Service Screener

Foundational Technical Review

Assesses an AWS Partner's solution against a specific set of Amazon Web Services (AWS) best practices around security, performance, and operational processes that are most critical for customer success.
Read more

Summary: [Not available:33] | [Compliant:13] | [Need Attention:10]

Breakdown

Framework. Foundational Technical Review

Category	Rule ID	Compliance Status	Description	Reference
Partner hosted	HOST-001.1	Not available
Partner hosted	HOST-001.2	Not available
Partner hosted	HOST-001.3	Not available
Support level	SUP-001.1	Need Attention	[supportPlanLowTier] - Subscribe to the AWS Business Support tier (or higher) [GLOBAL]Account::Config	AWS Support Plan Guide
Architecture review	WAFR-001.1	Not available
Architecture review	WAFR-001.2	Not available
Architecture review	WAFR-002.1	Not available
AWS root account	ARC-001.1	Compliant	[rootConsoleLogin30days]
AWS root account	ARC-004.1	Compliant	[rootHasAccessKey]
AWS root account	ARC-005.1	Not available
Communications from AWS	ACOM-001.1	Need Attention	[hasAlternateContact] - Configure AWS account contacts [GLOBAL]Account::Config	Alternate Contact
Communications from AWS	ACOM-002.1	Not available
Identity and Access Management	IAM-001.1	Need Attention	[mfaActive] [rootMfaActive] - Enable MFA on root user [GLOBAL]User::root_id	AWS MFA IAM Best Practices
Identity and Access Management	IAM-002.1	Compliant	[passwordLastChange90] [passwordLastChange365] [hasAccessKeyNoRotate90days] [hasAccessKeyNoRotate30days]
Identity and Access Management	IAM-002.2	Not available
Identity and Access Management	IAM-002.3	Compliant	[NeedToEnableCloudTrail] [HasOneMultiRegionTrail] [enableGuardDuty]
Identity and Access Management	IAM-002.4	Not available
Identity and Access Management	IAM-003.1	Need Attention	[passwordPolicyWeak] [passwordPolicy] - Set a custom password policy. [GLOBAL]Account::Config [passwordPolicyLength] [passwordPolicyReuse]	IAM Password Policy
Identity and Access Management	IAM-004.1	Compliant	[noUsersFound]
Identity and Access Management	IAM-005.1	Compliant	[hasExternalIdentityProvider] [hasSSORoles]
Identity and Access Management	IAM-005.2	Compliant	[hasExternalIdentityProvider] [hasSSORoles]
Identity and Access Management	IAM-006.1	Need Attention	[InlinePolicyFullAccessOneServ] - Limit access in policy [GLOBAL]Role::Cognito_dojoIdPAuth_Role, Role::Cognito_dojoIdPUnauth_Role [InlinePolicyFullAdminAccess] [ManagedPolicyFullAccessOneServ] - Limit permissions. [GLOBAL]Role::CodeStarWorker-dojo-ToolChain, Role::OrthancRole [FullAdminAccess] - Limit permissions. [GLOBAL]Role::AWSReservedSSO_AWSAdministratorAccess_fae89f7963febc98, Role::DojoEC2AdminRole, Role::EC2AdminRole, Role::itadmin, Role::OrganizationAccountAccessRole, Role::PACICloudFormationStackSetExecutionRole, Role::ServiceScreenerAutomationRole, Role::stacksets-exec-7ca18804340a75b25a831ca17fba8659	AWS Docs AWS Docs AWS Docs Organization GuardRail Blog
Identity and Access Management	IAM-007.1	Need Attention	[consoleLastAccess90] [consoleLastAccess365] [consoleLastAccess45] [unusedRole] - Review & remove inactive roles [GLOBAL]Role::AccessAnalyzerTrustedService, Role::AlpoTrustedServiceRole, Role::AVMContainersUserRole, Role::aws-ec2-spot-fleet-tagging-role, Role::awslogs.prod.kelex.molecule.toppatterns, Role::AWSReservedSSO_AWSAdministratorAccess_fae89f7963febc98, Role::AWSVAPTAudit, Role::CloudSecAuditRole, Role::CloudSeerTrustedServiceRole, Role::CodeDeployRole, Role::CodeGuruProfilerForwardToAmazonProfiler, Role::CodeStarWorker-dojo-CloudFormation, Role::CodeStarWorker-dojo-ToolChain, Role::CodeStarWorker-dojo-WebApp, Role::Cognito_dojoIdPAuth_Role, Role::Cognito_dojoIdPUnauth_Role, Role::DocumentUnderstandingSolutionCICD-CICDHelperRole-ERDSGV99V9GT, Role::DocumentUnderstandingSolutionCICD-CodeBuildRole-26NRX1QIOV08, Role::DocumentUnderstandingSolutionCICD-CodePipelineRole-12BUYRAKNJIEQ, Role::DojoEC2AdminRole, Role::EC2AdminRole, Role::EC2CapacityReservationService, Role::EpoxyAccessRole, Role::itadmin, Role::PACICloudFormationStackSetAdministrationRole, Role::PACICloudFormationStackSetExecutionRole, Role::SaltyTrustedService, Role::ServiceScreenerAssumeRole, Role::ServiceScreenerAutomationRole, Role::ShadowTrooperRole, Role::stacksets-exec-7ca18804340a75b25a831ca17fba8659, Role::TurtleRoleManagement [userNoActivity90days]	AWS Blog
