Security Cipher

Security Cipher

S3
IAM
EC2
EBS
ELB
VPC
CloudTrail
RDS
SNS
KMS
Lambda
AWS Config
GuardDuty
Route 53
EKS
SQS
DynamoDB
CloudFront
ElastiCache
Redshift
Backups
Workspace
Services NameFindings NameDescription
IAM (Identity and Access Management)MFA is not enabled for Root AccountEnsure Multi-Factor Authentication (MFA) is enabled for the AWS root account.
IAM (Identity and Access Management)MFA is not enabled for IAM UsersEnsure Multi-Factor Authentication (MFA) is enabled for all AWS IAM users with AWS Console access.
IAM (Identity and Access Management)Multiple Access Keys exists for IAM UsersDetects when a canary token access key has been used
IAM (Identity and Access Management)Cross-Account Access Lacks External ID and MFAEnsure cross-account IAM roles use either MFA or external IDs to secure the access to AWS resources.
IAM (Identity and Access Management)Lack of Access Key RotationEnsure AWS IAM access keys are rotated on a periodic basis as a security best practice (90 Days).
IAM (Identity and Access Management)Password Expiration is DisabledEnsure AWS Identity and Access Management (IAM) user passwords are reset before expiration (90 Days).
IAM (Identity and Access Management)Weak Password Policy ( AWS Default password policy) is set for the AWS accountEnsure AWS account has an IAM strong password policy in use
IAM (Identity and Access Management)Weak IAM Server Certificate in useEnsure that all your SSL/TLS certificates are using either 2048 or 4096 bit RSA keys instead of 1024-bit keys.
IAM (Identity and Access Management)IAM Role Policy are Too PermissiveEnsure AWS IAM policies attached to IAM roles are not too permissive.
IAM (Identity and Access Management)IAM Access Analyzer is not EnabledEnsure that IAM Access Analyzer feature is enabled to maintain access security to your AWS resources.
IAM (Identity and Access Management)Pre-Heartbleed Server CertificatesEnsure that your server certificates are not vulnerable to Heartbleed security bug.
IAM (Identity and Access Management)Root Account Access Keys PresentEnsure that your AWS account (root) is not using access keys as a security best practice.
IAM (Identity and Access Management)Lack of SSH Public Keys RotationEnsure IAM SSH public keys are rotated on a periodic basis to adhere to AWS security best practices.
IAM (Identity and Access Management)SSL/TLS Certificate is about to ExpireEnsure SSL/TLS certificates are renewed before their expiration.
IAM (Identity and Access Management)Security Challenge Question not EnabledEnsure security challenge questions are enabled and configured to improve the security of your AWS account.
IAM (Identity and Access Management)Security Contact Information is not RegisteredEnsure alternate contacts are set to improve the security of your AWS account.
IAM (Identity and Access Management)AWS Multi-Account are managed centrally via Identity Federation or AWS OrganizationSet up, organize and manage your AWS accounts for optimal security and manageability.
IAM (Identity and Access Management)Root Account Recently usedEnsure root account credentials have not been used recently to access your AWS account.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)Overbroad Ingress Rules for Security GroupsEnsure no EC2 security group allows unrestricted inbound access to any uncommon ports.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)EC2 Instance Termination Protection is not EnabledEnsure Termination Protection feature is enabled for EC2 instances that are not part of ASGs.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)AMIs are Publicaly SharedEnsure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)Golden/Approved AMIs not in UseEnsure all AWS EC2 instances are launched from approved AMIs.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)Amazon EBS Snapshots are Publicly AccessibleEnsure that your Amazon EBS volume snapshots are not accessible to all AWS accounts.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)Amazon EBS Volumes Encryption is not enabledEnsure that existing Elastic Block Store (EBS) attached volumes are encrypted to meet security and compliance requirements.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)Amazon EBS Snapshots Encryption is not enabledEnsure Amazon EBS snapshots are encrypted to meet security and compliance requirements.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)KMS Customer Master Keys is not used for EBS Volume EncryptionEnsure EBS volumes are encrypted with KMS CMKs in order to have full control over data encryption and decryption.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)Weak Cryptographic Controls for ELBEnsure AWS Application Load Balancers (ALBs) are using the latest predefined security policy.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)Load Balancer is not Integrated with AWS WAFEnsure that WAF ACL is integrated with Elastic Load Balancer
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)ELB uses In-secure protocolsEnsure that your Application Load Balancer (ALB) listeners are using a secure protocol such as HTTPS.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)ELB Deletion Protection DisabledEnsure Deletion Protection feature is enabled for your AWS load balancers to follow security best practices.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)Access logging disabled for ELBEnsure access logging is enabled for your AWS ALBs to follow security best practices.
