02-28T11:22:38-07:00","run_time":30.439,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-02-28T11:22:38-07:00","run_time":30.443,"status":"passed"}]},{"id":"acm-certificate-expiration-check","title":"acm-certificate-expiration-check","desc":"Checks whether ACM Certificates in your account are marked for expiration within the specified number of days. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import.","impact":0.5,"tags":{"nist":["AC-4","AC-17(2)","SC-12"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mu6ogh
daysToExpiration: 14"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mu6ogh","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:14-07:00","status":"skipped"}]},{"id":"alb-http-drop-invalid-header-enabled","title":"alb-http-drop-invalid-header-enabled","desc":"Checks if rule evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop http headers. The rule is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-23"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-166jqk"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-166jqk","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:14-07:00","status":"skipped"}]},{"id":"alb-http-to-https-redirection-check","title":"alb-http-to-https-redirection-check","desc":"Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. 
The rule is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancer do not have HTTP to HTTPS redirection configured.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13","SC-23"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-9x2r4z"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-9x2r4z","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:14-07:00","status":"skipped"}]},{"id":"cloud-trail-cloud-watch-logs-enabled","title":"cloud-trail-cloud-watch-logs-enabled","desc":"Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch logs. The trail is non-compliant if the CloudWatchLogsLogGroupArn property of the trail is empty.","impact":0.5,"tags":{"nist":["AC-2(4)","AC-2(g)","AU-2(a)(d)","AU-3","AU-6(1)(3)","AU-7(1)","AU-12(a)(c)","CA-7(a)(b)","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-poppks"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-poppks","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloud-trail-cloud-watch-logs-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default","start_time":"2021-02-28T11:22:38-07:00","run_time":0.361,"status":"failed","message":"(config_rule_name: cloud-trail-cloud-watch-logs-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default): The CloudTrail trail is not associated with any CloudWatch Logs log group ARN."}]},{"id":"cloud-trail-encryption-enabled","title":"cloud-trail-encryption-enabled","desc":"Checks whether AWS CloudTrail is configured 
to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The rule is compliant if the KmsKeyId is defined.","impact":0.5,"tags":{"nist":["AU-9","SC-13","SC-28"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dgphg5"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dgphg5","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloud-trail-encryption-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default","start_time":"2021-02-28T11:22:38-07:00","run_time":0.221,"status":"failed","message":"(config_rule_name: cloud-trail-encryption-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default): Rule does not pass rule compliance"}]},{"id":"cloudtrail-enabled","title":"cloudtrail-enabled","desc":"Checks whether AWS CloudTrail is enabled in your AWS account.","impact":0.5,"tags":{"nist":["AC-2(4)","AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rql8wz"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rql8wz","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloudtrail-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:38-07:00","run_time":0.173,"status":"passed"}]},{"id":"cloudtrail-s3-dataevents-enabled","title":"cloudtrail-s3-dataevents-enabled","desc":"Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. 
The rule is NON_COMPLIANT if trails log data events for S3 buckets is not configured.","impact":0.5,"tags":{"nist":["AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wyiaz7"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wyiaz7","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloudtrail-s3-dataevents-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:38-07:00","run_time":2.354,"status":"failed","message":"(config_rule_name: cloudtrail-s3-dataevents-enabled, resource_type: AWS::::Account, resource_id: 060708420889): No AWS CloudTrail Trail is configured to log data events for Amazon S3."}]},{"id":"cloudwatch-alarm-action-check","title":"cloudwatch-alarm-action-check","desc":"Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled. Optionally, checks whether any of the actions matches one of the specified ARNs.","impact":0.5,"tags":{"nist":["AC-2(4)","AU-6(1)(3)","AU-7(1)","CA-7(a)(b)","IR-4(1)","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-knb0eo
alarmActionRequired: true
insufficientDataActionRequired: true
okActionRequired: false"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-knb0eo","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:16-07:00","status":"skipped"}]},{"id":"cloudwatch-log-group-encrypted","title":"cloudwatch-log-group-encrypted","desc":"Checks whether a log group in Amazon CloudWatch Logs is encrypted. The rule is NON_COMPLIANT if CloudWatch Logs has log group without encryption enabled.","impact":0.5,"tags":{"nist":["AU-9","SC-13","SC-28"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-8qyc2w"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-8qyc2w","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/Config-to-HDF-Pusher","start_time":"2021-02-28T11:22:38-07:00","run_time":2.258,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/Config-to-HDF-Pusher): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.262,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-AMI_NOT_PUBLIC_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.266,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_NOT_PUBLIC_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OUTDATED_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.27,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OUTDATED_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OWNERID_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.274,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OWNERID_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_NOT_EDGE_OPTIMISED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.278,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_NOT_EDGE_OPTIMISED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_PRIVATE_RESTRICTED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.282,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, 
resource_id: /aws/lambda/RDK-Rule-Function-API_GW_PRIVATE_RESTRICTED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_RESTRICTED_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.286,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_RESTRICTED_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-BUSINESS_SUPPORT_OR_ABOVE_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.29,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-BUSINESS_SUPPORT_OR_ABOVE_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_ENABLED_V2","start_time":"2021-02-28T11:22:38-07:00","run_time":2.293,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_ENABLED_V2): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_S3_DATAEVENTS_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.298,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_S3_DATAEVENTS_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: 
AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDWATCH_LOG_GROUP_ENCRYPTED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.302,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDWATCH_LOG_GROUP_ENCRYPTED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DMS_REPLICATION_NOT_PUBLIC","start_time":"2021-02-28T11:22:38-07:00","run_time":2.305,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DMS_REPLICATION_NOT_PUBLIC): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DYNAMODB_ENCRYPTED_CUSTOM","start_time":"2021-02-28T11:22:38-07:00","run_time":2.309,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DYNAMODB_ENCRYPTED_CUSTOM): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EBS_ENCRYPTED_VOLUMES_V2","start_time":"2021-02-28T11:22:38-07:00","run_time":2.313,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EBS_ENCRYPTED_VOLUMES_V2): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.317,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_INSTANCE_NO_PUBLIC_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.321,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_INSTANCE_NO_PUBLIC_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_Instance_No_Public_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.325,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_Instance_No_Public_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_BADINGRESS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.329,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_BADINGRESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_NOT_USED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.333,"status":"failed","message":"(config_rule_name: 
cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_NOT_USED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME","start_time":"2021-02-28T11:22:38-07:00","run_time":2.337,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECR_REPOSITORY_SCAN_ON_PUSH_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.34,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECR_REPOSITORY_SCAN_ON_PUSH_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_AWSLOGS_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.344,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_AWSLOGS_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_ECRIMAGE_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.348,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_ECRIMAGE_CHECK): This log group is not 
encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EFS_ENCRYPTED_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.352,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EFS_ENCRYPTED_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_LOGGING_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.356,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_LOGGING_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_PUBLIC_ACCESS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.36,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_PUBLIC_ACCESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.364,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-ELASTICSEARCH_ENCRYPTED_AT_REST","start_time":"2021-02-28T11:22:38-07:00","run_time":2.368,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICSEARCH_ENCRYPTED_AT_REST): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICSEARCH_IN_VPC_ONLY","start_time":"2021-02-28T11:22:38-07:00","run_time":2.372,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICSEARCH_IN_VPC_ONLY): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_ALB_PREDEFINED_SSL_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.376,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_ALB_PREDEFINED_SSL_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_DELETION_PROTECTION_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.38,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_DELETION_PROTECTION_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_KERBEROS_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.384,"status":"failed","message":"(config_rule_name: 
cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_KERBEROS_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_MASTER_NO_PUBLIC_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.388,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_MASTER_NO_PUBLIC_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_SECURITY_GROUPS_RESTRICTED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.392,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_SECURITY_GROUPS_RESTRICTED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ENTERPRISE_SUPPORT_PLAN_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.396,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ENTERPRISE_SUPPORT_PLAN_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-GUARDDUTY_UNTREATED_FINDINGS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.4,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-GUARDDUTY_UNTREATED_FINDINGS): This log group is not 
encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_ACCESS_KEY_ROTATED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.404,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_ACCESS_KEY_ROTATED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_GROUP_NO_POLICY_FULL_STAR","start_time":"2021-02-28T11:22:38-07:00","run_time":2.408,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_GROUP_NO_POLICY_FULL_STAR): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_IP_RESTRICTION","start_time":"2021-02-28T11:22:38-07:00","run_time":2.412,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_IP_RESTRICTION): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_NO_USER","start_time":"2021-02-28T11:22:38-07:00","run_time":2.416,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_NO_USER): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-IAM_POLICY_REQUIRED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.42,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_POLICY_REQUIRED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_ROLE_NO_POLICY_FULL_STAR","start_time":"2021-02-28T11:22:38-07:00","run_time":2.424,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_ROLE_NO_POLICY_FULL_STAR): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MATCHES_REGEX_PATTERN","start_time":"2021-02-28T11:22:38-07:00","run_time":2.428,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MATCHES_REGEX_PATTERN): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MFA_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.432,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MFA_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_NO_POLICY_FULL_STAR","start_time":"2021-02-28T11:22:38-07:00","run_time":2.436,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, 
resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_NO_POLICY_FULL_STAR): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_PERMISSION_BOUNDARY_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.44,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_PERMISSION_BOUNDARY_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_USED_LAST_90_DAYS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.444,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_USED_LAST_90_DAYS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INSTANCE_PROFILE_HAVE_DEFINED_POLICIES","start_time":"2021-02-28T11:22:38-07:00","run_time":2.448,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INSTANCE_PROFILE_HAVE_DEFINED_POLICIES): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INTERNET_GATEWAY_AUTHORIZED_ONLY","start_time":"2021-02-28T11:22:38-07:00","run_time":2.452,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INTERNET_GATEWAY_AUTHORIZED_ONLY): This log group is not 
encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-KMS_KEYS_TO_NOT_DELETE","start_time":"2021-02-28T11:22:38-07:00","run_time":2.456,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-KMS_KEYS_TO_NOT_DELETE): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CODE_IS_VERSIONED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.459,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CODE_IS_VERSIONED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CONCURRENCY_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.463,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CONCURRENCY_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_DLQ_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.467,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_DLQ_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-LAMBDA_INSIDE_VPC","start_time":"2021-02-28T11:22:38-07:00","run_time":2.471,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_INSIDE_VPC): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_ROLE_ALLOWED_ON_LOGGING","start_time":"2021-02-28T11:22:38-07:00","run_time":2.476,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_ROLE_ALLOWED_ON_LOGGING): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-REST_API_GW_CUSTOMDOMAIN_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.48,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-REST_API_GW_CUSTOMDOMAIN_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ROOT_NO_ACCESS_KEY","start_time":"2021-02-28T11:22:38-07:00","run_time":2.484,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ROOT_NO_ACCESS_KEY): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_BUCKET_NAMING_CONVENTION","start_time":"2021-02-28T11:22:38-07:00","run_time":2.488,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, 
resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_BUCKET_NAMING_CONVENTION): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT","start_time":"2021-02-28T11:22:38-07:00","run_time":2.492,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_VPC_ENDPOINT_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.496,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_VPC_ENDPOINT_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.499,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_KMS_CONFIGURED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.503,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_KMS_CONFIGURED): This log group 
is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.507,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-07_EC2_Instance_No_Public_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.511,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-07_EC2_Instance_No_Public_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-7_EC2_Instance_No_Public_IP","start_time":"2021-02-28T11:22:38-07:00","run_time":2.515,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-7_EC2_Instance_No_Public_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SECRETSMANAGER_MAX_SECRET_AGE","start_time":"2021-02-28T11:22:38-07:00","run_time":2.519,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SECRETSMANAGER_MAX_SECRET_AGE): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, 
resource_id: /aws/lambda/RDK-Rule-Function-SHIELD_DRT_ACCESS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.523,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SHIELD_DRT_ACCESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_ENCRYPTED_TOPIC_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.527,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_ENCRYPTED_TOPIC_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_TOPIC_EMAIL_SUB_IN_DOMAINS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.53,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_TOPIC_EMAIL_SUB_IN_DOMAINS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_ENCRYPTION_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.534,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_ENCRYPTION_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_PUBLIC_ACCESS_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.538,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, 
resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_PUBLIC_ACCESS_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_TRANSIT_ENCRYPTION_CHECK","start_time":"2021-02-28T11:22:38-07:00","run_time":2.542,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_TRANSIT_ENCRYPTION_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_ENDPOINT_MANUAL_ACCEPTANCE","start_time":"2021-02-28T11:22:38-07:00","run_time":2.546,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_ENDPOINT_MANUAL_ACCEPTANCE): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_FLOW_LOGS_ENABLED_CUSTOM","start_time":"2021-02-28T11:22:38-07:00","run_time":2.55,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_FLOW_LOGS_ENABLED_CUSTOM): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS","start_time":"2021-02-28T11:22:38-07:00","run_time":2.554,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS): This log group is not 
encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-WAFV2_WEBACL_LOGGING_ENABLED","start_time":"2021-02-28T11:22:38-07:00","run_time":2.558,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-WAFV2_WEBACL_LOGGING_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ec2-instance-no-public-ip","start_time":"2021-02-28T11:22:38-07:00","run_time":2.562,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ec2-instance-no-public-ip): This log group is not encrypted."}]},{"id":"cmk-backing-key-rotation-enabled","title":"cmk-backing-key-rotation-enabled","desc":"Checks that key rotation is enabled for each key and matches to the key ID of the customer created customer master key (CMK). The rule is compliant, if the key rotation is enabled for specific key object.","impact":0.5,"tags":{"nist":["SC-12"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-16580a"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-16580a","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:17-07:00","status":"skipped"}]},{"id":"dms-replication-not-public","title":"dms-replication-not-public","desc":"Checks whether AWS Database Migration Service replication instances are public. 
