AWS Config Enabled

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past, so that you can see how the configurations and relationships change over time. Having AWS Config enabled in all regions keeps track of the growing set of resources present in every region, not only the ones you actively use.

CloudTrail integration with CloudWatch Logs

CloudTrail tracks user activity and API usage. After you configure CloudTrail integration with CloudWatch Logs, which you can do from the CloudTrail console or using the AWS SDKs or AWS CLI, CloudTrail begins to continuously and automatically deliver all the CloudTrail events associated with API activity to a CloudWatch Logs log group you specify.

CloudTrail Enabled

CloudTrail trails should be active for all regions so that the trail is able to pick up the user activity and the API usage in every region, not only the region in which the trail was created.

CloudTrail Encrypted

CloudTrail logs should be encrypted at rest so that they stay protected even if the log files fall into the wrong hands.

CloudTrail Log File Validation

Ensures that CloudTrail log file validation has been enabled.
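The following Python function is an added example, not code from this page's tool: it scores a single trail against the CloudTrail checks above (enabled in all regions, CloudWatch Logs integration, encryption at rest, log file validation) using the field names that boto3's DescribeTrails and GetTrailStatus responses carry. The sample trail and status below are constructed, not real account data.

```python
"""Evaluate one CloudTrail trail against the checks described above."""
from typing import Any, Dict, List

# Keys used here are those of boto3's describe_trails()["trailList"] entries
# and the get_trail_status(Name=...) response.
CHECKS = {
    # Trail must be logging now and must cover all regions.
    "cloudtrail_enabled": lambda t, s: bool(s.get("IsLogging")) and bool(t.get("IsMultiRegionTrail")),
    # Events must be delivered to a CloudWatch Logs log group.
    "cloudwatch_logs_integration": lambda t, s: bool(t.get("CloudWatchLogsLogGroupArn")),
    # Log files must be encrypted with a KMS key (SSE-KMS), not only SSE-S3.
    "cloudtrail_encrypted": lambda t, s: bool(t.get("KmsKeyId")),
    # Digest files must be produced so log tampering can be detected.
    "log_file_validation": lambda t, s: bool(t.get("LogFileValidationEnabled")),
}


def evaluate_trail(trail: Dict[str, Any], status: Dict[str, Any]) -> Dict[str, bool]:
    """Return {check_name: passed} for one trail description and its status."""
    return {name: check(trail, status) for name, check in CHECKS.items()}


def failing_checks(trail: Dict[str, Any], status: Dict[str, Any]) -> List[str]:
    """Return the sorted names of checks this trail fails (empty means compliant)."""
    return sorted(name for name, ok in evaluate_trail(trail, status).items() if not ok)


def audit_trails(cloudtrail_client) -> Dict[str, List[str]]:
    """Run the checks over every trail visible to a boto3 CloudTrail client.

    Not exercised offline; the client is assumed to be boto3.client("cloudtrail").
    """
    report = {}
    for trail in cloudtrail_client.describe_trails()["trailList"]:
        status = cloudtrail_client.get_trail_status(Name=trail["TrailARN"])
        report[trail["Name"]] = failing_checks(trail, status)
    return report


# Constructed sample: a single-region trail with validation on but no KMS key
# and no CloudWatch Logs delivery. The account id is a placeholder.
SAMPLE_TRAIL = {
    "Name": "example-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
    "S3BucketName": "example-trail-logs",
    "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": True,
}
SAMPLE_STATUS = {"IsLogging": True}

if __name__ == "__main__":
    print(failing_checks(SAMPLE_TRAIL, SAMPLE_STATUS))
```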

CloudTrail Public Access

Ensures that the S3 bucket holding CloudTrail logs is not publicly accessible.

No SSE/KMS Encryption for S3

Reports S3 Buckets without SSE/KMS encryption.

Actions

  • DELETE : Deletes the reported S3 Buckets.

Public EC2 Instance

Reports EC2 instances with public IP addresses.

Actions

  • STOP : Stops the EC2 instance.
  • TERMINATE : Terminates the EC2 instance.

Rotation of customer CMKs Enabled

When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also retains the CMK's older cryptographic material so that it can still be used to decrypt data that was encrypted under it.

S3 Bucket Access

Ensures that S3 bucket access logging is enabled on the CloudTrail S3 bucket.