Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: decouple di dc #278

Merged
merged 1 commit into from
Jan 10, 2025
Merged

fix: decouple di dc #278

merged 1 commit into from
Jan 10, 2025

Conversation

drduhe
Copy link
Collaborator

@drduhe drduhe commented Jan 10, 2025
edited
Loading

Issue #, if available: n/a

Notes

Decoupling the DI and DC stacks as it will greatly increase stack deployment / destruction speeds and they are not being integrated for testing right now. We can reconnect them later again when required.

Testing

Before you submit a pull request, please make sure you have to following:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@drduhe drduhe requested a review from a team as a code owner January 10, 2025 02:51
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 10, 2025
edited
Loading

Please review the existing CDK-Nag Violations for 52b3f33f1859991f9c2f74717e4032177fe640a4

There are 92 AwsSolutions Violation(s)
Rule ID Resource ID Compliance Exception Reason Rule Level Rule Info
AwsSolutions-SNS3 OSML-DataCatalog/DCDataplane/DIOutputTopic/Resource Non-Compliant N/A Error The SNS Topic does not require publishers to use SSL.
AwsSolutions-IAM4 OSML-DataCatalog/DCDataplane/DCLambdaRole/DCLambdaRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM4 OSML-DataCatalog/DCDataplane/DCLambdaRole/DCLambdaRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM5 OSML-DataCatalog/DCDataplane/DCLambdaRole/DCLambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-DataCatalog/DCDataplane/DCLambdaRole/DCLambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-OS3 OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain does not only grant access via allowlisted IP addresses.
AwsSolutions-OS4 OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain does not use dedicated master nodes.
AwsSolutions-OS5 OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain allows for unsigned requests or anonymous access.
AwsSolutions-OS9 OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain does not minimally publish SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS to CloudWatch Logs.
AwsSolutions-OS9 OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain does not minimally publish SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS to CloudWatch Logs.
AwsSolutions-IAM4 OSML-DataCatalog/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-L1 OSML-DataCatalog/AWS679f53fac002430cb0da5b7982bd2287/Resource Non-Compliant N/A Error The non-container Lambda function is not configured to use the latest runtime version.
AwsSolutions-SNS3 OSML-DataIntake/DIDataplane/DIInputTopic/Resource Non-Compliant N/A Error The SNS Topic does not require publishers to use SSL.
AwsSolutions-SNS3 OSML-DataIntake/DIDataplane/DIOutputTopic/Resource Non-Compliant N/A Error The SNS Topic does not require publishers to use SSL.
AwsSolutions-IAM4 OSML-DataIntake/DIDataplane/DILambdaRole/DILambdaRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM4 OSML-DataIntake/DIDataplane/DILambdaRole/DILambdaRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM5 OSML-DataIntake/DIDataplane/DILambdaRole/DILambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-DataIntake/DIDataplane/DILambdaRole/DILambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-S1 OSML-DataIntake/DIDataplane/DIInputBucket/DIInputBucket/Resource Non-Compliant N/A Error The S3 Bucket has server access logs disabled.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSTaskRole/MRTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSExecutionRole/MRExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSExecutionRole/MRExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-ModelRunner/MRDataplane/MRECSExecutionRole/MRExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRImageStatusQueue/MRImageStatusQueueDLQ/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRImageStatusQueue/MRImageStatusQueue/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRImageRequestQueue/MRImageRequestQueueDLQ/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRImageRequestQueue/MRImageRequestQueue/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRRegionRequestQueue/MRRegionRequestQueueDLQ/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-ModelRunner/MRDataplane/MRRegionRequestQueue/MRRegionRequestQueue/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-ECS4 OSML-ModelRunner/MRDataplane/MRCluster/Resource Non-Compliant N/A Error The ECS Cluster has CloudWatch Container Insights disabled.