Virtual Private Cloud(VPC)VPC Flow Logs DisabledEnsure Virtual Private Cloud (VPC) Flow Logs feature is enabled in all applicable AWS regions.
Simple Storage Service (S3)Overbroad S3 Access ControlEnsure that your AWS S3 buckets are not publicly exposed to the Internet.
Simple Storage Service (S3)Cross-Account Access for S3 BucketsEnsure Amazon S3 buckets do not allow unknown cross account access via bucket policies.
Simple Storage Service (S3)Server-Side Encryption is not Enabled for S3Ensure AWS S3 buckets enforce Server-Side Encryption (SSE)
Simple Storage Service (S3)KMS Customer Master Keys is not used for S3 Buckets EncryptionEnsure that Amazon S3 buckets are encrypted with customer-provided AWS KMS CMKs
Simple Storage Service (S3)Versioning and Multi-Factor Delete is not Enabled on S3 bucketsEnsure AWS S3 buckets have the MFA Delete feature enabled. Ensure AWS S3 object versioning is enabled for an additional level of data protection.
Simple Storage Service (S3)Access Logging Disabled for S3Ensure AWS S3 buckets have server access logging enabled to track access requests.
Simple Storage Service (S3)Secure Transport is Not Enabled on S3Ensure AWS S3 buckets enforce SSL to secure data in transit
Cloud TrailCloudTrail Log Encryption DisabledEnsure your AWS CloudTrail logs are encrypted using AWS KMS–Managed Keys (SSE-KMS).
Cloud TrailKMS Customer Master Keys is not used for CloudTrail EncryptionEnsure that KMS master keys are used for CloudTrail Encryption
Cloud TrailCloudTrail Log File Validation is DisabledEnsure your AWS CloudTrail trails have log file integrity validation enabled.
Cloud TrailCloudTrail is not integrated with CloudWatchEnsure CloudTrail event monitoring with CloudWatch is enabled.
CloudWatchNo Security Incident Alarm exist for AWS ServicesEnsure that Security Incident Alarms are created in CloudWatch
Relational Database Service (RDS)RDS Database instance are Publicly accessibleEnsure RDS database instances are not publicly accessible and prone to security risks.
Relational Database Service (RDS)Deletion protection is not Enabled for RDS InstanceEnsure Deletion Protection feature is enabled for your AWS RDS database instances.
Relational Database Service (RDS)RDS Automated Backup is not enabledEnsure that Automated Backups are created for the RDS Instances
Relational Database Service (RDS)RDS Instance Encryption is not EnabledEnsure AWS RDS instances are encrypted to meet security and compliance requirements.
Relational Database Service (RDS)KMS Customer Master Keys is not used for RDS Instance EncryptionEnsure RDS instances are encrypted with KMS CMKs in order to have full control over data encryption and decryption.
Relational Database Service (RDS)RDS Snapshots Encryption is not EnabledEnsure that AWS RDS snapshots are encrypted to meet security and compliance requirements.
Relational Database Service (RDS)RDS Snapshots Publicly accessibleEnsure that your Amazon RDS database snapshots are not accessible to all AWS accounts.
Relational Database Service (RDS)RDS Log Exports is not Enabled (RDS MySQL, Aurora and MariaDB)Ensure Log Exports feature is enabled for your AWS RDS MySQL, Aurora and MariaDB database instances.
