AWS Policy

Back to Top

Enable MFA for Root User

Risk: Critical

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
It is strongly recommended to enable Multi-Factor Authentication (MFA) for the Root Account in an AWS account because the Root Account has the highest level of privileges. MFA is an additional security measure that enhances the protection of user credentials. To authenticate successfully, users must have a registered device that generates a time-sensitive key and knowledge of their credentials, including their user name and password. When a user with MFA enabled signs in to an AWS website, they will be asked to provide their user name, password, and the authentication code generated by their registered AWS MFA device.

Resolution
Enable the MFA for ‘root’ account user

Encrypt EBS Volume

Risk: Critical

Target: Volume

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
To meet security and compliance standards, it is important to ensure that all your Amazon Elastic Block Store (EBS) volumes are encrypted. You can confidently store sensitive, confidential, and critical data on your EBS volumes by enabling encryption.

Resolution
Enable EBS Encryption

Encrypt EFS

Risk: Critical

Target: EFS

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
It is important to ensure that your Amazon EFS file systems are encrypted to meet security and compliance requirements. This provides transparent encryption of your data as it is being written and decrypted as it is being read, without requiring any extra effort from you or your applications. AWS KMS service manages the encryption keys, so there is no need to establish and maintain a secure key management infrastructure.

Encrypting your EFS file systems is strongly advised to safeguard your data and metadata against unauthorized access and fulfill your organization’s data-at-rest encryption compliance requirements.

Resolution
Encrypt EFS data at rest

Enable CloudTrail for Multi-Region

Risk: High

Target: Account

Compliance:

Description
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

Resolution
Creating, updating, and managing trails with the AWS Command Line Interface

Enable Validation for CloudTrail Log File

Risk: Critical

Target: CloudTrail

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling validation for CloudTrail log files is essential to maintain data integrity, ensure security, meet compliance requirements, establish accountability, support forensic analysis, and build trust. It helps detect unauthorized changes, comply with regulations, trace actions, and serves as a reliable source of information during security investigations.

Resolution
Enabling log file integrity validation for CloudTrail

Encrypt CloudTrail to use Key Management Service Customer Managed Keys

Risk: Medium

Target: CloudTrail

Compliance:

Description
Encrypting CloudTrail logs with KMS Customer Managed Keys is essential for enhanced security, control over encryption keys, compliance, auditing, key rotation, and granular access control. Using KMS CMKs provides greater protection for log data, ensures adherence to industry regulations, and allows for better key management and access control in AWS environments.

Resolution
Configure CloudTrail to use SSE KMS

Enable CloudTrail Global Services

Risk: High

Target: CloudTrail

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
To enhance the security and management of API activity in your AWS cloud account, ensure that your Amazon CloudTrail trails record regional and global events.

Resolution
Enable CloudTrail Global Services

Deny Public Access to CloudTrail logs

Risk: Critical

Target: CloudTrail

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Granting overly permissive or insecure permissions to your CloudTrail trail buckets may allow malicious users to gain access to your logging data, significantly heightening the risk of unauthorized access, potentially increasing it exponentially

Resolution
CloudTrail preventative security best practices

Integrate CloudTrail to CloudWatch

Risk: Critical

Target: CloudTrail

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Ensure that the CloudWatch Logs service is configured to monitor Amazon CloudTrail trail logs and notifies you when specific activity occurs. This enables you to respond quickly to critical events captured with Amazon CloudTrail and detected by CloudWatch Logs.

Resolution
Sending events to CloudWatch Logs

Deny Public Access to SSH Port 22

Risk: High

Target: SG

Compliance:

Description
Restricting internet access to the Security Group with SSH Port 22 enhances security by minimizing potential entry points for unauthorized users, controlling access, reducing the risk of brute force attacks, improving auditing and monitoring, and ensuring compliance with security policies.

Resolution
Update Security Group

Deny Public Access to RDP Port 3389

Risk: Critical

Target: SG

Description
Block public access to ports to prevent network attacks and abuse associated with common ports related to particular application and service protocols, such as RDP to port 3389.

Resolution
Update Security Group

Delete Unused Security Groups

Risk: High

Target: SG

Compliance:

Description
Deleting unused security groups in AWS is important to ensure security and effective management of AWS resources. Unused security groups can pose a security risk if they contain outdated or unnecessary rules or if they are created for temporary purposes and forgotten. They can also clutter the AWS environment and make it challenging to manage security groups effectively. Regularly reviewing and deleting unused security groups is a security best practice to help prevent unauthorized access and ensure AWS resources are secure and well-managed.

Resolution:
Delete unused Security Groups

Deny Public Access in Default Security Group

Risk: Critical

Target: SG

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
The default security groups on Amazon EC2 should restrict all inbound public traffic so that users (administrators, resource managers, etc.) are forced to create their security groups using the Principle of Least Privilege (POLP).

Resolution
Update Default Security Group

Deny Public Access to EBS Snapshots

Risk: Critical

Target: EBS Snapshot

Compliance:

Description
AWS EBS volume snapshots should be kept private for optimal data security to avoid the risk of unauthorized data access. Sharing snapshots with external accounts can pose a potential risk, as they can create volumes from it and gain access to sensitive information. It is therefore recommended to restrict public visibility or share them only with specific accounts.

Resolution
Make the snapshot private

Deny Public Access to Data Migration Service

Risk: Critical

Target: Data Migration Service

Compliance:

Description
To protect your private data and minimize security risks, it is important to ensure that your Amazon Database Migration Service (DMS) is not publicly accessible from the Internet. As long as both source and target databases are in the same network connected to the instance’s VPC through a VPN, VPC peering connection, or AWS Direct Connect dedicated connection, a DMS replication instance should have a private IP address and the Publicly Accessible feature disabled. This helps to ensure that your DMS is not exposed to external threats and keeps your data secure.

Resolution:
Security in AWS Database Migration Service

Deny Public Access to RDS Snapshot

Risk: High

Target: RDS Snapshot

Compliance:

Description
To ensure data security, denying public access to RDS snapshots is essential since they can contain sensitive information, such as database usernames, passwords, and data. Allowing public access could lead to data breaches, theft, or misuse, making controlling access to RDS snapshots necessary. Doing so reduces the risk of unauthorized access or data exposure, thus ensuring the data remains secure. It is crucial to grant access only to those who need it and follow the principle of least privilege while monitoring security measures.

Resolution
Make the snapshot private

Encrypt DocumentDB

Risk: High

Target: DocumentDB

Compliance:

Description
Enabling encryption for Amazon DocumentDB clusters protects data at rest from unauthorized access to the underlying storage and meets compliance requirements. It is recommended to activate encryption for your AWS DocumentDB (with MongoDB compatibility) clusters to bolster your data security and meet data-at-rest encryption compliance requirements. The encryption covers data elements including indexes, logs, replicas, and snapshots, and is managed by the DocumentDB service with minimal impact on performance.

Resolution
Encrypt DocumentDB

Encrypt DynamoDB Accelerator(DAX) Cluster

Risk: High

Target: DAX Cluster

Compliance:

Description

Enabling encryption at rest for Amazon DAX cache clusters ensures data protection for security-sensitive DynamoDB applications that have strict data protection requirements by organizational policies, industry, or government regulations. Server-Side Encryption is recommended to encrypt DAX cluster data at rest, including data in the cache, configuration data, and log files, and protect it from unauthorized access to the underlying storage. Enabling Server-Side Encryption integrates with AWS KMS to manage the default encryption key, adds no storage overhead, and has minimal impact on performance without requiring modifications to your applications.

Resolution
Encrypt data at-rest

Enable VPC Flow Logs for All VPCs

Risk: Critical

Target: VPC

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling VPC Flow Logs for all VPCs is important to monitor and analyze network traffic within a VPC environment, investigate security incidents, comply with regulatory requirements related to data protection and security, and improve overall security posture by identifying potential vulnerabilities and taking proactive measures to prevent security threats.

Resolution
Enable Flow Logs

Encrypt ElastiCache for Redis Data

Risk: Critical

Target: ElastiCache

Compliance:

Description
Securing sensitive data stored on Redis clusters and cache storage systems is essential to meet security and compliance requirements and keep Personally Identifiable Information safe. Data encryption helps ensure that unauthorized users cannot access the data, whether it is stored as data at rest or transmitted as data in transit.

ElastiCache for Redis has encryption at rest built-in and also allows for the implementation of customer-managed master keys through AWS Key Management Service (KMS). It is critical to encrypt your AWS ElastiCache Redis clusters to safeguard your information.

Resolution
Encrypt Data at Rest
Encrypt Data in Transit

Delete Expired ACM Certificates

Risk: High

Target: ACM Certificate

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
AWS Certificate Manager is a service provided by Amazon that allows for rapidly provisioning, managing, and deploying SSL/TLS certificates with other Amazon services, including CloudFront and ELB.

To follow Amazon Security Best Practices and avoid the deployment of invalid SSL/TLS certificates to Elastic Load Balancing (ELB) and other resources, it is essential to remove any expired certificates managed by AWS Certificate Manager. Otherwise, deploying such certificates can cause front-end errors and harm the credibility of the web application or website behind the ELB.

Resolution
Delete Certificate

Deny Public Access to HTTP Port 8080

Risk: Critical

Target: SG

Compliance:

Description
Preventing public access to specific ports, including port 8080, can enhance security by decreasing the probability of cyber-attacks, guaranteeing compliance with regulations and standards, decreasing expenses associated with data transfer, and avoiding unintentional disclosure of confidential information. By regulating access to ports, you can decrease your EC2 instance’s susceptibility to hacking and minimize the chances of unauthorized entry.