AwsSolutions-ECS2 OSML-ModelRunner/MRDataplane/MRTaskDefinition/Resource Non-Compliant N/A Error The ECS Task Definition includes a container definition that directly specifies environment variables.
AwsSolutions-S1 OSML-ModelRunner/MRDataplane/MRSinkBucket/MRSinkBucket/Resource Non-Compliant N/A Error The S3 Bucket has server access logs disabled.
AwsSolutions-IAM5 OSML-Roles/MESMRole/MESageMakerExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Roles/MESMRole/MESageMakerExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Roles/MESMRole/MESageMakerExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Roles/MESMRole/MESageMakerExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-S1 OSML-Test-Imagery/OSMLTestImagery/OSMLTestImageBucket/OSMLTestImageBucket/Resource Non-Compliant N/A Error The S3 Bucket has server access logs disabled.
AwsSolutions-IAM4 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM4 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/Resource Non-Compliant N/A Error The IAM user, role, or group uses AWS managed policies.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-L1 OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/Resource Non-Compliant N/A Error The non-container Lambda function is not configured to use the latest runtime version.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/MEHTTPEndpointRole/MEHttpPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-ECS4 OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPModelCluster/Resource Non-Compliant N/A Error The ECS Cluster has CloudWatch Container Insights disabled.
AwsSolutions-ECS2 OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointFargateTaskDefinition/Resource Non-Compliant N/A Error The ECS Task Definition includes a container definition that directly specifies environment variables.
AwsSolutions-IAM5 OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointFargateTaskDefinition/ExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-ELB2 OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/Resource Non-Compliant N/A Error The ELB does not have access logs enabled.
AwsSolutions-EC23 OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/SecurityGroup/Resource Non-Compliant N/A Error The Security Group allows for 0.0.0.0/0 or ::/0 inbound access.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSLambdaRole/TSLambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSLambdaRole/TSLambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSLambdaRole/TSLambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSLambdaRole/TSLambdaPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSExecutionRole/TSExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSExecutionRole/TSExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSExecutionRole/TSExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-IAM5 OSML-TileServer/TSDataplane/TSECSExecutionRole/TSExecutionPolicy/Resource Non-Compliant N/A Error The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
AwsSolutions-SQS4 OSML-TileServer/TSDataplane/TSJobQueue/TSJobQueueDLQ/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-SQS4 OSML-TileServer/TSDataplane/TSJobQueue/TSJobQueue/Resource Non-Compliant N/A Error The SQS queue does not require requests to use SSL.
AwsSolutions-ECS4 OSML-TileServer/TSDataplane/TSCluster/Resource Non-Compliant N/A Error The ECS Cluster has CloudWatch Container Insights disabled.
AwsSolutions-ECS2 OSML-TileServer/TSDataplane/TSTaskDefinition/Resource Non-Compliant N/A Error The ECS Task Definition includes a container definition that directly specifies environment variables.
AwsSolutions-ELB2 OSML-TileServer/TSDataplane/TSService/LB/Resource Non-Compliant N/A Error The ELB does not have access logs enabled.
AwsSolutions-EC23 OSML-TileServer/TSDataplane/TSService/LB/SecurityGroup/Resource Non-Compliant N/A Error The Security Group allows for 0.0.0.0/0 or ::/0 inbound access.
AwsSolutions-VPC7 OSML-Vpc/OSMLVpc/OSMLVPC/Resource Non-Compliant N/A Error The VPC does not have an associated Flow Log.
There are 61 NIST.800.53.R5 Violation(s)
Rule ID Resource ID Compliance Exception Reason Rule Level Rule Info
NIST.800.53.R5-OpenSearchErrorLogsToCloudWatch OSML-DataCatalog/DCDataplane/DCOSDomain/Resource Non-Compliant N/A Error The OpenSearch Service domain does not stream error logs (ES_APPLICATION_LOGS) to CloudWatch Logs - (Control ID: AU-10).
