nshawahna/kms/awn-107597

README.md

@@ -128,6 +128,10 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
         * [S3 Bucket All Users Policy](en/aws/s3/s3-bucket-all-users-policy.md)
         * [S3 Bucket Logging](en/aws/s3/s3-bucket-logging.md)
         * [S3 Bucket Versioning](en/aws/s3/s3-bucket-versioning.md)
+        * [S3 Bucket Lifecycle Configuration](en/aws/s3/s3-bucket-lifecycle-configuration.md)
+        * [S3 DNS Compliant Bucket Names](en/aws/s3/s3-dns-compliant-bucket-names.md)
+        * [S3 Transfer Acceleration Enabled](en/aws/s3/s3-transfer-acceleration-enabled.md)
+        * [S3 Versioned Buckets Lifecycle Configuration](en/aws/s3/s3-versioned-buckets-lifecycle-configuration.md)
     * SES
         * [Email DKIM Enabled](en/aws/ses/email-dkim-enabled.md)
     * SNS
@@ -481,4 +485,4 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
 
 ## Contributing
 
-Please see the [contributor's guide](.github/CONTRIBUTING.md).
+Please see the [contributor's guide](.github/CONTRIBUTING.md).

en/aws/glacier/S3-glacier-vault-public-access.md

@@ -0,0 +1,25 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AWS / Glacier / S3 Glacier Vault Public Access
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | S3 Glacier Vault Public Access |
+| **Cloud** | AWS |
+| **Category** | Glacier |
+| **Description** | Ensure that S3 Glacier Vault public access block is enabled for the account. |
+| **More Info** | Blocking S3 Glacier Vault public access at the account level ensures objects are not accidentally exposed. |
+| **AWS Link** | http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html |
+| **Recommended Action** | Add access policy for the S3 Glacier Vault to block public access for the AWS account. |
+
+## Detailed Remediation Steps
+1. Log into the AWS Management Console. </br>
+2. Select the "Services" option and search for S3 Glacier. </br> <img src="/resources/aws/glacier/s3-glacier-vault-public-access/step2.png" />
+3. On the navigation pane to the left, click on vaults. </br><img src="/resources/aws/glacier/s3-glacier-vault-public-access/step3.png" />
+4. Click the vault name that you need you need to edit its policy to block public access. </br><img src="/resources/aws/glacier/s3-glacier-vault-public-access/step4.png" />
+5. Select Vault Policies tab. </br><img src="/resources/aws/glacier/s3-glacier-vault-public-access/step5.png" />
+6. Click on Edit vault access policy. </br><img src="/resources/aws/glacier/s3-glacier-vault-public-access/step6.png" />
+7. Edit the policy by removing public access (e.g. "Resource": "*" or "Principal": "*", and "Effect": "Allow") and make sure the policy grant access only to fixed values (values that don't contain a wildcard or an AWS Identity and Access Management Policy Variable). </br>
+8. See this resource to understand when a policy considered public: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html#access-control-block-public-access-policy-status </br>

en/aws/kms/app-tier-kms-customer-master-key-(cmk).md

@@ -0,0 +1,30 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AWS / KMS / App-Tier KMS Customer Master Key (CMK)
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | App-Tier KMS Customer Master Key (CMK) |
+| **Cloud** | AWS |
+| **Category** | KMS |
+| **Description** | Ensures that there is one Amazon KMS Customer Master Key (CMK) present in the account for App-Tier resources. |
+| **More Info** | Amazon KMS should have Customer Master Key (CMK) for App-Tier to protect data in transit. |
+| **AWS Link** | https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html |
+| **Recommended Action** | Create a Customer Master Key (CMK) with App-Tier tag |
+
+## Detailed Remediation Steps
+1. Log into the AWS Management Console. </br>
+2. Select the "Services" option and search for KMS. </br>
+3. To change the AWS Region, use the Region selector in the upper-right corner of the page. </br>
+4. In the navigation pane, choose Customer managed keys. </br>
+5. Choose Create key. </br>
+4. Select the key type. If you are creating a KMS key to encrypt data you store or manage in an AWS service, create a symmetric encryption KMS key, this list of AWS services that are integrated with AWS KMS use only symmetric encryption KMS keys https://aws.amazon.com/kms/features/#AWS_Service_Integration. </br>
+5. For help deciding which type of KMS key to create see https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose </br>
+6. On the "Add alias and description" page provide the "Alias" and "Description" for the new "KMS key" and click on the "Next" button. </br> 
+7. On the "Add tags" page provide a unique key for "Tag key","Tag value" and click on the "Next" button.</br>
+8. On the "Define key administrative permissions" page select the "IAM users" and roles who can administer the new "KMS key" through the KMS API.</br> 
+9. Click on the "Next" button at the bottom to continue the new "KMS key" process.</br> 
+10. On the "Define key usage permissions" page select the IAM users and roles that can use the CMK to encrypt and decrypt data with the "AWS KMS API" and click on the "Next" button.<br> 
+11. On the "Review and edit key policy" page review the policy and click on the "Finish" button to create a new "KMS key" which can be used to encrypt/decrypt the data.</br>