Resolution
Update EC2

Deny Public Access to NETBIOS Port 138

Risk: Critical

Target: SG

Compliance:

Description
TCP port 139 and UDP ports 137 and 138 are used for NetBIOS name resolution (i.e., mapping a NetBIOS name to an IP address) by the services such as File and Printer Sharing service running on Microsoft Windows Server OS. Allowing unrestricted NetBIOS access can increase opportunities for malicious activity such as man-in-the-middle attacks (MITM), Denial of Service (DoS) attacks, or BadTunnel exploits. Review the inbound rules of your EC2 security groups that allow unrestricted access (i.e., 0.0.0.0/0) on TCP port 139 and UDP ports 137 and 138. If such rules are found, restrict them to only trusted IP addresses or IP ranges that require it to implement the principle of least privilege and reduce the attack surface. This will ensure that only authorized traffic is allowed access.

Resolution:
Update EC2

Deny Public Access to HTTP Port 80

Risk: Critical

Target: SG

Compliance:

Description
To implement the principle of least privilege and minimize the risk of a security breach, it’s crucial to review the inbound rules in your EC2 security groups for TCP port 80 and ensure that only the necessary IP addresses are granted access. Allowing unrestricted HTTP access can lead to various malicious activities, including hacking, denial-of-service (DoS) attacks, and data loss. Therefore, it’s advisable to update your security groups’ inbound configuration to restrict HTTP access to specific entities, such as IP addresses or IP ranges.

Resolution
Update EC2

Deny Public Access to Redshift Attached Security Group

Risk: Critical

Target: Redshift

Compliance:

Description
Amazon Redshift clusters can be accessed through different methods, including the internet, EC2 Instances outside the VPC through VPN, bastion hosts in the public subnet, or the Publicly Accessible option. The Publicly Accessible option allows Redshift clusters to be fully accessible outside the VPC while disabling it can prevent external access. Allowing public access to Redshift clusters can increase the risk of malicious activities such as SQL injections or DDoS attacks, so evaluating the security implications and implementing security measures like network security and encryption methods is essential.

Resolution
Update Security Group

Deny Security Group Public Access on Memcached Port 11211

Risk: Critical

Target: SG

Compliance:

Description
Memcached is an open-source, high-performance, distributed memory object caching system that helps optimize dynamic websites and web applications by reducing database load.

Allowing unrestricted inbound access on TCP and/or UDP port 11211 (Memcached) to your Amazon EC2 instances can increase the risk of malicious activities such as DDoS amplification attacks, which can significantly impact the health and stability of your web services and applications.

To protect the Memcached cache server instances associated with your EC2 security groups and reduce the attack surface, check your Amazon EC2 security groups for inbound rules that allow unrestricted access (i.e., 0.0.0.0/0 or::/0) on TCP and/or UDP port 11211.

Resolution
Update EC2

Deny Security Group Public Access on Redis Port 6379

Risk: Critical

Target: SG

Compliance:

Description
Redis is an open-source, in-memory data structure store commonly used as a database, cache server, and message broker.
To prevent malicious activities such as cross-site scripting, remote code execution, and crypto-jacking attacks, it is important to restrict inbound access to TCP port 6379 (Redis) on your Amazon EC2 instances.

The security groups associated with your Redis cache server instances should be configured to limit communication to only those hosts or networks that require legitimate access. It is crucial to check your Amazon EC2 security groups for inbound rules that allow unrestricted access (i.e., 0.0.0.0/0 or::/0) on TCP port 6379 to minimize the risk of security breaches.

Resolution
Update your Security Group

Set the Rotation Period of IAM Access Keys to N Days

Risk: High

Target: IAM User (AWS)

Description
Updating Identity and Access Management (IAM) credentials periodically significantly lowers the probability of an undetected compromised access key is used to access parts of your AWS account. Make sure to rotate all IAM user access keys monthly, reducing the risk of unintentional exposure and safeguarding your AWS resources from unauthorized access.

Resolution
Rotate your keys

Deny Full Administrative Privileges to Customer Managed IAM Policy

Risk: High

Target: IAM Customer Managed Policy

Compliance: IAM Policy

Description
To secure AWS cloud resources, it’s important to set IAM policies with the minimum permissions required and gradually add more as needed instead of starting with full administrative privileges. This helps to restrict access and prevent undesired actions. IAM policies that provide full administrative privileges should be avoided to prevent potential attacks. It’s recommended to use the Principle of Least Privilege by creating and using IAM policies that provide the minimum set of actions required for task completion to ensure the security and privacy of AWS cloud resources.

Resolution
Update the customer-managed policy to revoke access

Detach Any Customer-Managed Policy with Full Access from IAM Role

Risk: High

Target: IAM Role

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
By detaching customer-managed policies with full access from IAM roles and adhering to the Principle of Least Privilege, you can enhance security, compliance, access control, and auditing while minimizing the impact of human errors. This practice involves granting only necessary actions for tasks, thus minimizing AWS cloud resource permissions, reducing risks, and protecting your resources from unwanted actions.

Resolution
Detach policy from role

Detach Any Customer-Managed Policy with Full Access from IAM User

Risk: Medium

Target: IAM User (AWS)

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
By detaching customer-managed policies with full access from IAM users and adhering to the Principle of Least Privilege, you can enhance security, compliance, access control, and auditing while minimizing the impact of human errors. This practice involves granting only necessary actions for tasks, thus minimizing AWS cloud resource permissions, reducing risks, and protecting your resources from unwanted actions.

Resolution
Detach policy from user or group

Configure Dedicated IAM Role for AWS Support Access

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring a dedicated IAM role for AWS Support access is important for maintaining security, enabling efficient troubleshooting, and ensuring proper access control. By creating a specific role for AWS Support, you can grant the necessary permissions for support personnel to resolve issues, while adhering to the Principle of Least Privilege and preventing unauthorized access to your AWS resources.

Resolution
Manage access to AWS Support Center

Enable Hardware MFA for Root Account

Risk: Critical

Target: Account

Compliance: CIS Google Cloud Platform Foundation Benchmark v1.3.0

Description
Enabling Hardware MFA for the root account adds an extra layer of security to protect the AWS account against unauthorized access. Hardware MFA devices provide an added level of security by generating a unique code that needs to be entered alongside the password. Using a hardware device for MFA reduces the risk of unauthorized access in case of a password compromise. It is strongly recommended to enable MFA for the root account and use hardware devices, which are considered more secure than other MFA options.

Resolution
Install and configure a hardware MFA device for the root account

Use Single Access Key for IAM User

Risk: Medium

Target: IAM User (AWS)

Compliance:

Description
Using a single access key for an IAM user is not a recommended best practice, as it can compromise security. However, organizations might use a single access key for simplified management, limited use cases, or small-scale environments. It is crucial to weigh the trade-offs and risks of using a single access key and determine if it suits a specific use case.

Resolution
Update to make the key inactive or delete the access keys which are no longer used

Delete Expired IAM Certificates

Risk: High

Target: IAM Certificate

Compliance:

Description
Deleting expired IAM certificates is essential for security, resource optimization, compliance, maintaining trust, and reducing confusion. By removing outdated certificates, you minimize security risks, simplify management, adhere to industry regulations, and ensure that only valid certificates are used within your AWS environment.

Resolution
Remove the expired IAM certificates

Remove Root User Account Access Key

Risk: High

Target: Account

Compliance:

Description
Removing the root user account access key in AWS is essential for security, following the principle of least privilege, separation of duties, auditing, monitoring, and compliance. Using IAM users and roles helps mitigate the risk of unauthorized access, human error, and insider threats while simplifying access management and meeting regulatory requirements.

Resolution
Delete Account access keys for Root user

Configure Log Metric Filter and Alarm for Unauthorized API Calls

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for unauthorized API calls is crucial for improving security, compliance, operational visibility, and incident response capabilities. It helps detect potential security threats, ensures compliance, provides insights, enables proactive alerts, and aids incident response. Overall, it is a best practice for safeguarding systems and data from unauthorized access, meeting compliance requirements, identifying operational anomalies, and responding to security incidents effectively.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for Management Console Sign in Without MFA

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for management console sign-in without multi-factor authentication (MFA) is essential for enhancing security, ensuring compliance, gaining operational visibility and enabling prompt incident response in your AWS environment. It helps detect unauthorized access attempts, demonstrate compliance, identify user behavior anomalies, and facilitate timely responses to security incidents. By monitoring and alerting on management console sign-in without MFA, you can proactively protect your AWS resources and data by enforcing an additional layer of authentication.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for Root Account Usage

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for root account usage in AWS is crucial for security, compliance, operational visibility, and incident response. It helps detect unauthorized activities, demonstrate compliance, gain insights into root account usage, and aid incident response efforts. Monitoring root account usage is a critical security best practice. It can help organizations protect their AWS resources from unauthorized access or misuse, comply with regulatory requirements, gain visibility into privileged account activities, and enable effective incident response.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for IAM Policy Changes

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for IAM policy changes is essential for effective monitoring, heightened security, detecting unauthorized activity, maintaining compliance, and ensuring accountability, all of which contribute to a secure and well-managed AWS environment.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for CloudTrail Configuration Changes

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for CloudTrail configuration changes is crucial for improved monitoring, enhanced security, compliance adherence, efficient troubleshooting, and increased accountability, contributing to a robust and well-managed AWS environment.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for AWS Management Console Authentication Failures

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for AWS Management Console authentication failures is crucial for maintaining security, compliance, operational efficiency, and cost optimization in your AWS environment. It helps you detect potential security breaches, meet compliance requirements, troubleshoot operational issues, and prevent misuse of AWS resources. Proactive monitoring and alerting on authentication failures enable early detection and response to potential incidents, ensuring the integrity and availability of your AWS resources and data.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for Disabling or Scheduled Deletion of Customer-Created CMKs

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for disabling or scheduled deletion of customer-created CMKs is vital for effective monitoring, increased security, ensuring compliance, timely troubleshooting, and maintaining accountability, which helps safeguard and manage cryptographic keys within your AWS environment.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for S3 Bucket Policy Changes

Risk: Critical

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for S3 bucket policy changes is important for enhancing security, compliance, operational visibility, and incident response capabilities. It helps detect unauthorized changes to S3 bucket policies in real time, ensures compliance with regulations, provides operational insights, enables proactive alerting, and aids in incident response activities. Overall, it is a best practice for protecting S3 data assets.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for AWS Config Configuration Changes

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for AWS Config changes promotes real-time monitoring, improved security, compliance, faster troubleshooting, and accountability, helping you maintain a secure and well-managed AWS environment.