Relational Database Service (RDS)IAM Database Authentication is not Enabled for RDS InstancesEnsure IAM Database Authentication feature is enabled for your AWS RDS MySQL and PostgreSQL database instances.
Relational Database Service (RDS)RDS Auto Minor Version Upgrade Not EnabledEnsure AWS RDS instances have the Auto Minor Version Upgrade feature enabled.
Relational Database Service (RDS)RDS Database Instance not updatedEnsure that the RDS Instance is Updated
Relational Database Service (RDS)RDS Automated Backup is not enabledEnsure AWS RDS instances have Automated Backups feature enabled.
Relational Database Service (RDS)RDS Secure Transport is not Enabled (SQL Server, PostgreSQL)Ensure AWS RDS SQL Server instances have Transport Encryption feature enabled.
Relational Database Service (RDS)RDS Backup Retention Period is not enoughEnsure AWS RDS instances have sufficient backup retention period for compliance purposes.
Relational Database Service (RDS)SSL/TLS Certificates Already Expired for RDSEnsure that RDS Instance is using the updated SSL Certificate
Relational Database Service (RDS)RDS not using Multi-AZ deploymentEnsure AWS RDS clusters have the Multi-AZ feature enabled.
Simple Notification Service (SNS)Cross-Account Access for SNS TopicsEnsure Amazon SNS topics do not allow unknown cross account access.
Simple Notification Service (SNS)SNS Topics Exposed to EveryoneEnsure that AWS Simple Notification Service (SNS) topics are not exposed to everyone.
Simple Notification Service (SNS)Server-Side Encryption is Not Enabled for AWS SNS TopicsEnsure that Amazon SNS topics enforce Server-Side Encryption (SSE).
Simple Notification Service (SNS)KMS Customer Master Keys is not used for SNS Topics EncryptionEnsure that Amazon SNS topics are encrypted with KMS Customer Master Keys (CMKs).
Key Management Service (KMS)Lack of KMS Key RotationEnsure KMS key rotation feature is enabled for all your Customer Master Keys (CMK).
Key Management Service (KMS)AWS Keys Exposed to EveryoneEnsure Amazon KMS master keys are not exposed to everyone.
Key Management Service (KMS)Cross-Account Access for KMS ServiceEnsure Amazon KMS master keys do not allow unknown cross account access.
LambdaCode Signing is not Enabled for Lambda FunctionsEnsure that Code Signing is enabled for your Amazon Lambda functions.
LambdaLambda Runtime Environment Version is not LatestEnsure that the latest version of the runtime environment is used for your AWS Lambda functions.
LambdaCross-Account Access for Lambda Functions QueuesEnsure AWS Lambda functions do not allow unknown cross account access via permission policies.
LambdaLambda Function Exposed to EveryoneEnsure that your Amazon Lambda functions are not exposed to everyone.
LambdaLambda Environment Variables are not EncryptedEnsure encryption is enabled for the AWS Lambda environment variables that store sensitive information.
LambdaKMS Customer Master Keys is not used for Lambda Environment Variables EncryptionEnsure Lambda environment variables are encrypted with KMS Customer Master Keys (CMKs) to gain full control over data encryption and decryption.
AWS ConfigAWS Config Not UsedEnsure AWS Config is enabled in all regions to get the optimal visibility of the activity on your account.
AWS ConfigValidate AWS Config RulesValidate the AWS Config Rules and check for NonCompliant Rules
AWS GuardDutyAWS GuardDuty Not UsedEnsure Amazon GuardDuty is enabled to help you protect your AWS accounts and workloads against security threats.
AWS GuardDutyValidate the AWS GuardDuty FindingsAlways validate the findings that are reported by GuardDuty
Route 53Route 53 Domain Transfer Lock is not EnabledEnsure your domain names have the Transfer Lock feature enabled in order to keep them secure.
Route 53SPF Record not PresentEnsure there is an SPF record set for each MX DNS record in order to stop spammers from spoofing your domains.
Route 53Route53 Domains Already ExpiredEnsure expired AWS Route 53 domains names are restored.