NIST.800.53.R5-IAMNoInlinePolicy OSML-DataCatalog/DCDataplane/DCOSDomain/AccessPolicy/CustomResourcePolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-LambdaConcurrency OSML-DataCatalog/DCDataplane/DCStacFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-DataCatalog/DCDataplane/DCStacFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-LambdaConcurrency OSML-DataCatalog/DCDataplane/DCIngestFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-DataCatalog/DCDataplane/DCIngestFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-LambdaConcurrency OSML-DataCatalog/AWS679f53fac002430cb0da5b7982bd2287/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-DataCatalog/AWS679f53fac002430cb0da5b7982bd2287/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-LambdaInsideVPC OSML-DataCatalog/AWS679f53fac002430cb0da5b7982bd2287/Resource Non-Compliant N/A Error The Lambda function is not VPC enabled - (Control IDs: AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-25).
NIST.800.53.R5-S3BucketLoggingEnabled OSML-DataIntake/DIDataplane/DIInputBucket/DIInputBucket/Resource Non-Compliant N/A Error The S3 Buckets does not have server access logs enabled - (Control IDs: AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c)).
NIST.800.53.R5-S3BucketReplicationEnabled OSML-DataIntake/DIDataplane/DIInputBucket/DIInputBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have replication enabled - (Control IDs: AU-9(2), CM-6a, CM-9b, CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-S3BucketVersioningEnabled OSML-DataIntake/DIDataplane/DIInputBucket/DIInputBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have versioning enabled - (Control IDs: AU-9(2), CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), PM-11b, PM-17b, SC-5(2), SC-16(1), SI-1a.2, SI-1a.2, SI-1c.2, SI-13(5)).
NIST.800.53.R5-LambdaConcurrency OSML-DataIntake/DIDataplane/DataIntakeFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-DataIntake/DIDataplane/DataIntakeFunction/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-IAMNoInlinePolicy OSML-ModelRunner/MRDataplane/MRECSExecutionRole/MRExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-DynamoDBInBackupPlan OSML-ModelRunner/MRDataplane/MRJobStatusTable/MRJobStatusTable/Resource Non-Compliant N/A Error The DynamoDB table is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-DynamoDBInBackupPlan OSML-ModelRunner/MRDataplane/MRFeaturesTable/MRFeaturesTable/Resource Non-Compliant N/A Error The DynamoDB table is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-DynamoDBInBackupPlan OSML-ModelRunner/MRDataplane/MREndpointProcessingTable/MREndpointProcessingTable/Resource Non-Compliant N/A Error The DynamoDB table is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-DynamoDBInBackupPlan OSML-ModelRunner/MRDataplane/MRRegionRequestTable/MRRegionRequestTable/Resource Non-Compliant N/A Error The DynamoDB table is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-CloudWatchLogGroupEncrypted OSML-ModelRunner/MRDataplane/MRServiceLogGroup/Resource Non-Compliant N/A Error The CloudWatch Log Group is not encrypted with an AWS KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-S3BucketLoggingEnabled OSML-ModelRunner/MRDataplane/MRSinkBucket/MRSinkBucket/Resource Non-Compliant N/A Error The S3 Buckets does not have server access logs enabled - (Control IDs: AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c)).
NIST.800.53.R5-S3BucketReplicationEnabled OSML-ModelRunner/MRDataplane/MRSinkBucket/MRSinkBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have replication enabled - (Control IDs: AU-9(2), CM-6a, CM-9b, CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-S3BucketVersioningEnabled OSML-ModelRunner/MRDataplane/MRSinkBucket/MRSinkBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have versioning enabled - (Control IDs: AU-9(2), CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), PM-11b, PM-17b, SC-5(2), SC-16(1), SI-1a.2, SI-1a.2, SI-1c.2, SI-13(5)).
NIST.800.53.R5-S3BucketLoggingEnabled OSML-Test-Imagery/OSMLTestImagery/OSMLTestImageBucket/OSMLTestImageBucket/Resource Non-Compliant N/A Error The S3 Buckets does not have server access logs enabled - (Control IDs: AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c)).
NIST.800.53.R5-S3BucketReplicationEnabled OSML-Test-Imagery/OSMLTestImagery/OSMLTestImageBucket/OSMLTestImageBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have replication enabled - (Control IDs: AU-9(2), CM-6a, CM-9b, CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-S3BucketVersioningEnabled OSML-Test-Imagery/OSMLTestImagery/OSMLTestImageBucket/OSMLTestImageBucket/Resource Non-Compliant N/A Error The S3 Bucket does not have versioning enabled - (Control IDs: AU-9(2), CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), PM-11b, PM-17b, SC-5(2), SC-16(1), SI-1a.2, SI-1a.2, SI-1c.2, SI-13(5)).
