stelligent / cfn_nag

Linting tool for CloudFormation templates
MIT License
1.25k stars 210 forks

Existing aws config rules that can be added to cfn-nag #503

Open pethers opened 3 years ago

pethers commented 3 years ago

To get better coverage of encryption and make sure no public instances are created by mistake.

Encryption

https://asecure.cloud/a/cfgrule_eks-secrets-encrypted/ (Done)
https://asecure.cloud/a/cfgrule_dax-encryption-enabled/ (Done)
https://asecure.cloud/a/cfgrule_cloudwatch-log-group-encrypted/ (Done)
https://asecure.cloud/a/cfgrule_api-gw-cache-enabled-and-encrypted/ (adjusted to only check for encryption, https://github.com/stelligent/cfn_nag/pull/519) (Done)
https://asecure.cloud/a/cfgrule_elasticsearch-node-to-node-encryption-check/ (Done)

Public

https://asecure.cloud/a/cfgrule_elasticsearch-in-vpc-only/ (https://github.com/stelligent/cfn_nag/pull/528)
https://asecure.cloud/a/cfgrule_emr-master-no-public-ip/ (hard to do)
https://asecure.cloud/a/cfgrule_dms-replication-not-public/ (https://github.com/stelligent/cfn_nag/pull/529)
https://asecure.cloud/a/cfgrule_eks-endpoint-no-public-access/ (hard to do)
https://asecure.cloud/a/cfgrule_lambda-inside-vpc/ (https://github.com/stelligent/cfn_nag/pull/527)

Limits

https://asecure.cloud/a/cfgrule_lambda-concurrency-check/ (https://github.com/stelligent/cfn_nag/pull/530)

Audit retention

https://asecure.cloud/a/cfgrule_cw-loggroup-retention-period-check/ (Done)
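A standalone Ruby checker, added here as an illustration and not code from cfn_nag or from this issue, that expresses several of the Config rules listed above as property checks over a CloudFormation template. The resource types and property names are the CloudFormation ones; the check names, the CHECKS table and the sample template are constructed for the example.

```ruby
require 'yaml'

# Resource type => list of [check name, predicate returning true when COMPLIANT].
# Modelled on the Config rules listed in the issue (names constructed, not cfn_nag rule ids).
CHECKS = {
  'AWS::Lambda::Function' => [
    ['lambda-inside-vpc', ->(p) { p.key?('VpcConfig') }]
  ],
  'AWS::Logs::LogGroup' => [
    ['cloudwatch-log-group-encrypted', ->(p) { p.key?('KmsKeyId') }],
    ['cw-loggroup-retention-period-check', ->(p) { p.key?('RetentionInDays') }]
  ],
  'AWS::DAX::Cluster' => [
    ['dax-encryption-enabled', ->(p) { p.dig('SSESpecification', 'SSEEnabled') == true }]
  ],
  'AWS::Elasticsearch::Domain' => [
    ['elasticsearch-in-vpc-only', ->(p) { p.key?('VPCOptions') }],
    ['elasticsearch-node-to-node-encryption-check',
     ->(p) { p.dig('NodeToNodeEncryptionOptions', 'Enabled') == true }]
  ]
}.freeze

# Returns [logical_id, check_name] pairs for every resource that fails a check.
def audit_template(template_yaml)
  template = YAML.safe_load(template_yaml)
  findings = []
  (template['Resources'] || {}).each do |logical_id, resource|
    checks = CHECKS[resource['Type']] or next
    props = resource['Properties'] || {}
    checks.each { |name, ok| findings << [logical_id, name] unless ok.call(props) }
  end
  findings
end

# Constructed sample template: one compliant domain, one unencrypted log group,
# one Lambda without VpcConfig (YAML intrinsic tags deliberately avoided).
SAMPLE_TEMPLATE = <<~YAML
  Resources:
    AppLogs:
      Type: AWS::Logs::LogGroup
      Properties: { RetentionInDays: 90 }
    SearchDomain:
      Type: AWS::Elasticsearch::Domain
      Properties:
        VPCOptions: { SubnetIds: [subnet-00000000] }
        NodeToNodeEncryptionOptions: { Enabled: true }
    Worker:
      Type: AWS::Lambda::Function
      Properties: { Runtime: python3.9, Handler: index.handler, Code: { ZipFile: "pass" } }
YAML

audit_template(SAMPLE_TEMPLATE).each { |id, name| puts "#{id}: fails #{name}" }
```

Whether a missing VpcConfig should be a finding at all depends on the deployment, which is the point raised in the next comment.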

arturlr commented 3 years ago

I believe there is a misconception that having services in a VPC makes them more secure. I recently received a Lambda warning in a completely serverless solution, where adding the Lambda to a VPC would make no sense. The same idea goes for ElasticSearch, as it would make more sense to evaluate the ES policy when ElasticSearch is not in a VPC.

I'd suggest removing the VPC warning for services that are not in a VPC.