en/aws/kms/kms-duplicate-grants.md

@@ -0,0 +1,23 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AWS / KMS / KMS Duplicate Grants
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | KMS Duplicate Grants |
+| **Cloud** | AWS |
+| **Category** | KMS |
+| **Description** | Ensure that AWS KMS keys does not have duplicate grants to adhere to AWS security best practices. |
+| **More Info** | Duplicate grants have the same key ARN, API actions, grantee principal, encryption context, and name. If you retire or revoke the original grant but leave the duplicates, the leftover duplicate grants constitute unintended escalations of privilege. |
+| **AWS Link** | http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html |
+| **Recommended Action** | Delete duplicate grants for AWS KMS keys |
+
+## Detailed Remediation Steps
+1. Log into the AWS Management Console. </br>
+2. Select the "Services" option and search for KMS. </br>
+3. To delete a grant, retire or revoke it. </br>
+4. To identify the grant to retire, use a grant token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. </br>
+5. Follow this guide https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html to retire grant either by sending a request or using language-specific AWS SDKs. </br> 
+6. To revoke a grant follow this document https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html </br>

en/aws/kms/kms-grant-least-privilege.md

@@ -0,0 +1,15 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AWS / KMS / KMS Grant Least Privilege
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | KMS Grant Least Privilege |
+| **Cloud** | AWS |
+| **Category** | KMS |
+| **Description** | Ensure that AWS KMS key grants use the principle of least privileged access |
+| **More Info** | AWS KMS key grants should be created with minimum set of permissions required by grantee principal to adhere to AWS security best practices |
+| **AWS Link** | https://docs.aws.amazon.com/kms/latest/developerguide/grants.html |
+| **Recommended Action** | Create KMS grants with minimum permission required |

en/aws/lambda/lambda-tracing-enabled.md

@@ -0,0 +1,26 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AWS / Lambda / Lambda Tracing Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Lambda Tracing Enabled |
+| **Cloud** | AWS |
+| **Category** | Lambda |
+| **Description** | Ensures AWS Lambda functions have active tracing for X-Ray. |
+| **More Info** | AWS Lambda functions should have active tracing in order to gain visibility into the functions execution and performance. |
+| **AWS Link** | https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html |
+| **Recommended Action** | Modify Lambda functions to activate tracing. |
+
+## Detailed Remediation Steps
+1. Log into the AWS Management Console. </br>
+2. Select the "Services" option and search for Lambda. </br> 
+3. Scroll down the left navigation panel and choose "Functions".</br> 
+4. Select the Lambda function that needs to be verify from "Functions name".</br> 
+5. On the "Lambda Functions" page scroll down and choose "Configuration".</br>
+6. Scroll down the "Configuration" tab and choose the "Monitoring and operations tools". </br>
+7. Under X-Ray, toggle on Active tracing. </br>
+8. Click on the "Save" button at the top of the dashboard.</br>
+9. Repeat steps 4 - 8 to enable active tracing for other "Lambda functions" in the selected region.</br>

