release: osml-cdk-constructs@dev - fc2cb85 #238

Merged
merged 2 commits into from
Sep 16, 2024

github-actions[bot]
Contributor

Automated changes by create-pull-request GitHub action

@github-actions github-actions bot added the automated-bot Github Automated Bot label Sep 16, 2024
@github-actions github-actions bot changed the title release: osml-cdk-constructs@dev - 812de87 release: osml-cdk-constructs@dev - fc2cb85 Sep 16, 2024
@github-actions github-actions bot force-pushed the Updates/submodule-osml-cdk-constructs-updates branch from 1fbe123 to 2ba1877 Compare September 16, 2024 18:54
Collaborator

@drduhe drduhe left a comment

LGTM

Contributor Author

Please review the existing CDK-Nag Violations for 47f0f0e5c6211af33c216c8157ab1fd083ce2752

There are 91 AwsSolutions Violation(s)
Rule ID Resource ID Compliance Exception Reason Rule Level Rule Info
AwsSolutions-IAM4 OSML-DataCatalog/DCDataplane/DCLambdaRole/DCLambdaRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM4 OSML-DataCatalog/DCDataplane/DCLambdaRole/DCLambdaRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM5 OSML-DataCatalog/DCDataplane/DCLambdaRole/DCLambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-DataCatalog/DCDataplane/DCLambdaRole/DCLambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-OS3 OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain does not only grant access via allowlisted IP addresses.
AwsSolutions-OS4 OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain does not use dedicated master nodes.
AwsSolutions-OS5 OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain allows for unsigned requests or anonymous access.
AwsSolutions-OS9 OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain does not minimally publish SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS to CloudWatch Logs.
AwsSolutions-OS9 OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain does not minimally publish SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS to CloudWatch Logs.
AwsSolutions-IAM4 OSML-DataCatalog/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-SNS2 OSML-DataIntake/DIDataplane/DIInputTopic/Resource Non-Compliant N/A Error The SNS Topic does not have server-side encryption enabled.
AwsSolutions-SNS3 OSML-DataIntake/DIDataplane/DIInputTopic/Resource Non-Compliant N/A Error The SNS Topic does not require publishers to use SSL.
AwsSolutions-SNS2 OSML-DataIntake/DIDataplane/DIOutputTopic/Resource Non-Compliant N/A Error The SNS Topic does not have server-side encryption enabled.
AwsSolutions-SNS3 OSML-DataIntake/DIDataplane/DIOutputTopic/Resource Non-Compliant N/A Error The SNS Topic does not require publishers to use SSL.
AwsSolutions-IAM4 OSML-DataIntake/DIDataplane/DILambdaRole/DILambdaRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM4 OSML-DataIntake/DIDataplane/DILambdaRole/DILambdaRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM5 OSML-DataIntake/DIDataplane/DILambdaRole/DILambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-DataIntake/DIDataplane/DILambdaRole/DILambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-S1 OSML-DataIntake/DIDataplane/DIInputBucket/DIInputBucket/Resource Non-Compliant N/A Error The S3 Bucket has server access logs disabled.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSExecutionRole/MRExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSExecutionRole/MRExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSExecutionRole/MRExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSExecutionRole/MRExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRImageStatusQueue/MRImageStatusQueueDLQ/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRImageStatusQueue/MRImageStatusQueue/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRImageRequestQueue/MRImageRequestQueueDLQ/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRImageRequestQueue/MRImageRequestQueue/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRRegionRequestQueue/MRRegionRequestQueueDLQ/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRRegionRequestQueue/MRRegionRequestQueue/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-ECS4 OSML-ModelRunner/MRDataplane/MRCluster/Resource Non-Compliant N/A Error The ECS Cluster has CloudWatch Container Insights disabled.
