Source of truth: rule files in packages/rules/src/aws/.
Format: CLDBRN-{PROVIDER}-{SERVICE}-{N}
- All uppercase
- No zero-padding on the sequence number
- IDs stay contiguous within each provider/service sequence; when a change affects the sequence, renumber later entries and update references in the same change
- Provider: AWS, AZURE, GCP
- Service: short name matching the directory (e.g. EBS, EC2, RDS, S3, LAMBDA)
| ID | Description | Service | Supports |
|---|---|---|---|
| CLDBRN-AWS-APIGATEWAY-1 | Flags REST API stages when cacheClusterEnabled is not explicitly true. | apigateway | discovery, iac |
| CLDBRN-AWS-CLOUDFRONT-1 | Reviews only distributions using PriceClass_All. | cloudfront | discovery, iac |
| CLDBRN-AWS-CLOUDFRONT-2 | Requires a complete 30-day Requests history and flags only distributions whose total request count stays below 100. | cloudfront | discovery |
| CLDBRN-AWS-CLOUDTRAIL-1 | Flag redundant multi-region CloudTrail trails when more than one trail covers the same account. | cloudtrail | discovery |
| CLDBRN-AWS-CLOUDTRAIL-2 | Flag redundant single-region CloudTrail trails when more than one trail covers the same region. | cloudtrail | discovery |
| CLDBRN-AWS-CLOUDWATCH-1 | Flag CloudWatch log groups that do not define retention and are not delivery-managed. | cloudwatch | discovery, iac |
| CLDBRN-AWS-CLOUDWATCH-2 | Flags log groups whose most recent observed stream activity is missing or older than 90 days. Delivery-managed log groups remain exempt. | cloudwatch | discovery |
| CLDBRN-AWS-CLOUDWATCH-3 | Reviews only log groups storing at least 1 GiB and flags them when no metric filters are configured. | cloudwatch | discovery |
| CLDBRN-AWS-COSTGUARDRAILS-1 | Flags accounts whose AWS Budgets summary reports zero configured budgets. | costguardrails | discovery |
| CLDBRN-AWS-COSTGUARDRAILS-2 | Flags accounts whose Cost Anomaly Detection summary reports zero anomaly monitors. | costguardrails | discovery |
| CLDBRN-AWS-COSTEXPLORER-1 | Compares the last two full months and flags only services with an existing prior-month baseline and a cost increase greater than 10 cost units. | costexplorer | discovery |
| CLDBRN-AWS-DYNAMODB-1 | Flags only tables whose parsed latestStreamLabel is older than 90 days. Tables without a stream label are skipped. | dynamodb | discovery |
| CLDBRN-AWS-DYNAMODB-2 | Reviews only provisioned-capacity tables and flags them when no table-level read or write autoscaling targets are configured. | dynamodb | discovery, iac |
| CLDBRN-AWS-DYNAMODB-3 | Reviews only provisioned-capacity tables and flags them when 30 days of consumed read and write capacity both sum to zero. | dynamodb | discovery |
| CLDBRN-AWS-DYNAMODB-4 | Reviews only provisioned-capacity tables and flags them when statically resolved read or write autoscaling ranges have identical min and max capacity values. | dynamodb | iac |
| CLDBRN-AWS-EC2-1 | Flag direct EC2 instances that do not use curated preferred instance types. | ec2 | iac, discovery |
| CLDBRN-AWS-EC2-2 | Flag S3 interface endpoints when a gateway endpoint is the cheaper in-VPC option. | ec2 | iac |
| CLDBRN-AWS-EC2-3 | Flag Elastic IP allocations that are not associated with an EC2 resource. | ec2 | discovery, iac |
| CLDBRN-AWS-EC2-4 | Flag interface VPC endpoints that have processed no traffic in the last 30 days. | ec2 | discovery |
| CLDBRN-AWS-EC2-5 | Flag EC2 instances whose CPU and network usage stay below the low-utilization threshold for at least 4 of the previous 14 days. | ec2 | discovery |
| CLDBRN-AWS-EC2-6 | Flags only families with a curated Graviton-equivalent path. Instances without architecture metadata or outside the curated family set are skipped. | ec2 | discovery, iac |
| CLDBRN-AWS-EC2-7 | Reviews only active reserved instances with an endTime inside the next 60 days. | ec2 | discovery |
| CLDBRN-AWS-EC2-8 | Treats 2xlarge and above, plus metal, as the large-instance review threshold. | ec2 | discovery, iac |
| CLDBRN-AWS-EC2-9 | Flags only instances with a parsed launch timestamp at least 180 days old. | ec2 | discovery |
| CLDBRN-AWS-EC2-10 | Flags IaC-defined instances only when detailed monitoring is explicitly enabled. | ec2 | iac |
| CLDBRN-AWS-EC2-11 | Flags only NAT gateways in the available state and requires complete 7-day BytesInFromDestination and BytesOutToDestination coverage, with both totals equal to 0. | ec2 | discovery |
