aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Can we align the resources to CIS standards from Security Hub? #262

Closed sbe-arg closed 5 months ago

sbe-arg commented 6 months ago

Some of the resources don't follow CIS standards such as S3 encryption.

Will update the issue with the list of resources and CIS failed controls so it can be properly tracked.

aijunpeng commented 5 months ago

Thanks for opening this issue. All the S3 buckets created by the WAF solution have encryption configured by default, and objects are automatically encrypted by using server-side encryption with Amazon S3 managed keys (SSE-S3). Could you check if your buckets are created by this solution and haven't been changed on your end? Also, what are the details of your S3 buckets and the security findings?
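One way to run the check asked for in the reply above, as an added example that is not part of the thread or the solution's own code: it reads responses shaped like boto3's `get_bucket_tagging` and `get_bucket_encryption` output and reports, per bucket, whether CloudFormation created it in the given stack and which default encryption algorithm is set. The stack name, bucket names and sample responses are constructed.

```python
# Added example. Inputs mirror the shape of boto3 s3.get_bucket_tagging() and
# s3.get_bucket_encryption() responses; a lookup that found no tag set or no
# encryption configuration is represented as None.

STACK_TAG = "aws:cloudformation:stack-name"  # tag CloudFormation puts on buckets it creates


def stack_of(tagging):
    """Return the CloudFormation stack name from a tagging response, or None."""
    for tag in (tagging or {}).get("TagSet", []):
        if tag.get("Key") == STACK_TAG:
            return tag.get("Value")
    return None


def default_encryption(enc):
    """Return the default SSE algorithm (e.g. 'AES256' for SSE-S3), or None."""
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def triage(buckets, stack_name):
    """Map bucket name -> (created_by_stack, default_sse_algorithm)."""
    return {
        name: (stack_of(b.get("tagging")) == stack_name,
               default_encryption(b.get("encryption")))
        for name, b in buckets.items()
    }


def _enc(algo):
    return {"ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algo}}]}}


# Constructed sample data; "waf-demo-stack" is a hypothetical stack name.
SAMPLE = {
    "waf-demo-logs": {"tagging": {"TagSet": [{"Key": STACK_TAG, "Value": "waf-demo-stack"}]},
                      "encryption": _enc("AES256")},
    "waf-demo-access": {"tagging": {"TagSet": [{"Key": STACK_TAG, "Value": "waf-demo-stack"}]},
                        "encryption": None},  # configuration removed after deployment
    "unrelated-bucket": {"tagging": None, "encryption": _enc("aws:kms")},
}

if __name__ == "__main__":
    for name, (ours, algo) in triage(SAMPLE, "waf-demo-stack").items():
        print(f"{name}: created_by_stack={ours} default_sse={algo}")
```

A bucket that belongs to the stack but reports no default algorithm is the case worth attaching to the issue along with the Security Hub finding.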