BPSets

The AWS best practices checker & fixer. Inspired by AWS config and skyuecx0630/bp-check but improved performance via async jobs and better memoization.

Also provides Web based UI powered by bootstrap!

Screenshots

BP List	Fixing Non Compliant

Features

• Web based UI
• Best Practice Checker
• Non Compliant Resource Fixer
• Categorized & Prioritized BPSet Lists
• Easy to Implement Best Practices

Implemented BPSets

• WAFv2LoggingEnabled: Ensures that AWS WAFv2 WebACLs have logging enabled.
• WAFv2RuleGroupLoggingEnabled: Ensures that AWS WAFv2 Rule Groups have logging enabled.
• WAFv2RuleGroupNotEmpty: Ensures WAFv2 Rule Groups are not empty and contain at least one rule.
• WAFv2WebACLNotEmpty: Ensures WAFv2 Web ACLs are not empty and contain at least one rule.
• EC2TransitGatewayAutoVPCAttachDisabled: Ensures that Transit Gateways have Auto VPC Attachments disabled.
• RestrictedCommonPorts: Ensures that common ports (e.g., SSH, HTTP, database ports) are not exposed to the public without proper restrictions.
• RestrictedSSH: Ensures SSH (port 22) is not accessible from 0.0.0.0/0 in security groups.
• SubnetAutoAssignPublicIPDisabled: Ensures that subnets do not automatically assign public IPs.
• VPCDefaultSecurityGroupClosed: Ensures that default VPC security groups have no ingress or egress rules.
• VPCFlowLogsEnabled: Ensures that VPC Flow Logs are enabled for all VPCs.
• VPCNetworkACLUnusedCheck: Ensures that unused network ACLs are identified and removed.
• VPCPeeringDNSResolutionCheck: Ensures that DNS resolution is enabled for all VPC peering connections.
• VPCSGOpenOnlyToAuthorizedPorts: Ensures that security group rules do not allow unrestricted access to unauthorized ports.
• SNSEncryptedKMS: Ensures that all SNS topics are encrypted with a KMS key.
• SNSTopicMessageDeliveryNotificationEnabled: Ensures that SNS topics have message delivery notifications enabled.
• SecurityHubEnabled: Ensures that AWS Security Hub is enabled for the AWS account.
• SecretsManagerRotationEnabledCheck: Ensures all Secrets Manager secrets have rotation enabled.
• SecretsManagerScheduledRotationSuccessCheck: Checks if Secrets Manager secrets have successfully rotated within their scheduled period.
• SecretsManagerSecretPeriodicRotation: Ensures that Secrets Manager secrets are rotated periodically (every 90 days).
• S3AccessPointInVpcOnly: Ensures that all S3 access points are restricted to a VPC.
• S3BucketDefaultLockEnabled: Ensures that all S3 buckets have default object lock configuration enabled.
• S3BucketLevelPublicAccessProhibited: Ensures that S3 buckets have public access blocked at the bucket level.
• S3BucketLoggingEnabled: Ensures that S3 buckets have logging enabled.
• S3BucketSSLRequestsOnly: Ensures that all S3 bucket requests are made using SSL.
• S3BucketVersioningEnabled: Ensures that versioning is enabled on all S3 buckets.
• S3DefaultEncryptionKMS: Ensures that all S3 buckets have default encryption enabled using AWS KMS.
• S3EventNotificationsEnabled: Ensures that S3 buckets have event notifications configured.
• S3LastBackupRecoveryPointCreated: Ensures that S3 buckets have recent backup recovery points.
• S3LifecyclePolicyCheck: Ensures that all S3 buckets have lifecycle policies configured.
• AuroraLastBackupRecoveryPointCreated: Ensures that Aurora DB clusters have a recovery point created within the last 24 hours.
• AuroraMySQLBacktrackingEnabled: Ensures that backtracking is enabled for Aurora MySQL clusters.
• DBInstanceBackupEnabled: Ensures that backups are enabled for RDS instances.
• RDSClusterAutoMinorVersionUpgradeEnabled: Ensures Auto Minor Version Upgrade is enabled for RDS clusters.
• RDSClusterDefaultAdminCheck: Ensures that RDS clusters do not use default administrative usernames (e.g., admin, postgres).
• RDSClusterDeletionProtectionEnabled: Ensures that RDS clusters have deletion protection enabled.
• RDSClusterEncryptedAtRest: Ensures that RDS clusters have encryption at rest enabled.