| CLDBRN-AWS-EC2-12 | Flags only EC2 reserved instances whose endTime fell within the last 30 days, surfacing them for renewal follow-up review. | ec2 | discovery |
| CLDBRN-AWS-EC2-13 | Flags only EC2 instances whose discovered state is stopped and whose parsed stop timestamp is at least 30 days old. Instances with missing or unparseable stop timestamps are skipped. | ec2 | discovery |
| CLDBRN-AWS-ECS-1 | Flags only EC2-backed container instances whose instance families have a curated Graviton-equivalent path. Fargate and unclassified backing instances are skipped. | ecs | discovery |
| CLDBRN-AWS-ECS-2 | Flags only ECS clusters with a complete 14-day AWS/ECS CPU history and an average below 10%. | ecs | discovery |
| CLDBRN-AWS-ECS-3 | Flags only active REPLICA ECS services and requires both a scalable target and at least one scaling policy. | ecs | discovery, iac |
| CLDBRN-AWS-EBS-1 | Flags previous-generation EBS volume types (gp2, io1, and standard) and does not flag current-generation HDD families such as st1 or sc1. | ebs | discovery, iac |
| CLDBRN-AWS-EBS-2 | Flag EBS volumes that are not attached to any EC2 instance. | ebs | discovery |
| CLDBRN-AWS-EBS-3 | Flag EBS volumes whose attached EC2 instances are all in the stopped state. | ebs | discovery |
| CLDBRN-AWS-EBS-4 | Treats volumes above 100 GiB as oversized enough to warrant explicit review. | ebs | discovery, iac |
| CLDBRN-AWS-EBS-5 | Flags only io1 and io2 volumes whose provisioned IOPS exceed 32000. | ebs | discovery, iac |
| CLDBRN-AWS-EBS-6 | Flags only io1 and io2 volumes at 16000 IOPS or below, using an IOPS-only gp3 eligibility heuristic without throughput checks. | ebs | discovery, iac |
| CLDBRN-AWS-EBS-7 | Flags only completed snapshots with a parsed StartTime older than 90 days. | ebs | discovery |
| CLDBRN-AWS-EBS-8 | Flags only gp3 volumes whose provisioned throughput is above the included 125 MiB/s baseline. | ebs | iac |
| CLDBRN-AWS-EBS-9 | Flags only gp3 volumes whose provisioned or defaulted IOPS exceed the included 3000 baseline. | ebs | iac |
| CLDBRN-AWS-ECR-1 | Flag ECR repositories that do not define a lifecycle policy. | ecr | iac, discovery |
| CLDBRN-AWS-ECR-2 | Reviews only repositories with a lifecycle policy and flags them when the statically parsed policy does not expire untagged images. | ecr | iac |
| CLDBRN-AWS-ECR-3 | Reviews only repositories with a lifecycle policy and flags them when the statically parsed policy does not cap tagged image retention. | ecr | iac |
| CLDBRN-AWS-EKS-1 | Flags only managed node groups with classifiable non-Arm instance families. Arm AMIs and unclassified node groups are skipped. | eks | discovery, iac |
| CLDBRN-AWS-ELASTICACHE-1 | Reviews only available clusters with a parsed create time at least 180 days old and requires active reserved-node capacity on the same node type, preferring exact engine matches when ElastiCache reports them. | elasticache | discovery |
| CLDBRN-AWS-ELASTICACHE-2 | Currently supports Redis and Valkey clusters, requires a complete 14-day metric history, and flags only available clusters whose computed hit rate stays below 5% while average current connections stay below 2. | elasticache | discovery |
| CLDBRN-AWS-ELB-1 | Flags load balancers with no attached target groups or no registered targets across attached target groups. | elb | discovery |
| CLDBRN-AWS-ELB-2 | Flag Classic Load Balancers that have zero attached instances. | elb | discovery |
| CLDBRN-AWS-ELB-3 | Flags load balancers with no attached target groups or no registered targets across attached target groups. | elb | discovery |
| CLDBRN-AWS-ELB-4 | Flags load balancers with no attached target groups or no registered targets across attached target groups. | elb | discovery |
| CLDBRN-AWS-ELB-5 | Requires a complete 14-day RequestCount history, treats fewer than 10 requests per day as idle, and skips load balancers already covered by the stricter empty-target cleanup rules. | elb | discovery |
| CLDBRN-AWS-EMR-1 | Reuses the built-in EC2 family policy. EMR clusters are flagged when any discovered cluster instance type falls into the current non-preferred, previous-generation family set. | emr | discovery, iac |
| CLDBRN-AWS-EMR-2 | Flags only active clusters whose IsIdle metric stays true for six consecutive 5-minute periods, which is a 30-minute idle window. | emr | discovery |
| CLDBRN-AWS-RDS-1 | Flag RDS DB instances that do not use curated preferred instance classes. | rds | iac, discovery |