en/aws/s3/s3-bucket-lifecycle-configuration.md

@@ -0,0 +1,27 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AWS / S3 / S3 Bucket Lifecycle Configuration
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | S3 Bucket Lifecycle Configuration |
+| **Cloud** | AWS |
+| **Category** | S3 |
+| **Description** | Ensures that S3 buckets have lifecycle configuration enabled to automatically transition S3 bucket objects. |
+| **More Info** | S3 bucket should have lifecycle configuration enabled to automatically downgrade the storage class for your objects. |
+| **AWS Link** | https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-set-lifecycle-configuration-intro.html |
+| **Recommended Action** | Update S3 bucket and create lifecycle rule configuration. |
+
+## Detailed Remediation Steps
+1. Log into the AWS Management Console. </br>
+2. Select the "Services" option and search for S3. </br>
+3. Scroll down the left navigation pane and choose "Buckets".</br> 
+4. Select the "Bucket" that needs to add policy to and click on its identifier(name) from the "Bucket name" column.</br>
+5. Click on the "Management" tab on the top menu. </br>
+6. Click on Create Lifecycle rule. </br>
+7. Choose the rule scope (all bucket objects OR limit scope to specific objects using filters/ tags prefix) . </br>
+8. Check Lifecycle rule actions you need to apply. </br>
+9. Click on the "Save" button to make the necessary changes. </br>
+10. Repeat steps number 4 - 9 to enable lifecycle configurations in other S3 buckets.</br>

en/aws/s3/s3-dns-compliant-bucket-names.md

@@ -0,0 +1,15 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AWS / S3 / S3 DNS Compliant Bucket Names
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | S3 DNS Compliant Bucket Names |
+| **Cloud** | AWS |
+| **Category** | S3 |
+| **Description** | Ensures that S3 buckets have DNS complaint bucket names. |
+| **More Info** | S3 bucket names must be DNS-compliant and not contain period "." to enable S3 Transfer Acceleration and to use buckets over SSL. |
+| **AWS Link** | https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html |
+| **Recommended Action** | Recreate S3 bucket to use "-" instead of "." in S3 bucket names. |

en/aws/s3/s3-transfer-acceleration-enabled.md

@@ -0,0 +1,26 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AWS / S3 / S3 Transfer Acceleration Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | S3 Transfer Acceleration Enabled |
+| **Cloud** | AWS |
+| **Category** | S3 |
+| **Description** | Ensures that S3 buckets have transfer acceleration enabled to increase the speed of data transfers. |
+| **More Info** | S3 buckets should have transfer acceleration enabled to increase the speed of data transfers in and out of Amazon S3 using AWS edge network. |
+| **AWS Link** | https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration-examples.html |
+| **Recommended Action** | Modify S3 bucket to enable transfer acceleration. |
+
+## Detailed Remediation Steps
+1. Log into the AWS Management Console. </br>
+2. Select the "Services" option and search for S3. </br>
+3. Scroll down the left navigation pane and Click on "Buckets".</br> 
+4. Select the "Bucket" that needs to add policy to and click on its identifier(name) from the "Bucket name" column.</br>
+5. Click on the "Properties" tab on the top menu. </br>
+6. Click Edit Transfer acceleration. </br>
+7. Select Enable. </br> 
+8. Click on the "Save" button to make the necessary changes. </br>
+9. Repeat steps 4 - 8 to enable transfer accelaration for other S3 buckets in the region. </br>

en/aws/s3/s3-versioned-buckets-lifecycle-configuration.md

@@ -0,0 +1,28 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AWS / S3 / S3 Versioned Buckets Lifecycle Configuration
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | S3 Versioned Buckets Lifecycle Configuration |
+| **Cloud** | AWS |
+| **Category** | S3 |
+| **Description** | Ensure that S3 buckets having versioning enabled also have lifecycle policy configured for non-current objects. |
+| **More Info** | When object versioning is enabled on a bucket, every modification/update to an object results in a new version of the object that will be stored indefinitely. Enable a lifecycle policy, so that non-current object versions are removed or transitioned in a predictable manner. |
+| **AWS Link** | https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-to-set-lifecycle-configuration-intro.html |
+| **Recommended Action** | Configure lifecycle rules for buckets which have versioning enabled. |
+
+## Detailed Remediation Steps
+1. Log into the AWS Management Console. </br>
+2. Select the "Services" option and search for S3. </br>
+3. Scroll down the left navigation pane and choose "Buckets".</br> 
+4. Select the "Bucket" that needs to create lifecycle rule for by clicking on its identifier(name) from the "Bucket name" column.</br>
+5. Click on the "Management" tab on the top menu. </br>
+6. Click on Create Lifecycle rule. </br>
+7. Choose the rule scope (all bucket objects OR limit scope to specific objects using filters/ tags prefix) . </br>
+8. Check Lifecycle rule actions you need to apply. </br>
+9. Make sure to specify a rule for Move noncurrent versions of objects between storage classes. </br>
+10. Click on the "Save" button to make the necessary changes. </br>
+11. Repeat steps 4 - 10 to enable lifecycle configurations in other S3 buckets.</br>