AwsSolutions-ECS2 OSML-ModelRunner/MRDataplane/MRTaskDefinition/Resource Non-Compliant N/A Error The ECS Task Definition includes a container definition that directly specifies environment variables.
AwsSolutions-S1 OSML-ModelRunner/MRDataplane/MRSinkBucket/MRSinkBucket/Resource Non-Compliant N/A Error The S3 Bucket has server access logs disabled.
AwsSolutions-IAM5 OSML-Roles/MESMRole/MESageMakerExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Roles/MESMRole/MESageMakerExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Roles/MESMRole/MESageMakerExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Roles/MESMRole/MESageMakerExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Roles/MESMRole/MESageMakerExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-S1 OSML-Test-Imagery/OSMLTestImagery/OSMLTestImageBucket/OSMLTestImageBucket/Resource Non-Compliant N/A Error The S3 Bucket has server access logs disabled.
AwsSolutions-IAM4 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM4 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-L1 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/Resource Non-Compliant N/A Error The non-container Lambda function is not configured to use the latest runtime version.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-ECS4 OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPModelCluster/Resource Non-Compliant N/A Error The ECS Cluster has CloudWatch Container Insights disabled.
AwsSolutions-ECS2 OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointFargateTaskDefinition/Resource Non-Compliant N/A Error The ECS Task Definition includes a container definition that directly specifies environment variables.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointFargateTaskDefinition/ExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-ELB2 OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/Resource Non-Compliant N/A Error The ELB does not have access logs enabled.
AwsSolutions-EC23 OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/SecurityGroup/Resource Non-Compliant N/A Error The Security Group allows for 0.0.0.0/0 or ::/0 inbound access.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSLambdaRole/TSLambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSLambdaRole/TSLambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSLambdaRole/TSLambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSExecutionRole/TSExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSExecutionRole/TSExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSExecutionRole/TSExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSExecutionRole/TSExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-SQS4 OSML-TileServer/TSDataplane/TSJobQueue/TSJobQueueDLQ/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-TileServer/TSDataplane/TSJobQueue/TSJobQueue/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-ECS4 OSML-TileServer/TSDataplane/TSCluster/Resource Non-Compliant N/A Error The ECS Cluster has CloudWatch Container Insights disabled.
AwsSolutions-ECS2 OSML-TileServer/TSDataplane/TSTaskDefinition/Resource Non-Compliant N/A Error The ECS Task Definition includes a container definition that directly specifies environment variables.
AwsSolutions-ELB2 OSML-TileServer/TSDataplane/TSService/LB/Resource Non-Compliant N/A Error The ELB does not have access logs enabled.
AwsSolutions-EC23 OSML-TileServer/TSDataplane/TSService/LB/SecurityGroup/Resource Non-Compliant N/A Error The Security Group allows for 0.0.0.0/0 or ::/0 inbound access.
AwsSolutions-VPC7 OSML-Vpc/OSMLVpc/OSMLVPC/Resource Non-Compliant N/A Error The VPC does not have an associated Flow Log.
There are 63 NIST.800.53.R5 Violation(s)
Rule ID Resource ID Compliance Exception Reason Rule Level Rule Info
NIST.800.53.R5-OpenSearchErrorLogsToCloudWatch OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain does not stream error logs (ES_APPLICATION_LOGS) to CloudWatch Logs - (Control ID: AU-10).