Resolution
Configure CloudTrail to deliver log files from multiple regions

Configure Log Metric Filter and Alarm for Security Group Changes

Risk: Medium

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for security group changes is crucial for maintaining security, compliance, operational visibility, and incident response capabilities in AWS. It helps detect unauthorized changes, ensures compliance, provides insights, enables proactive alerts, and aids incident response. Overall, it is a best practice for securing AWS resources and preventing security breaches.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for NACL Changes

Risk: Critical

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for Network Access Control List (NACL) changes in AWS is essential for enhancing security, ensuring compliance, gaining operational visibility, and improving change management. It helps detect unauthorized changes, demonstrate compliance, troubleshoot networking issues, and ensure network configuration governance. By monitoring and alerting on NACL changes, you can promptly detect and respond to potential security vulnerabilities, track changes, and maintain a secure and compliant AWS environment.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for Changes to Network Gateways

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for changes to network gateways in AWS is important for enhancing security, ensuring compliance, gaining operational visibility, and improving change management. It helps detect unauthorized changes, demonstrate compliance, troubleshoot networking issues, and ensure network configuration governance. By monitoring and alerting on changes to network gateways, you can promptly detect and respond to potential security vulnerabilities, track changes, and maintain a secure and compliant AWS networking environment.

Resolution
Configure CloudTrail to deliver log files from multiple regions
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for Route Table Changes

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for route table changes in AWS is crucial for enhancing security, operational visibility, change management, and compliance. It helps detect unauthorized changes, provides insights into network configurations, establishes effective change management practices, and ensures compliance with security best practices and regulatory requirements. Monitoring and alerting on route table changes can aid in troubleshooting, network security, and compliance audits.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for VPC Changes

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for VPC changes is essential for improving security, compliance, operational visibility, and incident response in AWS environments. It helps detect unauthorized changes, ensures compliance, provides insights, enables proactive alerting, and aids in incident response. Overall, it is a best practice for maintaining the security and integrity of VPCs, meeting compliance requirements, identifying operational issues, and responding to security incidents effectively.

Resolution
Configure alarms for CloudTrail events

Configure Log Metric Filter and Alarm for AWS Organizations Changes

Risk: High

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Configuring log metric filters and alarms for AWS Organizations changes is essential for effective monitoring, heightened security, compliance, efficient troubleshooting, and accountability, ultimately contributing to a secure and well-managed multi-account AWS environment.

Resolution
Using Amazon CloudWatch alarms

Enable AWS Security Hub

Risk: Critical

Target: Account

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling AWS Security Hub enhances your security posture by centralizing security monitoring, automating compliance checks, integrating threat detection, offering customizable insights, and continuously monitoring your AWS environment.

Resolution
Setting up AWS Security Hub

Enable EMR Data Encryption

Risk: Critical

Target: EMR

Compliance:

Description
Encryption of production data is essential to prevent unauthorized access and comply with data security regulations. AWS EMR clusters must be encrypted to secure data at rest and in transit. Data encryption prevents unauthorized users from accessing sensitive data stored on EMR clusters and related data storage systems.

Resolution
Encrypt data at rest and in transit

Deny Public Access to RDS Database

Risk: High

Target: RDS Database

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
To protect your RDS database instances from unauthorized access and mitigate security risks, disable the Publicly Accessible flag and update the associated VPC security group to disallow unrestricted access (0.0.0.0/0). This will prevent malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.

Resolution
Deny Public Access

Enable IAM Password Policy

Risk: Critical

Target: Account

Compliance:

Description
To maintain the security of your AWS account, it’s crucial to enforce strong password policies, including password strength, pattern, and rotation. A strong password policy can significantly decrease the risk of password-guessing and brute-force attacks. It’s essential to ensure that all AWS IAM users use a strong password policy specifying password requirements, such as minimum length, expiration date, and whether a specific pattern is necessary. By doing this, you can ensure that your account is well-protected against potential security breaches.

Resolution
Setup password policy

Deny Administrative Permissions to Lambda Functions

Risk: High

Target: Lambda

Compliance:

Description
Denying administrative permissions to Lambda functions is crucial for adhering to the principle of least privilege, enhancing security, meeting compliance standards, improving auditability, and maintaining system stability. Limiting permissions reduces the risk of unauthorized actions, data breaches, and unintended changes while simplifying monitoring and ensuring regulatory compliance.

Resolution
Update Lambda Permissions

Restrict Internet Access to Application ELB

Risk: Critical

Target: ALB

Compliance:

Description
The security of a publicly accessible load balancer can be compromised by brute-force login attempts, potentially leading to data leaks or loss. To reduce security risks, it is important to prevent unauthorized access attempts. To restrict internet access to the application ELB, you can disable the ‘Publicly Accessible’ flag for the database and update the security group associated with the instance in the VPC

Resolution
Configure Internal-Only ELB

Enable AWS Config Service

Risk: High

Target: Account

Compliance:

Description
Configuring your Amazon Classic Load Balancer listeners to use HTTPS or SSL encryption provides security for sensitive information transmitted between clients and the load balancer, authentication, meets regulatory requirements, and improves the user experience by avoiding browser warnings.

Resolution
Setting Up AWS Config

Enable CLB Secure Listener

Risk: Critical

Target: CLB

Compliance:

Description
Configuring your Amazon Classic Load Balancer listeners to use HTTPS or SSL encryption provides security for sensitive information transmitted between clients and the load balancer, authentication, meets regulatory requirements, and improves the user experience by avoiding browser warnings.

Resolution
Secure Listener

Encrypt OpenSearch Data at Rest

Risk: Critical

Target: OpenSearch

Compliance:

Description
It is crucial to enable encryption at rest to ensure the security and privacy of your sensitive data stored on Amazon Elasticsearch (ES) domains and their storage systems. This way, unauthorized access to the data is prevented. Utilizing this feature does not require any application changes, as Amazon Elasticsearch automatically handles encryption and decryption processes.

Resolution
Encrypt OpenSearch data at rest

Encrypt OpenSearch Data in Transit

Risk: High

Target: OpenSearch

Compliance:

Description
Encrypting OpenSearch data in transit should be considered a best practice for ensuring the security and privacy of data. It helps to ensure the security and integrity of data while it is being transferred between nodes in a distributed system. Without encryption, data can be vulnerable to interception, modification, or tampering during transmission. Encrypting data in transit adds an extra layer of security and safeguards sensitive information from unauthorized access or data breaches. This is especially crucial when dealing with sensitive or confidential data, such as financial or personal information.

Resolution
Encrypt OpenSearch data in transit

Encrypt OpenSearch Using KMS CMK

Risk: Critical

Target: OpenSearch

Compliance:

Description
The AWS KMS service provides a convenient way to create, rotate, disable, and monitor the encryption keys for your ElasticSearch domains using CMKs. Using KMS Customer Master Keys instead of the default AWS-managed keys for your Amazon ElasticSearch domains provides a more secure and controlled encryption and decryption process for data-at-rest and helps you meet compliance requirements. When protecting your ElasticSearch domains and their storage systems using your own KMS Customer Master Keys, you have complete control over who can access the cluster’s data using these keys.

Resolution
Create Customer Managed Key

Enable encryption for RDS instance

Risk: Critical

Target: RDS Database

Compliance:

Description
Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.

Resolution
Encrypting Amazon RDS resources

Encrypt EFS Using Customer-Managed Keys

Risk: High

Target: EFS

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Using your own KMS CMK customer-managed keys to encrypt Amazon EFS file systems data and metadata provides complete control over who can access the data, including the system metadata. With the AWS KMS service, you can easily create, rotate, disable, and audit CMK encryption keys for your file systems. It is recommended to use KMS CMK customer-managed keys for Amazon EFS file system encryption instead of AWS-managed keys to have greater control over the data-at-rest encryption/decryption process.

Resolution
Create Customer Managed Key

Encrypt S3 Buckets at Rest

Risk: Critical

Target: S3

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enable encryption at rest for Amazon S3 buckets to protect sensitive content using AWS S3-managed or KMS-managed keys. Implement encryption at both the bucket and object levels to defend against unauthorized access and ensure secure data storage and retrieval.

Resolution
Enable encryption for S3 buckets

Deny HTTP Requests to S3 Bucket

Risk: Critical

Target: S3

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Denying HTTP requests to S3 buckets is crucial for enhancing security, data privacy, compliance, and data integrity while promoting industry best practices. By using encrypted protocols like HTTPS instead of HTTP, you protect data during transmission, ensure regulatory compliance, and maintain data integrity.

Resolution
Create a bucket policy that explicitly denies access when SecureTransport:false

Enable MFA Delete on S3 Bucket

Risk: High

Target: S3

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling MFA (Multi-Factor Authentication) Delete on an S3 bucket can enhance security by adding an extra layer of authentication, ensuring compliance with regulations such as PCI DSS, protecting against data loss, and providing control over the deletion process.

Resolution
Configuring MFA delete

Enable S3 Bucket Object-Level Logging for Read Events

Risk: Critical

Target: S3 

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling S3 bucket object-level logging for read events is important for security, compliance, and forensic analysis. Logging read events for S3 objects allows you to track access to your data, detect unauthorized access or suspicious activity, and investigate potential security incidents. It can also help you meet regulatory requirements and support forensic analysis during a security breach.

