Aqua Sec

Cloud
Security Report
Scan Report Run 2022-09-22T01:48:28.000Z
Executive Summary
Aqua ran this security scan on 2022-09-22T01:48:28.000Z. The scan produced 5685 results, of which 4690 (83%) were passing
and 995 (17%) were non-passing. Out of all results, 0 were newly discovered during this scan.
Cloud Account 922503285322
Assessment Date 2022-09-22T01:48:28.000Z
Scan Summary 4690 7 398 590
Severity Counts 22 108 411 5144 0

Scan Overview
MEDIUM S3 CloudTrail Bucket Delete Policy 0 1 0 0
HIGH CloudTrail CloudTrail Enabled 18 0 0 0
LOW EC2 Elastic IP Limit 17 0 0 0
LOW EC2 VPC Elastic IP Limit 17 0 0 0
LOW EC2 Instance Limit 17 0 0 0
MEDIUM EC2 Excessive Security Groups 17 0 0 0
MEDIUM EC2 Open FTP 22 0 0 0
HIGH EC2 Open SSH 22 0 0 0
HIGH EC2 Open Telnet 22 0 0 0
LOW EC2 Open SMTP 22 0 0 0
LOW EC2 Open DNS 22 0 0 0
LOW EC2 Open RPC 22 0 0 0
LOW EC2 Open NetBIOS 22 0 0 0
LOW EC2 Open SMBoTCP 22 0 0 0
LOW EC2 Open CIFS 22 0 0 0
LOW EC2 Open SQL Server 22 0 0 0
MEDIUM EC2 Open RDP 20 0 2 0
MEDIUM EC2 Open MySQL 21 0 1 0
MEDIUM EC2 Open PostgreSQL 22 0 0 0
LOW EC2 Open VNC Client 22 0 0 0
LOW EC2 Open VNC Server 22 0 0 0
HIGH IAM Certificate Expiry 1 0 0 0
MEDIUM ELB Insecure Ciphers 17 0 0 0

MEDIUM IAM Minimum Password Length 0 0 1 0
MEDIUM IAM Password Requires Symbols 0 0 1 0
MEDIUM IAM Maximum Password Age 0 0 1 0
LOW IAM Password Reuse Prevention 0 0 1 0
HIGH IAM Root MFA Enabled 0 0 1 0
HIGH IAM Root Access Keys 1 0 0 0
MEDIUM IAM Users MFA Enabled 0 0 1 0
LOW EC2 Detect EC2 Classic Instances 17 0 0 0
MEDIUM IAM Access Keys Rotated 1 0 2 0
LOW IAM Access Keys Last Used 2 1 0 0
LOW IAM Access Keys Extra 3 0 0 0
LOW IAM Empty Groups 1 0 0 0
MEDIUM S3 S3 Bucket All Users Policy 3 0 0 0
LOW RDS RDS Restorable 17 0 0 0
LOW Route53 Domain Auto Renew 1 0 0 0
HIGH Route53 Domain Transfer Lock 1 0 0 0
HIGH Route53 Domain Expiry 1 0 0 0
MEDIUM RDS RDS Encryption Enabled 17 0 0 0
17 0 0 0
LOW RDS RDS Automated Backups
MEDIUM RDS RDS Publicly Accessible 17 0 0 0
MEDIUM IAM SSH Keys Rotated 1 0 0 0
LOW KMS KMS Key Rotation 16 0 1 0
MEDIUM CloudTrail CloudTrail File Validation 17 0 0 0
MEDIUM IAM Password Expiration 0 0 1 0
MEDIUM IAM Password Requires Lowercase 0 0 1 0

MEDIUM IAM Password Requires Numbers 0 0 1 0
MEDIUM IAM Password Requires Uppercase 0 0 1 0
HIGH IAM Root Account In Use 0 0 1 0
LOW IAM No User IAM Policies 0 3 0 0
LOW CloudTrail CloudTrail To CloudWatch 0 0 17 0
LOW ConfigService Config Service Enabled 0 0 18 0
HIGH S3 CloudTrail Bucket Access Logging 0 1 0 0
MEDIUM CloudTrail CloudTrail Encryption 17 0 0 0
MEDIUM S3 CloudTrail Bucket Private 1 0 0 0
LOW EC2 VPC Flow Logs Enabled 0 0 17 0
MEDIUM EC2 Default Security Group 0 0 17 0
MEDIUM CloudFront Public S3 CloudFront Origin 1 0 0 0
LOW EC2 VPC Multiple Subnets 17 0 0 0
LOW SES Email DKIM Enabled 17 0 0 0
LOW EC2 Public AMI 17 0 0 0
MEDIUM SNS SNS Topic Policies 17 0 0 0
MEDIUM CloudFront Secure CloudFront Origin 2 0 0 0
LOW Lambda Lambda Old Runtimes 17 0 0 0
MEDIUM Redshift Redshift Encryption Enabled 17 0 0 0
MEDIUM Redshift Redshift Publicly Accessible 17 0 0 0
MEDIUM CloudFront Insecure CloudFront Protocols 1 0 0 0
LOW EC2 Instance IAM Role 16 0 5 0
LOW EC2 Encrypted AMI 17 0 0 0
LOW AutoScaling ASG Multiple AZ 17 0 0 0
MEDIUM CloudFront CloudFront HTTPS Only 1 0 0 0

LOW ELB ELB Logging Enabled 17 0 0 0
LOW RDS RDS Multiple AZ 17 0 0 0
HIGH EC2 Open All Ports Protocols 21 0 1 0
LOW CloudFront CloudFront Logging Enabled 1 0 0 0
MEDIUM EC2 EBS Encryption Enabled 16 0 7 0
LOW S3 S3 Bucket Versioning 0 0 3 0
LOW EC2 Subnet IP Availability 55 0 0 0
MEDIUM IAM IAM User Admins 0 1 0 0
MEDIUM SQS SQS Cross Account Access 17 0 0 0
LOW SQS SQS Encrypted 17 0 0 0
LOW ELB ELB No Instances 17 0 0 0
MEDIUM IAM Users Password Last Used 1 0 0 0
LOW EC2 NAT Multiple AZ 17 0 0 0
LOW S3 S3 Bucket Logging 0 0 3 0
LOW EC2 Default VPC In Use 16 0 1 0
LOW EC2 Open Oracle 22 0 0 0
MEDIUM S3 S3 Bucket All Users ACL 3 0 0 0
MEDIUM KMS KMS Key Policy 18 0 0 0
LOW KMS KMS Default Key Usage 17 0 0 0
LOW EC2 EC2 Max Instances 18 0 0 0
LOW ACM ACM Certificate Validation 17 0 0 0
LOW EC2 Open Elasticsearch 22 0 0 0
LOW DynamoDB DynamoDB KMS Encryption 17 0 0 0
MEDIUM Transfer Transfer Logging Enabled 17 0 0 0
LOW EC2 Open Kibana 22 0 0 0

LOW EC2 Open Hadoop HDFS NameNode Metadata Service 22 0 0 0
LOW EC2 Open Hadoop HDFS NameNode WebUI 22 0 0 0
LOW RDS RDS Logging Enabled 17 0 0 0
MEDIUM Lambda Lambda Public Access 17 0 0 0
LOW EFS EFS Encryption Enabled 17 0 0 0
LOW Shield Shield Advanced Enabled 0 0 1 0
LOW Shield Shield Emergency Contacts 0 0 1 0
LOW Shield Shield Protections 0 0 1 0
LOW EKS EKS Kubernetes Version 17 0 0 0
LOW EKS EKS Logging Enabled 17 0 0 0
LOW EKS EKS Private Endpoint 17 0 0 0
LOW EKS EKS Security Groups 17 0 0 0
LOW ECR ECR Repository Policy 17 0 0 0
LOW IAM IAM Role Policies 4 0 0 0
LOW S3 S3 Bucket Encryption 0 0 3 0
MEDIUM ES ElasticSearch Public Service Domain 17 0 0 0
LOW ES ElasticSearch Encrypted Domain 17 0 0 0
LOW ES ElasticSearch Node To Node Encryption 17 0 0 0
LOW ES ElasticSearch Logging Enabled 17 0 0 0
LOW ES ElasticSearch Upgrade Available 17 0 0 0
MEDIUM ES ElasticSearch HTTPS Only 17 0 0 0
LOW EC2 Insecure EC2 Metadata Options 16 0 6 0
LOW S3 S3 Bucket Website Enabled 3 0 0 0
LOW EC2 SSM Agent Latest Version 17 0 0 0
LOW EC2 Default VPC Exists 0 0 17 0

LOW S3 S3 Bucket Public Access Block 3 0 0 0
LOW GuardDuty GuardDuty is Enabled 0 0 17 0
LOW ECR ECR Repository Tag Immutability 17 0 0 0
LOW DMS DMS Encryption Enabled 17 0 0 0
LOW ELBv2 ELBv2 Logging Enabled 17 0 0 0
LOW ELBv2 ELBv2 HTTPS Only 17 0 0 0
LOW ELBv2 ELBv2 No Instances 17 0 0 0
LOW ELBv2 ELBv2 WAF Enabled 17 0 0 0
CRITICAL EC2 Open Salt 22 0 0 0
LOW EC2 Open Docker 22 0 0 0
LOW ES ElasticSearch IAM Authentication 17 0 0 0
LOW RDS RDS DocumentDB Minor Version Upgrade 17 0 0 0
LOW Lambda Lambda Log Groups 17 0 0 0
LOW EC2 EC2 LaunchWizard Security Groups 20 0 2 0
LOW EC2 VPC PrivateLink Endpoint Acceptance Required 17 0 0 0
LOW AutoScaling Empty AutoScaling Group 17 0 0 0
LOW IAM IAM Role Last Used 1 0 1 0
LOW IAM Root Account Active Signing Certificates 1 0 0 0
LOW RDS SQL Server TLS Version 17 0 0 0
LOW AutoScaling Auto Scaling Notifications Active 17 0 0 0
LOW AutoScaling Auto Scaling Group Missing ELB 17 0 0 0
LOW Comprehend Amazon Comprehend Volume Encryption 72 0 0 0
LOW Comprehend Amazon Comprehend Output Result Encryption 72 0 0 0
LOW DynamoDB DynamoDB Accelerator Cluster Encryption 12 0 0 0
LOW EC2 Unused EBS Volumes 23 0 0 0

LOW ElasticBeanstalk ElasticBeanstalk Managed Platform Updates 17 0 0 0
LOW IAM Group Inline Policies 1 0 0 0
LOW AutoScaling AutoScaling ELB Same Availability Zone 17 0 0 0
LOW AutoScaling Suspended AutoScaling Groups 17 0 0 0
LOW CloudTrail Object Lock Enabled 0 0 1 0
LOW EC2 Unassociated Elastic IP Addresses 19 0 0 0
LOW ELBv2 ELBv2 Deletion Protection 17 0 0 0
LOW EMR EMR Encryption In Transit 17 0 0 0
LOW EMR EMR Encryption At Rest 17 0 0 0
LOW ES ElasticSearch Exposed Domain 17 0 0 0
LOW IAM Cross-Account Access External ID and MFA 4 0 0 0
LOW S3 S3 Secure Transport Enabled 1 0 2 0
LOW SNS SNS Topic CMK Encryption 16 0 1 0
LOW AutoScaling ELB Health Check Active 17 0 0 0
LOW AutoScaling Launch Configuration Referencing Missing Security

17 0 0 0
Groups
LOW EC2 Open RFC 1918 41 0 0 0
LOW EC2 Public IP Address EC2 Instances 16 0 6 0
LOW IAM IAM User Unauthorized to Edit 2 0 1 0
LOW RDS RDS CMK Encryption 17 0 0 0
LOW RDS RDS Transport Encryption Enabled 17 0 0 0
LOW SNS SNS Topic Encrypted 16 0 1 0
LOW SQS SQS Public Access 17 0 0 0
LOW EC2 SSM Agent Auto Update Enabled 17 0 0 0
LOW Redshift Redshift Cluster CMK Encryption 17 0 0 0

LOW Redshift Redshift Parameter Group SSL Required 17 0 0 0
LOW API Gateway API Gateway WAF Enabled 17 0 0 0
LOW CloudTrail CloudTrail Data Events 0 0 0 17
LOW CloudTrail CloudTrail Delivery Failing 17 0 0 0
LOW CloudTrail CloudTrail Global Services Logging Duplicated 1 0 0 0
LOW EC2 Automate EBS Snapshot Lifecycle 16 0 0 1
LOW EC2 EBS Volumes Too Old Snapshots 17 0 0 0
HIGH EC2 VPC Endpoint Exposed 17 0 0 0
LOW EC2 Unused Elastic Network Interfaces 22 0 0 0
LOW EC2 Unused Amazon Machine Images 17 0 0 0
LOW EC2 Unused VPC Internet Gateways 34 0 0 0
LOW EC2 Managed NAT Gateway In Use 0 0 17 0
LOW EC2 Unused Virtual Private Gateway 17 0 0 0
LOW EFS EFS CMK Encrypted 17 0 0 0
LOW ELBv2 ELBv2 Minimum Number of EC2 Target Instances 17 0 0 0
LOW ELBv2 ELBv2 NLB Listener Security 17 0 0 0
LOW EMR EMR Cluster Logging 17 0 0 0
LOW Redshift Redshift Cluster Audit Logging Enabled 17 0 0 0
LOW Redshift Redshift Cluster Allow Version Upgrade 17 0 0 0
LOW Redshift Redshift User Activity Logging Enabled 17 0 0 0
LOW API Gateway API Gateway Certificate Rotation 17 0 0 0
LOW API Gateway API Gateway Private Endpoints 17 0 0 0
LOW API Gateway API Gateway Content Encoding 17 0 0 0
LOW API Gateway API Gateway Tracing Enabled 17 0 0 0
LOW API Gateway API Gateway Detailed CloudWatch Metrics 17 0 0 0

LOW API Gateway API Gateway Client Certificate 17 0 0 0
LOW DynamoDB DynamoDB Continuous Backups 17 0 0 0
LOW EC2 VPC Endpoint Cross Account Access 17 0 0 0
LOW EC2 Cross Organization VPC Peering Connections 17 0 0 0
LOW EC2 VPC Subnet Instances Present 4 0 51 0
LOW EC2 Unrestricted Network ACL Outbound Traffic 0 0 17 0
LOW EKS EKS Secrets Encrypted 17 0 0 0
LOW IAM IAM Master and IAM Manager Roles 0 0 1 0
LOW IAM Trusted Cross Account Roles 3 0 1 0
LOW S3 S3 Bucket Policy CloudFront OAI 1 0 0 0
LOW S3 S3 Transfer Acceleration Enabled 0 0 3 0
LOW S3 S3 DNS Compliant Bucket Names 3 0 0 0
LOW SQS SQS Dead Letter Queue 17 0 0 0
LOW SQS SQS Queue Unprocessed Messages 17 0 0 0
LOW Lambda Lambda Admin Privileges 17 0 0 0
LOW Lambda Lambda Tracing Enabled 17 0 0 0
LOW CloudWatchLogs CloudWatch Log Retention Period 17 0 0 5
LOW Redshift Redshift Cluster In VPC 17 0 0 0
LOW Redshift Redshift Cluster Default Port 17 0 0 0
LOW Redshift Redshift Cluster Default Master Username 17 0 0 0
LOW Redshift Redshift Automated Snapshot Retention Period 17 0 0 0
LOW Redshift Redshift Nodes Count 17 0 0 0
LOW Redshift Redshift Unused Reserved Nodes 17 0 0 0
LOW WorkSpaces WorkSpaces Volume Encryption 12 0 0 0
LOW WorkSpaces Workspaces IP Access Control 12 0 0 0

LOW CloudFormation CloudFormation Drift Detection 17 0 0 0
LOW API Gateway API Gateway CloudWatch Logs 17 0 0 0
LOW CloudTrail CloudTrail Management Events 0 0 0 17
LOW ELB ELB Cross-Zone Load Balancing 17 0 0 0
LOW ELB Classic Load Balancers In Use 17 0 0 0
LOW ELB ELB Connection Draining Enabled 17 0 0 0
LOW ELBv2 ELBv2 Deregistration Delay 17 0 0 0
LOW RDS RDS IAM Database Authentication Enabled 17 0 0 0
LOW RDS RDS Deletion Protection Enabled 17 0 0 0
LOW EC2 EBS Backup Enabled 16 0 7 0
LOW ELBv2 ELB SSL Termination 17 0 0 0
LOW IAM Access Analyzer Enabled 0 0 17 0
LOW EC2 Outdated Amazon Machine Images 17 0 0 0
LOW ES ElasticSearch Domain Cross Account access 17 0 0 0
LOW ES ElasticSearch Cluster Status 17 0 0 0
LOW ES ElasticSearch Dedicated Master Enabled 17 0 0 0
LOW ES ElasticSearch TLS Version 17 0 0 0
LOW ES ElasticSearch Encryption Enabled 17 0 0 0
LOW EventBridge Event Bus Cross Account Access 17 0 0 0
LOW IAM IAM Support Policy 0 0 1 0
LOW IAM IAM User Account In Use 0 0 3 0
LOW Route53 Domain Privacy Protection 1 0 0 0
LOW Route53 Sender Policy Framework In Use 1 0 0 0
LOW Route53 Sender Privacy Framework Record Present 1 0 0 0
LOW Transfer PrivateLink in Use for Transfer for SFTP Server Endpoints
17 0 0 0
LOW Glacier S3 Glacier Vault Public Access 17 0 0 0
LOW IAM IAM User Present 1 0 0 0
LOW SSM SSM Documents Public Access 0 0 0 17
LOW MQ MQ Deployment Mode 17 0 0 0
LOW MQ MQ Auto Minor Version Upgrade 17 0 0 0
LOW MQ MQ Log Exports Enabled 17 0 0 0
LOW WorkSpaces Unused WorkSpaces 12 0 0 0
LOW ECR ECR Repository Encrypted 17 0 0 0
LOW Kendra Kendra Index Encrypted 0 0 0 7
LOW Proton Environment Template Encrypted 0 0 0 5
LOW ElastiCache ElastiCache Redis Cluster Encryption In-Transit 17 0 0 0
LOW S3 S3 Versioned Buckets Lifecycle Configuration 3 0 0 0
LOW SES SES Email Messages Encrypted 0 0 0 3
LOW QLDB Ledger Encrypted 0 0 0 11
LOW MWAA Environment Data Encrypted 0 0 0 15
LOW Neptune Neptune Database Instance Encrypted 16 0 0 0
LOW MQ MQ Broker Encrypted 17 0 0 0
0 0 0 9
LOW Connect Connect Customer Profiles Domain Encrypted
LOW CloudWatchLogs CloudWatch Log Groups Encrypted 17 0 0 0
LOW Timestream Timestream Database Encrypted 0 0 0 5
LOW MemoryDB MemoryDB Cluster Encrypted 0 0 0 15
LOW MSK MSK Cluster Encryption At-Rest 0 0 0 16
LOW ElastiCache ElastiCache Redis Cluster Encryption At-Rest 17 0 0 0
LOW App Runner Service Encrypted 0 0 0 5
LOW FinSpace FinSpace Environment Encrypted 0 0 0 5

LOW CodeBuild Project Artifacts Encrypted 17 0 0 0
LOW CodePipeline Pipeline Artifacts Encrypted 16 0 0 0
LOW HealthLake HealthLake Data Store Encrypted 0 0 0 3
LOW CodeArtifact CodeArtifact Domain Encrypted 0 0 0 12
LOW Audit Manager Audit Manager Data Encrypted 0 0 0 12
LOW AppFlow AppFlow Flow Encrypted 0 0 0 15
LOW Elastic Transcoder Elastic Transcoder Pipeline Data Encrypted 0 0 0 8
LOW Elastic Transcoder Elastic Transcoder Job Outputs Encrypted 0 0 0 8
LOW Translate Translate Job Output Encrypted 6 0 0 0
LOW Glue DataBrew AWS Glue DataBrew Job Output Encrypted 0 0 0 16
LOW Managed Blockchain Managed Blockchain Network Member Data

0 0 0 6
Encrypted
LOW DocumentDB DocumentDB Cluster Encrypted 15 0 0 0
LOW Connect Connect Instance Media Streams Encrypted 0 0 0 9
LOW Connect Connect Instance Chat Transcripts Encrypted 0 0 0 9
LOW Connect Connect Instance Exported Reports Encrypted 0 0 0 9
LOW Connect Connect Instance Call Recording Encrypted 0 0 0 9
LOW Connect Connect Instance Attachments Encrypted 0 0 0 9
LOW Backup Backup Vault Encrypted 0 0 0 17
LOW ElasticBeanstalk Enhanced Health Reporting 17 0 0 0
LOW ElasticBeanstalk Environment Access Logs 17 0 0 0
LOW ElasticBeanstalk Environment Persistent Logs 17 0 0 0
LOW EKS EKS Latest Platform Version 17 0 0 0
LOW EMR EMR Instances Counts 18 0 0 0
LOW Kinesis Video Streams Video Stream Data Encrypted 0 0 0 14
LOW KMS KMS Grant Least Privilege 18 0 0 0

LOW KMS KMS Duplicate Grants 18 0 0 0
LOW ElastiCache ElastiCache Instance Generation 17 0 0 0
17 0 0 0
LOW ElastiCache ElastiCache Engine Versions for Redis
LOW ElastiCache ElastiCache Nodes Count 18 0 0 0
LOW ElastiCache ElastiCache Redis Cluster Have Multi-AZ 17 0 0 0
LOW EC2 SSM Managed Instances 16 0 6 0
LOW Connect Connect Wisdom Domain Encrypted 0 0 0 6
LOW Connect Connect Voice ID Domain Encrypted 0 0 0 7
LOW ElastiCache ElastiCache Reserved Cache Node Payment Pending 17 0 0 0
LOW ElastiCache Unused ElastiCache Reserved Cache Nodes 17 0 0 0
LOW ElastiCache ElastiCache Reserved Cache Node Payment Failed 17 0 0 0
LOW ElastiCache ElastiCache Reserved Cache Node Lease Expiration 17 0 0 0
LOW GuardDuty GuardDuty No Active Findings 17 0 0 0
LOW GuardDuty Exported Findings Encrypted 17 0 0 0
LOW WorkSpaces WorkSpaces Instance Count 13 0 0 0
LOW DocumentDB DocumentDB Cluster Backup Retention 15 0 0 0
LOW LookoutEquipment LookoutEquipment Dataset Encrypted 0 0 0 3
LOW IoT SiteWise IoT SiteWise Data Encrypted 0 0 0 9
LOW Location Tracker Data Encrypted 0 0 0 9
LOW Location Geoference Collection Data Encrypted 0 0 0 9
LOW Lookout Model Data Encrypted 0 0 0 7
LOW LookoutMetrics LookoutMetrics Anomaly Detector Encrypted 0 0 0 9
LOW Lex Audio Logs Encrypted 0 0 0 10
LOW Forecast Forecast Dataset Encrypted 0 0 0 10
LOW Forecast Forecast Dataset Export Encrypted 0 0 0 10

LOW FSx FSx File System Encrypted 9 0 0 0
LOW WAF AWS WAFV2 In Use 0 0 17 0
LOW WAF AWS WAF In Use 0 0 18 0
LOW CloudFront CloudFront Enable Origin Failover 1 0 0 0
LOW CloudFront CloudFront Geo Restriction 1 0 0 0
LOW CloudFront CloudFront Compress Objects Automatically 1 0 0 0
LOW DMS DMS Publicly Accessible Instances 17 0 0 0
LOW DMS DMS Multi-AZ Feature Enabled 17 0 0 0
LOW DMS DMS Auto Minor Version Upgrade 17 0 0 0
LOW EC2 Unused Security Groups 5 0 17 0
LOW EMR EMR Cluster In VPC 17 0 0 0
LOW Firehose Firehose Delivery Streams CMK Encrypted 17 0 0 0
LOW Kinesis Kinesis Data Streams Encrypted 17 0 0 0
LOW ElastiCache ElastiCache Cluster In VPC 17 0 0 0
LOW ElastiCache ElastiCache Desired Node Type 17 0 0 0
LOW SageMaker Notebook instance in VPC 17 0 0 0
LOW SQS SQS Encryption Enabled 17 0 0 0
LOW Secrets Manager Secrets Manager In Use 0 0 17 0
LOW Fraud Detector Fraud Detector Data Encrypted 0 0 0 4
LOW IAM Access Analyzer Active Findings 17 0 0 0
LOW ACM ACM Single Domain Name Certificates 17 0 0 0
LOW App Mesh App Mesh VG Access Logging 16 0 0 0
LOW API Gateway API Gateway Response Caching 17 0 0 0
LOW API Gateway API Stage-Level Cache Encryption 17 0 0 0
LOW App Mesh App Mesh Restrict External Traffic 16 0 0 0

LOW App Mesh App Mesh TLS Required 16 0 0 0
LOW AutoScaling Auto Scaling Group Cooldown Period 17 0 0 0
LOW AutoScaling Auto Scaling Unused Launch Configuration 17 0 0 0
LOW CloudFront CloudFront Distribution Field-Level Encryption 1 0 0 0
LOW CloudFront CloudFront Enabled 0 0 1 0
LOW CloudFormation CloudFormation Admin Priviliges 17 0 0 0
LOW CloudFormation AWS CloudFormation In Use 0 0 17 0
LOW CloudTrail CloudTrail Notifications Enabled 16 0 1 0
LOW ConfigService AWS Config Complaint Rules 17 0 0 0
LOW ConfigService Config Delivery Failing 17 0 0 0
LOW ConfigService Config Service Missing Bucket 17 0 0 0
LOW DynamoDB DynamoDB Table Backup Exists 17 0 0 0
LOW ElastiCache ElastiCache Default Ports 17 0 0 0
LOW EventBridge Event Bus Public Access 17 0 0 0
LOW EventBridge EventBridge Event Rules In Use 0 0 1 0
LOW EC2 SSM Session Duration 17 0 0 0
LOW CloudWatch VPC Flow Logs Metric Alarm 0 0 17 0
LOW MSK MSK Cluster Encryption In-Transit 0 0 0 16
LOW Backup Backup In Use For RDS Snapshots 17 0 0 0
LOW Backup Backup Failure Notification Enabled 0 0 0 17
LOW Backup Backup Deletion Protection Enabled 0 0 0 17
LOW Backup AWS Backup Compliant Lifecycle Configured 0 0 0 17
LOW Compute Optimizer EC2 Instances Optimized 0 0 0 1
0 0 0 1
LOW Compute Optimizer Lambda Function Optimized
LOW Compute Optimizer Compute Optimizer Recommendations Enabled 0 0 0 1
LOW Compute Optimizer EBS Volumes Optimized 0 0 0 1
LOW Compute Optimizer Auto Scaling Group Optimized 0 0 0 1
LOW MSK MSK Cluster Client Broker Encryption 0 0 0 16
LOW MSK MSK Cluster Public Access 0 0 0 16
LOW MSK MSK Cluster Unauthenticated Access 0 0 0 16
LOW Image Builder Infrastructure Configuration Notification Enabled 0 0 0 17
LOW Image Builder Dockerfile Template Encrypted 0 0 0 17
LOW Image Builder Image Recipe Storage Volumes Encrypted 0 0 0 17
LOW Image Builder Image Builder Components Encrypted 0 0 0 17
LOW EC2 Open MongoDB 22 0 0 0
LOW EC2 Open Cassandra Client 22 0 0 0
LOW EC2 Open Cassandra Internode 22 0 0 0
LOW EC2 Open Cassandra Monitoring 22 0 0 0
LOW EC2 Open Cassandra Thrift 22 0 0 0
LOW EC2 Open LDAP 22 0 0 0
LOW EC2 Open LDAPS 22 0 0 0
LOW EC2 Open SNMP 22 0 0 0
LOW EC2 Open Memcached 22 0 0 0
LOW EC2 Open Internal Web 22 0 0 0
LOW EC2 Open Redis 22 0 0 0
LOW EC2 Virtual Private Gateway In VPC 17 0 0 0
LOW EC2 Internet Gateways In VPC 17 0 0 0
LOW IAM Password Policy Allows To Change Password 0 0 1 0
LOW RDS RDS Snapshot Publicly Accessible 17 0 0 0

Detailed Results
S3 CloudTrail Bucket Delete Policy
0 1 0 0
Ensures CloudTrail logging bucket has a policy to prevent deletion of logs without an MFA
Test Description
token
To provide additional security, CloudTrail logging buckets should require an MFA token to
Additional Info
delete objects
Recommended Action Enable MFA delete on the CloudTrail bucket
http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthentication
Cloud Provider Link
Delete
Result Region Resource Message
WARN us-east-1 arn:aws:s3:::siscor-trails Bucket: siscor-trails has MFA delete disabled
CloudTrail CloudTrail Enabled

18 0 0 0
Test Description Ensures CloudTrail is enabled for all regions within an account
CloudTrail should be enabled for all regions in order to detect suspicious activity in regions that
Additional Info
are not typically used.
Enable CloudTrail for all regions and ensure that at least one region monitors global service
Recommended Action
events
Cloud Provider Link http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-getting-started.html
PASS us-east-1 CloudTrail is enabled and monitoring regional and global services
PASS us-east-2 CloudTrail is enabled and monitoring regional and global services
PASS us-west-1 CloudTrail is enabled and monitoring regional and global services
PASS us-west-2 CloudTrail is enabled and monitoring regional and global services
PASS ca-central-1 CloudTrail is enabled and monitoring regional and global services
PASS eu-central-1 CloudTrail is enabled and monitoring regional and global services
PASS eu-west-1 CloudTrail is enabled and monitoring regional and global services
PASS eu-north-1 CloudTrail is enabled and monitoring regional and global services
PASS ap-northeast-1 CloudTrail is enabled and monitoring regional and global services
PASS ap-southeast-1 CloudTrail is enabled and monitoring regional and global services
PASS ap-southeast-2 CloudTrail is enabled and monitoring regional and global services
PASS ap-south-1 CloudTrail is enabled and monitoring regional and global services
PASS sa-east-1 CloudTrail is enabled and monitoring regional and global services
PASS global CloudTrail is configured and enabled to monitor global services
EC2 Elastic IP Limit

17 0 0 0
Test Description Determine if the number of allocated EIPs is close to the AWS per-account limit
AWS limits accounts to certain numbers of resources. Exceeding those limits could prevent
Additional Info
resources from launching.
Recommended Action Contact AWS support to increase the number of EIPs available
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-
Cloud Provider Link
instance-addressing-limit
PASS us-east-1 Account contains 0 of 5 (0%) available Elastic IPs
PASS us-east-2 No Elastic IPs found
PASS us-west-1 No Elastic IPs found
PASS us-west-2 No Elastic IPs found

PASS ca-central-1 No Elastic IPs found
PASS eu-central-1 No Elastic IPs found
PASS eu-west-1 No Elastic IPs found
PASS eu-north-1 No Elastic IPs found
PASS ap-northeast-1 No Elastic IPs found
PASS ap-southeast-1 No Elastic IPs found
PASS ap-southeast-2 No Elastic IPs found
PASS ap-south-1 No Elastic IPs found
PASS sa-east-1 No Elastic IPs found
EC2 VPC Elastic IP Limit

17 0 0 0
Test Description Determine if the number of allocated VPC EIPs is close to the AWS per-account limit
Additional Info
Recommended Action Contact AWS support to increase the number of EIPs available
Cloud Provider Link
PASS us-east-1 Account contains 3 of 5 (60%) available VPC Elastic IPs
PASS us-east-2 No VPC Elastic IPs found
us-west-1 No VPC Elastic IPs found

