in src/packs/aws-solutions.ts [193:338]
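/**
 * Applies the AWS Solutions compute checks (Elastic Beanstalk, EC2, ECR, ECS and
 * Classic/Elastic Load Balancing) to one CloudFormation resource.
 *
 * The rule table below pairs each rule with the user-facing `info`/`explanation`
 * text and severity that are reported when it fails; `applyRule` (defined
 * elsewhere in this class) decides whether a rule is relevant to `node` and
 * emits the finding. Entries are applied in the original order so rule IDs and
 * reported output are unchanged.
 *
 * Fixes in the reported text: EB1 was missing the noun ("non-default VPC") and
 * misspelled "separate"; ELB2 repeated "to to".
 *
 * @param node the CloudFormation resource being inspected
 */
private checkCompute(node: CfnResource): void {
  const computeRules = [
    {
      suffix: 'EB1',
      info: 'The Elastic Beanstalk environment is not configured to use a specific VPC.',
      explanation:
        'Use a non-default VPC in order to separate your environment from default resources.',
      level: NagMessageLevel.ERROR,
      rule: ElasticBeanstalkVPCSpecified,
    },
    {
      suffix: 'EB3',
      info: 'The Elastic Beanstalk environment does not have managed updates enabled.',
      explanation:
        'Enable managed platform updates for beanstalk environments in order to receive bug fixes, software updates and new features. Managed platform updates perform immutable environment updates.',
      level: NagMessageLevel.ERROR,
      rule: ElasticBeanstalkManagedUpdatesEnabled,
    },
    {
      // Only a WARN: log retention is advisory here, unlike the ERROR-level checks.
      suffix: 'EB4',
      info: 'The Elastic Beanstalk environment does not upload EC2 Instance logs to S3.',
      explanation:
        'Beanstalk environment logs should be retained and uploaded to Amazon S3 in order to keep the logging data for future audits, historical purposes or to track and analyze the EB application environment behavior for a long period of time.',
      level: NagMessageLevel.WARN,
      rule: ElasticBeanstalkEC2InstanceLogsToS3,
    },
    {
      // Open ingress: both the IPv4 and IPv6 any-address ranges are called out.
      suffix: 'EC23',
      info: 'The Security Group allows for 0.0.0.0/0 or ::/0 inbound access.',
      explanation:
        'Large port ranges, when open, expose instances to unwanted attacks. More than that, they make traceability of vulnerabilities very difficult. For instance, your web servers may only require 80 and 443 ports to be open, but not all. One of the most common mistakes observed is when all ports for 0.0.0.0/0 range are open in a rush to access the instance. EC2 instances must expose only to those ports enabled on the corresponding security group level.',
      level: NagMessageLevel.ERROR,
      rule: EC2RestrictedInbound,
    },
    {
      // Data-at-rest protection for EBS volumes.
      suffix: 'EC26',
      info: 'The EBS volume has encryption disabled.',
      explanation:
        "With EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. EBS encryption uses KMS keys when creating encrypted volumes and snapshots. This helps protect data at rest.",
      level: NagMessageLevel.ERROR,
      rule: EC2EBSVolumeEncrypted,
    },
    {
      suffix: 'EC27',
      info: 'The Security Group does not have a description.',
      explanation:
        'Descriptions help simplify operations and remove any opportunities for operator errors.',
      level: NagMessageLevel.ERROR,
      rule: EC2SecurityGroupDescription,
    },
    {
      suffix: 'EC28',
      info: 'The EC2 instance/AutoScaling launch configuration does not have detailed monitoring enabled.',
      explanation:
        'Monitoring data helps make better decisions on architecting and managing compute resources.',
      level: NagMessageLevel.ERROR,
      rule: EC2InstanceDetailedMonitoringEnabled,
    },
    {
      suffix: 'EC29',
      info: 'The EC2 instance is not part of an ASG and has Termination Protection disabled.',
      explanation:
        'Termination Protection safety feature enabled in order to protect the instances from being accidentally terminated.',
      level: NagMessageLevel.ERROR,
      rule: EC2InstanceTerminationProtection,
    },
    {
      // Wildcard principals in a repository policy expose images to any caller.
      suffix: 'ECR1',
      info: 'The ECR Repository allows open access.',
      explanation:
        'Removing * principals in an ECR Repository helps protect against unauthorized access.',
      level: NagMessageLevel.ERROR,
      rule: ECROpenAccess,
    },
    {
      suffix: 'ECS4',
      info: 'The ECS Cluster has CloudWatch Container Insights disabled.',
      explanation:
        'CloudWatch Container Insights allow operators to gain a better perspective on how the cluster’s applications and microservices are performing.',
      level: NagMessageLevel.ERROR,
      rule: ECSClusterCloudWatchContainerInsights,
    },
    {
      suffix: 'ECS7',
      info: 'The ECS Task Definition does not have awslogs logging enabled at the minimum.',
      explanation:
        'Container logging allows operators to view and aggregate the logs from the container.',
      level: NagMessageLevel.ERROR,
      rule: ECSTaskDefinitionContainerLogging,
    },
    {
      suffix: 'ELB1',
      info: 'The CLB is used for incoming HTTP/HTTPS traffic. Use ALBs instead.',
      explanation:
        'HTTP/HTTPS applications (monolithic or containerized) should use the ALB instead of the CLB for enhanced incoming traffic distribution, better performance and lower costs.',
      level: NagMessageLevel.ERROR,
      rule: CLBNoInboundHttpHttps,
    },
    {
      // Access logs are the audit trail used when investigating traffic incidents.
      suffix: 'ELB2',
      info: 'The ELB does not have access logs enabled.',
      explanation:
        'Access logs allow operators to analyze traffic patterns and identify and troubleshoot security issues.',
      level: NagMessageLevel.ERROR,
      rule: ELBLoggingEnabled,
    },
    {
      suffix: 'ELB3',
      info: 'The CLB does not have connection draining enabled.',
      explanation:
        'With Connection Draining feature enabled, if an EC2 backend instance fails health checks The CLB will not send any new requests to the unhealthy instance. However, it will still allow existing (in-flight) requests to complete for the duration of the configured timeout.',
      level: NagMessageLevel.ERROR,
      rule: CLBConnectionDraining,
    },
    {
      suffix: 'ELB4',
      info: 'The CLB does not use at least two AZs with the Cross-Zone Load Balancing feature enabled.',
      explanation:
        'CLBs can distribute the traffic evenly across all backend instances. To use Cross-Zone Load Balancing at optimal level, the system should maintain an equal EC2 capacity distribution in each of the AZs registered with the load balancer.',
      level: NagMessageLevel.ERROR,
      rule: ELBCrossZoneLoadBalancingEnabled,
    },
    {
      // Transport encryption between clients and the load balancer.
      suffix: 'ELB5',
      info: 'The CLB listener is not configured for secure (HTTPs or SSL) protocols for client communication.',
      explanation:
        'The HTTPs or SSL protocols enable secure communication by encrypting the communication between the client and the load balancer.',
      level: NagMessageLevel.ERROR,
      rule: ELBTlsHttpsListenersOnly,
    },
  ];

  // Dispatch every entry against the same node; relevance filtering happens in applyRule.
  for (const entry of computeRules) {
    this.applyRule({
      ruleSuffixOverride: entry.suffix,
      info: entry.info,
      explanation: entry.explanation,
      level: entry.level,
      rule: entry.rule,
      node: node,
    });
  }
}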