
AWS Policy

Monika Sharma edited this page Jul 21, 2023 · 432 revisions

Paladin Cloud: we are improving the documentation and moving it to a new location. View the new home for Paladin Cloud Documentation.


Cost
  1. Delete AWS RDS DB Instances Running in Idle Mode
  2. Delete Idle Load Balancers
  3. Check for Underutilized Amazon EBS Volumes
  4. Check for Underutilized Amazon Redshift Clusters
  5. Delete Unused Application ELB
  6. Clean Up Unused ELB
  7. Delete Unused Elastic IPs
  8. Check for Underutilized EC2 Instances
  9. Delete Unused EBS Volumes
Operations
  1. Check the Expiry Status of the ACM Certificate
  2. Configure Log Metric Filter and Alarm for AWS Config Configuration Changes
  3. Configure Log Metric Filter and Alarm for AWS Organizations Changes
  4. Configure Log Metric Filter and Alarm for CloudTrail Configuration Changes
  5. Configure Log Metric Filter and Alarm for Disabling or Scheduled Deletion of Customer-Created CMKs
  6. Configure Log Metric Filter and Alarm for IAM Policy Changes
  7. Configure Log Metric Filter and Alarm for AWS Management Console Authentication Failures
  8. Configure Log Metric Filter and Alarm for Management Console Sign in Without MFA
  9. Configure Log Metric Filter and Alarm for NACL Changes
  10. Configure Log Metric Filter and Alarm for Changes to Network Gateways
  11. Configure Log Metric Filter and Alarm for Root Account Usage
  12. Configure Log Metric Filter and Alarm for Route Table Changes
  13. Configure Log Metric Filter and Alarm for S3 Bucket Policy Changes
  14. Configure Log Metric Filter and Alarm for Security Group Changes
  15. Configure Log Metric Filter and Alarm for Unauthorized API Calls
  16. Configure Log Metric Filter and Alarm for VPC Changes
  17. Ensure AWS ASG Launch Configurations Are Utilizing Active Amazon Machine Images
  18. Configure ECS Task Definition Log Driver
  19. Resolve IAM Access Analyzer Findings
  20. Enable AWS Guard Duty Service across All Regions and Accounts
  21. Enable Access Log for CloudFront and Attach to the Mentioned Bucket
  22. Enable Access Log for App ELB and Attach to the Mentioned Bucket
  23. Enable Access Log for Classic ELB and Attach to the Mentioned Bucket
  24. Ensure That EC2 Instances Are Not Left in a Stopped State for More than 60 Days
  25. Check the Expiry Status of the IAM Certificate
  26. Assign Standard Region to API Resource
  27. Assign Standard Region to APP ELB Resource
  28. Assign Standard Region to DynamoDB
  29. Assign Standard Region to EFS Resource
  30. Assign Standard Region to Elasticache Resource
  31. Assign Standard Region to Elastic IP Resource
  32. Assign Standard Region to Elasticsearch Resource
  33. Assign Standard Region to EMR Resource
  34. Assign Standard Region to Elastic Network Interfaces
  35. Assign Standard Region to KMS Resource
  36. Assign Standard Region to Redshift Resource
  37. Assign Standard Region to RDS DB Resource
  38. Assign Standard Region to VPC Resource
  39. Assign Standard Region to ASG Resource
  40. Assign Standard Region to Classic ELB Resource
  41. Assign Standard Region to Lambda
  42. Assign Standard Region to Launchconfig
  43. Assign Standard Region to RDS Snapshot
  44. Assign Standard Region to EC2 Instance
  45. Assign Standard Region to S3 Buckets
  46. Assign Standard Region to Security Groups
  47. Assign Standard Region to Snapshot
  48. Assign Standard Region to SNS Topic
  49. Assign Standard Region to Stack
  50. Assign Standard Region to AWS Subnet
  51. Assign Standard Region to EBS Volume
  52. Enable RDS Auto Minor Version Upgrade
  53. Enable Private S3 Buckets with Access Logs
  54. Enable S3 Bucket Object-Level Logging for Read Events
  55. Enable S3 Bucket Object-Level Logging for Write Events
  56. Increase AWS Service Limits to Meet Growing Needs
  57. Do Not Use Deprecated EC2 Instances Types to Launch Instances
  58. Ensure that All CloudWatch Events from all Accounts are sent to the 'Dedicated ACCOUNTID' Default Event Bus
  59. Configure AWS Backup Vault Access Policy
  60. Delete Unused Security Groups
Security
  1. Deny Public Access to RDS Database
  2. Delete Expired ACM Certificates
  3. Enable CloudTrail Global Services
  4. Enable EMR Data Encryption
  5. Encrypt ElastiCache for Redis Data
  6. Encrypt OpenSearch Data at Rest
  7. Encrypt OpenSearch Data in Transit
  8. Encrypt OpenSearch Using KMS CMK
  9. Deny Full Administrative Privileges to Customer Managed IAM Policy
  10. Detach Any Customer-Managed Policy with Full Access from IAM Role
  11. Detach Any Customer-Managed Policy with Full Access from IAM User
  12. Configure Dedicated IAM Role for AWS Support Access
  13. Enable AWS Security Hub
  14. Enable Control Plane Logs for EKS
  15. Disable Public Access to EKS Cluster Endpoint
  16. Update EKS Cluster Version to Latest
  17. Enable Hardware MFA for Root Account
  18. Assign User Permission Only through IAM Groups
  19. Encrypt EBS Volume
  20. Ensure the Launch Config for ASG Contains Updated Information
  21. Enable CLB Secure Listener
  22. Enable ELB HTTPS Listener
  23. Ensure that Ports Associated with Security Group and ALB are Same
  24. Ensure that Ports Associated with Security Group and ELB are Same
  25. Deny Public Access in Default Security Group
  26. Remove any VPC Peering Connections to Non-Allowlisted AWS Accounts
  27. Encrypt AWS AMI
  28. Encrypt EBS Volume Using Customer-Managed Keys
  29. Encrypt DocumentDB
  30. Encrypt DocumentDB Using Customer Managed Keys
  31. Encrypt DynamoDB Tables Using Customer Managed Keys
  32. Encrypt EFS
  33. Encrypt AppFlow Using CMK
  34. Encrypt Athena Query Results
  35. Encrypt Comprehend Analysis Results
  36. Encrypt DynamoDB Accelerator (DAX) Cluster
  37. Encrypt DMS Replication Using CMK
  38. Deny Public Access to Data Migration Service
  39. Encrypt EFS Using Customer-Managed Keys
  40. Enable CloudTrail For Multi-Region
  41. Remove Inactive IAM Users after 90 Days
  42. Enable MFA for Root User
  43. Enable Validation for CloudTrail Log File
  44. Encrypt CloudTrail to use Key Management Service Customer Managed Keys
  45. Restrict EC2 RunInstance Privilege to Non-allow Listed IAM Role
  46. Deny Public Access to EC2 Instances on SSH Port 22
  47. Deny Public Access to Ports on EC2 Instances
  48. Deny Public Access to EBS Snapshots
  49. Enable Qualys EC2 Vulnerability Scan
  50. Restrict Internet Access to EC2 Instance with Remotely Exploitable Vulnerability (S5)
  51. Deny Public Access to EC2 Instances on Default SQL Browser Port 1434
  52. Deny Public Access to EC2 Instances on Default MySQL Port 3306
  53. Deny Public Access to EC2 Instances on Port 138
  54. Deny Public Access to EC2 Instances on Port 80
  55. Deny Public Access to EC2 Instances on Port 8080
  56. Deny Public Access to EC2 Instances on Default PostgreSQL Port 5432
  57. Deny Public Access to EC2 Instances on Port 3389
  58. Qualys Found S3 Vulnerabilities on EC2 Instance
  59. Qualys Found S4 Vulnerabilities on EC2 Instance
  60. Qualys Found S5 Vulnerabilities on EC2 Instance
  61. Disable All Inbound Traffic for EKS Cluster Other than TCP Port 443
  62. Restrict Internet Access to Elastic Search Endpoint
  63. Restrict Internet Access to Application ELB
  64. Restrict Internet Access to Classic ELB
  65. Delete Expired IAM Certificates
  66. Ensure that no Guard Duty Findings are Found for an EC2 Instance
  67. Set the Rotation Period of IAM Access Keys to 90 Days
  68. Enable IAM Password Policy
  69. Use Single Access Key for IAM User
  70. Deny Administrative Permissions to Lambda Functions
  71. Restrict Inbound Traffic on Remote Server Administration Port 22
  72. Restrict Inbound Traffic on Remote Server Administration Port 3389
  73. Restrict full IAM Access to Non-Admin IAM Roles
  74. Deny Public Access to RDS Snapshot
  75. Deny Public Access to Redshift Attached Security Group
  76. Remove Root User Account Access Key
  77. Deny HTTP Requests to S3 Bucket
  78. Encrypt S3 Buckets at Rest
  79. Deny Public Access to Non-allow Listed S3 Buckets
  80. Deny Hosting Website or Redirecting Requests for S3 Bucket
  81. Enable MFA Delete on S3 Bucket
  82. Deny Public Access to any Port
  83. Restrict Internet Access to Security Group with SSH Port 22
  84. Deny Security Group Public Access on Memcached Port 11211
  85. Deny Security Group Public Access on Redis Port 6379
  86. Deny Public Access to Non-Allow listed SQS Resources
  87. Deny Listed Privileges to Service Account
  88. Deny Lambda Privilege to Non-allow Listed IAM Roles
  89. Prevent Unauthorized CloudFront Content Distribution
  90. Enable VPC Flow Logs for All VPCs
  91. Restrict Unauthorized HTML Content on CloudFront
  92. Restrict Core Networking Privileges to Non-Allow listed IAM Users
  93. Enable Envelope Encryption for EKS Kubernetes Secrets
  94. Deny Networking Privileges to Non-allow Listed IAM Roles
  95. Deny Public Access to RDS Database Endpoints
  96. Enable Aqua ECR Vulnerability Scan
  97. Aqua Found High ECR Vulnerabilities
  98. Aqua Found Critical ECR Vulnerabilities
  99. Aqua Found Medium ECR Vulnerabilities
Tagging
  1. Assign Mandatory Tags to Application ELB
  2. Assign Mandatory Tags to Auto-Scaling Groups
  3. Assign Mandatory Tags to Classic ELB
  4. Assign Mandatory Tags to CloudFront
  5. Assign Mandatory Tags to DynamoDB
  6. Assign Mandatory Tags to ECS Cluster
  7. Assign Mandatory Tags to ECS Task Definition
  8. Assign Mandatory Tags to EC2 Instance
  9. Assign Mandatory Tags to AWS Elastic File System
  10. Assign Mandatory Tags to Elasticache
  11. Assign Mandatory Tags to AWS Elastic MapReduce
  12. Assign Mandatory Tags to AWS Key Management Services
  13. Assign Mandatory Tags to Lambda Functions
  14. Assign Mandatory Tags to RDS Database
  15. Assign Mandatory Tags to Redshift
  16. Assign Mandatory Tags to S3
  17. Assign Mandatory Tags to Network Security Group
  18. Assign Mandatory Tags to EBS snapshots
  19. Assign Mandatory Tags to Cloud Formation Stacks
  20. Assign Mandatory Tags to Subnets
  21. Assign Mandatory Tags to VPNGateway
  22. Assign Mandatory Tags to EBS Volumes
  23. Assign Mandatory Tags to VPC
  24. Assign Mandatory Tags to Elastic Search Resources

Enable MFA for Root User

Risk: Critical

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
It is strongly recommended to enable Multi-Factor Authentication (MFA) for the Root Account in an AWS account because the Root Account has the highest level of privileges. MFA is an additional security measure that enhances the protection of user credentials. To authenticate successfully, users must have a registered device that generates a time-sensitive key and knowledge of their credentials, including their user name and password. When a user with MFA enabled signs in to an AWS website, they will be asked to provide their user name, password, and the authentication code generated by their registered AWS MFA device.

Resolution
Enable MFA for the 'root' account user

Encrypt EBS Volume

Risk: Critical

Target: Volume

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
To meet security and compliance standards, it is important to ensure that all your Amazon Elastic Block Store (EBS) volumes are encrypted. You can confidently store sensitive, confidential, and critical data on your EBS volumes by enabling encryption.

Resolution
Enable EBS Encryption

Encrypt EFS

Risk: Critical

Target: Elastic File System

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
It is important to ensure that your Amazon EFS file systems are encrypted to meet security and compliance requirements. This provides transparent encryption of your data as it is written and decryption as it is read, without requiring any extra effort from you or your applications. The AWS KMS service manages the encryption keys, so there is no need to establish and maintain a secure key management infrastructure.

Encrypting your EFS file systems is strongly advised to safeguard your data and metadata against unauthorized access and fulfill your organization's data-at-rest encryption compliance requirements.

Resolution
Encrypt EFS data at rest

Enable CloudTrail for Multi-Region

Risk: Medium

Target: Account

Compliance:

Description
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

Resolution
Creating, updating, and managing trails with the AWS Command Line Interface

Enable Validation for CloudTrail Log File

Risk: Medium

Target: Cloud Trail

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling validation for CloudTrail log files is essential to maintain data integrity, ensure security, meet compliance requirements, establish accountability, support forensic analysis, and build trust. It helps detect unauthorized changes, comply with regulations, trace actions, and serves as a reliable source of information during security investigations.

Resolution
Enabling log file integrity validation for CloudTrail

Encrypt CloudTrail to use Key Management Service Customer Managed Keys

Risk: Medium

Target: Cloud Trail

Compliance:

Description
Encrypting CloudTrail logs with KMS Customer Managed Keys is essential for enhanced security, control over encryption keys, compliance, auditing, key rotation, and granular access control. Using KMS CMKs provides greater protection for log data, ensures adherence to industry regulations, and allows for better key management and access control in AWS environments.

Resolution
Configure CloudTrail to use SSE KMS

Enable CloudTrail Global Services

Risk: Critical

Target: CloudTrail

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
To enhance the security and management of API activity in your AWS cloud account, ensure that your Amazon CloudTrail trails record regional and global events.

Resolution
Enable CloudTrail Global Services

Restrict Internet Access to Security Group with SSH Port 22

Risk: High

Target: Security Group

Compliance:

Description
Restricting internet access to the Security Group with SSH Port 22 enhances security by minimizing potential entry points for unauthorized users, controlling access, reducing the risk of brute force attacks, improving auditing and monitoring, and ensuring compliance with security policies.

Resolution
Update Security Group

Deny Security Group Public Access to RDP Port 3389

Risk: Critical

Target: Security Group

Description
Block public access to ports to prevent network attacks and abuse associated with common ports related to particular application and service protocols, such as RDP on port 3389.

Resolution
Update Security Group

Delete Unused Security Groups

Risk: High

Target: Security Group

Compliance:

Description
Deleting unused security groups in AWS is important to ensure security and effective management of AWS resources. Unused security groups can pose a security risk if they contain outdated or unnecessary rules or if they are created for temporary purposes and forgotten. They can also clutter the AWS environment and make it challenging to manage security groups effectively. Regularly reviewing and deleting unused security groups is a security best practice to help prevent unauthorized access and ensure AWS resources are secure and well-managed.

Resolution
Delete unused Security Groups

Deny Public Access in Default Security Group

Risk: Critical

Target: Security Group

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
The default security groups on Amazon EC2 should restrict all inbound public traffic so that users (administrators, resource managers, etc.) are forced to create their security groups using the Principle of Least Privilege (POLP).

Resolution
Update Default Security Group

Deny Public Access to EBS Snapshots

Risk: Critical

Target: Snapshot

Compliance:

Description
AWS EBS volume snapshots should be kept private for optimal data security to avoid the risk of unauthorized data access. Sharing snapshots with external accounts can pose a potential risk, as those accounts can create volumes from them and gain access to sensitive information. It is therefore recommended to restrict public visibility or share them only with specific accounts.

Resolution
Make the snapshot private

Deny Public Access to Data Migration Service

Risk: Critical

Target: Data Migration Service

Compliance:

Description
To protect your private data and minimize security risks, it is important to ensure that your Amazon Database Migration Service (DMS) is not publicly accessible from the Internet. As long as both source and target databases are in the same network connected to the instance's VPC through a VPN, VPC peering connection, or AWS Direct Connect dedicated connection, a DMS replication instance should have a private IP address and the Publicly Accessible feature disabled. This helps to ensure that your DMS is not exposed to external threats and keeps your data secure.

Resolution
Security in AWS Database Migration Service

Deny Public Access to RDS Snapshot

Risk: Critical

Target: RDS Snapshot

Compliance:

Description
To ensure data security, denying public access to RDS snapshots is essential since they can contain sensitive information, such as database usernames, passwords, and data. Allowing public access could lead to data breaches, theft, or misuse, making controlling access to RDS snapshots necessary. Doing so reduces the risk of unauthorized access or data exposure, thus ensuring the data remains secure. It is crucial to grant access only to those who need it and follow the principle of least privilege while monitoring security measures.

Resolution
Make the snapshot private

Encrypt DocumentDB

Risk: High

Target: DocumentDB

Compliance:

Description
Enabling encryption for Amazon DocumentDB clusters protects data at rest from unauthorized access to the underlying storage and meets compliance requirements. It is recommended to activate encryption for your AWS DocumentDB (with MongoDB compatibility) clusters to bolster your data security and meet data-at-rest encryption compliance requirements. The encryption covers data elements including indexes, logs, replicas, and snapshots, and is managed by the DocumentDB service with minimal impact on performance.

Resolution
Encrypt DocumentDB

Encrypt DynamoDB Accelerator (DAX) Cluster

Risk: High

Target: DAX Cluster

Compliance:

Description
Enabling encryption at rest for Amazon DAX cache clusters ensures data protection for security-sensitive DynamoDB applications that have strict data protection requirements by organizational policies, industry, or government regulations. Server-Side Encryption is recommended to encrypt DAX cluster data at rest, including data in the cache, configuration data, and log files, and protect it from unauthorized access to the underlying storage. Enabling Server-Side Encryption integrates with AWS KMS to manage the default encryption key, adds no storage overhead, and has minimal impact on performance without requiring modifications to your applications.

Resolution
Encrypt data at-rest

Enable VPC Flow Logs for All VPCs

Risk: High

Target: VPC

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling VPC Flow Logs for all VPCs is important to monitor and analyze network traffic within a VPC environment, investigate security incidents, comply with regulatory requirements related to data protection and security, and improve overall security posture by identifying potential vulnerabilities and taking proactive measures to prevent security threats.

Resolution
Enable Flow Logs

Encrypt ElastiCache for Redis Data

Risk: Critical

Target: ElastiCache

Compliance:

Description
Securing sensitive data stored on Redis clusters and cache storage systems is essential to meet security and compliance requirements and keep Personally Identifiable Information safe. Data encryption helps ensure that unauthorized users cannot access the data, whether it is stored as data at rest or transmitted as data in transit.

ElastiCache for Redis has encryption at rest built-in and also allows for the implementation of customer-managed master keys through AWS Key Management Service (KMS). It is critical to encrypt your AWS ElastiCache Redis clusters to safeguard your information.

Resolution
Encrypt Data at Rest
Encrypt Data in Transit

Delete Expired ACM Certificates

Risk: High

Target: ACM Certificate

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
AWS Certificate Manager is a service provided by Amazon that allows for rapidly provisioning, managing, and deploying SSL/TLS certificates with other Amazon services, including CloudFront and ELB.

To follow Amazon Security Best Practices and avoid the deployment of invalid SSL/TLS certificates to Elastic Load Balancing (ELB) and other resources, it is essential to remove any expired certificates managed by AWS Certificate Manager. Otherwise, deploying such certificates can cause front-end errors and harm the credibility of the web application or website behind the ELB.

Resolution
Delete Certificate

Deny Public Access to EC2 Instances on SSH Port 22

Risk: Critical

Target: EC2

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
SSH (Secure Shell) port 22 should be restricted for inbound traffic from external IP addresses since unrestricted access could result in banner grabbing or brute force attacks. These risks can be minimized by configuring specific IP addresses for incoming connections.

Resolution
Update EC2

Deny Public Access to EC2 Instances on Port 8080

Risk: Critical

Target: EC2

Compliance:

Description
Preventing public access to specific ports, including port 8080, can enhance security by decreasing the probability of cyber-attacks, guaranteeing compliance with regulations and standards, decreasing expenses associated with data transfer, and avoiding unintentional disclosure of confidential information. By regulating access to ports, you can decrease your EC2 instance's susceptibility to hacking and minimize the chances of unauthorized entry.

Resolution
Update EC2

Deny Public Access to EC2 Instances on Port 138

Risk: Critical

Target: EC2

Compliance:

Description
TCP port 139 and UDP ports 137 and 138 are used for NetBIOS name resolution (i.e., mapping a NetBIOS name to an IP address) by services such as the File and Printer Sharing service running on Microsoft Windows Server OS. Allowing unrestricted NetBIOS access can increase opportunities for malicious activity such as man-in-the-middle attacks (MITM), Denial of Service (DoS) attacks, or BadTunnel exploits. Review the inbound rules of your EC2 security groups that allow unrestricted access (i.e., 0.0.0.0/0) on TCP port 139 and UDP ports 137 and 138. If such rules are found, restrict them to only the trusted IP addresses or IP ranges that require access, to implement the principle of least privilege and reduce the attack surface. This ensures that only authorized traffic is allowed.

Resolution
Update EC2

Deny Public Access to EC2 Instances on Default SQL Browser Port 1434

Risk: Critical

Target: EC2

Compliance:

Description
Allowing all external IP addresses to SQL Browser port 1434 is a security vulnerability and should be avoided. To protect against Denial of Service, Buffer Overflow, and SQL Injection attacks, public access to the SQL server should be blocked, and only inbound traffic from specific IP addresses should be allowed for port 1434.

Resolution
Update EC2

Deny Public Access to EC2 Instances on Default PostgreSQL Port 5432

Risk: Critical

Target: EC2

Compliance:

Description
Denying public access to EC2 instances on default PostgreSQL port 5432 can enhance your environment's security. Allowing public internet access to this port can lead to various security threats, including brute-force attacks, SQL injection attacks, and unauthorized data breaches. By restricting public access to this port and using security groups to limit access to trusted IP addresses or specific security groups, you can prevent unauthorized access to your database and reduce the risk of data loss or corruption.

Resolution
Update EC2

Deny Public Access to EC2 Instances on Port 3389

Risk: Critical

Target: EC2

Compliance:

Description
To implement the principle of least privilege and reduce the likelihood of a security breach, it is important to review your EC2 security groups for inbound rules that permit unrestricted access (i.e., 0.0.0.0/0 or ::/0) to TCP port 3389. TCP port 3389 is used for secure remote GUI login to Microsoft servers by connecting an RDP (Remote Desktop Protocol) client application with an RDP server. Allowing unrestricted RDP access can increase the potential for malicious activity, such as hacking, man-in-the-middle attacks (MITM), and Pass-the-Hash (PtH) attacks. To mitigate these risks, restrict access to only the IP addresses that require it by modifying your security group's inbound rules.

Resolution
Update EC2

Deny Public Access to EC2 Instances on Port 80

Risk: Critical

Target: EC2

Compliance:

Description
To implement the principle of least privilege and minimize the risk of a security breach, it's crucial to review the inbound rules in your EC2 security groups for TCP port 80 and ensure that only the necessary IP addresses are granted access. Allowing unrestricted HTTP access can lead to various malicious activities, including hacking, denial-of-service (DoS) attacks, and data loss. Therefore, it's advisable to update your security groups' inbound configuration to restrict HTTP access to specific entities, such as IP addresses or IP ranges.

Resolution
Update EC2

Deny Public Access to EC2 Instances on Default MySQL Port 3306

Risk: Critical

Target: EC2

Compliance:

Description
Allowing all external IP addresses to reach the default MySQL port 3306 is a security vulnerability and should be avoided. To protect against Denial of Service, Buffer Overflow, and SQL Injection attacks, public access to the MySQL server should be blocked, and only inbound traffic from specific IP addresses should be allowed for port 3306.

Resolution
Update EC2

Deny Public Access to Ports on EC2 Instances

Risk: Critical

Target: EC2

Compliance:

Description
EC2 instances can be vulnerable to network attacks due to their open ports. One way to address this vulnerability is by configuring security groups on EC2 instances to restrict inbound traffic based on specific rules, such as allowing traffic from specific IP addresses.

Resolution
Update EC2

Deny Public Access to Redshift Attached Security Group

Risk: Critical

Target: Redshift

Compliance:

Description
Amazon Redshift clusters can be accessed through different methods, including the internet, EC2 Instances outside the VPC through VPN, bastion hosts in the public subnet, or the Publicly Accessible option. The Publicly Accessible option allows Redshift clusters to be fully accessible outside the VPC while disabling it can prevent external access. Allowing public access to Redshift clusters can increase the risk of malicious activities such as SQL injections or DDoS attacks, so evaluating the security implications and implementing security measures like network security and encryption methods is essential.

Resolution
Update Security Group

Deny Security Group Public Access on Memcached Port 11211

Risk: Critical

Target: Security Group

Compliance:

Description
Memcached is an open-source, high-performance, distributed memory object caching system that helps optimize dynamic websites and web applications by reducing database load.

Allowing unrestricted inbound access on TCP and/or UDP port 11211 (Memcached) to your Amazon EC2 instances can increase the risk of malicious activities such as DDoS amplification attacks, which can significantly impact the health and stability of your web services and applications.

To protect the Memcached cache server instances associated with your EC2 security groups and reduce the attack surface, check your Amazon EC2 security groups for inbound rules that allow unrestricted access (i.e., 0.0.0.0/0 or ::/0) on TCP and/or UDP port 11211.

Resolution
Update EC2

Deny Security Group Public Access on Redis Port 6379

Risk: Critical

Target: Security Group

Compliance:

Description
Redis is an open-source, in-memory data structure store commonly used as a database, cache server, and message broker. To prevent malicious activities such as cross-site scripting, remote code execution, and crypto-jacking attacks, it is important to restrict inbound access to TCP port 6379 (Redis) on your Amazon EC2 instances.

The security groups associated with your Redis cache server instances should be configured to limit communication to only those hosts or networks that require legitimate access. It is crucial to check your Amazon EC2 security groups for inbound rules that allow unrestricted access (i.e., 0.0.0.0/0 or ::/0) on TCP port 6379 to minimize the risk of security breaches.

Resolution
Update your Security Group
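The inbound-rule review that the port policies above describe (SSH 22 through Redis 6379, plus the catch-all "Deny Public Access to Ports on EC2 Instances"), as an added example that is not Paladin Cloud's own code: it walks input shaped like `aws ec2 describe-security-groups` output and reports every world-open (0.0.0.0/0 or ::/0) port against the policy it violates. The policy table and the sample security group are constructed for the example.

```python
"""Evaluate EC2 security group inbound rules against this page's public-port
policies. Added example, not Paladin Cloud's code; the input shape follows
`aws ec2 describe-security-groups` (constructed sample below)."""
from __future__ import annotations
import ipaddress

# Policy headings from this page with the protocols and ports each one covers.
# The "Port 138" policy text covers UDP 137/138 and TCP 139 (NetBIOS).
PORT_POLICIES = [
    ("Deny Public Access to EC2 Instances on SSH Port 22", {"tcp"}, {22}),
    ("Deny Public Access to EC2 Instances on Port 80", {"tcp"}, {80}),
    ("Deny Public Access to EC2 Instances on Port 8080", {"tcp"}, {8080}),
    ("Deny Public Access to EC2 Instances on Port 138", {"udp"}, {137, 138}),
    ("Deny Public Access to EC2 Instances on Port 138", {"tcp"}, {139}),
    ("Deny Public Access to EC2 Instances on Default SQL Browser Port 1434",
     {"tcp", "udp"}, {1434}),
    ("Deny Public Access to EC2 Instances on Default MySQL Port 3306", {"tcp"}, {3306}),
    ("Deny Public Access to EC2 Instances on Port 3389", {"tcp"}, {3389}),
    ("Deny Public Access to EC2 Instances on Default PostgreSQL Port 5432",
     {"tcp"}, {5432}),
    ("Deny Security Group Public Access on Memcached Port 11211",
     {"tcp", "udp"}, {11211}),
    ("Deny Security Group Public Access on Redis Port 6379", {"tcp"}, {6379}),
]
ANY_PORT_POLICY = "Deny Public Access to any Port"  # catch-all for other ports


def is_public_cidr(cidr: str) -> bool:
    """The page's definition of public: 0.0.0.0/0 or ::/0 (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_cidrs(rule: dict) -> list[str]:
    """IPv4 and IPv6 CIDRs granted by one IpPermissions entry."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def rule_scope(rule: dict) -> tuple[set[str], tuple[int, int] | None]:
    """Protocols and inclusive port range of a rule. IpProtocol "-1" means every
    protocol and port; FromPort/ToPort absent or -1 means the full range."""
    proto = str(rule.get("IpProtocol", "-1")).lower()
    if proto == "-1":
        return {"tcp", "udp"}, (0, 65535)
    if proto not in ("tcp", "udp"):
        return {proto}, None  # e.g. icmp, where FromPort/ToPort are type/code
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    lo = 0 if lo in (None, -1) else int(lo)
    hi = 65535 if hi in (None, -1) else int(hi)
    return {proto}, (lo, hi)


def evaluate_security_group(sg: dict) -> list[dict]:
    """One finding per (policy, port, public CIDR) that the inbound rules violate."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        cidrs = [c for c in rule_cidrs(rule) if is_public_cidr(c)]
        if not cidrs:
            continue  # rules limited to specific ranges are compliant here
        protos, span = rule_scope(rule)
        matched = False
        for policy, policy_protos, ports in PORT_POLICIES:
            if span is None or not (protos & policy_protos):
                continue
            for port in sorted(p for p in ports if span[0] <= p <= span[1]):
                matched = True
                for cidr in cidrs:
                    findings.append({
                        "GroupId": sg["GroupId"], "Policy": policy, "Port": port,
                        "Protocol": "/".join(sorted(protos & policy_protos)),
                        "Cidr": cidr})
        if not matched:  # world-open on some other port: still a finding
            for cidr in cidrs:
                findings.append({
                    "GroupId": sg["GroupId"], "Policy": ANY_PORT_POLICY,
                    "Port": f"{span[0]}-{span[1]}" if span else "n/a",
                    "Protocol": "/".join(sorted(protos)), "Cidr": cidr})
    return findings


# Constructed sample group (not from a real account).
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 11211, "ToPort": 11211,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for f in evaluate_security_group(SAMPLE_SG):
        print(f"{f['GroupId']} {f['Protocol']}/{f['Port']} {f['Cidr']}: {f['Policy']}")
```

The 8000-9000 rule shows why ranges must be expanded rather than compared for equality: it exposes 8080 without naming it, and the 443 rule is reported under the catch-all policy because it is world-open on a port no specific policy names.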

Set the Rotation Period of IAM Access Keys to 90 Days

Risk: High

Target: IAM User

Description
Updating Identity and Access Management (IAM) credentials periodically significantly lowers the probability that an undetected compromised access key is used to access parts of your AWS account. Make sure to rotate all IAM user access keys monthly, reducing the risk of unintentional exposure and safeguarding your AWS resources from unauthorized access.

Resolution
Rotate your keys

Deny Full Administrative Privileges to Customer Managed IAM Policy

Risk: High

Target: IAM Policy

Compliance: IAM Policy

Description
To secure AWS cloud resources, it's important to set IAM policies with the minimum permissions required and gradually add more as needed instead of starting with full administrative privileges. This helps to restrict access and prevent undesired actions. IAM policies that provide full administrative privileges should be avoided to prevent potential attacks. It's recommended to use the Principle of Least Privilege by creating and using IAM policies that provide the minimum set of actions required for task completion to ensure the security and privacy of AWS cloud resources.

Resolution
Update the customer-managed policy to revoke access

Detach Any Customer-Managed Policy with Full Access from IAM Role

Risk: Medium

Target: IAM Role

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
By detaching customer-managed policies with full access from IAM roles and adhering to the Principle of Least Privilege, you can enhance security, compliance, access control, and auditing while minimizing the impact of human errors. This practice involves granting only necessary actions for tasks, thus minimizing AWS cloud resource permissions, reducing risks, and protecting your resources from unwanted actions.

Resolution
Detach policy from role

Detach Any Customer-Managed Policy with Full Access from IAM User

Risk: Medium

Target: IAM User

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
By detaching customer-managed policies with full access from IAM users and adhering to the Principle of Least Privilege, you can enhance security, compliance, access control, and auditing while minimizing the impact of human errors. This practice involves granting only necessary actions for tasks, thus minimizing AWS cloud resource permissions, reducing risks, and protecting your resources from unwanted actions.

Resolution
Detach policy from user or group

Configure Dedicated IAM Role for AWS Support Access

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring a dedicated IAM role for AWS Support access is important for maintaining security, enabling efficient troubleshooting, and ensuring proper access control. By creating a specific role for AWS Support, you can grant the necessary permissions for support personnel to resolve issues, while adhering to the Principle of Least Privilege and preventing unauthorized access to your AWS resources.

Resolution
Manage access to AWS Support Center

Enable Hardware MFA for Root Account

Risk: High

Target: Account

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling Hardware MFA for the root account adds an extra layer of security to protect the AWS account against unauthorized access. Hardware MFA devices provide an added level of security by generating a unique code that needs to be entered alongside the password. Using a hardware device for MFA reduces the risk of unauthorized access in case of a password compromise. It is strongly recommended to enable MFA for the root account and use hardware devices, which are considered more secure than other MFA options.

Resolution
Install and configure a hardware MFA device for the root account

Use Single Access Key for IAM User

Risk: Medium

Target: IAM User

Compliance:

Description
Using a single access key for an IAM user is not a recommended best practice, as it can compromise security. However, organizations might use a single access key for simplified management, limited use cases, or small-scale environments. It is crucial to weigh the trade-offs and risks of using a single access key and determine if it suits a specific use case.

Resolution
Deactivate or delete access keys that are no longer used

Delete Expired IAM Certificates

Risk: Medium

Target: IAM Certificate

Compliance:

Description
Deleting expired IAM certificates is essential for security, resource optimization, compliance, maintaining trust, and reducing confusion. By removing outdated certificates, you minimize security risks, simplify management, adhere to industry regulations, and ensure that only valid certificates are used within your AWS environment.

Resolution
Remove the expired IAM certificates

Remove Root User Account Access Key

Risk: Medium

Target: Account

Compliance:

Description
Removing the root user account access key in AWS is essential for security, following the principle of least privilege, separation of duties, auditing, monitoring, and compliance. Using IAM users and roles helps mitigate the risk of unauthorized access, human error, and insider threats while simplifying access management and meeting regulatory requirements.

Resolution
Delete the access keys of the root user

Configure Log Metric Filter and Alarm for Unauthorized API Calls

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for unauthorized API calls is crucial for improving security, compliance, operational visibility, and incident response capabilities. It helps detect potential security threats, ensures compliance, provides insights, enables proactive alerts, and aids incident response. Overall, it is a best practice for safeguarding systems and data from unauthorized access, meeting compliance requirements, identifying operational anomalies, and responding to security incidents effectively.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for Management Console Sign in Without MFA

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for management console sign-in without multi-factor authentication (MFA) is essential for enhancing security, ensuring compliance, gaining operational visibility and enabling prompt incident response in your AWS environment. It helps detect unauthorized access attempts, demonstrate compliance, identify user behavior anomalies, and facilitate timely responses to security incidents. By monitoring and alerting on management console sign-in without MFA, you can proactively protect your AWS resources and data by enforcing an additional layer of authentication.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for Root Account Usage

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for root account usage in AWS is crucial for security, compliance, operational visibility, and incident response. It helps detect unauthorized activities, demonstrate compliance, gain insights into root account usage, and aid incident response efforts. Monitoring root account usage is a critical security best practice. It can help organizations protect their AWS resources from unauthorized access or misuse, comply with regulatory requirements, gain visibility into privileged account activities, and enable effective incident response.

Resolution
Configure alarms for CloudTrail events
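The three entries above (unauthorized API calls, console sign-in without MFA, root account usage) all resolve to "configure alarms for CloudTrail events" without showing what the metric filter actually matches. The following is an added example, not code from the page or from Paladin Cloud: Python predicates that mirror the CloudWatch Logs metric filter patterns the cited CIS benchmark recommends for these three controls (the exact exclusions, such as `delegate.amazonaws.com` and `HeadBucket`, are written from memory and should be checked against the benchmark text before use), run over a handful of constructed CloudTrail records so you can see which records would produce a metric datapoint and trip an alarm.

```python
import json

# Constructed CloudTrail records (not from the page); the IP addresses are documentation-range placeholders.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventName": "DescribeInstances", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser"}, "eventType": "AwsApiCall"}
{"eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation", "sourceIPAddress": "203.0.113.11", "userIdentity": {"type": "IAMUser"}, "eventType": "AwsApiCall"}
{"eventName": "HeadBucket", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.12", "userIdentity": {"type": "IAMUser"}, "eventType": "AwsApiCall"}
{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}, "eventType": "AwsConsoleSignIn"}
{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}, "eventType": "AwsConsoleSignIn"}
{"eventName": "ListBuckets", "userIdentity": {"type": "Root"}, "eventType": "AwsApiCall"}
{"eventName": "CreateServiceLinkedRole", "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}, "eventType": "AwsServiceEvent"}
""".strip().splitlines()]


def unauthorized_api_call(ev):
    """Unauthorized API calls: errorCode ends with UnauthorizedOperation or starts with
    AccessDenied. Calls from delegate.amazonaws.com and the noisy HeadBucket probe are
    excluded; this example applies both exclusions to both error-code forms."""
    code = ev.get("errorCode", "")
    if not (code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")):
        return False
    return (ev.get("sourceIPAddress") != "delegate.amazonaws.com"
            and ev.get("eventName") != "HeadBucket")


def console_signin_without_mfa(ev):
    """Console sign-in without MFA: a successful IAM-user ConsoleLogin where MFAUsed is not 'Yes'."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("userIdentity", {}).get("type") == "IAMUser"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success")


def root_account_usage(ev):
    """Root account usage: the root principal acting directly (no invokedBy) outside AWS service events."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


# Filter names are placeholders chosen for this example; name them to match your alarms.
FILTERS = {
    "UnauthorizedAPICalls": unauthorized_api_call,
    "ConsoleSignInWithoutMFA": console_signin_without_mfa,
    "RootAccountUsage": root_account_usage,
}


def evaluate(events, filters=FILTERS):
    """Return {filter_name: count}: the number of matching records, i.e. the metric
    datapoints the corresponding CloudWatch alarm would evaluate."""
    counts = {name: 0 for name in filters}
    for ev in events:
        for name, pred in filters.items():
            if pred(ev):
                counts[name] += 1
    return counts


def alarms_triggered(events, threshold=1):
    """Names of filters whose count reaches the alarm threshold (CIS alarms fire at >= 1)."""
    return sorted(name for name, n in evaluate(events).items() if n >= threshold)


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
    print(alarms_triggered(SAMPLE_EVENTS))
```

Running the block shows two unauthorized-call records (the HeadBucket one is suppressed), one sign-in without MFA, and one direct root action; the service-initiated root event is ignored, which is why the `invokedBy`/`eventType` exclusions belong in the pattern.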

Configure Log Metric Filter and Alarm for IAM Policy Changes

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for IAM policy changes is essential for effective monitoring, heightened security, detecting unauthorized activity, maintaining compliance, and ensuring accountability, all of which contribute to a secure and well-managed AWS environment.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for CloudTrail Configuration Changes

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for CloudTrail configuration changes is crucial for improved monitoring, enhanced security, compliance adherence, efficient troubleshooting, and increased accountability, contributing to a robust and well-managed AWS environment.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for AWS Management Console Authentication Failures

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for AWS Management Console authentication failures is crucial for maintaining security, compliance, operational efficiency, and cost optimization in your AWS environment. It helps you detect potential security breaches, meet compliance requirements, troubleshoot operational issues, and prevent misuse of AWS resources. Proactive monitoring and alerting on authentication failures enable early detection and response to potential incidents, ensuring the integrity and availability of your AWS resources and data.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for Disabling or Scheduled Deletion of Customer-Created CMKs

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for disabling or scheduled deletion of customer-created CMKs is vital for effective monitoring, increased security, ensuring compliance, timely troubleshooting, and maintaining accountability, which helps safeguard and manage cryptographic keys within your AWS environment.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for S3 Bucket Policy Changes

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for S3 bucket policy changes is important for enhancing security, compliance, operational visibility, and incident response capabilities. It helps detect unauthorized changes to S3 bucket policies in real time, ensures compliance with regulations, provides operational insights, enables proactive alerting, and aids in incident response activities. Overall, it is a best practice for protecting S3 data assets.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for AWS Config Configuration Changes

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for AWS Config changes promotes real-time monitoring, improved security, compliance, faster troubleshooting, and accountability, helping you maintain a secure and well-managed AWS environment.

Resolution
Configure CloudTrail to deliver log files from multiple regions

Configure Log Metric Filter and Alarm for Security Group Changes

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for security group changes is crucial for maintaining security, compliance, operational visibility, and incident response capabilities in AWS. It helps detect unauthorized changes, ensures compliance, provides insights, enables proactive alerts, and aids incident response. Overall, it is a best practice for securing AWS resources and preventing security breaches.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for NACL Changes

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for Network Access Control List (NACL) changes in AWS is essential for enhancing security, ensuring compliance, gaining operational visibility, and improving change management. It helps detect unauthorized changes, demonstrate compliance, troubleshoot networking issues, and ensure network configuration governance. By monitoring and alerting on NACL changes, you can promptly detect and respond to potential security vulnerabilities, track changes, and maintain a secure and compliant AWS environment.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for Changes to Network Gateways

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for changes to network gateways in AWS is important for enhancing security, ensuring compliance, gaining operational visibility, and improving change management. It helps detect unauthorized changes, demonstrate compliance, troubleshoot networking issues, and ensure network configuration governance. By monitoring and alerting on changes to network gateways, you can promptly detect and respond to potential security vulnerabilities, track changes, and maintain a secure and compliant AWS networking environment.

Resolution
Configure CloudTrail to deliver log files from multiple regions
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for Route Table Changes

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for route table changes in AWS is crucial for enhancing security, operational visibility, change management, and compliance. It helps detect unauthorized changes, provides insights into network configurations, establishes effective change management practices, and ensures compliance with security best practices and regulatory requirements. Monitoring and alerting on route table changes can aid in troubleshooting, network security, and compliance audits.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for VPC Changes

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for VPC changes is essential for improving security, compliance, operational visibility, and incident response in AWS environments. It helps detect unauthorized changes, ensures compliance, provides insights, enables proactive alerting, and aids in incident response. Overall, it is a best practice for maintaining the security and integrity of VPCs, meeting compliance requirements, identifying operational issues, and responding to security incidents effectively.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for AWS Organizations Changes

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for AWS Organizations changes is essential for effective monitoring, heightened security, compliance, efficient troubleshooting, and accountability, ultimately contributing to a secure and well-managed multi-account AWS environment.

Resolution
Using Amazon CloudWatch alarms

Enable AWS Security Hub

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling AWS Security Hub enhances your security posture by centralizing security monitoring, automating compliance checks, integrating threat detection, offering customizable insights, and continuously monitoring your AWS environment.

Resolution
Setting up AWS Security Hub

Enable EMR Data Encryption

Risk: Critical

Target: Elastic Map Reduce

Compliance:

Description
Encryption of production data is essential to prevent unauthorized access and comply with data security regulations. AWS EMR clusters must be encrypted to secure data at rest and in transit. Data encryption prevents unauthorized users from accessing sensitive data stored on EMR clusters and related data storage systems.

Resolution
Encrypt data at rest and in transit

Deny Public Access to RDS Database

Risk: Critical

Target: RDS DB

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
To protect your RDS database instances from unauthorized access and mitigate security risks, disable the Publicly Accessible flag and update the associated VPC security group to disallow unrestricted access (0.0.0.0/0). This will prevent malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.

Resolution
Deny Public Access

Enable IAM Password Policy

Risk: Critical

Target: Account

Compliance:

Description
To maintain the security of your AWS account, it's crucial to enforce strong password policies, including password strength, pattern, and rotation. A strong password policy can significantly decrease the risk of password-guessing and brute-force attacks. It's essential to ensure that all AWS IAM users use a strong password policy specifying password requirements, such as minimum length, expiration date, and whether a specific pattern is necessary. By doing this, you can ensure that your account is well-protected against potential security breaches.

Resolution
Set up a password policy

Deny Administrative Permissions to Lambda Functions

Risk: High

Target: Lambda

Compliance:

Description
Denying administrative permissions to Lambda functions is crucial for adhering to the principle of least privilege, enhancing security, meeting compliance standards, improving auditability, and maintaining system stability. Limiting permissions reduces the risk of unauthorized actions, data breaches, and unintended changes while simplifying monitoring and ensuring regulatory compliance.

Resolution
Update Lambda Permissions

Restrict Internet Access to Application ELB

Risk: Critical

Target: App ELB

Compliance:

Description
The security of a publicly accessible load balancer can be compromised by brute-force login attempts, potentially leading to data leaks or loss. To reduce security risks, it is important to prevent unauthorized access attempts. To restrict internet access to the application ELB, you can disable the 'Publicly Accessible' flag for the database and update the security group associated with the instance in the VPC.

Resolution
Configure Internal-Only ELB

Enable CLB Secure Listener

Risk: Critical

Target: Classic ELB

Compliance:

Description
Configuring your Amazon Classic Load Balancer listeners to use HTTPS or SSL encryption protects sensitive information transmitted between clients and the load balancer, provides authentication, meets regulatory requirements, and improves the user experience by avoiding browser warnings.

Resolution
Secure Listener

Encrypt OpenSearch Data at Rest

Risk: Critical

Target: Elasticsearch

Compliance:

Description
It is crucial to enable encryption at rest to ensure the security and privacy of your sensitive data stored on Amazon Elasticsearch (ES) domains and their storage systems. This way, unauthorized access to the data is prevented. Utilizing this feature does not require any application changes, as Amazon Elasticsearch automatically handles encryption and decryption processes.

Resolution
Encrypt OpenSearch data at rest

Encrypt OpenSearch Data in Transit

Risk: High

Target: Elasticsearch

Compliance:

Description
Encrypting OpenSearch data in transit should be considered a best practice for ensuring the security and privacy of data. It helps to ensure the security and integrity of data while it is being transferred between nodes in a distributed system. Without encryption, data can be vulnerable to interception, modification, or tampering during transmission. Encrypting data in transit adds an extra layer of security and safeguards sensitive information from unauthorized access or data breaches. This is especially crucial when dealing with sensitive or confidential data, such as financial or personal information.

Resolution
Encrypt OpenSearch data in transit

Encrypt OpenSearch Using KMS CMK

Risk: Critical

Target: Elasticsearch

Compliance:

Description
The AWS KMS service provides a convenient way to create, rotate, disable, and monitor the encryption keys for your ElasticSearch domains using CMKs. Using KMS Customer Master Keys instead of the default AWS-managed keys for your Amazon ElasticSearch domains provides a more secure and controlled encryption and decryption process for data-at-rest and helps you meet compliance requirements. When protecting your ElasticSearch domains and their storage systems using your own KMS Customer Master Keys, you have complete control over who can access the cluster's data using these keys.

Resolution
Create Customer Managed Key

Encrypt EFS Using Customer-Managed Keys

Risk: High

Target: Elastic File System

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Using your own KMS CMK customer-managed keys to encrypt Amazon EFS file systems data and metadata provides complete control over who can access the data, including the system metadata. With the AWS KMS service, you can easily create, rotate, disable, and audit CMK encryption keys for your file systems. It is recommended to use KMS CMK customer-managed keys for Amazon EFS file system encryption instead of AWS-managed keys to have greater control over the data-at-rest encryption/decryption process.

Resolution
Create Customer Managed Key

Encrypt S3 Buckets at Rest

Risk: High

Target: S3

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enable encryption at rest for Amazon S3 buckets to protect sensitive content using AWS S3-managed or KMS-managed keys. Implement encryption at both the bucket and object levels to defend against unauthorized access and ensure secure data storage and retrieval.

Resolution
Enable encryption for S3 buckets

Deny HTTP Requests to S3 Bucket

Risk: High

Target: S3

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Denying HTTP requests to S3 buckets is crucial for enhancing security, data privacy, compliance, and data integrity while promoting industry best practices. By using encrypted protocols like HTTPS instead of HTTP, you protect data during transmission, ensure regulatory compliance, and maintain data integrity.

Resolution
Create a bucket policy that explicitly denies access when the aws:SecureTransport condition key is false
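The resolution above names the condition but not the policy shape or how the deny is evaluated. As an added example (not code from the page or from Paladin Cloud), the block below embeds a constructed TLS-only bucket policy for a placeholder bucket named `example-bucket`, a minimal evaluator for the explicit-deny path (only the `Bool` condition operator is implemented, which is all `aws:SecureTransport` needs), and an audit-side check of the kind a policy scanner performs: does the bucket policy contain a deny covering all principals and all `s3:*` actions when `aws:SecureTransport` is false?

```python
import json
from fnmatch import fnmatchcase

# Constructed example policy; "example-bucket" is a placeholder, not a bucket from the page.
TLS_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _bool_condition_holds(condition, context):
    """Evaluate an IAM Condition block against request context keys.
    Only the Bool operator is implemented here (assumption of this example); any other
    operator raises so the evaluator never silently ignores a condition."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            # Condition values may be strings or JSON booleans; compare case-insensitively.
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def denying_statement(policy, action, resource, context):
    """Return the Sid of the first Deny statement matching the request, or None.
    An explicit Deny overrides any Allow, so a hit here means the request fails
    regardless of what the caller's identity policy grants."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            continue
        if "Condition" in st and not _bool_condition_holds(st["Condition"], context):
            continue
        return st.get("Sid", "<no sid>")
    return None


def policy_enforces_tls(policy):
    """Audit check: True if some statement denies every principal all s3 actions
    whenever aws:SecureTransport is false. A deny scoped to a single action
    (e.g. only s3:GetObject) does not count, because writes would still go over HTTP."""
    for st in policy.get("Statement", []):
        bool_cond = st.get("Condition", {}).get("Bool", {})
        covers_all_actions = any(a in ("*", "s3:*") for a in _as_list(st.get("Action", [])))
        if (st.get("Effect") == "Deny"
                and st.get("Principal") in ("*", {"AWS": "*"})
                and covers_all_actions
                and str(bool_cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(denying_statement(TLS_ONLY_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    print(denying_statement(TLS_ONLY_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "true"}))
    print(policy_enforces_tls(TLS_ONLY_POLICY))
```

A plaintext HTTP request (`aws:SecureTransport` = `false`) is caught by `DenyInsecureTransport`; the same request over HTTPS is not denied by this policy, and whether it is then allowed depends on the rest of the bucket and identity policies, which this evaluator does not model.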

Enable MFA Delete on S3 Bucket

Risk: Low

Target: S3

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling MFA (Multi-Factor Authentication) Delete on an S3 bucket can enhance security by adding an extra layer of authentication, ensuring compliance with regulations such as PCI DSS, protecting against data loss, and providing control over the deletion process.

Resolution
Configuring MFA delete

Enable S3 Bucket Object-Level Logging for Read Events

Risk: Medium

Target: S3 Bucket

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling S3 bucket object-level logging for read events is important for security, compliance, and forensic analysis. Logging read events for S3 objects allows you to track access to your data, detect unauthorized access or suspicious activity, and investigate potential security incidents. It can also help you meet regulatory requirements and support forensic analysis during a security breach.

Resolution
Configure Object-level logging for S3 bucket read events

Enable S3 Bucket Object-Level Logging for Write Events

Risk: Medium

Target: S3 Bucket

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling S3 bucket object-level logging for write events is important for security, data integrity, compliance, forensic analysis, and following best practices. It helps you track changes to your data, detect potential security threats, ensure data authenticity, meet regulatory requirements, and follow recommended security practices.

Resolution
Configure Object-level logging for S3 bucket write events

Assign Standard Region to AWS Subnet

Risk: Low

Target: Subnet

Compliance:

Description
Assigning a standard region to an AWS subnet is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, disaster recovery and availability, and network traffic optimization. By choosing a region closest to your users and replicating your subnet across multiple regions, you can reduce latency, ensure data compliance, and maintain subnet availability. Using a standard region can simplify management, optimize network traffic, and make maintaining and scaling your subnet easier over time. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Clean Up Unused ELB

Risk: High

Target: Classic ELB

Compliance:

Description
Cleaning up unused Elastic Load Balancers (ELBs) can result in cost savings, resource optimization, improved performance, simplified management, improved security, and free up resources for other applications. By removing unused ELBs, you can save money, prevent conflicts, simplify your infrastructure, improve security, and optimize your AWS usage.

Resolution: Delete ELB

Delete Unused EBS Volumes

Risk: High

Target: Volume

Compliance:

Description
Deleting unused Elastic Block Store (EBS) volumes can result in cost savings, resource optimization, improved security, simplified maintenance, and compliance with regulatory requirements. By removing unused volumes, you can save money, decrease your attack surface, simplify maintenance, meet compliance requirements, and optimize your AWS usage.

Resolution: Delete EBS

Delete Unused Elastic IPs

Risk: High

Target: ElasticIP

Compliance:

Description
Deleting unused Elastic IPs can result in cost savings, resource optimization, simplified management, improved security, and compliance with regulatory requirements. By removing unused Elastic IPs, you can save money, reduce the complexity of your infrastructure, improve security, meet compliance requirements, and optimize your AWS usage.

Resolution: Disassociate an ElasticIP

Restrict Inbound Traffic on Remote Server Administration Port 22

Risk: High

Target: Network ACL

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Restricting inbound traffic on port 22 is crucial for enhancing security, adhering to the principle of least privilege, preventing brute-force and MITM attacks, and improving auditability. This practice ensures only trusted IPs have access, protects your servers from unauthorized access, and simplifies security audits.

Resolution: Update or delete the inbound rules to deny the unrestricted inbound traffic

Restrict Inbound Traffic on Remote Server Administration Port 3389

Risk: High

Target: Network ACL

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Ensure Amazon VPC NACLs restrict inbound traffic on TCP ports 22 (SSH) and 3389 (RDP) to trusted IPs or IP ranges, implementing the Principle of Least Privilege and minimizing attack surfaces. Exposing these ports to the internet increases the risk of malicious activities; therefore, limit access to known and trusted IP addresses.

Resolution: Update or delete the inbound rules to deny the unrestricted inbound traffic
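Both NACL entries above (port 22 and port 3389) ask you to find inbound rules that leave an administration port open to the world. The following added example is not code from the page or from Paladin Cloud: it walks a network ACL in the shape returned by `ec2:DescribeNetworkAcls` (entries are constructed, and the ACL ids are placeholders) and reports admin ports reachable from any source address. Unlike a naive "is there an allow from 0.0.0.0/0" grep, it respects NACL semantics: rules are evaluated in ascending rule number and the first match wins, so a deny from 0.0.0.0/0 numbered before a broad allow closes the port. One caveat for triage: a permissive NACL only becomes exposure when the instance's security group also allows the port, so pair this check with a security-group check.

```python
from ipaddress import ip_network

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
TCP = "6"            # IANA protocol number as AWS returns it (a string)
ALL_PROTOCOLS = "-1"


def _covers_port(entry, port):
    """True if the entry's protocol and port range include the given TCP port."""
    proto = str(entry.get("Protocol"))
    if proto == ALL_PROTOCOLS:
        return True
    if proto != TCP:
        return False
    pr = entry.get("PortRange") or {}
    # A TCP entry without a PortRange is treated as all ports (conservative assumption).
    return pr.get("From", 0) <= port <= pr.get("To", 65535)


def _is_any_source(entry):
    """True for 0.0.0.0/0 or ::/0, i.e. an entry that matches every source address."""
    cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    return bool(cidr) and ip_network(cidr, strict=False).prefixlen == 0


def unrestricted_admin_ports(nacl):
    """Return [(port, rule_number)] for admin ports that any address on the internet can reach.
    Entries are tried in RuleNumber order and the first match wins. An entry with a
    narrower CIDR decides only for that range, so for "the rest of the internet" the
    decision is made by the first all-sources entry that covers the port."""
    ingress = sorted((e for e in nacl["Entries"] if not e.get("Egress")),
                     key=lambda e: e["RuleNumber"])
    findings = []
    for port in ADMIN_PORTS:
        for e in ingress:
            if _covers_port(e, port) and _is_any_source(e):
                if e["RuleAction"] == "allow":
                    findings.append((port, e["RuleNumber"]))
                break  # first all-sources match decides, allow or deny
    return findings


# Constructed NACLs (placeholder ids), not taken from any real account.
OPEN_NACL = {
    "NetworkAclId": "acl-EXAMPLE-open",
    "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 0, "To": 65535}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
    ],
}

RESTRICTED_NACL = {
    "NetworkAclId": "acl-EXAMPLE-restricted",
    "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 3389, "To": 3389}},
        {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
    ],
}


def report(nacl):
    """Human-readable findings for one NACL."""
    return [f"{nacl['NetworkAclId']}: {ADMIN_PORTS[p]} (tcp/{p}) open to the world via rule {r}"
            for p, r in unrestricted_admin_ports(nacl)]


if __name__ == "__main__":
    for acl in (OPEN_NACL, RESTRICTED_NACL):
        print(report(acl) or f"{acl['NetworkAclId']}: no unrestricted admin ports")
```

In `OPEN_NACL` the catch-all allow at rule 110 exposes both 22 and 3389 even though rule 100 looks scoped to 10.0.0.0/8; in `RESTRICTED_NACL` port 22 is closed by the explicit deny at rule 100, and 3389 is allowed only for one /24, so the default deny at 32767 decides for everyone else and there is no finding.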

Delete DNS Entry that points to missing EIP

Risk: High

Target: Route53

Description
To protect domains and subdomains, delete DNS records that are no longer in use.

Resolution: Working with records; Deleting records

Encrypt Comprehend Analysis Results

Risk: Medium

Target: AWS Comprehend

Compliance:

Description
Encrypting Comprehend Analysis results is essential to safeguard sensitive information, maintain privacy, ensure data integrity, comply with regulations, prevent data breaches, and build trust. Encryption protects data from unauthorized access, tampering, and theft, helping organizations adhere to industry standards and maintain a positive reputation.

Resolution: Enable Encryption

Unused ElasticIP

Risk: High

Target: ElasticIP

Description
Cleaning up unused Elastic IPs saves money and prevents misuse.

Resolution: Disassociate an ElasticIP

Enable ELB Access Logs

Risk: Medium

Target: Application ELB, Classic ELB, Network ELB

Description
Enable ELB access logs and deliver them to an S3 bucket.

Resolution: Enable Access Logs for Application ELB, Classic ELB, Network ELB

Check for Underutilized Amazon EBS Volumes

Risk: High

Target: Volume

Compliance:

Description
Deleting unused Elastic Block Store (EBS) volumes can result in cost savings, improved security, simplified maintenance, and compliance with regulatory requirements. By removing unused volumes, you can reduce costs, decrease your attack surface, simplify maintenance, and meet compliance requirements.

Resolution: Amazon EBS volumes

Check for Underutilized EC2 Instances

Risk: High

Target: EC2

Compliance:

Description
Downsizing underutilized EC2 instances can result in cost savings, resource optimization, improved performance, and better scalability. By paying only for the needed resources, you can free up CPU, memory, and storage, improve the performance of other applications, and allocate resources more efficiently.

Resolution: [Optimizing your cost with Rightsizing Recommendations](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-rightsizing.html)

Enable Envelope Encryption for EKS Kubernetes Secrets

Risk: Critical

Target: Elastic Kubernetes Service

Compliance: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

Description
To ensure that your secrets stored in Amazon Elastic Kubernetes Service (EKS) meet security and compliance requirements, you can use AWS Key Management Service (KMS) keys to provide envelope encryption. Implementing envelope encryption of Kubernetes secrets is a security best practice for applications that handle sensitive and confidential data.

To set this up, you must create your AWS KMS Customer Master Key (CMK) and link it to your Amazon EKS cluster. When you store secrets using the Kubernetes secrets API, they will first be encrypted using a data encryption key generated by Kubernetes and then further encrypted with the connected KMS CMK. This additional layer of encryption helps to protect your secrets and meet security and compliance requirements.

Resolution: Encrypt Secrets

Disable Public Access to EKS Cluster Endpoint

Risk: High

Target: Elastic Kubernetes Service

Compliance: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

Description
To control access to the managed Kubernetes API server created by Amazon EKS, it is important to use AWS IAM and Kubernetes RBAC to regulate access to the public API server endpoint. Keeping the Kubernetes API server private is recommended to enhance the cluster's security and to allow communication between worker nodes and APIs within the VPC. In situations where public access is necessary, limiting the IP addresses that can access the API server from the internet can help reduce the potential attack surface.

Resolution: Disable public accessibility of EKS cluster endpoint

Enable Control Plane Logs for EKS

Risk: High

Target: Elastic Kubernetes Service

Compliance: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

Description
Control plane logs can help identify cluster creation, authentication, authorization, and scheduling issues. They can also help detect security breaches and compliance violations by tracking unauthorized access attempts, changes to permissions, and other activities. Enabling control plane logs for Amazon Elastic Kubernetes Service (EKS) is crucial because it provides visibility into the cluster's control plane activity, making diagnosing and troubleshooting issues easier. In addition, control plane logs are required for auditing and compliance purposes, as they provide a detailed record of the actions taken in the cluster.

Resolution: Enable EKS control plane logging for Amazon EKS

Update EKS Cluster Version to Latest

Risk: High

Target: Elastic Kubernetes Service

Compliance:

Description
Updating the EKS cluster version to the latest is crucial to ensure that the cluster benefits from the latest features and security updates. Running outdated EKS cluster versions may expose the cluster to vulnerabilities and potential attacks, as older versions may not have the latest patches and bug fixes. Therefore, updating the EKS cluster version to the latest version helps ensure the stability, security, and efficiency of the cluster.

Resolution: Update the Kubernetes version

Disable All Inbound Traffic for EKS Cluster Other than TCP Port 443

Risk: High

Target: Elastic Kubernetes Service

Compliance:

Description
To improve the security of an EKS cluster, it's advisable to disable all inbound traffic except for TCP port 443. This practice helps protect against network-based attacks, limits access to authorized users, ensures confidentiality through SSL/TLS encryption, and facilitates compliance with applicable regulations.

Resolution: Allow access only on TCP port 443 by updating the security groups associated with the EKS cluster

Delete AWS RDS DB Instances Running in Idle Mode

Risk: High

Target: RDS DB

Compliance:

Description
Deleting AWS RDS DB instances running in idle mode can lead to cost savings, improved security, simplified maintenance, and better compliance with regulatory requirements. It can help optimize your AWS usage, reduce your attack surface, and ensure that your database is up to date and free from vulnerabilities.

Resolution: Deleting a DB instance

Check for Underutilized Amazon Redshift Clusters

Risk: High

Target: Redshift

Compliance:

Description
Downsizing underused Amazon Redshift clusters can result in cost savings, resource optimization, improved performance, and better scalability. By paying only for the needed resources, you can free up CPU, memory, and storage, improve the performance of other applications, and allocate resources more efficiently.

Resolution: Amazon Redshift clusters

Enable RDS Auto Minor Version Upgrade

Risk: Medium

Target: RDS DB

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling RDS Auto Minor Version Upgrade is important for maintaining security, improving performance, simplifying maintenance, ensuring compliance, maintaining high availability, and reducing technical debt. Automating the update process ensures your database instances are regularly patched with the latest security updates and performance enhancements while minimizing administrative overhead and downtime.

Resolution Set AutoUpgrade to true

Encrypt Athena Query Results

Risk: High

Target: AWS Athena

Compliance:

Description

AWS Athena is an interactive query service that allows you to analyze data in Amazon S3 using standard SQL. While data in transit between Amazon Athena and S3 is encrypted by default using SSL/TLS, query results are not encrypted at rest by default. To ensure the security of your data and meet compliance requirements, it is recommended to enable encryption at rest for Athena query results stored in S3. AWS Athena offers different S3 encryption options including SSE-S3, SSE-KMS, and CSE-KMS, to add an extra layer of security to your data.

Resolution

Encrypting Athena query results stored in Amazon S3

Assign Mandatory Tags to ECS Task Definition

Risk: High

Target: ECS Task Definition

Compliance:

Description Assigning mandatory tags to ECS Task Definition can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Tagging your Amazon ECS resources

Assign Standard Region to Security Groups

Risk: Low

Target: Security Groups

Compliance:

Description Assigning standard regions to security groups in AWS is a best practice that can provide several benefits, including improved security, compliance with regulations, simplified management, and disaster recovery and availability. Using a standard region, you can ensure that your security policies are consistently applied to your instances and comply with regional data processing requirements. Using a standard region can simplify management and make maintaining and scaling your security groups easier over time. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign User Permission Only through IAM Groups

Risk: Medium

Target: IAM User

Compliance:

Description Assigning user permissions through IAM groups simplifies management, promotes consistency, improves scalability, enhances security, and eases auditing of access control in your AWS environment, streamlining the application of the Principle of Least Privilege.

Resolution Adding and removing users in an IAM user group

Assign Standard Region to VPC Resource

Risk: Low

Target: VPC

Compliance:

Description Assigning a standard region to VPC resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your VPC resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Deny Public Access to any Port

Risk: Critical

Target: Security Group

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description: To protect against attackers who use brute force methods to gain access to Amazon EC2 instances, it is important to ensure that the associated security groups do not allow unrestricted access (i.e., 0.0.0.0/0 or ::/0) on uncommon ports. Uncommon ports are any TCP/UDP ports not included in the commonly used service ports such as HTTP, HTTPS, FTP, SSH, Telnet, DNS, RDP, SMTP, MySQL, PostgreSQL, Oracle Database, SQL Server, RPC, and SMB/CIFS. Allowing unrestricted inbound access to EC2 instances on uncommon ports can increase the risk of malicious activities such as hacking, data capture, and Denial-of-Service attacks.

Resolution: Work with Security Groups
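The check described above, as an added example that is not part of the original page or of Paladin Cloud's own code: it walks security group ingress rules in the shape returned by EC2 DescribeSecurityGroups and reports rules that open ports outside the policy's common-port list to 0.0.0.0/0 or ::/0. The page names the common services only; the port numbers below are their standard assignments, and the sample security groups are constructed.

```python
"""Flag security group ingress rules that expose uncommon ports to the world."""
from dataclasses import dataclass

# The policy lists service names; these are their standard port numbers.
COMMON_PORTS = {
    "HTTP": {80}, "HTTPS": {443}, "FTP": {20, 21}, "SSH": {22}, "Telnet": {23},
    "DNS": {53}, "RDP": {3389}, "SMTP": {25}, "MySQL": {3306},
    "PostgreSQL": {5432}, "Oracle Database": {1521}, "SQL Server": {1433},
    "RPC": {135}, "SMB/CIFS": {139, 445},
}
COMMON_PORT_SET = set().union(*COMMON_PORTS.values())
UNRESTRICTED = {"0.0.0.0/0", "::/0"}


@dataclass
class Finding:
    group_id: str
    protocol: str
    from_port: int
    to_port: int
    uncommon_port_count: int


def _is_unrestricted(perm):
    """True when any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in UNRESTRICTED for c in cidrs)


def uncommon_ports_in(from_port, to_port):
    """Number of ports in [from_port, to_port] that are not on the common list."""
    width = to_port - from_port + 1
    common_inside = sum(1 for p in COMMON_PORT_SET if from_port <= p <= to_port)
    return width - common_inside


def evaluate_security_group(sg):
    """Return one Finding per ingress rule that opens uncommon ports publicly."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not _is_unrestricted(perm):
            continue  # restricted source: not this policy's concern
        proto = perm.get("IpProtocol")
        if proto == "-1":
            # "All traffic" rule: every TCP/UDP port is open, uncommon ones included.
            findings.append(Finding(sg["GroupId"], "all", 0, 65535,
                                    uncommon_ports_in(0, 65535)))
            continue
        if proto not in ("tcp", "udp"):
            continue  # ICMP and other protocols carry no TCP/UDP ports
        lo, hi = perm["FromPort"], perm["ToPort"]
        count = uncommon_ports_in(lo, hi)
        if count > 0:
            findings.append(Finding(sg["GroupId"], proto, lo, hi, count))
    return findings


# Constructed sample groups in DescribeSecurityGroups shape (not real resources).
COMPLIANT_SG = {
    "GroupId": "sg-example-compliant",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}
NONCOMPLIANT_SG = {
    "GroupId": "sg-example-open",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for sg in (COMPLIANT_SG, NONCOMPLIANT_SG):
        print(sg["GroupId"], evaluate_security_group(sg))
```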

Encrypt EBS Volume Using Customer-Managed Keys

Risk: Critical

Target: Volume

Compliance:

Description: Use customer-managed Customer Master Keys (CMKs) instead of AWS-managed keys for Amazon EBS volumes for complete control of encryption and decryption. Once CMK-based encryption is enabled, it secures Amazon EBS volumes, volume snapshots, and disk I/O.

Resolution: EBS Encryption

Restrict EC2 RunInstance Privilege to Non-allow Listed IAM Role

Risk: Critical

Target: IAM Role

Compliance:

Description To enhance the security of your AWS infrastructure, it is recommended to deny the "RunInstances" privilege for Amazon Elastic Compute Cloud (EC2) to any IAM role that is not on the allow list. This way, you can ensure that only authorized IAM roles can create new EC2 instances within your AWS account, thereby reducing the risk of unauthorized access and misuse of your resources.

To implement this security measure, you can create an IAM policy that allows only specific IAM roles to run EC2 instances and denies this privilege to any other role not explicitly listed. You can then attach this policy to your EC2 instances to restrict the ability to launch new instances to only authorized roles.

Resolution: Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances

Deny Networking Privileges to Non-allow Listed IAM Roles

Risk: Critical

Target: IAM Role

Compliance:

Description When a new IAM role is created in AWS, it is given complete network access. However, not all roles necessarily need network access and granting it to non-allow listed roles can increase the risk of security threats. To reduce these risks, it is advised to identify and establish security groups that only permit network access to the essential IAM roles.

Resolution: Policies and Permissions in IAM

Deny Lambda Privilege to Non-allow Listed IAM Roles

Risk: Critical

Target: IAM Role

Compliance:

Description To safeguard AWS resources against unauthorized access or misuse, denying Lambda privilege to non-allow listed IAM roles is essential. This practice reduces the likelihood of unauthorized access, helps maintain compliance with security standards, mitigates the risk of accidental changes, and minimizes the impact of security breaches. By limiting the actions that non-allow listed IAM roles can take on your Lambda functions, you can prevent them from harming your resources and ensure that only required privileges are granted.

Resolution: Update AWS Lambda Function Permissions

Enable Qualys EC2 Vulnerability Scan

Risk: High

Target: EC2

Compliance:

Description Scanning EC2 instances monthly using the Qualys Vulnerability Assessment Tool is important for understanding and managing security risks on your cloud infrastructure. The tool can help identify vulnerabilities in software, configurations, and networking components, which malicious actors can exploit to gain unauthorized access to your systems or data. By scanning your EC2 instances regularly, you can discover and promptly address any potential security threats. This helps to ensure that the security of your cloud environment is top-notch and that your data is safe and secure.

Resolution: Securing Amazon Web Services with Qualys

Ensure AWS ASG Launch Configurations Are Utilizing Active Amazon Machine Images

Risk: High

Target: Auto Scaling Group

Compliance:

Description: Make sure your AWS Auto Scaling Groups (ASGs) launch configuration refers to an active Amazon Machine Image (AMI) to keep the auto-scaling process functioning correctly.

If your ASGs cannot launch new EC2 instances due to invalid (removed) AMIs, the scaling mechanism will be unable to allocate additional computing resources to manage the workload, resulting in a substantial negative impact on your application's performance.

Resolution Launch configurations

Remove Inactive IAM Users after 90 Days

Risk: High

Target: IAM User

Compliance:

Description: Removing inactive IAM users after 90 days is a best practice for security and compliance. It helps prevent users from having open access to your data and resources, which can lead to a data breach or other security threats. Additionally, removing users who are no longer actively using your services helps ensure that you are only paying for the resources you are using. Lastly, it can help simplify the management of your users and ensure that your IAM policies are up to date.

Resolution: Finding unused credentials

Deny Public Access to Non-allow Listed S3 Buckets

Risk: Critical

Target: S3

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description: To protect against malicious public data exposure, ensure that public access is not enabled for your S3 buckets. By default, S3 buckets and objects are created without public access, but an IAM principal with sufficient S3 permissions can grant public access at either the bucket or object level.

Resolution: Blocking public access to your Amazon S3 storage

Assign Standard Region to EBS Volume

Risk: Low

Target: Volume

Compliance:

Description Assigning a standard region to an EBS (Elastic Block Store) volume in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your volume across multiple regions, you can reduce latency and ensure data compliance, as well as maintain volume availability. Using a standard region can also simplify management and make it easier to maintain and scale your volume over time. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Mandatory Tags to ECS Cluster

Risk: High

Target: ECS Cluster

Compliance:

Description Assigning mandatory tags to ECS Cluster can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Tagging your Amazon ECS resources

Ensure that Ports Associated with Security Group and ALB are Same

Risk: High

Target: APP ELB

Compliance:

Description: Ensuring that the ports associated with the security group and ELB are the same is important to avoid any issues related to port mismatch. If there is a port mismatch between the security group and ELB, it can lead to unintended network access and make the application vulnerable to attacks. Therefore, it is crucial to ensure that the same ports are allowed in both the security group and the ELB. This helps to maintain consistency and ensure the security and reliability of the application.

Resolution: Security group rules for different use cases

Ensure that Ports Associated with Security Group and ELB are Same

Risk: High

Target: Classic ELB

Compliance:

Description: Ensure that the ports associated with a security group and an Application Load Balancer (ALB) are the same. This is important for ensuring proper communication between the security group and the ALB, as well as for maintaining security and avoiding potential security breaches. Having mismatched ports can lead to security vulnerabilities and communication errors. Therefore, it's recommended to regularly check and confirm that the ports associated with the security group and the ALB are the same.

Resolution: Configure security groups for your Classic Load Balancer

Encrypt DocumentDB using Customer Managed Keys

Risk: High

Target: DocumentDB

Compliance:

Description

Using your own AWS KMS Customer Master Keys (CMKs) to encrypt your DocumentDB data, including indexes, logs, replicas, and snapshots, gives you complete authority over who can access your data using the encryption keys. With Amazon KMS service, creating, rotating, disabling, and auditing Customer Master Keys for your Amazon DocumentDB clusters is straightforward.

To achieve more granular control over DocumentDB data-at-rest encryption and decryption, it is recommended to use KMS Customer Master Keys (CMKs) instead of AWS managed-keys, which are the default keys used by the DocumentDB service when customer-managed keys are not defined.

Resolution Key Management

Encrypt DynamoDB Tables Using Customer Managed Keys

Risk: High

Target: DynamoDB

Compliance:

Description:

To have more precise control over your cluster data encryption and decryption process in Amazon DynamoDB, it is advisable to use KMS Customer Master Keys (CMKs) instead of AWS managed-keys or keys owned by the DynamoDB service. Encryption at rest with Customer Master Keys can satisfy stringent encryption compliance and regulatory requirements, especially for security-sensitive applications.

Customer-managed Customer Master Keys (CMKs) are often necessary to comply with organizational policies, industry or government regulations, and internal compliance requirements for data-at-rest encryption. Using your own KMS Customer Master Keys (CMKs) to secure DynamoDB data provides complete control over who can access your data with these keys. The key policy is viewable, and encryption/decryption of your DynamoDB data can be audited by analyzing DynamoDB API calls made to Amazon KMS with CloudTrail.

Resolution Managing encrypted tables in DynamoDB

Restrict Internet Access to Elastic Search Endpoint

Risk: Critical

Target: Elasticsearch

Compliance:

Description: AWS Elasticsearch should not be accessible to the public via the internet to prevent unauthorized user access, data loss, and the potential exposure of sensitive data.

Resolution: VPC for OpenSearch

Restrict Internet Access to Classic ELB

Risk: Critical

Target: Classic ELB

Compliance:

Description Elastic Load Balancing distributes app traffic across multiple targets like EC2 instances, containers, IP addresses, and virtual appliances. It offers four types of load balancers with high availability, auto-scaling, and security for fault-tolerant apps, across one or multiple Availability Zones. Restricting Internet access to a Classic Load Balancer (ELB) is an essential security measure that can help reduce the potential attack surface of your application and make it harder for attackers to access your resources. It provides protection against DDoS attacks, helps meet compliance requirements, and enables better control over access.

Resolution: Configure security groups for your Classic Load Balancer

Delete Idle Load Balancers

Risk: High

Target: Classic ELB

Compliance:

Description To reduce the cost of your monthly AWS bill, it's recommended to identify any Amazon Elastic Load Balancers (ELBs) that are not being used and terminate them. An ELB is considered idle when it records less than 100 requests made to it in the past 7 days. The AWS CloudWatch metric 'RequestCount (Sum)' is used to detect such idle ELBs, which records the number of requests completed or connections made during a specified timeframe (1 or 5 minutes) for the HTTP/HTTPS or TCP/SSL listeners.

Resolution Delete an Application Load Balancer
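The idle test stated above (fewer than 100 RequestCount requests summed over the past 7 days), as an added example that is not part of the original page or of Paladin Cloud's own code. It consumes datapoints in the shape of a CloudWatch GetMetricStatistics response for the Sum statistic; the reference time, the datapoints and the optional creation-time guard for load balancers younger than the window are constructed assumptions.

```python
"""Decide whether a Classic ELB is idle from its RequestCount (Sum) datapoints."""
from datetime import datetime, timedelta, timezone

IDLE_REQUEST_THRESHOLD = 100        # policy: fewer than 100 requests ...
IDLE_WINDOW = timedelta(days=7)     # ... over the past 7 days


def total_requests(datapoints, now, window=IDLE_WINDOW):
    """Sum the RequestCount Sum values whose timestamp lies inside the window."""
    start = now - window
    return sum(dp["Sum"] for dp in datapoints if start <= dp["Timestamp"] <= now)


def is_idle(datapoints, now, created_at=None):
    """True when the ELB served fewer than IDLE_REQUEST_THRESHOLD requests in the window.

    Returns None when the load balancer is younger than the window (assumed guard:
    a new ELB has not had 7 days to accumulate traffic, so it is not judged yet).
    """
    if created_at is not None and now - created_at < IDLE_WINDOW:
        return None
    return total_requests(datapoints, now) < IDLE_REQUEST_THRESHOLD


def constructed_datapoints(now, samples):
    """Build CloudWatch-style datapoints from (hours_ago, sum) pairs (constructed data)."""
    return [{"Timestamp": now - timedelta(hours=h), "Sum": float(s)} for h, s in samples]


# Constructed reference time and sample metric histories.
NOW = datetime(2023, 7, 21, 12, 0, tzinfo=timezone.utc)
BUSY_ELB = constructed_datapoints(NOW, [(1, 1200), (25, 950), (49, 1010)])
# 4000 requests at 169 hours ago fall just outside the 168-hour window.
IDLE_ELB = constructed_datapoints(
    NOW, [(1, 3), (25, 0), (49, 12), (73, 5), (97, 0), (121, 9), (145, 2), (169, 4000)])

if __name__ == "__main__":
    print("busy idle?", is_idle(BUSY_ELB, NOW))
    print("idle idle?", is_idle(IDLE_ELB, NOW))
    print("new   idle?", is_idle(IDLE_ELB, NOW, created_at=NOW - timedelta(days=2)))
```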

Assign Standard Region to KMS Resource

Risk: Low

Target: KMS

Compliance:

Description Assigning a standard region to KMS resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your KMS resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Mandatory Tags to Classic ELB

Risk: High

Target: Classic ELB

Compliance:

Description Assigning mandatory tags to Classic ELB (Elastic Load Balancer) can provide several benefits, including improved resource management, cost tracking, enhanced visibility, security, and streamlined operations. These tags can help track and manage ELBs, optimize resource allocation, analyze cost, identify and group related ELBs, restrict access to load balancers, and automate routine tasks.

Resolution Tag your Classic Load Balancer

Assign Mandatory Tags to Elastic Search Resources

Risk: High

Target: Elasticsearch

Compliance:

Description Assigning mandatory tags to Elastic Search Resources can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Tagging AWS resources

Prevent Unauthorized CloudFront Content Distribution

Risk: Medium

Target: Cloud Front

Compliance:

Description Preventing unauthorized CloudFront content distribution is essential for content protection, data privacy, compliance, reputation management, and resource optimization. It helps maintain data privacy, protect against data breaches, ensure compliance with regulations, and maintain the integrity of your brand. Preventing unauthorized CloudFront content distribution is a recommended best practice for managing your AWS environment and ensuring your content is used appropriately.

Resolution Configuring secure access and restricting access to content

Check the Expiry Status of the ACM Certificate

Risk: High

Target: ACM Certificate

Compliance:

Description To comply with Amazon Security Best Practices, remove all expired SSL/TLS certificates managed by AWS Certificate Manager. This prevents accidental deployment of invalid certificates to resources like Elastic Load Balancing, which could cause errors and harm your web application or website's reputation.

Resolution Check a certificate's renewal status

Ensure the Launch Config for ASG Contains Updated Information

Risk: Critical

Target: Auto scaling Group

Compliance:

Description: It is essential to keep your AWS Auto Scaling Groups (ASGs) launch configuration up to date to prevent your application performance from being negatively impacted and to avoid downtime. If the ASGs fail to launch new EC2 instances due to inactive (deleted) Security Groups, the scaling mechanism cannot add compute resources to handle the traffic load.

To fix this, replace the unhealthy ASGs with a valid launch configuration that references one or more active Security Groups (SGs).

Resolution: Change the Launch Configuration for an Auto Scaling Group

Enable ELB HTTPS Listener

Risk: High

Target: APP ELB

Compliance:

Description: Enabling secure listeners for Elastic Load Balancers (ELBs) is essential to protect web applications and ensure secure communication between clients and servers. Secure listeners use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption to secure the connection between the client and the load balancer. This protects sensitive data, such as login credentials and credit card information, from interception and theft by malicious actors. Enabling secure listeners for ELBs also helps to ensure compliance with various security standards and regulations, such as the Payment Card Industry Data Security Standard (PCI DSS).

Resolution: Configure an HTTPS listener for your Classic Load Balancer

Encrypt AppFlow Using CMK

Risk: High

Target: AppFlow

Compliance:

Description

A Customer Master Key (CMK) is a logical representation of a symmetric master key managed by Amazon KMS service, containing metadata such as the key ID, creation date, description, and key state, as well as the key material used for encryption and decryption of data. To meet security and compliance requirements and gain full control over encrypted data, it is recommended to encrypt Amazon AppFlow flows using customer-managed Customer Master Keys (CMKs).

Resolution Data protection in Amazon AppFlow

Encrypt DMS Replication Using CMK

Risk: High

Target: DMS

Compliance:

Description

Amazon DMS provides encryption for replication instance storage and endpoint connection information, with the option to use AWS KMS Customer Master Keys (CMKs) for increased data protection. Using your own AWS KMS CMKs allows for greater control over who can access your data, and AWS KMS service enables easy management of Customer Master Keys. To have more control over data-at-rest encryption and decryption for AWS DMS replication instances, it is recommended to use KMS Customer Master Keys instead of AWS managed-keys, ensuring a higher level of control over data and improved data security.

Resolution Security in AWS database migration service

Configure ECS Task Definition Log Driver

Risk: High

Target: ECS Task Definition

Compliance:

Description Configure a log driver for containers in Amazon ECS task definitions to effectively manage logs. This enables centralized logging, additional operational capabilities and prevents logs from consuming disk space on ECS container instances.

Resolution Using the awslogs log driver

Resolve IAM Access Analyzer Findings

Risk: High

Target: Access Analyzer

Compliance:

Description Utilize Amazon IAM Access Analyzer to identify and address security issues related to public or untrusted cross-account access in your AWS environment. This feature analyzes resource-based policies, generates findings, and helps maintain the principle of least privilege by continuously monitoring policy changes, thus reducing the need for manual checks.

Resolution Findings for public and cross-account access

Enable Access Log for CloudFront and Attach to the Mentioned Bucket

Risk: High

Target: Cloud Front

Compliance:

Description Enabling access logs for CloudFront and attaching them to a specified S3 bucket provides several benefits, including monitoring user activity, maintaining security and compliance, troubleshooting issues, optimizing performance, managing costs, and centralizing log storage. These logs offer valuable insights into web traffic patterns and can help improve the overall performance and security of your web application.

Resolution Configuring and using standard logs (access logs)

Enable Access Log for App ELB and Attach to the Mentioned Bucket

Risk: High

Target: APP ELB

Compliance:

Description Enabling access logs for App ELB and attaching them to a specified S3 bucket is beneficial for performance monitoring, troubleshooting, security and compliance, user activity analysis, centralized log storage, and cost management. Access logs provide valuable insights into traffic patterns and client behavior, helping you optimize your application, identify potential security threats, and manage resources more effectively.

Resolution Enable access logs for your Application Load Balancer

Enable Access Log for Classic ELB and Attach to the Mentioned Bucket

Risk: High

Target: Classic ELB

Compliance:

Description Enabling access logs for Classic ELB and attaching them to a specified S3 bucket provides benefits such as performance monitoring, troubleshooting, security and compliance, user activity analysis, centralized log storage, and cost management. Access logs offer valuable insights into client traffic patterns and user behavior, helping you optimize your application, identify potential security threats, and manage resources more effectively.

Resolution Enable access logs for your Classic Load Balancer

Restrict Internet Access to EC2 Instance with Remotely Exploitable Vulnerability (S5)

Risk: Critical

Target: EC2

Compliance:

Description Minimizing the risk of network attacks is crucial when an EC2 instance has a remotely exploitable vulnerability. Key steps to take include identifying the affected instance, restricting inbound traffic via security group rules, using a bastion host to control access, and applying relevant patches or updates. By taking these measures, the vulnerability can be addressed, and the instance can be safeguarded while still allowing legitimate traffic to reach it.

Resolution: Restrict Traffic by Configuring Security Groups

Ensure That EC2 Instances Are Not Left in a Stopped State for More than 60 Days

Risk: Low

Target: EC2

Compliance:

Description EC2 instances should not be left in a stopped state for more than 60 days because it can result in increased costs due to storage charges, security vulnerabilities, compliance violations, and performance issues.

Resolution Stop and start your instance

Remove Access Keys Associated with the Root User

Risk: Medium

Qualys Found S3 Vulnerabilities on EC2 Instance

Risk: Medium

Target: EC2

Compliance:

Description S3 vulnerability could allow attackers to access the underlying operating system, resources, and data. To prevent the S3 vulnerability from affecting EC2 instances, update the firmware, disable the Management Engine if necessary, implement access controls and security policies, monitor the instance for suspicious activity, and use strong authentication measures.

Resolution Best practices for Amazon EC2

Qualys Found S4 Vulnerabilities on EC2 Instance

Risk: High

Target: EC2

Compliance:

Description: S4 vulnerability could allow attackers to access the underlying operating system, resources, and data. To prevent the S4 vulnerability from affecting EC2 instances, update the firmware, disable the Management Engine if necessary, implement access controls and security policies, monitor the instance for suspicious activity, and use strong authentication measures.

Resolution: Security in Amazon EC2

Qualys Found S5 Vulnerabilities on EC2 Instance

Risk: Critical

Target: EC2

Compliance:

Description: S5 vulnerability can enable attackers to gain control of a target system and affects EC2 instances with Intel processors with Intel Management Engine firmware. To prevent the S5 vulnerability from affecting EC2 instances, update the firmware, disable the Management Engine if necessary, implement access controls and security policies, monitor the instance for suspicious activity, and use strong authentication measures.

Resolution: Best practices for Amazon EC2

Ensure that no Guard Duty Findings are Found for an EC2 Instance

Risk: High

Target: EC2

Compliance:

Description: Address AWS GuardDuty findings to protect your AWS infrastructure from security threats. GuardDuty, a managed threat detection service, monitors logs for malicious activity and generates findings for suspicious behavior. By using these findings, you can evaluate your AWS infrastructure in an automated manner without additional security hardware or software and integrate alerts into various communication channels.

Resolution: Understanding Amazon GuardDuty Findings

Check the Expiry Status of the IAM Certificate

Risk: High

Target: IAM Certificate

Compliance:

Description Regularly checking the expiry status of IAM certificates is crucial to ensure that they are valid and have not expired. IAM certificates are used for authentication and encryption purposes in AWS, and an expired certificate can lead to security breaches and service interruptions. Renewing IAM certificates before they expire helps maintain the security and availability of AWS resources.

Resolution Managed renewal for ACM certificates

Restrict full IAM Access to Non-Admin IAM Roles

Risk: High

Target: IAM Role

Compliance:

Description: Restricting full IAM access to non-admin roles is vital for adhering to the principle of least privilege, enhancing security, ensuring compliance, improving auditability, and maintaining system stability. This practice minimizes the risk of unauthorized actions, breaches, and unintended changes while simplifying audits and promoting regulatory compliance.

Resolution: Policies and permissions in IAM

Assign Standard Region to API Resource

Risk: Low

Target: API

Compliance:

Description Assigning a standard region to an API resource is a best practice that brings several benefits, such as improved performance, compliance with regulations, disaster recovery, availability, and simplified management. It also helps organizations avoid legal or regulatory issues and maintain customer trust by ensuring data is stored in compliance with regulations. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions, and if assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to App ELB Resource

Risk: Low

Target:

Compliance:

Description Assigning a standard region to an App ELB (Elastic Load Balancer) resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region that is closest to your users and replicating your App ELB across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions, and if assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to DynamoDB

Risk: Low

Target: DynamoDB

Compliance:

Description Assigning a standard region to DynamoDB resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your DynamoDB across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to EFS Resource

Risk: Low

Target: EFS

Compliance:

Description Assigning a standard region to EFS resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your EFS resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to Elasticache Resource

Risk: Low

Target: Elasticache

Compliance:

Description Assigning a standard region to Elasticache resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your Elasticache resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Choosing regions and availability zones

Assign Standard Region to Elastic IP Resource

Risk: Low

Target: Elastic IP

Compliance:

Description Assigning a standard region to an Elastic IP resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your Elastic IP resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to Elasticsearch Resource

Risk: Low

Target: Elastic Search

Compliance:

Description Assigning a standard region to Elasticsearch resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. You can improve latency, ensure data compliance, and maintain application availability by choosing a region closest to your users and replicating your Elasticsearch resource across multiple regions. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to EMR Resource

Risk: Low

Target: EMR

Compliance:

Description Assigning a standard region to EMR resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your EMR resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to Elastic Network Interfaces (ENI) Resource

Risk: Low

Target: ENI

Compliance:

Description Assigning a standard region to ENI resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your ENI resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to RDS DB Resource

Risk: Low

Target: RDS DB

Compliance:

Description Assigning a standard region to RDS DB resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your RDS DB resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to Redshift Resource

Risk: Low

Target: Redshift

Compliance:

Description Assigning a standard region to Redshift resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your Redshift resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to ASG Resource

Risk: Low

Target: ASG

Compliance:

Description Assigning a standard region to ASG resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your ASG resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to Classic ELB Resource

Risk: Low

Target: Classic ELB

Compliance:

Description Assigning a standard region to Classic ELB resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your Classic ELB resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer's intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to Lambda

Risk: Low

Target: Lambda

Compliance:

Description Assigning a standard region to a Lambda function in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, disaster recovery and availability, and potential cost savings. By choosing a region closest to your users and replicating your Lambda function across multiple regions, you can reduce latency, ensure data compliance, and maintain application availability. Using a standard region can simplify management and lower costs, making it an important best practice for many organizations. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to Launchconfig

Risk: Low

Target: Launch Config

Compliance:

Description Assigning a standard region to a Launch Configuration in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, disaster recovery and availability, and consistency. By choosing a region closest to your users and replicating your instances across multiple regions, you can reduce latency, ensure data compliance, and maintain instance availability. Using a standard region can simplify management, ensure consistency, and make troubleshooting and managing instances easier, making it an important best practice for many organizations. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to RDS Snapshot

Risk: Low

Target: RDS Snapshot

Compliance:

Description Assigning a standard region to an RDS snapshot in AWS is a best practice that can provide several benefits, including disaster recovery and availability, improved performance, compliance with regulations, and simplified management. You can ensure database availability even during a regional outage by replicating your RDS snapshot across multiple regions. Choosing a region closest to your users can improve performance, and using a standard region can simplify management and ensure compliance with regulations. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to Snapshot

Risk: Low

Target: Snapshot

Compliance:

Description Assigning a standard region to a snapshot in AWS is a best practice that can provide several benefits, including disaster recovery and availability, improved performance, compliance with regulations, and simplified management. By replicating your snapshot across multiple regions, you can ensure its availability even during a regional outage. Choosing a region closest to your users can improve performance, and using a standard region can simplify management and ensure compliance with regulations. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to Stack

Risk: Low

Target: Stack

Compliance:

Description Assigning a standard region to a stack in AWS CloudFormation is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your stack across multiple regions, you can reduce latency, ensure data compliance, and maintain stack availability. Using a standard region can simplify management and make maintaining and scaling your stack easier over time. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to SNS Topic

Risk: Low

Target: SNS Topic

Compliance:

Description Assigning a standard region to an SNS topic in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your topic across multiple regions, you can reduce latency, ensure data compliance, and maintain topic availability. Using a standard region can simplify management and make maintaining and scaling your topics easier over time. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to EC2 Instance

Risk: Low

Target: EC2

Compliance:

Description Assigning a standard region to an EC2 instance in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, disaster recovery and availability, and potential cost savings. By choosing a region closest to your users and replicating your instances across multiple regions, you can reduce latency, ensure data compliance, and maintain instance availability. Using a standard region can simplify management, lower costs, and make maintaining and scaling your instances easier. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Assign Standard Region to S3 Buckets

Risk: Low

Target: S3

Compliance:

Description Assigning a standard region to an S3 bucket in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, disaster recovery and availability, and potential cost savings. By choosing a region closest to your users and replicating your bucket across multiple regions, you can reduce latency, ensure data compliance, and maintain bucket availability. Using a standard region can also simplify management, lower costs, and make it easier to maintain and scale your buckets. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution Managing AWS Regions

Deny Hosting Website or Redirecting Requests for S3 Bucket

Risk: High

Target: S3

Compliance:

Description Denying hosting websites or redirecting requests for S3 buckets enhances security, prevents data leakage, ensures access control, maintains compliance, and simplifies resource management. This practice safeguards sensitive data, adheres to regulatory requirements, and promotes efficient infrastructure management.

Resolution Setting permissions for website access

Deny Listed Privileges to Service Account

Risk: Critical

Target: IAM User

Compliance:

Description Denying listed privileges to a service account in AWS is crucial for securing your AWS resources from unauthorized access or misuse. It helps minimize the risk of unauthorized access, ensures compliance with security standards, prevents accidental changes, and limits the impact of a security breach.

By denying privileges to service accounts, you can reduce the risk of damage to your resources caused by compromised accounts, comply with regulatory frameworks and avoid penalties, and prevent unauthorized actions that could lead to accidental changes or disruptions to your environment.

Resolution IAM Roles for Service Accounts

Restrict Unauthorized HTML Content on CloudFront

Risk: Critical

Target: CloudFront

Compliance:

Description To prevent security risks in CloudFront, only approved HTML content should be served to users. This can be done by configuring CloudFront to allowlist approved sources through custom headers or cookies to verify the source of the HTML content. AWS WAF can also block requests that do not meet specific criteria. These measures can protect against various security risks, such as cross-site scripting attacks, phishing attacks, and malware infections.

Resolution Creating a Distribution

Restrict Core Networking Privileges to Non-Allowlisted IAM Users

Risk: Critical

Target: IAM User

Compliance:

Description Restricting core networking privileges for non-allowlisted IAM users is an important security best practice in AWS that reduces the risk of unauthorized access to your network resources. It minimizes the attack surface, mitigates the risk of insider threats, and helps meet regulatory and compliance frameworks. Limiting these privileges to allowlisted IAM users with specific permissions protects your network resources from unauthorized access, reduces the risk of data breaches, and ensures that only legitimate users have access.

Resolution Changing Permissions for an IAM User

Do Not Use Deprecated EC2 Instances Types to Launch Instances

Risk: Medium

Target: EC2

Compliance:

Description Not using deprecated EC2 instance types is crucial for maintaining your AWS infrastructure's security, reliability, performance, compatibility, and compliance. Using deprecated instance types increases the risk of security threats, service disruptions, and data loss, limits your options, and hinders your ability to innovate and adapt. Using up-to-date EC2 instance types is a recommended best practice for managing your AWS environment and ensuring optimal performance and cost efficiency.

Resolution Deprecate an AMI

Encrypt AWS AMI

Risk: High

Target: AMI

Compliance:

Description To comply with data-at-rest encryption requirements, it is important to verify that your Amazon Machine Images (AMIs) are encrypted. The encryption and decryption of AMI data are handled automatically without the need for any additional action from your applications.

When dealing with critical business data in production environments, it is strongly advised to implement data encryption to safeguard against unauthorized access or attacks. The encryption keys used for AMIs employ the AES-256 algorithm and are fully managed and protected by AWS Key Management Service (KMS).

Resolution Use encryption with EBS-backed AMIs

Enable AWS Guard Duty Service across All Regions and Accounts

Risk: High

Target: Account

Compliance:

Description Enabling AWS GuardDuty across all regions and accounts is essential for comprehensive security coverage. It provides centralized security monitoring, ensures consistent security posture, enables faster detection and response to threats, and can lead to cost savings by reducing the need for manual security monitoring. By covering all AWS resources in your organization, you better protect your environment from unauthorized access, data leaks, and other malicious activities.

Resolution guardduty-enabled-centralized

Remove any VPC Peering Connections to Non-Allowlisted AWS Accounts

Risk: High

Target: Peering Connection

Compliance:

Description Removing any VPC peering connections to non-allowlisted AWS accounts is essential for security reasons. VPC peering connections allow traffic to flow between VPCs in different accounts, which can potentially expose sensitive data or resources to unauthorized access or attacks. Therefore, restricting VPC peering connections to only the allowed and trusted AWS accounts helps prevent potential security breaches and maintains the confidentiality and integrity of your resources.

Resolution Delete a VPC peering connection

Increase AWS Service Limits to Meet Growing Needs

Risk: Medium

Target: Account

Compliance:

Description Increasing AWS service limits is crucial for ensuring scalability, performance optimization, cost optimization, innovation, and future-proofing your AWS infrastructure. It helps accommodate more users, resources, and workloads, reduce bottlenecks, optimize costs, explore new use cases, and prepare for future growth and expansion. Increasing AWS service limits is a recommended best practice for managing your AWS environment and meeting growing needs and demands.

Resolution AWS service quotas

Delete Unused Application ELB

Risk: High

Target: APP ELB

Compliance:

Description Deleting unused Application Elastic Load Balancers (ELBs) can result in cost savings, resource optimization, improved performance, and simplified management, and can free up resources for other applications. By removing unused ELBs, you can save money, prevent conflicts, simplify your infrastructure, and optimize your AWS usage.

Resolution Delete an Application Load Balancer

Enable Private S3 Buckets with Access Logs

Risk: High

Target: S3

Compliance:

Description To track access requests for security and access auditability, enable Amazon S3's Server Access Logging feature for your S3 buckets. This feature creates detailed records of request type, resources, and processing date/time, which can provide valuable data for security, compliance audits, user behavior analysis, and S3 billing insights. Note that the feature is not enabled by default.

Resolution Blocking public access to your Amazon S3 storage

Deny Public Access to Non-Allow listed SQS Resources

Risk: Critical

Target: SQS

Compliance:

Description AWS SQS is a cloud-based queue service that enables the integration of distributed software systems and components. It offers a web services API that is usable from any programming language supported by the AWS SDKs.

When SQS queues are public, they can expose existing interfaces to unwanted third parties, potentially leading to data leaks.

To ensure security, SQS policies must restrict access to the queues. In line with the security principle of least privilege, an SQS policy should grant access only to essential principals.

Resolution Authentication and Access Control for Amazon SQS

Assign Mandatory Tags to Application ELB

Risk: High

Target: APP ELB

Compliance:

Description Assigning mandatory tags to Application Elastic Load Balancers (ELBs) is important for identifying resources, allocating costs, automation, security, and compliance purposes. Mandatory tags ensure consistency, manageability, cost-effectiveness, security, and compliance across your AWS infrastructure.

Resolution Tag your Classic Load Balancer

Assign Mandatory Tags to Auto-Scaling Groups

Risk: High

Target: Auto Scaling Group

Compliance:

Description Assigning mandatory tags to Auto-Scaling Groups (ASGs) is important for identifying resources, cost allocation, and automation purposes. This practice guarantees consistency, manageability, and cost-effectiveness across your AWS infrastructure.

Resolution Tag Auto Scaling groups and instances

Assign Mandatory Tags to CloudFront

Risk: High

Target: CloudFront

Compliance:

Description Assigning mandatory tags to CloudFront can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Tagging Amazon CloudFront distributions

Assign Mandatory Tags to DynamoDB

Risk: High

Target: DynamoDB

Compliance:

Description Assigning mandatory tags to DynamoDB can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Help enforce DynamoDB tagging

Assign Mandatory Tags to AWS Elastic File System

Risk: High

Target: Elastic File System

Compliance:

Description Assigning mandatory tags to AWS Elastic File System can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Create Tags

Assign Mandatory Tags to AWS Elastic MapReduce

Risk: High

Target: Elastic Map Reduce

Compliance:

Description Assigning mandatory tags to AWS Elastic MapReduce can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Enforce tagging of Amazon EMR clusters at launch

Assign Mandatory Tags to Lambda Functions

Risk: High

Target: Lambda

Compliance:

Description Assigning mandatory tags to Lambda functions can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Using tags on Lambda functions

Assign Mandatory Tags to RDS Database

Risk: High

Target: RDS DB

Compliance:

Description Assigning mandatory tags to RDS database can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Enforce automatic tagging of Amazon RDS databases at launch

Assign Mandatory Tags to Redshift

Risk: High

Target: Redshift

Compliance:

Description Assigning mandatory tags to Redshift can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Tagging resources in Amazon Redshift

Assign Mandatory Tags to S3

Risk: High

Target: S3

Compliance:

Description Assigning mandatory tags to S3 can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Tagging and access control policies

Assign Mandatory Tags to Network Security Group

Risk: High

Target: Security Group

Compliance:

Description Assigning mandatory tags to Network Security Groups can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Work with security groups

Assign Mandatory Tags to EBS snapshots

Risk: High

Target: Snapshot

Compliance:

Description Assigning mandatory tags to EBS Snapshots can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Create Amazon EBS snapshots

Assign Mandatory Tags to CloudFormation Stacks

Risk: High

Target: Stack

Compliance:

Description Assigning mandatory tags to CloudFormation Stacks can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Required-tags

Assign Mandatory Tags to Subnets

Risk: High

Target: Subnet

Compliance:

Description Assigning mandatory tags to Subnets can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution AWS::EC2::Subnet

Assign Mandatory Tags to VPNGateway

Risk: High

Target: VPN Gateway

Compliance:

Description Assigning mandatory tags to VPN Gateway can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution [VpnGateway](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_VpnGateway.html)

Assign Mandatory Tags to EBS Volumes

Risk: High

Target: Volume

Compliance:

Description Assigning mandatory tags to EBS Volumes can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Tag your Amazon EC2 resources

Assign Mandatory Tags to VPC

Risk: High

Target: VPC

Compliance:

Description Assigning mandatory tags to VPC can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Tag your Amazon EC2 resources

Configure AWS Backup Vault Access Policy

Risk: High

Target: Backup Vault

Compliance:

Description Implementing an AWS Backup vault access policy not only safeguards AWS backups but also provides better control over user permissions. This added layer of protection maintains the integrity of your data and ensures a reliable recovery process when needed.

Resolution Setting access policies on backup vaults

Ensure that All CloudWatch Events from all Accounts are sent to the 'Dedicated ACCOUNTID' Default Event Bus

Risk: High

Target: Account

Compliance:

Description Sending all CloudWatch Events from all accounts to a dedicated ACCOUNTID default event bus offers advantages such as centralized monitoring and management, simplified cross-account event handling, improved security and governance, efficient incident response, streamlined troubleshooting, and cost optimization. By centralizing events, you can better track activities, maintain consistent security policies, and manage resources more effectively across multiple AWS accounts.

Resolution Sending and Receiving Events Between AWS Accounts

Assign Mandatory Tags to EC2 Instance

Risk: High

Target: EC2

Compliance:

Description Assigning mandatory tags to EC2 Instance can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Tag your Amazon EC2 resources

Assign Mandatory Tags to Elasticache

Risk: High

Target: ElastiCache

Compliance:

Description Assigning mandatory tags to Elasticache can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Tag Elasticache

Assign Mandatory Tags to AWS Key Management Services

Risk: High

Target: Key Management Services

Compliance:

Description Assigning mandatory tags to AWS Key Management Services can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution Tagging Keys

Deny Public Access to RDS Database Endpoints

Risk: Critical

Target: RDS DB

Compliance:

Description To enhance the security of your RDS database instances in AWS, it is recommended to enable "Deny Public Access to RDS Database Endpoints." This security measure prevents internet-based attacks like SQL injection and brute-force attacks and helps ensure compliance with security standards such as PCI DSS. You can activate this measure by adjusting the "Public accessibility" setting of your RDS instance, which restricts access to your database to only within your VPC or via a VPN connection.

Resolution Security in Amazon RDS

Enable Aqua ECR Vulnerability Scan

Risk: High

Target: ECR

Compliance:

Description Aqua Security's container security platform can scan images stored in a client's Amazon Elastic Container Registry (ECR) to identify any images not scanned for vulnerabilities. There are four possible reasons for a resource (image) not being scanned: it is not present in the ECR repository, it does not have the latest tag, it has no vulnerabilities, or its metadata has not been collected by cloud discovery. The primary objective of this process is to ensure that all images in the ECR repository are scanned for vulnerabilities, thereby mitigating potential security risks.

Resolution Connecting an Amazon ECR registry

Aqua Found High ECR Vulnerabilities

Risk: High

Target: ECR

Compliance:

Description Images created or updated within a configurable threshold timeline of 10 days are scanned, and Aqua's vulnerability data is used to gather key information about each vulnerability, including the CVE number, NVD URL, solution, affected resource, Aqua severity classification, and description.

Scanning and remediating high-vulnerability images in AWS can proactively identify and mitigate potential security threats, minimizing the risk of security breaches and other damage to the cloud infrastructure.

Resolution Aqua Vulnerability Database

Aqua Found Critical ECR Vulnerabilities

Risk: Critical

Target: ECR

Compliance:

Description Images created or updated within a configurable threshold timeline of 10 days are scanned, and Aqua's vulnerability data is used to gather key information about each vulnerability, including the CVE number, NVD URL, solution, affected resource, Aqua severity classification, and description.

Scanning and remediating critical-vulnerability images in AWS can proactively identify and mitigate potential security threats, minimizing the risk of security breaches and other damage to the cloud infrastructure.

Resolution Aqua Vulnerability Database

Aqua Found Medium ECR Vulnerabilities

Risk: Medium

Target: ECR

Compliance:

Description Images created or updated within a configurable threshold timeline of 10 days are scanned, and Aqua's vulnerability data is used to gather key information about each vulnerability, including the CVE number, NVD URL, solution, affected resource, Aqua severity classification, and description.

Scanning and remediating medium-vulnerability images in AWS can proactively identify and mitigate potential security threats, minimizing the risk of security breaches and other damage to the cloud infrastructure.

Resolution Aqua Vulnerability Database