PASS
PASS us-west-2 No VPC Elastic IPs found
PASS ca-central-1 No VPC Elastic IPs found
PASS eu-central-1 No VPC Elastic IPs found
PASS eu-west-1 No VPC Elastic IPs found
PASS eu-north-1 No VPC Elastic IPs found
PASS ap-northeast-1 No VPC Elastic IPs found
PASS ap-southeast-1 No VPC Elastic IPs found
PASS ap-southeast-2 No VPC Elastic IPs found
PASS ap-south-1 No VPC Elastic IPs found
PASS sa-east-1 No VPC Elastic IPs found
EC2 Instance Limit

17 0 0 0
Test Description Determine if the number of EC2 instances is close to the AWS per-account limit
Additional Info
Recommended Action Contact AWS support to increase the number of instances available
Cloud Provider Link
PASS
us-east-1 Account contains 6 of 20 (30%) available instances
PASS us-east-2 No instances found
PASS us-west-1 No instances found
PASS ca-central-1 No instances found
PASS eu-central-1 No instances found
PASS eu-west-1 No instances found
PASS eu-north-1 No instances found
PASS ap-northeast-1 No instances found
PASS ap-southeast-1 No instances found
PASS ap-south-1 No instances found
PASS sa-east-1 No instances found
EC2 Excessive Security Groups

17 0 0 0
Test Description Determine if there are an excessive number of security groups in the account
Keeping the number of security groups to a minimum helps reduce the attack surface of an
account. Rather than creating new groups with the same rules for each project, common rules
Additional Info should be grouped under the same security groups. For example, instead of adding port 22
from a known IP to every group, create a single "SSH" security group which can be used on
multiple instances.
Recommended Action Limit the number of security groups to prevent accidental authorizations
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-
Cloud Provider Link
instance.html
PASS us-east-1 Acceptable number of security groups: 6 groups present
PASS us-east-2 Acceptable number of security groups: 1 groups present
PASS us-west-1 Acceptable number of security groups: 1 groups present
PASS us-west-2 Acceptable number of security groups: 1 groups present
PASS ca-central-1 Acceptable number of security groups: 1 groups present
PASS eu-central-1 Acceptable number of security groups: 1 groups present
PASS eu-west-1 Acceptable number of security groups: 1 groups present
PASS eu-north-1 Acceptable number of security groups: 1 groups present
PASS ap-northeast-1 Acceptable number of security groups: 1 groups present
PASS ap-southeast-1 Acceptable number of security groups: 1 groups present
PASS ap-southeast-2 Acceptable number of security groups: 1 groups present
PASS ap-south-1 Acceptable number of security groups: 1 groups present
PASS sa-east-1 Acceptable number of security groups: 1 groups present
EC2 Open FTP

22 0 0 0
Test Description Determine if TCP port 20 or 21 for FTP is open to the public
While some ports such as HTTP and HTTPS are required to be open to the public to function
Additional Info
properly, more sensitive services such as FTP should be restricted to known IP addresses.
Recommended Action Restrict TCP ports 20 and 21 to known IP addresses

Cloud Provider Link
instance.html
arn:aws:ec2:us-east-
Security group: sg-015527859f4cb1ab4 (launch-wizard-
PASS us-east-1 1:922503285322:security-group/sg-
1) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
015527859f4cb1ab4
arn:aws:ec2:us-east- Security group: sg-0b29b77965792ae5d (SG-

PASS us-east-1 1:922503285322:security-group/sg- RemoteAccess) does not have TCP:20,21 open to
0b29b77965792ae5d 0.0.0.0/0 or ::0
Security group: sg-031d418a21dd84701 (SG-Linux)
does not have TCP:20,21 open to 0.0.0.0/0 or ::0
031d418a21dd84701
arn:aws:ec2:us-east- Security group: sg-0ea00fe2209686e28

PASS us-east-1 1:922503285322:security-group/sg- (Linux_Jumpbox) does not have TCP:20,21 open to
0ea00fe2209686e28 0.0.0.0/0 or ::0
Security group: sg-0add6fd8f5e13005e (launch-wizard-
0add6fd8f5e13005e
Security group: sg-2a94e22e (default) does not have
TCP:20,21 open to 0.0.0.0/0 or ::0
2a94e22e
Security group: sg-35cd9243 (default) does not have
TCP:20,21 open to 0.0.0.0/0 or ::0
35cd9243
arn:aws:ec2:us-west-
Security group: sg-0355558bdeb17eba4 (default) does
PASS us-west-1 1:922503285322:security-group/sg-
not have TCP:20,21 open to 0.0.0.0/0 or ::0
0355558bdeb17eba4
Security group: sg-07b897bc45d1e6fe2 (default) does
07b897bc45d1e6fe2
arn:aws:ec2:ca-central-
ca-central- Security group: sg-0221abf87bbe12971 (default) does
PASS 1:922503285322:security-group/sg-
1 not have TCP:20,21 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
arn:aws:ec2:eu-central-
eu-central- Security group: sg-09b903e8dd37bee5f (default) does
09b903e8dd37bee5f
arn:aws:ec2:eu-west-
Security group: sg-08b897c32e384acbc (default) does
PASS eu-west-1 1:922503285322:security-group/sg-
08b897c32e384acbc
Security group: sg-0ae841762d2749f1a (default) does
0ae841762d2749f1a
Security group: sg-03bc08f1c58bcf815 (default) does
03bc08f1c58bcf815
arn:aws:ec2:eu-north-
Security group: sg-04656562bedc2ae6d (default) does
PASS eu-north-1 1:922503285322:security-group/sg-
04656562bedc2ae6d
ap- arn:aws:ec2:ap-northeast- Security group: sg-0a5f4c4f1b5983891 (default) does
PASS
northeast- 1:922503285322:security-group/sg- not have TCP:20,21 open to 0.0.0.0/0 or ::0
1 0a5f4c4f1b5983891
ap- arn:aws:ec2:ap-northeast-
Security group: sg-07f8aee861c34413f (default) does
PASS northeast- 2:922503285322:security-group/sg-
2 07f8aee861c34413f
ap- arn:aws:ec2:ap-southeast-
Security group: sg-0f40a8e2330e64b60 (default) does
PASS southeast- 1:922503285322:security-group/sg-
1 0f40a8e2330e64b60
Security group: sg-0de72c4ef2c1b7162 (default) does
2 0de72c4ef2c1b7162
Security group: sg-09c1a77d7fa721022 (default) does
3 09c1a77d7fa721022
arn:aws:ec2:ap-south-
Security group: sg-02cb7aa81a32263ad (default) does
PASS ap-south-1 1:922503285322:security-group/sg-
02cb7aa81a32263ad
arn:aws:ec2:sa-east-
Security group: sg-ffd685b7 (default) does not have
PASS sa-east-1 1:922503285322:security-group/sg-
TCP:20,21 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open SSH

22 0 0 0
Test Description Determine if TCP port 22 for SSH is open to the public
Additional Info
properly, more sensitive services such as SSH should be restricted to known IP addresses.
Recommended Action Restrict TCP port 22 to known IP addresses
Cloud Provider Link
instance.html
arn:aws:ec2:us-east- Security group: sg-015527859f4cb1ab4 (launch-

PASS us-east-1 1:922503285322:security-group/sg- wizard-1) does not have TCP:22 open to 0.0.0.0/0 or
015527859f4cb1ab4 ::0

PASS us-east-1 1:922503285322:security-group/sg- RemoteAccess) does not have TCP:22 open to
0b29b77965792ae5d 0.0.0.0/0 or ::0
arn:aws:ec2:us-east- Security group: sg-031d418a21dd84701 (SG-Linux)

PASS us-east-1 1:922503285322:security-group/sg- does not have TCP:22 open to 0.0.0.0/0 or ::0
031d418a21dd84701

us-east-1 1:922503285322:security-group/sg- (Linux_Jumpbox) does not have TCP:22 open to
PASS 0ea00fe2209686e28 0.0.0.0/0 or ::0
arn:aws:ec2:us-east- Security group: sg-0add6fd8f5e13005e (launch-

0add6fd8f5e13005e ::0
TCP:22 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:22 open to 0.0.0.0/0 or ::0
35cd9243
not have TCP:22 open to 0.0.0.0/0 or ::0
0355558bdeb17eba4
07b897bc45d1e6fe2
1 not have TCP:22 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
Security group: sg-0a5f4c4f1b5983891 (default) does
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
arn:aws:ec2:ap-south- Security group: sg-02cb7aa81a32263ad (default) does
PASS ap-south-1 1:922503285322:security-group/sg- not have TCP:22 open to 0.0.0.0/0 or ::0
02cb7aa81a32263ad
TCP:22 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open Telnet

22 0 0 0
Test Description Determine if TCP port 23 for Telnet is open to the public
Additional Info
properly, more sensitive services such as Telnet should be restricted to known IP addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
does not have TCP:23 open to 0.0.0.0/0 or ::0
031d418a21dd84701

PASS us-east-1 1:922503285322:security-group/sg- (Linux_Jumpbox) does not have TCP:23 open to
0ea00fe2209686e28 0.0.0.0/0 or ::0

0add6fd8f5e13005e ::0
arn:aws:ec2:us-east- Security group: sg-2a94e22e (default) does not have

PASS us-east-1 1:922503285322:security-group/sg- TCP:23 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:23 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
us-west-2 2:922503285322:security-group/sg-
PASS 07b897bc45d1e6fe2 not have TCP:23 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:23 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open SMTP

22 0 0 0
Test Description Determine if TCP port 25 for SMTP is open to the public
Additional Info
properly, more sensitive services such as SMTP should be restricted to known IP addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0

0add6fd8f5e13005e ::0
TCP:25 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:25 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
PASS Security group: sg-07b897bc45d1e6fe2 (default) does
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
PASS eu-west-3 3:922503285322:security-group/sg- Security group: sg-03bc08f1c58bcf815 (default) does
03bc08f1c58bcf815 not have TCP:25 open to 0.0.0.0/0 or ::0
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:25 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open DNS

22 0 0 0
Test Description Determine if TCP or UDP port 53 for DNS is open to the public
Additional Info
properly, more sensitive services such as DNS should be restricted to known IP addresses.
Recommended Action Restrict TCP and UDP port 53 to known IP addresses
Cloud Provider Link
instance.html
arn:aws:ec2:us-east- Security group: sg-015527859f4cb1ab4 (launch-wizard-

PASS us-east-1 1:922503285322:security-group/sg- 1) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or
015527859f4cb1ab4 ::0

PASS us-east-1 1:922503285322:security-group/sg- RemoteAccess) does not have UDP:53, TCP:53 open to
0b29b77965792ae5d 0.0.0.0/0 or ::0
does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
031d418a21dd84701

PASS us-east-1 1:922503285322:security-group/sg- (Linux_Jumpbox) does not have UDP:53, TCP:53 open
0ea00fe2209686e28 to 0.0.0.0/0 or ::0
arn:aws:ec2:us-east- Security group: sg-0add6fd8f5e13005e (launch-wizard-

PASS us-east-1 1:922503285322:security-group/sg- 2) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or
0add6fd8f5e13005e ::0
UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
2a94e22e
UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
35cd9243
not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
0355558bdeb17eba4
07b897bc45d1e6fe2
1 not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
1 not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
PASS southeast- 2:922503285322:security-group/sg- Security group: sg-0de72c4ef2c1b7162 (default) does
2 0de72c4ef2c1b7162 not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
3 09c1a77d7fa721022

PASS ap-south-1 1:922503285322:security-group/sg- not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
02cb7aa81a32263ad
UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open RPC

22 0 0 0
Test Description Determine if TCP port 135 for RPC is open to the public
Additional Info
properly, more sensitive services such as RPC should be restricted to known IP addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
2) does not have TCP:135 open to 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:135 open to 0.0.0.0/0 or ::0
2a94e22e
35cd9243 TCP:135 open to 0.0.0.0/0 or ::0
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
arn:aws:ec2:eu-north- Security group: sg-04656562bedc2ae6d (default) does

PASS eu-north-1 1:922503285322:security-group/sg- not have TCP:135 open to 0.0.0.0/0 or ::0
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:135 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open NetBIOS
22 0 0 0
Test Description Determine if UDP port 137 or 138 or 139 for NetBIOS is open to the public
Additional Info properly, more sensitive services such as NetBIOS should be restricted to known IP
addresses.
Recommended Action Restrict UDP ports 137 and 138 to known IP addresses
Cloud Provider Link
instance.html

PASS us-east-1 1:922503285322:security-group/sg- 1) does not have UDP:137,138,139 open to 0.0.0.0/0 or
015527859f4cb1ab4 ::0

PASS us-east-1 1:922503285322:security-group/sg- RemoteAccess) does not have UDP:137,138,139 open
0b29b77965792ae5d to 0.0.0.0/0 or ::0
does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
031d418a21dd84701

PASS us-east-1 1:922503285322:security-group/sg- (Linux_Jumpbox) does not have UDP:137,138,139 open
0ea00fe2209686e28 to 0.0.0.0/0 or ::0
arn:aws:ec2:us-east- Security group: sg-0add6fd8f5e13005e (launch-wizard-

PASS us-east-1 1:922503285322:security-group/sg- 2) does not have UDP:137,138,139 open to 0.0.0.0/0 or
0add6fd8f5e13005e ::0
UDP:137,138,139 open to 0.0.0.0/0 or ::0
2a94e22e
UDP:137,138,139 open to 0.0.0.0/0 or ::0
35cd9243
not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
0355558bdeb17eba4
07b897bc45d1e6fe2
1 not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
Security group: sg-03bc08f1c58bcf815 (default) does not
have UDP:137,138,139 open to 0.0.0.0/0 or ::0
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
PASS northeast- Security group: sg-07f8aee861c34413f (default) does
2:922503285322:security-group/sg-
07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
UDP:137,138,139 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open SMBoTCP

22 0 0 0
Test Description Determine if TCP port 445 for Windows SMB over TCP is open to the public
Additional Info
properly, more sensitive services such as SMB should be restricted to known IP addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:445 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:445 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
eu-central- 1:922503285322:security-group/sg- Security group: sg-09b903e8dd37bee5f (default) does
PASS
1 09b903e8dd37bee5f not have TCP:445 open to 0.0.0.0/0 or ::0
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
PASS ap-south-1 Security group: sg-02cb7aa81a32263ad (default) does
02cb7aa81a32263ad
TCP:445 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open CIFS

22 0 0 0
Test Description Determine if UDP port 445 for CIFS is open to the public
Additional Info
properly, more sensitive services such as CIFS should be restricted to known IP addresses.
Recommended Action Restrict UDP port 445 to known IP addresses
Cloud Provider Link
instance.html

PASS us-east-1 1:922503285322:security-group/sg- wizard-1) does not have UDP:445 open to 0.0.0.0/0 or
015527859f4cb1ab4 ::0

PASS us-east-1 1:922503285322:security-group/sg- RemoteAccess) does not have UDP:445 open to
0b29b77965792ae5d 0.0.0.0/0 or ::0
does not have UDP:445 open to 0.0.0.0/0 or ::0
031d418a21dd84701

PASS us-east-1 1:922503285322:security-group/sg- (Linux_Jumpbox) does not have UDP:445 open to
0ea00fe2209686e28 0.0.0.0/0 or ::0
2) does not have UDP:445 open to 0.0.0.0/0 or ::0
0add6fd8f5e13005e
arn:aws:ec2:us-east- Security group: sg-2a94e22e (default) does not have
PASS us-east-1 1:922503285322:security-group/sg- UDP:445 open to 0.0.0.0/0 or ::0
2a94e22e
UDP:445 open to 0.0.0.0/0 or ::0
35cd9243
not have UDP:445 open to 0.0.0.0/0 or ::0
0355558bdeb17eba4
07b897bc45d1e6fe2
1 not have UDP:445 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
UDP:445 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open SQL Server
22 0 0 0
Test Description Determine if TCP port 1433 or UDP port 1434 for SQL Server is open to the public
Additional Info properly, more sensitive services such as SQL server should be restricted to known IP
addresses.
Recommended Action Restrict TCP port 1433 and UDP port 1434 to known IP addresses
Cloud Provider Link
instance.html
arn:aws:ec2:us-east- Security group: sg-015527859f4cb1ab4 (launch-wizard-1)

PASS us-east-1 1:922503285322:security-group/sg- does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or
015527859f4cb1ab4 ::0

PASS us-east-1 1:922503285322:security-group/sg- RemoteAccess) does not have TCP:1433, UDP:1434
0b29b77965792ae5d open to 0.0.0.0/0 or ::0
Security group: sg-031d418a21dd84701 (SG-Linux) does
not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
031d418a21dd84701
arn:aws:ec2:us-east- Security group: sg-0ea00fe2209686e28 (Linux_Jumpbox)

0ea00fe2209686e28 ::0
arn:aws:ec2:us-east- Security group: sg-0add6fd8f5e13005e (launch-wizard-2)

0add6fd8f5e13005e ::0
TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
Security group: sg-07b897bc45d1e6fe2 (default) does not
have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
07b897bc45d1e6fe2
ca-central- Security group: sg-0221abf87bbe12971 (default) does not
1 have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
PASS eu-central- arn:aws:ec2:eu-central- Security group: sg-09b903e8dd37bee5f (default) does not
1 1:922503285322:security-group/sg- have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
09b903e8dd37bee5f
08b897c32e384acbc
Security group: sg-0ae841762d2749f1a (default) does not
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
northeast- Security group: sg-0a5f4c4f1b5983891 (default) does not
0a5f4c4f1b5983891
Security group: sg-07f8aee861c34413f (default) does not
2 07f8aee861c34413f
Security group: sg-0f40a8e2330e64b60 (default) does not
1 0f40a8e2330e64b60
Security group: sg-0de72c4ef2c1b7162 (default) does not
2 0de72c4ef2c1b7162
Security group: sg-09c1a77d7fa721022 (default) does not
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open RDP

20 0 2 0
Test Description Determine if TCP port 3389 for RDP is open to the public
Additional Info
properly, more sensitive services such as RDP should be restricted to known IP addresses.

Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-
instance.html
Security group: sg-015527859f4cb1ab4 (launch-
FAIL us-east-1 1:922503285322:security-group/sg-
wizard-1) has RDP:TCP:3389 open to 0.0.0.0/0
015527859f4cb1ab4
Security group: sg-0b29b77965792ae5d (SG-
RemoteAccess) has RDP:TCP:3389 open to 0.0.0.0/0
0b29b77965792ae5d
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0

PASS us-east-1 1:922503285322:security-group/sg- wizard-2) does not have TCP:3389 open to 0.0.0.0/0
0add6fd8f5e13005e or ::0
TCP:3389 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:3389 open to 0.0.0.0/0 or ::0
35cd9243
Security group: sg-0355558bdeb17eba4 (default)
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
Security group: sg-04656562bedc2ae6d (default)
04656562bedc2ae6d
ap- arn:aws:ec2:ap-northeast- Security group: sg-0a5f4c4f1b5983891 (default) does
PASS northeast- 1:922503285322:security-group/sg- not have TCP:3389 open to 0.0.0.0/0 or ::0
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
Security group: sg-02cb7aa81a32263ad (default)
02cb7aa81a32263ad
TCP:3389 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open MySQL

21 0 1 0
Test Description Determine if TCP port 4333 or 3306 for MySQL is open to the public
Additional Info
properly, more sensitive services such as MySQL should be restricted to known IP addresses.
Cloud Provider Link
instance.html
015527859f4cb1ab4

0b29b77965792ae5d 0.0.0.0/0 or ::0
Security group: sg-031d418a21dd84701 (SG-Linux) has
MySQL:TCP:3306 open to 0.0.0.0/0
031d418a21dd84701

us-east-1 1:922503285322:security-group/sg- (Linux_Jumpbox) does not have TCP:3306,4333 open to
PASS 0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:3306,4333 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:3306,4333 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
PASS ap-south-1 1:922503285322:security-group/sg- not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
02cb7aa81a32263ad
TCP:3306,4333 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open PostgreSQL

22 0 0 0
Test Description Determine if TCP port 5432 for PostgreSQL is open to the public
Additional Info properly, more sensitive services such as PostgreSQL should be restricted to known IP
addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:5432 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:5432 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
PASS us-west-2 2:922503285322:security-group/sg- Security group: sg-07b897bc45d1e6fe2 (default) does
07b897bc45d1e6fe2 not have TCP:5432 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
arn:aws:ec2:ap-northeast-
ap- Security group: sg-0a5f4c4f1b5983891 (default) does
PASS northeast- not have TCP:5432 open to 0.0.0.0/0 or ::0
0a5f4c4f1b5983891
1
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:5432 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open VNC Client

22 0 0 0
Test Description Determine if TCP port 5500 for VNC Client is open to the public
Additional Info properly, more sensitive services such as VNC Client should be restricted to known IP
addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:5500 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:5500 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
arn:aws:ec2:eu-west- Security group: sg-03bc08f1c58bcf815 (default) does
PASS eu-west-3 3:922503285322:security-group/sg- not have TCP:5500 open to 0.0.0.0/0 or ::0
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:5500 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open VNC Server

22 0 0 0
Test Description Determine if TCP port 5900 for VNC Server is open to the public
Additional Info properly, more sensitive services such as VNC Server should be restricted to known IP
addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0
PASS us-east-1
1:922503285322:security-group/sg- RemoteAccess) does not have TCP:5900 open to
0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:5900 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:5900 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
arn:aws:ec2:sa-east- Security group: sg-ffd685b7 (default) does not have

PASS sa-east-1 1:922503285322:security-group/sg- TCP:5900 open to 0.0.0.0/0 or ::0
ffd685b7
IAM Certificate Expiry

1 0 0 0
Test Description Detect upcoming expiration of certificates used with ELBs
Additional Info Certificates that have expired will trigger warnings in all major browsers
Recommended Action Update your certificates before the expiration date
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-update-ssl-
Cloud Provider Link
cert.html
PASS global No certificates found
ELB Insecure Ciphers

17 0 0 0
Test Description Detect use of insecure ciphers on ELBs
Various security vulnerabilities have rendered several ciphers insecure. Only the
Additional Info
recommended ciphers should be used.
Recommended Action Update your ELBs to use the recommended cipher suites
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-
Cloud Provider Link
options.html
PASS us-east-1 No load balancers present
PASS us-west-1 No load balancers present
PASS ca-central-1 No load balancers present
PASS eu-central-1 No load balancers present
PASS eu-west-1 No load balancers present
PASS eu-north-1 No load balancers present
PASS ap-northeast-1 No load balancers present
PASS ap-southeast-1 No load balancers present
PASS ap-south-1 No load balancers present
PASS sa-east-1 No load balancers present
IAM Minimum Password Length

0 0 1 0
Test Description Ensures password policy requires a password of at least a minimum number of characters
Additional Info A strong password policy enforces minimum length, expirations, reuse, and symbol usage
Recommended Action Increase the minimum length requirement for the password policy
Cloud Provider Link http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html

FAIL global Account does not have a password policy
IAM Password Requires Symbols

0 0 1 0
Test Description Ensures password policy requires the use of symbols
Recommended Action Update the password policy to require the use of symbols
IAM Maximum Password Age

0 0 1 0
Test Description Ensures password policy requires passwords to be reset every 180 days
Recommended Action Descrease the maximum allowed age of passwords for the password policy
IAM Password Reuse Prevention

0 0 1 0
Test Description Ensures password policy prevents previous password reuse
Recommended Action Increase the minimum previous passwords that can be reused to 24.
IAM Root MFA Enabled

0 0 1 0
Test Description Ensures a multi-factor authentication device is enabled for the root account
Additional Info The root account should have an MFA device setup to enable two-factor authentication.
Recommended Action Enable an MFA device for the root account and then use an IAM user for managing services
Cloud Provider Link http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
FAIL global arn:aws:iam::922503285322:root An MFA device was not found for the root account
IAM Root Access Keys

1 0 0 0
Test Description Ensures the root account is not using access keys
The root account should avoid using access keys. Since the root account has full permissions
Additional Info across the entire account, creating access keys for it only increases the chance that they are
compromised. Instead, create IAM users with predefined roles.
Remove access keys for the root account and setup IAM users with limited permissions
Recommended Action
instead
Cloud Provider Link http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html

PASS global arn:aws:iam::922503285322:root Access keys were not found for the root account
IAM Users MFA Enabled

0 0 1 0
Test Description Ensures a multi-factor authentication device is enabled for all users within the account
Additional Info User accounts should have an MFA device setup to enable two-factor authentication
Recommended Action Enable an MFA device for the user account
FAIL global arn:aws:iam::922503285322:user/cloud3 User: cloud3 does not have an MFA device enabled
EC2 Detect EC2 Classic Instances

17 0 0 0
Test Description Ensures AWS VPC is being used for instances instead of EC2 Classic
VPCs are the latest and more secure method of launching AWS resources. EC2 Classic
Additional Info
should not be used.
Recommended Action Migrate instances from EC2 Classic to VPC
Cloud Provider Link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html
PASS us-east-1 There are 6 instances in a VPC

IAM Access Keys Rotated

1 0 2 0
Test Description Ensures access keys are not older than 180 days in order to reduce accidental exposures
Additional Info Access keys should be rotated frequently to avoid having them accidentally exposed.
To rotate an access key, first create a new key, replace the key and secret throughout your app
Recommended Action or scripts, then set the previous key to disabled. Once you ensure that no services are broken,
then fully delete the old key.
Cloud Provider Link http://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingCredentials.html
arn:aws:iam::922503285322:user/cloud3:access_key User access key 1 was last rotated 478

FAIL global
_1 days ago
arn:aws:iam::922503285322:user/cloud3- User access key 1 was last rotated 13

PASS global
sec:access_key_1 days ago
arn:aws:iam::922503285322:user/userbackup:acces User access key 1 was last rotated 367

FAIL global
s_key_1 days ago
IAM Access Keys Last Used
2 1 0 0
Detects access keys that have not been used for a period of time and that should be
Test Description
decommissioned
Having numerous, unused access keys extends the attack surface. Access keys should be
Additional Info
removed if they are no longer being used.
Recommended Action Log into the IAM portal and remove the offending access key.
arn:aws:iam::922503285322:user/cloud3:access_key User access key 1: was last used 169

WARN global
_1 days ago
arn:aws:iam::922503285322:user/cloud3- User access key 1 was last used 0 days

PASS global
sec:access_key_1 ago
arn:aws:iam::922503285322:user/userbackup:access User access key 1 was last used 1 days

PASS global
_key_1 ago
IAM Access Keys Extra

3 0 0 0
Test Description Detects the use of more than one access key by any single user
Having more than one access key for a single user increases the chance of accidental
Additional Info
exposure. Each account should only have one key that defines the users permissions.
Recommended Action Remove the extra access key for the specified user.
PASS global arn:aws:iam::922503285322:user/cloud3 User is not using both access keys
PASS global arn:aws:iam::922503285322:user/cloud3-sec User is not using both access keys
PASS global arn:aws:iam::922503285322:user/userbackup User is not using both access keys
IAM Empty Groups

1 0 0 0
Test Description Ensures all groups have at least one member
While having empty groups does not present a direct security risk, it does broaden the
Additional Info
management landscape which could potentially introduce risks in the future.
Recommended Action Remove unused groups without users
Cloud Provider Link http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html
PASS global No groups found
S3 S3 Bucket All Users Policy

3 0 0 0
Test Description Ensures S3 bucket policies do not allow global write, delete, or read permissions
S3 buckets can be configured to allow the global principal to access the bucket via the bucket
Additional Info
policy. This policy should be restricted only to known users or accounts.
Recommended Action Remove wildcard principals from the bucket policy statements.
Cloud Provider Link https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html
PASS us-east-1 arn:aws:s3:::siscor-backups No additional bucket policy found
PASS us-east-1 arn:aws:s3:::siscor-trails Bucket policy does not contain any insecure allow statements
PASS us-east-1 arn:aws:s3:::siscor-transfer No additional bucket policy found
RDS RDS Restorable

17 0 0 0
Test Description Ensures RDS instances can be restored to a recent point
AWS will maintain a point to which the database can be restored. This point should not drift too
Additional Info far into the past, or else the risk of irrecoverable data loss may occur.
Ensure the instance is running and configured properly. If the time drifts too far, consider
Recommended Action
opening a support ticket with AWS.
Cloud Provider Link http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIT.html
PASS us-east-1 No RDS instances found
PASS us-west-1 No RDS instances found
PASS ca-central-1 No RDS instances found
PASS eu-central-1 No RDS instances found
PASS eu-west-1 No RDS instances found
PASS eu-north-1 No RDS instances found
PASS ap-northeast-1 No RDS instances found
PASS ap-southeast-1 No RDS instances found
PASS ap-south-1 No RDS instances found
PASS sa-east-1 No RDS instances found
Route53 Domain Auto Renew

1 0 0 0
Test Description Ensures domains are set to auto renew through Route53
Domains purchased through Route53 should be set to auto renew. Domains that are not
Additional Info
renewed can quickly be acquired by a third-party and cause loss of access for customers.
Recommended Action Enable auto renew for the domain
Cloud Provider Link http://docs.aws.amazon.com/Route53/latest/APIReference/api-enable-domain-auto-renew.html
PASS global No domains registered through Route53
Route53 Domain Transfer Lock

1 0 0 0
Test Description Ensures domains have the transfer lock set
To avoid having a domain maliciously transferred to a third-party, all domains should enable
Additional Info
the transfer lock unless actively being transferred.
Recommended Action Enable the transfer lock for the domain
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-from-route-
Cloud Provider Link
53.html
Route53 Domain Expiry

1 0 0 0
Test Description Ensures domains are not expiring too soon
Additional Info Expired domains can be lost and reregistered by a third-party.
Recommended Action Reregister the expiring domain
Cloud Provider Link http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html

RDS RDS Encryption Enabled
17 0 0 0
Test Description Ensures at-rest encryption is setup for RDS instances
AWS provides at-read encryption for RDS instances which should be enabled to ensure the
Additional Info
integrity of data stored within the databases.
RDS does not currently allow modifications to encryption after the instance has been launched,
Recommended Action
so a new instance will need to be created with encryption enabled.
Cloud Provider Link http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

RDS RDS Automated Backups
17 0 0 0
Test Description Ensures automated backups are enabled for RDS instances
AWS provides a simple method of backing up RDS instances at a regular interval. This should
Additional Info be enabled to provide an option for restoring data in the event of a database compromise or
hardware failure.
Recommended Action Enable automated backups for the RDS instance
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBa
Cloud Provider Link
ckups.html

RDS RDS Publicly Accessible
17 0 0 0
Test Description Ensures RDS instances are not launched into the public cloud
Unless there is a specific business requirement, RDS instances should not have a public
Additional Info
endpoint and should be accessed from within a VPC only.
Recommended Action Remove the public endpoint from the RDS instance
Cloud Provider Link http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html

IAM SSH Keys Rotated
1 0 0 0
Test Description Ensures SSH keys are not older than 180 days in order to reduce accidental exposures
Additional Info SSH keys should be rotated frequently to avoid having them accidentally exposed.
To rotate an SSH key, first create a new public-private key pair, then upload the public key to
Recommended Action
AWS and delete the old key.
Cloud Provider Link http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_ssh-keys.html
PASS global No SSH keys found
KMS KMS Key Rotation

