forked from awslabs/aws-security-assessment-solution
-
Notifications
You must be signed in to change notification settings - Fork 0
/
intermediate_checks.txt
114 lines (110 loc) · 13.6 KB
/
intermediate_checks.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
_
_ __ _ __ _____ _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V V /| | __/ |
| .__/|_| \___/ \_/\_/ |_|\___|_|v4.2.4
|_| the handy multi-cloud security tool
Date: 2024-06-11 10:54:01
[acm_certificates_expiration_check] Check if ACM Certificates are about to expire in specific days or less - acm [high]
[autoscaling_find_secrets_ec2_launch_configuration] Find secrets in EC2 Auto Scaling Launch Configuration - autoscaling [critical]
[awslambda_function_no_secrets_in_code] Find secrets in Lambda functions code. - lambda [critical]
[awslambda_function_no_secrets_in_variables] Find secrets in Lambda functions variables. - lambda [critical]
[awslambda_function_not_publicly_accessible] Check if Lambda functions have resource-based policy set as Public. - lambda [critical]
[awslambda_function_url_public] Check Public Lambda Function URL. - lambda [high]
[cloudformation_stack_outputs_find_secrets] Find secrets in CloudFormation outputs - cloudformation [critical]
[cloudtrail_logs_s3_bucket_is_not_publicly_accessible] Ensure the S3 bucket CloudTrail logs is not publicly accessible - cloudtrail [critical]
[cloudtrail_multi_region_enabled] Ensure CloudTrail is enabled in all regions - cloudtrail [high]
[codeartifact_packages_external_public_publishing_disabled] Ensure CodeArtifact internal packages do not allow external public source publishing. - codeartifact [critical]
[ec2_ami_public] Ensure there are no EC2 AMIs set as Public. - ec2 [critical]
[ec2_ebs_public_snapshot] Ensure there are no EBS Snapshots set as Public. - ec2 [critical]
[ec2_ebs_snapshot_account_block_public_access] Ensure that public access to EBS snapshots is disabled - ec2 [high]
[ec2_elastic_ip_shodan] Check if any of the Elastic or Public IP are in Shodan (requires Shodan API KEY). - ec2 [high]
[ec2_instance_port_cassandra_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to Elasticsearch and Kibana ports (TCP 9200, 9300, 5601). - ec2 [critical]
[ec2_instance_port_cifs_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 139 or 445 (CIFS). - ec2 [critical]
[ec2_instance_port_ftp_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 20 or 21 (FTP) - ec2 [critical]
[ec2_instance_port_kafka_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 11211 (Memcached). - ec2 [critical]
[ec2_instance_port_kerberos_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 88, 464, 749 or 750 (Kerberos). - ec2 [critical]
[ec2_instance_port_ldap_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 389 or 636 (LDAP). - ec2 [critical]
[ec2_instance_port_mongodb_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 27017 or 27018 (MongoDB) - ec2 [critical]
[ec2_instance_port_oracle_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 1521, 2483 or 2484 (Oracle). - ec2 [critical]
[ec2_instance_port_postgresql_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 5432 (PostgreSQL) - ec2 [critical]
[ec2_instance_port_rdp_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 3389 (RDP) - ec2 [critical]
[ec2_instance_port_redis_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 6379 (Redis). - ec2 [critical]
[ec2_instance_port_sqlserver_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 1433 or 1434 (SQL Server). - ec2 [critical]
[ec2_instance_port_ssh_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 22 (SSH) - ec2 [critical]
[ec2_instance_port_telnet_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 23 (Telnet). - ec2 [critical]
[ec2_instance_secrets_user_data] Find secrets in EC2 User Data. - ec2 [critical]
[ec2_launch_template_no_secrets] Find secrets in EC2 Launch Template - ec2 [critical]
[ec2_securitygroup_allow_ingress_from_internet_to_all_ports] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to all ports. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_any_port] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to SSH port 22. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23. - ec2 [high]
[ec2_securitygroup_allow_wide_open_public_ipv4] Ensure no security groups allow ingress from wide-open non-RFC1918 address. - ec2 [high]
[ec2_securitygroup_default_restrict_traffic] Ensure the default security group of every VPC restricts all traffic. - ec2 [high]
[ec2_securitygroup_with_many_ingress_egress_rules] Find security groups with more than 50 ingress or egress rules. - ec2 [high]
[ecr_repositories_not_publicly_accessible] Ensure there are no ECR repositories set as Public - ecr [critical]
[ecs_task_definitions_no_environment_secrets] Check if secrets exists in ECS task definitions environment variables - ecs [critical]
[eks_cluster_network_policy_enabled] Ensure Network Policy is Enabled and Set as Appropriate - eks [high]
[eks_cluster_private_nodes_enabled] Ensure Clusters are created with Private Nodes - eks [high]
[eks_endpoints_not_publicly_accessible] Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled - eks [high]
[emr_cluster_account_public_block_enabled] EMR Account Public Access Block enabled. - emr [high]
[eventbridge_bus_cross_account_access] Ensure that AWS EventBridge event buses do not allow unknown cross-account access for delivery of events. - eventbridge [high]