Resolution
Configure Object-level logging for S3 bucket read events

Enable S3 Bucket Object-Level Logging for Write Events

Risk: Critical

Target: S3

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling S3 bucket object-level logging for write events is important for security, data integrity, compliance, forensic analysis, and following best practices. It helps you track changes to your data, detect potential security threats, ensure data authenticity, meet regulatory requirements, and follow recommended security practices.

Resolution
Configure Object-level logging for S3 bucket write events

Assign Standard Region to AWS Subnet

Risk: Low

Target: Subnet (AWS)

Compliance:

Description
Assigning a standard region to an AWS subnet is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, disaster recovery and availability, and network traffic optimization. By choosing a region closest to your users and replicating your subnet across multiple regions, you can reduce latency, ensure data compliance, and maintain subnet availability. Using a standard region can simplify management, optimize network traffic, and make maintaining and scaling your subnet easier over time. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Delete Unused CLB

Risk: High

Target: CLB

Compliance:

Description
Cleaning up unused Elastic Load Balancers (ELBs) can result in cost savings, resource optimization, improved performance, simplified management, improved security, and free up resources for other applications. By removing unused ELBs, you can save money, prevent conflicts, simplify your infrastructure, improve security, and optimize your AWS usage.

Resolution:
Delete ELB

Delete Unused EBS Volume

Risk: High

Target: EBS Volume

Compliance:

Description
Deleting unused Elastic Block Store (EBS) volumes can result in cost savings, resource optimization, improved security, simplified maintenance, and compliance with regulatory requirements. By removing unused volumes, you can save money, decrease your attack surface, simplify maintenance, meet compliance requirements, and optimize your AWS usage.

Resolution:
Delete EBS

Delete Unused Elastic IP

Risk: High

Target: ElasticIP

Compliance:

Description
Deleting unused Elastic IPs can result in cost savings, resource optimization, simplified management, improved security, and compliance with regulatory requirements. By removing unused Elastic IPs, you can save money, reduce the complexity of your infrastructure, improve security, meet compliance requirements, and optimize your AWS usage.

Resolution:
Disassociate an ElasticIP

Restrict Inbound Traffic on SSH Port 22

Risk: High

Target: Network ACL

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Restricting inbound traffic on port 22 is crucial for enhancing security, adhering to the principle of least privilege, preventing brute-force and MITM attacks, and improving auditability. This practice ensures only trusted IPs have access, protects your servers from unauthorized access, and simplifies security audits.

Resolution:
Update or delete the inbound rules to deny the unrestricted inbound traffic

Restrict Inbound Traffic to RDP Port 3389

Risk: High

Target: Network ACL

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Ensure Amazon VPC NACLs restrict inbound traffic on TCP ports 22 (SSH) and 3389 (RDP) to trusted IPs or IP ranges, implementing the Principle of Least Privilege and minimizing attack surfaces. Exposing these ports to the internet increases the risk of malicious activities; therefore, limit access to known and trusted IP addresses.

Resolution:
Update or delete the inbound rules to deny the unrestricted inbound traffic

Delete DNS Entry that points to missing EIP

Risk: High

Target: Route53

Description
To protect domains/subdomains delete DNS records that are no longer in use.

Resolution:
Working with records
Deleting records

Encrypt Comprehend Analysis Results

Risk: Medium

Target: Comprehend

Compliance:

Description
Encrypting Comprehend Analysis results is essential to safeguard sensitive information, maintain privacy, ensure data integrity, comply with regulations, prevent data breaches, and build trust. Encryption protects data from unauthorized access, tampering, and theft, helping organizations adhere to industry standards and maintain a positive reputation.

Resolution:
Enable Encryption

 

 

Check Underutilized EBS Volume

Risk: High

Target: EBS Volume

Compliance:

Description
Deleting unused Elastic Block Store (EBS) volumes can result in cost savings, improved security, simplified maintenance, and compliance with regulatory requirements. By removing unused volumes, you can reduce costs, decrease your attack surface, simplify maintenance, and meet compliance requirements.

Resolution:
Amazon EBS volumes

Check Underutilized EC2 

Risk: High

Target: EC2

Compliance:

Description

EC2 instances are considered underutilized when there is low utilization for 14 consecutive days, CPU usage is below 10% for four days, and network usage is under 5 MB for four days. Downsizing unused EC2 instances can result in cost savings, improved performance, and enhanced scalability. Paying only for necessary resources frees up CPU, memory, and storage, making other apps run better and using resources more efficiently.

Resolution:
Optimizing your cost with Rightsizing Recommendations

Enable Envelope Encryption for EKS Kubernetes Secrets

Risk: Critical

Target: EKS

Compliance: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

Description
To ensure that your secrets stored in Amazon Elastic Kubernetes Service (EKS) meet security and compliance requirements, you can use AWS Key Management Service (KMS) keys to provide envelope encryption. Implementing envelope encryption of Kubernetes secrets is a security best practice for applications that handle sensitive and confidential data.

To set this up, you must create your AWS KMS Customer Master Key (CMK) and link it to your Amazon EKS cluster. When you store secrets using the Kubernetes secrets API, they will first be encrypted using a data encryption key generated by Kubernetes and then further encrypted with the connected KMS CMK. This additional layer of encryption helps to protect your secrets and meet security and compliance requirements.

Resolution:
Encrypt Secrets

Disable Public Access to EKS Cluster Endpoint

Risk: High

Target: EKS

Compliance: CIS Amazon Elastic Kubernetes Service(EKS) Benchmark v1.1.0 PDF

Description
To control access to the managed Kubernetes API server created by Amazon EKS, it is important to use AWS IAM and Kubernetes RBAC to regulate access to the public API server endpoint. Keeping the Kubernetes API server private is recommended to enhance the cluster’s security and to allow communication between worker nodes and APIs within the VPC. In situations where public access is necessary, limiting the IP addresses that can access the API server from the internet can help reduce the potential attack surface.

Resolution:
Disable public accessibility of EKS cluster endpoint

Enable Control Plane Logs for EKS

Risk: High

Target: EKS

Compliance: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0 PDF

Description
Control plane logs can help identify cluster creation, authentication, authorization, and scheduling issues. They can also help detect security breaches and compliance violations by tracking unauthorized access attempts, changes to permissions, and other activities. Enabling control plane logs for Amazon Elastic Kubernetes Service (EKS) is crucial because it provides visibility into the cluster’s control plane activity, making diagnosing and troubleshooting issues easier. In addition, control plane logs are required for auditing and compliance purposes, as they provide a detailed record of the actions taken in the cluster.

Resolution:
Enable EKS control plane logging for Amazon EKS

Update EKS Cluster Version to Latest

Risk: High

Target: EKS

Compliance:

Description
Updating the EKS cluster version to the latest is crucial to ensure that the cluster benefits from the latest features and security updates. Running outdated EKS cluster versions may expose the cluster to vulnerabilities and potential attacks, as older versions may not have the latest patches and bug fixes. Therefore, updating the EKS cluster version to the latest version helps ensure the stability, security, and efficiency of the cluster.

Resolution:
Update the Kubernetes version

Disable All Inbound Traffic for EKS Cluster Other than TCP Port 443

Risk: High

Target: EKS

Compliance:

Description
To improve the security of an EKS cluster, it’s advisable to disable all inbound traffic except for TCP port 443. This practice helps protect against network-based attacks, limits access to authorized users, ensures confidentiality through SSL/TLS encryption, and facilitates compliance with applicable regulations.

Resolution:
Allow access only on TCP port 443 by updating the Security groups associated with AWS EKS cluster

Delete Idle RDS Database

Risk: High

Target: RDS Database

Compliance:

Description
Deleting AWS RDS DB instances running in idle mode can lead to cost savings, improved security, simplified maintenance, and better compliance with regulatory requirements. It can help optimize your AWS usage and reduce your attack surface, and ensure that your database is up-to-date and free from vulnerabilities.

Resolution:
Deleting a DB instance

Check Underutilized Redshift Cluster

Risk: High

Target: Redshift

Compliance:

Description
Downsizing underused Amazon Redshift clusters can result in cost savings, resource optimization, improved performance, and better scalability. By paying only for the needed resources, you can free up CPU, memory, and storage, improve the performance of other applications, and allocate resources more efficiently.

Resolution:
Amazon Redshift clusters

Enable RDS Auto Minor Version Upgrade

Risk: Medium

Target: RDS Database

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description
Enabling RDS Auto Minor Version Upgrade is important for maintaining security, improving performance, simplifying maintenance, ensuring compliance, maintaining high availability, and reducing technical debt. Automating the update process ensures your database instances are regularly patched with the latest security updates and performance enhancements while minimizing administrative overhead and downtime.

Resolution
Set AutoUpgrade to true

Encrypt Athena Query Results

Risk: High

Target: Athena

Compliance:

Description

AWS Athena is an interactive query service that allows you to analyze data in Amazon S3 using standard SQL. While data in transit between Amazon Athena and S3 is encrypted by default using SSL/TLS, query results are not encrypted at rest by default. To ensure the security of your data and meet compliance requirements, it is recommended to enable encryption at rest for Athena query results stored in S3. AWS Athena offers different S3 encryption options including SSE-S3, SSE-KMS, and CSE-KMS, to add an extra layer of security to your data.

Resolution

Encrypting Athena query results stored in Amazon S3

Assign Mandatory Tags to ECS Task Definition

Risk: High

Target: ECS Task Definitions

Compliance:

Description
Assigning mandatory tags to ECS Task Definition can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tagging your Amazon ECS resources

Assign Standard Region to Security Groups

Risk: Low

Target: SG

Compliance:

Description
Assigning standard regions to security groups in AWS is a best practice that can provide several benefits, including improved security, compliance with regulations, simplified management, and disaster recovery and availability. Using a standard region, you can ensure that your security policies are consistently applied to your instances and comply with regional data processing requirements. Using a standard region can simplify management and make maintaining and scaling your security groups easier over time. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign User Permission Only through IAM Groups

Risk: Medium

Target: IAM User (AWS)

Compliance:

Description
Assigning user permissions through IAM groups simplifies management, promotes consistency, improves scalability, enhances security, and eases auditing of access control in your AWS environment, streamlining the application of the Principle of Least Privilege.

