Default Policy Rules

Open Raven provides the following pre-built Rules:

| Rule Name | Description |
| --- | --- |
| Personal & Privacy data is encrypted at rest | Encryption for data at rest should be enabled on any data store that has personal & privacy data. |
| Financial data is encrypted at rest | Encryption for data at rest should be enabled on any data store that has financial data. |
| Health care data is encrypted at rest | Encryption for data at rest should be enabled on any data store that has health care data. |
| Developers secrets are encrypted at rest | Encryption for data at rest should be enabled on any data store that has developer secrets. |
| AWS KMS is used for encryption at rest | AWS KMS should be enabled on all data stores rather than default encryption options. |
| Personal & Privacy data is backed up and backups are encrypted | Backup should be enabled on any data store that has personal & privacy data. |
| Financial data is backed up and backups are encrypted | Backup should be enabled on any data store that has financial data. |
| Health care data is backed up and backups are encrypted | Backup should be enabled on any data store that has health care data. |
| Data stores with personal & privacy data have logging enabled | Data stores with personal & privacy data should have logging enabled to record security events. |
| Data stores with financial data have logging enabled | Data stores with financial data should have logging enabled to record security events. |
| Data stores with health care data have logging enabled | Data stores with health care data should have logging enabled to record security events. |
| Internet wide AWS security groups | AWS security groups should not use wildcards or be open to the world. |
| Open AWS S3 buckets | S3 buckets should not be made public to the Internet. |
| Open Elastic Search servers are not public | Elasticsearch servers should not be made public to the Internet. |
| AWS MFA enabled | Multi-Factor Authentication should be required for all access by admins to any asset. |
| Delete protection is enabled | Delete protection should be enabled on all data stores. |