NIST.800.53.R5-IAMNoInlinePolicy OSML-DataCatalog/DCDataplane/DCOSDomain/AccessPolicy/CustomResourcePolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-LambdaConcurrency OSML-DataCatalog/DCDataplane/DCStacFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-DataCatalog/DCDataplane/DCStacFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-LambdaConcurrency OSML-DataCatalog/DCDataplane/DCIngestFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-DataCatalog/DCDataplane/DCIngestFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-LambdaConcurrency OSML-DataCatalog/AWS679f53fac002430cb0da5b7982bd2287/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-DataCatalog/AWS679f53fac002430cb0da5b7982bd2287/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-LambdaInsideVPC OSML-DataCatalog/AWS679f53fac002430cb0da5b7982bd2287/Resource Non-Compliant N/A Error The Lambda function is not VPC enabled - (Control IDs: AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-25).
NIST.800.53.R5-SNSEncryptedKMS OSML-DataIntake/DIDataplane/DIInputTopic/Resource Non-Compliant N/A Error The SNS topic does not have KMS encryption enabled - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1)).
NIST.800.53.R5-SNSEncryptedKMS OSML-DataIntake/DIDataplane/DIOutputTopic/Resource Non-Compliant N/A Error The SNS topic does not have KMS encryption enabled - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1)).
NIST.800.53.R5-S3BucketLoggingEnabled OSML-DataIntake/DIDataplane/DIInputBucket/DIInputBucket/Resource Non-Compliant N/A Error The S3 Buckets does not have server access logs enabled - (Control IDs: AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c)).
NIST.800.53.R5-S3BucketReplicationEnabled OSML-DataIntake/DIDataplane/DIInputBucket/DIInputBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have replication enabled - (Control IDs: AU-9(2), CM-6a, CM-9b, CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-S3BucketVersioningEnabled OSML-DataIntake/DIDataplane/DIInputBucket/DIInputBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have versioning enabled - (Control IDs: AU-9(2), CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), PM-11b, PM-17b, SC-5(2), SC-16(1), SI-1a.2, SI-1a.2, SI-1c.2, SI-13(5)).
NIST.800.53.R5-LambdaConcurrency OSML-DataIntake/DIDataplane/DataIntakeFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-DataIntake/DIDataplane/DataIntakeFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-IAMNoInlinePolicy OSML-ModelRunner/MRDataplane/MRECSExecutionRole/MRExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-DynamoDBInBackupPlan OSML-ModelRunner/MRDataplane/MRJobStatusTable/MRJobStatusTable/Resource Non-Compliant N/A Error The DynamoDB table is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-DynamoDBInBackupPlan OSML-ModelRunner/MRDataplane/MRFeaturesTable/MRFeaturesTable/Resource Non-Compliant N/A Error The DynamoDB table is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-DynamoDBInBackupPlan OSML-ModelRunner/MRDataplane/MREndpointProcessingTable/MREndpointProcessingTable/Resource Non-Compliant N/A Error The DynamoDB table is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-DynamoDBInBackupPlan OSML-ModelRunner/MRDataplane/MRRegionRequestTable/MRRegionRequestTable/Resource Non-Compliant N/A Error The DynamoDB table is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-CloudWatchLogGroupEncrypted OSML-ModelRunner/MRDataplane/MRServiceLogGroup/Resource Non-Compliant N/A Error The CloudWatch Log Group is not encrypted with an AWS KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-S3BucketLoggingEnabled OSML-ModelRunner/MRDataplane/MRSinkBucket/MRSinkBucket/Resource Non-Compliant N/A Error The S3 Buckets does not have server access logs enabled - (Control IDs: AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c)).
NIST.800.53.R5-S3BucketReplicationEnabled OSML-ModelRunner/MRDataplane/MRSinkBucket/MRSinkBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have replication enabled - (Control IDs: AU-9(2), CM-6a, CM-9b, CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-S3BucketVersioningEnabled OSML-ModelRunner/MRDataplane/MRSinkBucket/MRSinkBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have versioning enabled - (Control IDs: AU-9(2), CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), PM-11b, PM-17b, SC-5(2), SC-16(1), SI-1a.2, SI-1a.2, SI-1c.2, SI-13(5)).