Resolution
Adding and removing users in an IAM user group

Assign Standard Region to VPC Resource

Risk: Low

Target: VPC

Compliance:

Description
Assigning a standard region to VPC resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your VPC resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Deny Public Access to All Ports

Risk: High

Target: SG

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description

To protect against attackers who use brute force methods to gain access to Amazon EC2 instances, it is important to ensure that the associated security groups do not allow unrestricted access (i.e., 0.0.0.0/0 or::/0) on uncommon ports. Uncommon ports are any TCP/UDP ports not included in the commonly used service ports such as HTTP, HTTPS, FTP, SSH, Telnet, DNS, RDP, SMTP, MySQL, PostgreSQL, Oracle Database, SQL Server, RPC, and SMB/CIFS. Allowing unrestricted inbound access to EC2 instances on uncommon ports can increase the risk of malicious activities such as hacking, data capture, and Denial-of-Service attacks.

Resolution: Work with Security Groups

Encrypt EBS Volume Using Customer-Managed Keys

Risk: Critical

Target: EBS Volume

Compliance:

Description: Use customer-managed Customer Master Keys (CMKs) instead of AWS-managed keys for Amazon EBS volumes for complete control of encryption and decryption. Once CMK-based encryption is enabled, it secures Amazon EBS volumes, volume snapshots, and disk I/O.

Resolution: EBS Encryption

Restrict EC2 RunInstance Privilege to Non-allow Listed IAM Role

Risk: Critical

Target: IAM Role

Compliance:

Description
To enhance the security of your AWS infrastructure, it is recommended to restrict the “RunInstances” privilege for Amazon Elastic Compute Cloud (EC2) instances to non-allow listed IAM roles only. This way, you can ensure that only authorized IAM roles can create new EC2 instances within your AWS account, thereby reducing the risk of unauthorized access and misuse of your resources.

To implement this security measure, you can create an IAM policy that allows only specific IAM roles to run EC2 instances and denies this privilege to any other role not explicitly listed. You can then attach this policy to your EC2 instances to restrict the ability to launch new instances to only authorized roles.

Resolution: Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances

Deny Networking Privileges to Non-allow Listed IAM Roles

Risk: Critical

Target: IAM Role

Compliance:

Description
When a new IAM role is created in AWS, it is given complete network access. However, not all roles necessarily need network access and granting it to non-allow listed roles can increase the risk of security threats. To reduce these risks, it is advised to identify and establish security groups that only permit network access to the essential IAM roles.

Resolution: Policies and Permissions in IAM

Deny Lambda Privilege to Non-allow Listed IAM Roles

Risk: Critical

Target: IAM Role

Compliance:

Description
To safeguard AWS resources against unauthorized access or misuse, denying Lambda privilege to non-allow listed IAM roles is essential. This practice reduces the likelihood of unauthorized access, helps maintain compliance with security standards, mitigates the risk of accidental changes, and minimizes the impact of security breaches. By limiting the actions that non-allow listed IAM roles can take on your Lambda functions, you can prevent them from harming your resources and ensure that only required privileges are granted.

Resolution: Update AWS Lambda Function Permissions

Enable Qualys Vulnerability Scan

Risk: Critical

Target: EC2

Compliance:

Description
Scanning EC2 instances monthly using the Qualys Vulnerability Assessment Tool is important for understanding and managing security risks on your cloud infrastructure. The tool can help identify vulnerabilities in software, configurations, and networking components, which malicious actors can exploit to gain unauthorized access to your systems or data.
By scanning your EC2 instances regularly, you can discover and promptly address any potential security threats. This helps to ensure that the security of your cloud environment is top-notch and that your data is safe and secure.

Resolution: Securing Amazon Web Services with Qualys

Ensure AWS ASG Launch Configurations Are Utilizing Active Amazon Machine Images

Risk: High

Target: ASG

Compliance:

Description:
Make sure your AWS Auto Scaling Groups (ASGs) launch configuration refers to an active Amazon Machine Image (AMI) to keep the auto-scaling process functioning correctly.

If your ASGs cannot launch new EC2 instances due to invalid (removed) AMIs, the scaling mechanism will be unable to allocate additional computing resources to manage the workload, resulting in a substantial negative impact on your application’s performance.

Resolution
Launch configurations

 

Remove Inactive IAM Users after 90 Days

Risk: High

Target: IAM User (AWS)

Compliance:

Description:
Removing inactive IAM users after 90 days is a best practice for security and compliance. It helps prevent users from having open access to your data and resources, which can lead to a data breach or other security threats. Additionally, removing users who are no longer actively using your services helps ensure that you are only paying for the resources you are using. Lastly, it can help simplify the management of your users and ensure that your IAM policies are up to date.

Resolution:
Finding unused credentials

Deny Public Access to Non-allow Listed S3 Buckets

Risk: High

Target: S3

Compliance: CIS Amazon Web Services Foundations Benchmark v1.5.0

Description:
To protect against malicious public data exposure, ensure that public access is not enabled for your S3 buckets. By default, S3 buckets and objects are created without public access, but an IAM principal with sufficient S3 permissions can grant public access at either the bucket or object level.

Resolution:
Blocking public access to your Amazon S3 storage

Assign Standard Region to EBS Volume

Risk: Low

Target: Volume

Compliance:

Description
Assigning a standard region to an EBS (Elastic Block Store) volume in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your volume across multiple regions, you can reduce latency and ensure data compliance, as well as maintain volume availability. Using a standard region can also simplify management and make it easier to maintain and scale your volume over time. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Mandatory Tags to ECS Cluster

Risk: High

Target: ECS Clusters

Compliance:

Description
Assigning mandatory tags to ECS Cluster can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tagging your Amazon ECS resources

Ensure that Ports Associated with Security Group and ALB are Same

Risk: High

Target: ALB

Compliance:

Description

Ensuring that the ports associated with the security group and ELB are the same is important to avoid any issues related to port mismatch. If there is a port mismatch between the security group and ELB, it can lead to unintended network access and make the application vulnerable to attacks. Therefore, it is crucial to ensure that the same ports are allowed in both the security group and the ELB. This helps to maintain consistency and ensure the security and reliability of the application.

Resolution: Security group rules for different use cases

Ensure that Ports Associated with Security Group and ELB are Same

Risk: High

Target: CLB

Compliance:

Description

 Ensure that the ports associated with a security group and an Application Load Balancer (ALB) are the same. This is important for ensuring proper communication between the security group and the ALB, as well as for maintaining security and avoiding potential security breaches. Having mismatched ports can lead to security vulnerabilities and communication errors. Therefore, it’s recommended to regularly check and confirm that the ports associated with the security group and the ALB are the same.

Resolution: Configure security groups for your Classic Load Balancer

Encrypt DocumentDB using Customer Managed Keys

Risk: High

Target: DocumentDB

Compliance:

Description

Using your own AWS KMS Customer Master Keys (CMKs) to encrypt your DocumentDB data, including indexes, logs, replicas, and snapshots, gives you complete authority over who can access your data using the encryption keys. With Amazon KMS service, creating, rotating, disabling, and auditing Customer Master Keys for your Amazon DocumentDB clusters is straightforward.

To achieve more granular control over DocumentDB data-at-rest encryption and decryption, it is recommended to use KMS Customer Master Keys (CMKs) instead of AWS managed-keys, which are the default keys used by the DocumentDB service when customer-managed keys are not defined.

Resolution
Key Management

Encrypt DynamoDB Tables Using Customer Managed Keys

Risk: High

Target: DynamoDB

Compliance:

Description

To have more precise control over your cluster data encryption and decryption process in Amazon DynamoDB, it is advisable to use KMS Customer Master Keys (CMKs) instead of AWS managed-keys or keys owned by the DynamoDB service. Encryption at rest with Customer Master Keys can satisfy stringent encryption compliance and regulatory requirements, especially for security-sensitive applications.

Customer-managed Customer Master Keys (CMKs) are often necessary to comply with organizational policies, industry or government regulations, and internal compliance requirements for data-at-rest encryption. Using your own KMS Customer Master Keys (CMKs) to secure DynamoDB data provides complete control over who can access your data with these keys. The key policy is viewable, and encryption/decryption of your DynamoDB data can be audited by analyzing DynamoDB API calls made to Amazon KMS with CloudTrail.

Resolution
Managing encrypted tables in DynamoDB

Restrict Internet Access to Elastic Search Endpoint

Risk: Critical

Target: OpenSearch

Compliance:

Description
AWS OpenSearch should not be accessible to the public via the internet to prevent unauthorized user access, data loss, and the potential exposure of sensitive data.

Resolution: VPC for OpenSearch

Restrict Internet Access to Classic ELB

Risk: Critical

Target: CLB

Compliance:

Description
Elastic Load Balancing distributes app traffic across multiple targets like EC2 instances, containers, IP addresses, and virtual appliances. It offers four types of load balancers with high availability, auto-scaling, and security for fault-tolerant apps, across one or multiple Availability Zones.
Restricting Internet access to a Classic Load Balancer (ELB) is an essential security measure that can help reduce the potential attack surface of your application and make it harder for attackers to access your resources. It provides protection against DDoS attacks, helps meet compliance requirements, and enables better control over access.