Route 53Route53 Domains are about to ExpireEnsure AWS Route 53 domain names are renewed before their expiration (90 days before expiration).
Route 53DNSSEC Signing for Route 53 Hosted Zones is not EnabledEnsure that DNSSEC signing is enabled for your Amazon Route 53 Hosted Zones.
Elastic Kubernetes Service (EKS)EKS Secret Encryption is not EnabledEnsure that envelope encryption of Kubernetes secrets using Amazon KMS is enabled.
Elastic Kubernetes Service (EKS)Kubernetes Cluster Logging is not EnabledEnsure that EKS control plane logging is enabled for your Amazon EKS clusters.
Elastic Kubernetes Service (EKS)Kubernetes Cluster Version is not UpdatedEnsure that the latest version of Kubernetes is installed on your Amazon EKS clusters.
Elastic Kubernetes Service (EKS)Cluster Endpoints are Publicly accessibleEnsure that AWS EKS cluster endpoint access is not public and prone to security risks.
Simple Queue Service (SQS)Server-Side Encryption is not Enabled for SQS QueuesEnsure Amazon SQS queues enforce Server-Side Encryption (SSE).
Simple Queue Service (SQS)KMS Customer Master Keys is not used for SQS Queue EncryptionEnsure SQS queues are encrypted with KMS CMKs to gain full control over data encryption and decryption.
Simple Queue Service (SQS)SQS Queue Exposed to EveryoneEnsure that AWS Simple Queue Service (SQS) queues are not exposed to everyone.
Simple Queue Service (SQS)Cross-Account Access for SQS QueuesEnsure AWS Simple Queue Service (SQS) queues do not allow unknown cross account access.
DynamoDBContinuous Backup is Not Enabled for DynamoDBEnsure that continous backup is enabld for all the DynamoDB
DynamoDBKMS Customer Master Keys is not used for DynamoDB Table EncryptionEnsure that for all the DynamoDB tables are using KMS Customers Master Keys for encryption
AWS BackupsAWS Backup Vault is Not Prevented from Accidental DeletionEnsure that Accidental Deletion is enabled for AWS Backup Vault
RedShiftRedshift Cluster is publicly accessibleEnsure that Redshift Cluster is not publicly accessible
WorkSpacesWorkspaces Volume Encryption is not EnabledEnsure that the volume encryption is enabled for all the Workspaces
ElastiCacheOlder Version of ElastiCache Engine in UseEnsure that you are not using an older version of elasticache and use the latest version that is available
ElastiCacheElastiCache Redis cluster In-Transit and At-rest Encryption not enabledEnsure that redis clusters data In-transit and At-rest encryptions are enabled
CloudFrontAccess logging disabled for CloudFrontEnsure that access logging is enabled for Cloudfront
CloudFrontWAF is Not Enabled in CloudFrontEnsure that WAF is enabled for all the available Cloudfront
CloudFrontTLSv1.0 Supported by CloudFront DistributionEnsure that you are using latest TLS version for all Cloudfront
Services NameFindings NameDescription
IAM (Identity and Access Management)MFA is not enabled for Root AccountEnsure Multi-Factor Authentication (MFA) is enabled for the AWS root account.
MFA is not enabled for IAM UsersEnsure Multi-Factor Authentication (MFA) is enabled for all AWS IAM users with AWS Console access.
Multiple Access Keys exists for IAM UsersDetects when a canary token access key has been used
Cross-Account Access Lacks External ID and MFAEnsure cross-account IAM roles use either MFA or external IDs to secure the access to AWS resources.
Lack of Access Key RotationEnsure AWS IAM access keys are rotated on a periodic basis as a security best practice (90 Days).
Password Expiration is DisabledEnsure AWS Identity and Access Management (IAM) user passwords are reset before expiration (90 Days).
Weak Password Policy ( AWS Default password policy) is set for the AWS accountEnsure AWS account has an IAM strong password policy in use
Weak IAM Server Certificate in useEnsure that all your SSL/TLS certificates are using either 2048 or 4096 bit RSA keys instead of 1024-bit keys.
