Amazon QDetector Library Sign in to Amazon Q

Q

Detector Library

CloudFormation detectors (79/79)

Cloudfront Custom SSL Certificate DynamoDB Autoscaling Enabled CLOUD TRAIL CLOUD WATCH LOGS Cloudfront Origin Failover Sagemaker Notebook Direct Access Cloudwatch Alarm Action Check ELB Cross Zone Load Balancing Disabled domain logging Elasticsearch Primary Node S3 Bucket SSL Request Only Disabled pitr for global tables Redshift Backup Enabled Restrict log4j2 message lookup RDS instance logging enabled S3 Bucket replication enabled IAM Profile Not Attached.S3 Bucket Default Encryption With AWS KMS Unsecure encryption of DAX at rest Disabled encryption on Aurora at rest Restrict wildcard in KMS key CLOUDFRONT DEFAULT ROOT OBJECT CONFIGURED No unrestricted route to igw RDS Auto Version Upgrade Subnet Auto Assign Public IP Unecrypted AWS Redshift using CMK CW Loggroup Retention Period EMR Kerberos Enabled RedShift Enhanced VPC Routing Unencryption not prevented Disabled AWS S3 object versioning Ecs Task Definition Configure HTTPS for CloudFront distribution ViewerProtocolPolicy Monitoring Disabled EC2 instances Disabled iam authentication AWS S3 public WRITE permission Over premissive aws private ecr Disabled AWS RDS Encryption Fsx Resources Protected Cloudtrail S3 Dataevents enabled Restrict IAM permissive role assumption Timestream database not encrypted Restrict public access on DMS replication instance Redshift Cluster Maintenance Settings DB instance backup enabled EKS Endpoint No Public Access More Restrictive CIDR enabled_rds_public_access_cloudformation Aurora MySQL Backtracking ELB ACM Certificate S3 default lock enabled Sagemaker NoteBook Instance Kms Exposed secrets in EC2 user data S3 ignore public acls not true Unencrypted code build Cloudfront SNI Enabled DynamoDB Table Encryption Exposed secrets in Lambda function environment variables sns_topic_uses_cmk_cloudformation Disabled Neptune logging API GW Resources Type Check Restricted Common Ports Disabled DynamoDB Point-In-Time Recovery EBS Optimization Disabled EC2 instances Restrict assumed IAM role access Autoscaling Launch Config Autoscaling Group ELB Health Checks Implicit SSH for AWS EKS node group Elasticsearch in VPS Disabled Glue Data Catalog encryption Unsecured Encryption in transit for EFS volumes EFS Resources Protected By Backup Plan Disabled enforce https Unencrypted EBS Volumes Restrict public IP association on EC2 instance RDS Instance Deletion Protection Public READ bucket ACL nonhttps_load_balancer_cloudformation Disabled AWS Glue security encryption EC2 Instance In VPC

Disabled Neptune logging High

Disabled Neptune logging is detected. Make sure to enable Neptune logging to analyse traffic patterns and troubleshoot security.

Detector ID

cloudformation/disabled-neptune-logging-cloudformation@v1.0

Category

Common Weakness Enumeration (CWE)

Tags

# aws-cloudformation

Noncompliant example

1Resources:
2  Resource:
3    Type: AWS::Neptune::DBCluster
4    DependsOn: NeptuneDBSG
5    Properties:
6      # Noncompliant: Neptune logging is not enabled.
7      BackupRetentionPeriod: !Ref BackupRetentionPeriod
8      DBClusterIdentifier: !Ref DBClusterIdentifier
9      DBClusterParameterGroupName: !Ref NeptuneDBClusterParameterGroup
10      DBSubnetGroupName: !Ref NeptuneDBSubnetGroup
11      IamAuthEnabled: !Ref IAMAuthEnabled
12      Port: !Ref Port
13      PreferredBackupWindow: !Ref NeptuneDBClusterPreferredBackupWindow
14      PreferredMaintenanceWindow: !Ref NeptuneDBClusterPreferredMaintenanceWindow
15      StorageEncrypted: true
16      VpcSecurityGroupIds:
17        - !Ref 'NeptuneDBSG'
18      Tags:
19        - Key: Name
20          Value: !Sub '${Env}-${AppName}-Cluster'

Compliant example

1Resources:
2  Resource:
3    Type: AWS::Neptune::DBCluster
4    DependsOn: NeptuneDBSG
5    Properties:
6      BackupRetentionPeriod: !Ref BackupRetentionPeriod
7      DBClusterIdentifier: !Ref DBClusterIdentifier
8      DBClusterParameterGroupName: !Ref NeptuneDBClusterParameterGroup
9      DBSubnetGroupName: !Ref NeptuneDBSubnetGroup
10      IamAuthEnabled: !Ref IAMAuthEnabled
11      Port: !Ref Port
12      PreferredBackupWindow: !Ref NeptuneDBClusterPreferredBackupWindow
13      PreferredMaintenanceWindow: !Ref NeptuneDBClusterPreferredMaintenanceWindow
14      # Compliant: Neptune logging is enabled.
15      EnableCloudwatchLogsExports: [ "audit" ]
16      StorageEncrypted: true
17      VpcSecurityGroupIds:
18        - !Ref 'NeptuneDBSG'
19      Tags:
20        - Key: Name
21          Value: !Sub '${Env}-${AppName}-Cluster'