16 0 1 0
Test Description Ensures KMS keys are set to rotate on a regular schedule
All KMS keys should have key rotation enabled. AWS will handle the rotation of the encryption
Additional Info key itself, as well as storage of previous keys, so previous data does not need to be re-
encrypted before the rotation occurs.
Recommended Action Enable yearly rotation for the KMS key
Cloud Provider Link http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
arn:aws:kms:us-east-1:922503285322:key/6e8f67d4-a68c-444f-9511- Key rotation is not

FAIL us-east-1
6c545e93df44 enabled
PASS us-east-2 No KMS keys found
PASS us-west-1 No KMS keys found
PASS ca-central-1 No KMS keys found
PASS eu-central-1 No KMS keys found
PASS eu-west-1 No KMS keys found

PASS eu-north-1 No KMS keys found
ap-
PASS No KMS keys found
northeast-1
ap-
northeast-2
ap-
southeast-1
ap-
southeast-2
ap-
northeast-3
PASS ap-south-1 No KMS keys found
PASS sa-east-1 No KMS keys found
CloudTrail CloudTrail File Validation

17 0 0 0
Test Description Ensures CloudTrail file validation is enabled for all regions within an account
CloudTrail file validation is essentially a hash of the file which can be used to ensure its
Additional Info
integrity in the case of an account compromise.
Recommended Action Enable CloudTrail file validation for all regions
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-
Cloud Provider Link
enabling.html
PASS us-east-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
PASS us-east-2 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
PASS us-west-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
PASS
us-west-2 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
PASS ca-central-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled

PASS eu-central-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
PASS eu-west-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
PASS eu-north-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
PASS ap-northeast-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
ap-southeast-
PASS arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
1
ap-southeast-
PASS arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
2
PASS ap-south-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
PASS sa-east-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
IAM Password Expiration

0 0 1 0
Test Description Ensures password policy enforces a password expiration
Recommended Action Enable password expiration for the account
IAM Password Requires Lowercase

0 0 1 0
Test Description Ensures password policy requires at least one lowercase letter
Recommended Action Update the password policy to require the use of lowercase letters
IAM Password Requires Numbers

0 0 1 0
Test Description Ensures password policy requires the use of numbers
Recommended Action Update the password policy to require the use of numbers
IAM Password Requires Uppercase

0 0 1 0
Test Description Ensures password policy requires at least one uppercase letter
Recommended Action Update the password policy to require the use of uppercase letters

IAM Root Account In Use

0 0 1 0
Test Description Ensures the root account is not being actively used
The root account should not be used for day-to-day account management. IAM users, roles,
Additional Info
and groups should be used instead.
Create IAM users with appropriate group-level permissions for account access. Create an MFA
Recommended Action token for the root account, and store its password and token generation QR codes in a secure
place.
Cloud Provider Link http://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html
FAIL global arn:aws:iam::922503285322:root Root account was last used 6 days ago
IAM No User IAM Policies

0 3 0 0
Test Description Ensures IAM policies are not connected directly to IAM users
To reduce management complexity, IAM permissions should only be assigned to roles and
Additional Info groups. Users can then be added to those groups. Policies should not be applied directly to a
user.
Create groups with the required policies, move the IAM users to the applicable groups, and
Recommended Action
then remove the inline and directly attached policies from the IAM user.
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-groups-for-
Cloud Provider Link
permissions
WARN global arn:aws:iam::922503285322:user/cloud3 User is using attached or inline policies
WARN global arn:aws:iam::922503285322:user/cloud3-sec User is using attached or inline policies
WARN global arn:aws:iam::922503285322:user/userbackup User is using attached or inline policies

CloudTrail CloudTrail To CloudWatch
0 0 17 0
Test Description Ensures CloudTrail logs are being properly delivered to CloudWatch
Sending CloudTrail logs to CloudWatch enables easy integration with AWS CloudWatch alerts,
Additional Info
as well as an additional backup log storage location.
Recommended Action Enable CloudTrail CloudWatch integration for all regions
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-
Cloud Provider Link
cloudwatch-logs.html
arn:aws:cloudtrail:us-east- CloudTrail CloudWatch integration is not

FAIL us-east-1
1:922503285322:trail/Siscor enabled

FAIL us-east-2

FAIL us-west-1

FAIL us-west-2

FAIL ca-central-1

FAIL eu-central-1

FAIL eu-west-1

FAIL eu-west-2

FAIL eu-west-3
FAIL arn:aws:cloudtrail:us-east- CloudTrail CloudWatch integration is not

eu-north-1
ap-northeast- arn:aws:cloudtrail:us-east- CloudTrail CloudWatch integration is not

FAIL
1 1:922503285322:trail/Siscor enabled

FAIL
ap- arn:aws:cloudtrail:us-east- CloudTrail CloudWatch integration is not

FAIL
southeast-1 1:922503285322:trail/Siscor enabled
ap- arn:aws:cloudtrail:us-east- CloudTrail CloudWatch integration is not

FAIL
southeast-2 1:922503285322:trail/Siscor enabled

FAIL

FAIL ap-south-1
FAIL sa-east-1
ConfigService Config Service Enabled

0 0 18 0
Test Description Ensures the AWS Config Service is enabled to detect changes to account resources
The AWS Config Service tracks changes to a number of resources in an AWS account and is
Additional Info invaluable in determining how account changes affect other resources and in recovery in the
event of an account intrusion or accidental configuration change.
Enable the AWS Config Service for all regions and resources in an account. Ensure that it is
Recommended Action
properly recording and delivering logs.
Cloud Provider Link https://aws.amazon.com/config/details/
FAIL us-east-1 Config Service is not configured
FAIL us-east-2 Config Service is not configured
FAIL us-west-1 Config Service is not configured
FAIL us-west-2 Config Service is not configured
FAIL ca-central-1 Config Service is not configured
FAIL eu-central-1 Config Service is not configured
FAIL eu-west-1 Config Service is not configured
FAIL eu-north-1 Config Service is not configured
FAIL ap-northeast-1 Config Service is not configured
FAIL ap-southeast-1 Config Service is not configured
FAIL Config Service is not configured

ap-southeast-2
FAIL ap-south-1 Config Service is not configured
FAIL sa-east-1 Config Service is not configured
FAIL global Config Service is not monitoring global services
S3 CloudTrail Bucket Access Logging

0 1 0 0
Test Description Ensures CloudTrail logging bucket has access logging enabled to detect tampering of log files
CloudTrail buckets should utilize access logging for an additional layer of auditing. If the log
Additional Info files are deleted or modified in any way, the additional access logs can help determine who
made the changes.
Recommended Action Enable access logging on the CloudTrail bucket from the S3 console
Cloud Provider Link http://docs.aws.amazon.com/AmazonS3/latest/UG/ManagingBucketLogging.html
WARN us-east-1 arn:aws:s3:::siscor-trails Bucket: siscor-trails has S3 access logs disabled
CloudTrail CloudTrail Encryption

17 0 0 0
Test Description Ensures CloudTrail encryption at rest is enabled for logs
CloudTrail log files contain sensitive information about an account and should be encrypted at
Additional Info
rest for additional protection.
Recommended Action Enable CloudTrail log encryption through the CloudTrail console or API
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-
Cloud Provider Link
aws-kms.html
PASS us-east-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled

PASS us-east-2 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
PASS us-west-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
PASS us-west-2 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
PASS ca-central-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
PASS eu-central-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
PASS eu-west-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
PASS eu-north-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
PASS ap-northeast-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
PASS ap-southeast-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
PASS ap-southeast-2 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
PASS ap-south-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
PASS sa-east-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail encryption is enabled
S3 CloudTrail Bucket Private

1 0 0 0
Test Description Ensures CloudTrail logging bucket is not publicly accessible
CloudTrail buckets contain large amounts of sensitive account data and should only be
Additional Info
accessible by logged in users.
Set the S3 bucket access policy for all CloudTrail buckets to only allow known users to access
Recommended Action
its files.
Cloud Provider Link http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

PASS us-east-1 arn:aws:s3:::siscor-trails Bucket: siscor-trails does not allow public access
EC2 VPC Flow Logs Enabled

0 0 17 0
Test Description Ensures VPC flow logs are enabled for traffic logging
VPC flow logs record all traffic flowing in to and out of a VPC. These logs are critical for
Additional Info
auditing and review after security incidents.
Recommended Action Enable VPC flow logs for each VPC
Cloud Provider Link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
VPC flow logs are not

FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:vpc/vpc-26c1545b
enabled

FAIL us-east-2 arn:aws:ec2:us-east-2:922503285322:vpc/vpc-6090090b
enabled
arn:aws:ec2:us-west-1:922503285322:vpc/vpc- VPC flow logs are not

FAIL us-west-1
0c2d2282542beab46 enabled
arn:aws:ec2:us-west-2:922503285322:vpc/vpc- VPC flow logs are not

FAIL us-west-2
0a048fe7436065d58 enabled
arn:aws:ec2:ca-central-1:922503285322:vpc/vpc- VPC flow logs are not

FAIL ca-central-1
09770145827bef7d6 enabled
arn:aws:ec2:eu-central-1:922503285322:vpc/vpc- VPC flow logs are not

FAIL eu-central-1
0a58a4e7b0c93b7ab enabled
arn:aws:ec2:eu-west-1:922503285322:vpc/vpc- VPC flow logs are not

FAIL eu-west-1
08275f72a1e4e98f5 enabled

FAIL eu-west-2
0e30be664fd118c17 enabled

FAIL eu-west-3
0996522b3020b1ab5 enabled
arn:aws:ec2:eu-north-1:922503285322:vpc/vpc- VPC flow logs are not

FAIL eu-north-1
0f4d32bbc44db3bba enabled
ap-northeast- arn:aws:ec2:ap-northeast-1:922503285322:vpc/vpc- VPC flow logs are not

FAIL 1 030dd710cab63ff8d enabled

FAIL
2 0e3a3e30aee7daf8a enabled
ap- arn:aws:ec2:ap-southeast-1:922503285322:vpc/vpc- VPC flow logs are not

FAIL
southeast-1 0e19b6b8f7dfe3c2a enabled
ap- arn:aws:ec2:ap-southeast-2:922503285322:vpc/vpc- VPC flow logs are not

FAIL southeast-2 01606d90294e3ddf2 enabled

FAIL
3 0d6c6d69eecdef2fd enabled
arn:aws:ec2:ap-south-1:922503285322:vpc/vpc- VPC flow logs are not

FAIL ap-south-1
0430a98d4d8672743 enabled

FAIL sa-east-1 arn:aws:ec2:sa-east-1:922503285322:vpc/vpc-ae08c3c8
enabled
EC2 Default Security Group

0 0 17 0
Test Description Ensure the default security groups block all traffic by default
The default security group is often used for resources launched without a defined security
Additional Info group. For this reason, the default rules should be to block all traffic to prevent an accidental
exposure.
Recommended Action Update the rules for the default security group to deny all traffic by default
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-
Cloud Provider Link
security-group
arn:aws:ec2:us-east-1:922503285322:security- Default security group has 1 inbound

FAIL us-east-1
group/sg-2a94e22e and 1 outbound rules
arn:aws:ec2:us-east-2:922503285322:security- Default security group has 1 inbound

FAIL us-east-2
group/sg-35cd9243 and 1 outbound rules
arn:aws:ec2:us-west-1:922503285322:security- Default security group has 1 inbound

FAIL us-west-1
group/sg-0355558bdeb17eba4 and 1 outbound rules
arn:aws:ec2:us-west-2:922503285322:security- Default security group has 1 inbound

FAIL us-west-2
group/sg-07b897bc45d1e6fe2 and 1 outbound rules
ca-central- arn:aws:ec2:ca-central-1:922503285322:security- Default security group has 1 inbound

FAIL
1 group/sg-0221abf87bbe12971 and 1 outbound rules
eu-central- arn:aws:ec2:eu-central-1:922503285322:security- Default security group has 1 inbound

FAIL
1 group/sg-09b903e8dd37bee5f and 1 outbound rules
arn:aws:ec2:eu-west-1:922503285322:security- Default security group has 1 inbound

FAIL eu-west-1
group/sg-08b897c32e384acbc and 1 outbound rules

FAIL eu-west-2
group/sg-0ae841762d2749f1a and 1 outbound rules

FAIL eu-west-3
group/sg-03bc08f1c58bcf815 and 1 outbound rules
arn:aws:ec2:eu-north-1:922503285322:security- Default security group has 1 inbound

FAIL eu-north-1
group/sg-04656562bedc2ae6d and 1 outbound rules
ap-
arn:aws:ec2:ap-northeast-1:922503285322:security- Default security group has 1 inbound
FAIL northeast-
group/sg-0a5f4c4f1b5983891 and 1 outbound rules
1
ap-
FAIL northeast-
group/sg-07f8aee861c34413f and 1 outbound rules
2
ap-
arn:aws:ec2:ap-southeast-1:922503285322:security- Default security group has 1 inbound
FAIL southeast-
group/sg-0f40a8e2330e64b60 and 1 outbound rules
1
ap-
arn:aws:ec2:ap-southeast-2:922503285322:security- Default security group has 1 inbound
FAIL southeast-
group/sg-0de72c4ef2c1b7162 and 1 outbound rules
2
ap-
FAIL northeast-
group/sg-09c1a77d7fa721022 and 1 outbound rules
3
arn:aws:ec2:ap-south-1:922503285322:security- Default security group has 1 inbound

FAIL ap-south-1
group/sg-02cb7aa81a32263ad and 1 outbound rules
arn:aws:ec2:sa-east-1:922503285322:security- Default security group has 1 inbound

FAIL sa-east-1
group/sg-ffd685b7 and 1 outbound rules
CloudFront Public S3 CloudFront Origin

1 0 0 0
Test Description Detects the use of an S3 bucket as a CloudFront origin without an origin access identity
When S3 is used as an origin for a CloudFront bucket, the contents should be kept private and
an origin access identity should allow CloudFront access. This prevents someone from
Additional Info
bypassing the caching benefits that CloudFront provides, repeatedly loading objects directly
from S3, and amassing a large access bill.
Create an origin access identity for CloudFront, then make the contents of the S3 bucket
Recommended Action
private.
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-
Cloud Provider Link
restricting-access-to-s3.html
PASS global No CloudFront distributions found
EC2 VPC Multiple Subnets

17 0 0 0
Test Description Ensures that VPCs have multiple subnets to provide a layered architecture
VPCs should be designed to have separate public and private subnets, ideally across
Additional Info
availability zones, enabling a DMZ-style architecture.
Create at least two subnets in each VPC, utilizing one for public traffic and the other for private
Recommended Action
traffic.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#SubnetSecur
Cloud Provider Link
ity
There are 6 subnets used in one

PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:vpc/vpc-26c1545b
VPC.

PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:vpc/vpc-6090090b
VPC.
arn:aws:ec2:us-west-1:922503285322:vpc/vpc- There are 2 subnets used in one

PASS us-west-1
0c2d2282542beab46 VPC.
arn:aws:ec2:us-west-2:922503285322:vpc/vpc- There are 4 subnets used in one

PASS us-west-2
0a048fe7436065d58 VPC.
arn:aws:ec2:ca-central-1:922503285322:vpc/vpc- There are 3 subnets used in one

PASS ca-central-1
09770145827bef7d6 VPC.
arn:aws:ec2:eu-central-1:922503285322:vpc/vpc- There are 3 subnets used in one

PASS eu-central-1
0a58a4e7b0c93b7ab VPC.
arn:aws:ec2:eu-west-1:922503285322:vpc/vpc- There are 3 subnets used in one

PASS eu-west-1
08275f72a1e4e98f5 VPC.

PASS eu-west-2
0e30be664fd118c17 VPC.

PASS eu-west-3
0996522b3020b1ab5 VPC.
arn:aws:ec2:eu-north-1:922503285322:vpc/vpc- There are 3 subnets used in one

PASS eu-north-1
0f4d32bbc44db3bba VPC.
ap- arn:aws:ec2:ap-northeast-1:922503285322:vpc/vpc- There are 3 subnets used in one

PASS
northeast-1 030dd710cab63ff8d VPC.

PASS
northeast-2 0e3a3e30aee7daf8a VPC.
ap- arn:aws:ec2:ap-southeast-1:922503285322:vpc/vpc- There are 3 subnets used in one

PASS
southeast-1 0e19b6b8f7dfe3c2a VPC.
ap- arn:aws:ec2:ap-southeast-2:922503285322:vpc/vpc- There are 3 subnets used in one

PASS southeast-2 01606d90294e3ddf2 VPC.

PASS
northeast-3 0d6c6d69eecdef2fd VPC.
arn:aws:ec2:ap-south-1:922503285322:vpc/vpc- There are 3 subnets used in one

PASS ap-south-1
0430a98d4d8672743 VPC.

PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:vpc/vpc-ae08c3c8
VPC.
SES Email DKIM Enabled
17 0 0 0
Test Description Ensures DomainKeys Identified Mail (DKIM) is enabled for domains and addresses in SES.
DKIM is a security feature that allows recipients of an email to veriy that the sender domain
Additional Info
has authorized the message and that it has not been spoofed.
Recommended Action Enable DKIM for all domains and addresses in all regions used to send email through SES.
Cloud Provider Link http://docs.aws.amazon.com/ses/latest/DeveloperGuide/easy-dkim.html
PASS us-east-1 No SES identities found
PASS us-east-2 No SES identities found
PASS us-west-1 No SES identities found
PASS us-west-2 No SES identities found
PASS ca-central-1 No SES identities found
PASS eu-central-1 No SES identities found
PASS eu-west-1 No SES identities found
PASS eu-north-1 No SES identities found
PASS ap-northeast-1 No SES identities found
PASS ap-southeast-1 No SES identities found
PASS ap-southeast-2 No SES identities found
PASS ap-south-1 No SES identities found
PASS sa-east-1 No SES identities found

EC2 Public AMI
17 0 0 0
Test Description Checks for publicly shared AMIs
Accidentally sharing AMIs allows any AWS user to launch an EC2 instance using the image as
Additional Info
a base. This can potentially expose sensitive information stored on the host.
Recommended Action Convert the public AMI a private image.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html
PASS us-east-1 No AMIs found
PASS us-west-1 No AMIs found
PASS ca-central-1 No AMIs found
PASS eu-central-1 No AMIs found
PASS eu-west-1 No AMIs found
PASS eu-north-1 No AMIs found
PASS ap-northeast-1 No AMIs found
PASS ap-southeast-1 No AMIs found
PASS ap-south-1 No AMIs found
PASS sa-east-1 No AMIs found

SNS SNS Topic Policies
17 0 0 0
Test Description Ensures SNS topics do not allow global send or subscribe.
SNS policies should not be configured to allow any AWS user to subscribe or send messages.
Additional Info
This could result in data leakage or financial DDoS.
Recommended Action Adjust the topic policy to only allow authorized AWS users in known accounts to subscribe.
Cloud Provider Link http://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html
arn:aws:sns:us-east- The SNS topic policy does not allow global

PASS us-east-1
1:922503285322:NotifybyEmail access.
PASS us-east-2 No SNS topics found
PASS us-west-1 No SNS topics found
PASS ca-central-1 No SNS topics found
PASS eu-central-1 No SNS topics found
PASS eu-west-1 No SNS topics found
PASS eu-north-1 No SNS topics found
ap-northeast-
PASS No SNS topics found
1
ap-northeast-
2
ap-
southeast-1
ap-
southeast-2
ap-northeast-
3
PASS ap-south-1 No SNS topics found
PASS sa-east-1 No SNS topics found

CloudFront Secure CloudFront Origin
2 0 0 0
Test Description Detects the use of secure web origins with secure protocols for CloudFront.
Traffic passed between the CloudFront edge nodes and the backend resource should be sent
Additional Info
over HTTPS with modern protocols for all web-based origins.
Ensure that traffic sent between CloudFront and its origin is passed over HTTPS and uses
Recommended Action
TLSv1.1 or higher. Do not use the match-viewer option.
Cloud Provider Link http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web.html
PASS global No CloudFront origins without HTTPS or with insecure protocols found
Lambda Lambda Old Runtimes

17 0 0 0
Test Description Ensures Lambda functions are not using out-of-date runtime environments.
Lambda runtimes should be kept current with recent versions of the underlying codebase.
Additional Info
Deprecated runtimes should not be used.
Recommended Action Upgrade the Lambda function runtime to use a more current version.
Cloud Provider Link http://docs.aws.amazon.com/lambda/latest/dg/current-supported-versions.html
PASS us-east-1 No Lambda functions found
PASS us-west-1 No Lambda functions found
PASS ca-central-1 No Lambda functions found
PASS eu-central-1 No Lambda functions found
PASS eu-west-1 No Lambda functions found

PASS eu-north-1 No Lambda functions found
PASS ap-northeast-1 No Lambda functions found
PASS ap-southeast-1 No Lambda functions found
PASS ap-south-1 No Lambda functions found
PASS sa-east-1 No Lambda functions found
Redshift Redshift Encryption Enabled

17 0 0 0
Test Description Ensures at-rest encryption is setup for Redshift clusters
AWS provides at-read encryption for Redshift clusters which should be enabled to ensure the
Additional Info
integrity of data stored within the cluster.
Redshift does not currently allow modifications to encryption after the cluster has been
Recommended Action
launched, so a new cluster will need to be created with encryption enabled.
Cloud Provider Link http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
PASS us-east-1 No Redshift clusters found
PASS us-west-1 No Redshift clusters found
PASS ca-central-1 No Redshift clusters found
PASS eu-central-1 No Redshift clusters found

PASS eu-west-1 No Redshift clusters found
PASS eu-north-1 No Redshift clusters found
PASS ap-northeast-1 No Redshift clusters found
PASS ap-southeast-1 No Redshift clusters found
PASS ap-south-1 No Redshift clusters found
PASS sa-east-1 No Redshift clusters found
Redshift Redshift Publicly Accessible

17 0 0 0
Test Description Ensures Redshift clusters are not launched into the public cloud
Unless there is a specific business requirement, Redshift clusters should not have a public
Additional Info
endpoint and should be accessed from within a VPC only.
Recommended Action Remove the public endpoint from the Redshift cluster
Cloud Provider Link http://docs.aws.amazon.com/redshift/latest/mgmt/getting-started-cluster-in-vpc.html

CloudFront Insecure CloudFront Protocols

1 0 0 0
Detects the use of insecure HTTPS SSL/TLS protocols for use with HTTPS traffic between
Test Description
viewers and CloudFront
CloudFront supports SSLv3 and TLSv1 protocols for use with HTTPS traffic, but only TLSv1.1
Additional Info or higher should be used unless there is a valid business justification to support the older,
insecure SSLv3.
Ensure that traffic sent between viewers and CloudFront is passed over HTTPS and uses
Recommended Action
TLSv1.1 or higher.
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-
Cloud Provider Link
supported-viewer-protocols-ciphers.html

EC2 Instance IAM Role
16 0 5 0
Test Description Ensures EC2 instances are using an IAM role instead of hard-coded AWS credentials
IAM roles should be assigned to all instances to enable them to access AWS resources. Using
Additional Info
an IAM role is more secure than hard-coding AWS access keys into application code.
Recommended Action Attach an IAM role to the EC2 instance
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
arn:aws:ec2:us-east-1:922503285322:instance/i- Instance does not use an IAM

FAIL us-east-1
065bb7e431488d139 role

FAIL us-east-1
05cf4724e3a4599f0 role

FAIL us-east-1
08f266f579dc814bc role

FAIL us-east-1
006fe48adf55ff7ad role

FAIL us-east-1
05e8cda4ca1cd3f78 role
PASS ap-
No instances found
northeast-1
ap-
PASS No instances found
northeast-2
ap-
southeast-1
PASS ap- No instances found
southeast-2
ap-
northeast-3
EC2 Encrypted AMI

17 0 0 0
Test Description Ensures EBS-backed AMIs are configured to use encryption
AMIs with unencrypted data volumes can be used to launch unencrypted instances that place
Additional Info
data at risk.
Recommended Action Ensure all AMIs have encrypted EBS volumes.
Cloud Provider Link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
PASS ca-central-1 No AMIs found
PASS eu-central-1 No AMIs found
PASS eu-north-1 No AMIs found

PASS ap-south-1 No AMIs found
PASS sa-east-1 No AMIs found
AutoScaling ASG Multiple AZ

17 0 0 0
Test Description Ensures that ASGs are created to be cross-AZ for high availability.
ASGs can easily be configured to allow instances to launch in multiple availability zones. This
Additional Info ensures that the ASG can continue to scale, even when AWS is experiencing downtime in one
or more zones.
Recommended Action Modify the autoscaling instance to enable scaling across multiple availability zones.
Cloud Provider Link http://docs.aws.amazon.com/autoscaling/latest/userguide/AutoScalingGroup.html
PASS us-east-1 No auto scaling groups found
PASS us-west-1 No auto scaling groups found
PASS ca-central-1 No auto scaling groups found
PASS eu-central-1 No auto scaling groups found
PASS eu-west-1 No auto scaling groups found
PASS eu-north-1 No auto scaling groups found
PASS ap-northeast-1 No auto scaling groups found

PASS ap-southeast-1 No auto scaling groups found
PASS ap-south-1 No auto scaling groups found
PASS sa-east-1 No auto scaling groups found
CloudFront CloudFront HTTPS Only

1 0 0 0
Test Description Ensures CloudFront distributions are configured to redirect non-HTTPS traffic to HTTPS.
For maximum security, CloudFront distributions can be configured to only accept HTTPS
Additional Info
connections or to redirect HTTP connections to HTTPS.
Recommended Action Remove HTTP-only listeners from distributions.
Cloud Provider Link http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CloudFront.html
ELB ELB Logging Enabled

17 0 0 0
Test Description Ensures load balancers have request logging enabled.
Logging requests to ELB endpoints is a helpful way of detecting and investigating potential
Additional Info attacks, malicious activity, or misuse of backend resources.Logs can be sent to S3 and
processed for further analysis.
Recommended Action Enable ELB request logging
http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-
Cloud Provider Link
logs.html
RDS RDS Multiple AZ

17 0 0 0
Test Description Ensures that RDS instances are created to be cross-AZ for high availability.
Creating RDS instances in a single AZ creates a single point of failure for all systems relying
Additional Info on that database. All RDS instances should be created in multiple AZs to ensure proper
failover.
Recommended Action Modify the RDS instance to enable scaling across multiple availability zones.
Cloud Provider Link http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html

EC2 Open All Ports Protocols

21 0 1 0
Test Description Determine if security group has all ports or protocols open to the public
Security groups should be created on a per-service basis and avoid allowing all ports or
Additional Info
protocols.
Recommended Action Modify the security group to specify a specific port and protocol to allow.
Cloud Provider Link
instance.html
Security group: sg-015527859f4cb1ab4 (launch-wizard-1)
does not have all ports or protocols open to the public
015527859f4cb1ab4

FAIL us-east-1 1:922503285322:security-group/sg- RemoteAccess) has all ports open to 0.0.0.0/0 and all
0b29b77965792ae5d protocols open to 0.0.0.0/0
not have all ports or protocols open to the public
031d418a21dd84701
Security group: sg-0ea00fe2209686e28 (Linux_Jumpbox)
0ea00fe2209686e28
Security group: sg-0add6fd8f5e13005e (launch-wizard-2)
0add6fd8f5e13005e
Security group: sg-2a94e22e (default) does not have all
ports or protocols open to the public
2a94e22e
Security group: sg-35cd9243 (default) does not have all
35cd9243
Security group: sg-0355558bdeb17eba4 (default) does not
have all ports or protocols open to the public
0355558bdeb17eba4
07b897bc45d1e6fe2
1 have all ports or protocols open to the public
0221abf87bbe12971
eu-central- Security group: sg-09b903e8dd37bee5f (default) does not
1 have all ports or protocols open to the public
09b903e8dd37bee5f
Security group: sg-08b897c32e384acbc (default) does not
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
Security group: sg-04656562bedc2ae6d (default) does not
04656562bedc2ae6d
ap- arn:aws:ec2:ap-northeast- Security group: sg-0a5f4c4f1b5983891 (default) does not
PASS northeast- 1:922503285322:security-group/sg- have all ports or protocols open to the public
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
Security group: sg-02cb7aa81a32263ad (default) does not
02cb7aa81a32263ad
Security group: sg-ffd685b7 (default) does not have all
ffd685b7
CloudFront CloudFront Logging Enabled

1 0 0 0
Test Description Ensures CloudFront distributions have request logging enabled.
Logging requests to CloudFront distributions is a helpful way of detecting and investigating

Additional Info potential attacks, malicious activity, or misuse of backend resources. Logs can be sent to S3
and processed for further analysis.
Recommended Action Enable CloudFront request logging.
Cloud Provider Link http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
EC2 EBS Encryption Enabled

16 0 7 0
Test Description Ensures EBS volumes are encrypted at rest
EBS volumes should have at-rest encryption enabled through AWS using KMS. If the volume
Additional Info is used for a root volume, the instance must be launched from an AMI that has been encrypted
as well.
Recommended Action Enable encryption for EBS volumes.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
arn:aws:ec2:us-east-1:922503285322:volume/vol- EBS volume is

FAIL us-east-1
0cd59f11359717779 unencrypted

FAIL us-east-1
0ea43a6b7bcc1ec0b unencrypted

FAIL us-east-1
00074031a49128610 unencrypted

FAIL us-east-1
0adda660adb702d40 unencrypted

FAIL us-east-1
0a1c7613b80c47a1b unencrypted

FAIL us-east-1
00744a919dd332543 unencrypted

FAIL us-east-1
031c96db898d68b4e unencrypted
PASS us-east-2 No EBS volumes present
PASS us-west-1 No EBS volumes present
PASS us-west-2 No EBS volumes present
PASS ca-central-1 No EBS volumes present
PASS eu-central-1 No EBS volumes present
PASS eu-west-1 No EBS volumes present
PASS eu-north-1 No EBS volumes present
ap-northeast-
PASS No EBS volumes present
1
ap-northeast-
2
ap-southeast-
1
ap-southeast-
2
ap-northeast-
3
PASS ap-south-1 No EBS volumes present
PASS sa-east-1 No EBS volumes present
S3 S3 Bucket Versioning
0 0 3 0
Test Description Ensures object versioning is enabled on S3 buckets
Object versioning can help protect against the overwriting of objects or data loss in the event of
Additional Info
a compromise.
Enable object versioning for buckets with sensitive contents at a minimum and for all buckets
Recommended Action
ideally.
Cloud Provider Link http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
FAIL us-east-1 arn:aws:s3:::siscor-backups Bucket : siscor-backups has versioning disabled
FAIL us-east-1 arn:aws:s3:::siscor-trails Bucket : siscor-trails has versioning disabled
FAIL us-east-1 arn:aws:s3:::siscor-transfer Bucket : siscor-transfer has versioning disabled
EC2 Subnet IP Availability

55 0 0 0
Test Description Determine if a subnet is at risk of running out of IP addresses
Subnets have finite IP addresses. Running out of IP addresses could prevent resources from
Additional Info
launching.
Recommended Action Add a new subnet with larger CIDR block and migrate resources.
Cloud Provider Link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

arn:aws:ec2:us-east- Subnet subnet-15e0e958 is using 6 of 4096

PASS us-east-1
1:922503285322:subnet/subnet-15e0e958 (1%) available IPs.
arn:aws:ec2:us-east- Subnet subnet-484b322e is using 6 of 4096