IAM Role Policy are Too PermissiveEnsure AWS IAM policies attached to IAM roles are not too permissive.
IAM Access Analyzer is not EnabledEnsure that IAM Access Analyzer feature is enabled to maintain access security to your AWS resources.
Pre-Heartbleed Server CertificatesEnsure that your server certificates are not vulnerable to Heartbleed security bug.
Root Account Access Keys PresentEnsure that your AWS account (root) is not using access keys as a security best practice.
Lack of SSH Public Keys RotationEnsure IAM SSH public keys are rotated on a periodic basis to adhere to AWS security best practices.
SSL/TLS Certificate is about to ExpireEnsure SSL/TLS certificates are renewed before their expiration.
Security Challenge Question not EnabledEnsure security challenge questions are enabled and configured to improve the security of your AWS account.
Security Contact Information is not RegisteredEnsure alternate contacts are set to improve the security of your AWS account.
AWS Multi-Account are managed centrally via Identity Federation or AWS OrganizationSet up, organize and manage your AWS accounts for optimal security and manageability.
Root Account Recently usedEnsure root account credentials have not been used recently to access your AWS account.
Elastic Compute Cloud (EC2) , Elastic Blob Storage (EBS), Elastic Load Balancer V2 (ELBv2)Overbroad Ingress Rules for Security GroupsEnsure no EC2 security group allows unrestricted inbound access to any uncommon ports.
EC2 Instance Termination Protection is not EnabledEnsure Termination Protection feature is enabled for EC2 instances that are not part of ASGs.
AMIs are Publicaly SharedEnsure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts.
Golden/Approved AMIs not in UseEnsure all AWS EC2 instances are launched from approved AMIs.
Amazon EBS Snapshots are Publicly AccessibleEnsure that your Amazon EBS volume snapshots are not accessible to all AWS accounts.
Amazon EBS Volumes Encryption is not enabledEnsure that existing Elastic Block Store (EBS) attached volumes are encrypted to meet security and compliance requirements.
Amazon EBS Snapshots Encryption is not enabledEnsure Amazon EBS snapshots are encrypted to meet security and compliance requirements.
KMS Customer Master Keys is not used for EBS Volume EncryptionEnsure EBS volumes are encrypted with KMS CMKs in order to have full control over data encryption and decryption.
Weak Cryptographic Controls for ELBEnsure AWS Application Load Balancers (ALBs) are using the latest predefined security policy.
Load Balancer is not Integrated with AWS WAFEnsure that WAF ACL is integrated with Elastic Load Balancer
ELB uses In-secure protocolsEnsure that your Application Load Balancer (ALB) listeners are using a secure protocol such as HTTPS.
ELB Deletion Protection DisabledEnsure Deletion Protection feature is enabled for your AWS load balancers to follow security best practices.
Access logging disabled for ELBEnsure access logging is enabled for your AWS ALBs to follow security best practices.
Virtual Private Cloud(VPC)VPC Flow Logs DisabledEnsure Virtual Private Cloud (VPC) Flow Logs feature is enabled in all applicable AWS regions.
Simple Storage Service (S3)Overbroad S3 Access ControlEnsure that your AWS S3 buckets are not publicly exposed to the Internet.
Cross-Account Access for S3 BucketsEnsure Amazon S3 buckets do not allow unknown cross account access via bucket policies.
Server-Side Encryption is not Enabled for S3Ensure AWS S3 buckets enforce Server-Side Encryption (SSE)
KMS Customer Master Keys is not used for S3 Buckets EncryptionEnsure that Amazon S3 buckets are encrypted with customer-provided AWS KMS CMKs
Versioning and Multi-Factor Delete is not Enabled on S3 bucketsEnsure AWS S3 buckets have the MFA Delete feature enabled. Ensure AWS S3 object versioning is enabled for an additional level of data protection.
Access Logging Disabled for S3Ensure AWS S3 buckets have server access logging enabled to track access requests.
