Security How-To Guides
Access Management
Detect Use of AWS Account Root User Credentials
The root user has unrestricted access to every resource in the AWS account, and IAM policies cannot limit it. Avoid using it for day-to-day work, and treat any use of root credentials as an event to investigate.
Find AWS Account Root Users with Access Keys
The root user is the most privileged identity in an AWS account, and access keys give long-lived programmatic access as that identity. Root access keys should not exist at all: delete any that are found and use IAM roles for programmatic access instead.
Find AWS Account Root Users Without Hardware MFA Enabled
The root user is the most privileged identity in an AWS account. Multi-factor authentication (MFA) adds an extra layer of protection on top of the username and password; a hardware MFA device is preferred for root because, unlike a virtual MFA app, its secret cannot be copied off a compromised phone or workstation.
Find AWS Accounts Missing IAM Support Roles
AWS Support can be used for incident notification and response as well as technical support and customer service. Create an IAM role (for example with the AWSSupportAccess managed policy attached) so that authorized users can open and manage support cases during an incident without resorting to the root user.
Find AWS Accounts That Do Not Prevent Reuse of the Last 24 Passwords
IAM password policies enforce complexity and rotation requirements for console passwords. Preventing reuse of the previous 24 passwords stops users from rotating back to an old, possibly compromised, password.
Find AWS Accounts Without Minimum Password Length of 14 Characters
IAM password policies enforce complexity requirements for console passwords, such as minimum length and required character sets. The policy should require a minimum length of 14 characters or more.
Find AWS EC2 Instances Not Using IAM Instance Roles
Code on an EC2 instance can authenticate to AWS either with long-lived access keys embedded on the instance or by assigning the instance an IAM role (instance profile) whose policy grants just the required access. The role hands out short-lived credentials through the instance metadata service, so there is no static key to leak or rotate.
Find AWS IAM Access Keys Not Rotated Within 90 Days
Access keys consist of an access key ID and a secret access key, which are used to sign programmatic requests to AWS. Rotating them at least every 90 days limits how long a leaked key remains usable.
Find AWS IAM Policies Not Attached to Groups or Roles
By default, IAM users, groups, and roles have no access to AWS resources; IAM policies are the means by which privileges are granted. Policies attached directly to individual users rather than to groups or roles are harder to review and keep consistent, so assign permissions through groups and roles.
Find AWS IAM Policies with Full Administrative Privileges
IAM policies are the means by which privileges are granted to users, groups, or roles. Standard security advice is to grant only the permissions a task requires; a policy that allows all actions on all resources ("Action": "*" with "Resource": "*") gives full administrative control and should be replaced with scoped permissions.
Find AWS IAM Users with Multiple Active Access Keys
Access keys can be lost or stolen, and a user normally needs only one. A second active key is justified only briefly during rotation; otherwise it doubles the credentials that must be protected.
Find AWS IAM Users Without MFA Enabled
Multi-factor authentication (MFA) adds an extra layer of protection on top of a username and password, so a phished or reused password alone is not enough to sign in.
Find AWS Lambda Function CORS Vulnerabilities
Publicly accessible services could expose sensitive data to bad actors. An overly permissive cross-origin resource sharing (CORS) configuration on a Lambda function URL, such as allowing any origin, lets scripts on arbitrary websites call the function from a visitor's browser.
Find AWS Lambda Functions with Public Resource-Based Policies
Publicly accessible services could expose sensitive data to bad actors. A resource-based policy whose principal is "*" with no restricting condition lets any caller invoke the function.
Find Expired AWS IAM Server Certificates
Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate is accidentally deployed to a resource such as an Elastic Load Balancer (ELB), where browsers would warn users and damage the credibility of the application or website behind it.
Find Public AWS Lambda Functions
Publicly accessible services could expose sensitive data to bad actors. A function reachable by anyone (for example through a function URL with no authentication) exposes whatever data and permissions the function holds.
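The two policy-document checks from this section, full administrative grants and public principals on a Lambda resource policy, as an added example (not code from these guides). The policy documents below are constructed; the account ID, function name and API ID in them are invented. In practice the input is the JSON returned by iam:GetPolicyVersion for identity policies and lambda:GetPolicy for resource policies.

```python
"""Static checks on IAM policy documents: full-admin grants and public principals.

Added example for this page, not code from the guides. Sample policies are
constructed; account ID, function name and API ID are invented.
"""
from typing import Any, Dict, List

Policy = Dict[str, Any]


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a scalar or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def full_admin_statements(policy: Policy) -> List[str]:
    """Sids of Allow statements granting every action on every resource.

    Mirrors the CIS '*:*' test: Effect Allow, Action containing "*" or "*:*",
    Resource containing "*". NotAction/NotResource forms are not expanded and
    deserve a manual look.
    """
    found = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(st.get("Action"))}
        if actions & {"*", "*:*"} and "*" in _as_list(st.get("Resource")):
            found.append(str(st.get("Sid", f"statement[{i}]")))
    return found


def public_statements(policy: Policy) -> List[str]:
    """Sids of unconditioned Allow statements whose Principal is everyone.

    Principal may be the string "*" or {"AWS": "*"}. Statements with a
    Condition (aws:SourceArn, aws:SourceAccount, ...) are skipped because the
    condition may scope them; review those by hand.
    """
    found = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            found.append(str(st.get("Sid", f"statement[{i}]")))
    return found


def scan(policies: Dict[str, Policy]) -> Dict[str, List[str]]:
    """Map policy name to findings; an empty list means the policy passed both checks."""
    report: Dict[str, List[str]] = {}
    for name, policy in policies.items():
        findings = [f"full admin in {sid}" for sid in full_admin_statements(policy)]
        findings += [f"public principal in {sid}" for sid in public_statements(policy)]
        report[name] = findings
    return report


# Constructed sample policies.
FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:example-fn"   # invented
ADMIN_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}
READONLY_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListBuckets", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        {"Sid": "DenyEverythingElse", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}
PUBLIC_LAMBDA_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AnyoneCanInvoke", "Effect": "Allow", "Principal": "*",
                   "Action": "lambda:InvokeFunctionUrl", "Resource": FN_ARN}],
}
SCOPED_LAMBDA_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ApiGatewayOnly", "Effect": "Allow",
                   "Principal": {"Service": "apigateway.amazonaws.com"},
                   "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
                   "Condition": {"ArnLike": {"aws:SourceArn":
                                 "arn:aws:execute-api:us-east-1:111122223333:abc123/*"}}}],
}

if __name__ == "__main__":
    for name, findings in scan({"admin": ADMIN_POLICY, "readonly": READONLY_POLICY,
                                "public-fn": PUBLIC_LAMBDA_POLICY, "scoped-fn": SCOPED_LAMBDA_POLICY}).items():
        print(name, findings or "OK")
```

The Deny statement in the read-only sample is deliberately ignored by the admin check: only Allow grants widen access, and a Deny with "*" is the opposite of the finding.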
Find Unused AWS IAM Access Keys for Users with Configured Passwords
Access keys created during console user setup are often never used, yet remain valid credentials. A key that has never been used by a user who signs in with a password is an unnecessary credential and should be deleted.
Find Unused AWS IAM Credentials
To increase the security of your AWS account, remove IAM user credentials (passwords and access keys) that are no longer needed, for example when users leave your organization or no longer need AWS access. Credentials unused for an extended period are likely forgotten and are an easy target.
Compute
Find AWS Lambda Functions with Obsolete Runtimes
Lambda notifies you by email when a function runs on a runtime that will be deprecated within the next 60 days. Deprecated runtimes no longer receive security patches, so migrate affected functions to a supported runtime before the deadline.
Find Old AWS EC2 Instances
Long-running instances built from old images accumulate unpatched software, increasing the risk of vulnerable components. Rebuild or replace old instances from current, patched images.
Logging
Find AWS CloudTrail Trails Not Encrypted with KMS Keys
By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files.
Find AWS CloudTrail Trails with Logging Disabled
A trail that is not delivering its events provides none of the visibility needed to investigate an incident. Sending AWS CloudTrail events to CloudWatch Logs facilitates real-time and historical activity logging by user, API, resource, and IP address, and makes it possible to set alarms and notifications for anomalous or sensitive account activity.
Find AWS CloudTrail Trails with No Log Events
A trail that has produced no log events is recording nothing, whether because logging was stopped or because delivery is misconfigured; check the trail's status and that delivery to S3 and CloudWatch Logs is succeeding, since the alarms built on those logs are silent otherwise.
Find AWS CloudTrail Trails with Public S3 Buckets
Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration, and it discloses account IDs, IAM principal names, and source IP addresses.
Find AWS CloudTrail Trails with S3 Bucket Access Logging Disabled
Server access logs on the CloudTrail bucket record who read or modified the log files, which supports security and access audits of the audit trail itself (and, incidentally, helps you understand your Amazon S3 bill).
Find AWS CloudTrail Trails Without Log File Validation Enabled
Enabling log file validation makes CloudTrail deliver signed digest files alongside the logs, so you can verify that log files were not modified or deleted after delivery.
Find AWS KMS Keys Without Rotation Enabled
Cryptographic best practice discourages extensive reuse of a single key. Enabling automatic rotation for customer managed KMS keys limits the amount of data protected by any one key material and the impact of its compromise; older material is retained, so existing ciphertexts remain decryptable.
Find AWS Regions Not Monitored by CloudTrail
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the call, the caller's source IP address, the request parameters, and the response elements returned by the AWS service. Use a multi-region trail so that activity in regions you do not normally use is recorded as well.
Find AWS Regions with CloudTrail Object-Level Logging for S3 Read Events Disabled
CloudTrail management events do not include object-level S3 operations such as GetObject; these data events must be enabled explicitly. Without them, reads of sensitive objects cannot be monitored or reconstructed after an incident.
Find AWS Regions Where CloudTrail Object-Level Logging for S3 Write Events Is Disabled
CloudTrail management events do not include object-level S3 operations such as PutObject and DeleteObject; these data events must be enabled explicitly. Without them, tampering with or destruction of objects cannot be monitored or attributed.
Find AWS Regions Without AWS Config Enabled
The configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing. It should be enabled in every region, including those you do not actively use.
Find AWS VPCs Without EC2 Flow Logging Enabled
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.
Monitoring
Find AWS CloudTrail Trails Missing Alarms for Authentication Failures
Monitoring failed console logins decreases the lead time to detect an attempt to brute-force a credential that could be used to compromise the account.
Find AWS CloudTrail Trails Missing Alarms for AWS Config Changes
Monitoring changes to the AWS Config configuration helps ensure sustained visibility of configuration items within the account.
Find AWS CloudTrail Trails Missing Alarms for Console Logins Without MFA
Monitoring single-factor console logins increases visibility into accounts that are not protected by MFA.
Find AWS CloudTrail Trails Missing Alarms for IAM Policy Changes
Monitoring changes to IAM policies helps ensure that authentication and authorization controls remain intact.
Find AWS CloudTrail Trails Missing Alarms for KMS Key Deletion
Monitoring customer managed keys that are disabled or scheduled for deletion gives time to react before data encrypted with them becomes unrecoverable.
Find AWS CloudTrail Trails Missing Alarms for ACL Changes
Monitoring changes to network ACLs helps ensure that AWS resources and services are not unintentionally exposed.
Find AWS CloudTrail Trails Missing Alarms for Network Gateway Changes
Monitoring changes to network gateways helps ensure that all ingress and egress traffic crosses the VPC border through a controlled path.
Find AWS CloudTrail Trails Missing Alarms for Organization Changes
Monitoring AWS Organizations changes helps prevent accidental or intentional modifications that may lead to unauthorized access or other security breaches.
Find AWS CloudTrail Trails Missing Alarms for Root User Usage
Monitoring root user activity decreases the lead time to detect and investigate use of the most privileged identity in the account.
Find AWS CloudTrail Trails Missing Alarms for Route Table Changes
Monitoring changes to route tables helps ensure that all VPC traffic flows through an expected path.
Find AWS CloudTrail Trails Missing Alarms for S3 Policy Changes
Monitoring changes to S3 bucket policies reduces the time to detect and correct permissive policies on sensitive buckets.
Find AWS CloudTrail Trails Missing Alarms for Security Group Changes
Monitoring changes to security groups helps ensure that resources and services are not unintentionally exposed.
Find AWS CloudTrail Trails Missing Alarms for Trail Configuration Changes
Monitoring changes to CloudTrail configuration helps ensure sustained visibility of activity in the account; stopping or deleting a trail is a common step in covering tracks.
Find AWS CloudTrail Trails Missing Alarms for Unauthorized API Calls
Monitoring unauthorized API calls helps reveal application errors and may reduce the time to detect malicious activity such as privilege probing.
Find AWS CloudTrail Trails Missing Alarms for VPC Changes
Monitoring changes to VPCs (creation, deletion, peering, and so on) helps ensure that VPC traffic flow is not unexpectedly affected.
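Each of the alarm guides above comes down to a CloudWatch Logs metric filter over the trail's log group plus an alarm on that metric. The following added example (not code from these guides) implements several of those filters as plain predicates and runs them over constructed CloudTrail events, so the matching logic can be checked before it is deployed. The filter-pattern strings listed in FILTER_PATTERNS are the CloudWatch Logs syntax equivalents of the predicates, as recommended by the CIS AWS Foundations Benchmark; the events, user names and IDs are invented and reduced to the fields the rules read.

```python
"""CloudTrail detections matching the alarm guides, run over constructed events.

Added example for this page, not the guides' own code. Sample events are
constructed and abbreviated; names and IDs are invented.
"""
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

IAM_POLICY_APIS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy", "PutGroupPolicy",
    "PutRolePolicy", "PutUserPolicy", "CreatePolicy", "DeletePolicy", "CreatePolicyVersion",
    "DeletePolicyVersion", "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy",
    "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy",
}
TRAIL_CONFIG_APIS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}

# CloudWatch Logs metric-filter patterns that the predicates below reproduce.
FILTER_PATTERNS = {
    "unauthorized_api_call": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
    "console_auth_failure": '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }',
    "console_login_without_mfa": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    "root_usage": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }',
    "iam_policy_change": "{ " + " || ".join(f"($.eventName={api})" for api in sorted(IAM_POLICY_APIS)) + " }",
    "trail_config_change": "{ " + " || ".join(f"($.eventName = {api})" for api in sorted(TRAIL_CONFIG_APIS)) + " }",
    "kms_key_disable_or_deletion": '{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }',
}


def unauthorized_api_call(e: Event) -> bool:
    code = str(e.get("errorCode", ""))
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def console_auth_failure(e: Event) -> bool:
    return e.get("eventName") == "ConsoleLogin" and e.get("errorMessage") == "Failed authentication"


def console_login_without_mfa(e: Event) -> bool:
    """Successful sign-ins only; failed attempts belong to console_auth_failure."""
    extra = e.get("additionalEventData") or {}
    resp = e.get("responseElements") or {}
    return (e.get("eventName") == "ConsoleLogin" and resp.get("ConsoleLogin") == "Success"
            and extra.get("MFAUsed") != "Yes")


def root_usage(e: Event) -> bool:
    """Direct root activity; service-initiated events invoked on root's behalf are excluded."""
    ident = e.get("userIdentity") or {}
    return ident.get("type") == "Root" and "invokedBy" not in ident and e.get("eventType") != "AwsServiceEvent"


def iam_policy_change(e: Event) -> bool:
    return e.get("eventSource") == "iam.amazonaws.com" and e.get("eventName") in IAM_POLICY_APIS


def trail_config_change(e: Event) -> bool:
    return e.get("eventSource") == "cloudtrail.amazonaws.com" and e.get("eventName") in TRAIL_CONFIG_APIS


def kms_key_disable_or_deletion(e: Event) -> bool:
    return e.get("eventSource") == "kms.amazonaws.com" and e.get("eventName") in {"DisableKey", "ScheduleKeyDeletion"}


RULES: Dict[str, Callable[[Event], bool]] = {
    "unauthorized_api_call": unauthorized_api_call,
    "console_auth_failure": console_auth_failure,
    "console_login_without_mfa": console_login_without_mfa,
    "root_usage": root_usage,
    "iam_policy_change": iam_policy_change,
    "trail_config_change": trail_config_change,
    "kms_key_disable_or_deletion": kms_key_disable_or_deletion,
}


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """(rule name, eventID) for every rule an event matches, in event order."""
    return [(name, str(e.get("eventID"))) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed events: one per rule, plus a service-initiated root event and an AccessDenied read.
SAMPLE_EVENTS: List[Event] = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e2", "eventName": "AttachUserPolicy", "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e3", "eventName": "StopLogging", "eventType": "AwsApiCall", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "e4", "eventName": "DescribeInstances", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e5", "eventName": "ScheduleKeyDeletion", "eventType": "AwsApiCall", "eventSource": "kms.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e6", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventID": "e7", "eventName": "CreateSnapshot", "eventType": "AwsServiceEvent", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
    {"eventID": "e8", "eventName": "GetObject", "eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"}, "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

Event e1 fires two rules at once (root signed in without MFA), which is exactly the kind of overlap you want in practice: each guide's alarm is independent, so a single event can and should raise several. Event e7 shows why the root rule excludes service events: AWS performing work on root's behalf is not a person using root credentials.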
Networking
Find AWS API Gateways Without Authorizers
If no authorizer (for example IAM, Cognito, or a Lambda authorizer) is defined on an API method, anyone who can reach the endpoint can invoke it.
Find AWS API Gateways Without SSL Client Authentication
Without client certificate authentication, the receiving side cannot verify that requests originate from an authorized client, leaving the API open to spoofed requests, man-in-the-middle attacks, and similar risks.
Find AWS API Gateways Without WAF ACLs
An AWS WAF web ACL attached to an internet-reachable API filters common attack traffic (such as injection attempts and request floods) before it reaches the backend, reducing the attack surface and the risk of service abuse.
Find AWS EC2 Network ACLs Allowing All IPv4 Inbound Traffic
A network ACL that allows all inbound IPv4 traffic from 0.0.0.0/0 provides no subnet-level filtering, so security groups become the only control. Even behind a perimeter firewall, this lets any user or malware with VPC access scan for well-known and sensitive ports and reach instances.
Find AWS EC2 Network ACLs Allowing All IPv6 Inbound Traffic
A network ACL that allows all inbound IPv6 traffic from ::/0 provides no subnet-level filtering, so security groups become the only control. IPv6 rules are easily overlooked when only IPv4 rules are reviewed, leaving the same exposure to scanning and access from anything with VPC connectivity.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default Cassandra Ports
Allowing inbound traffic from any source (0.0.0.0/0 or ::/0) to the default Cassandra ports (7000/7001 inter-node, 9042 CQL, 9160 Thrift) exposes the cluster to the whole internet; restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default FTP Ports
Allowing inbound traffic from any source to the default FTP ports (20 and 21) exposes a service that transmits credentials in clear text to the whole internet; prefer SFTP and restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default Kafka Ports
Allowing inbound traffic from any source to the default Kafka broker port (9092) lets anyone on the internet produce to or consume from the brokers; restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default Kibana Ports
Allowing inbound traffic from any source to the default Kibana port (5601) exposes the dashboard, and the data behind it, to the whole internet; restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default Memcached Ports
Allowing inbound traffic from any source to the default Memcached port (11211) exposes an unauthenticated cache to the internet and makes the host usable for amplification attacks; restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default MongoDB Ports
Allowing inbound traffic from any source to the default MongoDB ports (27017 to 27019) exposes the database to the whole internet; restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default MySQL Ports
Allowing inbound traffic from any source to the default MySQL port (3306) exposes the database to password guessing and exploitation from the whole internet; restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default Oracle Database Ports
Allowing inbound traffic from any source to the default Oracle listener port (1521) exposes the database to the whole internet; restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default PostgreSQL Ports
Allowing inbound traffic from any source to the default PostgreSQL port (5432) exposes the database to the whole internet; restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default RDP Ports
Allowing inbound traffic from any source to the default RDP port (3389) exposes Windows logins to brute-force attacks and protocol exploits from the whole internet; restrict the rule to known sources or use a bastion or Session Manager.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default Redis Ports
Allowing inbound traffic from any source to the default Redis port (6379) exposes a service that has no authentication by default to the whole internet; restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default SQL Server Ports
Allowing inbound traffic from any source to the default SQL Server port (1433) exposes the database to the whole internet; restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default SSH Ports
Allowing inbound traffic from any source to the default SSH port (22) exposes logins to brute-force attacks from the whole internet; restrict the rule to known sources or use a bastion or Session Manager.
Find AWS EC2 Security Groups Allowing All Inbound Traffic on Default Telnet Ports
Allowing inbound traffic from any source to the default Telnet port (23) exposes an unencrypted remote shell to the whole internet; disable Telnet in favour of SSH and restrict the rule to known sources.
Find AWS EC2 Security Groups Allowing All Inbound Traffic
A security group that allows all protocols and ports from any source makes every listening service on the instance reachable from the internet; allow only the specific ports and sources each workload needs.
Find AWS EC2 Security Groups Allowing All IPv4 Inbound Traffic
A security group rule allowing all traffic from 0.0.0.0/0 exposes every listening service to the entire IPv4 internet; allow only the specific ports and sources each workload needs.
Find AWS EC2 Security Groups Allowing All IPv6 Inbound Traffic
A security group rule allowing all traffic from ::/0 exposes every listening service to the entire IPv6 internet. IPv6 rules are easily overlooked when only IPv4 rules are reviewed.
Find AWS VPCs with Default Security Groups Allowing All Inbound Traffic
The default security group of every VPC should allow no traffic at all, because instances launched without an explicit group inherit it. Even behind a perimeter firewall, an open default group lets any user or malware with VPC access scan for well-known and sensitive ports and reach instances.
Find AWS VPCs with Overly Permissive Peering Routing Tables
Being highly selective in peering routing tables is a very effective way of minimizing the impact of a breach, as resources outside of these routes are inaccessible to the peered VPC.
Find Overly Permissive AWS EC2 Security Groups
Overly permissive security groups (wide port ranges or any-source rules) increase the attack surface; each rule should name the narrowest port range and source the workload needs.
Find Public AWS EC2 Instances with Instance Profiles
Exposing an EC2 instance directly to the internet increases the attack surface and therefore the risk of compromise. When the instance also carries an instance profile, a compromise (for example through server-side request forgery against the instance metadata service) yields AWS credentials with the role's permissions.
Find Public AWS EC2 Instances
Exposing an EC2 instance directly to the internet increases the attack surface and therefore the risk of compromise; put instances behind a load balancer or in private subnets where possible.
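The security group checks in this section (any-source rules on the default ports of the services listed above, groups allowing all inbound traffic, and open default groups) share one piece of logic: does a rule's port range cover a sensitive port, and is its source the whole internet. The following added example (not code from these guides) implements that logic over constructed ec2:DescribeSecurityGroups-style records; the group IDs and rules are invented. The port table generalises the per-service guides above into one lookup.

```python
"""Security group audit for world-open sensitive ports and all-traffic rules.

Added example for this page, not the guides' own code. Input records mirror the
shape of ec2:DescribeSecurityGroups; the sample groups are constructed.
"""
from typing import Any, Dict, List

Group = Dict[str, Any]
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

# Default ports of the services the guides above cover.
SENSITIVE_PORTS: Dict[str, List[int]] = {
    "SSH": [22], "Telnet": [23], "FTP": [20, 21], "RDP": [3389],
    "MySQL": [3306], "PostgreSQL": [5432], "SQL Server": [1433], "Oracle Database": [1521],
    "MongoDB": [27017, 27018, 27019], "Redis": [6379], "Memcached": [11211],
    "Cassandra": [7000, 7001, 9042, 9160], "Kafka": [9092], "Kibana": [5601],
}


def _world_sources(perm: Dict[str, Any]) -> List[str]:
    """CIDR sources of a rule that mean 'everyone' (IPv4 and IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANY_SOURCE]


def _covers_port(perm: Dict[str, Any], port: int) -> bool:
    """IpProtocol -1 is all protocols and ports and carries no FromPort/ToPort."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] not in ("tcp", "udp"):
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def exposed_services(group: Group) -> Dict[str, List[str]]:
    """Service name -> world sources whose rules reach that service's default ports."""
    found: Dict[str, List[str]] = {}
    for perm in group.get("IpPermissions", []):
        sources = _world_sources(perm)
        if not sources:
            continue
        for service, ports in SENSITIVE_PORTS.items():
            if any(_covers_port(perm, p) for p in ports):
                for src in sources:
                    if src not in found.setdefault(service, []):
                        found[service].append(src)
    return found


def allows_all_inbound(group: Group) -> List[str]:
    """World sources for which every protocol and port is open."""
    return [src for perm in group.get("IpPermissions", [])
            if perm["IpProtocol"] == "-1" for src in _world_sources(perm)]


def is_open_default_group(group: Group) -> bool:
    """The VPC default group should carry no inbound rules at all."""
    return group.get("GroupName") == "default" and bool(group.get("IpPermissions"))


def audit(groups: List[Group]) -> List[str]:
    findings = []
    for g in groups:
        tag = f"{g['GroupId']} ({g['GroupName']})"
        if is_open_default_group(g):
            findings.append(f"{tag}: default security group has inbound rules")
        open_all = allows_all_inbound(g)
        if open_all:
            findings.append(f"{tag}: all inbound traffic allowed from {', '.join(open_all)}")
            continue  # per-service findings would only repeat this
        for service, sources in exposed_services(g).items():
            findings.append(f"{tag}: {service} open to {', '.join(sources)}")
    return findings


# Constructed groups: a sane web tier, a database group open to the world, an open default group.
SAMPLE_GROUPS: List[Group] = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27019, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_GROUPS):
        print(line)
```

Rules whose source is another security group (UserIdGroupPairs) are ignored here on purpose: they are not internet exposure. Ports 80 and 443 are also left out of the table, since a public web tier is normally intended; add them if your environment forbids direct exposure of instances.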
Storage
Find AWS RDS Instances Without Auto Minor Version Upgrade Enabled
Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs and therefore should be applied.
Find AWS S3 Buckets Missing Public Access Blocks
Without S3 Block Public Access enabled, a bucket policy or ACL can, deliberately or by mistake, make a sensitive data bucket readable by everyone; the block settings override such policies and ACLs.
Find AWS S3 Buckets Without MFA Delete Enabled
MFA Delete requires a valid MFA code to permanently delete an object version or change the bucket's versioning state, so compromised credentials or unauthorized access alone cannot destroy the data.
Find AWS S3 Buckets Without Secure Transport Policies
If HTTPS is not enforced in the bucket policy, communication between clients and S3 buckets can use unencrypted HTTP, so sensitive information could be transmitted in clear text over the network or internet. Enforce it with a bucket policy statement that denies all S3 actions when the aws:SecureTransport condition key is false.
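The weak bucket policy beside its corrected form, with a check that verifies the corrected one, as an added example (not code from these guides). The bucket name and account ID are invented. The check is deliberately strict: the Deny must apply to every principal and every S3 action, cover both the bucket ARN (bucket-level calls such as ListBucket) and the object ARN (GetObject, PutObject, ...), and key on Bool aws:SecureTransport = false; a Deny that forgets the object ARN still allows plaintext object reads and so fails.

```python
"""Bucket-policy check for enforced HTTPS, with the weak policy beside the corrected one.

Added example for this page, not the guides' own code. Bucket name and
account ID are invented.
"""
import copy
from typing import Any, Dict, List

Policy = Dict[str, Any]


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def enforces_secure_transport(policy: Policy, bucket: str) -> bool:
    """True if some Deny statement blocks plaintext access to the bucket and its objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Deny":
            continue
        cond = (st.get("Condition") or {}).get("Bool") or {}
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {str(a).lower() for a in _as_list(st.get("Action"))}
        if not actions & {"*", "s3:*"}:
            continue
        resources = set(_as_list(st.get("Resource")))
        # Both ARNs matter: the bucket ARN covers bucket operations, bucket/* covers objects.
        if "*" in resources or {bucket_arn, bucket_arn + "/*"} <= resources:
            return True
    return False


def add_secure_transport_deny(policy: Policy, bucket: str) -> Policy:
    """Return a copy of `policy` with the HTTPS-only Deny appended (the original is untouched)."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = _as_list(fixed.get("Statement")) + [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }]
    return fixed


BUCKET = "example-data-bucket"  # invented

# Weak: grants an application role access but never forbids plaintext HTTP.
WEAK_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadWrite",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Common mistake: the Deny names only the bucket ARN, so object reads over HTTP still succeed.
PARTIAL_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureBucketOps",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{BUCKET}",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

# Corrected: the weak policy plus the complete Deny statement.
HARDENED_POLICY: Policy = add_secure_transport_deny(WEAK_POLICY, BUCKET)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("partial", PARTIAL_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "enforces HTTPS:", enforces_secure_transport(policy, BUCKET))
```

Because an explicit Deny wins over any Allow in IAM evaluation, appending the statement is safe regardless of what the existing Allow statements grant; it only removes plaintext access.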
Find Publicly Accessible AWS RDS Instances
Publicly accessible databases could expose sensitive data to bad actors. Place RDS instances in private subnets, disable the public accessibility setting, and reach them through the application tier or a bastion.
Find Unencrypted AWS EC2 Snapshots
Snapshots of unencrypted EBS volumes are themselves unencrypted, and only unencrypted snapshots can be made public. When you share a snapshot, you give others access to all the data on it, so share only with accounts that should have all of that data, and encrypt volumes so that their snapshots are encrypted too.
Find Unencrypted AWS EC2 Volumes
Data encryption at rest prevents data visibility in the event of its unauthorized access or theft.
Find Unencrypted AWS EFS File Systems
EFS file systems should be encrypted at rest to prevent exposure of sensitive data to bad actors.
Find Unencrypted AWS RDS Storage Volumes
Without storage encryption, data at rest in the database and in its automated backups, snapshots, and read replicas is unprotected. Encryption can only be chosen when an instance is created; to encrypt an existing instance, take a snapshot, copy it with encryption enabled, and restore from the copy.
Find Unencrypted AWS S3 Buckets
Amazon S3 provides a way to set the default encryption behavior for a bucket to ensure data is encrypted at rest. S3 now applies SSE-S3 encryption to new objects by default; this check remains useful for older buckets and for buckets that should use SSE-KMS with a customer managed key.