AWS Security & Compliance Services
Enabled: 2026-02-10 Region: us-east-1 Account: 760007728097 Issue: NQU-140
Services Enabled
1. GuardDuty
Detector ID: d4ce24a6e10e03e8746421d20802c7d0
Finding frequency: 15 minutes
Threat detection service. Analyzes CloudTrail management events, VPC Flow Logs, DNS query logs, S3 data events, RDS login events and Lambda network activity, and scans EBS volumes for malware via snapshots. None of the enabled features require an agent on the workload.
Active features:
- CloudTrail event analysis
- VPC Flow Log analysis
- DNS query log analysis
- S3 data event monitoring
- RDS login event monitoring
- Lambda network activity monitoring
- EBS malware protection
2. Inspector
Scan targets: EC2 instances, Lambda functions
Scan type: Continuous (automatic)
Continuous CVE scanning for EC2 and Lambda. Covers SOC 2 vulnerability management control (CC7.1).
3. Security Hub
Hub ARN: arn:aws:securityhub:us-east-1:760007728097:hub/default
Aggregation dashboard for all security findings from GuardDuty, Inspector, and Config.
Standards enabled:
- CIS AWS Foundations Benchmark v1.2.0
- AWS Foundational Security Best Practices v1.0.0
4. AWS Config
Recorder: Recording all supported resource types + global resources
Delivery: S3 bucket nquir-config-760007728097, 24-hour snapshot frequency
IAM Role: AWSConfigRole with AWS_ConfigRole managed policy
Config Rules (7 — selective for cost control):
| Rule | Evaluates | SOC 2 Control |
|---|---|---|
| encrypted-volumes | EBS volumes encrypted | CC6.1 |
| rds-storage-encrypted | RDS instances encrypted | CC6.1 |
| s3-bucket-server-side-encryption-enabled | S3 buckets encrypted | CC6.1 |
| cloud-trail-enabled | CloudTrail active | CC7.2 |
| iam-password-policy | IAM password requirements | CC6.1, CC6.2 |
| restricted-ssh | No open SSH in security groups | CC6.1, CC6.6 |
| vpc-default-security-group-closed | Default SG has no rules | CC6.1, CC6.6 |
5. Audit Manager
SOC 2 Assessment ID: 5708c1f6-cb37-4519-8f6a-1cfee1bd3c6a
HIPAA Assessment ID: b767924d-20a4-4328-b750-eb491ccfc579
Reports bucket: nquir-audit-manager-760007728097
Automatically gathers evidence mapped to SOC 2 and HIPAA controls. Evidence accumulates over time — the earlier this runs before the SOC 2 audit (fall 2026), the stronger the evidence history.
Frameworks:
- SSAE No. 18, SOC Report 2 (SOC 2 Type I/II)
- HIPAA Security Rule: Feb 2003
Initial Findings Triage (2026-02-10)
GuardDuty
No findings. Just enabled — will accumulate findings over time.
Inspector — 2 HIGH
| CVE | Package | Severity | Resource | Risk |
|---|---|---|---|---|
| CVE-2026-25128 | fast-xml-parser | HIGH | CloudWatch Synthetics canary Lambda (cwsyn-invapp-dev-staging) | Low — AWS-managed canary runtime, does not process untrusted XML |
| CVE-2026-25128 | fast-xml-parser | HIGH | CloudWatch Synthetics canary Lambda (cwsyn-invapp-staging-health) | Low — same as above |
Action: No immediate remediation needed. The vulnerable package ships in the Synthetics canary runtime layer, not in our application code. Note that AWS publishes patched runtime versions but does not upgrade existing canaries in place: each canary stays on the runtime version it was created with, so closing these findings means updating both canaries to a patched runtime version once AWS releases one. Monitor for that release.
Security Hub
No findings yet — standards still initializing (PENDING status). Findings will populate within 24 hours as CIS and AWS Foundational benchmarks run their first evaluation.
Config Rules — Initial Compliance
| Rule | Status | Notes |
|---|---|---|
| rds-storage-encrypted | COMPLIANT | RDS encryption at rest confirmed |
| restricted-ssh | COMPLIANT | No open SSH in security groups |
| s3-bucket-server-side-encryption-enabled | COMPLIANT | All S3 buckets encrypted |
| cloud-trail-enabled | NON_COMPLIANT | No trail configured yet; planned for NQU-112 (production infra) |
| iam-password-policy | NON_COMPLIANT | No IAM account password policy set. App auth uses Cognito; IAM users are devs only, but the rule still applies to those users |
| vpc-default-security-group-closed | NON_COMPLIANT | Default VPC security group still has rules, most likely the stock self-referencing inbound rule and allow-all outbound rule; remove both |
| encrypted-volumes | INSUFFICIENT_DATA | No EBS volumes in scope (no EC2 instances) or still evaluating |
Priority remediation:
- cloud-trail-enabled: enable CloudTrail as part of NQU-112 production infrastructure. GuardDuty already consumes management events without a trail; the trail is what gives retained audit history and CloudTrail evidence for Audit Manager (CC7.2).
- vpc-default-security-group-closed: remove all inbound and outbound rules from the default security group (the rule evaluates the default SG of every VPC, so check each one).
- iam-password-policy: configure the IAM account password policy to the rule's default parameters (minimum 14 characters, uppercase, lowercase, numbers and symbols required, 24-password reuse prevention, 90-day maximum age).
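The two rules that can be fixed now, vpc-default-security-group-closed and iam-password-policy, are easy to get subtly wrong: the default SG's inbound rule references the group itself, so a revoke must match it exactly, and the password-policy rule checks reuse prevention and maximum age as well as length and complexity. The following script is an added example, not part of this runbook or of any AWS tooling. It re-evaluates both rules locally against API responses, emits the exact boto3 payloads that close the gaps, and only touches the account when `apply_remediation()` is called with credentials. The baselines are the managed rules' documented default parameters; the SG and VPC IDs in the sample data are placeholders and the sample responses are constructed.

```python
"""Local evaluators for vpc-default-security-group-closed and iam-password-policy,
plus the revoke/update payloads that remediate them.

Added example, not part of the original runbook. Baselines are the managed
rules' default parameters; sample API responses are constructed and the
sg-/vpc- IDs are placeholders."""
from __future__ import annotations

# iam-password-policy managed-rule defaults
PASSWORD_POLICY_BASELINE: dict[str, int | bool] = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "PasswordReusePrevention": 24,
    "MaxPasswordAge": 90,
}


def password_policy_gaps(policy: dict | None) -> list[str]:
    """Baseline settings the account policy fails; [] means COMPLIANT.

    `policy` is the PasswordPolicy dict from iam.get_account_password_policy(),
    or None when that call raised NoSuchEntity (no policy at all, the state
    recorded in the triage table)."""
    if policy is None:
        return list(PASSWORD_POLICY_BASELINE)
    gaps = []
    for key, want in PASSWORD_POLICY_BASELINE.items():
        have = policy.get(key)
        if isinstance(want, bool):
            ok = bool(have) is want
        elif key == "MaxPasswordAge":
            # absent when ExpirePasswords is false, i.e. passwords never expire
            ok = have is not None and have <= want
        else:
            ok = have is not None and have >= want
        if not ok:
            gaps.append(key)
    return gaps


def update_password_policy_kwargs() -> dict:
    """Keyword arguments for iam.update_account_password_policy() that satisfy the rule."""
    return {**PASSWORD_POLICY_BASELINE, "AllowUsersToChangePassword": True}


# vpc-default-security-group-closed wants zero inbound and zero outbound rules on
# the "default" group of every VPC. A fresh VPC's default group ships with two:
# inbound all-traffic from itself and outbound all-traffic to 0.0.0.0/0.
_PERMISSION_FIELDS = ("IpProtocol", "FromPort", "ToPort", "IpRanges",
                      "Ivp6Ranges".replace("Ivp", "Ipv"), "PrefixListIds", "UserIdGroupPairs")


def default_sg_closed(sg: dict) -> bool:
    """Evaluate one describe_security_groups() entry the way the rule does."""
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


def _as_revocable(perm: dict) -> dict:
    """Keep only the fields revoke_security_group_ingress/egress accept and drop
    the empty lists describe_security_groups() pads every rule with, so the
    revoke matches the existing rule exactly (including the self-reference)."""
    return {k: perm[k] for k in _PERMISSION_FIELDS if perm.get(k) not in (None, [])}


def revocation_payloads(sg: dict) -> dict[str, list[dict]]:
    """IpPermissions lists for the two revoke calls; both empty once the SG is closed."""
    return {
        "ingress": [_as_revocable(p) for p in sg.get("IpPermissions", [])],
        "egress": [_as_revocable(p) for p in sg.get("IpPermissionsEgress", [])],
    }


def apply_remediation(default_sgs: list[dict], session=None) -> None:
    """Close every default SG given and set the password policy. Needs live
    credentials; boto3 is imported lazily so the evaluators above run offline."""
    import boto3
    session = session or boto3.Session(region_name="us-east-1")
    ec2, iam = session.client("ec2"), session.client("iam")
    for sg in default_sgs:
        payload = revocation_payloads(sg)
        if payload["ingress"]:
            ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=payload["ingress"])
        if payload["egress"]:
            ec2.revoke_security_group_egress(GroupId=sg["GroupId"], IpPermissions=payload["egress"])
    iam.update_account_password_policy(**update_password_policy_kwargs())


# Constructed sample: a stock default SG as describe_security_groups() returns it.
SAMPLE_DEFAULT_SG = {
    "GroupId": "sg-0123456789abcdef0",   # placeholder
    "GroupName": "default",
    "VpcId": "vpc-0123456789abcdef0",    # placeholder
    "IpPermissions": [{
        "IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
        "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "760007728097"}],
    }],
    "IpPermissionsEgress": [{
        "IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
        "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [],
    }],
}

# Constructed sample: a hand-set weak policy (8 chars, no symbols, no expiry, no reuse limit).
SAMPLE_WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
}

if __name__ == "__main__":
    import json
    print("default SG closed:", default_sg_closed(SAMPLE_DEFAULT_SG))
    print(json.dumps(revocation_payloads(SAMPLE_DEFAULT_SG), indent=2))
    print("gaps with no policy:", password_policy_gaps(None))
    print("gaps with weak policy:", password_policy_gaps(SAMPLE_WEAK_POLICY))
```

To run it for real, fetch the default groups with `ec2.describe_security_groups(Filters=[{"Name": "group-name", "Values": ["default"]}])` and pass the returned `SecurityGroups` list to `apply_remediation()`; re-run `default_sg_closed()` on a fresh describe afterwards, and expect Config to re-evaluate the rule on the next configuration change rather than instantly.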
Cost Estimate
| Service | Estimated Monthly Cost |
|---|---|
| GuardDuty | $2-5 (based on event volume) |
| Inspector | $1-3 (2 Lambda functions, no EC2) |
| Security Hub | $1-2 (finding ingestion) |
| Config | $5-10 (7 rules, resource recording) |
| Audit Manager | Free tier (first assessment) |
| Total | ~$10-20/mo |
S3 Buckets Created
| Bucket | Purpose |
|---|---|
| nquir-config-760007728097 | AWS Config delivery channel (snapshots, history) |
| nquir-audit-manager-760007728097 | Audit Manager assessment reports |
IAM Resources Created
| Resource | Purpose |
|---|---|
| AWSConfigRole | Service role for AWS Config recorder |
| AWSServiceRoleForAmazonGuardDuty | Auto-created service-linked role |
| AWSServiceRoleForAmazonGuardDutyMalwareProtection | Auto-created service-linked role |