Identity and Access Management	IAM-008.1	Not available
Identity and Access Management	IAM-009.1	Not available
Identity and Access Management	IAM-010.1	Compliant	[NeedToEnableCloudTrail]
Identity and Access Management	IAM-011.1	Not available
Identity and Access Management	IAM-012.1	Compliant	[EC2IamProfile]
Identity and Access Management	IAM-012.2	Not available
Operational security	SECOPS-001	Not available
Network security	NETSEC-001.1	Compliant	[SGDefaultInUsed] [SGSensitivePortOpenToAll] [SGAllOpenToAll] [SGAllOpen]
Network security	NETSEC-001.2	Compliant	[SGSensitivePortOpenToAll]
Network security	NETSEC-002.1	Compliant	[EC2InstancePublicIP]
Backups and recovery	BAR-001.1	Need Attention	[EBSSnapshot] [Backup] [BackupTooLow] [backupStatus] [enabledContinuousBackup] [hasAWSBackupPlans] - Configure AWS Backup plans [GLOBAL]Account::Config [BucketVersioning] - Enable Versioning [ap-southeast-1]Bucket::aws-codestar-ap-southeast-1-961319563195, Bucket::codepipeline-ap-southeast-1-183991447891, Bucket::config-bucket-961319563195, Bucket::documentunderstandingsolutioncicd-devoutputbucket-1m11zxjc9fhd6, Bucket::dojo-logs, Bucket::kuettai-solutions-bucket-ap-southeast-1 [us-east-1]Bucket::cloudtrail-awslogs-961319563195-pyvnhwtz-isengard-do-not-delete, Bucket::kuettai-dojo01	AWS Backup Getting Started AWS Docs Manage Versioning Example
Backups and recovery	BAR-002.1	Not available
Backups and recovery	BAR-002.2	Not available
Resiliency	RES-001.1	Not available
Resiliency	RES-002.1	Not available
Resiliency	RES-004.1	Not available
Resiliency	RES-005.1	Not available
Resiliency	RES-006.1	Not available
Resiliency	RES-006.2	Not available
Resiliency	RES-007.1	Not available
Amazon S3 bucket access	S3-001.1	Compliant	[PublicAccessBlock] [PublicReadAccessBlock] [PublicWriteAccessBlock] [S3AccountPublicAccessBlock]
Cross-account access	CAA-001.1	Not available
Cross-account access	CAA-002.1	Not available
Cross-account access	CAA-003.1	Not available
Cross-account access	CAA-004.1	Not available
Cross-account access	CAA-005.1	Not available
Cross-account access	CAA-006.1	Not available
Cross-account access	CAA-007.1	Not available
Sensitive data	SDAT-001.1	Need Attention	[MacieToEnable] - Enable Macie [ap-southeast-1]Macie [us-east-1]Macie	Getting started with Amazon Macie
Sensitive data	SDAT-002.1	Need Attention	[EBSEncrypted] [ServerSideEncrypted] [SSEWithKMS] [StorageEncrypted] [RequiresKmsKey] - Enable SSE [ap-southeast-1]Cloudtrail::IsengardTrail-DO-NOT-DELETE	Encrypt CloudTrail using AWS KMS CloudTrail Security Best Practices
Sensitive data	SDAT-003.1	Need Attention	[SGEncryptionInTransit] - Encryption in Transit [ap-southeast-1]SG::sg-34753642 [us-east-1]SG::sg-9b3e45a4 [TlsEnforced] - Enforce Encryption of Data in Transit [ap-southeast-1]Bucket::aws-codestar-ap-southeast-1-961319563195, Bucket::aws-codestar-ap-southeast-1-961319563195-dojo-pipe, Bucket::config-bucket-961319563195, Bucket::documentunderstandingsolutioncic-artifacts3bucket-dtr9a8q6yj2h, Bucket::documentunderstandingsolutioncicd-devoutputbucket-1m11zxjc9fhd6, Bucket::dojo-logs, Bucket::kuettai-solutions-bucket-ap-southeast-1 [us-east-1]Bucket::kuettai-dojo01	Data protection in Amazon EC2 AWS Docs
Regulatory compliance validation process	RCVP-001.1	Not available
Regulatory compliance validation process	RCVP-001.2	Not available

FTR

Foundational Technical Review

Summary: [Not available:33] | [Compliant:13] | [Need Attention:10]

Breakdown

Framework. Foundational Technical Review