forked from awslabs/aws-security-assessment-solution
full_checks.txt
prowler v4.2.4 - the handy multi-cloud security tool
Date: 2024-06-11 10:54:02
[accessanalyzer_enabled] Check if IAM Access Analyzer is enabled - accessanalyzer [low]
[accessanalyzer_enabled_without_findings] Check if IAM Access Analyzer is enabled without findings - accessanalyzer [low]
[account_maintain_current_contact_details] Maintain current contact details. - account [medium]
[account_maintain_different_contact_details_to_security_billing_and_operations] Maintain different contact details to security, billing and operations. - account [medium]
[account_security_contact_information_is_registered] Ensure security contact information is registered. - account [medium]
[account_security_questions_are_registered_in_the_aws_account] Ensure security questions are registered in the AWS account. - account [medium]
[acm_certificates_expiration_check] Check if ACM Certificates are about to expire in specific days or less - acm [high]
[acm_certificates_transparency_logs_enabled] Check if ACM certificates have Certificate Transparency logging enabled - acm [medium]
[apigateway_restapi_authorizers_enabled] Check if API Gateway has configured authorizers at api or method level. - apigateway [medium]
[apigateway_restapi_client_certificate_enabled] Check if API Gateway Stage has client certificate enabled to access your backend endpoint. - apigateway [medium]
[apigateway_restapi_logging_enabled] Check if API Gateway Stage has logging enabled. - apigateway [medium]
[apigateway_restapi_public] Check if API Gateway endpoint is public or private. - apigateway [medium]
[apigateway_restapi_public_with_authorizer] Check if API Gateway public endpoint has an authorizer configured. - apigateway [medium]
[apigateway_restapi_waf_acl_attached] Check if API Gateway Stage has a WAF ACL attached. - apigateway [medium]
[apigatewayv2_api_access_logging_enabled] Ensure API Gateway V2 has Access Logging enabled. - apigateway [medium]
[apigatewayv2_api_authorizers_enabled] Check if API Gateway V2 has configured authorizers. - apigateway [medium]
[appstream_fleet_default_internet_access_disabled] Ensure the Default Internet Access option for your Amazon AppStream fleet streaming instances remains unchecked (disabled). - appstream [medium]
[appstream_fleet_maximum_session_duration] Ensure user maximum session duration is no longer than 10 hours. - appstream [medium]
[appstream_fleet_session_disconnect_timeout] Ensure session disconnect timeout is set to 5 minutes or less. - appstream [medium]
[appstream_fleet_session_idle_disconnect_timeout] Ensure session idle disconnect timeout is set to 10 minutes or less. - appstream [medium]
[athena_workgroup_encryption] Ensure that encryption at rest is enabled for Amazon Athena query results stored in Amazon S3 in order to secure data and meet compliance requirements for data-at-rest encryption. - athena [medium]
[athena_workgroup_enforce_configuration] Ensure that workgroup configuration is enforced so it cannot be overridden by client-side settings. - athena [medium]
[autoscaling_find_secrets_ec2_launch_configuration] Find secrets in EC2 Auto Scaling Launch Configuration - autoscaling [critical]
[autoscaling_group_multiple_az] EC2 Auto Scaling Group should use multiple Availability Zones - autoscaling [medium]
[awslambda_function_invoke_api_operations_cloudtrail_logging_enabled] Check if Lambda function invoke API operations are being recorded by CloudTrail. - lambda [low]
[awslambda_function_no_secrets_in_code] Find secrets in Lambda function code. - lambda [critical]
[awslambda_function_no_secrets_in_variables] Find secrets in Lambda function environment variables. - lambda [critical]
[awslambda_function_not_publicly_accessible] Check if Lambda functions have resource-based policy set as Public. - lambda [critical]
[awslambda_function_url_cors_policy] Check Lambda Function URL CORS configuration. - lambda [medium]
[awslambda_function_url_public] Check Public Lambda Function URL. - lambda [high]
[awslambda_function_using_supported_runtimes] Find obsolete Lambda runtimes. - lambda [medium]
[backup_plans_exist] Ensure that there is at least one AWS Backup plan - backup [low]
[backup_reportplans_exist] Ensure that there is at least one AWS Backup report plan - backup [low]
[backup_vaults_encrypted] Ensure that AWS Backup vaults are encrypted with AWS KMS - backup [medium]
[backup_vaults_exist] Ensure AWS Backup vaults exist - backup [low]
[cloudformation_stack_outputs_find_secrets] Find secrets in CloudFormation outputs - cloudformation [critical]
[cloudformation_stacks_termination_protection_enabled] Enable termination protection for Cloudformation Stacks - cloudformation [medium]
[cloudfront_distributions_field_level_encryption_enabled] Check if CloudFront distributions have Field Level Encryption enabled. - cloudfront [low]
[cloudfront_distributions_geo_restrictions_enabled] Check if Geo restrictions are enabled in CloudFront distributions. - cloudfront [low]
[cloudfront_distributions_https_enabled] Check if CloudFront distributions are set to HTTPS. - cloudfront [medium]
[cloudfront_distributions_logging_enabled] Check if CloudFront distributions have logging enabled. - cloudfront [medium]
[cloudfront_distributions_using_deprecated_ssl_protocols] Check if CloudFront distributions are using deprecated SSL protocols. - cloudfront [low]
[cloudfront_distributions_using_waf] Check if CloudFront distributions are using WAF. - cloudfront [medium]
[cloudtrail_bucket_requires_mfa_delete] Ensure the CloudTrail S3 bucket requires MFA delete - cloudtrail [medium]
[cloudtrail_cloudwatch_logging_enabled] Ensure CloudTrail trails are integrated with CloudWatch Logs - cloudtrail [low]
[cloudtrail_insights_exist] Ensure CloudTrail Insight is enabled - cloudtrail [low]
[cloudtrail_kms_encryption_enabled] Ensure CloudTrail logs are encrypted at rest using KMS CMKs - cloudtrail [medium]
[cloudtrail_log_file_validation_enabled] Ensure CloudTrail log file validation is enabled - cloudtrail [medium]
[cloudtrail_logs_s3_bucket_access_logging_enabled] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - cloudtrail [medium]
[cloudtrail_logs_s3_bucket_is_not_publicly_accessible] Ensure the S3 bucket holding CloudTrail logs is not publicly accessible - cloudtrail [critical]
[cloudtrail_multi_region_enabled] Ensure CloudTrail is enabled in all regions - cloudtrail [high]
[cloudtrail_multi_region_enabled_logging_management_events] Ensure CloudTrail is logging management events in all regions - cloudtrail [low]
[cloudtrail_s3_dataevents_read_enabled] Check if S3 buckets have Object-level logging for read events enabled in CloudTrail. - cloudtrail [low]
[cloudtrail_s3_dataevents_write_enabled] Check if S3 buckets have Object-level logging for write events enabled in CloudTrail. - cloudtrail [low]
[cloudwatch_changes_to_network_acls_alarm_configured] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL). - cloudwatch [medium]
[cloudwatch_changes_to_network_gateways_alarm_configured] Ensure a log metric filter and alarm exist for changes to network gateways. - cloudwatch [medium]
[cloudwatch_changes_to_network_route_tables_alarm_configured] Ensure route table changes are monitored - cloudwatch [medium]
[cloudwatch_changes_to_vpcs_alarm_configured] Ensure a log metric filter and alarm exist for VPC changes. - cloudwatch [medium]
[cloudwatch_cross_account_sharing_disabled] Check if CloudWatch has allowed cross-account sharing. - cloudwatch [medium]
[cloudwatch_log_group_kms_encryption_enabled] Check if CloudWatch log groups are protected by AWS KMS. - cloudwatch [medium]
[cloudwatch_log_group_no_secrets_in_logs] Check if secrets exist in CloudWatch logs. - cloudwatch [medium]
[cloudwatch_log_group_retention_policy_specific_days_enabled] Check if CloudWatch Log Groups have a retention policy of specific days. - cloudwatch [medium]
[cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled] Ensure a log metric filter and alarm exist for AWS Config configuration changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled] Ensure a log metric filter and alarm exist for CloudTrail configuration changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_authentication_failures] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures. - cloudwatch [medium]
[cloudwatch_log_metric_filter_aws_organizations_changes] Ensure a log metric filter and alarm exist for AWS Organizations changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created KMS CMKs. - cloudwatch [medium]
[cloudwatch_log_metric_filter_for_s3_bucket_policy_changes] Ensure a log metric filter and alarm exist for S3 bucket policy changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_policy_changes] Ensure a log metric filter and alarm exist for IAM policy changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_root_usage] Ensure a log metric filter and alarm exist for usage of root account. - cloudwatch [medium]
[cloudwatch_log_metric_filter_security_group_changes] Ensure a log metric filter and alarm exist for security group changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_sign_in_without_mfa] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA. - cloudwatch [medium]
[cloudwatch_log_metric_filter_unauthorized_api_calls] Ensure a log metric filter and alarm exist for unauthorized API calls. - cloudwatch [medium]
[codeartifact_packages_external_public_publishing_disabled] Ensure CodeArtifact internal packages do not allow external public source publishing. - codeartifact [critical]
[codebuild_project_older_90_days] Ensure CodeBuild Project has been invoked in the last 90 days - codebuild [medium]
[codebuild_project_user_controlled_buildspec] Ensure CodeBuild Project uses a controlled buildspec - codebuild [medium]
[cognito_identity_pool_guest_access_disabled] Ensure Cognito Identity Pool has guest access disabled - cognito [medium]
[cognito_user_pool_advanced_security_enabled] Ensure Cognito user pools have advanced security enabled in full-function mode - cognito [medium]
[cognito_user_pool_blocks_compromised_credentials_sign_in_attempts] Ensure that advanced security features are enabled for Amazon Cognito User Pools to block sign-in by users with suspected compromised credentials - cognito [medium]
[cognito_user_pool_blocks_potential_malicious_sign_in_attempts] Ensure that your Amazon Cognito user pool blocks potential malicious sign-in attempts - cognito [medium]
[cognito_user_pool_client_prevent_user_existence_errors] Amazon Cognito User Pool should prevent user existence errors - cognito [medium]
[cognito_user_pool_client_token_revocation_enabled] Ensure that token revocation is enabled for Amazon Cognito User Pools - cognito [medium]
[cognito_user_pool_deletion_protection_enabled] Ensure Cognito user pools have deletion protection enabled to prevent accidental deletion - cognito [medium]
[cognito_user_pool_mfa_enabled] Ensure Multi-Factor Authentication (MFA) is enabled for Amazon Cognito User Pools - cognito [medium]
[cognito_user_pool_password_policy_lowercase] Ensure Cognito User Pool has password policy to require at least one lowercase letter - cognito [medium]
[cognito_user_pool_password_policy_minimum_length_14] Ensure that the password policy for your user pools requires a minimum length of 14 or greater - cognito [medium]
[cognito_user_pool_password_policy_number] Ensure that the password policy for your user pool requires a number - cognito [medium]
[cognito_user_pool_password_policy_symbol] Ensure that the password policy for your Amazon Cognito user pool requires at least one symbol. - cognito [medium]
[cognito_user_pool_password_policy_uppercase] Ensure that the password policy for your user pool requires at least one uppercase letter - cognito [medium]
[cognito_user_pool_self_registration_disabled] Ensure self registration is disabled for Amazon Cognito User Pools - cognito [medium]
[cognito_user_pool_temporary_password_expiration] Ensure that the user pool has a temporary password expiration period of 7 days or less - cognito [medium]
[cognito_user_pool_waf_acl_attached] Ensure that Amazon Cognito User Pool is associated with a WAF Web ACL - cognito [medium]
[config_recorder_all_regions_enabled] Ensure AWS Config is enabled in all regions. - config [medium]
[directoryservice_directory_log_forwarding_enabled] Directory Service monitoring with CloudWatch logs. - directoryservice [medium]
[directoryservice_directory_monitor_notifications] Directory Service has SNS Notifications enabled. - directoryservice [medium]
[directoryservice_directory_snapshots_limit] Directory Service Manual Snapshots limit reached. - directoryservice [low]
[directoryservice_ldap_certificate_expiration] Directory Service LDAP Certificates expiration. - directoryservice [medium]
[directoryservice_radius_server_security_protocol] Ensure Radius server in DS is using the recommended security protocol. - directoryservice [medium]
[directoryservice_supported_mfa_radius_enabled] Ensure Multi-Factor Authentication (MFA) using Radius Server is enabled in DS. - directoryservice [medium]
[dlm_ebs_snapshot_lifecycle_policy_exists] Ensure EBS Snapshot lifecycle policies are defined. - dlm [medium]
[documentdb_instance_storage_encrypted] Check if DocumentDB instances storage is encrypted. - documentdb [medium]
[drs_job_exist] Ensure DRS is enabled with jobs. - drs [medium]
[dynamodb_accelerator_cluster_encryption_enabled] Check if DynamoDB DAX Clusters are encrypted at rest. - dynamodb [medium]
[dynamodb_table_cross_account_access] DynamoDB tables should not be accessible from other AWS accounts - dynamodb [medium]
[dynamodb_tables_kms_cmk_encryption_enabled] Check if DynamoDB table has encryption at rest enabled using CMK KMS. - dynamodb [medium]
[dynamodb_tables_pitr_enabled] Check if DynamoDB tables point-in-time recovery (PITR) is enabled. - dynamodb [medium]
[ec2_ami_public] Ensure there are no EC2 AMIs set as Public. - ec2 [critical]
[ec2_ebs_default_encryption] Check if EBS Default Encryption is activated. - ec2 [medium]
[ec2_ebs_public_snapshot] Ensure there are no EBS Snapshots set as Public. - ec2 [critical]
[ec2_ebs_snapshot_account_block_public_access] Ensure that public access to EBS snapshots is disabled - ec2 [high]
[ec2_ebs_snapshots_encrypted] Check if EBS snapshots are encrypted. - ec2 [medium]
[ec2_ebs_volume_encryption] Ensure there are no unencrypted EBS Volumes. - ec2 [medium]
[ec2_ebs_volume_snapshots_exists] Check if EBS snapshots exist. - ec2 [medium]
[ec2_elastic_ip_shodan] Check if any of the Elastic or Public IP are in Shodan (requires Shodan API KEY). - ec2 [high]
[ec2_elastic_ip_unassigned] Check if there is any unassigned Elastic IP. - ec2 [low]
[ec2_instance_account_imdsv2_enabled] Ensure Instance Metadata Service Version 2 (IMDSv2) is enforced for EC2 instances at the account level to protect against SSRF vulnerabilities. - ec2 [medium]
[ec2_instance_detailed_monitoring_enabled] Check if EC2 instances have detailed monitoring enabled. - ec2 [low]
[ec2_instance_imdsv2_enabled] Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required. - ec2 [medium]
[ec2_instance_internet_facing_with_instance_profile] Check for internet facing EC2 instances with Instance Profiles attached. - ec2 [medium]
[ec2_instance_managed_by_ssm] Check if EC2 instances are managed by Systems Manager. - ec2 [medium]
[ec2_instance_older_than_specific_days] Check EC2 Instances older than specific days. - ec2 [medium]
[ec2_instance_port_cassandra_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to Elasticsearch and Kibana ports (TCP 9200, 9300, 5601). - ec2 [critical]
[ec2_instance_port_cifs_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 139 or 445 (CIFS). - ec2 [critical]
[ec2_instance_port_ftp_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 20 or 21 (FTP) - ec2 [critical]
[ec2_instance_port_kafka_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 11211 (Memcached). - ec2 [critical]
[ec2_instance_port_kerberos_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 88, 464, 749 or 750 (Kerberos). - ec2 [critical]
[ec2_instance_port_ldap_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 389 or 636 (LDAP). - ec2 [critical]
[ec2_instance_port_mongodb_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 27017 or 27018 (MongoDB) - ec2 [critical]
[ec2_instance_port_oracle_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 1521, 2483 or 2484 (Oracle). - ec2 [critical]
[ec2_instance_port_postgresql_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 5432 (PostgreSQL) - ec2 [critical]
[ec2_instance_port_rdp_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 3389 (RDP) - ec2 [critical]
[ec2_instance_port_redis_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 6379 (Redis). - ec2 [critical]
[ec2_instance_port_sqlserver_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 1433 or 1434 (SQL Server). - ec2 [critical]
[ec2_instance_port_ssh_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 22 (SSH) - ec2 [critical]
[ec2_instance_port_telnet_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 23 (Telnet). - ec2 [critical]
[ec2_instance_profile_attached] Ensure IAM instance roles are used for AWS resource access from instances - ec2 [medium]
[ec2_instance_public_ip] Check for EC2 Instances with Public IP. - ec2 [medium]
[ec2_instance_secrets_user_data] Find secrets in EC2 User Data. - ec2 [critical]
[ec2_launch_template_no_secrets] Find secrets in EC2 Launch Template - ec2 [critical]
[ec2_networkacl_allow_ingress_any_port] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port. - ec2 [medium]
[ec2_networkacl_allow_ingress_tcp_port_22] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to SSH port 22 - ec2 [medium]
[ec2_networkacl_allow_ingress_tcp_port_3389] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to Microsoft RDP port 3389 - ec2 [medium]
[ec2_securitygroup_allow_ingress_from_internet_to_all_ports] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to all ports. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_any_port] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to SSH port 22. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23. - ec2 [high]
[ec2_securitygroup_allow_wide_open_public_ipv4] Ensure no security groups allow ingress from wide-open non-RFC1918 address. - ec2 [high]
[ec2_securitygroup_default_restrict_traffic] Ensure the default security group of every VPC restricts all traffic. - ec2 [high]
[ec2_securitygroup_from_launch_wizard] Security Groups created by EC2 Launch Wizard. - ec2 [medium]
[ec2_securitygroup_not_used] Ensure there are no unused Security Groups. - ec2 [low]
[ec2_securitygroup_with_many_ingress_egress_rules] Find security groups with more than 50 ingress or egress rules. - ec2 [high]
[ecr_registry_scan_images_on_push_enabled] Check if ECR Registry has scan on push enabled - ecr [medium]
[ecr_repositories_lifecycle_policy_enabled] Check if ECR repositories have lifecycle policies enabled - ecr [low]
[ecr_repositories_not_publicly_accessible] Ensure there are no ECR repositories set as Public - ecr [critical]
[ecr_repositories_scan_images_on_push_enabled] [DEPRECATED] Check if ECR image scan on push is enabled - ecr [medium]
[ecr_repositories_scan_vulnerabilities_in_latest_image] Check if ECR image scan found vulnerabilities in the newest image version - ecr [medium]
[ecs_task_definitions_no_environment_secrets] Check if secrets exist in ECS task definition environment variables - ecs [critical]
[efs_encryption_at_rest_enabled] Check if EFS protects sensitive data with encryption at rest - efs [medium]
[efs_have_backup_enabled] Check if EFS File systems have backup enabled - efs [medium]
[efs_not_publicly_accessible] Check if EFS file systems have policies which allow access to any client within the VPC - efs [medium]
[eks_cluster_kms_cmk_encryption_in_secrets_enabled] Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) - eks [medium]
[eks_cluster_network_policy_enabled] Ensure Network Policy is Enabled and Set as Appropriate - eks [high]
[eks_cluster_private_nodes_enabled] Ensure Clusters are created with Private Nodes - eks [high]
[eks_control_plane_endpoint_access_restricted] Restrict Access to the EKS Control Plane Endpoint - eks [medium]
[eks_control_plane_logging_all_types_enabled] Ensure EKS Control Plane Audit Logging is enabled for all log types - eks [medium]
[eks_endpoints_not_publicly_accessible] Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled - eks [high]
[elasticache_cluster_uses_public_subnet] Ensure Elasticache Cluster is not using a public subnet - elasticache [medium]
[elb_insecure_ssl_ciphers] Check if Elastic Load Balancers have insecure SSL ciphers. - elb [medium]
[elb_internet_facing] Check for internet facing Elastic Load Balancers. - elb [medium]
[elb_logging_enabled] Check if Elastic Load Balancers have logging enabled. - elb [medium]
[elb_ssl_listeners] Check if Elastic Load Balancers have SSL listeners. - elb [medium]
[elbv2_deletion_protection] Check if Elastic Load Balancers have deletion protection enabled. - elbv2 [medium]
[elbv2_desync_mitigation_mode] Check whether the Application Load Balancer is configured with the strictest desync mitigation mode; if not, check if it is at least configured with the drop_invalid_header_fields attribute - elbv2 [medium]
[elbv2_insecure_ssl_ciphers] Check if Elastic Load Balancers have insecure SSL ciphers. - elbv2 [medium]
[elbv2_internet_facing] Check for internet facing Elastic Load Balancers. - elbv2 [medium]
[elbv2_listeners_underneath] Check if ELBV2 has listeners underneath. - elbv2 [medium]
[elbv2_logging_enabled] Check if Elastic Load Balancers have logging enabled. - elbv2 [medium]
[elbv2_ssl_listeners] Check if Elastic Load Balancers have SSL listeners. - elbv2 [medium]
[elbv2_waf_acl_attached] Check if Application Load Balancer has a WAF ACL attached. - elbv2 [medium]
[emr_cluster_account_public_block_enabled] EMR Account Public Access Block enabled. - emr [high]
[emr_cluster_master_nodes_no_public_ip] EMR Cluster without Public IP. - emr [medium]
[emr_cluster_publicly_accesible] Publicly accessible EMR Cluster. - emr [medium]
[eventbridge_bus_cross_account_access] Ensure that AWS EventBridge event buses do not allow unknown cross-account access for delivery of events. - eventbridge [high]
[eventbridge_bus_exposed] Ensure that your AWS EventBridge event bus is not exposed to everyone - eventbridge [high]
[eventbridge_schema_registry_cross_account_access] Ensure that AWS EventBridge schema registries do not allow unknown cross-account access for delivery of events. - eventbridge [high]
[fms_policy_compliant] Ensure that all FMS policies inside an admin account are compliant - fms [medium]
[glacier_vaults_policy_public_access] Check if S3 Glacier vaults have policies which allow access to everyone. - glacier [critical]
[glue_data_catalogs_connection_passwords_encryption_enabled] Check if Glue data catalog settings have encrypt connection password enabled. - glue [medium]
[glue_data_catalogs_metadata_encryption_enabled] Check if Glue data catalog settings have metadata encryption enabled. - glue [medium]
[glue_database_connections_ssl_enabled] Check if Glue database connection has SSL connection enabled. - glue [medium]
[glue_development_endpoints_cloudwatch_logs_encryption_enabled] Check if Glue development endpoints have CloudWatch logs encryption enabled. - glue [medium]
[glue_development_endpoints_job_bookmark_encryption_enabled] Check if Glue development endpoints have Job bookmark encryption enabled. - glue [medium]
[glue_development_endpoints_s3_encryption_enabled] Check if Glue development endpoints have S3 encryption enabled. - glue [medium]
[glue_etl_jobs_amazon_s3_encryption_enabled] Check if Glue ETL Jobs have S3 encryption enabled. - glue [medium]
[glue_etl_jobs_cloudwatch_logs_encryption_enabled] Check if Glue ETL Jobs have CloudWatch Logs encryption enabled. - glue [medium]
[glue_etl_jobs_job_bookmark_encryption_enabled] Check if Glue ETL Jobs have Job bookmark encryption enabled. - glue [medium]
[guardduty_centrally_managed] GuardDuty is centrally managed - guardduty [medium]
[guardduty_is_enabled] Check if GuardDuty is enabled - guardduty [medium]
[guardduty_no_high_severity_findings] There are High severity GuardDuty findings - guardduty [high]
[iam_administrator_access_with_mfa] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled - iam [high]
[iam_avoid_root_usage] Avoid the use of the root accounts - iam [high]
[iam_aws_attached_policy_no_administrative_privileges] Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached - iam [high]
[iam_check_saml_providers_sts] Check if SAML Providers exist so that STS federation can be used - iam [low]
[iam_customer_attached_policy_no_administrative_privileges] Ensure IAM Customer-Managed policies that allow full "*:*" administrative privileges are not attached - iam [high]
[iam_customer_unattached_policy_no_administrative_privileges] Ensure IAM policies that allow full "*:*" administrative privileges are not created - iam [low]
[iam_inline_policy_no_administrative_privileges] Ensure inline policies that allow full "*:*" administrative privileges are not associated to IAM identities - iam [high]
[iam_no_custom_policy_permissive_role_assumption] Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) - iam [high]
[iam_no_expired_server_certificates_stored] Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed. - iam [critical]
[iam_no_root_access_key] Ensure no root account access key exists - iam [critical]
[iam_password_policy_expires_passwords_within_90_days_or_less] Ensure IAM password policy expires passwords within 90 days or less - iam [medium]
[iam_password_policy_lowercase] Ensure IAM password policy requires at least one lowercase letter - iam [medium]
[iam_password_policy_minimum_length_14] Ensure IAM password policy requires minimum length of 14 or greater - iam [medium]
[iam_password_policy_number] Ensure IAM password policy requires at least one number - iam [medium]
[iam_password_policy_reuse_24] Ensure IAM password policy prevents password reuse: 24 or greater - iam [medium]
[iam_password_policy_symbol] Ensure IAM password policy requires at least one symbol - iam [medium]
[iam_password_policy_uppercase] Ensure IAM password policy requires at least one uppercase letter - iam [medium]
[iam_policy_allows_privilege_escalation] Ensure no Customer Managed IAM policies allow actions that may lead to Privilege Escalation - iam [high]
[iam_policy_attached_only_to_group_or_roles] Ensure IAM policies are attached only to groups or roles - iam [low]
[iam_policy_no_full_access_to_cloudtrail] Ensure IAM policies that allow full "cloudtrail:*" privileges are not created - iam [medium]
[iam_policy_no_full_access_to_kms] Ensure IAM policies that allow full "kms:*" privileges are not created - iam [medium]
[iam_role_administratoraccess_policy] Ensure IAM Roles do not have AdministratorAccess policy attached - iam [high]
[iam_role_cross_account_readonlyaccess_policy] Ensure IAM roles do not grant ReadOnlyAccess to external AWS accounts - iam [high]
[iam_role_cross_service_confused_deputy_prevention] Ensure IAM service roles are protected against cross-service confused deputy attacks - iam [high]
[iam_root_hardware_mfa_enabled] Ensure only hardware MFA is enabled for the root account - iam [critical]
[iam_root_mfa_enabled] Ensure MFA is enabled for the root account - iam [critical]
[iam_rotate_access_key_90_days] Ensure access keys are rotated every 90 days or less - iam [medium]
[iam_securityaudit_role_created] Ensure a Security Audit role has been created to conduct security audits - iam [low]
[iam_support_role_created] Ensure a support role has been created to manage incidents with AWS Support - iam [medium]
[iam_user_accesskey_unused] Ensure unused user access keys are disabled - iam [medium]
[iam_user_console_access_unused] Ensure unused user console access is disabled - iam [medium]
[iam_user_hardware_mfa_enabled] Check if IAM users have Hardware MFA enabled. - iam [medium]
[iam_user_mfa_enabled_console_access] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password. - iam [high]
[iam_user_no_setup_initial_access_key] Ensure access keys are not set up during initial user setup for IAM users that have a console password - iam [medium]
[iam_user_two_active_access_key] Check if IAM users have two active access keys - iam [medium]
[iam_user_with_temporary_credentials] Ensure users make use of temporary credentials assuming IAM roles - iam [medium]
[inspector2_active_findings_exist] Check if Inspector2 findings exist - inspector2 [medium]
[inspector2_is_enabled] Check if Inspector2 is enabled - inspector2 [medium]
[kafka_cluster_encryption_at_rest_uses_cmk] Ensure Kafka Cluster Encryption at Rest Uses Customer Managed Keys (CMK) - kafka [medium]
[kafka_cluster_enhanced_monitoring_enabled] Ensure Enhanced Monitoring is Enabled for MSK (Kafka) Brokers - kafka [medium]
[kafka_cluster_in_transit_encryption_enabled] Ensure Kafka Cluster Encryption in Transit is Enabled - kafka [medium]
[kafka_cluster_is_public] Check if Kafka clusters are exposed to the public - kafka [high]
[kafka_cluster_mutual_tls_authentication_enabled] Ensure Mutual TLS Authentication is Enabled for Kafka Cluster - kafka [medium]
[kafka_cluster_unrestricted_access_disabled] Ensure unrestricted (unauthenticated) access is disabled for Kafka clusters - kafka [high]
[kafka_cluster_uses_latest_version] MSK cluster should use the latest version. - kafka [medium]
[kms_cmk_are_used] Check for customer managed KMS keys (CMKs) that are not used. - kms [medium]
[kms_cmk_rotation_enabled] Ensure rotation for customer created KMS CMKs is enabled. - kms [medium]
[kms_key_not_publicly_accessible] Check for KMS keys whose key policy makes them publicly accessible. - kms [medium]
[lightsail_database_public] Check if Lightsail databases are in public mode. - lightsail [high]
[lightsail_instance_automated_snapshots] Check if instances have automated snapshots enabled - lightsail [medium]
[lightsail_instance_public] Ensure that Lightsail instances are not publicly accessible - lightsail [high]
[lightsail_static_ip_unused] Check for static IPs that are allocated but not attached to any instance - lightsail [low]
[macie_is_enabled] Check if Amazon Macie is enabled. - macie [low]
[neptune_cluster_uses_public_subnet] Ensure Neptune Cluster is not using a public subnet - neptune [medium]
[networkfirewall_in_all_vpc] Ensure all VPCs have Network Firewall enabled - network-firewall [medium]
[opensearch_service_domains_audit_logging_enabled] Check if Amazon Elasticsearch/Opensearch Service domains have audit logging enabled - opensearch [low]
[opensearch_service_domains_cloudwatch_logging_enabled] Check if Amazon Elasticsearch/Opensearch Service domains have logging enabled - opensearch [medium]
[opensearch_service_domains_encryption_at_rest_enabled] Check if Amazon Elasticsearch/Opensearch Service domains have encryption at-rest enabled - opensearch [medium]
[opensearch_service_domains_https_communications_enforced] Check if Amazon Elasticsearch/Opensearch Service domains have enforce HTTPS enabled - opensearch [medium]
[opensearch_service_domains_internal_user_database_enabled] Check if Amazon Elasticsearch/Opensearch Service domains have internal user database enabled - opensearch [medium]
[opensearch_service_domains_node_to_node_encryption_enabled] Check if Amazon Elasticsearch/Opensearch Service domains have node-to-node encryption enabled - opensearch [medium]
[opensearch_service_domains_not_publicly_accessible] Check if Amazon OpenSearch/Elasticsearch domains are public or have an open access policy - opensearch [critical]
[opensearch_service_domains_updated_to_the_latest_service_software_version] Check if Amazon Elasticsearch/Opensearch Service domains have updates available - opensearch [low]
[opensearch_service_domains_use_cognito_authentication_for_kibana] Check if Amazon Elasticsearch/Opensearch Service domains have either Amazon Cognito or SAML authentication for Kibana enabled - opensearch [high]
[organizations_account_part_of_organizations] Check if the account is part of an AWS Organization - organizations [medium]
[organizations_delegated_administrators] Check if AWS Organizations delegated administrators are trusted - organizations [high]
[organizations_scp_check_deny_regions] Check if AWS Regions are restricted with SCP policies - organizations [low]
[organizations_tags_policies_enabled_and_attached] Check if an AWS Organization has tags policies enabled and attached. - organizations [medium]
[rds_instance_backup_enabled] Check if RDS instances have backup enabled. - rds [medium]
[rds_instance_certificate_expiration] Ensure that the SSL/TLS certificates configured for your Amazon RDS are not expired. - rds [high]
[rds_instance_deletion_protection] Check if RDS instances have deletion protection enabled. - rds [medium]
[rds_instance_deprecated_engine_version] Check if RDS instance is using a supported engine version - rds [medium]
[rds_instance_enhanced_monitoring_enabled] Check if RDS instances have enhanced monitoring enabled. - rds [low]
[rds_instance_integration_cloudwatch_logs] Check if RDS instances are integrated with CloudWatch Logs. - rds [medium]
[rds_instance_minor_version_upgrade_enabled] Ensure RDS instances have minor version upgrade enabled. - rds [low]
[rds_instance_multi_az] Check if RDS instances have multi-AZ enabled. - rds [medium]
[rds_instance_no_public_access] Ensure there are no publicly accessible RDS instances. - rds [critical]
[rds_instance_storage_encrypted] Check if RDS instances storage is encrypted. - rds [medium]
[rds_instance_transport_encrypted] Check if RDS instances client connections are encrypted (Microsoft SQL Server, PostgreSQL, MySQL, MariaDB, Aurora PostgreSQL, and Aurora MySQL). - rds [high]
[rds_snapshots_public_access] Check if RDS Snapshots and Cluster Snapshots are public. - rds [critical]
[redshift_cluster_audit_logging] Check if Redshift cluster has audit logging enabled - redshift [medium]
[redshift_cluster_automated_snapshot] Check if Redshift Clusters have automated snapshots enabled - redshift [medium]
[redshift_cluster_automatic_upgrades] Check for Redshift Automatic Version Upgrade - redshift [high]
[redshift_cluster_public_access] Check for Publicly Accessible Redshift Clusters - redshift [high]
[resourceexplorer2_indexes_found] Resource Explorer Indexes Found - resourceexplorer2 [low]
[route53_dangling_ip_subdomain_takeover] Check if Route53 Records contains dangling IPs. - route53 [high]
[route53_domains_privacy_protection_enabled] Enable Privacy Protection for a Route53 Domain. - route53 [medium]
[route53_domains_transferlock_enabled] Enable Transfer Lock for a Route53 Domain. - route53 [medium]
[route53_public_hosted_zones_cloudwatch_logging_enabled] Check if Route53 public hosted zones are logging queries to CloudWatch Logs. - route53 [medium]
[s3_account_level_public_access_blocks] Check S3 Account Level Public Access Block. - s3 [high]
[s3_bucket_acl_prohibited] Check if S3 buckets have ACLs enabled - s3 [medium]
[s3_bucket_default_encryption] Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it. - s3 [medium]
[s3_bucket_kms_encryption] Check if S3 buckets have KMS encryption enabled. - s3 [medium]
[s3_bucket_level_public_access_block] Check S3 Bucket Level Public Access Block. - s3 [medium]
[s3_bucket_no_mfa_delete] Check if S3 bucket MFA Delete is not enabled. - s3 [medium]
[s3_bucket_object_lock] Check if S3 buckets have object lock enabled - s3 [low]
[s3_bucket_object_versioning] Check if S3 buckets have object versioning enabled - s3 [medium]
[s3_bucket_policy_public_write_access] Check if S3 buckets have policies which allow public WRITE access. - s3 [critical]
[s3_bucket_public_access] Ensure there are no S3 buckets open to Everyone or Any AWS user. - s3 [critical]
[s3_bucket_public_list_acl] Ensure there are no S3 buckets listable by Everyone or Any AWS customer. - s3 [critical]
[s3_bucket_public_write_acl] Ensure there are no S3 buckets writable by Everyone or Any AWS customer. - s3 [critical]
[s3_bucket_secure_transport_policy] Check if S3 buckets have secure transport policy. - s3 [medium]
[s3_bucket_server_access_logging_enabled] Check if S3 buckets have server access logging enabled - s3 [medium]
[sagemaker_models_network_isolation_enabled] Check if Amazon SageMaker Models have network isolation enabled - sagemaker [medium]
[sagemaker_models_vpc_settings_configured] Check if Amazon SageMaker Models have VPC settings configured - sagemaker [medium]
[sagemaker_notebook_instance_encryption_enabled] Check if Amazon SageMaker Notebook instances have data encryption enabled - sagemaker [medium]
[sagemaker_notebook_instance_root_access_disabled] Check if Amazon SageMaker Notebook instances have root access disabled - sagemaker [medium]
[sagemaker_notebook_instance_vpc_settings_configured] Check if Amazon SageMaker Notebook instances have VPC settings configured - sagemaker [medium]
[sagemaker_notebook_instance_without_direct_internet_access_configured] Check if Amazon SageMaker Notebook instances have direct internet access - sagemaker [medium]
[sagemaker_training_jobs_intercontainer_encryption_enabled] Check if Amazon SageMaker Training jobs have intercontainer encryption enabled - sagemaker [medium]
[sagemaker_training_jobs_network_isolation_enabled] Check if Amazon SageMaker Training jobs have network isolation enabled - sagemaker [medium]
[sagemaker_training_jobs_volume_and_output_encryption_enabled] Check if Amazon SageMaker Training jobs have volume and output with KMS encryption enabled - sagemaker [medium]
[sagemaker_training_jobs_vpc_settings_configured] Check if Amazon SageMaker Training jobs have VPC settings configured. - sagemaker [medium]
[secretsmanager_automatic_rotation_enabled] Check if Secrets Manager secret rotation is enabled. - secretsmanager [medium]
[securityhub_enabled] Check if Security Hub is enabled and its standard subscriptions. - securityhub [medium]
[shield_advanced_protection_in_associated_elastic_ips] Check if Elastic IP addresses with associations are protected by AWS Shield Advanced. - shield [medium]
[shield_advanced_protection_in_classic_load_balancers] Check if Classic Load Balancers are protected by AWS Shield Advanced. - shield [medium]
[shield_advanced_protection_in_cloudfront_distributions] Check if Cloudfront distributions are protected by AWS Shield Advanced. - shield [medium]
[shield_advanced_protection_in_global_accelerators] Check if Global Accelerators are protected by AWS Shield Advanced. - shield [medium]
[shield_advanced_protection_in_internet_facing_load_balancers] Check if internet-facing Application Load Balancers are protected by AWS Shield Advanced. - shield [medium]
[shield_advanced_protection_in_route53_hosted_zones] Check if Route53 hosted zones are protected by AWS Shield Advanced. - shield [medium]
[sns_subscription_not_using_http_endpoints] Ensure there are no SNS subscriptions using HTTP endpoints - sns [high]
[sns_topics_kms_encryption_at_rest_enabled] Ensure SNS topics are encrypted at rest with KMS - sns [high]
[sns_topics_not_publicly_accessible] Check if SNS topics have policy set as Public - sns [high]
[sqs_queues_not_publicly_accessible] Check if SQS queues have policy set as Public - sqs [critical]
[sqs_queues_server_side_encryption_enabled] Check if SQS queues have Server Side Encryption enabled - sqs [medium]
[ssm_document_secrets] Find secrets in SSM Documents. - ssm [critical]
[ssm_documents_set_as_public] Check if there are SSM Documents set as public. - ssm [high]
[ssm_managed_compliant_patching] Check if EC2 instances managed by Systems Manager are compliant with patching requirements. - ssm [high]
[ssmincidents_enabled_with_plans] Ensure SSM Incidents is enabled with response plans. - ssm [low]
[storagegateway_fileshare_encryption_enabled] Check if AWS StorageGateway File Shares are encrypted with KMS CMK. - storagegateway [low]
[trustedadvisor_errors_and_warnings] Check Trusted Advisor for errors and warnings. - trustedadvisor [medium]
[trustedadvisor_premium_support_plan_subscribed] Check if a Premium support plan is subscribed - support [low]
[vpc_different_regions] Ensure there are VPCs in more than one region - vpc [medium]
[vpc_endpoint_connections_trust_boundaries] Find trust boundaries in VPC endpoint connections. - vpc [medium]
[vpc_endpoint_services_allowed_principals_trust_boundaries] Find trust boundaries in VPC endpoint services allowlisted principals. - vpc [medium]
[vpc_flow_logs_enabled] Ensure VPC Flow Logging is Enabled in all VPCs. - vpc [medium]
[vpc_peering_routing_tables_with_least_privilege] Ensure routing tables for VPC peering follow least privilege. - vpc [medium]
[vpc_subnet_different_az] Ensure all VPCs have subnets in more than one availability zone - vpc [medium]
[vpc_subnet_no_public_ip_by_default] Ensure VPC subnets do not assign public IP by default - vpc [medium]
[vpc_subnet_separate_private_public] Ensure all VPCs have public and private subnets defined - vpc [medium]
[wafv2_webacl_logging_enabled] Check if AWS WAFv2 WebACL logging is enabled - wafv2 [medium]
[wellarchitected_workload_no_high_or_medium_risks] Check for medium and high risks identified in workloads defined in the AWS Well-Architected Tool. - wellarchitected [medium]
[workspaces_volume_encryption_enabled] Ensure Amazon WorkSpaces storage volumes are encrypted - workspaces [high]
[workspaces_vpc_2private_1public_subnets_nat] Ensure WorkSpaces VPCs follow best practice: one public subnet and two private subnets with a NAT Gateway attached - workspaces [medium]
There are 359 available checks.
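Several of the IAM and S3 checks above (iam_customer_unattached_policy_no_administrative_privileges, iam_inline_policy_no_administrative_privileges, iam_no_custom_policy_permissive_role_assumption, iam_role_cross_service_confused_deputy_prevention and s3_bucket_policy_public_write_access) come down to the same work: normalising an IAM policy document and inspecting its Allow statements. The block below is an added illustration of that logic written for this page; it is not Prowler's code and its sample policies are constructed for the example (the account ID, role and bucket names are placeholders). It simplifies in two documented places: any Condition is treated as narrowing a grant, and NotAction statements are skipped.

```python
"""Reference logic for a few of the IAM and S3 policy checks listed above.
Added illustration for this page, not Prowler's own code; sample policies are
constructed for the example and belong to no real account."""
import fnmatch

# ---- constructed sample policy documents (example data, placeholder IDs) ----
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ASSUME_ANY = {"Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"}]}
ASSUME_SCOPED = {"Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Resource": "arn:aws:iam::111122223333:role/deploy"}}
TRUST_UNGUARDED = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                  "Principal": {"Service": "sns.amazonaws.com"}}]}
TRUST_GUARDED = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                "Principal": {"Service": "sns.amazonaws.com"},
                                "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]}
PUBLIC_WRITE = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
                               "Resource": "arn:aws:s3:::example-bucket/*"}]}
PUBLIC_READ = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::example-bucket/*"}]}

def statements(policy):
    """'Statement' may be a single object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)

def as_list(value):
    """Action/Resource/Principal.AWS may be a string or a list."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)

def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allow_statements(policy):
    """Allow statements that use Action. NotAction is skipped here (simplification):
    an Allow with NotAction grants everything not listed and needs its own check."""
    return [s for s in statements(policy)
            if s.get("Effect") == "Allow" and "Action" in s]

def allows_full_admin(policy):
    """iam_*_no_administrative_privileges: "*" (or "*:*") on Resource "*"."""
    return any("Condition" not in s
               and any(a in ("*", "*:*") for a in as_list(s["Action"]))
               and "*" in as_list(s.get("Resource"))
               for s in allow_statements(policy))

def allows_permissive_assume_role(policy):
    """iam_no_custom_policy_permissive_role_assumption: sts:AssumeRole, or a
    wildcard such as "sts:*" or "*" that covers it, on Resource "*"."""
    return any("*" in as_list(s.get("Resource"))
               and any(action_matches(a, "sts:AssumeRole") for a in as_list(s["Action"]))
               for s in allow_statements(policy))

# Global condition keys that pin a service principal to resources you own.
GUARD_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceorgid"}

def prevents_confused_deputy(trust_policy):
    """iam_role_cross_service_confused_deputy_prevention: every Allow for a
    Service principal must carry a Condition on one of GUARD_KEYS."""
    for s in statements(trust_policy):
        principal = s.get("Principal")
        if s.get("Effect") != "Allow" or not isinstance(principal, dict) \
                or "Service" not in principal:
            continue
        keys = {k.lower() for op in s.get("Condition", {}).values() for k in op}
        if not keys & GUARD_KEYS:
            return False
    return True

def is_public_principal(principal):
    """Anonymous ("*") or any-AWS-account ({"AWS": "*"}) principal."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in as_list(principal.get("AWS")))

WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketPolicy", "s3:PutBucketAcl")

def bucket_policy_allows_public_write(policy):
    """s3_bucket_policy_public_write_access: a public principal granted a
    write-class action with no Condition. Treating any Condition as narrowing
    is a simplification; a real check should inspect the condition keys."""
    return any("Condition" not in s and is_public_principal(s.get("Principal"))
               and any(action_matches(a, w) for a in as_list(s["Action"])
                       for w in WRITE_ACTIONS)
               for s in allow_statements(policy))

if __name__ == "__main__":
    for name, result in [("full admin", allows_full_admin(ADMIN)),
                         ("assume any role", allows_permissive_assume_role(ASSUME_ANY)),
                         ("confused deputy guarded", prevents_confused_deputy(TRUST_GUARDED)),
                         ("public write", bucket_policy_allows_public_write(PUBLIC_WRITE))]:
        print(f"{name}: {result}")
```

The matching direction matters: the policy's own action string is the pattern and the sensitive action is the subject, so "s3:*" or "*" in a policy is correctly counted as covering s3:PutObject or sts:AssumeRole, while a policy naming only s3:GetObject is not. Running the functions over real policies means pulling them with get_policy_version, get_role and get_bucket_policy for each resource; the parsing is the same.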