PASS us-east-1
1:922503285322:subnet/subnet-484b322e (1%) available IPs.
arn:aws:ec2:us-east- Subnet subnet-96b3c9c9 is using 7 of 4096

PASS us-east-1
1:922503285322:subnet/subnet-96b3c9c9 (1%) available IPs.
arn:aws:ec2:us-east- Subnet subnet-69f4c767 is using 5 of 4096

PASS us-east-1
1:922503285322:subnet/subnet-69f4c767 (1%) available IPs.
arn:aws:ec2:us-east- Subnet subnet-2c07400d is using 7 of 4096

PASS us-east-1
1:922503285322:subnet/subnet-2c07400d (1%) available IPs.
arn:aws:ec2:us-east- Subnet subnet-5d028f6c is using 5 of 4096

PASS us-east-1
1:922503285322:subnet/subnet-5d028f6c (1%) available IPs.
arn:aws:ec2:us-east- Subnet subnet-5e13ec23 is using 5 of 4096

PASS us-east-2
2:922503285322:subnet/subnet-5e13ec23 (1%) available IPs.
arn:aws:ec2:us-east- Subnet subnet-4e6e4802 is using 5 of 4096

PASS us-east-2
2:922503285322:subnet/subnet-4e6e4802 (1%) available IPs.
arn:aws:ec2:us-east- Subnet subnet-daab2ab1 is using 5 of 4096

PASS us-east-2
2:922503285322:subnet/subnet-daab2ab1 (1%) available IPs.
Subnet subnet-04b300d7a202c19c5 is using 5
PASS us-west-1 1:922503285322:subnet/subnet-
of 4096 (1%) available IPs.
04b300d7a202c19c5
Subnet subnet-0a73cdb301aed1693 is using
5 of 4096 (1%) available IPs.
0a73cdb301aed1693
Subnet subnet-0e1539ff91e81c4c2 is using 5
0e1539ff91e81c4c2
Subnet subnet-01e5ca7cf1a748fc2 is using 5
01e5ca7cf1a748fc2
Subnet subnet-0b9c6375791cdc931 is using 5
0b9c6375791cdc931
Subnet subnet-0d81008a71f708459 is using 5
0d81008a71f708459
ca-central- Subnet subnet-09ef030317dbdf1ef is using 5
PASS 1:922503285322:subnet/subnet-
09ef030317dbdf1ef
ca-central- Subnet subnet-0bcddf4ab52a09da7 is using 5
0bcddf4ab52a09da7
ca-central- Subnet subnet-0206dfe4e20b91171 is using 5
0206dfe4e20b91171
eu-central- Subnet subnet-076cd8bf9dcf54fc0 is using 5
1 076cd8bf9dcf54fc0 of 4096 (1%) available IPs.
eu-central- Subnet subnet-0961df033653668b5 is using 5
0961df033653668b5
eu-central- Subnet subnet-06d29f1135051f2bc is using 5
06d29f1135051f2bc
Subnet subnet-014b0a4ac8701b21f is using 5
PASS eu-west-1 1:922503285322:subnet/subnet-
014b0a4ac8701b21f
Subnet subnet-0ab023ddc44ec48bf is using 5
0ab023ddc44ec48bf
Subnet subnet-0e3217ad2e05f871b is using 5
0e3217ad2e05f871b
Subnet subnet-023fe44b3231c8957 is using 5
023fe44b3231c8957
Subnet subnet-044ff7f6d2283a084 is using 5
044ff7f6d2283a084
PASS eu-west-2 Subnet subnet-0312a995d48d4e700 is using
2:922503285322:subnet/subnet-
0312a995d48d4e700
Subnet subnet-04e1573553bfb72e3 is using 5
04e1573553bfb72e3
Subnet subnet-02e12a84badf5299f is using 5
02e12a84badf5299f
Subnet subnet-02a418758c2c42a5f is using 5
02a418758c2c42a5f
Subnet subnet-067b47de750b8b644 is using
PASS eu-north-1 1:922503285322:subnet/subnet-
067b47de750b8b644
Subnet subnet-05feb6266871b4675 is using 5
05feb6266871b4675
Subnet subnet-02399809a6382b56d is using
02399809a6382b56d
Subnet subnet-0f84c166ccc0db45f is using 5
PASS northeast- 1:922503285322:subnet/subnet-
1 0f84c166ccc0db45f
Subnet subnet-080f510a7524813d8 is using 5
1 080f510a7524813d8
PASS ap- arn:aws:ec2:ap-northeast- Subnet subnet-03bfb532abde041c5 is using 5
northeast- 1:922503285322:subnet/subnet- of 4096 (1%) available IPs.
1 03bfb532abde041c5
Subnet subnet-0d2075fb36c202f61 is using 5
2 0d2075fb36c202f61
Subnet subnet-03c4b12b54a770b0b is using
2 03c4b12b54a770b0b
Subnet subnet-05038cc40cd35b8df is using 5
2 05038cc40cd35b8df
Subnet subnet-02afc97d7216128af is using 5
2 02afc97d7216128af
Subnet subnet-0d3848165a38d1af3 is using 5
PASS southeast- 1:922503285322:subnet/subnet-
1 0d3848165a38d1af3
Subnet subnet-021a96d5112e1d79b is using
1 021a96d5112e1d79b
Subnet subnet-07a0dd415c6839163 is using
1 07a0dd415c6839163
Subnet subnet-0dde3ef370d3997f7 is using 5
2 0dde3ef370d3997f7
Subnet subnet-0b3ce4e612ee12376 is using
2 0b3ce4e612ee12376
Subnet subnet-090e1f95ff328dc1f is using 5
2 090e1f95ff328dc1f
Subnet subnet-001a282e5e5f8a00a is using 5
3 001a282e5e5f8a00a
Subnet subnet-0607800a95005dc33 is using
3 0607800a95005dc33
Subnet subnet-006ca8371dba18eef is using 5
3 006ca8371dba18eef
Subnet subnet-0ef9e3cbbc5ee6c0a is using 5
PASS ap-south-1 1:922503285322:subnet/subnet-
0ef9e3cbbc5ee6c0a
Subnet subnet-085ffdeda8d0dd00a is using 5
085ffdeda8d0dd00a
Subnet subnet-07f12bdad47b4e2af is using 5
07f12bdad47b4e2af
arn:aws:ec2:sa-east- Subnet subnet-38ce8d63 is using 5 of 4096
PASS sa-east-1
1:922503285322:subnet/subnet-38ce8d63 (1%) available IPs.
arn:aws:ec2:sa-east- Subnet subnet-b2077dfb is using 5 of 4096

PASS sa-east-1
1:922503285322:subnet/subnet-b2077dfb (1%) available IPs.
arn:aws:ec2:sa-east- Subnet subnet-ba2a6edc is using 5 of 4096

PASS sa-east-1
1:922503285322:subnet/subnet-ba2a6edc (1%) available IPs.
IAM IAM User Admins

0 1 0 0
Test Description Ensures the number of IAM admins in the account are minimized
While at least two IAM admin users should be configured, the total number of admins should
Additional Info
be kept to a minimum.
Keep two users with admin permissions but ensure other IAM users have more limited
Recommended Action
permissions.
Cloud Provider Link http://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html
WARN global There are fewer than the minimum 2 IAM user administrators
SQS SQS Cross Account Access

17 0 0 0
Test Description Ensures SQS policies disallow cross-account access
SQS policies should be carefully restricted to prevent publishing or reading from the queue
Additional Info
from unexpected sources. Queue policies can be used to limit these privileges.
Recommended Action Update the SQS policy to prevent access from external accounts.
http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-
Cloud Provider Link
creating-custom-policies.html
PASS us-east-1 No SQS queues found

PASS us-west-1 No SQS queues found
PASS ca-central-1 No SQS queues found
PASS eu-central-1 No SQS queues found
PASS eu-west-1 No SQS queues found
PASS eu-north-1 No SQS queues found
PASS ap-northeast-1 No SQS queues found
PASS ap-southeast-1 No SQS queues found
PASS ap-south-1 No SQS queues found
PASS sa-east-1 No SQS queues found
SQS SQS Encrypted

17 0 0 0
Test Description Ensures SQS encryption is enabled
Messages sent to SQS queues can be encrypted using KMS server-side encryption. Existing
Additional Info
queues can be modified to add encryption with minimal overhead.
Recommended Action Enable encryption using KMS for all SQS queues.
Cloud Provider Link
server-side-encryption.html

ELB ELB No Instances

17 0 0 0
Test Description Detects ELBs that have no backend instances attached
All ELBs should have backend server resources. Those without any are consuming costs
Additional Info without providing any functionality. Additionally, old ELBs with no instances present a security
concern if new instances are accidentally attached.
Recommended Action Delete old ELBs that no longer have backend resources.
Cloud Provider Link http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-backend-instances.html

IAM Users Password Last Used

1 0 0 0
Detects users with password logins that have not been used for a period of time and that
Test Description
should be decommissioned
Having numerous, unused user accounts extends the attack surface. If users do not log into
Additional Info
their accounts for more than the defined period of time, the account should be deleted.
Recommended Action Delete old user accounts that allow password-based logins and have not been used recently.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-
Cloud Provider Link
user.html
PASS global arn:aws:iam::922503285322:user/cloud3 User password login was last used 0 days ago
EC2 NAT Multiple AZ

17 0 0 0
Test Description Ensures managed NAT instances exist in at least 2 AZs for availability purposes
Creating NAT instances in a single AZ creates a single point of failure for all systems in the
Additional Info
VPC. All managed NAT instances should be created in multiple AZs to ensure proper failover.
Recommended Action Launch managed NAT instances in multiple AZs.
Cloud Provider Link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html
PASS us-east-1 No VPCs with NAT gateways found
PASS us-east-2 No VPCs with NAT gateways found
PASS us-west-1 No VPCs with NAT gateways found
PASS us-west-2 No VPCs with NAT gateways found
PASS ca-central-1 No VPCs with NAT gateways found
PASS eu-central-1 No VPCs with NAT gateways found
PASS eu-west-1 No VPCs with NAT gateways found
PASS eu-north-1 No VPCs with NAT gateways found
PASS ap-northeast-1 No VPCs with NAT gateways found
PASS
ap-southeast-1 No VPCs with NAT gateways found
PASS ap-southeast-2 No VPCs with NAT gateways found

PASS ap-south-1 No VPCs with NAT gateways found
PASS sa-east-1 No VPCs with NAT gateways found
S3 S3 Bucket Logging
0 0 3 0
Test Description Ensures S3 bucket logging is enabled for S3 buckets
S3 bucket logging helps maintain an audit trail of access that can be used in the event of a
Additional Info
security incident.
Recommended Action Enable bucket logging for each S3 bucket.
Cloud Provider Link http://docs.aws.amazon.com/AmazonS3/latest/dev/Logging.html
FAIL us-east-1 arn:aws:s3:::siscor-backups Bucket : siscor-backups has logging disabled
FAIL us-east-1 arn:aws:s3:::siscor-trails Bucket : siscor-trails has logging disabled
FAIL us-east-1 arn:aws:s3:::siscor-transfer Bucket : siscor-transfer has logging disabled
EC2 Default VPC In Use

16 0 1 0
Test Description Determines whether the default VPC is being used for launching EC2 instances.
The default VPC should not be used in order to avoid launching multiple services in the same
Additional Info network which may not require connectivity. Each application, or network tier, should use its
own VPC.
Move resources from the default VPC to a new VPC created for that application or resource
Recommended Action
group.
Cloud Provider Link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html
Resour
Result Region Message
ce
FAIL us-east-1 Default VPC is in use: 6 EC2 instances; 0 ELBs; 0 Lambda functions; 0 RDS instances;
0 Redshift clusters
PASS us-east-2 Default VPC is not in use
PASS us-west-1 Default VPC is not in use
PASS us-west-2 Default VPC is not in use
PASS ca-central-1 Default VPC is not in use
eu-central-
PASS Default VPC is not in use
1
PASS eu-west-1 Default VPC is not in use
PASS eu-north-1 Default VPC is not in use
ap-
northeast-1
ap-
northeast-2
ap-
southeast-1
ap-
southeast-2
ap-
northeast-3
PASS ap-south-1 Default VPC is not in use
PASS sa-east-1 Default VPC is not in use
EC2 Open Oracle

22 0 0 0
Test Description Determine if TCP port 1521 for Oracle is open to the public
Additional Info
properly, more sensitive services such as Oracle should be restricted to known IP addresses.
Recommended Action Restrict TCP ports 1521 to known IP addresses
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:1521 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:1521 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
PASS ca-central- Security group: sg-0221abf87bbe12971 (default) does
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
PASS northeast- 1:922503285322:security-group/sg- not have TCP:1521 open to 0.0.0.0/0 or ::0
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:1521 open to 0.0.0.0/0 or ::0
ffd685b7
S3 S3 Bucket All Users ACL

3 0 0 0
Test Description Ensures S3 buckets do not allow global write, delete, or read ACL permissions
S3 buckets can be configured to allow anyone, regardless of whether they are an AWS user or
Additional Info not, to write objects to a bucket or delete objects. This option should not be configured unless
there is a strong business requirement.
Disable global all users policies on all S3 buckets and ensure both the bucket ACL is
Recommended Action
configured with least privileges.
Cloud Provider Link http://docs.aws.amazon.com/AmazonS3/latest/UG/EditingBucketPermissions.html
PASS us-east-1 arn:aws:s3:::siscor-backups Bucket ACL does not contain any insecure allow statements
PASS us-east-1 arn:aws:s3:::siscor-trails Bucket ACL does not contain any insecure allow statements
PASS us-east-1 arn:aws:s3:::siscor-transfer Bucket ACL does not contain any insecure allow statements
KMS KMS Key Policy
18 0 0 0
Test Description Validates the KMS key policy to ensure least-privilege access.
KMS key policies should be designed to limit the number of users who can perform encrypt
Additional Info
and decrypt operations. Each application should use its own key to avoid over exposure.
Modify the KMS key policy to remove any wildcards and limit the number of users and roles
Recommended Action
that can perform encrypt and decrypt operations using the key.
Cloud Provider Link http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
arn:aws:kms:us-east-1:922503285322:key/6e8f67d4-a68c-444f-9511- Key policy is

PASS us-east-1
6c545e93df44 sufficient
arn:aws:kms:us-east-1:922503285322:key/7f7e6f01-9e7a-4a73-9471- Key policy is

PASS us-east-1
a8a017198546 sufficient
No KMS keys
PASS us-east-2
found
No KMS keys
PASS us-west-1
found
No KMS keys
PASS us-west-2
found
No KMS keys
PASS ca-central-1
found
No KMS keys
PASS eu-central-1
found
No KMS keys
PASS eu-west-1
found
No KMS keys
PASS eu-west-2
found
No KMS keys
PASS eu-west-3
found
No KMS keys
PASS eu-north-1
found
ap- No KMS keys

PASS
northeast-1 found
ap- No KMS keys

PASS
northeast-2 found
ap- No KMS keys

PASS
southeast-1 found
ap- No KMS keys

PASS
southeast-2 found
ap- No KMS keys

PASS
northeast-3 found
PASS ap-south-1 No KMS keys
found
No KMS keys
PASS sa-east-1
found
KMS KMS Default Key Usage

17 0 0 0
Test Description Checks AWS services to ensure the default KMS key is not being used
It is recommended not to use the default key to avoid encrypting disparate sets of data with the
Additional Info
same key. Each application should have its own customer-managed KMS key
Recommended Action Avoid using the default KMS key
Cloud Provider Link http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
PASS us-east-1 No default KMS keys found in use
PASS eu-central-1 No KMS keys found
PASS ap-northeast-1 No KMS keys found
PASS ap-southeast-1 No KMS keys found
PASS ap-southeast-2 No KMS keys found

EC2 EC2 Max Instances

18 0 0 0
Test Description Ensures the total number of EC2 instances does not exceed a set threshold.
The number of running EC2 instances should be carefully audited, especially in unused
Additional Info regions, to ensure only approved applications are consuming compute resources. Many
compromised AWS accounts see large numbers of EC2 instances launched.
Ensure that the number of running EC2 instances matches the expected count. If instances
Recommended Action
are launched above the threshold, investigate to ensure they are legitimate.
Cloud Provider Link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring_ec2.html
PASS us-east-1 6 instances in the region are within the regional expected count of: 100

PASS global 6 instances in the account are within the global expected count of: 200
ACM ACM Certificate Validation

17 0 0 0
Test Description ACM certificates should be configured to use DNS validation.
With DNS validation, ACM will automatically renew certificates before they expire, as long as
Additional Info
the DNS CNAME record is in place.
Recommended Action Configure ACM managed certificates to use DNS validation.
https://aws.amazon.com/blogs/security/easier-certificate-validation-using-dns-with-aws-
Cloud Provider Link
certificate-manager/
PASS us-east-1 No ACM certificates found
PASS us-west-1 No ACM certificates found
PASS ca-central-1 No ACM certificates found
PASS eu-central-1 No ACM certificates found
PASS eu-west-1 No ACM certificates found
PASS eu-north-1 No ACM certificates found
PASS ap-northeast-1 No ACM certificates found

PASS ap-southeast-1 No ACM certificates found
PASS ap-south-1 No ACM certificates found
PASS sa-east-1 No ACM certificates found
EC2 Open Elasticsearch

22 0 0 0
Test Description Determine if TCP port 9200 or 9300 for Elasticsearch is open to the public
Additional Info properly, more sensitive services such as Elasticsearch should be restricted to known IP
addresses.
Cloud Provider Link
instance.html
015527859f4cb1ab4

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701
PASS arn:aws:ec2:us-east- Security group: sg-0ea00fe2209686e28

us-east-1 1:922503285322:security-group/sg- (Linux_Jumpbox) does not have TCP:9200,9300 open to
0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:9200,9300 open to 0.0.0.0/0 or ::0
2a94e22e
PASS us-east-2 arn:aws:ec2:us-east- Security group: sg-35cd9243 (default) does not have
2:922503285322:security-group/sg- TCP:9200,9300 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
PASS eu-west-3 3:922503285322:security-group/sg- Security group: sg-03bc08f1c58bcf815 (default) does
03bc08f1c58bcf815 not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:9200,9300 open to 0.0.0.0/0 or ::0
ffd685b7
DynamoDB DynamoDB KMS Encryption
17 0 0 0
Test Description Ensures DynamoDB tables are encrypted using a customer-owned KMS key.
DynamoDB tables can be encrypted using AWS-owned or customer-owned KMS keys.

Additional Info
Customer keys should be used to ensure control over the encryption seed data.
Recommended Action Create a new DynamoDB table using a CMK KMS key.
Cloud Provider Link https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
PASS us-east-1 No DynamoDB tables found
PASS us-west-1 No DynamoDB tables found
PASS ca-central-1 No DynamoDB tables found
PASS eu-central-1 No DynamoDB tables found
PASS eu-west-1 No DynamoDB tables found
PASS eu-north-1 No DynamoDB tables found
PASS ap-northeast-1 No DynamoDB tables found
PASS ap-southeast-1 No DynamoDB tables found
PASS ap-south-1 No DynamoDB tables found
PASS sa-east-1 No DynamoDB tables found

Transfer Transfer Logging Enabled
17 0 0 0
Test Description Ensures AWS Transfer servers have CloudWatch logging enabled.
AWS Transfer servers can log activity to CloudWatch if a proper IAM service role is provided.
Additional Info
This role should be configured for all servers to ensure proper access logging.
Recommended Action Provide a valid IAM service role for AWS Transfer servers.
Cloud Provider Link https://docs.aws.amazon.com/transfer/latest/userguide/monitoring.html
PASS us-east-1 No Transfer servers found
PASS us-west-1 No Transfer servers found
PASS ca-central-1 No Transfer servers found
PASS eu-central-1 No Transfer servers found
PASS eu-west-1 No Transfer servers found
PASS eu-north-1 No Transfer servers found
PASS ap-northeast-1 No Transfer servers found
PASS ap-southeast-1 No Transfer servers found
PASS ap-south-1 No Transfer servers found
PASS sa-east-1 No Transfer servers found

EC2 Open Kibana
22 0 0 0
Test Description Determine if TCP port 5601 for Kibana is open to the public
Additional Info
properly, more sensitive services such as Kibana should be restricted to known IP addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:5601 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:5601 open to 0.0.0.0/0 or ::0
35cd9243
PASS 1:922503285322:security-group/sg- Security group: sg-0355558bdeb17eba4 (default) does
us-west-1
0355558bdeb17eba4 not have TCP:5601 open to 0.0.0.0/0 or ::0
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
PASS southeast- Security group: sg-0f40a8e2330e64b60 (default) does
0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:5601 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open Hadoop HDFS NameNode Metadata Service

22 0 0 0
Test Description Determine if TCP port 8020 for HDFS NameNode metadata service is open to the public
Additional Info properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP
addresses.
Recommended Action Restrict TCP port 8020 to known IP addresses for Hadoop/HDFS
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:8020 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:8020 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
arn:aws:ec2:eu-central- Security group: sg-09b903e8dd37bee5f (default) does

eu-central-
PASS 1:922503285322:security-group/sg- not have TCP:8020 open to 0.0.0.0/0 or ::0
1 09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
PASS ap-south-1 Security group: sg-02cb7aa81a32263ad (default) does
02cb7aa81a32263ad
TCP:8020 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open Hadoop HDFS NameNode WebUI

22 0 0 0
Determine if TCP port 50070 and 50470 for Hadoop/HDFS NameNode WebUI service is open
Test Description
to the public
Additional Info properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP
addresses.
Recommended Action Restrict TCP port 50070 and 50470 to known IP addresses for Hadoop/HDFS
Cloud Provider Link
instance.html

PASS us-east-1 1:922503285322:security-group/sg- 1) does not have TCP:50070,50470 open to 0.0.0.0/0 or
015527859f4cb1ab4 ::0

PASS us-east-1 1:922503285322:security-group/sg- RemoteAccess) does not have TCP:50070,50470 open
0b29b77965792ae5d to 0.0.0.0/0 or ::0
031d418a21dd84701

PASS us-east-1 1:922503285322:security-group/sg- (Linux_Jumpbox) does not have TCP:50070,50470 open
0ea00fe2209686e28 to 0.0.0.0/0 or ::0
0add6fd8f5e13005e does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
TCP:50070,50470 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:50070,50470 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
PASS eu-west-2 Security group: sg-0ae841762d2749f1a (default) does
0ae841762d2749f1a
have TCP:50070,50470 open to 0.0.0.0/0 or ::0
03bc08f1c58bcf815
04656562bedc2ae6d
Security group: sg-0a5f4c4f1b5983891 (default) does not
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
PASS sa-east-1 arn:aws:ec2:sa-east- Security group: sg-ffd685b7 (default) does not have
1:922503285322:security-group/sg- TCP:50070,50470 open to 0.0.0.0/0 or ::0
ffd685b7
RDS RDS Logging Enabled

17 0 0 0
Test Description Ensures logging is configured for RDS instances
Logging database level events enables teams to analyze events for the purpose diagnostics as
Additional Info
well as audit tracking for compliance purposes.
Recommended Action Modify the RDS instance to enable logging as required.
Cloud Provider Link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html

Lambda Lambda Public Access

17 0 0 0
Test Description Ensures Lambda functions are not accessible globally
Additional Info The Lambda function execution policy should not allow public invocation of the function.
Recommended Action Update the Lambda policy to prevent access from the public.
Cloud Provider Link https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html

EFS EFS Encryption Enabled

17 0 0 0
Test Description Ensures that EFS volumes are encrypted at rest
EFS offers data at rest encryption using keys managed through AWS Key Management
Additional Info
Service (KMS).
Encryption of data at rest can only be enabled during file system creation. Encryption of data in
Recommended Action transit is configured when mounting your file system. 1. Backup your data in not encrypted efs
2. Recreate the EFS and select 'Enable encryption of data at rest'
Cloud Provider Link https://aws.amazon.com/blogs/aws/new-encryption-at-rest-for-amazon-elastic-file-system-efs/
PASS us-east-1 No EFS file systems present
PASS us-east-2 No EFS file systems present
PASS us-west-1 No EFS file systems present
PASS us-west-2 No EFS file systems present
PASS ca-central-1 No EFS file systems present
PASS eu-central-1 No EFS file systems present
PASS eu-west-1 No EFS file systems present
PASS eu-north-1 No EFS file systems present
PASS ap-northeast-1 No EFS file systems present
PASS ap-southeast-1 No EFS file systems present

PASS ap-southeast-2 No EFS file systems present
PASS ap-south-1 No EFS file systems present
PASS sa-east-1 No EFS file systems present
Shield Shield Advanced Enabled

0 0 1 0
Test Description Ensures AWS Shield Advanced is setup and properly configured
AWS Shield Advanced provides enhanced DDOS protection for all enrolled services within a
Additional Info
subscribed account. Subscriptions should be active.
Recommended Action Enable AWS Shield Advanced for the account.
Cloud Provider Link https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html#ddos-advanced
FAIL global Shield subscription is not enabled
Shield Shield Emergency Contacts

0 0 1 0
Test Description Ensures AWS Shield emergency contacts are configured
AWS Shield Emergency contacts should be configured so that AWS can contact an account
Additional Info
representative in the event of a DDOS event.
Recommended Action Configure emergency contacts within AWS Shield for the account.
Cloud Provider Link https://docs.aws.amazon.com/waf/latest/developerguide/ddos-edit-drt.html

Shield Shield Protections
0 0 1 0
Test Description Ensures AWS Shield Advanced is configured to protect account resources
Once AWS Shield Advanced is enabled, it can be applied to resources within the account
Additional Info
including ELBs, CloudFront.
Recommended Action Enable AWS Shield Advanced on resources within the account.
Cloud Provider Link https://docs.aws.amazon.com/waf/latest/developerguide/configure-new-protection.html
EKS EKS Kubernetes Version

17 0 0 0
Test Description Ensures the latest version of Kubernetes is installed on EKS clusters
EKS supports provisioning clusters from several versions of Kubernetes. Clusters should be
Additional Info
kept up to date to ensure Kubernetes security patches are applied.
Recommended Action Upgrade the version of Kubernetes on all EKS clusters to the latest available version.
Cloud Provider Link https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html
PASS us-east-1 No EKS clusters present
PASS us-west-1 No EKS clusters present
PASS ca-central-1 No EKS clusters present
PASS eu-central-1 No EKS clusters present
PASS eu-west-1 No EKS clusters present

PASS eu-north-1 No EKS clusters present
PASS ap-northeast-1 No EKS clusters present
PASS ap-southeast-1 No EKS clusters present
PASS ap-south-1 No EKS clusters present
PASS sa-east-1 No EKS clusters present
EKS EKS Logging Enabled

17 0 0 0
Test Description Ensures all EKS cluster logs are being sent to CloudWatch
EKS supports routing of cluster event and audit logs to CloudWatch, including control plane
Additional Info
logs. All logs should be sent to CloudWatch for security analysis.
Recommended Action Enable all EKS cluster logs to be sent to CloudWatch with proper log retention limits.
Cloud Provider Link https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

EKS EKS Private Endpoint

17 0 0 0
Test Description Ensures the private endpoint setting is enabled for EKS clusters
EKS private endpoints can be used to route all traffic between the Kubernetes worker and
Additional Info
control plane nodes over a private VPC endpoint rather than across the public internet.
Recommended Action Enable the private endpoint setting for all EKS clusters.
Cloud Provider Link https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html

EKS EKS Security Groups

17 0 0 0
Test Description Ensures the EKS control plane only allows inbound traffic on port 443.
The EKS control plane only requires port 443 access. Security groups for the control plane
Additional Info
should not add additional port access.
Recommended Action Configure security groups for the EKS control plane to allow access only on port 443.
Cloud Provider Link https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

ECR ECR Repository Policy

17 0 0 0
Test Description Ensures ECR repository policies do not enable global or public access to images
ECR repository policies should limit access to images to known IAM entities and AWS
Additional Info
accounts and avoid the use of account-level wildcards.
Recommended Action Update the repository policy to limit access to known IAM entities.
Cloud Provider Link https://docs.aws.amazon.com/AmazonECR/latest/userguide/RepositoryPolicyExamples.html
PASS us-east-1 No ECR repositories present
PASS us-west-1 No ECR repositories present

PASS ca-central-1 No ECR repositories present
PASS eu-central-1 No ECR repositories present
PASS eu-west-1 No ECR repositories present
PASS eu-north-1 No ECR repositories present
PASS ap-northeast-1 No ECR repositories present
PASS ap-southeast-1 No ECR repositories present
PASS ap-south-1 No ECR repositories present
PASS sa-east-1 No ECR repositories present
IAM IAM Role Policies

4 0 0 0
Test Description Ensures IAM role policies are properly scoped with specific permissions
Policies attached to IAM roles should be scoped to least-privileged access and avoid the use
Additional Info
of wildcards.
Recommended Action Ensure that all IAM roles are scoped to specific services and API calls.
Cloud Provider Link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
arn:aws:iam::922503285322:role/aws-service- Role does not have

PASS global
role/support.amazonaws.com/AWSServiceRoleForSupport overly-permissive policy
PASS arn:aws:iam::922503285322:role/aws-service-
Role does not have
global role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvis
overly-permissive policy
or
Role does not have

PASS global arn:aws:iam::922503285322:role/Cloud3_AuditRole
Role does not have
PASS global arn:aws:iam::922503285322:role/CloudWatchAgentServerRole
S3 S3 Bucket Encryption
0 0 3 0
Test Description Ensures object encryption is enabled on S3 buckets
S3 object encryption provides fully-managed encryption of all objects uploaded to an S3

Additional Info
bucket.
Recommended Action Enable CMK KMS-based encryption for all S3 buckets.
Cloud Provider Link https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
FAIL us-east-1 arn:aws:s3:::siscor-backups Bucket: siscor-backups has encryption disabled
FAIL us-east-1 arn:aws:s3:::siscor-trails Bucket: siscor-trails has encryption disabled
FAIL us-east-1 arn:aws:s3:::siscor-transfer Bucket: siscor-transfer has encryption disabled
ES ElasticSearch Public Service Domain

17 0 0 0
Test Description Ensures ElasticSearch domains are created with private VPC endpoint options
ElasticSearch domains can either be created with a public endpoint or with a VPC
Additional Info configuration that enables internal VPC communication. Domains should be created without a
public endpoint to prevent potential public access to the domain.
Recommended Action Configure the ElasticSearch domain to use a VPC endpoint for secure VPC communication.
Cloud Provider Link https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html
PASS us-east-1 No ES domains found

PASS us-west-1 No ES domains found
PASS ca-central-1 No ES domains found
PASS eu-central-1 No ES domains found
PASS eu-west-1 No ES domains found
PASS eu-north-1 No ES domains found
PASS ap-northeast-1 No ES domains found
PASS ap-southeast-1 No ES domains found
PASS ap-south-1 No ES domains found
PASS sa-east-1 No ES domains found
ES ElasticSearch Encrypted Domain

17 0 0 0
Test Description Ensures ElasticSearch domains are encrypted with KMS
Additional Info ElasticSearch domains should be encrypted to ensure data at rest is secured.
Recommended Action Ensure encryption-at-rest is enabled for all ElasticSearch domains.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-
Cloud Provider Link
rest.html

ES ElasticSearch Node To Node Encryption

17 0 0 0
Test Description Ensures ElasticSearch domain traffic is encrypted in transit between nodes
ElasticSearch domains should use node-to-node encryption to ensure data in transit remains
Additional Info
encrypted using TLS 1.2.
Recommended Action Ensure node-to-node encryption is enabled for all ElasticSearch domains.
Cloud Provider Link https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/ntn.html

ES ElasticSearch Logging Enabled

17 0 0 0
Test Description Ensures ElasticSearch domains are configured to log data to CloudWatch
ElasticSearch domains should be configured with logging enabled with logs sent to
Additional Info
CloudWatch for analysis and long-term storage.
Ensure logging is enabled and a CloudWatch log group is specified for each ElasticSearch
Recommended Action
domain.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-
Cloud Provider Link
createupdatedomains.html#es-createdomain-configure-slow-logs
ES ElasticSearch Upgrade Available

17 0 0 0
Test Description Ensures ElasticSearch domains are running the latest service software
ElasticSearch domains should be configured to run the latest service software which often
Additional Info
contains security updates.
Ensure each ElasticSearch domain is running the latest service software and update out-of-
Recommended Action
date domains.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-
Cloud Provider Link
migration.html
ES ElasticSearch HTTPS Only

17 0 0 0
Test Description Ensures ElasticSearch domains are configured to enforce HTTPS connections
ElasticSearch domains should be configured to enforce HTTPS connections for all clients to
Additional Info
ensure encryption of data in transit.
Recommended Action Ensure HTTPS connections are enforced for all ElasticSearch domains.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-
Cloud Provider Link
createupdatedomains.html
EC2 Insecure EC2 Metadata Options

16 0 6 0
Test Description Ensures EC2 instance metadata is updated to require HttpTokens or disable HttpEndpoint
The new EC2 metadata service prevents SSRF attack escalations from accessing the
Additional Info
sensitive instance metadata endpoints.
Recommended Action Update instance metadata options to use IMDSv2
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-
Cloud Provider Link
metadata.html#configuring-instance-metadata-service
Instance has instance metadata endpoint enabled
FAIL us-east-1 1:922503285322:instance/i-
and does not require HttpTokens
065bb7e431488d139
05cf4724e3a4599f0
045076929c6d415ad
08f266f579dc814bc
006fe48adf55ff7ad
05e8cda4ca1cd3f78
ca-central-
1
eu-central-
1
ap-
PASS northeast- No instances found
1
ap-
northeast- No instances found
PASS 2
ap-
PASS southeast- No instances found
1
ap-
PASS southeast- No instances found
2
ap-
PASS northeast- No instances found
3
S3 S3 Bucket Website Enabled

3 0 0 0
Test Description Ensures S3 buckets are not configured with static website hosting
S3 buckets should not be configured with static website hosting with public objects. Instead, a
Additional Info
CloudFront distribution should be configured with an origin access identity.
Recommended Action Disable S3 bucket static website hosting in favor or CloudFront distributions.
Cloud Provider Link https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-https-requests-s3/
arn:aws:s3:::siscor- Bucket : siscor-backups does not have static website hosting

PASS us-east-1
backups enabled
PASS us-east-1 arn:aws:s3:::siscor-trails Bucket : siscor-trails does not have static website hosting enabled
PASS us-east-1 arn:aws:s3:::siscor-transfer Bucket : siscor-transfer does not have static website hosting enabled
EC2 SSM Agent Latest Version

17 0 0 0
Test Description Ensures SSM agents installed on Linux hosts are running the latest version
Additional Info SSM agent software provides sensitive access to servers and should be kept up-to-date.
Recommended Action Update the SSM agent on all Linux hosts to the latest version.
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-automatic-
Cloud Provider Link
updates.html
PASS us-east-1 No SSM installations found
PASS us-east-2 No SSM installations found
PASS us-west-1 No SSM installations found
PASS us-west-2 No SSM installations found
PASS ca-central-1 No SSM installations found
PASS eu-central-1 No SSM installations found
PASS eu-west-1 No SSM installations found
PASS eu-north-1 No SSM installations found
PASS ap-northeast-1 No SSM installations found
PASS ap-southeast-1 No SSM installations found
PASS ap-southeast-2 No SSM installations found
PASS ap-south-1 No SSM installations found
PASS sa-east-1 No SSM installations found
EC2 Default VPC Exists

0 0 17 0
Test Description Determines whether the default VPC exists.

