
Automatic updates to AWS managed Config Rules
bensonce authored and github-actions[bot] committed Jul 15, 2024
1 parent 7f0bef1 commit 635e407
Showing 2 changed files with 10 additions and 10 deletions.
2 changes: 1 addition & 1 deletion files/pack-rules.yaml
@@ -1,4 +1,4 @@
generated_on: '2024-06-05T16:36:58Z'
generated_on: '2024-07-15T00:04:10Z'
packs:
AWS-Control-Tower-Detective-Guardrails:
- autoscaling-launch-config-public-ip-disabled
18 changes: 9 additions & 9 deletions managed_rules_locals.tf
Expand Up @@ -1621,7 +1621,7 @@ locals {
description = "Checks if Audit Log Monitoring for Amazon Elastic Kubernetes Service (Amazon EKS) is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the EKS Audit Log Monitoring feature is not enabled for your account."
identifier = "GUARDDUTY_EKS_PROTECTION_AUDIT_ENABLED"
resource_types_scope = ["AWS::GuardDuty::Detector"]
severity = "Medium"
severity = "High"
}

guardduty-eks-protection-runtime-enabled = {
Expand All @@ -1642,14 +1642,14 @@ locals {
description = "Checks if Lambda Protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Lambda Protection feature in Amazon GuardDuty is not enabled for your account."
identifier = "GUARDDUTY_LAMBDA_PROTECTION_ENABLED"
resource_types_scope = ["AWS::GuardDuty::Detector"]
severity = "Medium"
severity = "High"
}

guardduty-malware-protection-enabled = {
description = "Checks if Malware Protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Malware Protection feature in Amazon GuardDuty is not enabled for your account."
identifier = "GUARDDUTY_MALWARE_PROTECTION_ENABLED"
resource_types_scope = ["AWS::GuardDuty::Detector"]
severity = "Medium"
severity = "High"
}

guardduty-non-archived-findings = {
Expand All @@ -1663,14 +1663,14 @@ locals {
description = "Checks if Amazon Relational Database Service (Amazon RDS) protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Amazon RDS protection feature in Amazon GuardDuty is not enabled for you account."
identifier = "GUARDDUTY_RDS_PROTECTION_ENABLED"
resource_types_scope = ["AWS::GuardDuty::Detector"]
severity = "Medium"
severity = "High"
}

guardduty-s3-protection-enabled = {
description = "Checks if S3 Protection is enabled for an Amazon GuardDuty Detector in your account. The rule is NON_COMPLIANT if the S3 Protection feature in Amazon GuardDuty is not enabled for your account."
identifier = "GUARDDUTY_S3_PROTECTION_ENABLED"
resource_types_scope = ["AWS::GuardDuty::Detector"]
severity = "Medium"
severity = "High"
}

iam-customer-policy-blocked-kms-actions = {
Expand Down Expand Up @@ -1811,28 +1811,28 @@ locals {
description = "Checks if Amazon Inspector V2 EC2 scanning is activated for your single or multi-account environment to detect potential vulnerabilities and network reachability issues on your EC2 instances. The rule is NON_COMPLIANT if EC2 scanning is not activated."
identifier = "INSPECTOR_EC2_SCAN_ENABLED"
resource_types_scope = ["AWS::::Account"]
severity = "Medium"
severity = "High"
}

inspector-ecr-scan-enabled = {
description = "Checks if Amazon Inspector V2 ECR scanning is activated for your single or multi-account environment to detect potential software vulnerabilities in your container images. The rule is NON_COMPLIANT if ECR scanning is not activated."
identifier = "INSPECTOR_ECR_SCAN_ENABLED"
resource_types_scope = ["AWS::::Account"]
severity = "Medium"
severity = "High"
}

inspector-lambda-code-scan-enabled = {
description = "Checks if Amazon Inspector V2 Lambda code scanning is activated for your single or multi-account environment to detect potential code vulnerabilities. The rule is NON_COMPLIANT if Lambda code scanning is not activated."
identifier = "INSPECTOR_LAMBDA_CODE_SCAN_ENABLED"
resource_types_scope = ["AWS::::Account"]
severity = "Medium"
severity = "High"
}

inspector-lambda-standard-scan-enabled = {
description = "Checks if Amazon Inspector V2 Lambda standard scanning is activated for your single or multi-account environment to detect potential software vulnerabilities. The rule is NON_COMPLIANT if Lambda standard scanning is not activated."
identifier = "INSPECTOR_LAMBDA_STANDARD_SCAN_ENABLED"
resource_types_scope = ["AWS::::Account"]
severity = "Medium"
severity = "High"
}

ec2-instances-in-vpc = {