The rule is NON_COMPLIANT if PubliclyAccessible field is True.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-loe6n7"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-loe6n7","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:17-07:00","status":"skipped"}]},{"id":"ebs-snapshot-public-restorable-check","title":"ebs-snapshot-public-restorable-check","desc":"Checks whether Amazon Elastic Block Store (Amazon EBS) snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots with RestorableByUserIds field are set to all, that is, Amazon EBS snapshots are public.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ltytju"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ltytju","line":1},"code":"","results":[{"code_desc":"config_rule_name: ebs-snapshot-public-restorable-check, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:38-07:00","run_time":0.705,"status":"passed"}]},{"id":"ec2-instance-detailed-monitoring-enabled","title":"ec2-instance-detailed-monitoring-enabled","desc":"Checks whether detailed monitoring is enabled for EC2 
instances.","impact":0.5,"tags":{"nist":["CA-7(a)(b)","SI-4(2)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-eraa14"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-eraa14","line":1},"code":"","results":[{"code_desc":"config_rule_name: ec2-instance-detailed-monitoring-enabled, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048","start_time":"2021-02-17T11:12:46-07:00","run_time":0.178,"status":"failed","message":"(config_rule_name: ec2-instance-detailed-monitoring-enabled, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048): Rule does not pass rule compliance"}]},{"id":"ec2-instance-managed-by-systems-manager","title":"ec2-instance-managed-by-systems-manager","desc":"Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.","impact":0.5,"tags":{"nist":["CM-2","CM-7(a)","CM-8(1)","CM-8(3)(a)","SA-3(a)","SA-10","SI-2(2)","SI-7(1)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w4lbsi"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w4lbsi","line":1},"code":"","results":[{"code_desc":"config_rule_name: ec2-instance-managed-by-systems-manager, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048","start_time":"2021-02-17T11:11:06-07:00","run_time":0.572,"status":"failed","message":"(config_rule_name: ec2-instance-managed-by-systems-manager, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048): Rule does not pass rule compliance"}]},{"id":"ec2-instance-no-public-ip","title":"ec2-instance-no-public-ip","desc":"Checks whether Amazon EC2 instances have a public IP association or not. The rule is NON_COMPLIANT if the publicIp field is present in the Amazon EC2 instance configuration item. 
This rule applies only to IPv4.","impact":0.5,"tags":{"nist":["AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-hlen6p"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-hlen6p","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:18-07:00","status":"skipped"}]},{"id":"ec2-instances-in-vpc","title":"ec2-instances-in-vpc","desc":"EC2_Instances_In_VPC","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pjmvt8"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pjmvt8","line":1},"code":"","results":[{"code_desc":"config_rule_name: ec2-instances-in-vpc, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048","start_time":"2021-02-17T11:17:29-07:00","run_time":0.131,"status":"passed"}]},{"id":"ec2-managedinstance-association-compliance-status-check","title":"ec2-managedinstance-association-compliance-status-check","desc":"Checks whether the compliance status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. 
The rule is compliant if the field status is COMPLIANT.","impact":0.5,"tags":{"nist":["CM-2","CM-7(a)","CM-8(3)(a)","SI-2(2)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0hrtk5"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0hrtk5","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:18-07:00","status":"skipped"}]},{"id":"ec2-managedinstance-patch-compliance-status-check","title":"ec2-managedinstance-patch-compliance-status-check","desc":"Checks whether the compliance status of the AWS Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the field status is COMPLIANT.","impact":0.5,"tags":{"nist":["CM-8(3)(a)","SI-2(2)","SI-7(1)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-1sinhu"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-1sinhu","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:18-07:00","status":"skipped"}]},{"id":"elasticsearch-in-vpc-only","title":"elasticsearch-in-vpc-only","desc":"Checks whether Amazon Elasticsearch Service domains are in Amazon Virtual Private Cloud (VPC). 
The rule is NON_COMPLIANT if ElasticSearch Service domain endpoint is public.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-7wte5c"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-7wte5c","line":1},"code":"","results":[{"code_desc":"config_rule_name: elasticsearch-in-vpc-only, resource_type: AWS::Elasticsearch::Domain, resource_id: nnc-aws-rdk-controls-es","start_time":"2021-02-28T11:22:38-07:00","run_time":0.628,"status":"failed","message":"(config_rule_name: elasticsearch-in-vpc-only, resource_type: AWS::Elasticsearch::Domain, resource_id: nnc-aws-rdk-controls-es): This ElasticSearch Domain is not attached to a VPC."}]},{"id":"elasticsearch-node-to-node-encryption-check","title":"elasticsearch-node-to-node-encryption-check","desc":"Check that Amazon ElasticSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if the node-to-node encryption is disabled on the domain.","impact":0.5,"tags":{"nist":["SC-7","SC-8","SC-8(1)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pxx8ma"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pxx8ma","line":1},"code":"","results":[{"code_desc":"config_rule_name: elasticsearch-node-to-node-encryption-check, resource_type: AWS::Elasticsearch::Domain, resource_id: 060708420889/nnc-aws-rdk-controls-es","start_time":"2021-02-17T11:12:43-07:00","run_time":0.489,"status":"passed"}]},{"id":"elb-acm-certificate-required","title":"elb-acm-certificate-required","desc":"This rule checks whether the Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager. 
You must use an SSL or HTTPS listener with your Elastic Load Balancer to use this rule.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-qyb8d3"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-qyb8d3","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:18-07:00","status":"skipped"}]},{"id":"elb-tls-https-listeners-only","title":"elb-tls-https-listeners-only","desc":"Checks whether your Classic Load Balancer's listeners are configured with SSL or HTTPS","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-23"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-eaftm7"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-eaftm7","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:18-07:00","status":"skipped"}]},{"id":"emr-kerberos-enabled","title":"emr-kerberos-enabled","desc":"The rule is NON_COMPLIANT if a security configuration is not attached to the cluster or the security configuration does not satisfy the specified rule 
parameters.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-t4onyu"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-t4onyu","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:19-07:00","status":"skipped"}]},{"id":"emr-master-no-public-ip","title":"emr-master-no-public-ip","desc":"Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs. The rule is NON_COMPLIANT if the master node has a public IP.","impact":0.5,"tags":{"nist":["AC-4","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-bngk57"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-bngk57","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:19-07:00","status":"skipped"}]},{"id":"guardduty-enabled-centralized","title":"guardduty-enabled-centralized","desc":"Checks whether GuardDuty is enabled. 
You can optionally verify that the results are centralized in a specific AWS Account.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(4)","AC-2(12)(a)","AC-2(g)","AC-17(1)","AU-6(1)(3)","CA-7(a)(b)","RA-5","SA-10","SI-4(1)","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(16)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-lai5cq"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-lai5cq","line":1},"code":"","results":[{"code_desc":"config_rule_name: guardduty-enabled-centralized, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:38-07:00","run_time":0.447,"status":"failed","message":"(config_rule_name: guardduty-enabled-centralized, resource_type: AWS::::Account, resource_id: 060708420889): Amazon GuardDuty is not configured."}]},{"id":"guardduty-non-archived-findings","title":"guardduty-non-archived-findings","desc":"Checks whether Amazon GuardDuty has findings that are non archived. The rule is NON_COMPLIANT if Amazon GuardDuty has non archived low/medium/high severity findings older than the specified number in the daysLowSev/daysMediumSev/daysHighSev parameter.","impact":0.5,"tags":{"nist":["IR-4(1)","IR-6(1)","IR-7(1)","RA-5","SA-10","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-5mr2cf
daysLowSev: 30
daysMediumSev: 7
daysHighSev: 1"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-5mr2cf","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:20-07:00","status":"skipped"}]},{"id":"iam-group-has-users-check","title":"iam-group-has-users-check","desc":"Checks whether IAM groups have at least one IAM user.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6","SC-2"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-fhqaic"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-fhqaic","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UM5IB6AKZCE","start_time":"2021-02-17T11:17:30-07:00","run_time":8.416,"status":"passed"},{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UMYT3T7DO6V","start_time":"2021-02-17T11:17:31-07:00","run_time":8.719,"status":"passed"},{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UMZCIN36XBA","start_time":"2021-02-17T11:17:30-07:00","run_time":8.358,"status":"passed"},{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UMZNTX7A2AR","start_time":"2021-02-17T11:17:23-07:00","run_time":8.466,"status":"passed"}]},{"id":"iam-password-policy","title":"iam-password-policy","desc":"Checks whether the account password policy for IAM users meets the specified requirements indicated in the parameters. 
This rule is NON_COMPLIANT if the account password policy does not meet the specified requirements.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(f)","AC-2(j)","IA-2","IA-5(1)(a)(d)(e)","IA-5(4)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-kvi8mf
RequireUppercaseCharacters: true
RequireLowercaseCharacters: true
RequireSymbols: true
RequireNumbers: true
MinimumPasswordLength: 14
PasswordReusePrevention: 24
MaxPasswordAge: 90"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-kvi8mf","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-password-policy, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:38-07:00","run_time":0.351,"status":"failed","message":"(config_rule_name: iam-password-policy, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"iam-policy-no-statements-with-admin-access","title":"iam-policy-no-statements-with-admin-access","desc":"Checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\", the rule is non-compliant.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6","SC-2"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-lqfcz3"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-lqfcz3","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:20-07:00","status":"skipped"}]},{"id":"iam-root-access-key-check","title":"iam-root-access-key-check","desc":"Checks whether the root user access key is available. 