• RDSClusterIAMAuthenticationEnabled: Ensures that IAM Database Authentication is enabled for RDS clusters.
• RDSClusterMultiAZEnabled: Ensures that RDS clusters are deployed across multiple availability zones.
• RDSDBSecurityGroupNotAllowed: Ensures RDS clusters are not associated with the default security group.
• RDSEnhancedMonitoringEnabled: Ensures that Enhanced Monitoring is enabled for RDS instances.
• RDSInstancePublicAccessCheck: Ensures RDS instances are not publicly accessible.
• RDSLoggingEnabled: Ensures that logging is enabled for RDS clusters.
• RDSSnapshotEncrypted: Ensures RDS cluster snapshots are encrypted.
• LambdaDLQCheck: Ensures that Lambda functions have a configured Dead Letter Queue (DLQ).
• LambdaFunctionPublicAccessProhibited: Ensures that Lambda functions do not allow public access via their resource-based policies.
• LambdaFunctionSettingsCheck: Ensures Lambda functions have non-default timeout and memory size configurations.
• LambdaInsideVPC: Ensures Lambda functions are configured to run inside a VPC.
• IAMPolicyNoStatementsWithAdminAccess: Ensures IAM policies do not contain statements granting full administrative access.
• IAMPolicyNoStatementsWithFullAccess: Ensures IAM policies do not have statements granting full access.
• IAMRoleManagedPolicyCheck: Checks whether managed IAM policies are attached to any entities (roles, users, or groups).
• ElastiCacheAutoMinorVersionUpgradeCheck: Ensures that ElastiCache clusters have auto minor version upgrade enabled.
• ElastiCacheRedisClusterAutomaticBackupCheck: Ensures that Redis clusters in ElastiCache have automatic backups enabled.
• ElastiCacheReplGrpAutoFailoverEnabled: Ensures that automatic failover is enabled for ElastiCache replication groups.
• ElastiCacheReplGrpEncryptedAtRest: Ensures that ElastiCache replication groups are encrypted at rest.
• ElastiCacheReplGrpEncryptedInTransit: Ensures that ElastiCache replication groups have in-transit encryption enabled.
• ElastiCacheSubnetGroupCheck: Ensures ElastiCache clusters are not using the default subnet group.
• EKSClusterLoggingEnabled: Ensures that all EKS clusters have full logging enabled.
• EKSClusterSecretsEncrypted: Ensures that all EKS clusters have secrets encrypted with a KMS key.
• EKSEndpointNoPublicAccess: Ensures EKS cluster endpoint does not have public access enabled.
• EFSAccessPointEnforceRootDirectory: Ensures that EFS Access Points enforce a specific root directory.
• EFSAccessPointEnforceUserIdentity: Ensures that EFS Access Points enforce a specific PosixUser identity.
• EFSAutomaticBackupsEnabled: Ensures that EFS file systems have automatic backups enabled.
• EFSEncryptedCheck: Ensures that all EFS file systems are encrypted.
• EFSMountTargetPublicAccessible: Checks if EFS mount targets are publicly accessible.
• ECSAwsVpcNetworkingEnabled: Ensures that ECS task definitions are configured to use the awsvpc network mode.
• ECSContainerInsightsEnabled: Ensures that ECS clusters have Container Insights enabled.
• ECSContainersNonPrivileged: Ensures that containers in ECS task definitions are not running in privileged mode.
• ECSContainersReadonlyAccess: Ensures that containers in ECS task definitions have readonly root filesystems enabled.
• ECSFargateLatestPlatformVersion: Ensures ECS Fargate services are using the latest platform version.
• ECSTaskDefinitionLogConfiguration: Ensures that ECS task definitions have log configuration enabled.
• ECSTaskDefinitionMemoryHardLimit: Ensures all containers in ECS task definitions have a memory hard limit set.
• ECSTaskDefinitionNonRootUser: Ensures all ECS containers in task definitions run as non-root users.
• ECRKmsEncryption1: Ensures ECR repositories are encrypted using AWS KMS.
• ECRPrivateImageScanningEnabled: Ensures that image scanning on push is enabled for private ECR repositories.
• ECRPrivateLifecyclePolicyConfigured: Ensures that private ECR repositories have lifecycle policies configured.
