AWS
Composite Recipes
Recipes that include further recipes, often including the individual recipes below.
Recipes
- Disable Instance Metadata Service version 1
- Enable API gateway caching
- Enable point-in-time recovery for DynamoDB
- Encrypt Aurora clusters
- Encrypt CodeBuild projects
- Encrypt DAX storage at rest
- Encrypt DocumentDB storage
- Encrypt EBS snapshots
- Encrypt EBS volume launch configurations
- Encrypt EBS volumes
- Encrypt EFS Volumes in ECS Task Definitions in transit
- Encrypt ElastiCache Redis at rest
- Encrypt ElastiCache Redis in transit
- Encrypt Neptune storage
- Encrypt RDS clusters
- Encrypt Redshift storage at rest
- Ensure AWS CMK rotation is enabled
- Ensure AWS EFS with encryption for data at rest is enabled
- Ensure AWS EKS cluster endpoint access is publicly disabled
- Ensure AWS Elasticsearch domain encryption for data at rest is enabled
- Ensure AWS Elasticsearch domains have EnforceHTTPS enabled
- Ensure AWS Elasticsearch has node-to-node encryption enabled
- Ensure AWS IAM password policy has a minimum of 14 characters
- Ensure AWS Lambda function is configured for function-level concurrent execution limit
- Ensure AWS Lambda functions have tracing enabled
- Ensure AWS RDS database instance is not publicly accessible
- Ensure AWS S3 object versioning is enabled
- Ensure Amazon EKS control plane logging enabled for all log types
- Ensure CloudTrail log file validation is enabled
- Ensure EC2 is EBS optimized
- Ensure ECR repositories are encrypted
- Ensure IAM password policy expires passwords within 90 days or less
- Ensure IAM password policy prevents password reuse
- Ensure IAM password policy requires at least one lowercase letter
- Ensure IAM password policy requires at least one number
- Ensure IAM password policy requires at least one symbol
- Ensure IAM password policy requires at least one uppercase letter
- Ensure Kinesis Stream is securely encrypted
- Ensure RDS database has IAM authentication enabled
- Ensure RDS instances have Multi-AZ enabled
- Ensure VPC subnets do not assign public IP by default
- Ensure data stored in an S3 bucket is securely encrypted at rest
- Ensure detailed monitoring for EC2 instances is enabled
- Ensure enhanced monitoring for Amazon RDS instances is enabled
- Ensure respective logs of Amazon RDS are enabled
- Ensure the S3 bucket has access logging enabled
- Make ECR tags immutable
- Scan images pushed to ECR
- Use HTTPS for Cloudfront distribution