[eventbridge_bus_exposed] Ensure that your AWS EventBridge event bus is not exposed to everyone - eventbridge [high]
[eventbridge_schema_registry_cross_account_access] Ensure that AWS EventBridge schema registries do not allow unknown cross-account access for delivery of events. - eventbridge [high]
[glacier_vaults_policy_public_access] Check if S3 Glacier vaults have policies which allow access to everyone. - glacier [critical]
[guardduty_no_high_severity_findings] There are High severity GuardDuty findings - guardduty [high]
[iam_administrator_access_with_mfa] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled - iam [high]
[iam_avoid_root_usage] Avoid the use of the root accounts - iam [high]
[iam_aws_attached_policy_no_administrative_privileges] Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached - iam [high]
[iam_customer_attached_policy_no_administrative_privileges] Ensure IAM Customer-Managed policies that allow full "*:*" administrative privileges are not attached - iam [high]
[iam_inline_policy_no_administrative_privileges] Ensure inline policies that allow full "*:*" administrative privileges are not associated to IAM identities - iam [high]
[iam_no_custom_policy_permissive_role_assumption] Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) - iam [high]
[iam_no_expired_server_certificates_stored] Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed. - iam [critical]
[iam_no_root_access_key] Ensure no root account access key exists - iam [critical]
[iam_policy_allows_privilege_escalation] Ensure no Customer Managed IAM policies allow actions that may lead into Privilege Escalation - iam [high]
[iam_role_administratoraccess_policy] Ensure IAM Roles do not have AdministratorAccess policy attached - iam [high]
[iam_role_cross_account_readonlyaccess_policy] Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts - iam [high]
[iam_role_cross_service_confused_deputy_prevention] Ensure IAM Service Roles prevents against a cross-service confused deputy attack - iam [high]
[iam_root_hardware_mfa_enabled] Ensure only hardware MFA is enabled for the root account - iam [critical]
[iam_root_mfa_enabled] Ensure MFA is enabled for the root account - iam [critical]
[iam_user_mfa_enabled_console_access] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password. - iam [high]
[kafka_cluster_is_public] Kafka Cluster Exposed to the Public - kafka [high]
[kafka_cluster_unrestricted_access_disabled] Ensure Kafka Cluster has unrestricted access disabled - kafka [high]
[lightsail_database_public] Check if the database has the public mode. - lightsail [high]
[lightsail_instance_public] Ensure that Lightsail instances are not publicly accessible - lightsail [high]
[opensearch_service_domains_not_publicly_accessible] Check if Amazon Opensearch/Elasticsearch domains are set as Public or if it has open policy access - opensearch [critical]
[opensearch_service_domains_use_cognito_authentication_for_kibana] Check if Amazon Elasticsearch/Opensearch Service domains has either Amazon Cognito or SAML authentication for Kibana enabled - opensearch [high]
[organizations_delegated_administrators] Check if AWS Organizations delegated administrators are trusted - organizations [high]
[rds_instance_certificate_expiration] Ensure that the SSL/TLS certificates configured for your Amazon RDS are not expired. - rds [high]
[rds_instance_no_public_access] Ensure there are no Public Accessible RDS instances. - rds [critical]
[rds_instance_transport_encrypted] Check if RDS instances client connections are encrypted (Microsoft SQL Server, PostgreSQL, MySQL, MariaDB, Aurora PostgreSQL, and Aurora MySQL). - rds [high]
[rds_snapshots_public_access] Check if RDS Snapshots and Cluster Snapshots are public. - rds [critical]
[redshift_cluster_automatic_upgrades] Check for Redshift Automatic Version Upgrade - redshift [high]
[redshift_cluster_public_access] Check for Publicly Accessible Redshift Clusters - redshift [high]
[route53_dangling_ip_subdomain_takeover] Check if Route53 Records contains dangling IPs. - route53 [high]
[s3_account_level_public_access_blocks] Check S3 Account Level Public Access Block. - s3 [high]
[s3_bucket_policy_public_write_access] Check if S3 buckets have policies which allow WRITE access. - s3 [critical]
[s3_bucket_public_access] Ensure there are no S3 buckets open to Everyone or Any AWS user. - s3 [critical]
[s3_bucket_public_list_acl] Ensure there are no S3 buckets listable by Everyone or Any AWS customer. - s3 [critical]
[s3_bucket_public_write_acl] Ensure there are no S3 buckets writable by Everyone or Any AWS customer. - s3 [critical]
[sns_subscription_not_using_http_endpoints] Ensure there are no SNS subscriptions using HTTP endpoints - sns [high]
[sns_topics_kms_encryption_at_rest_enabled] Ensure there are no SNS Topics unencrypted - sns [high]
[sns_topics_not_publicly_accessible] Check if SNS topics have policy set as Public - sns [high]
[sqs_queues_not_publicly_accessible] Check if SQS queues have policy set as Public - sqs [critical]
[ssm_document_secrets] Find secrets in SSM Documents. - ssm [critical]
[ssm_documents_set_as_public] Check if there are SSM Documents set as public. - ssm [high]
[ssm_managed_compliant_patching] Check if EC2 instances managed by Systems Manager are compliant with patching requirements. - ssm [high]
[workspaces_volume_encryption_enabled] Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements - workspaces [high]
There are 102 available checks.