The default VPC should not be used in order to avoid launching multiple services in the same
Additional Info network which may not require connectivity. Each application, or network tier, should use its
own VPC.
Move resources from the default VPC to a new VPC created for that application or resource
Recommended Action
group.
Cloud Provider Link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:vpc/vpc-26c1545b Default VPC present
FAIL us-east-2 arn:aws:ec2:us-east-2:922503285322:vpc/vpc-6090090b Default VPC present
FAIL us-west-1 arn:aws:ec2:us-west-1:922503285322:vpc/vpc-0c2d2282542beab46 Default VPC present
FAIL us-west-2 arn:aws:ec2:us-west-2:922503285322:vpc/vpc-0a048fe7436065d58 Default VPC present
FAIL ca-central-1 arn:aws:ec2:ca-central-1:922503285322:vpc/vpc-09770145827bef7d6 Default VPC present
FAIL eu-central-1 arn:aws:ec2:eu-central-1:922503285322:vpc/vpc-0a58a4e7b0c93b7ab Default VPC present
FAIL eu-west-1 arn:aws:ec2:eu-west-1:922503285322:vpc/vpc-08275f72a1e4e98f5 Default VPC present
FAIL eu-west-2 arn:aws:ec2:eu-west-2:922503285322:vpc/vpc-0e30be664fd118c17 Default VPC present
FAIL eu-west-3 arn:aws:ec2:eu-west-3:922503285322:vpc/vpc-0996522b3020b1ab5 Default VPC present
FAIL eu-north-1 arn:aws:ec2:eu-north-1:922503285322:vpc/vpc-0f4d32bbc44db3bba Default VPC present
FAIL ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:vpc/vpc-030dd710cab63ff8d Default VPC present
arn:aws:ec2:ap-northeast-2:922503285322:vpc/vpc-
FAIL ap-northeast-2 Default VPC present
0e3a3e30aee7daf8a
ap-southeast- arn:aws:ec2:ap-southeast-1:922503285322:vpc/vpc-
FAIL Default VPC present
1 0e19b6b8f7dfe3c2a
FAIL ap-southeast- arn:aws:ec2:ap-southeast-2:922503285322:vpc/vpc-

Default VPC present
2 01606d90294e3ddf2
FAIL ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:vpc/vpc-0d6c6d69eecdef2fd Default VPC present
FAIL ap-south-1 arn:aws:ec2:ap-south-1:922503285322:vpc/vpc-0430a98d4d8672743 Default VPC present
FAIL sa-east-1 arn:aws:ec2:sa-east-1:922503285322:vpc/vpc-ae08c3c8 Default VPC present
S3 S3 Bucket Public Access Block

3 0 0 0
Test Description Ensures S3 public access block is enabled on all buckets or for AWS account
Blocking S3 public access at the account level or bucket-level ensures objects are not
Additional Info
accidentally exposed.
Recommended Action Enable the S3 public access block on all S3 buckets or for AWS account.
Cloud Provider Link https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
PASS us-east-1 arn:aws:s3:::siscor-backups S3 bucket has public access block fully enabled
PASS us-east-1 arn:aws:s3:::siscor-trails S3 bucket has public access block fully enabled
PASS us-east-1 arn:aws:s3:::siscor-transfer S3 bucket has public access block fully enabled
GuardDuty GuardDuty is Enabled

0 0 17 0
Test Description Ensures GuardDuty is enabled
GuardDuty provides threat intelligence by analyzing several AWS data sources for security
Additional Info
risks and should be enabled in all accounts.
Recommended Action Enable GuardDuty for all AWS accounts.
Cloud Provider Link https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
FAIL us-east-1 GuardDuty not enabled
FAIL us-east-2 GuardDuty not enabled
FAIL us-west-1 GuardDuty not enabled
FAIL us-west-2 GuardDuty not enabled
FAIL ca-central-1 GuardDuty not enabled
FAIL eu-central-1 GuardDuty not enabled
FAIL eu-west-1 GuardDuty not enabled

FAIL eu-north-1 GuardDuty not enabled
FAIL ap-northeast-1 GuardDuty not enabled
FAIL ap-southeast-1 GuardDuty not enabled
FAIL ap-southeast-2 GuardDuty not enabled
FAIL ap-south-1 GuardDuty not enabled
FAIL sa-east-1 GuardDuty not enabled
ECR ECR Repository Tag Immutability

17 0 0 0
Test Description Ensures ECR repository image tags cannot be overwritten
ECR repositories should be configured to prevent overwriting of image tags to avoid

Additional Info
potentially-malicious images from being deployed to live environments.
Recommended Action Update ECR registry configurations to ensure image tag mutability is set to immutable.
Cloud Provider Link https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html
PASS ca-central-1 No ECR repositories present
PASS eu-central-1 No ECR repositories present

PASS eu-north-1 No ECR repositories present
PASS ap-south-1 No ECR repositories present
PASS sa-east-1 No ECR repositories present
DMS DMS Encryption Enabled

17 0 0 0
Test Description Ensures DMS encryption is enabled using a CMK
Data sent through the data migration service is encrypted using KMS. Encryption is enabled by
Additional Info
default, but it is recommended to use customer managed keys.
Recommended Action Enable encryption using KMS CMKs for all DMS replication instances.
Cloud Provider Link https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html
PASS us-east-1 No replication instances found
PASS us-east-2 No replication instances found
PASS us-west-1 No replication instances found
PASS us-west-2 No replication instances found
PASS ca-central-1 No replication instances found

PASS eu-central-1 No replication instances found
PASS eu-west-1 No replication instances found
PASS eu-north-1 No replication instances found
PASS ap-northeast-1 No replication instances found
PASS ap-southeast-1 No replication instances found
PASS ap-southeast-2 No replication instances found
PASS ap-south-1 No replication instances found
PASS sa-east-1 No replication instances found
ELBv2 ELBv2 Logging Enabled

17 0 0 0
Test Description Ensures load balancers have request logging enabled.
Logging requests to ELB endpoints is a helpful way of detecting and investigating potential
Additional Info attacks, malicious activity, or misuse of backend resources.Logs can be sent to S3 and
processed for further analysis.
Recommended Action Enable ELB request logging
http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-
Cloud Provider Link
logs.html

ELBv2 ELBv2 HTTPS Only

17 0 0 0
Test Description Ensures ELBs are configured to only accept connections on HTTPS ports.
For maximum security, ELBs can be configured to only accept HTTPS connections. Standard
Additional Info HTTP connections will be blocked. This should only be done if the client application is
configured to query HTTPS directly and not rely on a redirect from HTTP.
Recommended Action Remove non-HTTPS listeners from load balancer.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-
Cloud Provider Link
options.html

ELBv2 ELBv2 No Instances

17 0 0 0
Test Description Detects ELBs that have no target groups attached
All ELBs should have backend server resources. Those without any are consuming costs
Additional Info without providing any functionality. Additionally, old ELBs with no target groups present a
security concern if new target groups are accidentally attached.
Recommended Action Delete old ELBs that no longer have backend resources.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-
Cloud Provider Link
groups.html

ELBv2 ELBv2 WAF Enabled

17 0 0 0
Test Description Ensure that all Application Load Balancers have WAF enabled.
Enabling WAF allows control over requests to the load balancer, allowing or denying traffic
Additional Info
based off rules in the Web ACL
1. Enter the WAF service. 2. Enter Web ACLs and filter by the region the Application Load
Recommended Action Balancer is in. 3. If no Web ACL is found, Create a new Web ACL in the region the ALB
resides and in Resource type to associate with web ACL, select the Load Balancer.
https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-
Cloud Provider Link
balancers/
PASS us-east-1 No Load Balancers found
PASS us-west-1 No Load Balancers found
PASS ca-central-1 No Load Balancers found
PASS eu-central-1 No Load Balancers found
PASS eu-west-1 No Load Balancers found
PASS eu-north-1 No Load Balancers found
PASS ap-northeast-1 No Load Balancers found
PASS ap-southeast-1 No Load Balancers found
PASS ap-south-1 No Load Balancers found
PASS sa-east-1 No Load Balancers found
EC2 Open Salt

22 0 0 0
Test Description Determine if TCP ports 4505 or 4506 for the Salt master are open to the public
Active Salt vulnerabilities, CVE-2020-11651 and CVE-2020-11652 are exploiting Salt instances
Additional Info
exposed to the internet. These ports should be closed immediately.
https://help.saltstack.com/hc/en-us/articles/360043056331-New-SaltStack-Release-Critical-
Cloud Provider Link Vulnerability
015527859f4cb1ab4

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:4505,4506 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:4505,4506 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
PASS northeast- 1:922503285322:security-group/sg- Security group: sg-0a5f4c4f1b5983891 (default) does
1 0a5f4c4f1b5983891 not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
2 07f8aee861c34413f
1 0f40a8e2330e64b60
southeast- Security group: sg-0de72c4ef2c1b7162 (default) does
0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:4505,4506 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open Docker

22 0 0 0
Test Description Determine if Docker port 2375 or 2376 is open to the public
Additional Info
properly, more sensitive services such as Docker should be restricted to known IP addresses.
Cloud Provider Link
instance.html
015527859f4cb1ab4

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:2375,2376 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:2375,2376 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
PASS ap-south-1 1:922503285322:security-group/sg- not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
02cb7aa81a32263ad
TCP:2375,2376 open to 0.0.0.0/0 or ::0
ffd685b7
ES ElasticSearch IAM Authentication

17 0 0 0
Test Description Ensures ElasticSearch domains require IAM Authentication
ElasticSearch domains can allow access without IAM authentication by having a policy that
Additional Info
does not specify the principal or has a wildcard principal
Configure the ElasticSearch domain to have an access policy without a global principal or no
Recommended Action
principal
Cloud Provider Link https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html
PASS us-east-1 No ElasticSearch domains found
PASS us-east-2 No ElasticSearch domains found
PASS us-west-1 No ElasticSearch domains found
PASS us-west-2 No ElasticSearch domains found
PASS ca-central-1 No ElasticSearch domains found
PASS eu-central-1 No ElasticSearch domains found
PASS eu-west-1 No ElasticSearch domains found
PASS eu-north-1 No ElasticSearch domains found
PASS ap-northeast-1 No ElasticSearch domains found
PASS ap-southeast-1 No ElasticSearch domains found

PASS ap-southeast-2 No ElasticSearch domains found
PASS ap-south-1 No ElasticSearch domains found
PASS sa-east-1 No ElasticSearch domains found
RDS RDS DocumentDB Minor Version Upgrade

17 0 0 0
Test Description Ensures Auto Minor Version Upgrade is enabled on RDS and DocumentDB databases
RDS supports automatically upgrading the minor version of the database, which should be
Additional Info
enabled to ensure security fixes are quickly deployed.
Recommended Action Enable automatic minor version upgrades on RDS and DocumentDB databases
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upg
Cloud Provider Link
rading.html#USER_UpgradeDBInstance.Upgrading.AutoMinorVersionUpgrades
PASS global No RDS/DocumentDB instances found

Lambda Lambda Log Groups

17 0 0 0
Test Description Ensures each Lambda function has a valid log group attached to it
Every Lambda function created should automatically have a CloudWatch log group generated
Additional Info
to handle its log streams.
Recommended Action Update the Lambda function permissions to allow CloudWatch logging.
Cloud Provider Link https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs.html

EC2 EC2 LaunchWizard Security Groups

20 0 2 0
Test Description Ensures security groups created by the EC2 launch wizard are not used
The EC2 launch wizard frequently creates insecure security groups that are exposed publicly.
Additional Info
These groups should not be used and custom security groups should be created instead.
Recommended Action Delete the launch wizard security group and replace it with a custom security group.
https://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-sap-security-
Cloud Provider Link
groups.html
arn:aws:ec2:us-east-1:922503285322:security- Security Group launch-wizard-1 was launched

FAIL us-east-1
group/sg-015527859f4cb1ab4 using EC2 launch wizard
arn:aws:ec2:us-east-1:922503285322:security- Security Group SG-RemoteAccess was not

PASS us-east-1
group/sg-0b29b77965792ae5d launched using EC2 launch wizard
arn:aws:ec2:us-east-1:922503285322:security- Security Group SG-Linux was not launched

PASS us-east-1
group/sg-031d418a21dd84701 using EC2 launch wizard
arn:aws:ec2:us-east-1:922503285322:security- Security Group Linux_Jumpbox was not

PASS us-east-1
group/sg-0ea00fe2209686e28 launched using EC2 launch wizard
arn:aws:ec2:us-east-1:922503285322:security- Security Group launch-wizard-2 was launched

FAIL us-east-1
group/sg-0add6fd8f5e13005e using EC2 launch wizard
PASS arn:aws:ec2:us-east-1:922503285322:security- Security Group default was not launched using

us-east-1
group/sg-2a94e22e EC2 launch wizard
arn:aws:ec2:us-east-2:922503285322:security- Security Group default was not launched using

PASS us-east-2
group/sg-35cd9243 EC2 launch wizard
arn:aws:ec2:us-west-1:922503285322:security- Security Group default was not launched using

PASS us-west-1
group/sg-0355558bdeb17eba4 EC2 launch wizard
arn:aws:ec2:us-west-2:922503285322:security- Security Group default was not launched using

PASS us-west-2
group/sg-07b897bc45d1e6fe2 EC2 launch wizard
ca-central- Security Group default was not launched using
1 EC2 launch wizard
0221abf87bbe12971
eu-central- Security Group default was not launched using
1 EC2 launch wizard
09b903e8dd37bee5f
arn:aws:ec2:eu-west-1:922503285322:security- Security Group default was not launched using

PASS eu-west-1
group/sg-08b897c32e384acbc EC2 launch wizard

PASS eu-west-2
group/sg-0ae841762d2749f1a EC2 launch wizard

PASS eu-west-3
group/sg-03bc08f1c58bcf815 EC2 launch wizard
arn:aws:ec2:eu-north-1:922503285322:security- Security Group default was not launched using

PASS eu-north-1
group/sg-04656562bedc2ae6d EC2 launch wizard
Security Group default was not launched using
EC2 launch wizard
1 0a5f4c4f1b5983891
EC2 launch wizard
2 07f8aee861c34413f
EC2 launch wizard
1 0f40a8e2330e64b60
PASS Security Group default was not launched using
southeast- 2:922503285322:security-group/sg-
EC2 launch wizard
2 0de72c4ef2c1b7162
EC2 launch wizard
3 09c1a77d7fa721022
arn:aws:ec2:ap-south-1:922503285322:security- Security Group default was not launched using

PASS ap-south-1
group/sg-02cb7aa81a32263ad EC2 launch wizard
arn:aws:ec2:sa-east-1:922503285322:security- Security Group default was not launched using

PASS sa-east-1
group/sg-ffd685b7 EC2 launch wizard
EC2 VPC PrivateLink Endpoint Acceptance Required

17 0 0 0
Test Description Ensures VPC PrivateLink endpoints require acceptance
VPC PrivateLink endpoints should be configured to require acceptance so that access to the
Additional Info
endpoint is controlled on a case-by-case basis.
Recommended Action Update the VPC PrivateLink endpoint to require acceptance
Cloud Provider Link https://docs.aws.amazon.com/vpc/latest/userguide/accept-reject-endpoint-requests.html

PASS us-east-1 No user owned VPC endpoint services present
PASS us-east-2 No user owned VPC endpoint services present
PASS us-west-1 No user owned VPC endpoint services present
PASS us-west-2 No user owned VPC endpoint services present
PASS ca-central-1 No user owned VPC endpoint services present
PASS eu-central-1 No user owned VPC endpoint services present
PASS eu-west-1 No user owned VPC endpoint services present
PASS eu-north-1 No user owned VPC endpoint services present
PASS ap-northeast-1 No user owned VPC endpoint services present
PASS ap-southeast-1 No user owned VPC endpoint services present
PASS ap-southeast-2 No user owned VPC endpoint services present
PASS ap-south-1 No user owned VPC endpoint services present
PASS sa-east-1 No user owned VPC endpoint services present
AutoScaling Empty AutoScaling Group

17 0 0 0
Test Description Ensures all autoscaling groups contain at least 1 instance.
Additional Info AutoScaling groups that are no longer in use should be deleted to prevent accidental use.
Recommended Action Delete the unused AutoScaling group.

Cloud Provider Link https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html
IAM IAM Role Last Used

1 0 1 0
Test Description Ensures IAM roles that have not been used within the given time frame are deleted.
IAM roles that have not been used for a long period may contain old access policies that could
Additional Info allow unintended access to resources if accidentally attached to new services. These roles
should be deleted.
Recommended Action Delete IAM roles that have not been used within the expected time frame.
https://aws.amazon.com/about-aws/whats-new/2019/11/identify-unused-iam-roles-easily-and-
Cloud Provider Link
remove-them-confidently-by-using-the-last-used-timestamp/
arn:aws:iam::922503285322:role/Cloud3_AuditRol IAM role: Cloud3_AuditRole has not been

FAIL global
e used
arn:aws:iam::922503285322:role/CloudWatchAge IAM role was last used 0 days ago in the us-
PASS global
ntServerRole east-1 region
IAM Root Account Active Signing Certificates

1 0 0 0
Test Description Ensures the root user is not using x509 signing certificates
AWS supports using x509 signing certificates for API access, but these should not be attached
Additional Info
to the root user, which has full access to the account.
Recommended Action Delete the x509 certificates associated with the root account.
https://docs.aws.amazon.com/whitepapers/latest/aws-overview-security-processes/x.509-
Cloud Provider Link
certificates.html
PASS global arn:aws:iam::922503285322:root The root user does not use x509 signing certificates.
RDS SQL Server TLS Version

17 0 0 0
Test Description Ensures RDS SQL Servers do not allow outdated TLS certificate versions
TLS 1.2 or higher should be used for all TLS connections to RDS. A parameter group can be
Additional Info
used to enforce this connection type.
Create a parameter group that contains the TLS version restriction and limit access to TLS 1.2
Recommended Action
or higher
https://aws.amazon.com/about-aws/whats-new/2020/07/amazon-rds-for-sql-server-supports-
Cloud Provider Link disabling-old-versions-of-tls-and-ciphers/
PASS us-east-1 No parameter groups found
PASS us-east-2 No parameter groups found
PASS us-west-1 No parameter groups found
PASS us-west-2 No parameter groups found
PASS ca-central-1 No parameter groups found
PASS eu-central-1 No parameter groups found
PASS eu-west-1 No parameter groups found
PASS eu-north-1 No parameter groups found
PASS ap-northeast-1 No parameter groups found
PASS ap-southeast-1 No parameter groups found
PASS ap-southeast-2 No parameter groups found
PASS ap-south-1 No parameter groups found
PASS sa-east-1 No parameter groups found
AutoScaling Auto Scaling Notifications Active

17 0 0 0
Test Description Ensures auto scaling groups have notifications active.
Notifications can be sent to an SNS endpoint when scaling actions occur, which should be set
Additional Info
to ensure all scaling activity is recorded.
Recommended Action Add a notification endpoint to the auto scaling group.
Cloud Provider Link https://docs.aws.amazon.com/autoscaling/ec2/userguide/ASGettingNotifications.html

AutoScaling Auto Scaling Group Missing ELB

17 0 0 0
Test Description Ensures all Auto Scaling groups are referencing active load balancers.
Additional Info Each Auto Scaling group with a load balancer configured should reference an active ELB.
Ensure that the Auto Scaling group load balancer has not been deleted. If so, remove it from
Recommended Action
the ASG.
Cloud Provider Link https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html

PASS us-east-1 No Auto Scaling group found
PASS us-east-2 No Auto Scaling group found
PASS us-west-1 No Auto Scaling group found
PASS us-west-2 No Auto Scaling group found
PASS ca-central-1 No Auto Scaling group found
PASS eu-central-1 No Auto Scaling group found
PASS eu-west-1 No Auto Scaling group found
PASS eu-north-1 No Auto Scaling group found
PASS ap-northeast-1 No Auto Scaling group found
PASS ap-southeast-1 No Auto Scaling group found
PASS ap-southeast-2 No Auto Scaling group found
PASS ap-south-1 No Auto Scaling group found
PASS sa-east-1 No Auto Scaling group found
Comprehend Amazon Comprehend Volume Encryption

72 0 0 0
Test Description Ensures the Comprehend service is using encryption for all volumes storing data at rest.
Additional Info Comprehend supports using KMS keys to encrypt data at rest, which should be enabled.
Recommended Action Enable volume encryption for the Comprehend job
Cloud Provider Link https://docs.aws.amazon.com/comprehend/latest/dg/kms-in-comprehend.html

PASS us-east-1 No entities detection jobs found
PASS us-east-1 No document classification jobs found
PASS us-east-1 No dominant language detection jobs found
PASS us-east-1 No topics detection jobs found
PASS us-east-1 No key phrases detection jobs found
PASS us-east-1 No sentiment detection jobs found
PASS us-west-2 No entities detection jobs found
PASS us-west-2 No document classification jobs found
PASS us-west-2 No dominant language detection jobs found
PASS us-west-2 No topics detection jobs found
PASS us-west-2 No key phrases detection jobs found
PASS us-west-2 No sentiment detection jobs found
PASS eu-central-1 No entities detection jobs found
PASS eu-central-1 No document classification jobs found
PASS eu-central-1 No dominant language detection jobs found
PASS eu-central-1 No topics detection jobs found
PASS eu-central-1 No key phrases detection jobs found
PASS eu-central-1 No sentiment detection jobs found
eu-west-2 No entities detection jobs found

PASS
PASS eu-west-2 No document classification jobs found
PASS eu-west-2 No dominant language detection jobs found
PASS eu-west-2 No topics detection jobs found
PASS eu-west-2 No key phrases detection jobs found
PASS eu-west-2 No sentiment detection jobs found
PASS eu-west-1 No entities detection jobs found
PASS ap-southeast-1 No entities detection jobs found
PASS ap-southeast-1 No document classification jobs found
PASS ap-southeast-1 No dominant language detection jobs found
PASS ap-southeast-1 No topics detection jobs found
PASS ap-southeast-1 No key phrases detection jobs found
PASS ap-southeast-1 No sentiment detection jobs found
PASS ap-northeast-1 No entities detection jobs found
PASS ap-northeast-1 No document classification jobs found
PASS ap-northeast-1 No dominant language detection jobs found
PASS ap-northeast-1 No topics detection jobs found
PASS ap-northeast-1 No key phrases detection jobs found
PASS
ap-northeast-1 No sentiment detection jobs found

PASS ap-northeast-2 No sentiment detection jobs found
PASS ap-south-1 No entities detection jobs found
PASS ap-south-1 No document classification jobs found
PASS ap-south-1 No dominant language detection jobs found
PASS ap-south-1 No topics detection jobs found
PASS ap-south-1 No key phrases detection jobs found
PASS ap-south-1 No sentiment detection jobs found
PASS ca-central-1 No entities detection jobs found
PASS ca-central-1 No document classification jobs found
PASS ca-central-1 No dominant language detection jobs found
PASS ca-central-1 No topics detection jobs found
PASS ca-central-1 No key phrases detection jobs found
PASS ca-central-1 No sentiment detection jobs found

Comprehend Amazon Comprehend Output Result Encryption
72 0 0 0
Test Description Ensures the Comprehend service is using encryption for all result output.
Additional Info Comprehend supports using KMS keys to result output, which should be enabled.
Recommended Action Enable output result encryption for the Comprehend job
Cloud Provider Link https://docs.aws.amazon.com/comprehend/latest/dg/kms-in-comprehend.html
PASS us-west-2 No entities detection jobs found
PASS us-west-2 No document classification jobs found
PASS us-west-2 No dominant language detection jobs found
PASS us-west-2 No topics detection jobs found
PASS us-west-2 No key phrases detection jobs found
PASS us-west-2 No sentiment detection jobs found
PASS eu-central-1 No entities detection jobs found

PASS eu-central-1 No document classification jobs found
PASS eu-central-1 No dominant language detection jobs found
PASS eu-central-1 No topics detection jobs found
PASS eu-central-1 No key phrases detection jobs found
PASS eu-central-1 No sentiment detection jobs found
PASS No entities detection jobs found

ap-northeast-1

PASS ap-south-1 No entities detection jobs found
PASS ap-south-1 No document classification jobs found
PASS ap-south-1 No dominant language detection jobs found
PASS ap-south-1 No topics detection jobs found
PASS ap-south-1 No key phrases detection jobs found
PASS ap-south-1 No sentiment detection jobs found
PASS ca-central-1 No entities detection jobs found
PASS ca-central-1 No document classification jobs found
PASS ca-central-1 No dominant language detection jobs found

PASS ca-central-1 No topics detection jobs found
PASS ca-central-1 No key phrases detection jobs found
PASS ca-central-1 No sentiment detection jobs found
DynamoDB DynamoDB Accelerator Cluster Encryption

12 0 0 0
Test Description Ensures DynamoDB Cluster Accelerator DAX clusters have encryption enabled.
DynamoDB Clusters Accelerator DAX clusters should have encryption at rest enabled to
Additional Info
secure data from unauthorized access.
Recommended Action Enable encryption for DAX cluster.
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.
Cloud Provider Link
html
PASS us-east-1 No DAX clusters found
PASS us-east-2 No DAX clusters found
PASS us-west-2 No DAX clusters found
PASS eu-central-1 No DAX clusters found
PASS eu-west-1 No DAX clusters found
PASS ap-northeast-1 No DAX clusters found
PASS ap-southeast-1 No DAX clusters found
PASS ap-southeast-2 No DAX clusters found
PASS ap-south-1 No DAX clusters found
PASS sa-east-1 No DAX clusters found

EC2 Unused EBS Volumes
23 0 0 0
Test Description Ensures EBS volumes are in use and attached to EC2 instances
EBS volumes should be deleted if the parent instance has been deleted to prevent accidental
Additional Info
exposure of data.
Recommended Action Delete the unassociated EBS volume.
Cloud Provider Link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-volume.html
arn:aws:ec2:us-east-1:922503285322:volume/vol- EBS Volume is attached to an EC2

PASS us-east-1
0cd59f11359717779 instance

PASS us-east-1
0ea43a6b7bcc1ec0b instance

PASS us-east-1
00074031a49128610 instance

PASS us-east-1
0adda660adb702d40 instance

PASS us-east-1
0a1c7613b80c47a1b instance

PASS us-east-1
00744a919dd332543 instance

PASS us-east-1
031c96db898d68b4e instance
PASS us-east-2 No EBS Volumes found
PASS us-west-1 No EBS Volumes found
PASS ca-central-1 No EBS Volumes found
PASS eu-central-1 No EBS Volumes found
PASS eu-west-1 No EBS Volumes found
PASS eu-north-1 No EBS Volumes found
ap-
PASS No EBS Volumes found
northeast-1
ap-
PASS northeast-2 No EBS Volumes found
ap-
southeast-1
ap-
southeast-2
ap-
northeast-3
PASS ap-south-1 No EBS Volumes found
PASS sa-east-1 No EBS Volumes found
ElasticBeanstalk ElasticBeanstalk Managed Platform Updates