The rule is compliant if the user access key does not exist.","impact":0.5,"tags":{"nist":["AC-2(f)","AC-2(j)","AC-3","AC-6","AC-6(10)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-4yxvot"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-4yxvot","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-root-access-key-check, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:39-07:00","run_time":0.473,"status":"failed","message":"(config_rule_name: iam-root-access-key-check, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"iam-user-group-membership-check","title":"iam-user-group-membership-check","desc":"Checks whether IAM users are members of at least one IAM group.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(j)","AC-3","AC-6"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w1kvo8"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w1kvo8","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM3HHXJ3IDT","start_time":"2021-02-17T11:12:46-07:00","run_time":0.115,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-02-17T11:12:45-07:00","run_time":0.244,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-02-17T11:12:42-07:00","run_time":0.145,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: 
AIDAQ4IUA7UM6LQJCXJBN","start_time":"2021-02-17T11:12:43-07:00","run_time":0.122,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-02-17T11:12:43-07:00","run_time":0.142,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ6TS75354","start_time":"2021-02-17T11:12:44-07:00","run_time":0.12,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-02-17T11:12:41-07:00","run_time":0.138,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-02-17T11:12:42-07:00","run_time":0.129,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXI6CHWBBF","start_time":"2021-02-17T11:12:51-07:00","run_time":0.6,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-02-17T11:12:44-07:00","run_time":0.134,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-02-17T11:12:44-07:00","run_time":0.147,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-02-17T11:12:43-07:00","run_time":0.196,"status":"passed"}]},{"id":"iam-user-no-policies-check","title":"iam-user-no-policies-check","desc":"Checks that none of your IAM users have policies attached. 
IAM users must inherit permissions from IAM groups or roles.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ebzliy"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ebzliy","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM3HHXJ3IDT","start_time":"2021-02-17T11:15:02-07:00","run_time":0.14,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-02-17T11:15:03-07:00","run_time":0.184,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-02-17T11:15:05-07:00","run_time":0.246,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6LQJCXJBN","start_time":"2021-02-17T11:15:02-07:00","run_time":0.142,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-02-17T11:15:10-07:00","run_time":0.272,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXI6CHWBBF","start_time":"2021-02-17T11:15:05-07:00","run_time":0.129,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-02-17T11:15:03-07:00","run_time":0.167,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T): Rule does not pass rule 
compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ6TS75354","start_time":"2021-02-17T11:15:04-07:00","run_time":0.13,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ6TS75354): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-02-17T11:15:05-07:00","run_time":0.157,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-02-17T11:15:11-07:00","run_time":0.262,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-02-17T11:15:08-07:00","run_time":0.159,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-02-17T11:14:16-07:00","run_time":0.351,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4): Rule does not pass rule compliance"}]},{"id":"iam-user-unused-credentials-check","title":"iam-user-unused-credentials-check","desc":"Checks whether your AWS Identity and Access Management (IAM) 
users have passwords or active access keys that have not been used within the specified number of days you provided.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(3)","AC-2(f)","AC-3","AC-6"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-xzeiso
maxCredentialUsageAge: 90"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-xzeiso","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-02-28T11:22:39-07:00","run_time":2.062,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-02-28T11:22:39-07:00","run_time":2.113,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6LQJCXJBN","start_time":"2021-02-28T11:22:39-07:00","run_time":2.072,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-02-28T11:22:39-07:00","run_time":2.088,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ6TS75354","start_time":"2021-02-28T11:22:39-07:00","run_time":2.098,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-02-28T11:22:39-07:00","run_time":2.067,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-02-28T11:22:39-07:00","run_time":2.083,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-02-28T11:22:39-07:00","run_time":2.093,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: 
AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-02-28T11:22:39-07:00","run_time":2.103,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-02-28T11:22:39-07:00","run_time":2.108,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM3HHXJ3IDT","start_time":"2021-02-28T11:22:39-07:00","run_time":2.077,"status":"failed","message":"(config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM3HHXJ3IDT): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXI6CHWBBF","start_time":"2021-02-28T11:22:39-07:00","run_time":2.119,"status":"failed","message":"(config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXI6CHWBBF): Rule does not pass rule compliance"}]},{"id":"internet-gateway-authorized-vpc-only","title":"internet-gateway-authorized-vpc-only","desc":"Checks that Internet gateways (IGWs) are only attached to an authorized Amazon Virtual Private Cloud (VPCs). 
The rule is NON_COMPLIANT if IGWs are not attached to an authorized VPC.","impact":0.5,"tags":{"nist":["AC-4","AC-17(3)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-34y1ut"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-34y1ut","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:21-07:00","status":"skipped"}]},{"id":"kms-cmk-not-scheduled-for-deletion","title":"kms-cmk-not-scheduled-for-deletion","desc":"Checks whether customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (KMS). The rule is NON_COMPLAINT if CMKs are scheduled for deletion.","impact":0.5,"tags":{"nist":["SC-12","SC-28"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dkoqk2"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dkoqk2","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:21-07:00","status":"skipped"}]},{"id":"lambda-function-public-access-prohibited","title":"lambda-function-public-access-prohibited","desc":"Checks whether the Lambda function policy prohibits public 
access.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ta3ouk"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ta3ouk","line":1},"code":"","results":[{"code_desc":"config_rule_name: lambda-function-public-access-prohibited, resource_type: AWS::Lambda::Function, resource_id: Config-to-HDF-Pusher","start_time":"2021-02-17T11:10:26-07:00","run_time":0.241,"status":"passed"},{"code_desc":"config_rule_name: lambda-function-public-access-prohibited, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-EC2_Instance_No_Public_IP","start_time":"2021-02-17T11:10:18-07:00","run_time":0.233,"status":"passed"},{"code_desc":"config_rule_name: lambda-function-public-access-prohibited, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-ec2-instance-no-public-ip","start_time":"2021-02-17T11:17:05-07:00","run_time":0.171,"status":"passed"}]},{"id":"lambda-inside-vpc","title":"lambda-inside-vpc","desc":"Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud. 
The rule is NON_COMPLIANT if the Lambda function is not in a VPC.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-luli0h"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-luli0h","line":1},"code":"","results":[{"code_desc":"config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: Config-to-HDF-Pusher","start_time":"2021-02-17T11:12:45-07:00","run_time":0.141,"status":"failed","message":"(config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: Config-to-HDF-Pusher): This AWS Lambda function is not in VPC."},{"code_desc":"config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-EC2_Instance_No_Public_IP","start_time":"2021-02-17T11:12:43-07:00","run_time":0.128,"status":"failed","message":"(config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-EC2_Instance_No_Public_IP): This AWS Lambda function is not in VPC."},{"code_desc":"config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-ec2-instance-no-public-ip","start_time":"2021-02-17T11:17:05-07:00","run_time":0.123,"status":"failed","message":"(config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-ec2-instance-no-public-ip): This AWS Lambda function is not in VPC."}]},{"id":"multi-region-cloudtrail-enabled","title":"multi-region-cloudtrail-enabled","desc":"Checks that there is at least one multi-region AWS CloudTrail. 
The rule is non-compliant if the trails do not match input parameters","impact":0.5,"tags":{"nist":["AC-2(4)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-unsu8r"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-unsu8r","line":1},"code":"","results":[{"code_desc":"config_rule_name: multi-region-cloudtrail-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:39-07:00","run_time":0.206,"status":"failed","message":"(config_rule_name: multi-region-cloudtrail-enabled, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"rds-instance-public-access-check","title":"rds-instance-public-access-check","desc":"Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.","impact":0.5,"tags":{"nist":["AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rgmlwy"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rgmlwy","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:22-07:00","status":"skipped"}]},{"id":"rds-logging-enabled","title":"rds-logging-enabled","desc":"Checks that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled. 
The rule is NON_COMPLIANT if any log types are not enabled.","impact":0.5,"tags":{"nist":["AC-2(4)","AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wxgs9r"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wxgs9r","line":1},"code":"","results":[{"code_desc":"config_rule_name: rds-logging-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:39-07:00","run_time":0.31,"status":"failed","message":"(config_rule_name: rds-logging-enabled, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"rds-snapshots-public-prohibited","title":"rds-snapshots-public-prohibited","desc":"AC-03_RDS_Snapshots_Public_Prohibited","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-1nyo5j"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-1nyo5j","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:22-07:00","status":"skipped"}]},{"id":"redshift-cluster-configuration-check","title":"redshift-cluster-configuration-check","desc":"Checks whether Amazon Redshift clusters have the specified settings.","impact":0.5,"tags":{"nist":["AC-2(4)","AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)","SC-13","SC-28"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nck5qw
clusterDbEncrypted: true
loggingEnabled: true
nodeTypes: dc1.large"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nck5qw","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:23-07:00","status":"skipped"}]},{"id":"redshift-cluster-public-access-check","title":"redshift-cluster-public-access-check","desc":"Checks whether Amazon Redshift clusters are not publicly accessible. The rule is NON_COMPLIANT if the publicly accessible field is true in the cluster configuration item.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-bk3a9o"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-bk3a9o","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:23-07:00","status":"skipped"}]},{"id":"redshift-require-tls-ssl","title":"redshift-require-tls-ssl","desc":"Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. 
The rule is NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0zcjv3"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0zcjv3","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:23-07:00","status":"skipped"}]},{"id":"restricted-common-ports","title":"restricted-common-ports","desc":"Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified ports.","impact":0.5,"tags":{"nist":["AC-4","CM-2","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dedood
blockedPort1: 20
blockedPort2: 21
blockedPort3: 3389
blockedPort4: 3306
blockedPort5: 4333"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dedood","line":1},"code":"","results":[{"code_desc":"config_rule_name: restricted-common-ports, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-05fa730c7a3ec90ee","start_time":"2021-02-17T11:17:30-07:00","run_time":0.105,"status":"passed"},{"code_desc":"config_rule_name: restricted-common-ports, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee","start_time":"2021-02-17T11:17:23-07:00","run_time":0.094,"status":"passed"},{"code_desc":"config_rule_name: restricted-common-ports, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d","start_time":"2021-02-17T11:17:25-07:00","run_time":0.098,"status":"passed"}]},{"id":"restricted-ssh","title":"restricted-ssh","desc":"Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-z3n2ot"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-z3n2ot","line":1},"code":"","results":[{"code_desc":"config_rule_name: restricted-ssh, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-05fa730c7a3ec90ee","start_time":"2021-02-17T11:12:43-07:00","run_time":0.09,"status":"passed"},{"code_desc":"config_rule_name: restricted-ssh, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee","start_time":"2021-02-17T11:12:44-07:00","run_time":0.105,"status":"passed"},{"code_desc":"config_rule_name: restricted-ssh, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d","start_time":"2021-02-17T11:12:42-07:00","run_time":0.109,"status":"passed"}]},{"id":"s3-account-level-public-access-blocks","title":"s3-account-level-public-access-blocks","desc":"Checks whether the 
required public access block settings are configured from account level. The rule is NON_COMPLIANT when the public access block settings are not configured from account level.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nf9cc9
IgnorePublicAcls: true
BlockPublicPolicy: true
BlockPublicAcls: true
RestrictPublicBuckets: true"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nf9cc9","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:23-07:00","status":"skipped"}]},{"id":"s3-bucket-logging-enabled","title":"s3-bucket-logging-enabled","desc":"Checks whether logging is enabled for your S3 buckets.","impact":0.5,"tags":{"nist":["AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w0vbgo"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w0vbgo","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-02-17T11:17:22-07:00","run_time":0.208,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-02-17T11:17:21-07:00","run_time":0.14,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-02-17T11:17:28-07:00","run_time":0.12,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: 
config-rule-code-bucket-060708420889-us-gov-west-1): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-02-17T11:17:23-07:00","run_time":0.136,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-02-17T11:17:29-07:00","run_time":0.126,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-02-17T11:17:29-07:00","run_time":0.163,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-keys2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-02-17T11:17:21-07:00","run_time":0.113,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-02-17T11:17:25-07:00","run_time":0.133,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: 
nnc-temp","start_time":"2021-02-17T11:17:30-07:00","run_time":0.14,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: nnc-temp): Rule does not pass rule compliance"}]},{"id":"s3-bucket-policy-grantee-check","title":"s3-bucket-policy-grantee-check","desc":"Checks that the access granted by the Amazon S3 bucket is restricted to any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present.","impact":0.5,"tags":{"nist":["AC-3","AC-6","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pvpyca"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-pvpyca","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-02-17T11:13:48-07:00","run_time":8.568,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-02-17T11:13:48-07:00","run_time":8.457,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-02-17T11:13:47-07:00","run_time":0.391,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-02-17T11:13:48-07:00","run_time":8.341,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-02-17T11:13:48-07:00","run_time":8.285,"status":"passed"},{"code_desc":"config_rule_name: 
s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-02-17T11:13:48-07:00","run_time":8.498,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: nnc-temp","start_time":"2021-02-17T11:13:48-07:00","run_time":8.268,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-02-17T11:13:48-07:00","run_time":9.301,"status":"failed","message":"(config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634): The S3 bucket policy allows other principals, IP addresses and/or VPC IDs than those specified."},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-02-17T11:13:48-07:00","run_time":0.428,"status":"failed","message":"(config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889): The S3 bucket policy allows other principals, IP addresses and/or VPC IDs than those specified."}]},{"id":"s3-bucket-public-read-prohibited","title":"s3-bucket-public-read-prohibited","desc":"Checks that your Amazon S3 buckets do not allow public read access. 