• ECRPrivateTagImmutabilityEnabled: Ensures that private ECR repositories have tag immutability enabled.
• EC2EbsEncryptionByDefault: Ensures that EBS encryption is enabled by default for all volumes in the AWS account.
• EC2Imdsv2Check: Ensures that EC2 instances enforce the use of IMDSv2 for enhanced metadata security.
• EC2InstanceDetailedMonitoringEnabled: Ensures that EC2 instances have detailed monitoring enabled.
• EC2InstanceManagedBySystemsManager: Ensures that EC2 instances are managed by AWS Systems Manager.
• EC2InstanceProfileAttached: Ensures that all EC2 instances have an IAM instance profile attached.
• EC2NoAmazonKeyPair: Ensures that EC2 instances are not using an Amazon Key Pair.
• EC2StoppedInstance: Ensures that stopped EC2 instances are identified and terminated if necessary.
• EC2TokenHopLimitCheck: Ensures that EC2 instances have a Metadata Options HttpPutResponseHopLimit of 1.
• DynamoDBAutoscalingEnabled: Ensures DynamoDB tables have autoscaling enabled for both read and write capacity.
• DynamoDBLastBackupRecoveryPointCreated: Ensures that DynamoDB tables have a recent recovery point within the last 24 hours.
• DynamoDBPITREnabled: Ensures that Point-In-Time Recovery (PITR) is enabled for DynamoDB tables.
• DynamoDBTableDeletionProtectionEnabled: Ensures that deletion protection is enabled for DynamoDB tables.
• DynamoDBTableEncryptedKMS: Ensures that DynamoDB tables are encrypted with AWS KMS.
• DynamoDBTableEncryptionEnabled: Ensures that DynamoDB tables have server-side encryption enabled.
• CodeBuildProjectEnvironmentPrivilegedCheck: Ensures that AWS CodeBuild projects are not using privileged mode for their environment.
• CodeBuildProjectLoggingEnabled: Ensures that logging is enabled for AWS CodeBuild projects.
• CodeDeployAutoRollbackMonitorEnabled: Ensures that auto-rollback and alarm monitoring are enabled for CodeDeploy deployment groups.
• CWLogGroupRetentionPeriodCheck: Ensures all CloudWatch log groups have a retention period set.
• CloudWatchAlarmSettingsCheck: Ensures that CloudWatch alarms have the required settings configured.
• CloudFrontAccessLogsEnabled: Ensures that access logging is enabled for CloudFront distributions.
• CloudFrontAssociatedWithWAF: Ensures that CloudFront distributions are associated with a WAF.
• CloudFrontDefaultRootObjectConfigured: Ensures that CloudFront distributions have a default root object configured.
• CloudFrontNoDeprecatedSSLProtocols: Ensures that CloudFront distributions do not use deprecated SSL protocols like SSLv3.
• CloudFrontS3OriginAccessControlEnabled: Ensures that CloudFront distributions with S3 origins have Origin Access Control (OAC) enabled.
• CloudFrontViewerPolicyHTTPS: Ensures that CloudFront distributions enforce HTTPS for viewer requests.
• AutoScalingGroupELBHealthCheckRequired: Ensures that Auto Scaling groups with ELB or Target Groups use ELB health checks.
• AutoScalingLaunchTemplate: Ensures that Auto Scaling groups use a launch template instead of a launch configuration.
• AutoScalingMultipleAZ: Ensures that Auto Scaling groups are configured to use multiple Availability Zones.
• APIGatewayAssociatedWithWAF: Ensures that API Gateway stages are associated with WAF.
• APIGatewayExecutionLoggingEnabled: Ensures that execution logging is enabled for API Gateway stages.
• APIGatewayV2AccessLogsEnabled: Ensures that access logging is enabled for API Gateway v2 stages.
• APIGatewayV2AuthorizationTypeConfigured: Ensures that authorization type is configured for API Gateway v2 routes.
• ALBHttpDropInvalidHeaderEnabled: Ensures that ALBs have invalid HTTP headers dropped.
• ALBWAFEnabled: Ensures that WAF is associated with ALBs.
• ELBCrossZoneLoadBalancingEnabled: Ensures that cross-zone load balancing is enabled for Elastic Load Balancers.
• ELBDeletionProtectionEnabled: Ensures that deletion protection is enabled for Elastic Load Balancers.
• ELBLoggingEnabled: Ensures that access logging is enabled for Elastic Load Balancers.