NIST.800.53.R5-EFSInBackupPlan OSML-Test-Imagery/OSMLTestImagery/BucketDeploymentEFS-VPC-c8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/Resource Non-Compliant N/A Error The EFS is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-IAMNoInlinePolicy OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/ServiceRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-LambdaConcurrency OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-Test-Imagery/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C10240MiBc8608322c7be1b1d2ec0d0943f387bf840ccfa30d8/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-CloudWatchLogGroupEncrypted OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointServiceLogGroup/Resource Non-Compliant N/A Error The CloudWatch Log Group is not encrypted with an AWS KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-IAMNoInlinePolicy OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointFargateTaskDefinition/ExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-ALBWAFEnabled OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/Resource Non-Compliant N/A Error The ALB is not associated with AWS WAFv2 web ACL - (Control ID: AC-4(21)).
NIST.800.53.R5-ELBDeletionProtectionEnabled OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/Resource Non-Compliant N/A Error The ALB, NLB, or GLB does not have deletion protection enabled - (Control IDs: CA-7(4)(c), CM-2a, CM-2(2), CM-3a, CM-8(6), CP-1a.1(b), CP-1a.2, CP-2a, CP-2a.6, CP-2a.7, CP-2d, CP-2e, CP-2(5), SA-15a.4, SC-5(2), SC-22).
NIST.800.53.R5-ELBLoggingEnabled OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/Resource Non-Compliant N/A Error The ELB does not have logging enabled - (Control IDs: AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-4(17), SI-7(8)).
NIST.800.53.R5-ALBHttpToHttpsRedirection OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/PublicListener/Resource Non-Compliant N/A Error The ALB's HTTP listeners are not configured to redirect to HTTPS - (Control IDs: AC-4, AC-4(22), AC-17(2), AC-24(1), AU-9(3), CA-9b, IA-5(1)(c), PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SI-1a.2, SI-1a.2, SI-1c.2).
NIST.800.53.R5-ELBv2ACMCertificateRequired OSML-Test-ModelEndpoints/MREndpoints/OSMLHTTPCenterPointModelEndpoint/HTTPEndpointService/LB/PublicListener/Resource Non-Compliant N/A Error The ALB, NLB, or GLB listener does not utilize an SSL certificate provided by ACM (Amazon Certificate Manager) - (Control IDs: SC-8(1), SC-23(5)).
NIST.800.53.R5-SageMakerEndpointConfigurationKMSKeyConfigured OSML-Test-ModelEndpoints/MREndpoints/OSMLCenterPointModelEndpoint/OSMLCenterPointModelEndpoint-EndpointConfig Non-Compliant N/A Error The SageMaker resource endpoint is not encrypted with a KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-SageMakerEndpointConfigurationKMSKeyConfigured OSML-Test-ModelEndpoints/MREndpoints/OSMLFloodModelEndpoint/OSMLFloodModelEndpoint-EndpointConfig Non-Compliant N/A Error The SageMaker resource endpoint is not encrypted with a KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-SageMakerEndpointConfigurationKMSKeyConfigured OSML-Test-ModelEndpoints/MREndpoints/OSMLAircraftModelEndpoint/OSMLAircraftModelEndpoint-EndpointConfig Non-Compliant N/A Error The SageMaker resource endpoint is not encrypted with a KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-IAMNoInlinePolicy OSML-TileServer/TSDataplane/TSECSTaskRole/TSTaskRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-IAMNoInlinePolicy OSML-TileServer/TSDataplane/TSECSExecutionRole/TSExecutionRole/DefaultPolicy/Resource Non-Compliant N/A Error The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
NIST.800.53.R5-DynamoDBInBackupPlan OSML-TileServer/TSDataplane/TSJobTable/TSJobTable/Resource Non-Compliant N/A Error The DynamoDB table is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-CloudWatchLogGroupEncrypted OSML-TileServer/TSDataplane/TSServiceLogGroup/Resource Non-Compliant N/A Error The CloudWatch Log Group is not encrypted with an AWS KMS key - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4)).
NIST.800.53.R5-EFSInBackupPlan OSML-TileServer/TSDataplane/TSEfsFileSystem/Resource Non-Compliant N/A Error The EFS is not in an AWS Backup plan - (Control IDs: CP-1(2), CP-2(5), CP-6a, CP-6(1), CP-6(2), CP-9a, CP-9b, CP-9c, CP-10, CP-10(2), SC-5(2), SI-13(5)).