Resolution: Configure security groups for your Classic Load Balancer

Delete Idle CLB

Risk: High

Target: CLB

Compliance:

Description
To reduce the cost of your monthly AWS bill, it’s recommended to identify any Amazon Elastic Load Balancers (ELBs) that are not being used and terminate them. An ELB is considered idle when it records less than 100 requests made to it in the past 7 days. The AWS CloudWatch metric ‘RequestCount (Sum)’ is used to detect such idle ELBs, which records the number of requests completed or connections made during a specified timeframe (1 or 5 minutes) for the HTTP/HTTPS or TCP/SSL listeners.

Resolution
Delete an Application Load Balancer

Assign Standard Region to KMS CMK

Risk: Low

Target: KMS Key (AWS)

Compliance:

Description
Assigning a standard region to KMS resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your KMS resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Mandatory Tags to Classic ELB

Risk: High

Target: CLB

Compliance:

Description
Assigning mandatory tags to Classic ELB (Elastic Load Balancer) can provide several benefits, including improved resource management, cost tracking, enhanced visibility, security, and streamlined operations. These tags can help track and manage ELBs, optimize resource allocation, analyze cost, identify and group related ELBs, restrict access to load balancers, and automate routine tasks.

Resolution
Tag your Classic Load Balancer

Assign Mandatory Tags to Elastic Search Resources

Risk: High

Target: OpenSearch

Compliance:

Description
Assigning mandatory tags to Elastic Search Resources can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tagging AWS resources

Prevent Unauthorized CloudFront Content Distribution

Risk: Medium

Target: CloudFront

Compliance:

Description
Preventing unauthorized CloudFront content distribution is essential for content protection, data privacy, compliance, reputation management, and resource optimization. It helps maintain data privacy, protect against data breaches, ensure compliance with regulations, and maintain the integrity of your brand. Preventing unauthorized CloudFront content distribution is a recommended best practice for managing your AWS environment and ensuring your content is used appropriately.

Resolution
Configuring secure access and restricting access to content

 

 

Check the Expiry Status of the ACM Certificate

Risk: High

Target: ACM Certificate

Compliance:

Description
To comply with Amazon Security Best Practices, remove all expired SSL/TLS certificates managed by AWS Certificate Manager. This prevents accidental deployment of invalid certificates to resources like Elastic Load Balancing, which could cause errors and harm your web application or website’s reputation.

Resolution
Check a certificate’s renewal status

Ensure the Launch Config for ASG Contains Updated Information

Risk: Critical

Target: ASG

Compliance:

Description:
It is essential to keep your AWS Auto Scaling Groups (ASGs) launch configuration up to date to prevent your application performance from being negatively impacted and to avoid downtime. If the ASGs fail to launch new EC2 instances due to inactive (deleted) Security Groups, the scaling mechanism cannot add compute resources to handle the traffic load.

To fix this, replace the unhealthy ASGs with a valid launch configuration that references one or more active Security Groups (SGs).

Resolution: Change the Launch Configuration for an Auto Scaling Group

Enable ELB HTTPS Listener

Risk: High

Target: ALB

Compliance:

Description

Enabling secure listeners for Elastic Load Balancers (ELBs) is essential to protect web applications and ensure secure communication between clients and servers. Secure listeners use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption to secure the connection between the client and the load balancer. This protects sensitive data, such as login credentials and credit card information, from interception and theft by malicious actors. Enabling secure listeners for ELBs also helps to ensure compliance with various security standards and regulations, such as the Payment Card Industry Data Security Standard (PCI DSS).

Resolution:
Configure an HTTPS listener for your Classic Load Balancer

Encrypt AppFlow Using CMK

Risk: High

Target: AppFlow

Compliance:

Description

A Customer Master Key (CMK) is a logical representation of a symmetric master key managed by Amazon KMS service, containing metadata such as the key ID, creation date, description, and key state, as well as the key material used for encryption and decryption of data. To meet security and compliance requirements and gain full control over encrypted data, it is recommended to encrypt Amazon AppFlow flows using customer-managed Customer Master Keys (CMKs).

Resolution
Data protection in Amazon AppFlow

Encrypt DMS Replication Using CMK

Risk: High

Target: DMS

Compliance:

Description

Amazon DMS provides encryption for replication instance storage and endpoint connection information, with the option to use AWS KMS Customer Master Keys (CMKs) for increased data protection. Using your own AWS KMS CMKs allows for greater control over who can access your data, and AWS KMS service enables easy management of Customer Master Keys. To have more control over data-at-rest encryption and decryption for AWS DMS replication instances, it is recommended to use KMS Customer Master Keys instead of AWS managed-keys, ensuring a higher level of control over data and improved data security.

Resolution
Security in AWS database migration service

Configure ECS Task Definition Log Driver

Risk: High

Target: ECS Task Definitions

Compliance:

Description
Configure a log driver for containers in Amazon ECS task definitions to effectively manage logs. This enables centralized logging, additional operational capabilities and prevents logs from consuming disk space on ECS container instances.

Resolution
Using the awslogs log driver

Resolve IAM Access Analyzer Findings

Risk: High

Target: IAM Access Analyzer

Compliance:

Description
Utilize Amazon IAM Access Analyzer to identify and address security issues related to public or untrusted cross-account access in your AWS environment. This feature analyzes resource-based policies, generates findings, and helps maintain the principle of least privilege by continuously monitoring policy changes, thus reducing the need for manual checks.

Resolution
Findings for public and cross-account access

Enable Access Log for CloudFront and Attach to the Mentioned Bucket

Risk: High

Target: CloudFront

Compliance:

Description
Enabling access logs for CloudFront and attaching them to a specified S3 bucket provides several benefits, including monitoring user activity, maintaining security and compliance, troubleshooting issues, optimizing performance, managing costs, and centralizing log storage. These logs offer valuable insights into web traffic patterns and can help improve the overall performance and security of your web application.

Resolution
Configuring and using standard logs (access logs)

Enable Access Log for App ELB and Attach to the Mentioned Bucket

Risk: High

Target: ALB

Compliance:

Description
Enabling access logs for App ELB and attaching them to a specified S3 bucket is beneficial for performance monitoring, troubleshooting, security and compliance, user activity analysis, centralized log storage, and cost management. Access logs provide valuable insights into traffic patterns and client behavior, helping you optimize your application, identify potential security threats, and manage resources more effectively.

Resolution
Enable access logs for your Application Load Balancer

Enable Access Log for Classic ELB and Attach to the Mentioned Bucket

Risk: High

Target: CLB

Compliance:

Description
Enabling access logs for Classic ELB and attaching them to a specified S3 bucket provides benefits such as performance monitoring, troubleshooting, security and compliance, user activity analysis, centralized log storage, and cost management. Access logs offer valuable insights into client traffic patterns and user behavior, helping you optimize your application, identify potential security threats, and manage resources more effectively.

Resolution
Enable access logs for your Classic Load Balancer

Restrict Internet Access to EC2 Instance with Remotely Exploitable Vulnerability (S5)

Risk: Critical

Target: EC2

Compliance:

Description
Minimizing the risk of network attacks is crucial when an EC2 instance has a remotely exploitable vulnerability. Key steps to take include identifying the affected instance, restricting inbound traffic via security group rules, using a bastion host to control access, and applying relevant patches or updates. By taking these measures, the vulnerability can be addressed, and the instance can be safeguarded while still allowing legitimate traffic to reach it.

Resolution:
Restrict Traffic by Configuring Security Groups

EC2 Instance Stopped more than N days

Risk: Low

Target: EC2

Compliance:

Description
EC2 instances should not be left in a stopped state for more than 60 days because it can result in increased costs due to storage charges, security vulnerabilities, compliance violations, and performance issues.

Resolution
Stop and start your instance

Remove Access Keys Associated with the Root User

Risk: Medium

Qualys Found S3 Vulnerabilities

Risk: Medium

Target: EC2

Compliance:

Description
S3 vulnerability could allow attackers to access the underlying operating system, resources, and data. To prevent the S3 vulnerability from affecting EC2 instances, update the firmware, disable the Management Engine if necessary, implement access controls and security policies, monitor the instance for suspicious activity, and use strong authentication measures.

Resolution
Best practices for Amazon EC2

Qualys Found S4 Vulnerabilities

Risk: High

Target: EC2

Compliance:

Description:
S4 vulnerability could allow attackers to access the underlying operating system, resources, and data. To prevent the S4 vulnerability from affecting EC2 instances, update the firmware, disable the Management Engine if necessary, implement access controls and security policies, monitor the instance for suspicious activity, and use strong authentication measures.

Resolution:
Security in Amazon EC2

Qualys Found S5 Vulnerabilities

Risk: Critical

Target: EC2

Compliance:

Description:
S5 vulnerability can enable attackers to gain control of a target system and affects EC2 instances with Intel processors with Intel Management Engine firmware. To prevent the S5 vulnerability from affecting EC2 instances, update the firmware, disable the Management Engine if necessary, implement access controls and security policies, monitor the instance for suspicious activity, and use strong authentication measures.

Resolution:
Best practices for Amazon EC2

Ensure that no Guard Duty Findings are Found for an EC2 Instance

Risk: High

Target: EC2

Compliance:

Description:
Address AWS GuardDuty findings to protect your AWS infrastructure from security threats. GuardDuty, a managed threat detection service, monitors logs for malicious activity and generates findings for suspicious behavior. By using these findings, you can evaluate your AWS infrastructure in an automated manner without additional security hardware or software and integrate alerts into various communication channels.

Resolution:
Understanding Amazon GuardDuty Findings

Check the Expiry Status of the IAM Certificate

Risk: High

Target: IAM Certificate
Compliance:

Description
Regularly checking the expiry status of IAM certificates is crucial to ensure that they are valid and have not expired. IAM certificates are used for authentication and encryption purposes in AWS, and an expired certificate can lead to security breaches and service interruptions. Renewing IAM certificates before they expire helps maintain the security and availability of AWS resources.

