Improve the titles of AWS checks #311

Merged (4 commits), Jan 3, 2024
Changes from 2 commits
51 changes: 26 additions & 25 deletions core/mondoo-aws-security.mql.yaml
@@ -247,7 +247,7 @@
- url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa
title: Enable a virtual MFA device for your AWS account root user (console)
- uid: mondoo-aws-security-iam-password-policy
title: Checks whether the account password policy for IAM users meets the specified requirements
title: Ensure strong account password policy requirements are used
impact: 60
filters: asset.platform == "aws"
props:
@@ -371,7 +371,7 @@
- url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
title: Setting an account password policy for IAM users
- uid: mondoo-aws-security-access-keys-rotated
title: Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge (default 90)
title: Ensure active access keys are rotated
impact: 30
filters: asset.platform == "aws"
props:
@@ -383,7 +383,7 @@
aws.iam.credentialReport.where(accessKey2Active == true).all(time.now - accessKey2LastRotated < props.maxAccessKeyAge * time.day)
docs:
desc: |
It is highly recommended that you regularly rotate (change) IAM user access keys to reduce the risk of unwanted access to your account.
It is highly recommended that you regularly rotate (change) IAM user access keys to reduce the risk of unwanted access to your account. Change the value enforced in this check by modifying the maxAccessKeyAge property.
audit: |
__cnspec shell__

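Review bot: the desc now points users at the maxAccessKeyAge property but no longer states its default, which the old title carried ("default 90"); since the new title "Ensure active access keys are rotated" says nothing about the rotation window, the desc is the only place left for it. Suggest: "Change the value enforced in this check by modifying the maxAccessKeyAge property (default: 90 days)."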
@@ -435,7 +435,7 @@
- url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
title: AWS Documentation - Managing access keys for IAM users
- uid: mondoo-aws-security-mfa-enabled-for-iam-console-access
title: Checks whether the AWS IAM users have multi-factor authentication (MFA) enabled
title: Ensure AWS IAM users have multi-factor authentication (MFA) enabled
impact: 75
filters: asset.platform == "aws"
mql: aws.iam.credentialReport.all(mfaActive == true)
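Review bot: the new title scopes the check to IAM users, but `aws.iam.credentialReport.all(mfaActive == true)` evaluates every row of the credential report, which also includes the root account entry and users that have no console password (access-key-only users). The uid `mfa-enabled-for-iam-console-access` suggests the intent is console users; either filter the report to entries with a console password enabled before the `all(...)`, or widen the title so it does not promise a narrower scope than the query tests.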
@@ -698,7 +698,7 @@
- url: https://registry.terraform.io/providers/hashicorp/aws/latest/docs
title: Terraform Documentation - AWS Provider
- uid: mondoo-aws-security-iam-group-has-users-check
title: Checks whether IAM groups have at least one IAM user
title: Ensure IAM groups have at least one IAM user
impact: 30
docs:
desc: |
@@ -736,11 +736,11 @@
- uid: mondoo-aws-security-iam-group-has-users-check-account
- uid: mondoo-aws-security-iam-group-has-users-check-single-group
- uid: mondoo-aws-security-iam-group-has-users-check-account
title: Checks whether IAM groups have at least one IAM user
title: Ensure IAM groups have at least one IAM user
filters: asset.platform == "aws"
mql: aws.iam.groups.all(usernames.length > 0)
- uid: mondoo-aws-security-iam-group-has-users-check-single-group
title: Checks whether IAM groups have at least one IAM user
title: Ensure IAM groups have at least one IAM user
filters: asset.platform == "aws-iam-group"
mql: aws.iam.group.usernames.length > 0
- uid: mondoo-aws-security-iam-users-only-one-access-key
@@ -797,7 +797,7 @@

Repeat steps 1 - 3 for each IAM user in your AWS account.
- uid: mondoo-aws-security-iam-user-no-inline-policies-check
title: Ensure IAM Users Receive Permissions Only Through Groups
title: Ensure IAM users receive permissions only through groups
impact: 30
docs:
desc: |
@@ -852,11 +852,11 @@
- uid: mondoo-aws-security-iam-user-no-inline-policies-check-account
- uid: mondoo-aws-security-iam-user-no-inline-policies-check-single-user
- uid: mondoo-aws-security-iam-user-no-inline-policies-check-account
title: Ensure IAM Users Receive Permissions Only Through Groups
title: Ensure IAM users receive permissions only through groups
filters: asset.platform == "aws"
mql: aws.iam.users.all(attachedPolicies.length == 0)
- uid: mondoo-aws-security-iam-user-no-inline-policies-check-single-user
title: Ensure IAM Users Receive Permissions Only Through Groups
title: Ensure IAM users receive permissions only through groups
filters: asset.platform == "aws-iam-user"
mql: aws.iam.user.attachedPolicies.length == 0
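Review bot: the titles promise "permissions only through groups" and the uid says `no-inline-policies`, but both queries here only assert `attachedPolicies.length == 0`, i.e. no directly attached managed policies. A user carrying an inline policy passes, and neither condition alone establishes that permissions flow only through groups. Either extend the query to cover inline policies as well (which the uid implies was the intent) or retitle the three entries to what is actually tested, e.g. "Ensure IAM users have no directly attached managed policies".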
- uid: mondoo-aws-security-vpc-default-security-group-closed
@@ -1101,7 +1101,7 @@
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default
title: AWS Documentation - Encryption by default
- uid: mondoo-aws-security-s3-buckets-account-level-block-public-access
title: Checks if the required S3 public access block settings are configured from the account level
title: Ensure public access to S3 buckets is blocked at the account level
impact: 30
filters: asset.platform == "aws"
mql: aws.s3control.accountPublicAccessBlock.values.all(_ == true)
@@ -1312,7 +1312,7 @@
- url: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance
title: Terraform Registry - aws_instance
- uid: mondoo-aws-security-ec2-imdsv2-check
title: Checks whether the instance metadata version is configured with IMDSv2 (http tokens required)
title: Ensure EC2 instances use IMDSv2
impact: 80
filters: asset.platform == "aws"
mql: aws.ec2.instances.all(httpTokens == "required")
@@ -1733,7 +1733,7 @@
filters: asset.platform == "aws-vpc"
mql: aws.vpc.flowLogs.any(status == "ACTIVE")
- uid: mondoo-aws-security-dynamodb-table-encrypted-kms
title: Checks that all DynamoDB tables are encrypted with AWS Key Management Service (KMS)
title: Ensure DynamoDB tables are encrypted with AWS Key Management Service (KMS)
impact: 30
filters: asset.platform == "aws-dynamodb-table"
mql: aws.dynamodb.tables.all(sseDescription["SSEType"] == "KMS" && sseDescription["Status"] == "ENABLED")
@@ -1829,11 +1829,12 @@
- url: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
title: AWS Documentation - DynamoDB encryption at rest
- uid: mondoo-aws-security-lambda-concurrency-check
title: Checks whether lambda functions are configured with function-level concurrent execution limit
title: Ensure Lambda functions are configured with function-level concurrent execution limits
impact: 60
filters: asset.platform == "aws-lambda-function"
mql: aws.lambda.function { concurrency > 0 }
- uid: mondoo-aws-security-rds-instance-public-access-check
title: Checks that all RDS instances are not publicly accessible
title: Ensure all RDS instances are not publicly accessible
impact: 100
filters: asset.platform == "aws-rds-dbinstance"
mql: aws.rds.dbInstances.all(publiclyAccessible == false)
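Review bot: for consistency with the other retitled checks, drop "all" from the RDS title: "Ensure RDS instances are not publicly accessible" (compare "Ensure EBS snapshots are not publicly restorable" and "Ensure Redshift clusters are not publicly accessible" elsewhere in this diff, where the "all" was removed).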
@@ -1940,7 +1941,7 @@
- url: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html
title: AWS Documentation - Security Hub controls reference
- uid: mondoo-aws-security-redshift-cluster-public-access-check
title: Checks whether Redshift clusters are publicly accessible
title: Ensure Redshift clusters are not publicly accessible
impact: 95
filters: asset.platform == "aws-redshift-cluster"
mql: aws.redshift.clusters.all(publiclyAccessible == false)
@@ -2013,7 +2014,7 @@
- url: https://registry.terraform.io/providers/hashicorp/aws/latest/docs
title: Terraform Documentation - AWS Provider
- uid: mondoo-aws-security-ec2-volume-inuse-check
title: Checks whether EBS volumes are attached to EC2 instances and configured for deletion on instance termination
title: Ensure EBS volumes attached to EC2 instances are configured for deletion on instance termination
impact: 30
filters: asset.platform == "aws-ec2-volume"
mql: aws.ec2.volumes.where(attachments.length > 0 ).all(attachments.all(_['DeleteOnTermination']))
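Review bot: the new title now describes only half of what the uid `ec2-volume-inuse-check` names. Because the query starts with `where(attachments.length > 0)`, an unattached volume is filtered out and passes; the AWS Config rule of the same name flags volumes that are not attached to any instance and only optionally checks DeleteOnTermination. Decide which semantics this check wants: if unattached volumes should fail, they need to be asserted rather than filtered away; if not, the uid is misleading and the title is the accurate one. Cosmetic: the stray space in `attachments.length > 0 )`.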
@@ -2087,12 +2088,12 @@
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-volume.html
title: AWS Documentation - Delete an Amazon EBS volume
- uid: mondoo-aws-security-ebs-snapshot-public-restorable-check
title: Checks that all EBS snapshots are not publicly restorable
title: Ensure EBS snapshots are not publicly restorable
impact: 80
filters: asset.platform == "aws-ec2-snapshot"
mql: aws.ec2.snapshots.all(createVolumePermission.none(_['Group'] == "all"))
- uid: mondoo-aws-security-efs-encrypted-check
title: Checks whether EFS is configured to encrypt file data using KMS
title: Ensure EFS is configured to encrypt file data using KMS
impact: 75
filters: asset.platform == "aws-efs-filesystem"
mql: aws.efs.filesystems.all(encrypted == true && kmsKey != null)
@@ -2170,17 +2171,17 @@
- url: https://docs.aws.amazon.com/efs/latest/ug/creating-using-create-fs.html#creating-using-fs-part1-cli
title: AWS Documentation - Creating a file system using the AWS CLI
- uid: mondoo-aws-security-cloudwatch-log-group-encrypted
title: Checks that all log groups in Amazon CloudWatch Logs are encrypted with KMS
title: Ensure Amazon CloudWatch log groups are encrypted with KMS
impact: 40
filters: asset.platform == "aws-cloudwatch-loggroup"
mql: aws.cloudwatch.logGroups.all(kmsKey != null)
- uid: mondoo-aws-security-elb-deletion-protection-enabled
title: Checks whether elastic load balancing has deletion protection enabled
title: Ensure ELBs have deletion protection enabled

Check failure (GitHub Actions / Run spell check) on line 2179 in core/mondoo-aws-security.mql.yaml: `ELBs` is not a recognized word. (unrecognized-spelling)
impact: 50
filters: asset.platform == "aws-elb-loadbalancer"
mql: aws.elb.loadBalancers.all(attributes.all(_['Key'] == "delete_protection.enabled" && _['Value'] == true))
- uid: mondoo-aws-security-elasticsearch-encrypted-at-rest
title: Checks that all ES domains have encryption at rest configuration enabled
title: Ensure ES domains have encryption at rest configuration enabled
tas50 marked this conversation as resolved.
impact: 50
filters: asset.platform == "aws-es-domain"
mql: aws.es.domains.all(encryptionAtRestEnabled == true)
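Review bot: the ELB deletion-protection query cannot pass for a load balancer that has more than one attribute: `attributes.all(_['Key'] == "delete_protection.enabled" && _['Value'] == true)` demands that every attribute carry that key. Select the matching attribute first, e.g. `attributes.where(_['Key'] == "...").all(_['Value'] == ...)`, or use `any(...)`. Two further things to verify while touching that line: the ELBv2 attribute is named `deletion_protection.enabled` (not `delete_protection.enabled`), and attribute values are returned as strings, so comparing against the boolean `true` will not match `"true"`. On the titles: the spell checker rejects "ELBs"; "Ensure Elastic Load Balancers have deletion protection enabled" avoids the abbreviation. Likewise "ES domains" should be spelled out as the uid does, and "configuration" is redundant: "Ensure Elasticsearch domains have encryption at rest enabled".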
@@ -2190,12 +2191,12 @@
filters: asset.platform == "aws-kms-key"
mql: aws.kms.keys.where(metadata['KeyState'] == "Enabled").all(keyRotationEnabled == true)
- uid: mondoo-aws-security-sagemaker-notebook-instance-kms-key-configured
title: Checks that all SageMaker notebook instances are configured to use KMS
title: Ensure SageMaker notebook instances are configured to use KMS
impact: 50
filters: asset.platform == "aws-sagemaker-notebookinstance"
mql: aws.sagemaker.notebookInstances.all(details.kmsKey != null)
- uid: mondoo-aws-security-cloud-trail-encryption-enabled
title: Checks that all CloudTrail trails are configured to use the server side encryption KMS
title: Ensure CloudTrail trails are configured to use the server side encryption KMS
tas50 marked this conversation as resolved.
impact: 50
filters: asset.platform == "aws-cloudtrail-trail"
mql: aws.cloudtrail.trails.all(kmsKey != null)
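Review bot: the CloudTrail title reads awkwardly ("configured to use the server side encryption KMS"). Suggest "Ensure CloudTrail trails are encrypted with AWS KMS (SSE-KMS)", which matches the phrasing of the CloudWatch log group and DynamoDB titles in this diff and what `kmsKey != null` actually tests.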
@@ -2246,7 +2247,7 @@
Note: The AWS KMS key and S3 bucket must be in the same Region.
7. Select **Save**.
- uid: mondoo-aws-security-secgroup-restricted-ssh
title: Checks that all incoming SSH traffic for the security groups is restricted
title: Ensure security groups restrict incoming SSH traffic
impact: 80
filters: asset.platform == "aws-security-group"
mql: aws.ec2.securityGroups.where(ipPermissions.contains(toPort == 22)).all(ipPermissions.all(ipRanges.none("0.0.0.0/0")))
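Review bot: the SSH query both under- and over-matches, so the new title "Ensure security groups restrict incoming SSH traffic" promises more than it tests. `ipPermissions.contains(toPort == 22)` only selects rules whose range ends exactly at 22, so a rule spanning 0-65535 or 20-25 that includes SSH is never examined; match on `fromPort <= 22 && toPort >= 22` instead. After the `where`, `ipPermissions.all(ipRanges.none("0.0.0.0/0"))` requires every rule in the group to avoid 0.0.0.0/0, so a group that allows 443 from anywhere alongside properly restricted SSH fails; the inner `all` should be scoped to the port-22 rules. Finally, IPv6 is not covered at all: an SSH rule open to `::/0` passes this check.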