actions-user committed Jul 1, 2023
1 parent 8e06543 commit d3859a9
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions security-hub-controls.jsonl
@@ -1,13 +1,13 @@
{"Id":"Account.1","Title":"Security contact information should be provided for an AWS account","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
{"Id":"Account.2","Title":"AWS account should be part of an AWS Organizations organization","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"}
{"Id":"ACM.1","Title":"Imported and ACM-issued certificates should be renewed after a specified time period","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"ACM.1","Title":"Imported and ACM-issued certificates should be renewed after a specified time period","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered and periodic"}
{"Id":"ACM.2","Title":"RSA certificates managed by ACM should use a key length of at least 2,048 bits","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"HIGH","ScheduleType":"Change triggered"}
{"Id":"APIGateway.1","Title":"API Gateway REST and WebSocket API execution logging should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"APIGateway.2","Title":"API Gateway REST API stages should be configured to use SSL certificates for backend authentication","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"APIGateway.3","Title":"API Gateway REST API stages should have AWS X-Ray tracing enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
{"Id":"APIGateway.4","Title":"API Gateway should be associated with a WAF Web ACL","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"APIGateway.5","Title":"API Gateway REST API cache data should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"APIGateway.8","Title":"API Gateway routes should specify an authorization type","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"APIGateway.8","Title":"API Gateway routes should specify an authorization type","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
{"Id":"APIGateway.9","Title":"Access logging should be configured for API Gateway V2 Stages","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"AppSync.2","Title":"AWS AppSync should have request-level and field-level logging turned on","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"AutoScaling.1","Title":"Auto scaling groups associated with a Classic Load Balancer should use load balancer health checks","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Change triggered"}
Expand Down Expand Up @@ -35,7 +35,7 @@
{"Id":"CloudTrail.3","Title":"CloudTrail should be enabled","ApplicableStandards":["PCI DSS v3.2.1"],"Severity":"HIGH","ScheduleType":"Periodic"}
{"Id":"CloudTrail.4","Title":"CloudTrail log file validation should be enabled","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
{"Id":"CloudTrail.5","Title":"CloudTrail trails should be integrated with Amazon CloudWatch Logs","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Periodic"}
{"Id":"CloudTrail.6","Title":"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"CRITICAL","ScheduleType":"Periodic and change triggered"}
{"Id":"CloudTrail.6","Title":"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"CRITICAL","ScheduleType":"Change triggered and periodic"}
{"Id":"CloudTrail.7","Title":"Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
{"Id":"CloudWatch.1","Title":"A log metric filter and alarm should exist for usage of the \"root\" user","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0"],"Severity":"LOW","ScheduleType":"Periodic"}
{"Id":"CloudWatch.2","Title":"Ensure a log metric filter and alarm exist for unauthorized API calls","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0"],"Severity":"LOW","ScheduleType":"Periodic"}
Expand Down Expand Up @@ -90,7 +90,7 @@
{"Id":"EC2.25","Title":"EC2 launch templates should not assign public IPs to network interfaces","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
{"Id":"EC2.28","Title":"EBS volumes should be in a backup plan","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"LOW","ScheduleType":"Periodic"}
{"Id":"EC2.29","Title":"EC2 instances should be inside of a VPC","ApplicableStandards":["NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
{"Id":"ECR.1","Title":"ECR private repositories should have image scanning configured","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
{"Id":"ECR.1","Title":"ECR private repositories should have image scanning configured","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Periodic"}
{"Id":"ECR.2","Title":"ECR private repositories should have tag immutability configured","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"ECR.3","Title":"ECR repositories should have at least one lifecycle policy configured","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"ECS.1","Title":"Amazon ECS task definitions should have secure networking modes and user definitions.","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
Expand Down Expand Up @@ -166,7 +166,7 @@
{"Id":"Kinesis.1","Title":"Kinesis streams should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"KMS.1","Title":"IAM customer managed policies should not allow decryption actions on all KMS keys","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"KMS.2","Title":"IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"KMS.3","Title":"AWS KMS keys should not be deleted unintentionally","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic"}
{"Id":"KMS.3","Title":"AWS KMS keys should not be deleted unintentionally","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"}
{"Id":"KMS.4","Title":"AWS KMS key rotation should be enabled","ApplicableStandards":["CIS AWS Foundations Benchmark v1.2.0","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
{"Id":"Lambda.1","Title":"Lambda function policies should prohibit public access","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered"}
{"Id":"Lambda.2","Title":"Lambda functions should use supported runtimes","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
Expand Down Expand Up @@ -220,8 +220,8 @@
{"Id":"Redshift.9","Title":"Redshift clusters should not use the default database name","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"Redshift.10","Title":"Redshift clusters should be encrypted at rest","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"S3.1","Title":"S3 Block Public Access setting should be enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Periodic"}
{"Id":"S3.2","Title":"S3 buckets should prohibit public read access","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic and change triggered"}
{"Id":"S3.3","Title":"S3 buckets should prohibit public write access","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Periodic and change triggered"}
{"Id":"S3.2","Title":"S3 buckets should prohibit public read access","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered and periodic"}
{"Id":"S3.3","Title":"S3 buckets should prohibit public write access","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","NIST SP 800-53 Rev. 5"],"Severity":"CRITICAL","ScheduleType":"Change triggered and periodic"}
{"Id":"S3.4","Title":"S3 buckets should have server-side encryption enabled","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"S3.5","Title":"S3 buckets should require requests to use Secure Socket Layer","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","PCI DSS v3.2.1","CIS AWS Foundations Benchmark v1.4.0","NIST SP 800-53 Rev. 5"],"Severity":"MEDIUM","ScheduleType":"Change triggered"}
{"Id":"S3.6","Title":"S3 permissions granted to other AWS accounts in bucket policies should be restricted","ApplicableStandards":["AWS Foundational Security Best Practices v1.0.0","Service-Managed Standard: AWS Control Tower","NIST SP 800-53 Rev. 5"],"Severity":"HIGH","ScheduleType":"Change triggered"}