| CLDBRN-AWS-RDS-2 | Flag RDS DB instances that have no database connections in the last 7 days. | rds | discovery |
| CLDBRN-AWS-RDS-3 | Reviews only available DB instances with a parsed create time at least 180 days old and requires active reserved-instance coverage on the same instance class, deployment mode, and normalized engine when AWS reports it. | rds | discovery |
| CLDBRN-AWS-RDS-4 | Flags only curated non-Graviton RDS families with a clear Graviton migration path. Existing Graviton classes and unclassified families are skipped. | rds | discovery, iac |
| CLDBRN-AWS-RDS-5 | Reviews only available DB instances and treats a complete 30-day average CPUUtilization of 10% or lower as low utilization. | rds | discovery |
| CLDBRN-AWS-RDS-6 | Flags only RDS MySQL 5.7.x and PostgreSQL 11.x DB instances for extended-support review. | rds | discovery, iac |
| CLDBRN-AWS-RDS-7 | Flags only snapshots whose source DB instance no longer exists and whose parsed create time is at least 30 days old. | rds | discovery |
| CLDBRN-AWS-RDS-8 | Flags only DB instances with Performance Insights enabled and a retention period above the included 7-day baseline. | rds | iac |
| CLDBRN-AWS-RDS-9 | Flags only RDS DB instances whose discovered dbInstanceStatus is stopped, surfacing them for cleanup review. | rds | discovery |
| CLDBRN-AWS-RDS-10 | Flags only manual RDS snapshots whose parsed snapshotCreateTime is at least 90 days old. Automated snapshots and snapshots with invalid timestamps are skipped. | rds | discovery |
| CLDBRN-AWS-REDSHIFT-1 | Reviews only available clusters and treats a 14-day average CPUUtilization of 10% or lower as low utilization. | redshift | discovery |
| CLDBRN-AWS-REDSHIFT-2 | Reviews only available clusters with a parsed create time at least 180 days old and requires active reserved-node coverage for the same node type. | redshift | discovery |
| CLDBRN-AWS-REDSHIFT-3 | Flags only available, VPC-backed clusters with automated snapshots enabled, no HSM, and no Multi-AZ deployment when either the pause or resume schedule is missing. | redshift | discovery, iac |
| CLDBRN-AWS-ROUTE53-1 | Reviews only non-alias records and treats 3600 seconds as the low-TTL floor. | route53 | discovery, iac |
| CLDBRN-AWS-ROUTE53-2 | Flags only Route 53 health checks that are not referenced by any in-scope record set. | route53 | discovery, iac |
| CLDBRN-AWS-S3-1 | Ensure S3 buckets define lifecycle management policies. | s3 | iac, discovery |
| CLDBRN-AWS-S3-2 | Recommend Intelligent-Tiering or another explicit storage-class transition for lifecycle-managed buckets. | s3 | iac, discovery |
| CLDBRN-AWS-S3-3 | Flags buckets when no enabled lifecycle rule aborts incomplete multipart uploads within 7 days. | s3 | iac, discovery |
| CLDBRN-AWS-S3-4 | Flags only versioned buckets and requires either noncurrent-version expiration or transition cleanup to avoid unbounded version growth. | s3 | iac |
| CLDBRN-AWS-SAGEMAKER-1 | Flags only notebook instances whose normalized status remains InService. | sagemaker | discovery |
| CLDBRN-AWS-SAGEMAKER-2 | Flags only endpoints whose normalized status remains InService, whose parsed creationTime is at least 14 days old, and whose complete 14-day Invocations total stays at 0. Endpoints with incomplete metrics are skipped. | sagemaker | discovery |
| CLDBRN-AWS-SECRETSMANAGER-1 | Flags secrets with no lastAccessedDate and secrets whose parsed last access is at least 90 days old. | secretsmanager | discovery |
| CLDBRN-AWS-LAMBDA-1 | Recommend arm64 architecture when compatible. | lambda | iac, discovery |
| CLDBRN-AWS-LAMBDA-2 | Uses 7-day CloudWatch totals and flags only functions whose observed Errors / Invocations ratio is greater than 10%. | lambda | discovery |
| CLDBRN-AWS-LAMBDA-3 | Reviews only functions with configured timeouts of at least 30 seconds and flags when the timeout is at least 5x the observed 7-day average duration. | lambda | discovery |
| CLDBRN-AWS-LAMBDA-4 | Reviews only functions configured above 256 MB, requires invocation history, and flags them when the observed 7-day average duration uses less than 30% of the configured timeout. | lambda | discovery |
| CLDBRN-AWS-LAMBDA-5 | Flags explicit provisioned concurrency configuration when provisioned concurrent executions are greater than zero. | lambda | iac |
| Preset ID | Name | Rule IDs |
|---|---|---|
| aws-core | AWS Core | All AWS rules above |
Future presets (planned): strict, startup, production.