Secure Transport is Not Enabled on S3Ensure AWS S3 buckets enforce SSL to secure data in transit
Cloud TrailCloudTrail Log Encryption DisabledEnsure your AWS CloudTrail logs are encrypted using AWS KMS–Managed Keys (SSE-KMS).
KMS Customer Master Keys is not used for CloudTrail EncryptionEnsure that KMS master keys are used for CloudTrail Encryption
CloudTrail Log File Validation is DisabledEnsure your AWS CloudTrail trails have log file integrity validation enabled.
CloudTrail is not integrated with CloudWatchEnsure CloudTrail event monitoring with CloudWatch is enabled.
CloudWatchNo Security Incident Alarm exist for AWS ServicesEnsure that Security Incident Alarms are created in CloudWatch
Relational Database Service (RDS)RDS Database instance are Publicly accessibleEnsure RDS database instances are not publicly accessible and prone to security risks.
Deletion protection is not Enabled for RDS InstanceEnsure Deletion Protection feature is enabled for your AWS RDS database instances.
RDS Automated Backup is not enabledEnsure that Automated Backups are created for the RDS Instances
RDS Instance Encryption is not EnabledEnsure AWS RDS instances are encrypted to meet security and compliance requirements.
KMS Customer Master Keys is not used for RDS Instance EncryptionEnsure RDS instances are encrypted with KMS CMKs in order to have full control over data encryption and decryption.
RDS Snapshots Encryption is not EnabledEnsure that AWS RDS snapshots are encrypted to meet security and compliance requirements.
RDS Snapshots Publicly accessibleEnsure that your Amazon RDS database snapshots are not accessible to all AWS accounts.
RDS Log Exports is not Enabled (RDS MySQL, Aurora and MariaDB)Ensure Log Exports feature is enabled for your AWS RDS MySQL, Aurora and MariaDB database instances.
IAM Database Authentication is not Enabled for RDS InstancesEnsure IAM Database Authentication feature is enabled for your AWS RDS MySQL and PostgreSQL database instances.
RDS Auto Minor Version Upgrade Not EnabledEnsure AWS RDS instances have the Auto Minor Version Upgrade feature enabled.
RDS Database Instance not updatedEnsure that the RDS Instance is Updated
RDS Automated Backup is not enabledEnsure AWS RDS instances have Automated Backups feature enabled.
RDS Secure Transport is not Enabled (SQL Server, PostgreSQL)Ensure AWS RDS SQL Server instances have Transport Encryption feature enabled.
RDS Backup Retention Period is not enoughEnsure AWS RDS instances have sufficient backup retention period for compliance purposes.
SSL/TLS Certificates Already Expired for RDSEnsure that RDS Instance is using the updated SSL Certificate
RDS not using Multi-AZ deploymentEnsure AWS RDS clusters have the Multi-AZ feature enabled.
Simple Notification Service (SNS)Cross-Account Access for SNS TopicsEnsure Amazon SNS topics do not allow unknown cross account access.
SNS Topics Exposed to EveryoneEnsure that AWS Simple Notification Service (SNS) topics are not exposed to everyone.
Server-Side Encryption is Not Enabled for AWS SNS TopicsEnsure that Amazon SNS topics enforce Server-Side Encryption (SSE).
KMS Customer Master Keys is not used for SNS Topics EncryptionEnsure that Amazon SNS topics are encrypted with KMS Customer Master Keys (CMKs).
Key Management Service (KMS)Lack of KMS Key RotationEnsure KMS key rotation feature is enabled for all your Customer Master Keys (CMK).
AWS Keys Exposed to EveryoneEnsure Amazon KMS master keys are not exposed to everyone.
Cross-Account Access for KMS ServiceEnsure Amazon KMS master keys do not allow unknown cross account access.
LambdaCode Signing is not Enabled for Lambda FunctionsEnsure that Code Signing is enabled for your Amazon Lambda functions.
Lambda Runtime Environment Version is not LatestEnsure that the latest version of the runtime environment is used for your AWS Lambda functions.