17 0 0 0
Test Description Ensures ElasticBeanstalk applications are configured to use managed updates.
Additional Info Environments for an application should be configured to allow platform managed updates.
Recommended Action Update the environment to enable managed updates.
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environment-platform-update-
Cloud Provider Link
managed.html
PASS us-east-1 No application environments found
PASS us-east-2 No application environments found
PASS us-west-1 No application environments found
PASS us-west-2 No application environments found
PASS ca-central-1 No application environments found
PASS eu-central-1 No application environments found
PASS eu-west-1 No application environments found
PASS
eu-north-1 No application environments found
PASS ap-northeast-1 No application environments found
PASS ap-southeast-1 No application environments found
PASS ap-southeast-2 No application environments found
PASS ap-south-1 No application environments found
PASS sa-east-1 No application environments found
IAM Group Inline Policies

1 0 0 0
Test Description Ensures that groups do not have any inline policies
Additional Info Managed Policies are recommended over inline policies.
Recommended Action Remove inline policies attached to groups
Cloud Provider Link https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
PASS global No groups found
AutoScaling AutoScaling ELB Same Availability Zone

17 0 0 0
Test Description Ensures all autoscaling groups with attached ELBs are operating in the same availability zone.
To work properly and prevent orphaned instances, ELBs must be created in the same
Additional Info
availability zones as the backend instances in the autoscaling group.
Recommended Action Update the ELB to use the same availability zones as the autoscaling group.
Cloud Provider Link https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html

PASS us-east-1 No AutoScaling group found
PASS us-east-2 No AutoScaling group found
PASS us-west-1 No AutoScaling group found
PASS us-west-2 No AutoScaling group found
PASS ca-central-1 No AutoScaling group found
PASS eu-central-1 No AutoScaling group found
PASS eu-west-1 No AutoScaling group found
PASS eu-north-1 No AutoScaling group found
PASS ap-northeast-1 No AutoScaling group found
PASS ap-southeast-1 No AutoScaling group found
PASS ap-southeast-2 No AutoScaling group found
PASS ap-south-1 No AutoScaling group found
PASS sa-east-1 No AutoScaling group found
AutoScaling Suspended AutoScaling Groups

17 0 0 0
Test Description Ensures that there are no Amazon AutoScaling groups with suspended processes.
AutoScaling groups should not have any suspended processes to avoid disrupting the
Additional Info
AutoScaling workflow.
Recommended Action Update the AutoScaling group to resume the suspended processes.
Cloud Provider Link https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html

PASS us-east-1 No AutoScaling groups found
PASS us-east-2 No AutoScaling groups found
PASS us-west-1 No AutoScaling groups found
PASS us-west-2 No AutoScaling groups found
PASS ca-central-1 No AutoScaling groups found
PASS eu-central-1 No AutoScaling groups found
PASS eu-west-1 No AutoScaling groups found
PASS eu-north-1 No AutoScaling groups found
PASS ap-northeast-1 No AutoScaling groups found
PASS ap-southeast-1 No AutoScaling groups found
PASS ap-southeast-2 No AutoScaling groups found
PASS ap-south-1 No AutoScaling groups found
PASS sa-east-1 No AutoScaling groups found
CloudTrail Object Lock Enabled

0 0 1 0
Ensures that AWS CloudTrail S3 buckets use Object Lock for data protection and regulatory
Test Description
compliance.
Additional Info CloudTrail buckets should be configured to have object lock enabled. You can use it to prevent
an object from being deleted or overwritten for a fixed amount of time or indefinitely.
Recommended Action Edit trail to use a bucket with object locking enabled.
Cloud Provider Link https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-managing.html
FAIL us-east-1 arn:aws:s3:::siscor-trails Object lock is not enabled for bucket: siscor-trails
EC2 Unassociated Elastic IP Addresses

19 0 0 0
Ensures all EIPs are allocated to a resource to avoid accidental usage or reuse and to save
Test Description
costs
Additional Info EIPs should be deleted if they are not in use to avoid extra charges.
Recommended Action Delete the unassociated Elastic IP
Cloud Provider Link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
Elastic IP address eipalloc-0821115729374c9d9
PASS us-east-1 1:922503285322:eip/eipalloc-
is associated to a resource
0821115729374c9d9
Elastic IP address eipalloc-0c1ab71b12ecd2092
is associated to a resource
0c1ab71b12ecd2092
Elastic IP address eipalloc-0c3df3f6731ad7226 is
associated to a resource
0c3df3f6731ad7226
PASS us-east-2 No Elastic IP Addresses found
PASS us-west-1 No Elastic IP Addresses found
PASS us-west-2 No Elastic IP Addresses found
ca-central-
PASS No Elastic IP Addresses found
1
eu-central-
PASS No Elastic IP Addresses found
1
PASS eu-west-1 No Elastic IP Addresses found

PASS eu-north-1 No Elastic IP Addresses found
ap-
PASS northeast- No Elastic IP Addresses found
1
ap-
2
ap-
PASS southeast- No Elastic IP Addresses found
1
ap-
PASS southeast- No Elastic IP Addresses found
2
ap-
3
PASS ap-south-1 No Elastic IP Addresses found
PASS sa-east-1 No Elastic IP Addresses found
ELBv2 ELBv2 Deletion Protection

17 0 0 0
Test Description Ensures ELBv2 load balancers are configured with deletion protection.
ELBv2 load balancers should be configured with deletion protection to prevent

Additional Info
accidentaldeletion of live resources in production environments.
Recommended Action Update ELBv2 load balancers to use deletion protection to prevent accidental deletion
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-
Cloud Provider Link
balancers.html#deletion-protection
PASS us-east-1 No Application/Network load balancers found
PASS us-west-1 No Application/Network load balancers found
PASS ca-central-1 No Application/Network load balancers found

PASS eu-central-1 No Application/Network load balancers found
PASS eu-west-1 No Application/Network load balancers found
PASS eu-north-1 No Application/Network load balancers found
PASS ap-northeast-1 No Application/Network load balancers found
PASS ap-southeast-1 No Application/Network load balancers found
PASS ap-south-1 No Application/Network load balancers found
PASS sa-east-1 No Application/Network load balancers found
EMR EMR Encryption In Transit

17 0 0 0
Test Description Ensures encryption in transit is enabled for EMR clusters
Additional Info EMR clusters should be configured to enable encryption in transit.
Recommended Action Update security configuration associated with EMR cluster to enable encryption in transit.
Cloud Provider Link https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-data-encryption-options.html
PASS us-east-1 No EMR cluster found
PASS us-west-1 No EMR cluster found
PASS ca-central-1 No EMR cluster found

PASS eu-central-1 No EMR cluster found
PASS eu-west-1 No EMR cluster found
PASS eu-north-1 No EMR cluster found
PASS ap-northeast-1 No EMR cluster found
PASS ap-southeast-1 No EMR cluster found
PASS ap-south-1 No EMR cluster found
PASS sa-east-1 No EMR cluster found
EMR EMR Encryption At Rest

17 0 0 0
Test Description Ensures encryption at rest for local disks is enabled for EMR clusters
Additional Info EMR clusters should be configured to enable encryption at rest for local disks.
Update security configuration associated with EMR cluster to enable encryption at rest for local
Recommended Action
disks.
Cloud Provider Link https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-data-encryption-options.html

ES ElasticSearch Exposed Domain

17 0 0 0
Test Description Ensures ElasticSearch domains are not publicly exposed to all AWS accounts
Additional Info ElasticSearch domains should not be publicly exposed to all AWS accounts.
Recommended Action Update elasticsearch domain to set access control.
Cloud Provider Link https://aws.amazon.com/blogs/database/set-access-control-for-amazon-elasticsearch-service/

IAM Cross-Account Access External ID and MFA

4 0 0 0
Test Description Ensures that either MFA or external IDs are used to access AWS roles.
IAM roles should be configured to require either a shared external ID or use an MFA device
Additional Info
when assuming the role.
Recommended Action Update the IAM role to either require MFA or use an external ID.
Cloud Provider Link https://aws.amazon.com/blogs/aws/mfa-protection-for-cross-account-access/
arn:aws:iam::922503285322:role/aws-service- IAM role does not contain

PASS global
role/support.amazonaws.com/AWSServiceRoleForSupport cross-account statements
arn:aws:iam::922503285322:role/aws-service-
IAM role does not contain
PASS global role/trustedadvisor.amazonaws.com/AWSServiceRoleForTruste
cross-account statements
dAdvisor
Cross-account role requires

global arn:aws:iam::922503285322:role/Cloud3_AuditRole
PASS MFA/external ID for all accounts
IAM role does not contain

PASS global arn:aws:iam::922503285322:role/CloudWatchAgentServerRole
cross-account statements
S3 S3 Secure Transport Enabled

1 0 2 0
Test Description Ensure AWS S3 buckets enforce SSL to secure data in transit
S3 buckets should be configured to strictly require SSL connections to deny unencrypted

Additional Info
HTTP requests when dealing with sensitive data.
Recommended Action Update S3 bucket policy to enforse SSL to secure data in transit.
Cloud Provider Link https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
arn:aws:s3:::siscor-
FAIL us-east-1 No bucket policy found
backups
Bucket Policy for bucket "siscor-trails" enforces SSL to secure data in

PASS us-east-1 arn:aws:s3:::siscor-trails
transit
arn:aws:s3:::siscor-
FAIL us-east-1 No bucket policy found
transfer
SNS SNS Topic CMK Encryption

16 0 1 0
Test Description Ensures Amazon SNS topics are encrypted with KMS Customer Master Keys (CMKs).
AWS SNS topics should be encrypted with KMS Customer Master Keys (CMKs) instead of
Additional Info AWS managed-keysin order to have a more granular control over the SNS data-at-rest
encryption and decryption process.
Recommended Action Update SNS topics to use Customer Master Keys (CMKs) for Server-Side Encryption.
Cloud Provider Link https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
arn:aws:sns:us-east- Server-Side Encryption is not enabled for SNS

FAIL us-east-1
1:922503285322:NotifybyEmail topic
ap-
northeast-1
ap-
northeast-2
ap-
southeast-1
ap-
southeast-2
ap-
northeast-3
AutoScaling ELB Health Check Active

17 0 0 0
Test Description Ensures all Auto Scaling groups have ELB health check active.
Auto Scaling groups should have ELB health checks active to replace unhealthy instances in
Additional Info
time.
Recommended Action Enable ELB health check for the Auto Scaling groups.
Cloud Provider Link https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-elb-healthcheck.html

PASS us-east-1 No Auto Scaling groups found
PASS us-west-1 No Auto Scaling groups found
PASS ca-central-1 No Auto Scaling groups found
PASS eu-central-1 No Auto Scaling groups found
PASS eu-west-1 No Auto Scaling groups found
PASS eu-north-1 No Auto Scaling groups found
PASS ap-northeast-1 No Auto Scaling groups found
PASS ap-southeast-1 No Auto Scaling groups found
PASS ap-south-1 No Auto Scaling groups found
PASS sa-east-1 No Auto Scaling groups found
AutoScaling Launch Configuration Referencing Missing Security Groups

17 0 0 0
Test Description Ensures that Auto Scaling launch configurations are not utilizing missing security groups.
Auto Scaling launch configuration should utilize an active security group to ensure safety of
Additional Info
managed instances.
Ensure that the launch configuration security group has not been deleted. If so, remove it from
Recommended Action
launch configurations
Cloud Provider Link https://docs.aws.amazon.com/autoscaling/ec2/userguide/GettingStartedTutorial.html

PASS us-east-1 No Auto Scaling launch configurations found
PASS us-west-1 No Auto Scaling launch configurations found
PASS ca-central-1 No Auto Scaling launch configurations found
PASS eu-central-1 No Auto Scaling launch configurations found
PASS eu-west-1 No Auto Scaling launch configurations found
PASS eu-north-1 No Auto Scaling launch configurations found
PASS ap-northeast-1 No Auto Scaling launch configurations found
PASS ap-southeast-1 No Auto Scaling launch configurations found
PASS ap-south-1 No Auto Scaling launch configurations found
PASS sa-east-1 No Auto Scaling launch configurations found
EC2 Open RFC 1918

41 0 0 0
Test Description Ensures EC2 security groups are configured to deny inbound traffic from RFC-1918 CIDRs
RFC-1918 IP addresses are considered reserved private addresses and should not be used in
Additional Info
security groups.
Recommended Action Modify the security group to deny private reserved addresses for inbound traffic
Cloud Provider Link https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html

Security group "launch-wizard-1" is not configured to
allow traffic from any reserved private addresses
015527859f4cb1ab4
Security group "SG-RemoteAccess" is not configured
to allow traffic from any reserved private addresses
0b29b77965792ae5d
0b29b77965792ae5d
0b29b77965792ae5d
0b29b77965792ae5d
0b29b77965792ae5d
0b29b77965792ae5d
0b29b77965792ae5d
0b29b77965792ae5d
0b29b77965792ae5d
0b29b77965792ae5d
0b29b77965792ae5d
Security group "SG-Linux" is not configured to allow
traffic from any reserved private addresses
031d418a21dd84701
031d418a21dd84701
031d418a21dd84701
031d418a21dd84701
PASS us-east-1 arn:aws:ec2:us-east- Security group "SG-Linux" is not configured to allow
1:922503285322:security-group/sg- traffic from any reserved private addresses
031d418a21dd84701
031d418a21dd84701
Security group "Linux_Jumpbox" is not configured to
0ea00fe2209686e28
0add6fd8f5e13005e
0add6fd8f5e13005e
0add6fd8f5e13005e
0add6fd8f5e13005e
0add6fd8f5e13005e
Security group "default" is not configured to allow
2a94e22e
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
ca-central- Security group "default" is not configured to allow
1 traffic from any reserved private addresses
0221abf87bbe12971
eu-central- Security group "default" is not configured to allow
1 traffic from any reserved private addresses
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
ap- arn:aws:ec2:ap-northeast- Security group "default" is not configured to allow

PASS northeast- 1:922503285322:security-group/sg- traffic from any reserved private addresses
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
ffd685b7
EC2 Public IP Address EC2 Instances

16 0 6 0
Test Description Ensures that EC2 instances do not have public IP address attached.
EC2 instances should not have a public IP address attached in order to block public access to
Additional Info
the instances.
Recommended Action Remove the public IP address from the EC2 instances to block public access to the instance
Cloud Provider Link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html
EC2 instance "i-065bb7e431488d139" has a
FAIL us-east-1 1:922503285322:/instance/i-
public IP address attached
065bb7e431488d139
EC2 instance "i-05cf4724e3a4599f0" has a
05cf4724e3a4599f0
EC2 instance "i-045076929c6d415ad" has a
us-east-1 1:922503285322:/instance/i-
FAIL 045076929c6d415ad public IP address attached
EC2 instance "i-08f266f579dc814bc" has a
08f266f579dc814bc
arn:aws:ec2:us-east- EC2 instance "i-006fe48adf55ff7ad" has a public

FAIL us-east-1
1:922503285322:/instance/i-006fe48adf55ff7ad IP address attached
EC2 instance "i-05e8cda4ca1cd3f78" has a
05e8cda4ca1cd3f78
PASS us-east-2 No EC2 instances found
PASS us-west-1 No EC2 instances found
ca-central-
PASS No EC2 instances found
1
eu-central-
1
PASS eu-west-1 No EC2 instances found
PASS eu-north-1 No EC2 instances found
ap-
PASS northeast- No EC2 instances found
1
ap-
2
ap-
PASS southeast- No EC2 instances found
1
ap-
2
ap-
3
PASS ap-south-1 No EC2 instances found
PASS sa-east-1 No EC2 instances found

IAM IAM User Unauthorized to Edit
2 0 1 0
Ensures AWS IAM users that are not authorized to edit IAM access policies are
Test Description
decommissioned.
Only authorized IAM users should have permission to edit IAM access policies to prevent any
Additional Info
unauthorized requests.
Recommended Action Update unauthorized IAM users to remove permissions to edit IAM access policies.
Cloud Provider Link https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html
arn:aws:iam::922503285322:us IAM user "cloud3" is not authorized to have these policies

FAIL global
er/cloud3 attached: AdministratorAccess
arn:aws:iam::922503285322:us IAM user "cloud3-sec" does not have edit access policies
PASS global
er/cloud3-sec permission
arn:aws:iam::922503285322:us IAM user "userbackup" does not have edit access policies
PASS global
er/userbackup permission
RDS RDS CMK Encryption

17 0 0 0
Test Description Ensures RDS instances are encrypted with KMS Customer Master Keys(CMKs).
RDS instances should be encrypted with Customer Master Keys in order to have full control
Additional Info
over data encryption and decryption.
RDS does not currently allow modifications to encryption after the instance has been launched,
Recommended Action
so a new instance will need to be created with KMS CMK encryption enabled.
Cloud Provider Link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
PASS us-east-1 No RDS DB instance found
PASS us-east-2 No RDS DB instance found
PASS us-west-1 No RDS DB instance found
PASS us-west-2 No RDS DB instance found
PASS ca-central-1 No RDS DB instance found

PASS eu-central-1 No RDS DB instance found
PASS eu-west-1 No RDS DB instance found
PASS eu-north-1 No RDS DB instance found
PASS ap-northeast-1 No RDS DB instance found
PASS ap-southeast-1 No RDS DB instance found
PASS ap-southeast-2 No RDS DB instance found
PASS ap-south-1 No RDS DB instance found
PASS sa-east-1 No RDS DB instance found
RDS RDS Transport Encryption Enabled

17 0 0 0
Test Description Ensures RDS SQL Server instances have Transport Encryption enabled.
Parameter group associated with the RDS instance should have transport encryption enabled
Additional Info
to handle encryption and decryption
Recommended Action Update the parameter group associated with the RDS instance to have rds.force_ssl set to true
Cloud Provider Link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
PASS global No RDS DB instances found

SNS SNS Topic Encrypted

16 0 1 0
Test Description Ensures that Amazon SNS topics enforce Server-Side Encryption (SSE)
SNS topics should enforce Server-Side Encryption (SSE) to secure data at rest. SSE protects
Additional Info the contents of messages in Amazon SNS topics using keys managed in AWS Key
Management Service (AWS KMS).
Recommended Action Enable Server-Side Encryption to protect the content of SNS topic messages.
Cloud Provider Link https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
arn:aws:sns:us-east- Server-Side Encryption is not enabled for SNS

FAIL us-east-1
1:922503285322:NotifybyEmail topic
PASS
us-west-1 No SNS topics found
ap-
northeast-1
ap-
northeast-2
ap-
southeast-1
ap-
southeast-2
ap-
northeast-3
SQS SQS Public Access

17 0 0 0
Test Description Ensures that SQS queues are not publicly accessible
Additional Info SQS queues should be not be publicly accessible to prevent unauthorized actions.
Recommended Action Update the SQS queue policy to prevent public access.
Cloud Provider Link
creating-custom-policies.html

EC2 SSM Agent Auto Update Enabled

17 0 0 0
Test Description Ensures the SSM agent is configured to automatically update to new versions
To ensure the latest version of the SSM agent is installed, it should be configured to consume
Additional Info
automatic updates.
Recommended Action Update the SSM agent configuration for all managed instances to use automatic updates.
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-automatic-
Cloud Provider Link
updates.html

PASS us-east-1 No managed instances found
PASS us-east-2 No managed instances found
PASS us-west-1 No managed instances found
PASS us-west-2 No managed instances found
PASS ca-central-1 No managed instances found
PASS eu-central-1 No managed instances found
PASS eu-west-1 No managed instances found
PASS eu-north-1 No managed instances found
PASS ap-northeast-1 No managed instances found
PASS ap-southeast-1 No managed instances found
PASS ap-southeast-2 No managed instances found
PASS ap-south-1 No managed instances found
PASS sa-east-1 No managed instances found
Redshift Redshift Cluster CMK Encryption

17 0 0 0
Test Description Ensures Redshift clusters are encrypted using KMS customer master keys (CMKs)
KMS CMKs should be used to encrypt redshift clusters in order to have full control over data
Additional Info
encryption and decryption.
Update Redshift clusters encryption configuration to use KMS CMKs instead of AWS
Recommended Action
managed-keys.
Cloud Provider Link http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html

Redshift Redshift Parameter Group SSL Required

17 0 0 0
Ensures AWS Redshift non-default parameter group associated with Redshift cluster require
Test Description
SSL connection.
Redshift parameter group associated with Redshift cluster should be configured to require SSL
Additional Info
to secure data in transit.
Recommended Action Update Redshift parameter groups to have require-ssl parameter set to true.
Cloud Provider Link https://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html
API Gateway API Gateway WAF Enabled

17 0 0 0
Test Description Ensures that API Gateway APIs are associated with a Web Application Firewall.
API Gateway APIs should be associated with a Web Application Firewall to ensure API
Additional Info
security.
Recommended Action Associate API Gateway API with Web Application Firewall
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-
Cloud Provider Link
aws-waf.html
PASS us-east-1 No API Gateway Rest APIs found
PASS us-west-1 No API Gateway Rest APIs found
PASS ca-central-1 No API Gateway Rest APIs found
PASS eu-central-1 No API Gateway Rest APIs found
PASS eu-west-1 No API Gateway Rest APIs found
PASS eu-north-1 No API Gateway Rest APIs found
PASS ap-northeast-1 No API Gateway Rest APIs found
PASS ap-southeast-1 No API Gateway Rest APIs found
PASS ap-south-1 No API Gateway Rest APIs found
PASS sa-east-1 No API Gateway Rest APIs found
CloudTrail CloudTrail Data Events

0 0 0 17
Test Description Ensure Data events are included into Amazon CloudTrail trails configuration.
Additional Info AWS CloudTrail trails should be configured to enable Data Events in order to log S3 object-
level API operations.
Recommended Action Update CloudTrail to enable data events.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-
Cloud Provider Link
cloudtrail.html
arn:aws:cloudtrail:us-east- Unable to query event selectors: Unable to

UNKN us-east-1
1:922503285322:trail/Siscor obtain data

UNKN us-east-2

UNKN us-west-1

UNKN us-west-2

UNKN ca-central-1

UNKN eu-central-1

UNKN eu-west-1

UNKN eu-west-2

UNKN eu-west-3

UNKN eu-north-1
ap- arn:aws:cloudtrail:us-east- Unable to query event selectors: Unable to

UNKN
northeast-1 1:922503285322:trail/Siscor obtain data

UNKN 1:922503285322:trail/Siscor
northeast-2 obtain data

UNKN
southeast-1 1:922503285322:trail/Siscor obtain data

UNKN

UNKN

UNKN ap-south-1

UNKN sa-east-1
CloudTrail CloudTrail Delivery Failing
17 0 0 0
Test Description Ensures that Amazon CloudTrail trail log files are delivered to destination S3 bucket.
Amazon CloudTrail trail logs should be delivered to destination S3 bucket to be used for
Additional Info
security audits.
Recommended Action Modify CloudTrail trail configurations so that logs are being delivered
Cloud Provider Link https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html
arn:aws:cloudtrail:us-east- Logs for CloudTrail trail "Siscor" are being

PASS us-east-1
1:922503285322:trail/Siscor delivered

PASS us-east-2

PASS us-west-1

PASS us-west-2

PASS ca-central-1

PASS eu-central-1

PASS eu-west-1

PASS eu-west-2

PASS eu-west-3

PASS eu-north-1
ap- arn:aws:cloudtrail:us-east- Logs for CloudTrail trail "Siscor" are being

PASS
northeast-1 1:922503285322:trail/Siscor delivered

PASS

PASS
southeast-1 1:922503285322:trail/Siscor delivered

PASS
southeast-2 1:922503285322:trail/Siscor delivered

PASS

PASS ap-south-1

PASS sa-east-1 1:922503285322:trail/Siscor delivered
CloudTrail CloudTrail Global Services Logging Duplicated

1 0 0 0
Test Description Ensures that AWS CloudTrail trails are not duplicating global services events in log files.
Only one trail should have Include Global Services feature enabled to avoid duplication of
Additional Info
global services events in log files.
Recommended Action Update CloudTrail trails to log global services events enabled for only one trail
Cloud Provider Link https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
PASS global CloudTrail global services event logs are not being duplicated
EC2 Automate EBS Snapshot Lifecycle

16 0 0 1
Test Description Ensure DLM is used to automate EBS volume snapshots management.
Amazon Data Lifecycle Manager (DLM) service enables you to manage the lifecycle of EBS
Additional Info volume snapshots. Using DLM helps in enforcing regular backup schedule, retaining backups,
deleting outdated EBS snapshots
Recommended Action Create lifecycle policy for EBS volumes.
Cloud Provider Link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html
R
es
Result Region o Message
ur
ce
Unable to query DLM lifecycle policies: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: dlm:GetLifecyclePolicies
on resource: arn:aws:dlm:us-east-1:922503285322:*
PASS us-east-2 No EBS volumes found
PASS us-west-1 No EBS volumes found

PASS us-west-2 No EBS volumes found
ca-central-
PASS No EBS volumes found
1
eu-central-
PASS No EBS volumes found
1
PASS eu-west-1 No EBS volumes found
PASS eu-north-1 No EBS volumes found
ap-
PASS northeast- No EBS volumes found
1
ap-
2
ap-
PASS southeast- No EBS volumes found
1
ap-
PASS southeast- No EBS volumes found
2
ap-
3
PASS ap-south-1 No EBS volumes found
PASS sa-east-1 No EBS volumes found
EC2 EBS Volumes Too Old Snapshots

17 0 0 0
Test Description Ensure that EBS volume snapshots are deleted after defined time period.
EBS volume snapshots older than indicated should be deleted after defined time period for
Additional Info
cost optimization.
Recommended Action Delete the EBS snapshots past their defined expiration date
Cloud Provider Link https://docs.amazonaws.cn/en_us/AWSEC2/latest/UserGuide/ebs-deleting-snapshot.html

PASS us-east-1 No EBS snapshots present
PASS us-east-2 No EBS snapshots present
PASS us-west-1 No EBS snapshots present
PASS us-west-2 No EBS snapshots present
PASS ca-central-1 No EBS snapshots present
PASS eu-central-1 No EBS snapshots present
PASS eu-west-1 No EBS snapshots present
PASS eu-north-1 No EBS snapshots present
PASS ap-northeast-1 No EBS snapshots present
PASS ap-southeast-1 No EBS snapshots present
PASS ap-southeast-2 No EBS snapshots present
PASS ap-south-1 No EBS snapshots present
PASS sa-east-1 No EBS snapshots present
EC2 VPC Endpoint Exposed

17 0 0 0
Test Description Ensure Amazon VPC endpoints are not publicly exposed.
VPC endpoints should not be publicly accessible in order to avoid any unsigned requests
Additional Info
made to the services inside VPC.
Recommended Action Update VPC endpoint access policy in order to stop any unsigned requests
Cloud Provider Link https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html

PASS us-east-1 No VPC endpoins present
PASS us-east-2 No VPC endpoins present
PASS us-west-1 No VPC endpoins present
PASS us-west-2 No VPC endpoins present
PASS ca-central-1 No VPC endpoins present
PASS eu-central-1 No VPC endpoins present
PASS eu-west-1 No VPC endpoins present
PASS eu-north-1 No VPC endpoins present
PASS ap-northeast-1 No VPC endpoins present
PASS ap-southeast-1 No VPC endpoins present
PASS ap-southeast-2 No VPC endpoins present
PASS ap-south-1 No VPC endpoins present
PASS sa-east-1 No VPC endpoins present
EC2 Unused Elastic Network Interfaces

22 0 0 0
Test Description Ensures that unused AWS Elastic Network Interfaces (ENIs) are removed.
Unused AWS ENIs should be removed to follow best practices and to avoid reaching the
Additional Info
service limit.
Recommended Action Delete the unused AWS Elastic Network Interfaces
Cloud Provider Link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

arn:aws:ec2:us-east-1:922503285322:network-interface/eni- AWS ENI "eni-

PASS us-east-1
04353977965837285 04353977965837285" is in use

PASS us-east-1
08b3a6d3171040fb6 08b3a6d3171040fb6" is in use

PASS us-east-1
0f9c7669cfd1a3745 0f9c7669cfd1a3745" is in use

PASS us-east-1
0d7bc02dd33d4e83a 0d7bc02dd33d4e83a" is in use

PASS us-east-1
0e4aa3ebb4b57514a 0e4aa3ebb4b57514a" is in use

PASS us-east-1
075928464dda5c9f0 075928464dda5c9f0" is in use
PASS us-east-2 No AWS ENIs found
PASS us-west-1 No AWS ENIs found
PASS us-west-2 No AWS ENIs found
ca-central-
PASS No AWS ENIs found
1
eu-central-
PASS No AWS ENIs found
1
PASS eu-west-1 No AWS ENIs found
PASS eu-north-1 No AWS ENIs found
ap-
PASS northeast- No AWS ENIs found
1
ap-
2
ap-
PASS southeast- No AWS ENIs found
1
ap-
PASS southeast- No AWS ENIs found
2
ap-
3
PASS ap-south-1 No AWS ENIs found

PASS sa-east-1 No AWS ENIs found
EC2 Unused Amazon Machine Images

17 0 0 0
Test Description Ensures that all Amazon Machine Images are in use to ensure cost optimization.
Additional Info All unused/deregistered Amazon Machine Images should be deleted to avoid extraneous cost.
Recommended Action Delete the unused/deregistered AMIs
Cloud Provider Link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
PASS us-east-1 No Amazon Machine Images found
PASS us-west-1 No Amazon Machine Images found
PASS ca-central-1 No Amazon Machine Images found
PASS eu-central-1 No Amazon Machine Images found
PASS eu-west-1 No Amazon Machine Images found
PASS eu-north-1 No Amazon Machine Images found
PASS ap-northeast-1 No Amazon Machine Images found
PASS ap-southeast-1 No Amazon Machine Images found
PASS ap-south-1 No Amazon Machine Images found

PASS sa-east-1 No Amazon Machine Images found
EC2 Unused VPC Internet Gateways

34 0 0 0
Ensures that unused VPC Internet Gateways and Egress-Only Internet Gateways are
Test Description
removed.
Unused VPC Internet Gateways and Egress-Only Internet Gateways must be removed to
Additional Info
avoid reaching the internet gateway limit.
Recommended Action Remove the unused/detached Internet Gateways and Egress-Only Internet Gateways
Cloud Provider Link https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
arn:aws:vpc:us-east-1:922503285322:internet- Internet Gateway "igw-8c9f67f6" is in

PASS us-east-1
gateway/igw-8c9f67f6 use
No Egress-Only Internet Gateways

PASS us-east-1
found
arn:aws:vpc:us-east-2:922503285322:internet- Internet Gateway "igw-4fe5de27" is

PASS us-east-2
gateway/igw-4fe5de27 in use

PASS us-east-2
found
arn:aws:vpc:us-west-1:922503285322:internet- Internet Gateway "igw-

PASS us-west-1
gateway/igw-0fc6ef8616f1014e3 0fc6ef8616f1014e3" is in use

PASS us-west-1
found
arn:aws:vpc:us-west-2:922503285322:internet- Internet Gateway "igw-

PASS us-west-2
gateway/igw-0c37bf32b8a48ac9a 0c37bf32b8a48ac9a" is in use

PASS us-west-2
found
ca-central- arn:aws:vpc:ca-central-1:922503285322:internet- Internet Gateway "igw-

PASS
1 gateway/igw-0e91e29a37d5b6346 0e91e29a37d5b6346" is in use
ca-central- No Egress-Only Internet Gateways

PASS
1 found
eu-central- arn:aws:vpc:eu-central-1:922503285322:internet- Internet Gateway "igw-

PASS
1 gateway/igw-0c44b43ee4c00d2b9 0c44b43ee4c00d2b9" is in use
eu-central- No Egress-Only Internet Gateways

