Summary
Add an atomic deterministic validation module for AWS EC2 serial console access without account-level disablement. The module must perform read-only state inspection, return a stable pass/fail result for this single control, and emit planner-ready metadata (risk, noise, detection_surface, and postcondition ControlFailure). Classification target: Level 2.
Protocol and Category
- Protocol: AWS EC2 API
- Category: cloud/aws/compute
Module Path
Proposed module path in registry/: registry/auxiliary/validation/aws/ec2/aws_ec2_serial_console_access_without_account_level_disablement
Manifest Details
List required manifest fields, inputs, and outputs.
- Required fields:
manifest_version: 1, module_api_version: 1, runtime: builtin, name, description, category: auxiliary, rank: normal, author, platforms, tags, entrypoint, references.
- Suggested name: auxiliary/validation/aws/ec2/aws_ec2_serial_console_access_without_account_level_disablement
- Suggested platforms: ['cross'] (the check is a single EC2 API call and is not host-OS specific).
- Suggested tags: validation, defensive, domain/provider tags, and control-family tags.
- Input: AWS_ACCOUNT_ID (required; used in resource_id and in the stable finding ID)
- Input: AWS_REGION (required: account-level serial console access is a per-Region setting, so each Region is evaluated separately)
- Input: EVIDENCE_MODE (summary|full, default summary)
- Input: TIMEOUT_SECONDS (default 30)
- Output: status = compliant|non_compliant|error for AWS EC2 serial console access without account-level disablement. compliant means the Region reports SerialConsoleAccessEnabled = false; non_compliant means serial console access is enabled, i.e. not disabled at the account level.
- Output: postcondition = ControlFailure when non_compliant.
- Output: risk_level default medium and noise_class default low.
- Output: detection_surface includes CloudTrail (EnableSerialConsoleAccess, DisableSerialConsoleAccess and SendSerialConsoleSSHPublicKey events) and GuardDuty, which consumes CloudTrail management events. VPC Flow Logs are not a surface for this control: serial console sessions reach the instance out of band through the EC2 serial console endpoint, not through the VPC.
- Output: evidence with normalized fields (resource_id, expected_state, observed_state, source_api).
Dependencies
Protocol stack or subsystem dependencies.
- AWS authentication chain with read-only EC2 permissions (ec2:GetSerialConsoleAccessStatus is the only API call the check requires).
- AWS SDK EC2 client. No SSM client is needed: the control is an account-level, per-Region setting, not an instance property.
- Normalization of the GetSerialConsoleAccessStatus response (the SerialConsoleAccessEnabled boolean) into the expected/observed-state form.
- Shared validation core for deterministic comparison and stable finding IDs.
Tests Required
- Unit tests: parser and evaluator tests for AWS EC2 serial console access without account-level disablement expected/observed-state logic, including compliant (SerialConsoleAccessEnabled = false) and non-compliant (SerialConsoleAccessEnabled = true) fixtures.
- Integration tests: provider/target-backed read-only check proving deterministic results across repeated runs with identical input state.
- Compliance vectors: at minimum one pass vector, one fail vector, and one error vector for missing permissions (UnauthorizedOperation on ec2:GetSerialConsoleAccessStatus) or an unreachable Region.
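The evaluator and the three compliance vectors described under Manifest Details and Tests Required, as an added example; this is illustrative code, not the registry module itself. It assumes the raw response of ec2:GetSerialConsoleAccessStatus (boto3: `client.get_serial_console_access_status()`, which returns `{"SerialConsoleAccessEnabled": bool}`) is handed to `evaluate`; the helper names, the synthetic resource_id scheme, the fake client and the sample account ID are assumptions made for this example.

```python
# Added example: evaluator for the "serial console access without account-level
# disablement" control.  Not the registry's module code; evaluate/collect/
# finding_id, the resource_id scheme and FakeEc2 are illustrative assumptions.
import hashlib
import json
from typing import Any, Optional

CONTROL_ID = "aws_ec2_serial_console_access_without_account_level_disablement"
SOURCE_API = "ec2:GetSerialConsoleAccessStatus"      # the only call needed; read-only
EXPECTED_STATE = {"SerialConsoleAccessEnabled": False}
# Serial console sessions never cross the VPC, so VPC Flow Logs are not a surface.
DETECTION_SURFACE = ["CloudTrail", "GuardDuty"]


def finding_id(account_id: str, region: str, observed: Optional[dict]) -> str:
    """Stable ID: identical account/Region/observed state -> identical ID every run."""
    payload = json.dumps([CONTROL_ID, account_id, region, observed], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()[:16]


def evaluate(account_id: str, region: str, response: Optional[dict] = None,
             error: Optional[str] = None, evidence_mode: str = "summary") -> dict:
    """Map one API response (or one error code) to the planner-ready finding."""
    # The setting has no ARN; a synthetic per-Region resource_id keeps findings distinct.
    resource_id = f"{account_id}/{region}/ec2-serial-console-access"
    observed = None
    if response is not None:
        observed = {"SerialConsoleAccessEnabled": bool(response.get("SerialConsoleAccessEnabled"))}
    if error is None and observed is None:
        error = "EmptyResponse"          # never let a missing response look like a pass
    if error is not None:
        status, postcondition = "error", None
    elif observed == EXPECTED_STATE:
        status, postcondition = "compliant", None
    else:
        status, postcondition = "non_compliant", "ControlFailure"
    evidence = {"resource_id": resource_id, "expected_state": EXPECTED_STATE,
                "observed_state": observed, "source_api": SOURCE_API}
    if error is not None:
        evidence["error_code"] = error
    if evidence_mode == "full":
        evidence["raw_response"] = response
    return {"control": CONTROL_ID, "status": status, "postcondition": postcondition,
            "risk_level": "medium", "noise_class": "low",
            "detection_surface": list(DETECTION_SURFACE),
            "finding_id": finding_id(account_id, region, observed), "evidence": evidence}


def collect(ec2_client: Any, account_id: str, region: str, evidence_mode: str = "summary") -> dict:
    """Run the single read-only call and evaluate it.  Any failure (missing
    permission, throttling, no credentials) becomes status=error, never a crash."""
    try:
        response = ec2_client.get_serial_console_access_status()
    except Exception as exc:   # botocore ClientError carries .response["Error"]["Code"]
        resp = getattr(exc, "response", None)
        code = resp["Error"]["Code"] if isinstance(resp, dict) and "Error" in resp else type(exc).__name__
        return evaluate(account_id, region, error=code, evidence_mode=evidence_mode)
    return evaluate(account_id, region, response=response, evidence_mode=evidence_mode)


class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""
    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeEc2:
    """Constructed stand-in for boto3.client("ec2"): canned response or raised error."""
    def __init__(self, response: Optional[dict] = None, error_code: Optional[str] = None):
        self._response, self._error_code = response, error_code

    def get_serial_console_access_status(self) -> dict:
        if self._error_code:
            raise FakeClientError(self._error_code)
        return self._response


# Constructed fixtures mirroring the required pass / fail / error vectors.
VECTORS = {
    "pass": FakeEc2(response={"SerialConsoleAccessEnabled": False}),
    "fail": FakeEc2(response={"SerialConsoleAccessEnabled": True}),
    "error": FakeEc2(error_code="UnauthorizedOperation"),
}


def run_vectors(account_id: str = "123456789012", region: str = "us-east-1") -> dict:
    """Evaluate each vector twice and confirm the result is identical on both runs."""
    out = {}
    for name, client in VECTORS.items():
        first = collect(client, account_id, region)
        second = collect(client, account_id, region)
        assert first == second, f"non-deterministic result for vector {name}"
        out[name] = first
    return out


if __name__ == "__main__":
    print(json.dumps(run_vectors(), indent=2))   # sample account ID is constructed
```

The `assert first == second` inside `run_vectors` is the cheap form of the determinism check the integration tests require: with the observed state held constant, the whole finding, including `finding_id`, must be byte-identical across runs.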
Performance Expectations
Any latency, throughput, or memory expectations. Single-resource evaluation (one account/Region pair) should complete with p95 <= 2s, a batched scan of 100 account/Region pairs <= 60s, memory <= 128 MB, and no write-side API calls.
Acceptance Criteria
Clear, testable outcomes that confirm completion.
- Module exists at registry/auxiliary/validation/aws/ec2/aws_ec2_serial_console_access_without_account_level_disablement with valid manifest and entrypoint.
- Running the module against a known failing fixture reports non_compliant for AWS EC2 serial console access without account-level disablement and emits ControlFailure.
- Running the module against a known compliant fixture reports compliant with no side effects.
- Risk/noise/detection metadata are emitted in machine-readable output for planner integration.
- Integration and compliance vector tests pass in CI.