The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0b0dyu"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-0b0dyu","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-02-28T11:22:39-07:00","run_time":0.321,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-02-28T11:22:39-07:00","run_time":0.304,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-02-28T11:22:39-07:00","run_time":0.317,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-02-28T11:22:39-07:00","run_time":0.291,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-02-28T11:22:39-07:00","run_time":0.295,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-02-28T11:22:39-07:00","run_time":0.326,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-02-28T11:22:39-07:00","run_time":0.313,"status":"passed"},{"code_desc":"config_rule_name: 
s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-02-28T11:22:39-07:00","run_time":0.3,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: nnc-temp","start_time":"2021-02-28T11:22:39-07:00","run_time":0.308,"status":"passed"}]},{"id":"s3-bucket-ssl-requests-only","title":"s3-bucket-ssl-requests-only","desc":"Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-91k8vf"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-91k8vf","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-02-17T11:17:22-07:00","run_time":0.215,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-02-17T11:17:21-07:00","run_time":0.205,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-02-17T11:17:28-07:00","run_time":0.117,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: 
config-rule-code-bucket-060708420889-us-gov-west-1): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-02-17T11:17:23-07:00","run_time":0.093,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-02-17T11:17:29-07:00","run_time":0.192,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-02-17T11:17:29-07:00","run_time":0.101,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-keys2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-02-17T11:17:21-07:00","run_time":0.102,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-02-17T11:17:25-07:00","run_time":0.103,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: 
nnc-temp","start_time":"2021-02-17T11:17:30-07:00","run_time":0.116,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: nnc-temp): Rule does not pass rule compliance"}]},{"id":"sagemaker-notebook-no-direct-internet-access","title":"sagemaker-notebook-no-direct-internet-access","desc":"Checks whether direct internet access is disabled for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if Amazon SageMaker notebook instances are internet-enabled.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-sickrp"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-sickrp","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:25-07:00","status":"skipped"}]},{"id":"secretsmanager-scheduled-rotation-success-check","title":"secretsmanager-scheduled-rotation-success-check","desc":"Checks whether AWS Secrets Manager secret rotation has rotated successfully as per the rotation schedule. 
The rule returns NON_COMPLIANT if RotationOccurringAsScheduled is false.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(j)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wovrr3"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wovrr3","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:25-07:00","status":"skipped"}]},{"id":"securityhub-enabled","title":"securityhub-enabled","desc":"Checks that AWS Security Hub is enabled for an AWS Account. The rule is NON_COMPLIANT if AWS Security Hub is not enabled.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(4)","AC-2(12)(a)","AC-2(g)","AC-17(1)","AU-6(1)(3)","CA-7(a)(b)","SA-10","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(16)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-6tbsrs"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-6tbsrs","line":1},"code":"","results":[{"code_desc":"config_rule_name: securityhub-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-02-28T11:22:39-07:00","run_time":0.463,"status":"failed","message":"(config_rule_name: securityhub-enabled, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"vpc-default-security-group-closed","title":"vpc-default-security-group-closed","desc":"Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. 
The rule is non-compliant if the default security group has one or more inbound or outbound traffic.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nlfsem"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-nlfsem","line":1},"code":"","results":[{"code_desc":"config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee","start_time":"2021-02-17T11:10:24-07:00","run_time":0.143,"status":"failed","message":"(config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d","start_time":"2021-02-17T11:10:30-07:00","run_time":0.144,"status":"failed","message":"(config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d): Rule does not pass rule compliance"}]},{"id":"vpc-sg-open-only-to-authorized-ports","title":"vpc-sg-open-only-to-authorized-ports","desc":"Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. 
The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible which is not specified in the rule parameters.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-swvu7j"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-swvu7j","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-03-01T06:47:26-07:00","status":"skipped"}]}],"sha256":"f26dbcc316182f27c49acfc797c417c059477394d7b37edcae945bb039b2a5cc"}]} \ No newline at end of file +{"platform":{"name":"Heimdall Tools","release":"1.3.40.7.g59ec875.1.dirty.20210409.121336","target_id":""},"version":"1.3.40.7.g59ec875.1.dirty.20210409.121336","statistics":{"duration":null,"aws_config_sdk_version":"1.56.0"},"profiles":[{"name":"AWS Config","version":null,"title":"AWS Config","maintainer":null,"summary":"AWS Config","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"id":"config-rule-7hytm9","title":"060708420889 - access-keys-rotated","desc":"Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(j)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-7hytm9
Source Identifier: ACCESS_KEYS_ROTATED
maxAccessKeyAge: 90"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-7hytm9","line":1},"code":"","results":[{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-04-09T08:39:21-06:00","run_time":30.614,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-04-09T08:39:21-06:00","run_time":30.643,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-04-09T08:39:21-06:00","run_time":30.627,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-04-09T08:39:21-06:00","run_time":30.619,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-04-09T08:39:21-06:00","run_time":30.623,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-04-09T08:39:21-06:00","run_time":30.635,"status":"passed"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-04-09T08:39:21-06:00","run_time":30.631,"status":"failed","message":"(config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-04-09T08:39:21-06:00","run_time":30.639,"status":"failed","message":"(config_rule_name: access-keys-rotated, resource_type: AWS::IAM::User, 
resource_id: AIDAQ4IUA7UMZDKJGS3J4): Rule does not pass rule compliance"}]},{"id":"config-rule-hhbv4i","title":"060708420889 - acm-certificate-expiration-check","desc":"Checks whether ACM Certificates in your account are marked for expiration within the specified number of days. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import.","impact":0.5,"tags":{"nist":["AC-4","AC-17(2)","SC-12"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-hhbv4i
Source Identifier: ACM_CERTIFICATE_EXPIRATION_CHECK
daysToExpiration: 14"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-hhbv4i","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:39-06:00","status":"skipped"}]},{"id":"config-rule-zxnruv","title":"060708420889 - alb-http-drop-invalid-header-enabled","desc":"Checks if rule evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop http headers. The rule is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-23"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-zxnruv
Source Identifier: ALB_HTTP_DROP_INVALID_HEADER_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-zxnruv","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:39-06:00","status":"skipped"}]},{"id":"config-rule-mdbqxw","title":"060708420889 - alb-http-to-https-redirection-check","desc":"Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The rule is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancer do not have HTTP to HTTPS redirection configured.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13","SC-23"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mdbqxw
Source Identifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mdbqxw","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:39-06:00","status":"skipped"}]},{"id":"config-rule-72hqtt","title":"060708420889 - cloud-trail-cloud-watch-logs-enabled","desc":"Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch logs. The trail is non-compliant if the CloudWatchLogsLogGroupArn property of the trail is empty.","impact":0.5,"tags":{"nist":["AC-2(4)","AC-2(g)","AU-2(a)(d)","AU-3","AU-6(1)(3)","AU-7(1)","AU-12(a)(c)","CA-7(a)(b)","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-72hqtt
Source Identifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-72hqtt","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloud-trail-cloud-watch-logs-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default","start_time":"2021-04-09T08:39:21-06:00","run_time":0.388,"status":"failed","message":"(config_rule_name: cloud-trail-cloud-watch-logs-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default): The CloudTrail trail is not associated with any CloudWatch Logs log group ARN."}]},{"id":"config-rule-mmxruj","title":"060708420889 - cloud-trail-encryption-enabled","desc":"Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The rule is compliant if the KmsKeyId is defined.","impact":0.5,"tags":{"nist":["AU-9","SC-13","SC-28"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mmxruj
Source Identifier: CLOUD_TRAIL_ENCRYPTION_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mmxruj","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloud-trail-encryption-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default","start_time":"2021-04-09T08:39:21-06:00","run_time":0.224,"status":"failed","message":"(config_rule_name: cloud-trail-encryption-enabled, resource_type: AWS::CloudTrail::Trail, resource_id: Default): Rule does not pass rule compliance"}]},{"id":"config-rule-uqo3pz","title":"060708420889 - cloudtrail-enabled","desc":"Checks whether AWS CloudTrail is enabled in your AWS account.","impact":0.5,"tags":{"nist":["AC-2(4)","AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-uqo3pz
Source Identifier: CLOUD_TRAIL_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-uqo3pz","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloudtrail-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-04-09T08:39:21-06:00","run_time":0.191,"status":"passed"}]},{"id":"config-rule-i3z0au","title":"060708420889 - cloudtrail-s3-dataevents-enabled","desc":"Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets. The rule is NON_COMPLIANT if trails log data events for S3 buckets is not configured.","impact":0.5,"tags":{"nist":["AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-i3z0au
Source Identifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-i3z0au","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloudtrail-s3-dataevents-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-04-09T08:39:21-06:00","run_time":0.506,"status":"failed","message":"(config_rule_name: cloudtrail-s3-dataevents-enabled, resource_type: AWS::::Account, resource_id: 060708420889): No AWS CloudTrail Trail is configured to log data events for Amazon S3."}]},{"id":"config-rule-rdwwdx","title":"060708420889 - cloudwatch-alarm-action-check","desc":"Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled. Optionally, checks whether any of the actions matches one of the specified ARNs.","impact":0.5,"tags":{"nist":["AC-2(4)","AU-6(1)(3)","AU-7(1)","CA-7(a)(b)","IR-4(1)","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rdwwdx
Source Identifier: CLOUDWATCH_ALARM_ACTION_CHECK
alarmActionRequired: true
insufficientDataActionRequired: true
okActionRequired: false"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rdwwdx","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:40-06:00","status":"skipped"}]},{"id":"config-rule-9joxmn","title":"060708420889 - cloudwatch-log-group-encrypted","desc":"Checks whether a log group in Amazon CloudWatch Logs is encrypted. The rule is NON_COMPLIANT if CloudWatch Logs has log group without encryption enabled.","impact":0.5,"tags":{"nist":["AU-9","SC-13","SC-28"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-9joxmn
Source Identifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-9joxmn","line":1},"code":"","results":[{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/Config-to-HDF-Pusher","start_time":"2021-04-09T08:39:21-06:00","run_time":1.377,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/Config-to-HDF-Pusher): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/ConfigToHdf","start_time":"2021-04-09T08:39:21-06:00","run_time":1.382,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/ConfigToHdf): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.389,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_NOT_PUBLIC_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.394,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_NOT_PUBLIC_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: 
AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OUTDATED_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.407,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OUTDATED_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OWNERID_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.412,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-AMI_OWNERID_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_NOT_EDGE_OPTIMISED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.417,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_NOT_EDGE_OPTIMISED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_PRIVATE_RESTRICTED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.422,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_PRIVATE_RESTRICTED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_RESTRICTED_IP","start_time":"2021-04-09T08:39:21-06:00","run_time":1.427,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, 
resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-API_GW_RESTRICTED_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-BUSINESS_SUPPORT_OR_ABOVE_ENABLED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.432,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-BUSINESS_SUPPORT_OR_ABOVE_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_ENABLED_V2","start_time":"2021-04-09T08:39:21-06:00","run_time":1.437,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_ENABLED_V2): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_S3_DATAEVENTS_ENABLED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.442,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDTRAIL_S3_DATAEVENTS_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDWATCH_LOG_GROUP_ENCRYPTED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.447,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-CLOUDWATCH_LOG_GROUP_ENCRYPTED): This log group is not 
encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DMS_REPLICATION_NOT_PUBLIC","start_time":"2021-04-09T08:39:21-06:00","run_time":1.452,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DMS_REPLICATION_NOT_PUBLIC): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DYNAMODB_ENCRYPTED_CUSTOM","start_time":"2021-04-09T08:39:21-06:00","run_time":1.457,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-DYNAMODB_ENCRYPTED_CUSTOM): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EBS_ENCRYPTED_VOLUMES_V2","start_time":"2021-04-09T08:39:21-06:00","run_time":1.462,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EBS_ENCRYPTED_VOLUMES_V2): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.466,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-EC2_INSTANCE_NO_PUBLIC_IP","start_time":"2021-04-09T08:39:21-06:00","run_time":1.472,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_INSTANCE_NO_PUBLIC_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_Instance_No_Public_IP","start_time":"2021-04-09T08:39:21-06:00","run_time":1.484,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_Instance_No_Public_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_BADINGRESS","start_time":"2021-04-09T08:39:21-06:00","run_time":1.498,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_BADINGRESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_NOT_USED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.504,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_SECURITY_GROUP_NOT_USED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME","start_time":"2021-04-09T08:39:21-06:00","run_time":1.509,"status":"failed","message":"(config_rule_name: 
cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EC2_TAG_MATCHES_INSTANCE_PROFILE_NAME): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECR_REPOSITORY_SCAN_ON_PUSH_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.514,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECR_REPOSITORY_SCAN_ON_PUSH_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_AWSLOGS_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.519,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_AWSLOGS_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_ECRIMAGE_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.524,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ECS_ECRIMAGE_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EFS_ENCRYPTED_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.529,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EFS_ENCRYPTED_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: 
cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_LOGGING_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.534,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_LOGGING_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_PUBLIC_ACCESS","start_time":"2021-04-09T08:39:21-06:00","run_time":1.539,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EKS_PUBLIC_ACCESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.544,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICACHE_REDIS_CLUSTER_AUTO_BACKUP_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICSEARCH_ENCRYPTED_AT_REST","start_time":"2021-04-09T08:39:21-06:00","run_time":1.549,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICSEARCH_ENCRYPTED_AT_REST): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-ELASTICSEARCH_IN_VPC_ONLY","start_time":"2021-04-09T08:39:21-06:00","run_time":1.554,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELASTICSEARCH_IN_VPC_ONLY): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_ALB_PREDEFINED_SSL_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.559,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_ALB_PREDEFINED_SSL_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_DELETION_PROTECTION_ENABLED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.564,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ELB_DELETION_PROTECTION_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_KERBEROS_ENABLED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.569,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_KERBEROS_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_MASTER_NO_PUBLIC_IP","start_time":"2021-04-09T08:39:21-06:00","run_time":1.574,"status":"failed","message":"(config_rule_name: 
cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_MASTER_NO_PUBLIC_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_SECURITY_GROUPS_RESTRICTED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.588,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-EMR_SECURITY_GROUPS_RESTRICTED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ENTERPRISE_SUPPORT_PLAN_ENABLED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.594,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ENTERPRISE_SUPPORT_PLAN_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-GUARDDUTY_UNTREATED_FINDINGS","start_time":"2021-04-09T08:39:21-06:00","run_time":1.599,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-GUARDDUTY_UNTREATED_FINDINGS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_ACCESS_KEY_ROTATED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.605,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_ACCESS_KEY_ROTATED): This log group is not 
encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_GROUP_NO_POLICY_FULL_STAR","start_time":"2021-04-09T08:39:21-06:00","run_time":1.61,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_GROUP_NO_POLICY_FULL_STAR): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_IP_RESTRICTION","start_time":"2021-04-09T08:39:21-06:00","run_time":1.615,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_IP_RESTRICTION): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_NO_USER","start_time":"2021-04-09T08:39:21-06:00","run_time":1.62,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_NO_USER): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_POLICY_REQUIRED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.625,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_POLICY_REQUIRED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-IAM_ROLE_NO_POLICY_FULL_STAR","start_time":"2021-04-09T08:39:21-06:00","run_time":1.629,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_ROLE_NO_POLICY_FULL_STAR): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MATCHES_REGEX_PATTERN","start_time":"2021-04-09T08:39:21-06:00","run_time":1.635,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MATCHES_REGEX_PATTERN): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MFA_ENABLED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.639,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_MFA_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_NO_POLICY_FULL_STAR","start_time":"2021-04-09T08:39:21-06:00","run_time":1.645,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_NO_POLICY_FULL_STAR): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_PERMISSION_BOUNDARY_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.65,"status":"failed","message":"(config_rule_name: 
cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_PERMISSION_BOUNDARY_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_USED_LAST_90_DAYS","start_time":"2021-04-09T08:39:21-06:00","run_time":1.655,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-IAM_USER_USED_LAST_90_DAYS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INSTANCE_PROFILE_HAVE_DEFINED_POLICIES","start_time":"2021-04-09T08:39:21-06:00","run_time":1.66,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INSTANCE_PROFILE_HAVE_DEFINED_POLICIES): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INTERNET_GATEWAY_AUTHORIZED_ONLY","start_time":"2021-04-09T08:39:21-06:00","run_time":1.665,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-INTERNET_GATEWAY_AUTHORIZED_ONLY): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-KMS_KEYS_TO_NOT_DELETE","start_time":"2021-04-09T08:39:21-06:00","run_time":1.671,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-KMS_KEYS_TO_NOT_DELETE): This log group 
is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CODE_IS_VERSIONED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.676,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CODE_IS_VERSIONED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CONCURRENCY_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.681,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_CONCURRENCY_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_DLQ_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.686,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_DLQ_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_INSIDE_VPC","start_time":"2021-04-09T08:39:21-06:00","run_time":1.691,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_INSIDE_VPC): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-LAMBDA_ROLE_ALLOWED_ON_LOGGING","start_time":"2021-04-09T08:39:21-06:00","run_time":1.696,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-LAMBDA_ROLE_ALLOWED_ON_LOGGING): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-REST_API_GW_CUSTOMDOMAIN_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.701,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-REST_API_GW_CUSTOMDOMAIN_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ROOT_NO_ACCESS_KEY","start_time":"2021-04-09T08:39:21-06:00","run_time":1.706,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ROOT_NO_ACCESS_KEY): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_BUCKET_NAMING_CONVENTION","start_time":"2021-04-09T08:39:21-06:00","run_time":1.711,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_BUCKET_NAMING_CONVENTION): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT","start_time":"2021-04-09T08:39:21-06:00","run_time":1.716,"status":"failed","message":"(config_rule_name: 
cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_PUBLIC_ACCESS_SETTINGS_FOR_ACCOUNT): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_VPC_ENDPOINT_ENABLED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.721,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-S3_VPC_ENDPOINT_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.726,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_ENDPOINT_CONFIG_KMS_KEY_CONFIGURED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_KMS_CONFIGURED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.731,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_KMS_CONFIGURED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS","start_time":"2021-04-09T08:39:21-06:00","run_time":1.736,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-07_EC2_Instance_No_Public_IP","start_time":"2021-04-09T08:39:21-06:00","run_time":1.741,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-07_EC2_Instance_No_Public_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-7_EC2_Instance_No_Public_IP","start_time":"2021-04-09T08:39:21-06:00","run_time":1.746,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SC-7_EC2_Instance_No_Public_IP): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SECRETSMANAGER_MAX_SECRET_AGE","start_time":"2021-04-09T08:39:21-06:00","run_time":1.752,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SECRETSMANAGER_MAX_SECRET_AGE): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SHIELD_DRT_ACCESS","start_time":"2021-04-09T08:39:21-06:00","run_time":1.758,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SHIELD_DRT_ACCESS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, 
resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_ENCRYPTED_TOPIC_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.769,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_ENCRYPTED_TOPIC_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_TOPIC_EMAIL_SUB_IN_DOMAINS","start_time":"2021-04-09T08:39:21-06:00","run_time":1.775,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SNS_TOPIC_EMAIL_SUB_IN_DOMAINS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_ENCRYPTION_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.779,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_ENCRYPTION_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_PUBLIC_ACCESS_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.784,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_PUBLIC_ACCESS_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-SQS_TRANSIT_ENCRYPTION_CHECK","start_time":"2021-04-09T08:39:21-06:00","run_time":1.79,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-SQS_TRANSIT_ENCRYPTION_CHECK): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_ENDPOINT_MANUAL_ACCEPTANCE","start_time":"2021-04-09T08:39:21-06:00","run_time":1.795,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_ENDPOINT_MANUAL_ACCEPTANCE): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_FLOW_LOGS_ENABLED_CUSTOM","start_time":"2021-04-09T08:39:21-06:00","run_time":1.8,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_FLOW_LOGS_ENABLED_CUSTOM): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS","start_time":"2021-04-09T08:39:21-06:00","run_time":1.805,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: 