Resolution
Managed renewal for ACM certificates

Restrict full IAM Access to Non-Admin IAM Roles

Risk: High

Target: IAM Role

Compliance:

Description:
Restricting full IAM access to non-admin roles is vital for adhering to the principle of least privilege, enhancing security, ensuring compliance, improving auditability, and maintaining system stability. This practice minimizes the risk of unauthorized actions, breaches, and unintended changes while simplifying audits and promoting regulatory compliance.

Resolution:
Policies and permissions in IAM

Assign Standard Region to API Resource

Risk: Low

Target: API Gateway

Compliance:

Description
Assigning a standard region to an API resource is a best practice that brings several benefits, such as improved performance, compliance with regulations, disaster recovery, availability, and simplified management. It also helps organizations avoid legal or regulatory issues and maintain customer trust by ensuring data is stored in compliance with regulations. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions, and if assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to App ELB Resource

Risk: Low

Target: ALB

Compliance:

Description
Assigning a standard region to an App ELB (Elastic Load Balancer) resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region that is closest to your users and replicating your App ELB across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions, and if assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to DynamoDB

Risk: Low

Target: DynamoDB

Compliance:

Description
Assigning a standard region to DynamoDB resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your DynamoDB across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to EFS Resource

Risk: Low

Target: EFS

Compliance:

Description
Assigning a standard region to EFS resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your EFS resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to Elasticache Resource

Risk: Low

Target: Elasticache

Compliance:

Description
Assigning a standard region to Elasticache resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your Elasticache resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Choosing regions and availability zones

Assign Standard Region to Elastic IP Resource

Risk: Low

Target: Elastic IP

Compliance:

Description
Assigning a standard region to ElasticIP resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your Elastic resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to Elasticsearch Resource

Risk: Low

Target: Open Search

Compliance:

Description
Assigning a standard region to Elasticsearch resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. You can improve latency, ensure data compliance, and maintain application availability by choosing a region closest to your users and replicating your Elasticsearch resource across multiple regions. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to EMR Resource

Risk: Low

Target: EMR

Compliance:

Description
Assigning a standard region to EMR resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your EMR resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to Elastic Network Interfaces (ENI) Resource

Risk: Low

Target: ENI

Compliance:

Description
Assigning a standard region to ENI resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your ENI resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to RDS DB Resource

Risk: Low

Target: RDS Database

Compliance:

Description
Assigning a standard region to RDS DB resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your RDS DB resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to Redshift Resource

Risk: Low

Target: Redshift

Compliance:

Description
Assigning a standard region to Redshift resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your Redshift resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to ASG Resource

Risk: Low

Target: ASG

Compliance:

Description
Assigning a standard region to ASG resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your ASG resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to Classic ELB Resource

Risk: Low

Target: CLB

Compliance:

Description
Assigning a standard region to Classic ELB resource is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your Classic ELB resource across multiple regions, you can improve latency, ensure data compliance, and maintain application availability. Additionally, a policy can be configured to define the customer’s intent to create their assets in specific regions. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to Lambda

Risk: Low

Target: Lambda

Compliance:

Description
Assigning a standard region to a Lambda function in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, disaster recovery and availability, and potential cost savings. By choosing a region closest to your users and replicating your Lambda function across multiple regions, you can reduce latency, ensure data compliance, and maintain application availability. Using a standard region can simplify management and lower costs, making it an important best practice for many organizations. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to Launchconfig

Risk: Low

Target: ASG Launch Config

Compliance:

Description
Assigning a standard region to a Launch Configuration in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, disaster recovery and availability, and consistency. By choosing a region closest to your users and replicating your instances across multiple regions, you can reduce latency, ensure data compliance, and maintain instance availability. Using a standard region can simplify management, ensure consistency, and simplify troubleshooting and managing instances, making it an important best practice for many organizations. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to RDS Snapshot

Risk: Low

Target: RDS Snapshot

Compliance:

Description
Assigning a standard region to an RDS snapshot in AWS is a best practice that can provide several benefits, including disaster recovery and availability, improved performance, compliance with regulations, and simplified management. You can ensure database availability even during a regional outage by replicating your RDS snapshot across multiple regions. Choosing a region closest to your users can improve performance, and using a standard region can simplify management and ensure compliance with regulations. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to Snapshot

Risk: Low

Target: EBS Snapshot

Compliance:

Description
Assigning a standard region to a snapshot in AWS is a best practice that can provide several benefits, including disaster recovery and availability, improved performance, compliance with regulations, and simplified management. By replicating your snapshot across multiple regions, you can ensure its availability even during a regional outage. Choosing a region closest to your users can improve performance, and using a standard region can simplify management and ensure compliance with regulations. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to Stack

Risk: Low

Target: Stack

Compliance:

Description
Assigning a standard region to a stack in AWS CloudFormation is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your stack across multiple regions, you can reduce latency, ensure data compliance, and maintain stack availability. Using a standard region can simplify management and make maintaining and scaling your stack easier over time. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to SNS Topic

Risk: Low

Target: SNS Topic

Compliance:

Description
Assigning a standard region to an SNS topic in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, and disaster recovery and availability. By choosing a region closest to your users and replicating your topic across multiple regions, you can reduce latency, ensure data compliance, and maintain topic availability. Using a standard region can simplify management and make maintaining and scaling your topics easier over time. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to EC2 Instance

Risk: Low

Target: EC2

Compliance:

Description
Assigning a standard region to an EC2 instance in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, disaster recovery and availability, and potential cost savings. By choosing a region closest to your users and replicating your instances across multiple regions, you can reduce latency, ensure data compliance, and maintain instance availability. Using a standard region can simplify management, lower costs, and make maintaining and scaling your instances easier. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Assign Standard Region to S3 Buckets

Risk: Low

Target: S3

Compliance:

Description
Assigning a standard region to an S3 bucket in AWS is a best practice that can provide several benefits, including improved performance, compliance with regulations, simplified management, disaster recovery and availability, and potential cost savings. By choosing a region closest to your users and replicating your bucket across multiple regions, you can reduce latency, ensure data compliance, and maintain bucket availability. Using a standard region can also simplify management, lower costs, and make it easier to maintain and scale your buckets. If assets are created in other regions, a notification or alert is generated for those assets to bring them into compliance with the policy.

Resolution
Managing AWS Regions

Deny Hosting Website or Redirecting Requests for S3 Bucket

Risk: High

Target: S3

Compliance:

Description
Denying hosting websites or redirecting requests for S3 buckets enhances security, prevents data leakage, ensures access control, maintains compliance, and simplifies resource management. This practice safeguards sensitive data, adheres to regulatory requirements, and promotes efficient infrastructure management.

Resolution
Setting permissions for website access

Deny Listed Privileges to Service Account

Risk: Critical

Target: IAM User (AWS)

Compliance:

Description
Denying listed privileges to a service account in AWS is crucial for securing your AWS resources from unauthorized access or misuse. It helps minimize the risk of unauthorized access, ensures compliance with security standards, prevents accidental changes, and limits the impact of a security breach.

By denying privileges to service accounts, you can reduce the risk of damage to your resources caused by compromised accounts, comply with regulatory frameworks and avoid penalties, and prevent unauthorized actions that could lead to accidental changes or disruptions to your environment.

Resolution: IAM Roles for Service Accounts

Restrict Unauthorized HTML Content on CloudFront

Risk: Critical

Target: CloudFront

Compliance:

Description
To prevent security risks in CloudFront, only approved HTML content should be served to users. This can be done by configuring CloudFront to allowlist approved sources through custom headers or cookies to verify the source of the HTML content. AWS WAF can also block requests that do not meet specific criteria. These measures can protect against various security risks, such as cross-site scripting attacks, phishing attacks, and malware infections.

Resolution: Creating a Distribution

Restrict Core Networking Privileges to Non-Allow listed IAM Users

Risk: Critical

Target: IAM User (AWS)

Compliance:

Description
Restricting core networking privileges to non-allow listed IAM users is an important security best practice in AWS that reduces the risk of unauthorized access to your network resources. This is important because it minimizes the attack surface, mitigates the risk of insider threats, and ensures compliance with regulatory and compliance frameworks. Limiting access to only non-allow listed IAM users with specific permissions can protect your network resources from unauthorized access, reduce the risk of data breaches, and ensure that only legitimate users have access.

Resolution: Changing Permissions for an IAM User

Encrypt AWS AMI

Risk: High

Target: AMI

Compliance:

Description

To comply with data-at-rest encryption requirements, it is important to verify that your Amazon Machine Images (AMIs) are encrypted. The encryption and decryption of AMI data are handled automatically without the need for any additional action from your applications.

When dealing with critical business data in production environments, it is strongly advised to implement data encryption to safeguard against unauthorized access or attacks. The encryption keys used for AMIs employ the AES-256 algorithm and are fully managed and protected by AWS’s Key Management Service (KMS).

Resolution

Use encryption with EBS-backed AMIs

Enable AWS Guard Duty Service across All Regions and Accounts

Risk: High

Target: Account

Compliance:

Description
Enabling AWS GuardDuty across all regions and accounts is essential for comprehensive security coverage. It provides centralized security monitoring, ensures consistent security posture, enables faster detection and response to threats, and can lead to cost savings by reducing the need for manual security monitoring. By covering all AWS resources in your organization, you better protect your environment from unauthorized access, data leaks, and other malicious activities.

Resolution
Guard duty-enabled-centralized

Remove any VPC Peering Connections to Non-Allowlisted AWS Accounts

Risk: High

Target:  VPC Peering Connection

Compliance:

Description

Removing any VPC peering connections to non-allow listed AWS accounts is essential for security reasons. VPC peering connections can allow traffic to flow between VPCs in different accounts, which can potentially expose sensitive data or resources to unauthorized access or attacks. Therefore, restricting VPC peering connections to only the allowed and trusted AWS accounts can help prevent potential security breaches and maintain the confidentiality and integrity of your resources.

