Get answers to frequently asked support questions for Cloud Posture.

How do I manage rule failures related to Agentless Vulnerability & Threat Detection?

The Agentless Vulnerability & Threat Detection (AVTD) feature has undergone thorough testing, including security and performance testing, in order to meet cloud configuration best practices. The following rule failures may still occur:
Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Managed Keys: AVTD resources are securely encrypted with default keys. In addition, the environment variables do not contain any secrets, so adding additional encryption using customer-managed keys is not required.
SecretsManager-001: Secret Encrypted With KMS Customer Master Keys: AVTD resources are securely encrypted with default keys, so adding additional encryption using customer-managed keys is not required.
Lambda-001: Lambda Using Latest Runtime Environment: AVTD ensures that all of its Lambdas use a supported runtime environment with no End Of Life date. All supported runtime environments receive frequent security updates from AWS.
Lambda-003: Lambda Tracing Enabled: AVTD ensures that this feature is thoroughly tested before release, hence the additional visibility gained by enabling tracing is not required.
SecretsManager-002: Secret Rotation Enabled: AVTD uses its own secrets feature instead of the one provided by AWS, hence enabling the AWS-provided Secret Rotation feature is not required.
SecretsManager-003: Secret Rotation Interval: AVTD uses its own secrets feature instead of the one provided by AWS, hence enabling the AWS-provided Secret Rotation feature is not required.
S3-024: S3 Transfer Acceleration: The AVTD feature does not use the transfer acceleration feature.
Lambda-006: Using an IAM Role For More Than One Lambda Function: AVTD employs a strategy called "permission planes", where Lambda functions that require identical permissions share a single IAM role. This ensures both efficiency and manageability when deploying to multiple regions, e.g. a reduction in the number of IAM roles used in a customer's cloud account.
Lambda-007: VPC Access for AWS Lambda Functions: AVTD does not use resources such as Redshift, ElastiCache, or RDS that may require a VPC implementation.
CFM-001: CloudFormation Stack Notification: The AVTD CloudFormation stack is already managed via V1 CAM instead of AWS.
CFM-002: CloudFormation Stack Policy: The AVTD CloudFormation stack is already managed via V1 CAM instead of AWS.
CFM-005: CloudFormation Stack Termination Protection: In order to give customers control of the stacks in their environment, AVTD does allow users to deactivate and remove the stack from their account.
S3-025: S3 Buckets Encrypted with Customer Provided Keys (CMKs): AVTD is already encrypted using S3-Managed Keys.
SQS-006: SQS Dead Letter Queue: AVTD implements a Dead Letter Queue (DLQ) on those of its SQS resources where applicable.
S3-013: S3 Bucket MFA Delete Enabled: Objects stored in AVTD S3 buckets are relatively short-lived, hence enabling MFA Delete protection against accidental deletion is not required.
S3-023: Object Lock: Objects stored in AVTD S3 buckets are relatively short-lived, hence Object Lock protection against accidental deletion is not required.

What to do next?

To prevent these failures from affecting the compliance of your cloud accounts, exclude AVTD resources from the rules above. You can create a rule exception using the resource tag AppManagerCFNStackKey::V1 Agentless Vulnerability and Threat Detection to exclude the resources from those rules. Alternatively, you can create and apply an exceptions profile using the same resource tag:
  1. Merge the profile with the affected accounts to apply the rule exceptions.
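The following is an added example (not Trend Micro's code) of how to apply the tag-scoped exception when triaging an exported list of rule failures: a failure is suppressed only when the rule is one of those listed above and the resource carries the AVTD stack tag, so the same rules keep firing on every other resource in the account. The finding record shape and the sample findings are constructed for the example and are not the Cloud Posture export format.

```python
# Added example (not Trend Micro's code): suppress the AVTD rule failures listed
# in the FAQ only on resources that carry the AVTD stack tag, so the same rules
# keep applying to any other resource in the account.
# The finding dict shape below is constructed for this example; it is not the
# Cloud Posture export format.

# Rule IDs the FAQ says may fail on AVTD resources.
AVTD_EXPECTED_RULES = {
    "Lambda-009", "SecretsManager-001", "Lambda-001", "Lambda-003",
    "SecretsManager-002", "SecretsManager-003", "S3-024", "Lambda-006",
    "Lambda-007", "CFM-001", "CFM-002", "CFM-005", "S3-025", "SQS-006",
    "S3-013", "S3-023",
}

# Resource tag used for the exception, as given in the FAQ (key::value).
AVTD_TAG_KEY = "AppManagerCFNStackKey"
AVTD_TAG_VALUE = "V1 Agentless Vulnerability and Threat Detection"


def is_avtd_resource(tags: dict) -> bool:
    """True only when the resource carries the AVTD tag with the exact value."""
    return tags.get(AVTD_TAG_KEY) == AVTD_TAG_VALUE


def apply_avtd_exception(findings: list) -> tuple:
    """Split findings into (reportable, excluded_by_avtd_exception).

    A failure is excluded only when BOTH the rule is on the expected list AND
    the resource carries the AVTD tag. A customer Lambda failing Lambda-009, or
    an AVTD resource failing any other rule, stays reportable.
    """
    reportable, excluded = [], []
    for finding in findings:
        if (finding["rule"] in AVTD_EXPECTED_RULES
                and is_avtd_resource(finding.get("tags", {}))):
            excluded.append(finding)
        else:
            reportable.append(finding)
    return reportable, excluded


# Constructed sample findings (not real account data; rule "Placeholder-000"
# stands in for any rule not on the FAQ's list).
SAMPLE_FINDINGS = [
    {"rule": "Lambda-009", "resource": "avtd-fn", "tags": {AVTD_TAG_KEY: AVTD_TAG_VALUE}},
    {"rule": "Lambda-009", "resource": "billing-fn", "tags": {}},
    {"rule": "Placeholder-000", "resource": "avtd-fn", "tags": {AVTD_TAG_KEY: AVTD_TAG_VALUE}},
    {"rule": "S3-013", "resource": "avtd-bucket", "tags": {AVTD_TAG_KEY: "V1 Agentless"}},
]

if __name__ == "__main__":
    keep, drop = apply_avtd_exception(SAMPLE_FINDINGS)
    print("reportable:", [(f["rule"], f["resource"]) for f in keep])
    print("excluded:  ", [(f["rule"], f["resource"]) for f in drop])
```

Only the first sample finding is excluded: the untagged Lambda, the AVTD resource failing an unlisted rule, and the resource whose tag value does not match exactly all remain reportable.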