/aws/lambda/RDK-Rule-Function-WAFV2_WEBACL_LOGGING_ENABLED","start_time":"2021-04-09T08:39:21-06:00","run_time":1.81,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-WAFV2_WEBACL_LOGGING_ENABLED): This log group is not encrypted."},{"code_desc":"config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ec2-instance-no-public-ip","start_time":"2021-04-09T08:39:21-06:00","run_time":1.815,"status":"failed","message":"(config_rule_name: cloudwatch-log-group-encrypted, resource_type: AWS::Logs::LogGroup, resource_id: /aws/lambda/RDK-Rule-Function-ec2-instance-no-public-ip): This log group is not encrypted."}]},{"id":"config-rule-tmzoqc","title":"060708420889 - cmk-backing-key-rotation-enabled","desc":"Checks that key rotation is enabled for each key and matches to the key ID of the customer created customer master key (CMK). The rule is compliant, if the key rotation is enabled for specific key object.","impact":0.5,"tags":{"nist":["SC-12"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-tmzoqc
Source Identifier: CMK_BACKING_KEY_ROTATION_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-tmzoqc","line":1},"code":"","results":[{"code_desc":"config_rule_name: cmk-backing-key-rotation-enabled, resource_type: AWS::KMS::Key, resource_id: 34630e5e-a543-4136-977d-b50cee4f81a0","start_time":"2021-04-09T08:39:22-06:00","run_time":0.44,"status":"failed","message":"(config_rule_name: cmk-backing-key-rotation-enabled, resource_type: AWS::KMS::Key, resource_id: 34630e5e-a543-4136-977d-b50cee4f81a0): Rule does not pass rule compliance"}]},{"id":"config-rule-o7g6zb","title":"060708420889 - dms-replication-not-public","desc":"Checks whether AWS Database Migration Service replication instances are public. The rule is NON_COMPLIANT if PubliclyAccessible field is True.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-o7g6zb
Source Identifier: DMS_REPLICATION_NOT_PUBLIC"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-o7g6zb","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:40-06:00","status":"skipped"}]},{"id":"config-rule-fzh0f2","title":"060708420889 - ebs-snapshot-public-restorable-check","desc":"Checks whether Amazon Elastic Block Store (Amazon EBS) snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots with RestorableByUserIds field are set to all, that is, Amazon EBS snapshots are public.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-fzh0f2
Source Identifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-fzh0f2","line":1},"code":"","results":[{"code_desc":"config_rule_name: ebs-snapshot-public-restorable-check, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-04-09T08:39:22-06:00","run_time":0.66,"status":"passed"}]},{"id":"config-rule-g1wzku","title":"060708420889 - ec2-instance-detailed-monitoring-enabled","desc":"Checks whether detailed monitoring is enabled for EC2 instances.","impact":0.5,"tags":{"nist":["CA-7(a)(b)","SI-4(2)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-g1wzku
Source Identifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-g1wzku","line":1},"code":"","results":[{"code_desc":"config_rule_name: ec2-instance-detailed-monitoring-enabled, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048","start_time":"2021-04-05T08:14:35-06:00","run_time":0.162,"status":"failed","message":"(config_rule_name: ec2-instance-detailed-monitoring-enabled, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048): Rule does not pass rule compliance"}]},{"id":"config-rule-q6dqpv","title":"060708420889 - ec2-instance-managed-by-systems-manager","desc":"Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.","impact":0.5,"tags":{"nist":["CM-2","CM-7(a)","CM-8(1)","CM-8(3)(a)","SA-3(a)","SA-10","SI-2(2)","SI-7(1)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-q6dqpv
Source Identifier: EC2_INSTANCE_MANAGED_BY_SSM"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-q6dqpv","line":1},"code":"","results":[{"code_desc":"config_rule_name: ec2-instance-managed-by-systems-manager, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048","start_time":"2021-04-05T08:14:35-06:00","run_time":0.435,"status":"failed","message":"(config_rule_name: ec2-instance-managed-by-systems-manager, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048): Rule does not pass rule compliance"}]},{"id":"config-rule-wzp4y8","title":"060708420889 - ec2-instances-in-vpc","desc":"EC2_Instances_In_VPC","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wzp4y8
Source Identifier: INSTANCES_IN_VPC"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wzp4y8","line":1},"code":"","results":[{"code_desc":"config_rule_name: ec2-instances-in-vpc, resource_type: AWS::EC2::Instance, resource_id: i-0b89c215adafc7048","start_time":"2021-04-05T08:14:35-06:00","run_time":0.121,"status":"passed"}]},{"id":"config-rule-vsmcjy","title":"060708420889 - ec2-managedinstance-association-compliance-status-check","desc":"Checks whether the compliance status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. The rule is compliant if the field status is COMPLIANT.","impact":0.5,"tags":{"nist":["CM-2","CM-7(a)","CM-8(3)(a)","SI-2(2)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-vsmcjy
Source Identifier: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-vsmcjy","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:41-06:00","status":"skipped"}]},{"id":"config-rule-etnfxm","title":"060708420889 - ec2-managedinstance-patch-compliance-status-check","desc":"Checks whether the compliance status of the AWS Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the field status is COMPLIANT.","impact":0.5,"tags":{"nist":["CM-8(3)(a)","SI-2(2)","SI-7(1)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-etnfxm
Source Identifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-etnfxm","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:41-06:00","status":"skipped"}]},{"id":"config-rule-6cqpcd","title":"060708420889 - elasticsearch-in-vpc-only","desc":"Checks whether Amazon Elasticsearch Service domains are in Amazon Virtual Private Cloud (VPC). The rule is NON_COMPLIANT if ElasticSearch Service domain endpoint is public.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-6cqpcd
Source Identifier: ELASTICSEARCH_IN_VPC_ONLY"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-6cqpcd","line":1},"code":"","results":[{"code_desc":"config_rule_name: elasticsearch-in-vpc-only, resource_type: AWS::Elasticsearch::Domain, resource_id: nnc-aws-rdk-controls-es","start_time":"2021-04-09T08:39:22-06:00","run_time":0.761,"status":"failed","message":"(config_rule_name: elasticsearch-in-vpc-only, resource_type: AWS::Elasticsearch::Domain, resource_id: nnc-aws-rdk-controls-es): This ElasticSearch Domain is not attached to a VPC."}]},{"id":"config-rule-sg1qkz","title":"060708420889 - elasticsearch-node-to-node-encryption-check","desc":"Check that Amazon ElasticSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if the node-to-node encryption is disabled on the domain.","impact":0.5,"tags":{"nist":["SC-7","SC-8","SC-8(1)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-sg1qkz
Source Identifier: ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-sg1qkz","line":1},"code":"","results":[{"code_desc":"config_rule_name: elasticsearch-node-to-node-encryption-check, resource_type: AWS::Elasticsearch::Domain, resource_id: 060708420889/nnc-aws-rdk-controls-es","start_time":"2021-04-06T12:25:41-06:00","run_time":0.149,"status":"passed"}]},{"id":"config-rule-vbd2wq","title":"060708420889 - elb-acm-certificate-required","desc":"This rule checks whether the Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager. You must use an SSL or HTTPS listener with your Elastic Load Balancer to use this rule.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-vbd2wq
Source Identifier: ELB_ACM_CERTIFICATE_REQUIRED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-vbd2wq","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:42-06:00","status":"skipped"}]},{"id":"config-rule-duf3vx","title":"060708420889 - elb-tls-https-listeners-only","desc":"Checks whether your Classic Load Balancer's listeners are configured with SSL or HTTPS","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-23"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-duf3vx
Source Identifier: ELB_TLS_HTTPS_LISTENERS_ONLY"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-duf3vx","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:42-06:00","status":"skipped"}]},{"id":"config-rule-leocq5","title":"060708420889 - emr-kerberos-enabled","desc":"The rule is NON_COMPLIANT if a security configuration is not attached to the cluster or the security configuration does not satisfy the specified rule parameters.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-leocq5
Source Identifier: EMR_KERBEROS_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-leocq5","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:42-06:00","status":"skipped"}]},{"id":"config-rule-xlmgip","title":"060708420889 - emr-master-no-public-ip","desc":"Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs. The rule is NON_COMPLIANT if the master node has a public IP.","impact":0.5,"tags":{"nist":["AC-4","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-xlmgip
Source Identifier: EMR_MASTER_NO_PUBLIC_IP"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-xlmgip","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:43-06:00","status":"skipped"}]},{"id":"config-rule-fapvnu","title":"060708420889 - guardduty-enabled-centralized","desc":"Checks whether GuardDuty is enabled. You can optionally verify that the results are centralized in a specific AWS Account.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(4)","AC-2(12)(a)","AC-2(g)","AC-17(1)","AU-6(1)(3)","CA-7(a)(b)","RA-5","SA-10","SI-4(1)","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(16)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-fapvnu
Source Identifier: GUARDDUTY_ENABLED_CENTRALIZED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-fapvnu","line":1},"code":"","results":[{"code_desc":"config_rule_name: guardduty-enabled-centralized, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-04-09T08:39:22-06:00","run_time":0.417,"status":"failed","message":"(config_rule_name: guardduty-enabled-centralized, resource_type: AWS::::Account, resource_id: 060708420889): Amazon GuardDuty is not configured."}]},{"id":"config-rule-00tkud","title":"060708420889 - guardduty-non-archived-findings","desc":"Checks whether Amazon GuardDuty has findings that are non archived. The rule is NON_COMPLIANT if Amazon GuardDuty has non archived low/medium/high severity findings older than the specified number in the daysLowSev/daysMediumSev/daysHighSev parameter.","impact":0.5,"tags":{"nist":["IR-4(1)","IR-6(1)","IR-7(1)","RA-5","SA-10","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-00tkud
Source Identifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
daysLowSev: 30
daysMediumSev: 7
daysHighSev: 1"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-00tkud","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:44-06:00","status":"skipped"}]},{"id":"config-rule-waclp2","title":"060708420889 - iam-group-has-users-check","desc":"Checks whether IAM groups have at least one IAM user.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6","SC-2"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-waclp2
Source Identifier: IAM_GROUP_HAS_USERS_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-waclp2","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UM5IB6AKZCE","start_time":"2021-04-05T08:14:37-06:00","run_time":8.171,"status":"passed"},{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UMZCIN36XBA","start_time":"2021-04-05T08:14:35-06:00","run_time":8.242,"status":"passed"},{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UMZNTX7A2AR","start_time":"2021-04-05T08:14:35-06:00","run_time":8.405,"status":"passed"},{"code_desc":"config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UMYT3T7DO6V","start_time":"2021-04-05T08:14:30-06:00","run_time":8.05,"status":"failed","message":"(config_rule_name: iam-group-has-users-check, resource_type: AWS::IAM::Group, resource_id: AGPAQ4IUA7UMYT3T7DO6V): Rule does not pass rule compliance"}]},{"id":"config-rule-knahli","title":"060708420889 - iam-password-policy","desc":"Checks whether the account password policy for IAM users meets the specified requirements indicated in the parameters. This rule is NON_COMPLIANT if the account password policy does not meet the specified requirements.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(f)","AC-2(j)","IA-2","IA-5(1)(a)(d)(e)","IA-5(4)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-knahli
Source Identifier: IAM_PASSWORD_POLICY
RequireUppercaseCharacters: true
RequireLowercaseCharacters: true
RequireSymbols: true
RequireNumbers: true
MinimumPasswordLength: 14
PasswordReusePrevention: 24
MaxPasswordAge: 90"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-knahli","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-password-policy, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-04-09T08:39:22-06:00","run_time":0.173,"status":"failed","message":"(config_rule_name: iam-password-policy, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"config-rule-4f2m3s","title":"060708420889 - iam-policy-no-statements-with-admin-access","desc":"Checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\", the rule is non-compliant.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6","SC-2"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-4f2m3s
Source Identifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-4f2m3s","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:45-06:00","status":"skipped"}]},{"id":"config-rule-7vurub","title":"060708420889 - iam-root-access-key-check","desc":"Checks whether the root user access key is available. The rule is compliant if the user access key does not exist.","impact":0.5,"tags":{"nist":["AC-2(f)","AC-2(j)","AC-3","AC-6","AC-6(10)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-7vurub
Source Identifier: IAM_ROOT_ACCESS_KEY_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-7vurub","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-root-access-key-check, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-04-09T08:39:22-06:00","run_time":0.448,"status":"failed","message":"(config_rule_name: iam-root-access-key-check, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"config-rule-srcikw","title":"060708420889 - iam-user-group-membership-check","desc":"Checks whether IAM users are members of at least one IAM group.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(j)","AC-3","AC-6"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-srcikw