Resolution

Delete a VPC peering connection

Increase AWS Service Limits to Meet Growing Needs

Risk: Medium

Target: Account

Compliance:

Description
Increasing AWS service limits is crucial for ensuring scalability, performance optimization, cost optimization, innovation, and future-proofing your AWS infrastructure. It helps accommodate more users, resources, and workloads, reduce bottlenecks, optimize costs, explore new use cases, and prepare for future growth and expansion. Increasing AWS service limits is a recommended best practice for managing your AWS environment and meeting growing needs and demands.

Resolution
AWS service quotas

Delete Unused ALB

Risk: High

Target: ALB

Compliance:

Description
Deleting unused Application Elastic Load Balancers (ELBs) can result in cost savings, resource optimization, improved performance, simplified management, and free up resources for other applications. By removing unused ELBs, you can save money, prevent conflicts, simplify your infrastructure, and optimize your AWS usage.

Resolution
Delete an Application Load Balancer

Enable Private S3 Buckets with Access Logs

Risk: High

Target: S3

Compliance:

Description
To track access requests for security and access auditability, enable Amazon S3’s Server Access Logging feature for your S3 buckets. This feature creates detailed records of request type, resources, and processing date/time, which can provide valuable data for security, compliance audits, user behavior analysis, and S3 billing insights. Note that the feature is not enabled by default.

Resolution
Blocking public access to your Amazon S3 storage

Deny Public Access to Non-Allow listed SQS Resources

Risk: Critical

Target: Simple Queue Service

Compliance:

Description: AWS SQS is a cloud-based queue service that enables the integration of distributed software systems and components. It offers a web services API that is compatible with any programming language that is supported by AWS SDK.

When SQS queues are public, they can expose existing interfaces to unwanted third parties, potentially leading to data leaks.

To ensure security, SQS policies must restrict access to the queues. In line with the security principle of least privilege, an SQS policy should grant access only to essential principals.

Resolution: Authentication and Access Control for Amazon SQS

Assign Mandatory Tags to Application ELB

Risk: High

Target: ALB

Compliance:

Description
Assigning mandatory tags to Application Elastic Load Balancers (ELBs) is important for identifying resources, allocating costs, automation, security, and compliance purposes. Mandatory tags ensure consistency, manageability, cost-effectiveness, security, and compliance across your AWS infrastructure.

Resolution
Tag your Classic Load Balancer

Assign Mandatory Tags to Auto-Scaling Groups

Risk: High
Target: ASG

Compliance:

Description
Assigning mandatory tags to Auto-Scaling Groups (ASGs) is important for identifying resources, cost allocation, and automation purposes. This practice guarantees consistency, manageability, and cost-effectiveness across your AWS infrastructure.

Resolution
Tag Auto Scaling groups and instances

Assign Mandatory Tags to CloudFront

Risk: High

Target: CloudFront

Compliance:

Description
Assigning mandatory tags to CloudFront can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tagging Amazon CloudFront distributions

Assign Mandatory Tags to DynamoDB

Risk: High

Target: DynamoDB

Compliance:

Description
Assigning mandatory tags to DynamoDB can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Help enforce DynamoDB tagging

Assign Mandatory Tags to AWS Elastic File System

Risk: High
Target: EFS

Compliance:

Description
Assigning mandatory tags to AWS Elastic File System can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Create Tags

Assign Mandatory Tags to AWS Elastic MapReduce

Risk: High

Target: EMR

Compliance:

Description
Assigning mandatory tags to AWS Elastic MapReduce can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Enforce tagging of Amazon EMR clusters at launch

Assign Mandatory Tags to Lambda Functions

Risk: High

Target: Lambda

Compliance:

Description
Assigning mandatory tags to Lambda functions can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Using tags on Lambda functions

Assign Mandatory Tags to RDS Database

Risk: High

Target: RDS Database

Compliance:

Description
Assigning mandatory tags to RDS database can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Enforce automatic tagging of Amazon RDS databases at launch

Assign Mandatory Tags to Redshift

Risk: High

Target: Redshift

Compliance:

Description
Assigning mandatory tags to Redshift can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tagging resources in Amazon Redshift

Assign Mandatory Tags to S3

Risk: High

Target: S3

Compliance:

Description
Assigning mandatory tags to S3 can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tagging and access control policies

Assign Mandatory Tags to Network Security Group

Risk: High

Target: SG

Compliance:

Description
Assigning mandatory tags to Network Security Group center can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Work with security groups

Assign Mandatory Tags to EBS Snapshots

Risk: High

Target: EBS Snapshot

Compliance:

Description
Assigning mandatory tags to EBS Snapshots center can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Create Amazon EBS snapshots

Assign Mandatory Tags to Cloud Formation Stacks

Risk: High

Target: Stack

Compliance:

Description
Assigning mandatory tags to Cloud Formation Stacks can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Required-tags

Assign Mandatory Tags to Subnets

Risk: High

Target: Subnet (AWS)

Compliance:

Description
Assigning mandatory tags to Subnets can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
AWS::EC2::Subnet

Assign Mandatory Tags to VPNGateway

Risk: High

Target: VPN Gateway

Compliance:

Description
Assigning mandatory tags to VPN Gateway can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
[VpnGateway]
(https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_VpnGateway.html)

Assign Mandatory Tags to EBS Volumes

Risk: High

Target: EBS Volume

Compliance:

Description
Assigning mandatory tags to EBS Volumes can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tag your Amazon EC2 resources

Assign Mandatory Tags to VPC

Risk: High

Target: VPC

Compliance:

Description
Assigning mandatory tags to VPC can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tag your Amazon EC2 resources

Configure AWS Backup Vault Access Policy

Risk: High

Target: Backup Vault

Compliance:

Description
Implementing an Amazon Backup vault access policy not only safeguards AWS backups but also provides better control over user permissions. This added layer of protection maintains the integrity of your data and ensures a reliable recovery process when needed.

Resolution
Setting access policies on backup vaults

Assign Mandatory Tags to EC2 Instance

Risk: High

Target: EC2

Compliance:

Description
Assigning mandatory tags to EC2 Instance can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tag your Amazon EC2 resources

Assign Mandatory Tags to Elasticache

Risk: High

Target: ElastiCache

Compliance:

Description
Assigning mandatory tags to Elasticache can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tag Elasticache

Assign Mandatory Tags to KMS Customer Managed Keys

Risk: High

Target: KMS Key (AWS)

Compliance:

Description
Assigning mandatory tags to AWS Key Management Services can help with cost management, resource management, access management, and automation. Mandatory tags can streamline operations and reduce the risk of mismanaging resources.

Resolution
Tagging Keys

 

Update EC2 Generation

Risk: High

Target: EC2

Compliance:

Description

Updating Amazon EC2 instances to newer generations offers improved performance, cost-effectiveness, and enhanced security. It provides access to new features and supports modern workloads. Upgrading ensures compliance with regulations and future-proofs infrastructure and enhances flexibility and scalability. However, thorough application compatibility testing is crucial before the update to prevent disruptions.

Resolution

Amazon EC2 Instance Types 

Delete Unused AMI

Risk: High

Target: AMI

Compliance:

Description

Deleting unused Amazon Machine Images (AMIs) is essential for cost optimization, resource management, security, and compliance. It helps reduce storage costs, avoids security risks, and simplifies image selection. Regularly cleaning up unused AMIs aligns with AWS best practices and optimizes account performance. Exercise caution and verify the AMIs are genuinely unused before deletion. Create backups for critical AMIs as a precautionary measure.

Resolution

Amazon Machine Images (AMIs)

Enable Tenable Vulnerability Scan

Risk: High

Target: EC2

Compliance:

Description

Enabling the Tenable EC2 Vulnerability Scan enhances security by proactively identifying and addressing potential weaknesses in your virtual computers, safeguarding your system from potential threats, and ensuring its reliability.

Resolution

Create a Tenable Vulnerability Management Scan

Tenable Found Critical Vulnerabilities

Risk: Critical

Target: EC2

Compliance:

Description

Tenable employs active and passive scanning techniques to identify vulnerabilities within EC2 instances. It detects possible security weaknesses and unusual patterns by analyzing network interactions and traffic. By promptly scanning and addressing critical vulnerabilities, the potential risk of compromising the EC2 instance’s security or functionality by malicious actors can be mitigated. It highlights the need for immediate attention and remediation to ensure the instance’s safety and integrity.

Resolution

View Vulnerabilities

Tenable Found High Vulnerabilities

Risk: High

Target: EC2

Compliance:

Description

Tenable employs active and passive scanning techniques to identify vulnerabilities within EC2 instances. It detects possible security weaknesses and unusual patterns by analyzing network interactions and traffic. By promptly scanning and addressing high vulnerabilities, the potential risk of compromising the EC2 instance’s security or functionality by malicious actors can be mitigated. It highlights the need for immediate attention and remediation to ensure the instance’s safety and integrity.

Resolution

View Vulnerabilities

Tenable Found Medium Vulnerabilities

Risk: Medium

Target: EC2

Compliance:

Description

Tenable employs active and passive scanning techniques to identify vulnerabilities within EC2 instances. It detects possible security weaknesses and unusual patterns by analyzing network interactions and traffic. By promptly scanning and addressing medium vulnerabilities, the potential risk of compromising the EC2 instance’s security or functionality by malicious actors can be mitigated. It highlights the need for immediate attention and remediation to ensure the instance’s safety and integrity.

Resolution

View Vulnerabilities

Enable Automatic CMK Rotation

Risk: Medium

Target: KMS Key (AWS)

Compliance:

Description

Enabling Automatic CMK Rotation enhances data security by regularly changing encryption keys. This practice reduces the risk of unauthorized access and aligns with security best practices, safeguarding sensitive information and preserving data integrity.

Resolution

Rotating AWS KMS Keys