NIST.800.53.R5-S3BucketLoggingEnabled OSML-Test-Imagery/OSMLTestImagery/OSMLTestImageBucket/OSMLTestImageBucket/Resource Non-Compliant N/A Error The S3 Buckets does not have server access logs enabled - (Control IDs: AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c)).
NIST.800.53.R5-S3BucketReplicationEnabled OSML-Test-Imagery/OSMLTestImagery/OSMLTestImageBucket/OSMLTestImageBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have replication enabled - (Control IDs: AU-9(2), CM-6a, CM-9b, CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-S3BucketVersioningEnabled OSML-Test-Imagery/OSMLTestImagery/OSMLTestImageBucket/OSMLTestImageBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have versioning enabled - (Control IDs: AU-9(2), CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), PM-11b, PM-17b, SC-5(2), SC-16(1), SI-1a.2, SI-1a.2, SI-1c.2, SI-13(5)).
NIST.800.53.R5-EFSInBackupPlan OSML-Test-Imagery/OSMLTestImagery/BucketDeploymentEFS-VPC-c8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/Resource Non-Compliant N/A Error The EFS is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-IAMNoInlinePolicy OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-LambdaConcurrency OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-CloudWatchLogGroupEncrypted OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointServiceLogGroup/Resource Non-Compliant N/A Error The CloudWatch Log Group is not encrypted with an AWS KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-IAMNoInlinePolicy OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointFargateTaskDefinition/ExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-ALBWAFEnabled OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/Resource Non-Compliant N/A Error The ALB is not associated with AWS WAFv2 web ACL - (Control ID: AC-4(21)).
NIST.800.53.R5-ELBDeletionProtectionEnabled OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/Resource Non-Compliant N/A Error The ALB, NLB, or GLB does not have deletion protection enabled - (Control IDs: CA-7(4)(c), CM-2a, CM-2(2), CM-3a, CM-8(6), CP-1a.1(b), CP-1a.2, CP-2a, CP-2a.6, CP-2a.7, CP-2d, CP-2e, CP-2(5), SA-15a.4, SC-5(2), SC-22).
NIST.800.53.R5-ELBLoggingEnabled OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/Resource Non-Compliant N/A Error The ELB does not have logging enabled - (Control IDs: AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-4(17), SI-7(8)).
NIST.800.53.R5-ALBHttpToHttpsRedirection OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/PublicListener/Resource Non-Compliant N/A Error The ALB's HTTP listeners are not configured to redirect to HTTPS - (Control IDs: AC-4, AC-4(22), AC-17(2), AC-24(1), AU-9(3), CA-9b, IA-5(1)(c), PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SI-1a.2, SI-1a.2, SI-1c.2).
NIST.800.53.R5-ELBv2ACMCertificateRequired OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/PublicListener/Resource Non-Compliant N/A Error The ALB, NLB, or GLB listener does not utilize an SSL certificate provided by ACM (Amazon Certificate Manager) - (Control IDs: SC-8(1), SC-23(5)).
NIST.800.53.R5-SageMakerEndpointConfigurationKMSKeyConfigured OSML-Test-ModelEndpoints/MREndpoints/OSMLCenterPointModelEndpoint/OSMLCenterPointModelEndpoint-EndpointConfig Non-Compliant N/A Error The SageMaker resource endpoint is not encrypted with a KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-SageMakerEndpointConfigurationKMSKeyConfigured OSML-Test-ModelEndpoints/MREndpoints/OSMLFloodModelEndpoint/OSMLFloodModelEndpoint-EndpointConfig Non-Compliant N/A Error The SageMaker resource endpoint is not encrypted with a KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-SageMakerEndpointConfigurationKMSKeyConfigured OSML-Test-ModelEndpoints/MREndpoints/OSMLAircraftModelEndpoint/OSMLAircraftModelEndpoint-EndpointConfig Non-Compliant N/A Error The SageMaker resource endpoint is not encrypted with a KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-IAMNoInlinePolicy OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-IAMNoInlinePolicy OSML-TileServer/TSDataplane/TSECSExecutionRole/TSExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-DynamoDBInBackupPlan OSML-TileServer/TSDataplane/TSJobTable/TSJobTable/Resource Non-Compliant N/A Error The DynamoDB table is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-CloudWatchLogGroupEncrypted OSML-TileServer/TSDataplane/TSServiceLogGroup/Resource Non-Compliant N/A Error The CloudWatch Log Group is not encrypted with an AWS KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-EFSInBackupPlan OSML-TileServer/TSDataplane/TSEfsFileSystem/Resource Non-Compliant N/A Error The EFS is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-ALBWAFEnabled OSML-TileServer/TSDataplane/TSService/LB/Resource Non-Compliant N/A Error The ALB is not associated with AWS WAFv2 web ACL - (Control ID: AC-4(21)).