Source Identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-srcikw","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-04-05T08:14:34-06:00","run_time":0.139,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-04-05T08:14:35-06:00","run_time":0.13,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-04-05T08:14:35-06:00","run_time":0.256,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-04-05T08:14:29-06:00","run_time":0.417,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-04-05T08:14:35-06:00","run_time":0.51,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-04-05T08:14:37-06:00","run_time":0.449,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-04-05T08:14:31-06:00","run_time":0.125,"status":"passed"},{"code_desc":"config_rule_name: iam-user-group-membership-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-04-05T08:14:34-06:00","run_time":0.254,"status":"passed"}]},{"id":"config-rule-8jn0vh","title":"060708420889 - iam-user-no-policies-check","desc":"Checks that none of your IAM users 
have policies attached. IAM users must inherit permissions from IAM groups or roles.","impact":0.5,"tags":{"nist":["AC-2(j)","AC-3","AC-5(c)","AC-6"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-8jn0vh
Source Identifier: IAM_USER_NO_POLICIES_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-8jn0vh","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-04-05T08:14:34-06:00","run_time":0.17,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-04-05T08:14:35-06:00","run_time":0.423,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-04-05T08:14:29-06:00","run_time":0.414,"status":"passed"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-04-05T08:14:35-06:00","run_time":0.129,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-04-05T08:14:35-06:00","run_time":0.452,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-04-05T08:14:37-06:00","run_time":0.216,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, 
resource_id: AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-04-05T08:14:31-06:00","run_time":0.115,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-04-05T08:14:34-06:00","run_time":0.199,"status":"failed","message":"(config_rule_name: iam-user-no-policies-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4): Rule does not pass rule compliance"}]},{"id":"config-rule-58tf67","title":"060708420889 - iam-user-unused-credentials-check","desc":"Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(3)","AC-2(f)","AC-3","AC-6"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-58tf67
Source Identifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
maxCredentialUsageAge: 90"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-58tf67","line":1},"code":"","results":[{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM6I4P3IY7Y","start_time":"2021-04-09T08:39:22-06:00","run_time":30.412,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMQ3ZQG4H5T","start_time":"2021-04-09T08:39:22-06:00","run_time":30.398,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMTUCZJQTCB","start_time":"2021-04-09T08:39:22-06:00","run_time":30.39,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMVWFUDQY7G","start_time":"2021-04-09T08:39:22-06:00","run_time":30.394,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZ7QZNEJS5","start_time":"2021-04-09T08:39:22-06:00","run_time":30.405,"status":"passed"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ","start_time":"2021-04-09T08:39:22-06:00","run_time":30.386,"status":"failed","message":"(config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UM4QUIM3AGQ): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA","start_time":"2021-04-09T08:39:22-06:00","run_time":30.401,"status":"failed","message":"(config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMXLY36QZXA): Rule does not pass rule 
compliance"},{"code_desc":"config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4","start_time":"2021-04-09T08:39:22-06:00","run_time":30.408,"status":"failed","message":"(config_rule_name: iam-user-unused-credentials-check, resource_type: AWS::IAM::User, resource_id: AIDAQ4IUA7UMZDKJGS3J4): Rule does not pass rule compliance"}]},{"id":"config-rule-ljx1ti","title":"060708420889 - internet-gateway-authorized-vpc-only","desc":"Checks that Internet gateways (IGWs) are only attached to an authorized Amazon Virtual Private Cloud (VPCs). The rule is NON_COMPLIANT if IGWs are not attached to an authorized VPC.","impact":0.5,"tags":{"nist":["AC-4","AC-17(3)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ljx1ti
Source Identifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ljx1ti","line":1},"code":"","results":[{"code_desc":"config_rule_name: internet-gateway-authorized-vpc-only, resource_type: AWS::EC2::InternetGateway, resource_id: igw-0f71441266c1eb319","start_time":"2021-04-06T18:41:21-06:00","run_time":0.138,"status":"failed","message":"(config_rule_name: internet-gateway-authorized-vpc-only, resource_type: AWS::EC2::InternetGateway, resource_id: igw-0f71441266c1eb319): This IGW is attached to the following unauthorized VPC(s): vpc-0791742f79e0263a0."}]},{"id":"config-rule-soawdk","title":"060708420889 - kms-cmk-not-scheduled-for-deletion","desc":"Checks whether customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (KMS). The rule is NON_COMPLAINT if CMKs are scheduled for deletion.","impact":0.5,"tags":{"nist":["SC-12","SC-28"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-soawdk
Source Identifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-soawdk","line":1},"code":"","results":[{"code_desc":"config_rule_name: kms-cmk-not-scheduled-for-deletion, resource_type: AWS::KMS::Key, resource_id: 34630e5e-a543-4136-977d-b50cee4f81a0","start_time":"2021-04-09T08:39:22-06:00","run_time":0.81,"status":"passed"}]},{"id":"config-rule-hehadp","title":"060708420889 - lambda-function-public-access-prohibited","desc":"Checks whether the Lambda function policy prohibits public access.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-hehadp
Source Identifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-hehadp","line":1},"code":"","results":[{"code_desc":"config_rule_name: lambda-function-public-access-prohibited, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-ec2-instance-no-public-ip","start_time":"2021-04-05T08:14:31-06:00","run_time":0.195,"status":"passed"}]},{"id":"config-rule-flokqq","title":"060708420889 - lambda-inside-vpc","desc":"Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud. The rule is NON_COMPLIANT if the Lambda function is not in a VPC.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-flokqq
Source Identifier: LAMBDA_INSIDE_VPC"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-flokqq","line":1},"code":"","results":[{"code_desc":"config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-ec2-instance-no-public-ip","start_time":"2021-04-05T08:14:31-06:00","run_time":0.185,"status":"failed","message":"(config_rule_name: lambda-inside-vpc, resource_type: AWS::Lambda::Function, resource_id: RDK-Rule-Function-ec2-instance-no-public-ip): This AWS Lambda function is not in VPC."}]},{"id":"config-rule-ac2sx7","title":"060708420889 - multi-region-cloudtrail-enabled","desc":"Checks that there is at least one multi-region AWS CloudTrail. The rule is non-compliant if the trails do not match input parameters","impact":0.5,"tags":{"nist":["AC-2(4)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ac2sx7
Source Identifier: MULTI_REGION_CLOUD_TRAIL_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ac2sx7","line":1},"code":"","results":[{"code_desc":"config_rule_name: multi-region-cloudtrail-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-04-09T08:39:22-06:00","run_time":0.176,"status":"failed","message":"(config_rule_name: multi-region-cloudtrail-enabled, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"config-rule-mulhbb","title":"060708420889 - rds-instance-public-access-check","desc":"Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.","impact":0.5,"tags":{"nist":["AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mulhbb
Source Identifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mulhbb","line":1},"code":"","results":[{"code_desc":"config_rule_name: rds-instance-public-access-check, resource_type: AWS::RDS::DBInstance, resource_id: db-YBHPQ56FHKA5GAL6NSS45QIFPA","start_time":"2021-04-06T19:03:25-06:00","run_time":0.281,"status":"passed"}]},{"id":"config-rule-tnjnrr","title":"060708420889 - rds-logging-enabled","desc":"Checks that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled. The rule is NON_COMPLIANT if any log types are not enabled.","impact":0.5,"tags":{"nist":["AC-2(4)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-tnjnrr
Source Identifier: MULTI_REGION_CLOUD_TRAIL_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-tnjnrr","line":1},"code":"","results":[{"code_desc":"config_rule_name: rds-logging-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-04-09T08:39:22-06:00","run_time":8.194,"status":"failed","message":"(config_rule_name: rds-logging-enabled, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"config-rule-dzhsuk","title":"060708420889 - rds-snapshots-public-prohibited","desc":"AC-03_RDS_Snapshots_Public_Prohibited","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dzhsuk
Source Identifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dzhsuk","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:47-06:00","status":"skipped"}]},{"id":"config-rule-mekvhc","title":"060708420889 - redshift-cluster-configuration-check","desc":"Checks whether Amazon Redshift clusters have the specified settings.","impact":0.5,"tags":{"nist":["AC-2(4)","AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)","SC-13","SC-28"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mekvhc
Source Identifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
clusterDbEncrypted: true
loggingEnabled: true
nodeTypes: dc1.large"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-mekvhc","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:47-06:00","status":"skipped"}]},{"id":"config-rule-1r6bo0","title":"060708420889 - redshift-cluster-public-access-check","desc":"Checks whether Amazon Redshift clusters are not publicly accessible. The rule is NON_COMPLIANT if the publicly accessible field is true in the cluster configuration item.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-1r6bo0
Source Identifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-1r6bo0","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:47-06:00","status":"skipped"}]},{"id":"config-rule-q5tw3f","title":"060708420889 - redshift-require-tls-ssl","desc":"Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. The rule is NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true.","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-q5tw3f
Source Identifier: REDSHIFT_REQUIRE_TLS_SSL"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-q5tw3f","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:47-06:00","status":"skipped"}]},{"id":"config-rule-jw6576","title":"060708420889 - restricted-common-ports","desc":"Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified ports.","impact":0.5,"tags":{"nist":["AC-4","CM-2","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-jw6576
Source Identifier: RESTRICTED_INCOMING_TRAFFIC
blockedPort1: 20
blockedPort2: 21
blockedPort3: 3389
blockedPort4: 3306
blockedPort5: 4333"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-jw6576","line":1},"code":"","results":[{"code_desc":"config_rule_name: restricted-common-ports, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-00e46ca089345c553","start_time":"2021-04-06T12:18:38-06:00","run_time":0.15,"status":"passed"},{"code_desc":"config_rule_name: restricted-common-ports, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-05fa730c7a3ec90ee","start_time":"2021-04-05T08:14:31-06:00","run_time":0.127,"status":"passed"},{"code_desc":"config_rule_name: restricted-common-ports, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08afb1c6312ca976e","start_time":"2021-04-06T18:57:07-06:00","run_time":0.199,"status":"passed"},{"code_desc":"config_rule_name: restricted-common-ports, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee","start_time":"2021-04-05T08:14:29-06:00","run_time":0.117,"status":"passed"},{"code_desc":"config_rule_name: restricted-common-ports, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d","start_time":"2021-04-05T08:14:32-06:00","run_time":0.127,"status":"passed"}]},{"id":"config-rule-2sv118","title":"060708420889 - restricted-ssh","desc":"Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-2sv118
Source Identifier: INCOMING_SSH_DISABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-2sv118","line":1},"code":"","results":[{"code_desc":"config_rule_name: restricted-ssh, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-00e46ca089345c553","start_time":"2021-04-06T12:18:38-06:00","run_time":0.109,"status":"passed"},{"code_desc":"config_rule_name: restricted-ssh, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-05fa730c7a3ec90ee","start_time":"2021-04-05T08:14:31-06:00","run_time":0.115,"status":"passed"},{"code_desc":"config_rule_name: restricted-ssh, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08afb1c6312ca976e","start_time":"2021-04-06T18:57:07-06:00","run_time":0.351,"status":"passed"},{"code_desc":"config_rule_name: restricted-ssh, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee","start_time":"2021-04-05T08:14:29-06:00","run_time":0.098,"status":"passed"},{"code_desc":"config_rule_name: restricted-ssh, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d","start_time":"2021-04-05T08:14:32-06:00","run_time":0.106,"status":"passed"}]},{"id":"config-rule-dieuzz","title":"060708420889 - s3-account-level-public-access-blocks","desc":"Checks whether the required public access block settings are configured from account level. The rule is NON_COMPLIANT when the public access block settings are not configured from account level.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dieuzz
Source Identifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
IgnorePublicAcls: true
BlockPublicPolicy: true
BlockPublicAcls: true
RestrictPublicBuckets: true"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-dieuzz","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:48-06:00","status":"skipped"}]},{"id":"config-rule-wkwfa4","title":"060708420889 - s3-bucket-logging-enabled","desc":"Checks whether logging is enabled for your S3 buckets.","impact":0.5,"tags":{"nist":["AC-2(g)","AU-2(a)(d)","AU-3","AU-12(a)(c)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wkwfa4
