diff --git a/checks/check_extra711 b/checks/check_extra711
index 34e2947a..a7c7b798 100644
--- a/checks/check_extra711
+++ b/checks/check_extra711
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra711="High"
 CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
 CHECK_ALTERNATE_check711="extra711"
 CHECK_SERVICENAME_extra711="redshift"
-CHECK_RISK_extra711='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_RISK_extra711='Publicly accessible services could expose sensitive data to bad actors.'
 CHECK_REMEDIATION_extra711='List all shared Redshift clusters and make sure there is a business reason for them.'
 CHECK_DOC_extra711='https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html'
 CHECK_CAF_EPIC_extra711='Data Protection'
diff --git a/checks/check_extra7116 b/checks/check_extra7116
index 77f4eee8..d18ab6f2 100644
--- a/checks/check_extra7116
+++ b/checks/check_extra7116
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7116="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
 CHECK_ALTERNATE_check7116="extra7116"
 CHECK_SERVICENAME_extra7116="glue"
-CHECK_RISK_extra7116='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7116='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7116='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
 CHECK_DOC_extra7116='https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html'
 CHECK_CAF_EPIC_extra7116='Data Protection'
diff --git a/checks/check_extra7117 b/checks/check_extra7117
index ce2ebcab..6091a71c 100644
--- a/checks/check_extra7117
+++ b/checks/check_extra7117
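Review bot: The new CHECK_RISK_extra7116 string still has no subject and no comma after "If not enabled", so the finding text leaves the reader guessing what must be enabled. The remediation and doc link in this same hunk are about catalog encryption, so the risk can say so: `CHECK_RISK_extra7116='If encryption is not enabled, sensitive information at rest is not protected.'`. The identical sentence is carried unchanged into the hunks for check_extra7117, 7118, 7119, 7120, 7121, 7122, 7130, 735 and 761, and the "in transit" variant in check_extra728 and 738; one wording fix should be applied across all of them rather than only swapping the adjective.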
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7117="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
 CHECK_ALTERNATE_check7117="extra7117"
 CHECK_SERVICENAME_extra7117="glue"
-CHECK_RISK_extra7117='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7117='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7117='On the AWS Glue console; you can enable this option on the Data catalog settings page.'
 CHECK_DOC_extra7117='https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html'
 CHECK_CAF_EPIC_extra7117='Data Protection'
diff --git a/checks/check_extra7118 b/checks/check_extra7118
index a55996ec..0b70fcab 100644
--- a/checks/check_extra7118
+++ b/checks/check_extra7118
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7118="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
 CHECK_ALTERNATE_check7118="extra7118"
 CHECK_SERVICENAME_extra7118="glue"
-CHECK_RISK_extra7118='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7118='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7118='Provide the encryption properties that are used by crawlers; jobs; and development endpoints.'
 CHECK_DOC_extra7118='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
 CHECK_CAF_EPIC_extra7118='Data Protection'
diff --git a/checks/check_extra7119 b/checks/check_extra7119
index a6a0a4f2..a3ca4a10 100644
--- a/checks/check_extra7119
+++ b/checks/check_extra7119
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7119="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
 CHECK_ALTERNATE_check7119="extra7119"
 CHECK_SERVICENAME_extra7119="glue"
-CHECK_RISK_extra7119='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7119='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7119='Enable Encryption in the Security configurations.'
 CHECK_DOC_extra7119='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
 CHECK_CAF_EPIC_extra7119='Logging and Monitoring'
diff --git a/checks/check_extra7120 b/checks/check_extra7120
index 37cd3094..93907c93 100644
--- a/checks/check_extra7120
+++ b/checks/check_extra7120
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7120="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
 CHECK_ALTERNATE_check7120="extra7120"
 CHECK_SERVICENAME_extra7120="glue"
-CHECK_RISK_extra7120='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7120='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7120='Enable Encryption in the Security configurations.'
 CHECK_DOC_extra7120='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
 CHECK_CAF_EPIC_extra7120='Logging and Monitoring'
diff --git a/checks/check_extra7121 b/checks/check_extra7121
index 26087e05..13259770 100644
--- a/checks/check_extra7121
+++ b/checks/check_extra7121
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7121="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
 CHECK_ALTERNATE_check7121="extra7121"
 CHECK_SERVICENAME_extra7121="glue"
-CHECK_RISK_extra7121='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7121='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7121='Enable Encryption in the Security configurations.'
 CHECK_DOC_extra7121='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
 CHECK_CAF_EPIC_extra7121='Data Protection'
diff --git a/checks/check_extra7122 b/checks/check_extra7122
index ac163833..9f50bb71 100644
--- a/checks/check_extra7122
+++ b/checks/check_extra7122
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7122="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
 CHECK_ALTERNATE_check7122="extra7122"
 CHECK_SERVICENAME_extra7122="glue"
-CHECK_RISK_extra7122='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7122='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7122='Enable Encryption in the Security configurations.'
 CHECK_DOC_extra7122='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
 CHECK_CAF_EPIC_extra7122='Data Protection'
diff --git a/checks/check_extra7130 b/checks/check_extra7130
index 251f6c5d..f1641516 100644
--- a/checks/check_extra7130
+++ b/checks/check_extra7130
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra7130="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic"
 CHECK_ALTERNATE_check7130="extra7130"
 CHECK_SERVICENAME_extra7130="sns"
-CHECK_RISK_extra7130='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7130='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7130='Use Amazon SNS with AWS KMS.'
 CHECK_DOC_extra7130='https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html'
 CHECK_CAF_EPIC_extra7130='Data Protection'
diff --git a/checks/check_extra7143 b/checks/check_extra7143
index a4bdac62..7d3ee0eb 100644
--- a/checks/check_extra7143
+++ b/checks/check_extra7143
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7143="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra7143="AwsEFS"
 CHECK_ALTERNATE_check7143="extra7143"
 CHECK_SERVICENAME_extra7143="efs"
-CHECK_RISK_extra7143='EFS accessible to everyone could expose sensible data to bad actors'
+CHECK_RISK_extra7143='EFS accessible to everyone could expose sensitive data to bad actors'
 CHECK_REMEDIATION_extra7143='Ensure efs has some policy but it does not have principle as *'
 CHECK_DOC_extra7143='https://docs.aws.amazon.com/efs/latest/ug/access-control-block-public-access.html'
 CHECK_CAF_EPIC_extra7143='Data Protection'
diff --git a/checks/check_extra7147 b/checks/check_extra7147
index f14e1949..4e8c16e3 100644
--- a/checks/check_extra7147
+++ b/checks/check_extra7147
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra7147="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra7147="AwsGlacierVault"
 CHECK_ALTERNATE_check7147="extra7142"
 CHECK_SERVICENAME_extra7147="glacier"
-CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensible data to bad actors'
+CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensitive data to bad actors'
 CHECK_REMEDIATION_extra7147='Ensure vault policy does not have principle as *'
 CHECK_DOC_extra7147='https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html'
 CHECK_CAF_EPIC_extra7147='Data Protection'
diff --git a/checks/check_extra716 b/checks/check_extra716
index 08f2271d..87980aea 100644
--- a/checks/check_extra716
+++ b/checks/check_extra716
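Review bot: The remediation kept as context in the check_extra7143 hunk, `Ensure efs has some policy but it does not have principle as *`, names the wrong policy element: the field in a resource policy is `Principal`, and someone searching the policy document for "principle" will not find it. Suggest `CHECK_REMEDIATION_extra7143='Ensure the EFS file system policy does not grant access to Principal "*" (everyone).'`. The same "principle as *" wording appears in the check_extra7147 hunk below and should get the same correction.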
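Review bot: `CHECK_ALTERNATE_check7147="extra7142"` in the check_extra7147 hunk breaks the pattern every other file in this diff follows (`CHECK_ALTERNATE_checkNNN="extraNNN"`), so it reads as a copy-paste slip. If that alias table is what resolves a user-supplied `check7147` to a check function, asking for the Glacier vault policy check would silently run whatever extra7142 is instead, which is the kind of gap that goes unnoticed in a scan report. Worth confirming against the neighbouring check files and, if unintended, changing it to `CHECK_ALTERNATE_check7147="extra7147"`; it is outside this commit's wording scope but sits in the hunk.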
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra716="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check716="extra716"
 CHECK_SERVICENAME_extra716="es"
-CHECK_RISK_extra716='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_RISK_extra716='Publicly accessible services could expose sensitive data to bad actors.'
 CHECK_REMEDIATION_extra716='Use VPC endpoints for internal services.'
 CHECK_DOC_extra716='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html'
 CHECK_CAF_EPIC_extra716='Infrastructure Security'
diff --git a/checks/check_extra723 b/checks/check_extra723
index 11a746ec..94833c23 100644
--- a/checks/check_extra723
+++ b/checks/check_extra723
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra723="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
 CHECK_ALTERNATE_check723="extra723"
 CHECK_SERVICENAME_extra723="rds"
-CHECK_RISK_extra723='Publicly accessible services could expose sensible data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
+CHECK_RISK_extra723='Publicly accessible services could expose sensitive data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
 CHECK_REMEDIATION_extra723='Use AWS Config to identify any sanpshot that is public.'
 CHECK_DOC_extra723='https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html'
 CHECK_CAF_EPIC_extra723='Data Protection'
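Review bot: The new CHECK_RISK_extra723 line still carries the truncated second sentence `t is recommended that your RDS snapshots should not be public`; the leading "I" is missing, so the finding text reads as garbled even after this edit. Change it to `It is recommended that your RDS snapshots should not be public ...` in the same line. The context line below also has `sanpshot` for "snapshot", and the remediation only tells the reader how to find public snapshots with AWS Config, not how to fix them; a closing sentence such as "Remove the public `restore` attribute from the snapshot (e.g. via modify-db-snapshot-attribute) and re-share it only with the specific accounts that need it." would make it actionable.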
diff --git a/checks/check_extra727 b/checks/check_extra727
index e66962be..86f5dfbd 100644
--- a/checks/check_extra727
+++ b/checks/check_extra727
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra727="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra727="AwsSqsQueue"
 CHECK_ALTERNATE_check727="extra727"
 CHECK_SERVICENAME_extra727="sqs"
-CHECK_RISK_extra727='Sensible information could be disclosed.'
+CHECK_RISK_extra727='Sensitive information could be disclosed.'
 CHECK_REMEDIATION_extra727='Review service with overly permissive policies. Adhere to Principle of Least Privilege.'
 CHECK_DOC_extra727='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html'
 CHECK_CAF_EPIC_extra727='Infrastructure Security'
diff --git a/checks/check_extra728 b/checks/check_extra728
index 629d6029..10ad0e0c 100644
--- a/checks/check_extra728
+++ b/checks/check_extra728
@@ -20,7 +20,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue"
 CHECK_ALTERNATE_check728="extra728"
 CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1"
 CHECK_SERVICENAME_extra728="sqs"
-CHECK_RISK_extra728='If not enabled sensible information in transit is not protected.'
+CHECK_RISK_extra728='If not enabled sensitive information in transit is not protected.'
 CHECK_REMEDIATION_extra728='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
 CHECK_DOC_extra728='https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html'
 CHECK_CAF_EPIC_extra728='Data Protection'
diff --git a/checks/check_extra731 b/checks/check_extra731
index fcda11fa..a22d8492 100644
--- a/checks/check_extra731
+++ b/checks/check_extra731
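Review bot: The new CHECK_RISK_extra728 text says the unprotected data is "in transit", but the remediation and doc link in the same hunk describe SQS server-side encryption (sqs-configure-sse-existing-queue), which protects queued message contents at rest; the risk statement should match what the check actually verifies: `CHECK_RISK_extra728='If encryption is not enabled, sensitive information at rest is not protected.'`. If the check is instead meant to cover TLS-only queue policies, then the remediation and CHECK_DOC lines are the ones to change. Separately, `CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1"` on an sqs check looks like it may have been copied from the SNS check; confirm against the ENS mapping.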
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra731="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra731="AwsSnsTopic"
 CHECK_ALTERNATE_check731="extra731"
 CHECK_SERVICENAME_extra731="sns"
-CHECK_RISK_extra731='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_RISK_extra731='Publicly accessible services could expose sensitive data to bad actors.'
 CHECK_REMEDIATION_extra731='Ensure there is a business requirement for service to be public.'
 CHECK_DOC_extra731='https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html'
 CHECK_CAF_EPIC_extra731='Infrastructure Security'
diff --git a/checks/check_extra735 b/checks/check_extra735
index 0d7a88aa..6b86cc52 100644
--- a/checks/check_extra735
+++ b/checks/check_extra735
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance"
 CHECK_ALTERNATE_check735="extra735"
 CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1"
 CHECK_SERVICENAME_extra735="rds"
-CHECK_RISK_extra735='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra735='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra735='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
 CHECK_DOC_extra735='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html'
 CHECK_CAF_EPIC_extra735='Data Protection'
diff --git a/checks/check_extra738 b/checks/check_extra738
index 10b97118..32116eba 100644
--- a/checks/check_extra738
+++ b/checks/check_extra738
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check738="extra738"
 CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1"
 CHECK_SERVICENAME_extra738="cloudfront"
-CHECK_RISK_extra738='If not enabled sensible information in transit is not protected. Surveillance and other threats are risks may exists.'
+CHECK_RISK_extra738='If not enabled sensitive information in transit is not protected. Surveillance and other threats are risks may exists.'
 CHECK_REMEDIATION_extra738='Use HTTPS everywhere possible. It will enforce privacy and protect against account hijacking and other threats.'
 CHECK_DOC_extra738='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html'
 CHECK_CAF_EPIC_extra738='Data Protection'
diff --git a/checks/check_extra761 b/checks/check_extra761
index 6d10e7e1..7189b473 100644
--- a/checks/check_extra761
+++ b/checks/check_extra761
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra761="Medium"
 CHECK_ALTERNATE_check761="extra761"
 CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2"
 CHECK_SERVICENAME_extra761="ec2"
-CHECK_RISK_extra761='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra761='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra761='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
 CHECK_DOC_extra761='https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/'
 CHECK_CAF_EPIC_extra761='Data Protection'
diff --git a/checks/check_extra763 b/checks/check_extra763
index 765755ce..6cbf5b28 100644
--- a/checks/check_extra763
+++ b/checks/check_extra763
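Review bot: The new CHECK_RISK_extra738 line keeps the ungrammatical tail `Surveillance and other threats are risks may exists.`, which is the text an end user sees in the finding. Since the remediation in this hunk is about enforcing HTTPS and names interception and account hijacking as the threats, the risk can state the same thing cleanly: `CHECK_RISK_extra738='If HTTPS is not enforced, sensitive information in transit is not protected and is exposed to interception and account hijacking.'`. The "in transit" wording is correct here, unlike the SQS check earlier in this diff.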
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra763="AwsS3Bucket"
 CHECK_ALTERNATE_check763="extra763"
 CHECK_SERVICENAME_extra763="s3"
 CHECK_RISK_extra763=' With versioning; you can easily recover from both unintended user actions and application failures.'
-CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensible information that is changing frecuently; and backup may not be enough to capture all the changes.'
+CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensitive information that is changing frecuently; and backup may not be enough to capture all the changes.'
 CHECK_DOC_extra763='https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/Versioning.html'
 CHECK_CAF_EPIC_extra763='Data Protection'
diff --git a/checks/check_extra767 b/checks/check_extra767
index 1b7d76d5..77bb0de4 100644
--- a/checks/check_extra767
+++ b/checks/check_extra767
@@ -19,7 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra767="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check767="extra767"
 CHECK_SERVICENAME_extra767="cloudfront"
 CHECK_RISK_extra767='Allows you protect specific data throughout system processing so that only certain applications can see it.'
-CHECK_REMEDIATION_extra767='Check if applicable to any sensible data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.'
+CHECK_REMEDIATION_extra767='Check if applicable to any sensitive data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.'
 CHECK_DOC_extra767='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html'
 CHECK_CAF_EPIC_extra767='Data Protection'
diff --git a/checks/check_extra78 b/checks/check_extra78
index ce5e34ef..bc32dc1c 100644
--- a/checks/check_extra78
+++ b/checks/check_extra78
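Review bot: The new CHECK_REMEDIATION_extra763 line still contains `frecuently` for "frequently", and the CHECK_RISK_extra763 context line starts with a stray space inside the quotes (`' With versioning;`) that will be emitted verbatim into reports. Suggest `CHECK_REMEDIATION_extra763='Configure versioning using the Amazon console or API for buckets with sensitive information that is changing frequently; and backup may not be enough to capture all the changes.'` and trimming the leading space. The check_extra767 hunk below has a similar cosmetic issue on its new line: it mixes an em dash and a spaced hyphen (`the data—and ... decrypt it - are`), which should be one or the other.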
@@ -20,7 +20,7 @@ CHECK_ALTERNATE_extra708="extra78"
 CHECK_ALTERNATE_check78="extra78"
 CHECK_ALTERNATE_check708="extra78"
 CHECK_SERVICENAME_extra78="rds"
-CHECK_RISK_extra78='Publicly accessible databases could expose sensible data to bad actors.'
+CHECK_RISK_extra78='Publicly accessible databases could expose sensitive data to bad actors.'
 CHECK_REMEDIATION_extra78='Using an AWS Config rule check for RDS public instances periodically and check there is a business reason for it.'
 CHECK_DOC_extra78='https://docs.amazonaws.cn/en_us/config/latest/developerguide/rds-instance-public-access-check.html'
 CHECK_CAF_EPIC_extra78='Data Protection'
diff --git a/checks/check_extra79 b/checks/check_extra79
index 894dd0f9..bcb414bb 100644
--- a/checks/check_extra79
+++ b/checks/check_extra79
@@ -20,7 +20,7 @@ CHECK_ALTERNATE_extra709="extra79"
 CHECK_ALTERNATE_check79="extra79"
 CHECK_ALTERNATE_check709="extra79"
 CHECK_SERVICENAME_extra79="elb"
-CHECK_RISK_extra79='Publicly accessible load balancers could expose sensible data to bad actors.'
+CHECK_RISK_extra79='Publicly accessible load balancers could expose sensitive data to bad actors.'
 CHECK_REMEDIATION_extra79='Ensure the load balancer should be publicly accessible. If publiccly exposed ensure a WAF ACL is implemented.'
 CHECK_DOC_extra79='https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html'
 CHECK_CAF_EPIC_extra79='Data Protection'
diff --git a/checks/check_extra795 b/checks/check_extra795
index d71370e0..7030d741 100644
--- a/checks/check_extra795
+++ b/checks/check_extra795
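Review bot: `CHECK_DOC_extra78` in the check_extra78 hunk's context points at docs.amazonaws.cn, the China-partition documentation host, while every other CHECK_DOC in this diff uses docs.aws.amazon.com; the same page path on the global host is the consistent choice for users outside that partition: `CHECK_DOC_extra78='https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-public-access-check.html'`. It is outside the commit's wording intent, but it is in the hunk and cheap to fix alongside.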
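Review bot: The remediation context line in the check_extra79 hunk, `Ensure the load balancer should be publicly accessible. If publiccly exposed ensure a WAF ACL is implemented.`, reads as an instruction to make the balancer public and misspells "publicly". Suggest `CHECK_REMEDIATION_extra79='Confirm there is a business need for the load balancer to be publicly accessible; if it must be public, associate a WAF web ACL with it.'`, which follows the "check there is a business reason for it" pattern the check_extra78 hunk above already uses.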
@@ -18,7 +18,7 @@ CHECK_SEVERITY_extra795="High"
 CHECK_ASFF_RESOURCE_TYPE_extra795="AwsEksCluster"
 CHECK_ALTERNATE_check795="extra795"
 CHECK_SERVICENAME_extra795="eks"
-CHECK_RISK_extra795='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_RISK_extra795='Publicly accessible services could expose sensitive data to bad actors.'
 CHECK_REMEDIATION_extra795='Enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. Disable internet access to the API server.'
 CHECK_DOC_extra795='https://docs.aws.amazon.com/eks/latest/userguide/infrastructure-security.html'
 CHECK_CAF_EPIC_extra795='Infrastructure Security'
diff --git a/checks/check_extra798 b/checks/check_extra798
index 1d8e00ef..0e14d22a 100644
--- a/checks/check_extra798
+++ b/checks/check_extra798
@@ -19,7 +19,7 @@ CHECK_SEVERITY_extra798="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction"
 CHECK_ALTERNATE_check798="extra798"
 CHECK_SERVICENAME_extra798="lambda"
-CHECK_RISK_extra798='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_RISK_extra798='Publicly accessible services could expose sensitive data to bad actors.'
 CHECK_REMEDIATION_extra798='Grant usage permission on a per-resource basis and applying least privilege principle.'
 CHECK_DOC_extra798='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html'
 CHECK_CAF_EPIC_extra798='Infrastructure Security'
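Review bot: The remediation context line in the check_extra798 hunk mixes verb forms (`Grant usage permission on a per-resource basis and applying least privilege principle.`) and does not say who the permission should be scoped to, which is the whole point of a public-Lambda finding. Suggest `CHECK_REMEDIATION_extra798='Grant invoke permissions in the function's resource-based policy to specific principals only, on a per-resource basis, applying the principle of least privilege.'`. Note the apostrophe in "function's" would need the usual single-quote escaping in this file's quoting style, or rewording to avoid it.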