NIST.800.53.R5-ALBWAFEnabled OSML-TileServer/TSDataplane/TSService/LB/Resource Non-Compliant N/A Error The ALB is not associated with AWS WAFv2 web ACL - (Control ID: AC-4(21)).
NIST.800.53.R5-ELBDeletionProtectionEnabled OSML-TileServer/TSDataplane/TSService/LB/Resource Non-Compliant N/A Error The ALB, NLB, or GLB does not have deletion protection enabled - (Control IDs: CA-7(4)(c), CM-2a, CM-2(2), CM-3a, CM-8(6), CP-1a.1(b), CP-1a.2, CP-2a, CP-2a.6, CP-2a.7, CP-2d, CP-2e, CP-2(5), SA-15a.4, SC-5(2), SC-22).
NIST.800.53.R5-ELBLoggingEnabled OSML-TileServer/TSDataplane/TSService/LB/Resource Non-Compliant N/A Error The ELB does not have logging enabled - (Control IDs: AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-4(17), SI-7(8)).
NIST.800.53.R5-ALBHttpToHttpsRedirection OSML-TileServer/TSDataplane/TSService/LB/PublicListener/Resource Non-Compliant N/A Error The ALB's HTTP listeners are not configured to redirect to HTTPS - (Control IDs: AC-4, AC-4(22), AC-17(2), AC-24(1), AU-9(3), CA-9b, IA-5(1)(c), PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SI-1a.2, SI-1a.2, SI-1c.2).
NIST.800.53.R5-ELBv2ACMCertificateRequired OSML-TileServer/TSDataplane/TSService/LB/PublicListener/Resource Non-Compliant N/A Error The ALB, NLB, or GLB listener does not utilize an SSL certificate provided by ACM (Amazon Certificate Manager) - (Control IDs: SC-8(1), SC-23(5)).
NIST.800.53.R5-LambdaConcurrency OSML-TileServer/TSDataplane/TSTestRunner/Resource Non-Compliant N/A Error The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
NIST.800.53.R5-LambdaDLQ OSML-TileServer/TSDataplane/TSTestRunner/Resource Non-Compliant N/A Error The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
NIST.800.53.R5-VPCDefaultSecurityGroupClosed OSML-Vpc/OSMLVpc/OSMLVPC/Resource Non-Compliant N/A Warning The VPC's default security group allows inbound or outbound traffic - (Control IDs: AC-4(21), AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), CM-6a, CM-9b, SC-7a, SC-7c, SC-7(5), SC-7(7), SC-7(11), SC-7(12), SC-7(16), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28)).
NIST.800.53.R5-VPCFlowLogsEnabled OSML-Vpc/OSMLVpc/OSMLVPC/Resource Non-Compliant N/A Error The VPC does not have an associated Flow Log - (Control IDs: AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SI-4(17), SI-7(8)).
NIST.800.53.R5-VPCSubnetAutoAssignPublicIpDisabled OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet1/Subnet Non-Compliant N/A Error The subnet auto-assigns public IP addresses - (Control IDs: AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25).
NIST.800.53.R5-VPCNoUnrestrictedRouteToIGW OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet1/DefaultRoute Non-Compliant N/A Error The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0') - (Control IDs: AC-4(21), CM-7b).
NIST.800.53.R5-VPCSubnetAutoAssignPublicIpDisabled OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet2/Subnet Non-Compliant N/A Error The subnet auto-assigns public IP addresses - (Control IDs: AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25).
NIST.800.53.R5-VPCNoUnrestrictedRouteToIGW OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet2/DefaultRoute Non-Compliant N/A Error The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0') - (Control IDs: AC-4(21), CM-7b).
NIST.800.53.R5-VPCSubnetAutoAssignPublicIpDisabled OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet3/Subnet Non-Compliant N/A Error The subnet auto-assigns public IP addresses - (Control IDs: AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25).
NIST.800.53.R5-VPCNoUnrestrictedRouteToIGW OSML-Vpc/OSMLVpc/OSMLVPC/OSML-VPC-PublicSubnet3/DefaultRoute Non-Compliant N/A Error The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0') - (Control IDs: AC-4(21), CM-7b).

@drduhe drduhe changed the base branch from main to dev January 10, 2025 17:07
@drduhe drduhe force-pushed the fix/decouple-di-dc branch 3 times, most recently from a2232dd to 2499221 Compare January 10, 2025 21:41
RanbirAulakh
RanbirAulakh previously approved these changes Jan 10, 2025
View reviewed changes
@drduhe drduhe force-pushed the fix/decouple-di-dc branch from 2499221 to 52b3f33 Compare January 10, 2025 21:48
@drduhe drduhe merged commit 08caac2 into dev Jan 10, 2025
6 checks passed
@drduhe drduhe deleted the fix/decouple-di-dc branch January 10, 2025 23:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RanbirAulakh RanbirAulakh RanbirAulakh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@drduhe @RanbirAulakh