Source Identifier: S3_BUCKET_LOGGING_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-wkwfa4","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-04-05T08:14:32-06:00","run_time":0.116,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-04-05T08:14:35-06:00","run_time":0.129,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-04-05T08:14:31-06:00","run_time":0.112,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-to-hdf-bucket","start_time":"2021-04-05T08:14:38-06:00","run_time":0.114,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: config-to-hdf-bucket): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-04-05T08:14:35-06:00","run_time":0.096,"status":"failed","message":"(config_rule_name: 
s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-04-05T08:14:37-06:00","run_time":0.106,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-04-05T08:14:31-06:00","run_time":0.14,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: il6-keys2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-04-05T08:14:32-06:00","run_time":0.101,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-04-05T08:14:36-06:00","run_time":0.104,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: nnc-temp","start_time":"2021-04-05T08:14:37-06:00","run_time":0.126,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: nnc-temp): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: 
nnc-terraform-state","start_time":"2021-04-05T08:14:37-06:00","run_time":0.15,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: nnc-terraform-state): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: saf-nnc-master-us-gov-west-1-tf-states","start_time":"2021-04-06T07:36:55-06:00","run_time":0.36,"status":"failed","message":"(config_rule_name: s3-bucket-logging-enabled, resource_type: AWS::S3::Bucket, resource_id: saf-nnc-master-us-gov-west-1-tf-states): Rule does not pass rule compliance"}]},{"id":"config-rule-rmeusf","title":"060708420889 - s3-bucket-policy-grantee-check","desc":"Checks that the access granted by the Amazon S3 bucket is restricted to any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present.","impact":0.5,"tags":{"nist":["AC-3","AC-6","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rmeusf
Source Identifier: S3_BUCKET_POLICY_GRANTEE_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-rmeusf","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-04-05T08:14:31-06:00","run_time":8.561,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: config-to-hdf-bucket","start_time":"2021-04-05T08:14:38-06:00","run_time":8.075,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-04-05T08:14:35-06:00","run_time":7.821,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-04-05T08:14:37-06:00","run_time":0.376,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-04-05T08:14:31-06:00","run_time":0.389,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-04-05T08:14:32-06:00","run_time":0.286,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-04-05T08:14:36-06:00","run_time":0.186,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: nnc-temp","start_time":"2021-04-05T08:14:37-06:00","run_time":8.125,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: 
nnc-terraform-state","start_time":"2021-04-05T08:14:37-06:00","run_time":0.345,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: saf-nnc-master-us-gov-west-1-tf-states","start_time":"2021-04-06T07:36:55-06:00","run_time":8.436,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-04-05T08:14:32-06:00","run_time":9.459,"status":"failed","message":"(config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634): The S3 bucket policy allows other principals, IP addresses and/or VPC IDs than those specified."},{"code_desc":"config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-04-05T08:14:35-06:00","run_time":0.446,"status":"failed","message":"(config_rule_name: s3-bucket-policy-grantee-check, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889): The S3 bucket policy allows other principals, IP addresses and/or VPC IDs than those specified."}]},{"id":"config-rule-djf94q","title":"060708420889 - s3-bucket-public-read-prohibited","desc":"Checks that your Amazon S3 buckets do not allow public read access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-djf94q
Source Identifier: S3_BUCKET_PUBLIC_READ_PROHIBITED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-djf94q","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-04-09T08:39:22-06:00","run_time":0.322,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-04-09T08:39:22-06:00","run_time":0.305,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-04-09T08:39:22-06:00","run_time":0.314,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: config-to-hdf-bucket","start_time":"2021-04-09T08:39:22-06:00","run_time":0.288,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-04-09T08:39:22-06:00","run_time":0.284,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-04-09T08:39:22-06:00","run_time":0.297,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-04-09T08:39:22-06:00","run_time":0.326,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-04-09T08:39:22-06:00","run_time":0.31,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: 
AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-04-09T08:39:22-06:00","run_time":0.301,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: nnc-temp","start_time":"2021-04-09T08:39:22-06:00","run_time":0.293,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: nnc-terraform-state","start_time":"2021-04-09T08:39:22-06:00","run_time":0.318,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-read-prohibited, resource_type: AWS::S3::Bucket, resource_id: saf-nnc-master-us-gov-west-1-tf-states","start_time":"2021-04-09T08:39:22-06:00","run_time":0.28,"status":"passed"}]},{"id":"config-rule-6q11ox","title":"060708420889 - s3-bucket-public-write-prohibited","desc":"Checks that your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-6q11ox
Source Identifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-6q11ox","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-04-09T08:39:22-06:00","run_time":0.384,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-04-09T08:39:22-06:00","run_time":0.366,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-04-09T08:39:22-06:00","run_time":0.375,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, resource_type: AWS::S3::Bucket, resource_id: config-to-hdf-bucket","start_time":"2021-04-09T08:39:22-06:00","run_time":0.349,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-04-09T08:39:22-06:00","run_time":0.344,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-04-09T08:39:22-06:00","run_time":0.357,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-04-09T08:39:22-06:00","run_time":0.388,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-04-09T08:39:22-06:00","run_time":0.37,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, 
resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-04-09T08:39:22-06:00","run_time":0.362,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, resource_type: AWS::S3::Bucket, resource_id: nnc-temp","start_time":"2021-04-09T08:39:22-06:00","run_time":0.353,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, resource_type: AWS::S3::Bucket, resource_id: nnc-terraform-state","start_time":"2021-04-09T08:39:22-06:00","run_time":0.379,"status":"passed"},{"code_desc":"config_rule_name: s3-bucket-public-write-prohibited, resource_type: AWS::S3::Bucket, resource_id: saf-nnc-master-us-gov-west-1-tf-states","start_time":"2021-04-09T08:39:22-06:00","run_time":0.34,"status":"passed"}]},{"id":"config-rule-8zzlwr","title":"060708420889 - s3-bucket-ssl-requests-only","desc":"Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).","impact":0.5,"tags":{"nist":["AC-17(2)","SC-7","SC-8","SC-8(1)","SC-13"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-8zzlwr
Source Identifier: S3_BUCKET_SSL_REQUESTS_ONLY"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-8zzlwr","line":1},"code":"","results":[{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634","start_time":"2021-04-05T08:14:32-06:00","run_time":0.191,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: cloudtrail11773022026880308634): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889","start_time":"2021-04-05T08:14:35-06:00","run_time":0.202,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-bucket-060708420889): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1","start_time":"2021-04-05T08:14:31-06:00","run_time":0.117,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-rule-code-bucket-060708420889-us-gov-west-1): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-to-hdf-bucket","start_time":"2021-04-05T08:14:38-06:00","run_time":0.114,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: config-to-hdf-bucket): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation","start_time":"2021-04-05T08:14:35-06:00","run_time":0.129,"status":"failed","message":"(config_rule_name: 
s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2","start_time":"2021-04-05T08:14:38-06:00","run_time":0.098,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-cloudformation-logs2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-keys2","start_time":"2021-04-05T08:14:31-06:00","run_time":0.206,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: il6-keys2): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test","start_time":"2021-04-05T08:14:32-06:00","run_time":0.221,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: jkufro-s3-test): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state","start_time":"2021-04-05T08:14:36-06:00","run_time":0.092,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: nnc-env-state): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: nnc-temp","start_time":"2021-04-05T08:14:37-06:00","run_time":0.112,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: nnc-temp): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: 
AWS::S3::Bucket, resource_id: nnc-terraform-state","start_time":"2021-04-05T08:14:37-06:00","run_time":0.11,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: nnc-terraform-state): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: saf-nnc-master-us-gov-west-1-tf-states","start_time":"2021-04-06T07:36:55-06:00","run_time":0.107,"status":"failed","message":"(config_rule_name: s3-bucket-ssl-requests-only, resource_type: AWS::S3::Bucket, resource_id: saf-nnc-master-us-gov-west-1-tf-states): Rule does not pass rule compliance"}]},{"id":"config-rule-j4orus","title":"060708420889 - sagemaker-notebook-no-direct-internet-access","desc":"Checks whether direct internet access is disabled for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if Amazon SageMaker notebook instances are internet-enabled.","impact":0.5,"tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-j4orus
Source Identifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-j4orus","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:50-06:00","status":"skipped"}]},{"id":"config-rule-w4kl0y","title":"060708420889 - secretsmanager-scheduled-rotation-success-check","desc":"Checks whether AWS Secrets Manager secret rotation has rotated successfully as per the rotation schedule. The rule returns NON_COMPLIANT if RotationOccurringAsScheduled is false.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(j)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w4kl0y
Source Identifier: SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-w4kl0y","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:50-06:00","status":"skipped"}]},{"id":"config-rule-ykxgik","title":"060708420889 - securityhub-enabled","desc":"Checks that AWS Security Hub is enabled for an AWS Account. The rule is NON_COMPLIANT if AWS Security Hub is not enabled.","impact":0.5,"tags":{"nist":["AC-2(1)","AC-2(4)","AC-2(12)(a)","AC-2(g)","AC-17(1)","AU-6(1)(3)","CA-7(a)(b)","SA-10","SI-4(2)","SI-4(4)","SI-4(5)","SI-4(16)","SI-4(a)(b)(c)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ykxgik
Source Identifier: SECURITYHUB_ENABLED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-ykxgik","line":1},"code":"","results":[{"code_desc":"config_rule_name: securityhub-enabled, resource_type: AWS::::Account, resource_id: 060708420889","start_time":"2021-04-09T08:39:22-06:00","run_time":0.453,"status":"failed","message":"(config_rule_name: securityhub-enabled, resource_type: AWS::::Account, resource_id: 060708420889): Rule does not pass rule compliance"}]},{"id":"config-rule-bycurb","title":"060708420889 - vpc-default-security-group-closed","desc":"Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule is non-compliant if the default security group has one or more inbound or outbound traffic.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-bycurb
Source Identifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-bycurb","line":1},"code":"","results":[{"code_desc":"config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08afb1c6312ca976e","start_time":"2021-04-06T18:57:07-06:00","run_time":0.131,"status":"failed","message":"(config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08afb1c6312ca976e): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee","start_time":"2021-04-05T08:14:29-06:00","run_time":0.165,"status":"failed","message":"(config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-08d5af470490965ee): Rule does not pass rule compliance"},{"code_desc":"config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d","start_time":"2021-04-05T08:14:32-06:00","run_time":0.128,"status":"failed","message":"(config_rule_name: vpc-default-security-group-closed, resource_type: AWS::EC2::SecurityGroup, resource_id: sg-0e4253695bd587d1d): Rule does not pass rule compliance"}]},{"id":"config-rule-trm0sx","title":"060708420889 - vpc-sg-open-only-to-authorized-ports","desc":"Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible which is not specified in the rule parameters.","impact":0.5,"tags":{"nist":["AC-4","SC-7","SC-7(3)"]},"descriptions":[{"label":"check","data":"ARN: arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-trm0sx
Source Identifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS"}],"refs":[],"source_location":{"ref":"arn:aws-us-gov:config:us-gov-west-1:060708420889:config-rule/config-rule-trm0sx","line":1},"code":"","results":[{"run_time":0,"code_desc":"Not enough data has been collectd to determine compliance yet.","skip_message":"Not enough data has been collectd to determine compliance yet.","start_time":"2021-04-09T12:13:50-06:00","status":"skipped"}]}],"sha256":"d4094c7816e3c635d49ebebbb9c7b77896fcbb9a370605f139ac75b9259294e1"}]} \ No newline at end of file