Get answers to frequently asked support questions for Cloud Posture.
How do I manage rule failures related to Agentless Vulnerability & Threat Detection?
The Agentless Vulnerability & Threat Detection (AVTD) feature has undergone thorough security and performance testing in order to meet cloud configuration best practices. The following rule failures may still be reported on AVTD resources:
Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Managed Keys: AVTD resources are encrypted with the default (AWS-managed) keys. In addition, the environment variables do not contain any secrets, so additional encryption using customer-managed keys is not required.
SecretsManager-001: Secret Encrypted With KMS Customer Master Keys: AVTD resources are encrypted with the default (AWS-managed) keys, so additional encryption using customer-managed keys is not required.
Lambda-001: Lambda Using Latest Runtime Environment: AVTD ensures that all of its Lambda functions use a supported runtime environment with no end-of-life date, which the rule may still flag when a newer runtime exists. All supported runtime environments receive frequent security updates from AWS.
Lambda-003: Lambda Tracing Enabled: AVTD is thoroughly tested before release, so the additional visibility provided by enabling AWS X-Ray tracing is not required.
SecretsManager-002: Secret Rotation Enabled: AVTD uses its own secrets feature instead of the one provided by AWS, so enabling the AWS-provided secret rotation feature is not required.
SecretsManager-003: Secret Rotation Interval: AVTD uses its own secrets feature instead of the one provided by AWS, so enabling the AWS-provided secret rotation feature is not required.
S3-024: S3 Transfer Acceleration: The AVTD feature does not use S3 Transfer Acceleration.
Lambda-006: Using an IAM Role For More Than One Lambda Function: AVTD employs a strategy called "permission planes", where Lambda functions that require identical permissions share a single IAM role. This keeps deployments to multiple regions efficient and manageable, for example by reducing the number of IAM roles created in a customer's cloud account.
Lambda-007: VPC Access for AWS Lambda Functions: AVTD does not use resources such as Redshift, ElastiCache, or RDS that would require its Lambda functions to be attached to a VPC.
CFM-001: CloudFormation Stack Notification: The AVTD CloudFormation stack is already managed via V1 CAM instead of directly through AWS.
CFM-002: CloudFormation Stack Policy: The AVTD CloudFormation stack is already managed via V1 CAM instead of directly through AWS.
CFM-005: CloudFormation Stack Termination Protection: To give customers control of the stacks in their environment, AVTD allows users to deactivate and remove the stack from their account, so termination protection is intentionally not enabled.
S3-025: S3 Buckets Encrypted with Customer Provided Keys (CMKs): AVTD buckets are already encrypted using S3-managed keys (SSE-S3).
SQS-006: SQS Dead Letter Queue: AVTD implements a dead-letter queue (DLQ) for those of its SQS queues where one is applicable.
S3-013: S3 Bucket MFA Delete Enabled: Objects stored in AVTD S3 buckets are relatively short-lived, so enabling MFA Delete to protect against accidental deletion is not required.
S3-023: Object Lock: Objects stored in AVTD S3 buckets are relatively short-lived, so enabling Object Lock to protect against accidental deletion is not required.
What to do next?
To prevent these failures from affecting the compliance of your cloud accounts, exclude AVTD resources from the rules listed above. You can create a rule exception using the resource tag AppManagerCFNStackKey::V1 Agentless Vulnerability and Threat Detection to exclude the resources from those rules. Alternatively, create an exceptions profile that uses the resource tag, and merge the profile with the affected accounts to apply the rule exceptions. Scope the exception to the rules listed above only, so that every other check continues to evaluate the AVTD resources.
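The following script is an added example and is not code from Cloud Posture or the AVTD feature. It shows the triage logic behind a correctly scoped exception: a failure is set aside only when the rule is one of those listed above AND the resource carries the AVTD tag, so a tagged AVTD resource failing any other rule, or an untagged resource failing a listed rule, stays actionable. The Finding record, the sample ARNs and account ID, and the placeholder rule ID "Other-001" are constructed for the example; the "Key::Value" tag form follows how the page writes the tag.

```python
"""Triage Cloud Posture rule failures attributable to AVTD resources.

Added example, not code from Cloud Posture or AVTD. Assumptions (not on
the page): findings are modelled as small Finding records constructed
inline, and the exception tag is written as "Key::Value" and matched on
the exact key and value.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Rule IDs the page lists as expected failures on AVTD resources.
AVTD_EXPECTED_RULES = frozenset({
    "Lambda-001", "Lambda-003", "Lambda-006", "Lambda-007", "Lambda-009",
    "SecretsManager-001", "SecretsManager-002", "SecretsManager-003",
    "S3-013", "S3-023", "S3-024", "S3-025",
    "CFM-001", "CFM-002", "CFM-005", "SQS-006",
})

# The resource tag the page uses to identify AVTD-deployed resources.
AVTD_TAG = "AppManagerCFNStackKey::V1 Agentless Vulnerability and Threat Detection"


@dataclass
class Finding:
    """One rule failure: rule ID, resource ARN and the resource's tags."""
    rule: str
    arn: str
    tags: dict[str, str] = field(default_factory=dict)


def parse_tag(tag: str) -> tuple[str, str]:
    """Split a 'Key::Value' exception tag into (key, value).

    Only the first '::' separates key from value, so the value may itself
    contain '::'. A tag without a key or without the separator is rejected.
    """
    key, sep, value = tag.partition("::")
    if not sep or not key:
        raise ValueError(f"exception tag must be 'Key::Value': {tag!r}")
    return key, value


def resource_has_tag(tags: dict[str, str], exception_tag: str) -> bool:
    """True only when the resource carries exactly this key AND this value."""
    key, value = parse_tag(exception_tag)
    return tags.get(key) == value


def triage(findings, exception_tag=AVTD_TAG, expected_rules=AVTD_EXPECTED_RULES):
    """Split findings into (excludable, actionable).

    A failure is excludable only when both hold: the rule is one the page
    lists as expected for AVTD, and the resource carries the AVTD tag.
    A failure on an AVTD resource under any other rule stays actionable,
    and so does any failure on a resource without the tag.
    """
    excludable, actionable = [], []
    for f in findings:
        if f.rule in expected_rules and resource_has_tag(f.tags, exception_tag):
            excludable.append(f)
        else:
            actionable.append(f)
    return excludable, actionable


# Tag set carried by AVTD resources, in the page's key/value form.
AVTD_TAGS = {"AppManagerCFNStackKey": "V1 Agentless Vulnerability and Threat Detection"}

# Constructed sample findings: the ARNs, the 111122223333 account ID and
# the placeholder rule "Other-001" are made up and do not appear on the page.
SAMPLE_FINDINGS = [
    Finding("Lambda-009", "arn:aws:lambda:us-east-1:111122223333:function:avtd-scan", dict(AVTD_TAGS)),
    Finding("Lambda-009", "arn:aws:lambda:us-east-1:111122223333:function:billing-api"),
    Finding("S3-013", "arn:aws:s3:::avtd-artifacts-111122223333", dict(AVTD_TAGS)),
    Finding("Other-001", "arn:aws:s3:::avtd-artifacts-111122223333", dict(AVTD_TAGS)),
    Finding("S3-013", "arn:aws:s3:::team-backups", {"AppManagerCFNStackKey": "unrelated"}),
]


if __name__ == "__main__":
    excl, act = triage(SAMPLE_FINDINGS)
    print("Covered by the AVTD exception:")
    for f in excl:
        print(f"  {f.rule:<20} {f.arn}")
    print("Still actionable:")
    for f in act:
        print(f"  {f.rule:<20} {f.arn}")
```

Run as-is to see the split on the constructed findings; to use it on real output, build Finding records from your own export of failed checks and the tags returned for each resource. The point the split makes is that the tag alone is not the exception: the billing-api function fails Lambda-009 without the tag and remains a real finding, and the tagged AVTD bucket failing the placeholder rule is not hidden by the exception.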