AWS Security Policies
The Security Policies view lists all security policies within the Cloudneeti application. The security policies for each supported cloud account type are listed below; refer to the Release Notes for the latest updates.
AWS Security Policies
Category Name | Service Name | Policy Title |
---|---|---|
AWS - Audit and Logging | CloudTrail | Ensure CloudTrail is enabled in all regions |
AWS - Audit and Logging | CloudTrail | Ensure CloudTrail log file validation is enabled |
AWS - Audit and Logging | Config | Ensure AWS Config is enabled in all regions |
AWS - Audit and Logging | CloudTrail | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
AWS - Audit and Logging | CloudTrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
AWS - Audit and Logging | Virtual Private Cloud (VPC) | Ensure VPC flow logging is enabled in all VPCs |
AWS - Audit and Logging | Simple Storage Service (S3) | Ensure S3 bucket access logging is enabled |
AWS - Audit and Logging | CloudTrail | Ensure CloudTrail trails are integrated with CloudWatch Logs |
AWS - Audit and Logging | CloudTrail | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible |
AWS - Audit and Logging | Config | Ensure that the log files (history files and snapshots) generated by AWS Config are delivered without any failures to the designated S3 bucket |
AWS - Audit and Logging | Config | Ensure AWS Config service is using an active SNS topic to monitor configuration changes |
AWS - Audit and Logging | Config | Ensure AWS Config service is using an active S3 bucket to store configuration change files |
AWS - Audit and Logging | Simple Storage Service (S3) | Ensure that object-level write event logging is enabled for S3 buckets |
AWS - Audit and Logging | Simple Storage Service (S3) | Ensure that object-level read event logging is enabled for S3 buckets |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure that Event Subscription is enabled for RDS PostgreSQL Instance |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure that Event Subscription is enabled for RDS MariaDB Instance |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure that Event Subscription is enabled for RDS Aurora Cluster |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure that Event Subscription is enabled for RDS Oracle Instances |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure that Event Subscription is enabled for RDS SQL Server Instances |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure that Event Subscription is enabled for RDS Aurora SQL Instances |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure that Event Subscription is enabled for RDS Aurora MySQL Serverless Cluster |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure Log Exports feature is enabled for RDS Aurora MySQL Serverless Cluster |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure that Event Subscription is enabled for RDS Aurora PostgreSQL Serverless Cluster |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure unsafe statement transaction logging is enabled for RDS MySQL Instances |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure Log Exports feature is enabled for RDS MySQL Instance |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure Log Exports feature is enabled for RDS MariaDB Instances |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure Log Exports feature is enabled for Aurora cluster |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure Log Exports feature is enabled for Oracle instances |
AWS - Audit and Logging | Relational Database Service (RDS) | Ensure that Event Subscription is enabled for RDS MySQL Instance |
AWS - Audit and Logging | CloudTrail | Ensure that CloudTrail trails have logging enabled |
AWS - Audit and Logging | EC2 Autoscaling Group (ASG) | Ensure that CloudWatch detailed monitoring is enabled in ASG launch configurations |
AWS - Audit and Logging | APIGateway | Ensure that CloudWatch Log feature is enabled for Amazon API Gateway |
AWS - Audit and Logging | APIGateway | Ensure that Detailed CloudWatch Metrics feature is enabled for Amazon API Gateway |
AWS - Business Continuity | EC2 Autoscaling Group (ASG) | Ensure each Auto-Scaling Group is configured for multiple Availability Zones |
AWS - Business Continuity | Simple Storage Service (S3) | Ensure S3 buckets have versioning enabled |
AWS - Business Continuity | EC2 Autoscaling Group (ASG) | Ensure Amazon Auto Scaling Groups are utilizing cooldown periods |
AWS - Business Continuity | EC2 Load Balancer (LB) | Ensure Classic Load Balancer has application layer Health Check Configured |
AWS - Business Continuity | CloudFront | Ensure all CloudFront Distributions require HTTPS between CloudFront and your ELB origin |
AWS - Business Continuity | EC2 Autoscaling Group (ASG) | Ensure Auto-Scaling Group has an associated Elastic Load Balancer |
AWS - Business Continuity | Redshift | Ensure that AWS Redshift Reserved Nodes are renewed in the next 7 days |
AWS - Business Continuity | CloudFront | Configure HTTP to HTTPS redirects with a CloudFront Viewer Protocol Policy |
AWS - Business Continuity | Redshift | Ensure that AWS Redshift Reserved Nodes are renewed in the next 30 days |
AWS - Business Continuity | CloudFormation | Ensure that Termination Protection feature is enabled for AWS CloudFormation stacks |
AWS - Business Continuity | Neptune (programmatically under Amazon Relational Database Service) | Ensure AWS Neptune clusters have a sufficient backup retention period set for compliance purposes |
AWS - Business Continuity | Neptune (programmatically under Amazon Relational Database Service) | Ensure Amazon Neptune instances have Auto Minor Version Upgrade feature enabled |
AWS - Business Continuity | Elastic Block Store (EBS) | Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery |
AWS - Business Continuity | Neptune (programmatically under Amazon Relational Database Service) | Ensure that Amazon Neptune database clusters have the Multi-AZ feature enabled |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure backup retention policy is set for RDS PostgreSQL Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Auto Minor Version Upgrade feature is Enabled for RDS PostgreSQL Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure that sufficient backup retention period is applied to RDS PostgreSQL Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Multi-AZ feature is Enabled for RDS PostgreSQL Instance |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure backup retention policy is set for RDS MariaDB Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Auto Minor Version Upgrade feature is Enabled for RDS MariaDB Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure that sufficient backup retention period is applied to RDS MariaDB Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Multi-AZ feature is Enabled for RDS MariaDB Instance |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Multi-AZ feature is Enabled for RDS Aurora Cluster |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure backup retention policy is set for RDS Aurora Cluster |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure that sufficient backup retention period is applied to RDS Aurora Cluster |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure that backtracking is enabled for RDS Aurora Cluster |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Auto Minor Version Upgrade feature is Enabled for RDS Oracle Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure backup retention policy is set for RDS Oracle Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Multi-AZ feature is Enabled for RDS Oracle Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure that sufficient backup retention period is applied to RDS Oracle Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Auto Minor Version Upgrade feature is Enabled for RDS SQL Server Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure backup retention policy is set for RDS SQL Server Instance |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure that sufficient backup retention period is applied to RDS SQL Server Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Multi-AZ feature is Enabled for RDS SQL Server Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Auto Minor Version Upgrade feature is Enabled for RDS Aurora SQL Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure that sufficient backup retention period is applied to RDS Aurora MySQL Serverless Cluster |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure that sufficient backup retention period is applied to RDS Aurora PostgreSQL Serverless Cluster |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Auto Minor Version Upgrade feature is Enabled for RDS MySQL Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure backup retention policy is set for RDS MySQL Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure that sufficient backup retention period is applied to RDS MySQL Instances |
AWS - Business Continuity | Relational Database Service (RDS) | Ensure Multi-AZ feature is Enabled for RDS MySQL Instance |
AWS - Business Continuity | EC2 Autoscaling Group (ASG) | Ensure that each autoscaling group has its health check type set to ELB |
AWS - Business Continuity | EC2 Autoscaling Group (ASG) | Ensure that termination policy for instances in an ASG is in place |
AWS - Business Continuity | EC2 Autoscaling Group (ASG) | Ensure that MaxInstanceLifetime of instances in an ASG is set |
AWS - Business Continuity | EC2 Autoscaling Group (ASG) | Ensure that DeleteOnTermination is enabled for EBS volumes in ASG launch configurations |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure all AWS EC2 instances are launched from approved AMIs |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure that EC2 instances have no Elastic or Public IP addresses associated |
AWS - Compute | Lambda | Ensure that tracing is enabled for your AWS Lambda functions |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure default EC2 security groups are not in use in order to follow AWS security best practices |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure that detailed monitoring is enabled for the AWS EC2 instances that you need to monitor closely |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure no backend EC2 instances are running in public subnets |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure EC2 instances are launched using the EC2-VPC platform instead of EC2-Classic outdated platform |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure that there are no AWS EC2 instances that have scheduled events |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure that the security group(s) associated with an EC2 instance do not have an excessive number of rules defined |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure there are no running AWS EC2 instances older than 180 days available within your AWS account |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure Instance Profiles/IAM Roles are used to appropriately grant permissions to applications running on Amazon EC2 instances |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure no EC2 security group allows inbound traffic from RFC-1918 CIDRs in order to follow AWS security best practices |
AWS - Compute | Amazon Machine Image (AMI) | Ensure that your existing AMIs are encrypted to meet security and compliance requirements |
AWS - Compute | Amazon Machine Image (AMI) | Ensure that there are no AMIs older than 180 days available within your AWS account |
AWS - Compute | Amazon Machine Image (AMI) | Ensure that unused Amazon Machine Images (AMIs) are identified and removed in order to follow AWS security best practices |
AWS - Compute | Amazon Machine Image (AMI) | Ensure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure that none of your AWS EC2 Reserved Instance purchases have failed |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure that none of your AWS EC2 Reserved Instance purchases are pending |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure Amazon EC2 Reserved Instances (RI) are renewed before expiration (less than 30 days) |
AWS - Compute | Lambda | Ensure that the latest execution environment is used for your AWS Lambda functions |
AWS - Compute | Elastic Compute Cloud Instances (EC2) | Ensure that EC2 instances provisioned in your AWS account are not associated with security groups that have their name prefixed with 'launch-wizard' |
AWS - Compute | EC2 Autoscaling Group (ASG) | Ensure that EBS optimized instances are launched using ASG launch configurations |
AWS - Compute | APIGateway | Ensure that AWS X-Ray Tracing feature is enabled for Amazon API Gateway |
AWS - Compute | Identity and Access Management (IAM) | Ensure SSL/TLS certificates are renewed 45 days before their expiration |
AWS - Compute | Identity and Access Management (IAM) | Ensure SSL/TLS certificates are renewed 30 days before their expiration |
AWS - Compute | Identity and Access Management (IAM) | Ensure SSL/TLS certificates are renewed 7 days before their expiration |
AWS - Compute | Identity and Access Management (IAM) | Ensure that your server certificates are not vulnerable to Heartbleed security bug |
AWS - Compute | Identity and Access Management (IAM) | Ensure expired SSL/TLS certificates are removed from AWS IAM |
AWS - Compute | Amazon Certificate Manager (ACM) | Ensure that wildcard certificates issued by Amazon Certificate Manager (ACM) or imported to ACM are not in use |
AWS - Compute | Amazon Certificate Manager (ACM) | Ensure there are no failed SSL/TLS certificates in the AWS Certificate Manager (ACM) |
AWS - Compute | Amazon Certificate Manager (ACM) | Ensure expired SSL/TLS certificates are removed from AWS Certificate Manager (ACM) |
AWS - Compute | Amazon Certificate Manager (ACM) | Ensure that all the requests made during SSL/TLS certificate issue or renewal process are validated |
AWS - Compute | Amazon Certificate Manager (ACM) | Ensure Amazon Certificate Manager (ACM) certificates are renewed 7 days before their expiration |
AWS - Compute | Amazon Certificate Manager (ACM) | Ensure Amazon Certificate Manager (ACM) certificates are renewed 45 days before their expiration |
AWS - Compute | Amazon Certificate Manager (ACM) | Ensure Amazon Certificate Manager (ACM) certificates are renewed 30 days before their expiration |
AWS - Compute | Amazon Certificate Manager (ACM) | Ensure unused SSL/TLS certificates are removed from AWS Certificate Manager (ACM) in order to follow AWS best practices |
AWS - Compute | Neptune (RDS) | Ensure that AWS Neptune instances enforce data-at-rest encryption using KMS CMKs |
AWS - Compute | Neptune (RDS) | Ensure that Amazon Neptune graph database instances are encrypted |
AWS - Compute | Elastic Block Store (EBS) | Ensure EBS volumes are encrypted with KMS CMKs in order to have full control over data encryption and decryption |
AWS - Compute | Simple Notification Service (SNS) | Ensure that encryption with a KMS key is implemented for each SNS topic |
AWS - Compute | Simple Queue Service (SQS) | Ensure that a KMS CMK is used to encrypt each SQS queue |
AWS - Compute | Relational Database Service (RDS) | Ensure that Transport Encryption feature is enabled for RDS SQL Server Instances |
AWS - Data Protection | Elastic Block Store (EBS) | Ensure that existing Elastic Block Store (EBS) attached volumes are encrypted |
AWS - Data Protection | Elastic Block Store (EBS) | Ensure unattached Elastic Block Store volumes are removed to improve security of data |
AWS - Data Protection | Elastic Block Store (EBS) | Ensure Amazon EBS snapshots are encrypted to meet security and compliance requirements |
AWS - Data Protection | Simple Notification Service (SNS) | Ensure Simple Notification Service subscriptions are not using HTTP as the delivery protocol |
AWS - Data Protection | Simple Notification Service (SNS) | Ensure that AWS Simple Notification Service topics are not exposed to everyone |
AWS - Data Protection | Simple Queue Service (SQS) | Ensure that AWS Simple Queue Service queues are not exposed to everyone |
AWS - Data Protection | Simple Queue Service (SQS) | Ensure that Server-Side Encryption is enabled for Amazon SQS queues |
AWS - Data Protection | Relational Database Service (RDS) | Ensure Deletion Protection feature is enabled for RDS PostgreSQL Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that encryption is enabled for RDS PostgreSQL Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure Performance Insights feature is enabled for RDS PostgreSQL Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that storage encryption is done with KMS CMKs for each RDS PostgreSQL Instance |
AWS - Data Protection | Relational Database Service (RDS) | Ensure Deletion Protection feature is enabled for RDS MariaDB Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that encryption is enabled for RDS MariaDB Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure Performance Insights feature is enabled for RDS MariaDB Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that storage encryption is done with KMS CMKs for each RDS MariaDB Instance |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that Deletion Protection feature is enabled for RDS Aurora Cluster |
AWS - Data Protection | Relational Database Service (RDS) | Ensure Deletion Protection feature is enabled for RDS Oracle Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that encryption is enabled for RDS Oracle Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure Performance Insights feature is enabled for RDS Oracle Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that storage encryption is done with KMS CMKs for each RDS Oracle Instance |
AWS - Data Protection | Relational Database Service (RDS) | Ensure Deletion Protection feature is enabled for RDS SQL Server Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that encryption is enabled for RDS SQL Server Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure Performance Insights feature is enabled for RDS SQL Server Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that storage encryption is done with KMS CMKs for each RDS SQL Server Instance |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that encryption is enabled for RDS Aurora SQL Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure Performance Insights feature is enabled for Aurora SQL Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that storage encryption is done with KMS CMKs for RDS Aurora MySQL Serverless Cluster |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that storage encryption is done with KMS CMKs for RDS Aurora SQL Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that storage encryption is done with KMS CMKs for RDS Aurora PostgreSQL Serverless Cluster |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that Deletion Protection feature is enabled for RDS Aurora MySQL Serverless Cluster |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that the latest block encryption algorithms are used for RDS MySQL Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that Deletion Protection feature is enabled for RDS Aurora PostgreSQL Serverless Cluster |
AWS - Data Protection | Relational Database Service (RDS) | Ensure FIPS standards are enabled on the server side for RDS MySQL Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that the server loads the validate password plugin at startup for RDS MySQL Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure Performance Insights feature is enabled for RDS MySQL Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure Deletion Protection feature is enabled for RDS MySQL Instances |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that storage encryption is done with KMS CMKs for each RDS MySQL Instance |
AWS - Data Protection | Relational Database Service (RDS) | Ensure that encryption is enabled for RDS MySQL Instances |
AWS - Data Protection | APIGateway | Ensure that SSL certificates are attached to Amazon API Gateway so the backend system can verify that HTTP requests it receives originate from the API Gateway service |
AWS - Data Protection | EC2 Autoscaling Group (ASG) | Ensure that encrypted EBS volumes are used in ASG launch configurations |
AWS - Data Protection | APIGateway | Ensure that API Gateway client-side SSL certificate is renewed before expiration |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Credential Validation' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Account Lockout' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Special Logon' is set to 'Success' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Removable Storage' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Authorization Policy Change' is set to 'Success' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Group Membership' is set to 'Success' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit User Account Management' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Logoff' is set to 'Success' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Logon' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Other System Events' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Security State Change' is set to 'Success' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit IPsec Driver' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Application Group Management' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit PNP Activity' is set to 'Success' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Authentication Policy Change' is set to 'Success' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Distribution Group Management' is set to 'Success and Failure' (DC only) |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Computer Account Management' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Security Group Management' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Process Creation' is set to 'Success' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Audit Policy Change' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit Security System Extension' is set to 'Success and Failure' |
AWS - Data Protection | Elastic Compute Cloud Instances (EC2) | Windows 2016 - Ensure 'Audit System Integrity' is set to 'Success and Failure' |
AWS - Governance | Relational Database Service (RDS) | Ensure Amazon RDS Reserved Instances contracts are renewed before expiration in 7 days |
AWS - Governance | Relational Database Service (RDS) | Ensure Amazon RDS Reserved Instances contracts are renewed before expiration in 30 days |
AWS - Governance | Organization | Ensure Amazon Organization is in use to consolidate all AWS accounts into an organization |
AWS - Governance | Lambda | Ensure that there are no publicly accessible AWS Lambda functions |
AWS - Governance | Simple Queue Service (SQS) | Ensure there is a Dead Letter Queue configured for each Amazon SQS queue |
AWS - Governance | Relational Database Service (RDS) | Ensure that Copy Tags to Snapshots feature is enabled for RDS PostgreSQL Instances |
AWS - Governance | Relational Database Service (RDS) | Ensure that unique master user name is used for each RDS PostgreSQL Instance |
AWS - Governance | Relational Database Service (RDS) | Ensure that Copy Tags to Snapshots feature is enabled for RDS MariaDB Instances |
AWS - Governance | Relational Database Service (RDS) | Ensure that unique master user name is used for each RDS MariaDB Instance |
AWS - Governance | Relational Database Service (RDS) | Ensure that Copy Tags to Snapshots feature is enabled for RDS Aurora Cluster |
AWS - Governance | Relational Database Service (RDS) | Ensure that Copy Tags to Snapshots feature is enabled for RDS Oracle Instances |
AWS - Governance | Relational Database Service (RDS) | Ensure that unique master user name is used for each RDS Oracle Instances |
AWS - Governance | Relational Database Service (RDS) | Ensure that Copy Tags to Snapshots feature is enabled for RDS SQL Server Instances |
AWS - Governance | Relational Database Service (RDS) | Ensure that unique master user name is used for each RDS SQL Server Instances |
AWS - Governance | Relational Database Service (RDS) | Ensure that unique master user name is used for RDS Aurora SQL Instances |
AWS - Governance | Relational Database Service (RDS) | Ensure that Copy Tags to Snapshots feature is enabled for RDS Aurora MySQL Serverless Cluster |
AWS - Governance | Relational Database Service (RDS) | Ensure that unique master user name is used for RDS Aurora MySQL Serverless Cluster |
AWS - Governance | Relational Database Service (RDS) | Ensure that AutoPause feature is enabled for RDS Aurora MySQL Serverless Cluster |
AWS - Governance | Relational Database Service (RDS) | Ensure that Copy Tags to Snapshots feature is enabled for RDS Aurora PostgreSQL Serverless Cluster |
AWS - Governance | Relational Database Service (RDS) | Ensure that AutoPause feature is enabled for RDS Aurora PostgreSQL Serverless Cluster |
AWS - Governance | Relational Database Service (RDS) | Ensure that unique master user name is used for RDS Aurora PostgreSQL Serverless Cluster |
AWS - Governance | Relational Database Service (RDS) | Ensure that Copy Tags to Snapshots feature is enabled for RDS MySQL Instances |
AWS - Governance | Relational Database Service (RDS) | Ensure that unique master user name is used for each RDS MySQL Instance |
AWS - Key Management | Key Management Service (KMS) | Ensure rotation for customer created CMKs is enabled |
AWS - Key Management | Key Management Service (KMS) | Ensure that there are no disabled Customer Master Keys (CMK) in your AWS account in order to follow AWS best practices |
AWS - Key Management | Key Management Service (KMS) | Ensure Amazon KMS master keys are not exposed to everyone |
AWS - Key Management | Key Management Service (KMS) | Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for unauthorized API calls |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for usage of 'root' account |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for IAM policy changes |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for CloudTrail configuration changes |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for S3 bucket policy changes |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for AWS Config configuration changes |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for security group changes |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for changes to network gateways |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for route table changes |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for VPC changes |
AWS - Monitoring | CloudWatch | Ensure Simple Notification Service (SNS) is integrated with AWS CloudFormation stacks |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for S3 bucket object read operations |
AWS - Monitoring | CloudWatch | Ensure a log metric filter and alarm exist for S3 bucket object write operations |
AWS - Monitoring | Simple Storage Service (S3) | Ensure that Block all public access is turned on for S3 buckets |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to TCP ports 20 and 21 (FTP) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 23 (Telnet) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 25 (SMTP) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security group allows unrestricted inbound access to TCP port 1521 (Oracle Database) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to TCP port 3306 (MySQL) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security group allows unrestricted inbound access to TCP port 5432 (PostgreSQL Database) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to TCP and UDP port 53 (DNS) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to TCP port 1433 (MSSQL) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to TCP port 445 (CIFS/SMB) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to Internet Control Message Protocol (ICMP) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security group allows unrestricted inbound access to TCP port 135 (RPC) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB port 27017 |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to port 9200 (Elasticsearch) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to port 80 (HTTP) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security groups allow ingress from 0.0.0.0/0 to port 443 (HTTPS) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security group allows unrestricted inbound access to TCP port 110 (POP3) |
AWS - Networking | EC2 Security Groups (SG) | Ensure your EC2 security groups do not have an excessive number of rules defined |
AWS - Networking | EC2 Security Groups (SG) | Ensure your AWS account does not have an excessive number of security groups per region |
AWS - Networking | Virtual Private Cloud (VPC) | Ensure routing tables for VPC peering are "least access" |
AWS - Networking | Virtual Private Cloud (VPC) | Ensure the default security group of every VPC restricts all traffic |
AWS - Networking | EC2 Load Balancer (LB) | Ensure that your AWS ELB listeners are using a secure protocol (HTTPS or SSL) |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with administrative service: Remote Desktop (TCP:3389) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with unencrypted Mongo (TCP:27017) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with HTTP (Port:80) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with administrative service: SSH (TCP:22) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with service 'SNMP' (UDP:161) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with HTTPS (Port:443) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with service 'NetBios Datagram Service' (UDP:138) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with service 'NetBios Session Service' (UDP:139) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with service 'Known internal web port' (TCP:8080) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with service 'NetBIOS Name Service' (UDP:137) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with service 'NetBios Session Service' (TCP:139) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with service 'Known internal web port' (TCP:8000) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with service 'NetBIOS Name Service' (TCP:137) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with service 'NetBios Datagram Service' (TCP:138) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with unencrypted LDAP (TCP:389) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer (ALB) with service 'Prevalent known internal port' (TCP:3000) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure that all Application Load Balancers (ALBs) available in your AWS account are associated with valid and secure security groups |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security group allows unrestricted inbound access using Internet Control Message Protocol v6 (ICMPv6) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security group allows unrestricted inbound access to all TCP traffic |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security group allows unrestricted inbound access to all UDP traffic |
AWS - Networking | EC2 Load Balancer (LB) | Ensure AWS Application Load Balancers (ALBs) are using the latest predefined security policy |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security group allows unrestricted inbound access to all traffic |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Deletion Protection feature is enabled for your AWS Application load balancers to follow security best practices |
AWS - Networking | EC2 Load Balancer (LB) | Ensure that there are no unused Application Load Balancers in your AWS account in order to follow AWS best practices |
AWS - Networking | EC2 Load Balancer (LB) | Ensure that your Application Load Balancer (ALB) listeners are using a secure protocol such as HTTPS |
AWS - Networking | EC2 Load Balancer (LB) | Ensure access logging is enabled for your AWS ALBs to follow security best practices |
AWS - Networking | EC2 Load Balancer (LB) | Ensure AWS Network Load Balancers (NLBs) are using the latest predefined security policy |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Network Load Balancer allows unrestricted inbound access to all traffic |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Deletion Protection feature is enabled for your AWS Network load balancers to follow security best practices |
AWS - Networking | EC2 Load Balancer (LB) | Ensure there are no unused Network Load Balancers in your AWS account in order to follow AWS best practices |
AWS - Networking | EC2 Load Balancer (LB) | Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS |
AWS - Networking | EC2 Load Balancer (LB) | Ensure access logging is enabled for your AWS NLBs to follow security best practices |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with unencrypted LDAP (TCP:389) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure that all Network Load Balancers (NLBs) available in your AWS account are associated with valid and secure security groups |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'NetBIOS Name Service' (TCP:137) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'Prevalent known internal port' (TCP:3000) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'NetBios Session Service' (TCP:139) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'NetBios Datagram Service' (TCP:138) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'Known internal web port' (TCP:8080) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'Known internal web port' (TCP:8000) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'NetBios Datagram Service' (UDP:138) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'NetBIOS Name Service' (UDP:137) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'SNMP' (UDP:161) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'NetBios Session Service' (UDP:139) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with HTTP (Port:80) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with HTTPS (Port:443) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with administrative service: Remote Desktop (TCP:3389) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with administrative service: SSH (TCP:22) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure that there are no unused Classic Load Balancers in your AWS account in order to follow AWS best practices |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with unencrypted Mongo DB (TCP:27017) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Connection Draining is enabled for your AWS Classic Load Balancer |
AWS - Networking | EC2 Load Balancer (LB) | Ensure there are valid security groups associated with your Classic Load Balancer |
AWS - Networking | EC2 Load Balancer (LB) | Ensure access logging is enabled for your AWS Classic Load Balancer to follow security best practices |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with unencrypted LDAP (TCP:389) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'Prevalent known internal port' (TCP:3000) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'NetBIOS Name Service' (TCP:137) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'NetBios Datagram Service' (TCP:138) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'NetBios Session Service' (TCP:139) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'Known internal web port' (TCP:8000) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'Known internal web port' (TCP:8080) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'NetBIOS Name Service' (UDP:137) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'NetBios Datagram Service' (UDP:138) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'NetBios Session Service' (UDP:139) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'SNMP' (UDP:161) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with HTTPS (Port:443) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with HTTP (Port:80) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with administrative service: SSH (TCP:22) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with administrative service: Remote Desktop (TCP:3389) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with unencrypted Mongo (TCP:27017) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Classic Load Balancer allows unrestricted inbound access using Internet Control Message Protocol v6 (ICMPv6) |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Classic Load Balancer allows unrestricted inbound access using Internet Control Message Protocol (ICMP) |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Classic Load Balancer allows unrestricted inbound access to all UDP traffic |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Network Load Balancer allows unrestricted inbound access to all TCP traffic |
AWS - Networking | EC2 Security Groups (SG) | Ensure that your EC2 security groups do not allow unrestricted outbound/egress access |
AWS - Networking | EC2 Security Groups (SG) | Ensure AWS EC2 security group rules have descriptive text for organization and documentation |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Classic Load Balancer allows unrestricted inbound access to all traffic |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Classic Load Balancer allows unrestricted inbound access to all TCP traffic |
AWS - Networking | Virtual Private Cloud (VPC) | Ensure Elastic IPs for NAT gateways are allocated |
AWS - Networking | Virtual Private Cloud (VPC) | Ensure AWS default Virtual Private Cloud (VPC) is not being used |
AWS - Networking | Virtual Private Cloud (VPC) | Ensure that a specific Internet/NAT gateway is attached to a specific VPC |
AWS - Networking | Virtual Private Cloud (VPC) | Ensure Amazon VPC endpoints are not exposed to everyone |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Application Load Balancer allows unrestricted inbound access using Internet Control Message Protocol v6 (ICMPv6) |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Application Load Balancer allows unrestricted inbound access using Internet Control Message Protocol (ICMP) |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Application Load Balancer allows unrestricted inbound access to all UDP traffic |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Application Load Balancer allows unrestricted inbound access to all TCP traffic |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Application Load Balancer allows unrestricted inbound access to all traffic |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Network Load Balancer allows unrestricted inbound access to all UDP traffic |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Network Load Balancer allows unrestricted inbound access using Internet Control Message Protocol (ICMP) |
AWS - Networking | EC2 Load Balancer (LB) | Ensure no Network Load Balancer allows unrestricted inbound access using Internet Control Message Protocol v6 (ICMPv6) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security group allows unrestricted ingress access to TCP port 8545 (Ethereum) |
AWS - Networking | EC2 Security Groups (SG) | Ensure no security group allows unrestricted ingress access to TCP ports 8332 and 8333 (Bitcoin) |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'Ethereum' (TCP Port 8545) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Network Load Balancer with service 'Bitcoin' (TCP Ports 8332 and 8333) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'Ethereum' (Port 8545) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Classic Load Balancer with service 'Bitcoin' (Ports 8332 and 8333) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer with service 'Ethereum' (Port 8545) is not exposed to the public internet |
AWS - Networking | EC2 Load Balancer (LB) | Ensure Application Load Balancer with service 'Bitcoin' (Ports 8332 and 8333) is not exposed to the public internet |
AWS - Networking | Relational Database Service (RDS) | Ensure that public access is not given to RDS PostgreSQL Instance |
AWS - Networking | Relational Database Service (RDS) | Ensure that public subnets are not assigned to RDS PostgreSQL Instances |
AWS - Networking | Relational Database Service (RDS) | Ensure that public access is not given to RDS MariaDB Instance |
AWS - Networking | Relational Database Service (RDS) | Ensure that public subnets are not assigned to RDS MariaDB Instances |
AWS - Networking | Relational Database Service (RDS) | Ensure that public access is not given to RDS Oracle Instances |
AWS - Networking | Relational Database Service (RDS) | Ensure that public subnets are not assigned to RDS Oracle Instances |
AWS - Networking | Relational Database Service (RDS) | Ensure that public access is not given to RDS SQL Server Instances |
AWS - Networking | Relational Database Service (RDS) | Ensure that public subnets are not assigned to RDS SQL Server Instances |
AWS - Networking | Relational Database Service (RDS) | Ensure that public access is not given to RDS Aurora SQL Instances |
AWS - Networking | Relational Database Service (RDS) | Ensure that public subnets are not assigned to RDS Aurora SQL Instances |
AWS - Networking | Relational Database Service (RDS) | Ensure that public subnets are not assigned to RDS Aurora MySQL Serverless Cluster |
AWS - Networking | Relational Database Service (RDS) | Ensure that public subnets are not assigned to RDS Aurora PostgreSQL Serverless Cluster |
AWS - Networking | Relational Database Service (RDS) | Ensure that public access is not given to RDS MySQL Instance |
AWS - Networking | Relational Database Service (RDS) | Ensure that public subnets are not assigned to RDS MySQL Instances |
AWS - Networking | EC2 Autoscaling Group (ASG) | Ensure that security group in ASG launch configuration does not have SSH port open to the internet |
AWS - Networking | EC2 Autoscaling Group (ASG) | Ensure that security group in ASG launch configuration does not have RDP port open to the internet |
AWS - Networking | APIGateway | Ensure that Access-Control-Allow-Origin is not set to all sources for HTTP APIs |
AWS - Networking | APIGateway | Ensure that Access-Control-Allow-Methods is set to specific methods and not * for HTTP APIs |
AWS - Networking | APIGateway | Ensure that Access-Control-Allow-Headers is set to specific Header and not * for HTTP APIs |
AWS - Networking | APIGateway | Ensure that Access-Control-Allow-Credentials is set to True for HTTP APIs |
AWS - Networking | APIGateway | Ensure that Data Trace logging is enabled for WebSocket APIs |
AWS - Networking | APIGateway | Ensure that Access logging is enabled for WebSocket APIs |
AWS - Networking | APIGateway | Ensure that Amazon API Gateway APIs are accessible only through private API endpoints |
AWS - Networking | APIGateway | Ensure that AWS WAF is integrated with Amazon API Gateway to protect APIs from common web exploits |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure all S3 buckets have policy to require server-side and in transit encryption for all objects stored in bucket |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure AWS S3 buckets have the MFA Delete feature enabled |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure AWS S3 buckets do not allow public access via bucket policies |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure AWS S3 buckets enforce SSL to secure data in transit |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure Amazon S3 buckets have Default Encryption feature enabled |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure that Amazon S3 buckets access is limited only to specific IP addresses |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure that your AWS S3 buckets are not publicly exposed to the Internet |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure AWS S3 buckets do not allow public READ access |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure AWS S3 buckets do not allow public READ_ACP access |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure AWS S3 buckets do not allow public WRITE_ACP access |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure AWS S3 buckets do not allow public WRITE access |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure that your AWS S3 buckets are using DNS-compliant bucket names |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure Amazon S3 buckets have lifecycle configuration enabled for security purposes |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure that Amazon S3 buckets are encrypted with customer-provided AWS KMS CMKs |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure that Amazon S3 buckets use Transfer Acceleration feature for faster data transfers |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure that AWS S3 buckets use Object Lock for data protection and/or regulatory compliance |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure S3 buckets do not allow READ access to AWS authenticated users through ACLs |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure AWS S3 buckets do not allow READ_ACP access to AWS authenticated users using ACLs |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure S3 buckets do not allow WRITE access to AWS authenticated users through S3 ACLs |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure S3 buckets do not allow WRITE_ACP access to AWS authenticated users using S3 ACLs |
AWS - Storage and Databases | DynamoDB | Identify and remove any unused AWS DynamoDB tables in your AWS account in order to follow AWS best practices |
AWS - Storage and Databases | DynamoDB | Ensure Amazon DynamoDB tables enforce Server-Side Encryption (SSE) |
AWS - Storage and Databases | DynamoDB | Ensure Amazon DynamoDB tables have continuous backups enabled |
AWS - Storage and Databases | DynamoDB | Ensure that Amazon DynamoDB data is encrypted using AWS-managed Customer Master Keys |
AWS - Storage and Databases | DynamoDB | Ensure on-demand backup and restore functionality is in use for AWS DynamoDB tables |
AWS - Storage and Databases | DynamoDB | Ensure AWS DynamoDB Auto Scaling is enabled to automate capacity management for tables and indexes |
AWS - Storage and Databases | Elastic MapReduce (EMR) | Ensure in-transit and at-rest encryption is enabled for Amazon EMR clusters |
AWS - Storage and Databases | Elastic MapReduce (EMR) | Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3 |
AWS - Storage and Databases | Elastic MapReduce (EMR) | Ensure AWS EMR clusters are launched in a Virtual Private Cloud (i.e. are using EC2-VPC platform) |
AWS - Storage and Databases | Redshift | Ensure that user activity logging is enabled for your Amazon Redshift clusters |
AWS - Storage and Databases | Redshift | Ensure AWS Redshift database clusters are not using 'awsuser' (default master user name) for database access |
AWS - Storage and Databases | Redshift | Ensure Redshift clusters are using the latest generation of nodes for performance improvements |
AWS - Storage and Databases | Redshift | Ensure Deferred Maintenance feature is enabled for your Amazon Redshift clusters |
AWS - Storage and Databases | Redshift | Ensure Amazon Redshift clusters are not using port 5439 (default port) for database access |
AWS - Storage and Databases | Redshift | Ensure Redshift clusters are not publicly accessible to minimize security risks |
AWS - Storage and Databases | Redshift | Ensure AWS Redshift non-default parameter groups require SSL to secure data in transit |
AWS - Storage and Databases | Redshift | Ensure Amazon Redshift clusters are launched within a Virtual Private Cloud (VPC) |
AWS - Storage and Databases | Redshift | Ensure Redshift clusters are encrypted with KMS customer master keys (CMKs) in order to have full control over data encryption and decryption |
AWS - Storage and Databases | Redshift | Ensure database encryption is enabled for AWS Redshift clusters to protect your data at rest |
AWS - Storage and Databases | Redshift | Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes |
AWS - Storage and Databases | Redshift | Ensure Version Upgrade is enabled for Redshift clusters to automatically receive upgrades during the maintenance window |
AWS - Storage and Databases | Redshift | Ensure that retention period is enabled for Amazon Redshift automated snapshots |
AWS - Storage and Databases | Kinesis | Ensure AWS Kinesis streams are encrypted with KMS Customer Master Keys (CMKs) for complete control over data encryption and decryption |
AWS - Storage and Databases | Kinesis | Ensure enhanced monitoring is enabled for your AWS Kinesis streams using shard-level metrics |
AWS - Storage and Databases | Kinesis | Ensure Amazon Kinesis streams enforce Server-Side Encryption (SSE) |
AWS - Storage and Databases | Relational Database Service (RDS) | Ensure that RDS PostgreSQL Instances do not use the default port number |
AWS - Storage and Databases | Relational Database Service (RDS) | Ensure that RDS MariaDB Instances do not use the default port number |
AWS - Storage and Databases | Relational Database Service (RDS) | Ensure that RDS Oracle Instances do not use the default port number |
AWS - Storage and Databases | Relational Database Service (RDS) | Ensure that RDS SQL Server Instances do not use the default port number |
AWS - Storage and Databases | Relational Database Service (RDS) | Ensure that RDS Aurora SQL Instances do not use the default port number |
AWS - Storage and Databases | Relational Database Service (RDS) | Ensure that RDS MySQL Instances do not use the default port number |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure that Block public access to buckets and objects granted through new access control lists (ACLs) is turned on for S3 buckets |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure that Block public access to buckets and objects granted through any access control lists (ACLs) is turned on for S3 buckets |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure that Block public access to buckets and objects granted through new public bucket or access point policies is turned on for S3 buckets |
AWS - Storage and Databases | Simple Storage Service (S3) | Ensure that Block public and cross-account access to buckets and objects through any public bucket or access point policies is turned on for S3 buckets |
AWS - Storage and Databases | APIGateway | Ensure that Content Encoding feature is enabled for Amazon API Gateway APIs |
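The Monitoring rows above each correspond to a CloudWatch Logs metric filter over CloudTrail events. The following script is an added example, not Cloudneeti code: it expresses a subset of those alarm conditions (unauthorized API calls, console sign-in without MFA, root usage, console authentication failures, CMK disable/deletion, CloudTrail, S3 bucket policy, security group, NACL and route table changes) as Python predicates that follow the published CIS AWS Foundations metric-filter patterns, and runs them over constructed CloudTrail records. The IAM-policy, gateway and VPC filters are omitted for brevity; the log lines, event IDs and identities are invented, and nothing here calls an AWS API.

```python
"""Classify CloudTrail records against the CloudWatch metric-filter/alarm
policies in the Monitoring rows above.

Added example, not Cloudneeti code. Match conditions follow the published
CIS AWS Foundations metric-filter patterns for a subset of the rows; the
records in SAMPLE_LOG_LINES are constructed and no AWS API is called."""
import json
from typing import Callable, Dict, List

Event = dict

def _event_name_in(*names: str) -> Callable[[Event], bool]:
    return lambda e: e.get("eventName") in names

def unauthorized_api_call(e: Event) -> bool:
    # CIS: ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")
    code = e.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

def console_login_without_mfa(e: Event) -> bool:
    # CIS: ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes")
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def root_account_usage(e: Event) -> bool:
    # CIS: $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #      && $.eventType != "AwsServiceEvent"
    ident = e.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")

def console_auth_failure(e: Event) -> bool:
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("errorMessage") == "Failed authentication")

def cmk_disable_or_deletion(e: Event) -> bool:
    return (e.get("eventSource") == "kms.amazonaws.com"
            and e.get("eventName") in ("DisableKey", "ScheduleKeyDeletion"))

RULES: Dict[str, Callable[[Event], bool]] = {
    "unauthorized API calls": unauthorized_api_call,
    "Management Console sign-in without MFA": console_login_without_mfa,
    "usage of 'root' account": root_account_usage,
    "Management Console authentication failures": console_auth_failure,
    "disabling or scheduled deletion of customer created CMKs": cmk_disable_or_deletion,
    "CloudTrail configuration changes": _event_name_in(
        "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"),
    "S3 bucket policy changes": _event_name_in(
        "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
        "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
        "DeleteBucketLifecycle", "DeleteBucketReplication"),
    "security group changes": _event_name_in(
        "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
        "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
        "CreateSecurityGroup", "DeleteSecurityGroup"),
    "changes to Network Access Control Lists (NACL)": _event_name_in(
        "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
        "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation"),
    "route table changes": _event_name_in(
        "CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation",
        "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable"),
}

def classify(event: Event) -> List[str]:
    """Names of every alarm policy one record would trigger, in RULES order."""
    return [name for name, predicate in RULES.items() if predicate(event)]

def parse_records(text: str) -> List[Event]:
    """One CloudTrail record per line, as a CloudWatch Logs subscription delivers them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def scan(records: List[Event]) -> Dict[str, List[str]]:
    return {r["eventID"]: classify(r) for r in records}

# Constructed sample records: real CloudTrail field names, invented values.
SAMPLE_LOG_LINES = """
{"eventID": "ev-1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventID": "ev-2", "eventName": "DescribeInstances", "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser"}, "errorCode": "Client.UnauthorizedOperation"}
{"eventID": "ev-3", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com", "eventType": "AwsApiCall", "userIdentity": {"type": "AssumedRole"}}
{"eventID": "ev-4", "eventName": "ScheduleKeyDeletion", "eventSource": "kms.amazonaws.com", "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser"}}
{"eventID": "ev-5", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "Yes"}, "errorMessage": "Failed authentication"}
{"eventID": "ev-6", "eventName": "DescribeTrails", "eventType": "AwsApiCall", "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}}
"""

if __name__ == "__main__":
    for event_id, alarms in scan(parse_records(SAMPLE_LOG_LINES)).items():
        print(event_id, alarms or "no alarm")
```

Note that ev-1 trips two alarms at once (root usage and sign-in without MFA), while ev-6 trips none: the `invokedBy` exclusion in the root rule exists precisely so that service-initiated calls made on the root account's behalf do not page anyone. When you port these predicates to real metric filters, keep that exclusion, or the root alarm becomes noise.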
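The Networking rows for EC2 Security Groups all reduce to the same evaluation: is any ingress rule open to `0.0.0.0/0` or `::/0`, and if so, which protocol or sensitive port does it expose? The script below is an added example, not Cloudneeti code. It evaluates security groups in the shape returned by boto3's `ec2.describe_security_groups()` against the unrestricted-ingress, all-traffic, ICMP/ICMPv6, egress and rule-description rows above. The port tables are assumed from the policy titles (80 and 443 are included only because the page flags them), the group IDs and rules are constructed, and nothing here calls AWS.

```python
"""Evaluate EC2 security groups against the unrestricted-ingress, egress and
rule-description policies in the Networking rows above.

Added example, not Cloudneeti code. Input has the shape returned by boto3's
ec2.describe_security_groups(); SAMPLE_SECURITY_GROUPS is constructed for
this example and nothing here calls AWS."""
from typing import Dict, List

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"
ICMP_NAMES = {"icmp": "ICMP", "icmpv6": "ICMPv6"}

# Port tables assumed from the policy titles above. 80 and 443 are listed
# because the page flags them; exempt your public web tier as needed.
SENSITIVE_TCP = {
    20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
    80: "HTTP", 110: "POP3", 135: "RPC", 139: "NetBIOS", 443: "HTTPS",
    445: "CIFS", 1433: "MSSQL", 1521: "Oracle", 3306: "MySQL", 3389: "RDP",
    5432: "PostgreSQL", 8332: "Bitcoin", 8333: "Bitcoin", 8545: "Ethereum",
    9200: "Elasticsearch", 27017: "MongoDB",
}
SENSITIVE_UDP = {53: "DNS", 137: "NetBIOS", 138: "NetBIOS"}


def is_world_open(perm: dict) -> bool:
    """True when any source/destination of the rule is the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == WORLD_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == WORLD_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def ingress_findings(perm: dict) -> List[str]:
    """Map one world-open ingress rule onto the policy titles it violates."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return ["unrestricted inbound access to all traffic"]
    if proto in ICMP_NAMES:                # FromPort/ToPort are ICMP type/code here
        return [f"unrestricted inbound {ICMP_NAMES[proto]}"]
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if proto not in ("tcp", "udp") or lo is None or hi is None:
        return [f"unrestricted inbound access for protocol {proto}"]
    if lo <= 1 and hi >= 65535:            # console "All TCP"/"All UDP" is 0-65535
        return [f"unrestricted inbound access to all {proto.upper()} traffic"]
    table = SENSITIVE_TCP if proto == "tcp" else SENSITIVE_UDP
    return [f"unrestricted inbound {proto.upper()} port {port} ({name})"
            for port, name in sorted(table.items()) if lo <= port <= hi]


def evaluate_security_group(sg: dict) -> List[str]:
    findings: List[str] = []
    ingress = sg.get("IpPermissions", [])
    egress = sg.get("IpPermissionsEgress", [])
    for perm in ingress:
        if is_world_open(perm):
            findings.extend(ingress_findings(perm))
    # The AWS default egress rule (all protocols to 0.0.0.0/0) is what the policy flags.
    if any(p.get("IpProtocol") == "-1" and is_world_open(p) for p in egress):
        findings.append("unrestricted outbound/egress access")
    # Descriptions are attached to each CIDR entry, not to the permission.
    ranges = [r for p in ingress + egress
              for r in p.get("IpRanges", []) + p.get("Ipv6Ranges", [])]
    if any(not r.get("Description") for r in ranges):
        findings.append("security group rule without descriptive text")
    return findings


def evaluate_all(groups: List[dict]) -> Dict[str, List[str]]:
    return {sg["GroupId"]: evaluate_security_group(sg) for sg in groups}


# Constructed sample: one exposed group, one all-open group, one compliant group.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": WORLD_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3310, "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": WORLD_V6, "Description": "db"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": WORLD_V4, "Description": "ping"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": WORLD_V4, "Description": "default"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": WORLD_V4, "Description": "open"}],
         "Ipv6Ranges": []}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "internal https"}],
         "Ipv6Ranges": []}],
     "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "internal https"}],
         "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, issues in evaluate_all(SAMPLE_SECURITY_GROUPS).items():
        print(group_id, issues or "compliant")
```

Two details matter when you run this against real data: a port range such as 3300-3310 is reported for every sensitive port it covers, not only for exact single-port matches, and `::/0` is treated exactly like `0.0.0.0/0`, since an IPv6-only exposure is just as reachable from the internet on a dual-stack VPC.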
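The S3 rows under Storage and Databases check three separate control layers: the four Block Public Access settings, ACL grants to the AllUsers and AuthenticatedUsers groups, and the bucket policy (anonymous Allow statements, and the `aws:SecureTransport` Deny that enforces SSL). The script below is an added example, not Cloudneeti code, that evaluates all three over one bucket record. Each bucket dict combines the shapes returned by boto3's `get_public_access_block`, `get_bucket_acl` and `get_bucket_policy`; the bucket names, grants and policies are constructed, and no AWS API is called.

```python
"""Check S3 buckets against the public-access, ACL and SSL-enforcement
policies in the Storage and Databases rows above.

Added example, not Cloudneeti code. Each bucket dict combines the shapes of
boto3's get_public_access_block (PublicAccessBlockConfiguration),
get_bucket_acl (Grants) and get_bucket_policy (Policy, a JSON string);
SAMPLE_BUCKETS is constructed and no AWS API is called."""
import json
from typing import List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """Both "*" and {"AWS": "*"} mean any principal, including anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _denies_insecure_transport(stmt: dict) -> bool:
    cond = stmt.get("Condition", {}).get("Bool", {})
    return (stmt.get("Effect") == "Deny"
            and _principal_is_anyone(stmt.get("Principal"))
            and str(cond.get("aws:SecureTransport", "")).lower() == "false")


def evaluate_bucket(bucket: dict) -> List[str]:
    findings: List[str] = []
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    for key in PAB_KEYS:
        if not pab.get(key, False):
            findings.append(f"Block Public Access: {key} is off")
    for grant in bucket.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        perm = grant.get("Permission")
        if uri == ALL_USERS:
            findings.append(f"public {perm} access via ACL")
        elif uri == AUTH_USERS:
            findings.append(f"{perm} access to AWS authenticated users via ACL")
    statements = _as_list(json.loads(bucket["Policy"])["Statement"]) if bucket.get("Policy") else []
    # An Allow to anyone with no Condition is public; a Condition (e.g. aws:SourceIp)
    # is treated here as a restriction, matching the "specific IP addresses" row.
    if any(s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
           and "Condition" not in s for s in statements):
        findings.append("public access via bucket policy")
    if not any(_denies_insecure_transport(s) for s in statements):
        findings.append("does not enforce SSL (no aws:SecureTransport=false Deny)")
    return findings


def evaluate_all(buckets: List[dict]) -> dict:
    return {b["Name"]: evaluate_bucket(b) for b in buckets}


# Constructed sample: a public website bucket, a hardened bucket, and one
# shared with every AWS account through an ACL.
SAMPLE_BUCKETS = [
    {"Name": "public-site",
     "PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS},
     "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::public-site/*"}]})},
    {"Name": "hardened",
     "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS},
     "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                 "Permission": "FULL_CONTROL"}],
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
          "Resource": ["arn:aws:s3:::hardened", "arn:aws:s3:::hardened/*"],
          "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})},
    {"Name": "shared-acl",
     "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS},
     "Grants": [{"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"}]},
]

if __name__ == "__main__":
    for name, issues in evaluate_all(SAMPLE_BUCKETS).items():
        print(name, issues or "compliant")
```

The `shared-acl` case shows why the ACL rows are listed separately from Block Public Access: with `IgnorePublicAcls` on, S3 no longer honours that AuthenticatedUsers grant, but the grant is still there and will take effect again the moment someone relaxes the account or bucket setting, so the check reports it regardless. The SSL check deliberately requires the Deny to apply to `Principal: "*"`; a Deny scoped to a single role would not enforce transport encryption for anyone else.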