PASS
1 found
arn:aws:vpc:eu-west-1:922503285322:internet- Internet Gateway "igw-

PASS eu-west-1
gateway/igw-0c4542f8014526bfc 0c4542f8014526bfc" is in use
PASS eu-west-1 No Egress-Only Internet Gateways
found

PASS eu-west-2
gateway/igw-0ff1485ce1a618faa 0ff1485ce1a618faa" is in use

PASS eu-west-2
found

PASS eu-west-3
gateway/igw-0af0e97fb6289c693 0af0e97fb6289c693" is in use

PASS eu-west-3
found
arn:aws:vpc:eu-north-1:922503285322:internet- Internet Gateway "igw-

PASS eu-north-1
gateway/igw-01d5d1cb4f946519a 01d5d1cb4f946519a" is in use

PASS eu-north-1
found
ap-
arn:aws:vpc:ap-northeast-1:922503285322:internet- Internet Gateway "igw-
PASS northeast-
gateway/igw-02feaf092bca87cfe 02feaf092bca87cfe" is in use
1
ap-
PASS northeast-
found
1
ap-
PASS northeast-
gateway/igw-002d64d652f4ab249 002d64d652f4ab249" is in use
2
ap-
PASS northeast-
found
2
ap- arn:aws:vpc:ap-southeast-1:922503285322:internet- Internet Gateway "igw-

PASS southeast- gateway/igw-06f89180a906d735b 06f89180a906d735b" is in use
1
ap-
PASS southeast-
found
1
ap-
arn:aws:vpc:ap-southeast-2:922503285322:internet- Internet Gateway "igw-
PASS southeast-
gateway/igw-065419b60cd4f20bb 065419b60cd4f20bb" is in use
2
ap-
PASS southeast-
found
2
ap-
PASS northeast-
gateway/igw-0b97885578518f3b8 0b97885578518f3b8" is in use
3
ap-
PASS northeast-
found
3
arn:aws:vpc:ap-south-1:922503285322:internet- Internet Gateway "igw-

PASS ap-south-1
gateway/igw-0e2c601bdc8b0b194 0e2c601bdc8b0b194" is in use

PASS ap-south-1
found
PASS sa-east-1 arn:aws:vpc:sa-east-1:922503285322:internet- Internet Gateway "igw-134a4a77" is
gateway/igw-134a4a77 in use

PASS sa-east-1
found
EC2 Managed NAT Gateway In Use

0 0 17 0
Ensure AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled
Test Description
for high availability (HA).
VPCs should use highly available Managed NAT Gateways in order to enable EC2 instances
Additional Info
to connect to the internet or with other AWS components.
Recommended Action Update VPCs to use Managed NAT Gateways instead of NAT instances
https://aws.amazon.com/blogs/aws/new-managed-nat-network-address-translation-gateway-
Cloud Provider Link
for-aws/
arn:aws:vpc:us-east-1:922503285322:/vpc/vpc- VPC "vpc-26c1545b" is not using managed

FAIL us-east-1
26c1545b NAT Gateway
arn:aws:vpc:us-east-2:922503285322:/vpc/vpc- VPC "vpc-6090090b" is not using managed

FAIL us-east-2
6090090b NAT Gateway
arn:aws:vpc:us-west-1:922503285322:/vpc/vpc- VPC "vpc-0c2d2282542beab46" is not using

FAIL us-west-1
0c2d2282542beab46 managed NAT Gateway
arn:aws:vpc:us-west-2:922503285322:/vpc/vpc- VPC "vpc-0a048fe7436065d58" is not using

FAIL us-west-2
0a048fe7436065d58 managed NAT Gateway
ca-central- arn:aws:vpc:ca-central- VPC "vpc-09770145827bef7d6" is not using

FAIL
1 1:922503285322:/vpc/vpc-09770145827bef7d6 managed NAT Gateway
eu-central- arn:aws:vpc:eu-central- VPC "vpc-0a58a4e7b0c93b7ab" is not using

FAIL
1 1:922503285322:/vpc/vpc-0a58a4e7b0c93b7ab managed NAT Gateway
arn:aws:vpc:eu-west-1:922503285322:/vpc/vpc- VPC "vpc-08275f72a1e4e98f5" is not using

FAIL eu-west-1
08275f72a1e4e98f5 managed NAT Gateway
FAIL arn:aws:vpc:eu-west-2:922503285322:/vpc/vpc- VPC "vpc-0e30be664fd118c17" is not using

eu-west-2
0e30be664fd118c17 managed NAT Gateway
arn:aws:vpc:eu-west-3:922503285322:/vpc/vpc- VPC "vpc-0996522b3020b1ab5" is not using

FAIL eu-west-3
0996522b3020b1ab5 managed NAT Gateway
arn:aws:vpc:eu-north-1:922503285322:/vpc/vpc- VPC "vpc-0f4d32bbc44db3bba" is not using

FAIL eu-north-1
0f4d32bbc44db3bba managed NAT Gateway
ap-
arn:aws:vpc:ap-northeast- VPC "vpc-030dd710cab63ff8d" is not using
FAIL northeast-
1:922503285322:/vpc/vpc-030dd710cab63ff8d managed NAT Gateway
1
FAIL ap- arn:aws:vpc:ap-northeast- VPC "vpc-0e3a3e30aee7daf8a" is not using
northeast- 2:922503285322:/vpc/vpc-0e3a3e30aee7daf8a managed NAT Gateway
2
ap-
arn:aws:vpc:ap-southeast- VPC "vpc-0e19b6b8f7dfe3c2a" is not using
FAIL southeast-
1:922503285322:/vpc/vpc-0e19b6b8f7dfe3c2a managed NAT Gateway
1
ap-
arn:aws:vpc:ap-southeast- VPC "vpc-01606d90294e3ddf2" is not using
FAIL southeast-
2:922503285322:/vpc/vpc-01606d90294e3ddf2 managed NAT Gateway
2
ap-
arn:aws:vpc:ap-northeast- VPC "vpc-0d6c6d69eecdef2fd" is not using
FAIL northeast-
3:922503285322:/vpc/vpc-0d6c6d69eecdef2fd managed NAT Gateway
3
arn:aws:vpc:ap-south-1:922503285322:/vpc/vpc- VPC "vpc-0430a98d4d8672743" is not using

FAIL ap-south-1
0430a98d4d8672743 managed NAT Gateway
arn:aws:vpc:sa-east-1:922503285322:/vpc/vpc- VPC "vpc-ae08c3c8" is not using managed

FAIL sa-east-1
ae08c3c8 NAT Gateway
EC2 Unused Virtual Private Gateway

17 0 0 0
Test Description Ensures that unused Virtual Private Gateways (VGWs) are removed.
Unused VGWs should be remove to follow best practices and to avoid reaching the service
Additional Info
limit.
Recommended Action Remove the unused Virtual Private Gateways (VGWs)
Cloud Provider Link https://docs.aws.amazon.com/vpn/latest/s2svpn/delete-vpn.html
PASS us-east-1 No Virtual Private Gateways found
PASS us-west-1 No Virtual Private Gateways found
PASS ca-central-1 No Virtual Private Gateways found
PASS eu-central-1 No Virtual Private Gateways found
PASS eu-west-1 No Virtual Private Gateways found

PASS eu-north-1 No Virtual Private Gateways found
PASS ap-northeast-1 No Virtual Private Gateways found
PASS ap-southeast-1 No Virtual Private Gateways found
PASS ap-south-1 No Virtual Private Gateways found
PASS sa-east-1 No Virtual Private Gateways found
EFS EFS CMK Encrypted

17 0 0 0
Test Description Ensure EFS file systems are encrypted using Customer Master Keys (CMKs).
EFS file systems should use KMS Customer Master Keys (CMKs) instead of AWS managed
Additional Info
keys for encryption in order to have full control over data encryption and decryption.
Encryption at rest key can only be configured during file system creation. Encryption of data in
Recommended Action transit is configured when mounting your file system. 1. Backup your data in not encrypted efs
2. Recreate the EFS and use KMS CMK for encryption of data at rest.
Cloud Provider Link https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html
PASS us-east-1 No EFS file systems found
PASS us-east-2 No EFS file systems found
PASS us-west-1 No EFS file systems found
PASS us-west-2 No EFS file systems found
PASS ca-central-1 No EFS file systems found
PASS eu-central-1 No EFS file systems found
PASS eu-west-1 No EFS file systems found

PASS eu-north-1 No EFS file systems found
PASS ap-northeast-1 No EFS file systems found
PASS ap-southeast-1 No EFS file systems found
PASS ap-southeast-2 No EFS file systems found
PASS ap-south-1 No EFS file systems found
PASS sa-east-1 No EFS file systems found
ELBv2 ELBv2 Minimum Number of EC2 Target Instances

17 0 0 0
Ensures that there is a minimum number of two healthy target instances associated with each
Test Description
AWS ELBv2 load balancer.
There should be a minimum number of two healthy target instances associated with each AWS
Additional Info
ELBv2 load balancer to ensure fault tolerance.
Recommended Action Associate at least two healthy target instances to AWS ELBv2 load balancer
Cloud Provider Link
groups.html
PASS ca-central-1 No Application/Network load balancers found

PASS eu-central-1 No Application/Network load balancers found
PASS eu-north-1 No Application/Network load balancers found
PASS ap-south-1 No Application/Network load balancers found
PASS sa-east-1 No Application/Network load balancers found
ELBv2 ELBv2 NLB Listener Security

17 0 0 0
Test Description Ensures that AWS Network Load Balancers have secured listener configured.
AWS Network Load Balancer should have TLS protocol listener configured to terminate TLS
Additional Info
traffic.
Recommended Action Attach TLS listener to AWS Network Load Balancer
Cloud Provider Link https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/network/create-tls-listener.html

EMR EMR Cluster Logging

17 0 0 0
Test Description Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3.
Additional Info EMR cluster logging should be enabled to save log files for troubleshooting purposes.
Recommended Action Modify EMR clusters to enable cluster logging
Cloud Provider Link https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-debugging.html

Redshift Redshift Cluster Audit Logging Enabled

17 0 0 0
Test Description Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes.
Additional Info Redshift clusters should be configured to enable audit logging to log cluster usage information.
Recommended Action Modify Redshift clusters to enable audit logging
Cloud Provider Link https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html

Redshift Redshift Cluster Allow Version Upgrade

17 0 0 0
Ensure that version upgrade is enabled for Redshift clusters to automatically receive upgrades
Test Description
during the maintenance window.
Redshift clusters should be configured to allow version upgrades to get the newest features,
Additional Info
bug fixes or the latest security patches released.
Recommended Action Modify Redshift clusters to allow version upgrade
Cloud Provider Link https://docs.amazonaws.cn/en_us/redshift/latest/mgmt/redshift-mgmt.pdf

Redshift Redshift User Activity Logging Enabled

17 0 0 0
Test Description Ensure that user activity logging is enabled for your Amazon Redshift clusters.
Redshift clusters associated parameter groups should have user activity logging enabled in
Additional Info
order to log user activities performed.
Recommended Action Update Redshift parameter groups to enable user activity logging
Cloud Provider Link https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-enable-logging

API Gateway API Gateway Certificate Rotation

17 0 0 0
Ensures that Amazon API Gateway APIs have certificates with expiration date more than the
Test Description
rotation limit.
API Gateway APIs should have certificates with long term expiry date to avoid API insecurity
Additional Info
after certificate expiration.
Recommended Action Rotate the certificate attached to API Gateway API
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-
Cloud Provider Link
authentication.html

API Gateway API Gateway Private Endpoints

17 0 0 0
Test Description Ensures that Amazon API Gateway APIs are only accessible through private endpoints.
Additional Info API Gateway APIs should be only accessible through private endpoints to ensure API security.
Recommended Action Set API Gateway API endpoint configuration to private
Cloud Provider Link https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints

API Gateway API Gateway Content Encoding

17 0 0 0
Test Description Ensures that Amazon API Gateway APIs have content encoding enabled.
API Gateway API should have content encoding enabled to enable compression of response
Additional Info
payload.
Recommended Action Enable content encoding and set minimum compression size of API Gateway API response
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-gzip-
Cloud Provider Link
compression-decompression.html
API Gateway API Gateway Tracing Enabled

17 0 0 0
Test Description Ensures that Amazon API Gateway API stages have tracing enabled for AWS X-Ray.
API Gateway API stages should have tracing enabled to send traces to AWS X-Ray for
Additional Info
enhanced distributed tracing.
Recommended Action Enable tracing on API Gateway API stages
Cloud Provider Link https://docs.aws.amazon.com/xray/latest/devguide/xray-services-apigateway.html

API Gateway API Gateway Detailed CloudWatch Metrics

17 0 0 0
Test Description Ensures that API Gateway API stages have detailed CloudWatch metrics enabled.
API Gateway API stages should have detailed CloudWatch metrics enabled to monitor logs
Additional Info
and events.
Recommended Action Add CloudWatch role ARN to API settings and enabled detailed metrics for each stage
Cloud Provider Link https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-metrics.html

API Gateway API Gateway Client Certificate

17 0 0 0
Test Description Ensures that Amazon API Gateway API stages use client certificates.
Additional Info API Gateway API stages should use client certificates to ensure API security authorization.
Recommended Action Attach client certificate to API Gateway API stages
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-
Cloud Provider Link
authentication.html
DynamoDB DynamoDB Continuous Backups

17 0 0 0
Test Description Ensures that Amazon DynamoDB tables have continuous backups enabled.
DynamoDB tables should have Continuous Backups and Point-In-Time Recovery (PITR)
Additional Info
features enabled to protect DynamoDB data against accidental data writes.
Recommended Action Enable Continuous Backups and Point-In-Time Recovery (PITR) features.
https://aws.amazon.com/blogs/aws/new-amazon-dynamodb-continuous-backups-and-point-in-
Cloud Provider Link time-recovery-pitr/
EC2 VPC Endpoint Cross Account Access

17 0 0 0
Test Description Ensures that Amazon VPC endpoints do not allow unknown cross account access.
VPC endpoints should not allow unknown cross account access to avoid any unsigned
Additional Info
requests made to the services inside VPC.
Recommended Action Update VPC endpoint access policy in order to remove untrusted cross account access
PASS us-east-1 No VPC endpoins found
PASS us-east-2 No VPC endpoins found
PASS us-west-1 No VPC endpoins found
PASS us-west-2 No VPC endpoins found
PASS ca-central-1 No VPC endpoins found
PASS eu-central-1 No VPC endpoins found
PASS eu-west-1 No VPC endpoins found
PASS eu-north-1 No VPC endpoins found
PASS ap-northeast-1 No VPC endpoins found
PASS ap-southeast-1 No VPC endpoins found
PASS ap-southeast-2 No VPC endpoins found
PASS ap-south-1 No VPC endpoins found
PASS sa-east-1 No VPC endpoins found
EC2 Cross Organization VPC Peering Connections

17 0 0 0
Ensures that VPC peering communication is only between AWS accounts, members of the
Test Description
same AWS Organization.
VPC peering communication should be only between AWS accounts to keep organization
Additional Info
resources private and isolated.
Update VPC peering connections to allow connections to AWS Accounts, members of the
Recommended Action
same organization
Cloud Provider Link https://docs.aws.amazon.com/vpc/latest/peering/working-with-vpc-peering.html
PASS us-east-1 No VPC peering connections found
PASS us-east-2 No VPC peering connections found
PASS us-west-1 No VPC peering connections found
PASS us-west-2 No VPC peering connections found
PASS ca-central-1 No VPC peering connections found
PASS eu-central-1 No VPC peering connections found
PASS eu-west-1 No VPC peering connections found
PASS eu-north-1 No VPC peering connections found
PASS ap-northeast-1 No VPC peering connections found
PASS ap-southeast-1 No VPC peering connections found
PASS ap-southeast-2 No VPC peering connections found
PASS ap-south-1 No VPC peering connections found
PASS sa-east-1 No VPC peering connections found
EC2 VPC Subnet Instances Present

4 0 51 0
Test Description Ensures that there are instances attached to every subnet.
All subnets should have instances associated and unused subnets should be removed to avoid
Additional Info
reaching the limit.
Recommended Action Update VPC subnets and attach instances to it or remove the unused VPC subnets
arn:aws:ec2:us-east-1:922503285322:subnet/subnet-
PASS us-east-1 Subnet has 1 instances attached
15e0e958
484b322e
96b3c9c9
arn:aws:ec2:us-east-1:922503285322:subnet/subnet- Subnet does not have any

FAIL us-east-1
69f4c767 instance attached
2c07400d

FAIL us-east-1
5d028f6c instance attached

FAIL us-east-2
5e13ec23 instance attached

FAIL us-east-2
4e6e4802 instance attached

FAIL us-east-2
daab2ab1 instance attached
arn:aws:ec2:us-west-1:922503285322:subnet/subnet- Subnet does not have any

FAIL us-west-1
04b300d7a202c19c5 instance attached

FAIL us-west-1
0a73cdb301aed1693 instance attached

FAIL us-west-2
0e1539ff91e81c4c2 instance attached

FAIL us-west-2
01e5ca7cf1a748fc2 instance attached

FAIL us-west-2
0b9c6375791cdc931 instance attached

FAIL us-west-2
0d81008a71f708459 instance attached
ca-central- arn:aws:ec2:ca-central-1:922503285322:subnet/subnet- Subnet does not have any

FAIL
1 09ef030317dbdf1ef instance attached

FAIL
1 0bcddf4ab52a09da7 instance attached

FAIL
1 0206dfe4e20b91171 instance attached
FAIL eu-central- arn:aws:ec2:eu-central-1:922503285322:subnet/subnet- Subnet does not have any
1 076cd8bf9dcf54fc0 instance attached
eu-central- arn:aws:ec2:eu-central-1:922503285322:subnet/subnet- Subnet does not have any

FAIL
1 0961df033653668b5 instance attached
eu-central- arn:aws:ec2:eu-central-1:922503285322:subnet/subnet- Subnet does not have any

FAIL
1 06d29f1135051f2bc instance attached
arn:aws:ec2:eu-west-1:922503285322:subnet/subnet- Subnet does not have any

FAIL eu-west-1
014b0a4ac8701b21f instance attached

FAIL eu-west-1
0ab023ddc44ec48bf instance attached

FAIL eu-west-1
0e3217ad2e05f871b instance attached

FAIL eu-west-2
023fe44b3231c8957 instance attached

FAIL eu-west-2
044ff7f6d2283a084 instance attached

FAIL eu-west-2
0312a995d48d4e700 instance attached

FAIL eu-west-3
04e1573553bfb72e3 instance attached

FAIL eu-west-3
02e12a84badf5299f instance attached

FAIL eu-west-3
02a418758c2c42a5f instance attached
arn:aws:ec2:eu-north-1:922503285322:subnet/subnet- Subnet does not have any

FAIL eu-north-1
067b47de750b8b644 instance attached

FAIL eu-north-1
05feb6266871b4675 instance attached

FAIL eu-north-1
02399809a6382b56d instance attached
ap-
arn:aws:ec2:ap-northeast-1:922503285322:subnet/subnet- Subnet does not have any
FAIL northeast-
0f84c166ccc0db45f instance attached
1
ap-
FAIL northeast-
080f510a7524813d8 instance attached
1
ap-
FAIL northeast-
03bfb532abde041c5 instance attached
1
ap-
FAIL northeast-
0d2075fb36c202f61 instance attached
2
ap-
FAIL northeast-
03c4b12b54a770b0b instance attached
2
ap-
FAIL arn:aws:ec2:ap-northeast-2:922503285322:subnet/subnet-
northeast- Subnet does not have any
2 05038cc40cd35b8df instance attached
ap-
FAIL northeast-
02afc97d7216128af instance attached
2
ap-
arn:aws:ec2:ap-southeast-1:922503285322:subnet/subnet- Subnet does not have any
FAIL southeast-
0d3848165a38d1af3 instance attached
1
ap-
FAIL southeast-
021a96d5112e1d79b instance attached
1
ap-
FAIL southeast-
07a0dd415c6839163 instance attached
1
ap-
FAIL southeast-
0dde3ef370d3997f7 instance attached
2
ap-
FAIL southeast-
0b3ce4e612ee12376 instance attached
2
ap-
FAIL southeast-
090e1f95ff328dc1f instance attached
2
ap-
FAIL northeast-
001a282e5e5f8a00a instance attached
3
ap-
FAIL northeast-
0607800a95005dc33 instance attached
3
ap-
FAIL northeast-
006ca8371dba18eef instance attached
3
arn:aws:ec2:ap-south-1:922503285322:subnet/subnet- Subnet does not have any

FAIL ap-south-1
0ef9e3cbbc5ee6c0a instance attached

FAIL ap-south-1
085ffdeda8d0dd00a instance attached

FAIL ap-south-1
07f12bdad47b4e2af instance attached
arn:aws:ec2:sa-east-1:922503285322:subnet/subnet- Subnet does not have any

FAIL sa-east-1
38ce8d63 instance attached

FAIL sa-east-1
b2077dfb instance attached

FAIL sa-east-1
ba2a6edc instance attached
EC2 Unrestricted Network ACL Outbound Traffic
0 0 17 0
Test Description Ensures that no Amazon Network ACL allows outbound/egress traffic to all ports.
Amazon Network ACL should not allow outbound/egress traffic to all ports to avoid
Additional Info
unauthorized access at the subnet level.
Recommended Action Update Network ACL to allow outbound/egress traffic to specific port ranges only
Cloud Provider Link https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
arn:aws:ec2:us-east-1:922503285322:network- Network ACL "acl-9bf70be7" allows

FAIL us-east-1
acl/acl-9bf70be7 unrestricted access
arn:aws:ec2:us-east-2:922503285322:network- Network ACL "acl-aa92d6c1" allows

FAIL us-east-2
acl/acl-aa92d6c1 unrestricted access
arn:aws:ec2:us-west-1:922503285322:network- Network ACL "acl-0ff108ab788a0a856"

FAIL us-west-1
acl/acl-0ff108ab788a0a856 allows unrestricted access
arn:aws:ec2:us-west-2:922503285322:network- Network ACL "acl-0929c87c87a997d5f"

FAIL us-west-2
acl/acl-0929c87c87a997d5f allows unrestricted access
ca-central- arn:aws:ec2:ca-central-1:922503285322:network- Network ACL "acl-052602daad3dc8a73"

FAIL
1 acl/acl-052602daad3dc8a73 allows unrestricted access
eu-central- arn:aws:ec2:eu-central-1:922503285322:network- Network ACL "acl-093e4973bd5f34935"

FAIL
1 acl/acl-093e4973bd5f34935 allows unrestricted access
arn:aws:ec2:eu-west-1:922503285322:network- Network ACL "acl-07cf3f362f5a00917"

FAIL eu-west-1
acl/acl-07cf3f362f5a00917 allows unrestricted access
arn:aws:ec2:eu-west-2:922503285322:network- Network ACL "acl-024d99c433b6fdf99"

FAIL eu-west-2
acl/acl-024d99c433b6fdf99 allows unrestricted access
arn:aws:ec2:eu-west-3:922503285322:network- Network ACL "acl-040b9f265ee9f8c3a"

FAIL eu-west-3
acl/acl-040b9f265ee9f8c3a allows unrestricted access
arn:aws:ec2:eu-north-1:922503285322:network- Network ACL "acl-05c276955cee0ea76"

FAIL eu-north-1
acl/acl-05c276955cee0ea76 allows unrestricted access
ap- arn:aws:ec2:ap-northeast-1:922503285322:network- Network ACL "acl-04918151fd7f2b72f"

FAIL northeast- acl/acl-04918151fd7f2b72f allows unrestricted access
1
ap-
arn:aws:ec2:ap-northeast-2:922503285322:network- Network ACL "acl-003f4e69722f9cf0d"
FAIL northeast-
acl/acl-003f4e69722f9cf0d allows unrestricted access
2
Network ACL "acl-0ed7fcbb6dbada4b9"
FAIL southeast- 1:922503285322:network-acl/acl-
allows unrestricted access
1 0ed7fcbb6dbada4b9
Network ACL "acl-0792f69e88328ba37"
FAIL southeast- 2:922503285322:network-acl/acl-
allows unrestricted access
2 0792f69e88328ba37
ap-
arn:aws:ec2:ap-northeast-3:922503285322:network- Network ACL "acl-093350ee90e5d88a4"
FAIL northeast-
acl/acl-093350ee90e5d88a4 allows unrestricted access
3
arn:aws:ec2:ap-south-1:922503285322:network- Network ACL "acl-09f3f950864a73b2e"

FAIL ap-south-1
acl/acl-09f3f950864a73b2e allows unrestricted access
arn:aws:ec2:sa-east-1:922503285322:network- Network ACL "acl-5b69a53d" allows

FAIL sa-east-1
acl/acl-5b69a53d unrestricted access
EKS EKS Secrets Encrypted

17 0 0 0
Ensures EKS clusters are configured to enable envelope encryption of Kubernetes secrets
Test Description
using KMS.
Amazon EKS clusters should be configured to enable envelope encryption for Kubernetes
Additional Info
secrets to adhere to security best practice for applications that store sensitive data.
Recommended Action Modify EKS clusters to enable envelope encryption for Kubernetes secrets
https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-
Cloud Provider Link
encryption-for-secrets-with-aws-kms/
PASS us-east-1 No EKS clusters found
PASS us-east-2 No EKS clusters found
PASS us-west-1 No EKS clusters found
PASS us-west-2 No EKS clusters found
PASS ca-central-1 No EKS clusters found
PASS eu-central-1 No EKS clusters found
PASS eu-west-1 No EKS clusters found
PASS eu-north-1 No EKS clusters found
PASS ap-northeast-1 No EKS clusters found
PASS ap-southeast-1 No EKS clusters found

PASS ap-southeast-2 No EKS clusters found
PASS ap-south-1 No EKS clusters found
PASS sa-east-1 No EKS clusters found
IAM IAM Master and IAM Manager Roles

0 0 1 0
Test Description Ensure IAM Master and IAM Manager roles are active within your AWS account.
IAM roles should be split into IAM Master and IAM Manager roles to work in two-person rule
Additional Info
manner for best prectices.
Create the IAM Master and IAM Manager roles for an efficient IAM administration and
Recommended Action
permission management within your AWS account
Cloud Provider Link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
FAIL global IAM Master and Manager Roles not found
IAM Trusted Cross Account Roles

3 0 1 0
Test Description Ensures that only trusted cross-account IAM roles can be used.
Additional Info IAM roles should be configured to allow access to trusted account IDs.
Recommended Action Delete the IAM roles that are associated with untrusted account IDs.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-
Cloud Provider Link
accounts.html
arn:aws:iam::922503285322:role/aws-service-
IAM Role "AWSServiceRoleForSupport" does
PASS global role/support.amazonaws.com/AWSServiceRole
not contain cross-account statements
ForSupport
arn:aws:iam::922503285322:role/aws-service- IAM Role "AWSServiceRoleForTrustedAdvisor"
PASS global role/trustedadvisor.amazonaws.com/AWSServic does not contain cross-account statements
eRoleForTrustedAdvisor
Cross-account role "Cloud3_AuditRole"

arn:aws:iam::922503285322:role/Cloud3_Audit
FAIL global contains these untrusted account principals:
Role
arn:aws:iam::057012691312:root
arn:aws:iam::922503285322:role/CloudWatchA IAM Role "CloudWatchAgentServerRole" does

PASS global
gentServerRole not contain cross-account statements
S3 S3 Bucket Policy CloudFront OAI

1 0 0 0
Test Description Ensures S3 bucket is origin to only one distribution and allows only that distribution.
Access to CloudFront origins should only happen via ClouFront URL and not from S3 URL or
Additional Info
any source in order to restrict access to private data.
Review the access policy for S3 bucket which is an origin to a CloudFront distribution. Make
sure the S3 bucket is origin to only one distribution. Modify the S3 bucket access policy to
Recommended Action
allow CloudFront OAI for only the associated CloudFront distribution and restrict access from
any other source.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-
Cloud Provider Link
restricting-access-to-s3.html
PASS global No S3 origins to check
S3 S3 Transfer Acceleration Enabled

0 0 3 0
Ensures that S3 buckets have transfer acceleration enabled to increase the speed of data
Test Description
transfers.
S3 buckets should have transfer acceleration enabled to increase the speed of data transfers
Additional Info
in and out of Amazon S3 using AWS edge network.
Recommended Action Modify S3 bucket to enable transfer acceleration.
Cloud Provider Link https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html

FAIL us-east-1 arn:aws:s3:::siscor- S3 bucket siscor-backups does not have transfer acceleration
backups enabled
FAIL us-east-1 arn:aws:s3:::siscor-trails S3 bucket siscor-trails does not have transfer acceleration enabled
S3 bucket siscor-transfer does not have transfer acceleration

FAIL us-east-1 arn:aws:s3:::siscor-transfer
enabled
S3 S3 DNS Compliant Bucket Names

3 0 0 0
Test Description Ensures that S3 buckets have DNS complaint bucket names.
S3 bucket names must be DNS-compliant and not contain period "." to enable S3 Transfer
Additional Info
Acceleration and to use buckets over SSL.
Recommended Action Recreate S3 bucket to use "-" instead of "." in S3 bucket names.
Cloud Provider Link https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html
PASS us-east-1 arn:aws:s3:::siscor-backups S3 bucket name is compliant with DNS naming requirements
PASS us-east-1 arn:aws:s3:::siscor-trails S3 bucket name is compliant with DNS naming requirements
PASS us-east-1 arn:aws:s3:::siscor-transfer S3 bucket name is compliant with DNS naming requirements
SQS SQS Dead Letter Queue

17 0 0 0
Test Description Ensures that each Amazon SQS queue has Dead Letter Queue configured.
Amazon SQS queues should have dead letter queue configured to avoid data loss for
Additional Info
unprocessed messages.
Recommended Action Update Amazon SQS queue and configure dead letter queue.
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-
Cloud Provider Link
dead-letter-queues.html

PASS us-east-1 No Amazon SQS queues found
PASS us-east-2 No Amazon SQS queues found
PASS us-west-1 No Amazon SQS queues found
PASS us-west-2 No Amazon SQS queues found
PASS ca-central-1 No Amazon SQS queues found
PASS eu-central-1 No Amazon SQS queues found
PASS eu-west-1 No Amazon SQS queues found
PASS eu-north-1 No Amazon SQS queues found
PASS ap-northeast-1 No Amazon SQS queues found
PASS ap-southeast-1 No Amazon SQS queues found
PASS ap-southeast-2 No Amazon SQS queues found
PASS ap-south-1 No Amazon SQS queues found
PASS sa-east-1 No Amazon SQS queues found
SQS SQS Queue Unprocessed Messages

17 0 0 0
Test Description Ensures that Amazon SQS queue has not reached unprocessed messages limit.
Amazon SQS queues should have unprocessed messages less than the limit to be highly
Additional Info
available and responsive.
Set up appropriate message polling time and set up dead letter queue for Amazon SQS queue
Recommended Action
to handle messages in time
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/working-
Cloud Provider Link
with-messages.html
Lambda Lambda Admin Privileges

17 0 0 0
Test Description Ensures no Lambda function available in your AWS account has admin privileges.
AWS Lambda Function should have most-restrictive IAM permissions for Lambda security best
Additional Info
practices.
Modify IAM role attached with Lambda function to provide the minimal amount of access
Recommended Action
required to perform its tasks
Cloud Provider Link https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html
Lambda Lambda Tracing Enabled