NIST.800.53.R5-ELBDeletionProtectionEnabled OSML-TileServer/TSDataplane/TSService/LB/Resource Non-Compliant N/A Error The ALB, NLB, or GLB does not have deletion protection enabled - (Control IDs: CA-7(4)(c), CM-2a, CM-2(2), CM-3a, CM-8(6), CP-1a.1(b), CP-1a.2, CP-2a, CP-2a.6, CP-2a.7, CP-2d, CP-2e, CP-2(5), SA-15a.4, SC-5(2), SC-22).
NIST.800.53.R5-ELBLoggingEnabled OSML-TileServer/TSDataplane/TSService/LB/Resource Non-Compliant N/A Error The ELB does not have logging enabled - (Control IDs: AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-4(17), SI-7(8)).
NIST.800.53.R5-ALBHttpToHttpsRedirection OSML-TileServer/TSDataplane/TSService/LB/PublicListener/Resource Non-Compliant N/A Error The ALB's HTTP listeners are not configured to redirect to HTTPS - (Control IDs: AC-4, AC-4(22), AC-17(2), AC-24(1), AU-9(3), CA-9b, IA-5(1)(c), PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SI-1a.2, SI-1a.2, SI-1c.2).
NIST.800.53.R5-ELBv2ACMCertificateRequired OSML-TileServer/TSDataplane/TSService/LB/PublicListener/Resource Non-Compliant N/A Error The ALB, NLB, or GLB listener does not utilize an SSL certificate provided by ACM (Amazon Certificate Manager) - (Control IDs: SC-8(1), SC-23(5)).
NIST.800.53.R5-LambdaConcurrency OSML-TileServer/TSDataplane/TSTestRunner/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-TileServer/TSDataplane/TSTestRunner/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-VPCDefaultSecurityGroupClosed OSML-Vpc/OSMLVpc/OSMLVPC/Resource Non-Compliant N/A Warning The VPC's default security group allows inbound or outbound traffic - (Control IDs: AC-4(21), AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), CM-6a, CM-9b, SC-7a, SC-7c, SC-7(5), SC-7(7), SC-7(11), SC-7(12), SC-7(16), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28)).
NIST.800.53.R5-VPCFlowLogsEnabled OSML-Vpc/OSMLVpc/OSMLVPC/Resource Non-Compliant N/A Error The VPC does not have an associated Flow Log - (Control IDs: AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SI-4(17), SI-7(8)).
NIST.800.53.R5-VPCSubnetAutoAssignPublicIpDisabled OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet1/Subnet Non-Compliant N/A Error The subnet auto-assigns public IP addresses - (Control IDs: AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25).
NIST.800.53.R5-VPCNoUnrestrictedRouteToIGW OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet1/DefaultRoute Non-Compliant N/A Error The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0') - (Control IDs: AC-4(21), CM-7b).
NIST.800.53.R5-VPCSubnetAutoAssignPublicIpDisabled OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet2/Subnet Non-Compliant N/A Error The subnet auto-assigns public IP addresses - (Control IDs: AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25).
NIST.800.53.R5-VPCNoUnrestrictedRouteToIGW OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet2/DefaultRoute Non-Compliant N/A Error The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0') - (Control IDs: AC-4(21), CM-7b).
NIST.800.53.R5-VPCSubnetAutoAssignPublicIpDisabled OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet3/Subnet Non-Compliant N/A Error The subnet auto-assigns public IP addresses - (Control IDs: AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25).
NIST.800.53.R5-VPCNoUnrestrictedRouteToIGW OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet3/DefaultRoute Non-Compliant N/A Error The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0') - (Control IDs: AC-4(21), CM-7b).

@drduhe drduhe merged commit 3ef21b9 into dev Sep 16, 2024
5 of 6 checks passed
@drduhe drduhe deleted the Updates/submodule-osml-cdk-constructs-updates branch September 16, 2024 23:29