en/azure/virtualmachines/auto-instance-repairs.md

@@ -0,0 +1,27 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Virtual Machines / Automatic Instance Repairs Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Automatic Instance Repairs Enabled |
+| **Cloud** | AZURE |
+| **Category** | Virtual Machines |
+| **Description** | Ensures that automatic instance repairs is enabled for Azure virtual machine scale sets. |
+| **More Info** | Enabling automatic instance repairs for Azure virtual machine scale sets helps achieve high availability for applications by maintaining a set of healthy instances. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs |
+| **Recommended Action** | Enable automatic instance repairs for Azure virtual machine scale sets. |
+
+## Detailed Remediation Steps
+
+{Listed Remediation Steps}
+1. Log into the Microsoft Azure Management Console.
+2. Select the "Search resources, services, and docs" option at the top and search for "Virtual machine scale sets".
+3. Select the scale set by clicking on the "Name" link.
+4. Select "Health and Repair" in the left hand menu under Settings.
+5. Select "Enabled" in Enable application health monitoring.
+6. Select "On" for Enable automatic repairs. Note that the "Health" extension will need to be added to the Virtual Machines associated with this scale set and the scale set may need restarted prior to the changes successfully being made.
+7. Save the changes.
+8. Repeat steps 3-7 for all other scale sets.

en/azure/virtualmachines/auto-os-upgrades-enabled.md

@@ -0,0 +1,25 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Virtual Machines / Automatic OS Upgrades Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Automatic OS Upgrades Enabled |
+| **Cloud** | AZURE |
+| **Category** | Virtual Machines |
+| **Description** | Ensure that automatic operating system (OS) upgrades are enabled for Microsoft Azure virtual machine scale sets. |
+| **More Info** | Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for all instances in the scale set. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade |
+| **Recommended Action** | Enable automatic OS upgrades under operating system settings. |
+
+## Detailed Remediation Steps
+
+{Listed Remediation Steps}
+1. Log into the Microsoft Azure Management Console.
+2. Select the "Search resources, services, and docs" option at the top and search for "Virtual machine scale sets".
+3. Select the corresponding scale set by clicking on the "name" link
+4. Once the scale set is selected, select "Upgrade policy" in the left side menu under Settings.
+5. Select "Automatic" in the drop down menu for "Upgrade Mode" and save the changes.
+6. Repeat steps 3-5 for all applicable scale set instances.

en/azure/virtualmachines/disk-volumes-byok-encryption-enabled.md

@@ -0,0 +1,26 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Virtual Machines / Disk Volumes BYOK Encryption Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Disk Volumes BYOK Encryption Enabled |
+| **Cloud** | AZURE |
+| **Category** | Virtual Machines |
+| **Description** | Ensures that Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled. |
+| **More Info** | Encrypting virtual machine disk volumes helps protect and safeguard your data to meet organizational security and compliance commitments. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault |
+| **Recommended Action** | Ensure that virtual machine disks are created using BYOK encryption. |
+
+## Detailed Remediation Steps
+
+{Listed Remediation Steps}
+1. Log into the Microsoft Azure Management Console.
+2. Select the "Search resources, services, and docs" option at the top and search for Virtual Machines.
+3. Select the corresponding virtual machine by clicking on the "Name" link.
+4. In the left side menu, select "Disk" and click on the corresponding disk "Name" link.
+5. In the left side menu, select "Encryption" and change the Encryption type to one of the customer-managed key options. Select the appropriate encryption sets and then click "Save" to confirm the changes.
+6. Note that if no encryption sets are available, you will need to configure both the Azure "Key Vaults" as well as the "Disk Encryption Sets" resources. Please visit https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault for more information. 
+7. Repeat steps 3 - 6 for all other applicable virtual machines.