Cross-Account Access for Lambda Functions QueuesEnsure AWS Lambda functions do not allow unknown cross account access via permission policies.
Lambda Function Exposed to EveryoneEnsure that your Amazon Lambda functions are not exposed to everyone.
Lambda Environment Variables are not EncryptedEnsure encryption is enabled for the AWS Lambda environment variables that store sensitive information.
KMS Customer Master Keys is not used for Lambda Environment Variables EncryptionEnsure Lambda environment variables are encrypted with KMS Customer Master Keys (CMKs) to gain full control over data encryption and decryption.
AWS ConfigAWS Config Not UsedEnsure AWS Config is enabled in all regions to get the optimal visibility of the activity on your account.
Validate AWS Config RulesValidate the AWS Config Rules and check for NonCompliant Rules
AWS GuardDutyAWS GuardDuty Not UsedEnsure Amazon GuardDuty is enabled to help you protect your AWS accounts and workloads against security threats.
Validate the AWS GuardDuty FindingsAlways validate the findings that are reported by GuardDuty
Route 53Route 53 Domain Transfer Lock is not EnabledEnsure your domain names have the Transfer Lock feature enabled in order to keep them secure.
SPF Record not PresentEnsure there is an SPF record set for each MX DNS record in order to stop spammers from spoofing your domains.
Route53 Domains Already ExpiredEnsure expired AWS Route 53 domains names are restored.
Route53 Domains are about to ExpireEnsure AWS Route 53 domain names are renewed before their expiration (90 days before expiration).
DNSSEC Signing for Route 53 Hosted Zones is not EnabledEnsure that DNSSEC signing is enabled for your Amazon Route 53 Hosted Zones.
Elastic Kubernetes Service (EKS)EKS Secret Encryption is not EnabledEnsure that envelope encryption of Kubernetes secrets using Amazon KMS is enabled.
Kubernetes Cluster Logging is not EnabledEnsure that EKS control plane logging is enabled for your Amazon EKS clusters.
Kubernetes Cluster Version is not UpdatedEnsure that the latest version of Kubernetes is installed on your Amazon EKS clusters.
Cluster Endpoints are Publicly accessibleEnsure that AWS EKS cluster endpoint access is not public and prone to security risks.
Simple Queue Service (SQS)Server-Side Encryption is not Enabled for SQS QueuesEnsure Amazon SQS queues enforce Server-Side Encryption (SSE).
KMS Customer Master Keys is not used for SQS Queue EncryptionEnsure SQS queues are encrypted with KMS CMKs to gain full control over data encryption and decryption.
SQS Queue Exposed to EveryoneEnsure that AWS Simple Queue Service (SQS) queues are not exposed to everyone.
Cross-Account Access for SQS QueuesEnsure AWS Simple Queue Service (SQS) queues do not allow unknown cross account access.
DynamoDBContinuous Backup is Not Enabled for DynamoDBEnsure that continous backup is enabld for all the DynamoDB
KMS Customer Master Keys is not used for DynamoDB Table EncryptionEnsure that for all the DynamoDB tables are using KMS Customers Master Keys for encryption
AWS BackupsAWS Backup Vault is Not Prevented from Accidental DeletionEnsure that Accidental Deletion is enabled for AWS Backup Vault
RedShiftRedshift Cluster is publicly accessibleEnsure that Redshift Cluster is not publicly accessible
WorkSpacesWorkspaces Volume Encryption is not EnabledEnsure that the volume encryption is enabled for all the Workspaces
ElastiCacheOlder Version of ElastiCache Engine in UseEnsure that you are not using an older version of elasticache and use the latest version that is available
ElastiCache Redis cluster In-Transit and At-rest Encryption not enabledEnsure that redis clusters data In-transit and At-rest encryptions are enabled
CloudFrontAccess logging disabled for CloudFrontEnsure that access logging is enabled for Cloudfront
WAF is Not Enabled in CloudFrontEnsure that WAF is enabled for all the available Cloudfront
TLSv1.0 Supported by CloudFront DistributionEnsure that you are using latest TLS version for all Cloudfront