17 0 0 0
Test Description Ensures AWS Lambda functions have active tracing for X-Ray.
AWS Lambda functions should have active tracing in order to gain visibility into the functions
Additional Info
execution and performance.
Recommended Action Modify Lambda functions to activate tracing
Cloud Provider Link https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html
CloudWatchLogs CloudWatch Log Retention Period

17 0 0 5
Test Description Ensures that the CloudWatch Log retention period is set above a specified length of time.
Retention settings can be used to specify how long log events are kept in CloudWatch Logs.
Additional Info Expired log events get deleted automatically.
Recommended Action Ensure CloudWatch logs are retained for at least 90 days.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-
Cloud Provider Link
streams.html
PASS us-east-1 No CloudWatch Logs log groups found
PASS us-east-2 No CloudWatch Logs log groups found
PASS us-west-1 No CloudWatch Logs log groups found
PASS us-west-2 No CloudWatch Logs log groups found
PASS ca-central-1 No CloudWatch Logs log groups found
PASS eu-central-1 No CloudWatch Logs log groups found
PASS eu-west-1 No CloudWatch Logs log groups found
PASS eu-north-1 No CloudWatch Logs log groups found
UNKN eu-south-1 Unable to query CloudWatch Logs log groups: Unable to obtain data
PASS ap-northeast-1 No CloudWatch Logs log groups found
PASS ap-southeast-1 No CloudWatch Logs log groups found
PASS ap-southeast-2 No CloudWatch Logs log groups found
PASS ap-south-1 No CloudWatch Logs log groups found
PASS sa-east-1 No CloudWatch Logs log groups found
UNKN ap-east-1 Unable to query CloudWatch Logs log groups: Unable to obtain data
UNKN me-south-1 Unable to query CloudWatch Logs log groups: Unable to obtain data
UNKN af-south-1 Unable to query CloudWatch Logs log groups: Unable to obtain data
UNKN ap-southeast-3 Unable to query CloudWatch Logs log groups: Unable to obtain data
Redshift Redshift Cluster In VPC

17 0 0 0
Test Description Ensures that Amazon Redshift clusters are launched within a Virtual Private Cloud (VPC).
Amazon Redshift clusters should be launched within a Virtual Private Cloud (VPC) to ensure
Additional Info
cluster security.
Recommended Action Update Amazon Redshift cluster and attach it to VPC
Cloud Provider Link https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms

Redshift Redshift Cluster Default Port

17 0 0 0
Ensures that Amazon Redshift clusters are not using port "5439" (default port) for database
Test Description
access.
Amazon Redshift clusters should not use the default port for database access to ensure cluster
Additional Info
security.
Recommended Action Update Amazon Redshift cluster endpoint port.
Cloud Provider Link https://docs.amazonaws.cn/en_us/redshift/latest/gsg/rs-gsg-launch-sample-cluster.html

Redshift Redshift Cluster Default Master Username

17 0 0 0
Ensures that Amazon Redshift clusters are not using "awsuser" (default master username) for
Test Description
database access.
Amazon Redshift clusters should not use default master username for database access to
Additional Info
ensure cluster security.
Recommended Action Update Amazon Redshift cluster master username.
Cloud Provider Link https://docs.amazonaws.cn/en_us/redshift/latest/gsg/rs-gsg-launch-sample-cluster.html

Redshift Redshift Automated Snapshot Retention Period

17 0 0 0
Test Description Ensures that retention period is set for Amazon Redshift automated snapshots.
Amazon Redshift clusters should have retention period set for automated snapshots for data
Additional Info
protection and to avoid unexpected failures.
Recommended Action Modify Amazon Redshift cluster to set snapshot retention period
Cloud Provider Link https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html

Redshift Redshift Nodes Count

17 0 0 0
Ensures that each AWS region has not reached the limit set for the number of Redshift cluster
Test Description
nodes.
The number of provisioned Amazon Redshift cluster nodes must be less than the provided
Additional Info
nodes limit to avoid reaching the limit and exceeding the set budget.
Recommended Action Remove Redshift clusters over defined limit
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#working-with-
Cloud Provider Link
clusters-overview

Redshift Redshift Unused Reserved Nodes

17 0 0 0
Test Description Ensures that Amazon Redshift Reserved Nodes are being utilized.
Additional Info Amazon Redshift reserved nodes must be utilized to avoid unnecessary billing.
Recommended Action Provision new Redshift clusters matching the criteria of reserved nodes
Cloud Provider Link https://docs.aws.amazon.com/redshift/latest/mgmt/purchase-reserved-node-instance.html
PASS us-east-1 No Redshift reserved nodes found
PASS us-east-2 No Redshift reserved nodes found
PASS us-west-1 No Redshift reserved nodes found
PASS us-west-2 No Redshift reserved nodes found
PASS ca-central-1 No Redshift reserved nodes found
PASS eu-central-1 No Redshift reserved nodes found
PASS eu-west-1 No Redshift reserved nodes found
PASS eu-north-1 No Redshift reserved nodes found

PASS ap-northeast-1 No Redshift reserved nodes found
PASS ap-southeast-1 No Redshift reserved nodes found
PASS ap-southeast-2 No Redshift reserved nodes found
PASS ap-south-1 No Redshift reserved nodes found
PASS sa-east-1 No Redshift reserved nodes found
WorkSpaces WorkSpaces Volume Encryption

12 0 0 0
Test Description Ensures volume encryption on WorkSpaces for data protection.
AWS WorkSpaces should have volume encryption enabled in order to protect data from
Additional Info
unauthorized access.
Recommended Action Modify WorkSpaces to enable volume encryption
Cloud Provider Link https://docs.aws.amazon.com/workspaces/latest/adminguide/encrypt-workspaces.html
PASS us-east-1 No WorkSpaces found
PASS us-west-2 No WorkSpaces found
PASS ca-central-1 No WorkSpaces found
PASS sa-east-1 No WorkSpaces found
PASS ap-south-1 No WorkSpaces found
PASS eu-west-1 No WorkSpaces found
PASS eu-central-1 No WorkSpaces found
PASS eu-west-2 No WorkSpaces found
PASS ap-southeast-1 No WorkSpaces found

PASS ap-northeast-1 No WorkSpaces found
PASS ap-southeast-2 No WorkSpaces found
PASS ap-northeast-2 No WorkSpaces found
WorkSpaces Workspaces IP Access Control

12 0 0 0
Test Description Ensures enforced IP Access Control on Workspaces
Checking the existence of IP Access control on Workspaces and ensuring that no Workspaces
Additional Info
are open
Recommended Action Enable proper IP Access Controls for all workspaces
https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-ip-access-
Cloud Provider Link
control-groups.html
PASS us-east-1 No Workspaces found.
PASS us-west-2 No Workspaces found.
PASS ca-central-1 No Workspaces found.
PASS sa-east-1 No Workspaces found.
PASS ap-south-1 No Workspaces found.
PASS eu-west-1 No Workspaces found.
PASS eu-central-1 No Workspaces found.
PASS eu-west-2 No Workspaces found.
PASS ap-southeast-1 No Workspaces found.
PASS ap-northeast-1 No Workspaces found.
PASS ap-southeast-2 No Workspaces found.
PASS ap-northeast-2 No Workspaces found.

CloudFormation CloudFormation Drift Detection
17 0 0 0
Test Description Ensures that AWS CloudFormation stacks are not in a drifted state.
AWS CloudFormation stack should not be in drifted state to ensure that stack template is
Additional Info
aligned with the resources.
Recommended Action Resolve CloudFormation stack drift by importing drifted resource back to the stack.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-resolve-
Cloud Provider Link
drift.html
PASS us-east-1 No CloudFormation stacks found
PASS us-west-1 No CloudFormation stacks found
PASS ca-central-1 No CloudFormation stacks found
PASS eu-central-1 No CloudFormation stacks found
PASS eu-west-1 No CloudFormation stacks found
PASS eu-north-1 No CloudFormation stacks found
PASS ap-northeast-1 No CloudFormation stacks found
PASS ap-southeast-1 No CloudFormation stacks found
PASS ap-south-1 No CloudFormation stacks found
PASS sa-east-1 No CloudFormation stacks found

API Gateway API Gateway CloudWatch Logs
17 0 0 0
Test Description Ensures that Amazon API Gateway API stages have Amazon CloudWatch Logs enabled.
API Gateway API stages should have Amazon CloudWatch Logs enabled to help debug issues
Additional Info
related to request execution or client access to your API.
Recommended Action Modify API Gateway API stages to enable CloudWatch Logs
Cloud Provider Link https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html

CloudTrail CloudTrail Management Events
0 0 0 17
Test Description Ensures that AWS CloudTrail trails are configured to log management events.
AWS CloudTrail trails should be configured to log management events to record management
Additional Info
operations that are performed on resources in your AWS account.
Recommended Action Update CloudTrail to enable management events logging
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-
Cloud Provider Link
cloudtrail.html
arn:aws:cloudtrail:us-east- Unable to query for event selectors: Unable to

UNKN us-east-1

UNKN us-east-2

UNKN us-west-1

UNKN us-west-2

UNKN ca-central-1

UNKN eu-central-1

UNKN eu-west-1

UNKN eu-west-2

UNKN eu-west-3
UNKN arn:aws:cloudtrail:us-east- Unable to query for event selectors: Unable to

eu-north-1
ap- arn:aws:cloudtrail:us-east- Unable to query for event selectors: Unable to

UNKN

UNKN

UNKN

UNKN

UNKN

UNKN ap-south-1
UNKN sa-east-1
ELB ELB Cross-Zone Load Balancing

17 0 0 0
Test Description Ensures that AWS ELBs have cross-zone load balancing enabled.
AWS ELBs should have cross-zone load balancing enabled to distribute the traffic evenly
Additional Info
across the registered instances in all enabled Availability Zones.
Recommended Action Update AWS ELB to enable cross zone load balancing
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-
Cloud Provider Link
lb.html
PASS us-east-1 No load balancers found
PASS us-west-1 No load balancers found
PASS ca-central-1 No load balancers found
PASS eu-central-1 No load balancers found
PASS eu-west-1 No load balancers found
PASS eu-north-1 No load balancers found
PASS ap-northeast-1 No load balancers found
PASS ap-southeast-1 No load balancers found

PASS ap-south-1 No load balancers found
PASS sa-east-1 No load balancers found
ELB Classic Load Balancers In Use

17 0 0 0
Ensures that HTTP/HTTPS applications are using Application Load Balancer instead of
Test Description
Classic Load Balancer.
HTTP/HTTPS applications should use Application Load Balancer instead of Classic Load
Additional Info
Balancer for cost and web traffic distribution optimization.
Detach Classic Load balancer from HTTP/HTTPS applications and attach Application Load
Recommended Action
Balancer to those applications
Cloud Provider Link https://aws.amazon.com/elasticloadbalancing/features/

ELB ELB Connection Draining Enabled

17 0 0 0
Test Description Ensures that AWS ELBs have connection draining enabled.
Connection draining should be used to ensure that a Classic Load Balancer stops sending
Additional Info requests to instances that are de-registering or unhealthy, while keeping the existing
connections open.
Recommended Action Update ELBs to enable connection draining
Cloud Provider Link https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html

ELBv2 ELBv2 Deregistration Delay

17 0 0 0
Test Description Ensures that AWS ELBv2 target groups have deregistration delay configured.
AWS ELBv2 target groups should have deregistration delay configured to help in-flight
Additional Info
requests to the target to complete.
Recommended Action Update ELBv2 target group attributes and set the deregistration delay value
Cloud Provider Link
groups.html#deregistration-delay
PASS us-east-1 No Application/Network load balancer target groups found
PASS us-east-2 No Application/Network load balancer target groups found
PASS us-west-1 No Application/Network load balancer target groups found
PASS us-west-2 No Application/Network load balancer target groups found
PASS ca-central-1 No Application/Network load balancer target groups found
PASS eu-central-1 No Application/Network load balancer target groups found
PASS eu-west-1 No Application/Network load balancer target groups found
PASS eu-west-2 No Application/Network load balancer target groups found
PASS
eu-west-3 No Application/Network load balancer target groups found
PASS eu-north-1 No Application/Network load balancer target groups found
PASS ap-northeast-1 No Application/Network load balancer target groups found
PASS ap-southeast-1 No Application/Network load balancer target groups found
PASS ap-southeast-2 No Application/Network load balancer target groups found
PASS ap-south-1 No Application/Network load balancer target groups found
PASS sa-east-1 No Application/Network load balancer target groups found
RDS RDS IAM Database Authentication Enabled

17 0 0 0
Ensures IAM Database Authentication is enabled for RDS database instances to manage
Test Description
database access
AWS Identity and Access Management (IAM) can be used to authenticate to your RDS DB
Additional Info
instances.
Modify the PostgreSQL and MySQL type RDS instances to enable IAM database
Recommended Action
authentication.
Cloud Provider Link https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html

RDS RDS Deletion Protection Enabled

17 0 0 0
Test Description Ensures deletion protection is enabled for RDS database instances.
Deletion protection prevents Amazon RDS instances from being deleted accidentally by any
Additional Info
user.
Recommended Action Modify the RDS instances to enable deletion protection.
https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-
Cloud Provider Link
deletion-protection/

EC2 EBS Backup Enabled

16 0 7 0
Test Description Checks whether EBS Backup is enabled
Additional Info EBS volumes should have backups in the form of snapshots.
Recommended Action Ensure that each EBS volumes contain at least .
https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/new-ebs-volume-
Cloud Provider Link
backups.html
arn:aws:ec2:us-east-1:922503285322:volume/vol- EBS Volume is not backed

FAIL us-east-1
0cd59f11359717779 up

FAIL us-east-1
0ea43a6b7bcc1ec0b up

FAIL us-east-1
00074031a49128610 up

FAIL us-east-1
0adda660adb702d40 up

FAIL us-east-1 0a1c7613b80c47a1b up

FAIL us-east-1 00744a919dd332543 up

FAIL us-east-1
031c96db898d68b4e up
PASS us-east-2 No EBS Volumes found
PASS ca-central-1 No EBS Volumes found
PASS eu-central-1 No EBS Volumes found
PASS eu-north-1 No EBS Volumes found
ap-northeast-
1
ap-northeast-
2
ap-
southeast-1
ap-
southeast-2
ap-northeast-
3
PASS ap-south-1 No EBS Volumes found
PASS sa-east-1 No EBS Volumes found
ELBv2 ELB SSL Termination

17 0 0 0
Test Description Ensure that Load Balancers has SSL certificate configured for SSL terminations.
SSL termination or SSL offloading decrypts and verifies data on the load balancer instead of
Additional Info the application server which spares the server of having to organize incoming connections and
prioritize on other tasks like loading web pages. This helps increase server speed.
Recommended Action Attach SSL certificate with the listener to AWS Elastic Load Balancer
Cloud Provider Link https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/
IAM Access Analyzer Enabled

0 0 17 0
Test Description Ensure that IAM Access analyzer is enabled for all regions.
Access Analyzer allow you to determine if an unintended user is allowed, making it easier for
Additional Info administrators to monitor least privileges access. It analyzes only policies that are applied to
resources in the same AWS region.
Recommended Action Enable Access Analyzer for all regions
Cloud Provider Link https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html
FAIL us-east-1 Access Analyzer is not configured
FAIL us-east-2 Access Analyzer is not configured
FAIL us-west-1 Access Analyzer is not configured
FAIL us-west-2 Access Analyzer is not configured
FAIL ca-central-1 Access Analyzer is not configured
FAIL eu-central-1 Access Analyzer is not configured
FAIL eu-west-1 Access Analyzer is not configured
FAIL eu-north-1 Access Analyzer is not configured
FAIL ap-northeast-1 Access Analyzer is not configured
FAIL ap-southeast-1 Access Analyzer is not configured
FAIL ap-southeast-2 Access Analyzer is not configured
FAIL ap-south-1 Access Analyzer is not configured
FAIL sa-east-1 Access Analyzer is not configured
EC2 Outdated Amazon Machine Images

17 0 0 0
Test Description Ensures that deprecated Amazon Machine Images are not in use.
Additional Info Deprecated Amazon Machine Images should not be used to make an instance.
Recommended Action Delete the instances using deprecated AMIs
Cloud Provider Link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html
PASS ca-central-1 No Amazon Machine Images found
PASS eu-central-1 No Amazon Machine Images found
PASS eu-north-1 No Amazon Machine Images found
PASS ap-south-1 No Amazon Machine Images found
PASS sa-east-1 No Amazon Machine Images found
ES ElasticSearch Domain Cross Account access

17 0 0 0
Test Description Ensures that only trusted accounts have access to ElasticSearch domains.
Allowing unrestricted access of ES clusters will cause data leaks and data loss. This can be
Additional Info prevented by restricting access only to the trusted entities by implementing the appropriate
access policies.
Recommended Action Restrict the access to ES clusters to allow only trusted accounts.
http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-gsg-configure-
Cloud Provider Link
access.html
ES ElasticSearch Cluster Status

17 0 0 0
Test Description Ensure that ElasticSearch clusters are healthy, i.e status is green.
Unhealthy Amazon ES clusters with the status set to "Red" is crucial for availability of
Additional Info
ElasticSearch applications.
Recommended Action Configure alarms to send notification if cluster status remains red for more than a minute.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/cloudwatch-
Cloud Provider Link
alarms.html

ES ElasticSearch Dedicated Master Enabled
17 0 0 0
Test Description Ensure that Amazon Elasticsearch domains are using dedicated master nodes.
Using Elasticsearch dedicated master nodes to separate management tasks from index and
Additional Info search requests will improve the clusters ability to manage easily different types of workload
and make them more resilient in production.
Recommended Action Update the domain to use dedicated master nodes.
http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-
Cloud Provider Link
createupdatedomains.html

ES ElasticSearch TLS Version
17 0 0 0
Test Description Ensure ElasticSearch domain is using the latest security policy to only allow TLS v1.2
ElasticSearch domains should be configured to enforce TLS version 1.2 for all clients to
Additional Info
ensure encryption of data in transit with updated features.
Recommended Action Update elasticsearch domain to set TLSSecurityPolicy to contain TLS version 1.2.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/infrastructure-
Cloud Provider Link
security.html

ES ElasticSearch Encryption Enabled
17 0 0 0
Test Description Ensure that AWS ElasticSearch domains have encryption enabled.
Additional Info ElasticSearch domains should be encrypted to ensure that data is secured.
Recommended Action Ensure encryption-at-rest is enabled for all ElasticSearch domains.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-
Cloud Provider Link
rest.html

EventBridge Event Bus Cross Account Access
17 0 0 0
Ensure that EventBridge event bus is configured to allow access to whitelisted AWS account
Test Description
principals.
EventBridge event bus policy should be configured to allow access only to whitelisted/trusted
Additional Info
cross-account principals.
Configure EventBridge event bus policies that allow access to whitelisted/trusted cross-
Recommended Action
account principals.
Cloud Provider Link https://docs.amazonaws.cn/en_us/eventbridge/latest/userguide/eb-event-bus-perms.html
Event bus does not use custom

PASS us-east-1 arn:aws:events:us-east-1:922503285322:event-bus/default
policy

policy

PASS us-west-1 arn:aws:events:us-west-1:922503285322:event-bus/default
policy

policy
arn:aws:events:ca-central-1:922503285322:event- Event bus does not use custom

PASS ca-central-1
bus/default policy
arn:aws:events:eu-central-1:922503285322:event- Event bus does not use custom

PASS eu-central-1
bus/default policy
arn:aws:events:eu-west-1:922503285322:event- Event bus does not use custom

PASS eu-west-1
bus/default policy

PASS eu-west-2
bus/default policy

PASS eu-west-3
bus/default policy
arn:aws:events:eu-north-1:922503285322:event- Event bus does not use custom

PASS eu-north-1
bus/default policy
ap-northeast- arn:aws:events:ap-northeast-1:922503285322:event- Event bus does not use custom

PASS
1 bus/default policy

PASS
ap- arn:aws:events:ap-southeast-1:922503285322:event- Event bus does not use custom

PASS
southeast-1 bus/default policy

PASS

PASS
arn:aws:events:ap-south-1:922503285322:event- Event bus does not use custom

PASS ap-south-1
bus/default policy
PASS sa-east-1 arn:aws:events:sa-east-1:922503285322:event-bus/default
policy
IAM IAM Support Policy

0 0 1 0
Ensures that an IAM role, group or user exists with specific permissions to access support
Test Description
center.
AWS provides a support center that can be used for incident notification and response, as well
Additional Info as technical support and customer services. An IAM Role should be present to allow
authorized users to manage incidents with AWS Support.
Recommended Action Ensure that an IAM role has permission to access support center.
Cloud Provider Link https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html
FAIL global No role, user or group attached to the AWSSupportAccess policy
IAM IAM User Account In Use

0 0 3 0
Test Description Ensure that IAM user accounts are not being actively used.
Additional Info IAM users, roles, and groups should not be used for day-to-day account management.
Recommended Action Delete IAM user accounts which are being actively used.
Cloud Provider Link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
FAIL global arn:aws:iam::922503285322:user/cloud3 IAM user was last used 0 days ago
FAIL global arn:aws:iam::922503285322:user/cloud3-sec IAM user was last used 0 days ago
FAIL global arn:aws:iam::922503285322:user/userbackup IAM user was last used 1 days ago
Route53 Domain Privacy Protection
1 0 0 0
Test Description Ensure that Privacy Protection feature is enabled for your Amazon Route 53 domains.
Enabling the Privacy Protection feature protects against receiving spams and sharing contact
Additional Info
information in response of WHOIS queries.
Recommended Action Enable Privacy Protection for Domain
Cloud Provider Link https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-privacy-protection.html
Route53 Sender Policy Framework In Use

1 0 0 0
Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your
Test Description
AWS Route 53 domain.
The Sender Policy Framework enables AWS Route 53 registered domain to publicly state the
Additional Info
mail servers that are authorized to send emails on its behalf.
Recommended Action Updated the domain records to have SPF.
Cloud Provider Link https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/rrsets-working-with.html
PASS us-east-1 No Route53 Hosted Zones found
Route53 Sender Privacy Framework Record Present

1 0 0 0
Ensure that Route 53 hosted zones have a DNS record containing Sender Policy Framework
Test Description
(SPF) value set for each MX record available.
The SPF record enables Route 53 registered domains to publicly state the mail servers that
Additional Info
are authorized to send emails on its behalf.
Recommended Action Add SPF records to the DNS records.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-
Cloud Provider Link
creating.html
PASS us-east-1 No Route53 Hosted Zones found
Transfer PrivateLink in Use for Transfer for SFTP Server Endpoints

17 0 0 0
Ensure that AWS Transfer for SFTP server endpoints are configured to use VPC endpoints
Test Description
powered by AWS PrivateLink.
PrivateLink provides secure and private connectivity between VPCs and other AWS resources
Additional Info
using a dedicated network.
Recommended Action Configure the SFTP server endpoints to use endpoints powered by PrivateLink.
Cloud Provider Link https://docs.aws.amazon.com/transfer/latest/userguide/update-endpoint-type-vpc.html
PASS ca-central-1 No Transfer servers found
PASS eu-central-1 No Transfer servers found
PASS eu-north-1 No Transfer servers found

PASS ap-south-1 No Transfer servers found
PASS sa-east-1 No Transfer servers found
Glacier S3 Glacier Vault Public Access

17 0 0 0
Test Description Ensure that S3 Glacier Vault public access block is enabled for the account.
Blocking S3 Glacier Vault public access at the account level ensures objects are not
Additional Info
accidentally exposed.
Recommended Action Add access policy for the S3 Glacier Vault to block public access for the AWS account.
Cloud Provider Link https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html
PASS us-east-1 No S3 Glacier vaults found
PASS us-east-2 No S3 Glacier vaults found
PASS us-west-1 No S3 Glacier vaults found
PASS us-west-2 No S3 Glacier vaults found
PASS ca-central-1 No S3 Glacier vaults found
PASS eu-central-1 No S3 Glacier vaults found
PASS eu-west-1 No S3 Glacier vaults found
PASS eu-north-1 No S3 Glacier vaults found
PASS ap-northeast-1 No S3 Glacier vaults found

PASS ap-southeast-1 No S3 Glacier vaults found
PASS ap-southeast-2 No S3 Glacier vaults found
PASS ap-south-1 No S3 Glacier vaults found
PASS sa-east-1 No S3 Glacier vaults found
IAM IAM User Present

1 0 0 0
Ensure that at least one IAM user exists so that access to your AWS services and resources is
Test Description
made only through IAM users instead of the root account.
To protect your AWS root account and adhere to IAM security best practices, create individual
Additional Info
IAM users to access your AWS environment.
Recommended Action Create IAM user(s) and use them to access AWS services and resources.
Cloud Provider Link https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
PASS global Found 3 users
SSM SSM Documents Public Access

0 0 0 17
Test Description Ensure that SSM service has block public sharing setting enabled.
Public documents can be viewed by all AWS accounts. To prevent unwanted access to your
Additional Info
documents, turn on the block public access sharing setting.
Recommended Action Enable block public sharing setting under SSM documents preferences.
Cloud Provider Link https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-share-block.html

Resource
arn:aws:ssm:us- Unable to query SSM service settings: User:

east- arn:aws:sts::922503285322:assumed-
1:922503285322:ser role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
UNKN us-east-1 vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:us-east-
uments/console/publ 1:922503285322:servicesetting/ssm/documents/console/public-sharing-
ic-sharing- permission because no identity-based policy allows the
permission ssm:GetServiceSetting action

UNKN us-east-2 vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:us-east-

west- arn:aws:sts::922503285322:assumed-
UNKN us-west-1 vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:us-west-

UNKN us-west-2 vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:us-west-
arn:aws:ssm:ca- Unable to query SSM service settings: User:

central- arn:aws:sts::922503285322:assumed-
ca-central-
UNKN vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:ca-central-
1
arn:aws:ssm:eu- Unable to query SSM service settings: User:

central- arn:aws:sts::922503285322:assumed-
eu-central-
UNKN vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:eu-central-
1

UNKN eu-west-1 vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:eu-west-


north- arn:aws:sts::922503285322:assumed-
UNKN eu-north-1 vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:eu-north-
arn:aws:ssm:ap- Unable to query SSM service settings: User:

northeast- arn:aws:sts::922503285322:assumed-
ap- 1:922503285322:ser role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
UNKN northeast- vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:ap-northeast-
1 uments/console/publ 1:922503285322:servicesetting/ssm/documents/console/public-sharing-


southeast- arn:aws:sts::922503285322:assumed-
UNKN southeast- vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:ap-southeast-

southeast- arn:aws:sts::922503285322:assumed-
UNKN southeast- vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:ap-southeast-


south- arn:aws:sts::922503285322:assumed-
UNKN ap-south-1 vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:ap-south-
arn:aws:ssm:sa- Unable to query SSM service settings: User:

UNKN sa-east-1 vicesetting/ssm/doc ssm:GetServiceSetting on resource: arn:aws:ssm:sa-east-
MQ MQ Deployment Mode
17 0 0 0
Ensure that for high availability, your AWS MQ brokers are using the active/standby
Test Description
deployment mode instead of single-instance
With the active/standby deployment mode as opposed to the single-broker mode (enabled by
Additional Info default), you can achieve high availability for your Amazon MQ brokers as the service provides
failure proof no risk.
Recommended Action Enabled Deployment Mode feature for MQ brokers
https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/active-standby-broker-
Cloud Provider Link
deployment.html
PASS us-east-1 No MQ brokers found
PASS us-west-1 No MQ brokers found
PASS ca-central-1 No MQ brokers found
PASS eu-central-1 No MQ brokers found
PASS eu-west-1 No MQ brokers found
PASS eu-north-1 No MQ brokers found
PASS ap-northeast-1 No MQ brokers found
PASS ap-southeast-1 No MQ brokers found

PASS ap-south-1 No MQ brokers found
PASS sa-east-1 No MQ brokers found
MQ MQ Auto Minor Version Upgrade

17 0 0 0
Test Description Ensure that Amazon MQ brokers have the Auto Minor Version Upgrade feature enabled.
As AWS MQ deprecates minor engine version periodically and provides new versions for
Additional Info upgrade, it is highly recommended that Auto Minor Version Upgrade feature is enabled to
apply latest upgrades.
Recommended Action Enabled Auto Minor Version Upgrade feature for MQ brokers
Cloud Provider Link https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker.html

MQ MQ Log Exports Enabled

17 0 0 0
Test Description Ensure that Amazon MQ brokers have the Log Exports feature enabled.
Amazon MQ has a feature of AWS CloudWatch Logs, a service of storing, accessing and
Additional Info
monitoring your log files from different sources within your AWS account.
Recommended Action Enable Log Exports feature for MQ brokers
https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security-logging-
Cloud Provider Link
monitoring.html

WorkSpaces Unused WorkSpaces

12 0 0 0
Ensure that there are no unused AWS WorkSpaces instances available within your AWS
Test Description
account.
An AWS WorkSpaces instance is considered unused if it has 0 known user connections

Additional Info
registered within the past 30 days. Remove these instances to avoid unnecessary billing.
Recommended Action Identify and remove unused Workspaces instance
Cloud Provider Link https://aws.amazon.com/workspaces/pricing/
PASS us-east-1 No WorkSpaces instance connection status found
PASS us-west-2 No WorkSpaces instance connection status found
PASS ca-central-1 No WorkSpaces instance connection status found
PASS sa-east-1 No WorkSpaces instance connection status found
PASS ap-south-1 No WorkSpaces instance connection status found
PASS eu-west-1 No WorkSpaces instance connection status found
PASS eu-central-1 No WorkSpaces instance connection status found
PASS eu-west-2 No WorkSpaces instance connection status found
PASS
ap-southeast-1 No WorkSpaces instance connection status found
PASS ap-northeast-1 No WorkSpaces instance connection status found

PASS ap-southeast-2 No WorkSpaces instance connection status found
PASS ap-northeast-2 No WorkSpaces instance connection status found
ECR ECR Repository Encrypted

17 0 0 0
Test Description Ensure that the images in ECR repository are encrypted using desired encryption level.
By default, Amazon ECR uses server-side encryption with Amazon S3-managed encryption
keys which encrypts your data at rest using an AES-256 encryption algorithm. Use customer-
Additional Info
managed keys instead, in order to gain more granular control over encryption/decryption
process.
Recommended Action Create ECR Repository with customer-manager keys (CMKs).
Cloud Provider Link https://docs.aws.amazon.com/AmazonECR/latest/userguide/Repositories.html
PASS us-east-1 No ECR repositories found
PASS us-east-2 No ECR repositories found
PASS us-west-1 No ECR repositories found
PASS us-west-2 No ECR repositories found
PASS ca-central-1 No ECR repositories found
PASS eu-central-1 No ECR repositories found
PASS eu-west-1 No ECR repositories found
PASS eu-north-1 No ECR repositories found
PASS ap-northeast-1 No ECR repositories found
PASS ap-southeast-1 No ECR repositories found

PASS ap-southeast-2 No ECR repositories found
PASS ap-south-1 No ECR repositories found
PASS sa-east-1 No ECR repositories found
Kendra Kendra Index Encrypted

0 0 0 7
Test Description Ensure that the Kendra index is encrypted using desired encryption level.
Amazon Kendra encrypts your data at rest with AWS-manager keys by default. Use customer-
Additional Info managed keys instead in order to gain more granular control over encryption/decryption
process.
Recommended Action Create Kendra Index with customer-manager keys (CMKs).
Cloud Provider Link https://docs.aws.amazon.com/kendra/latest/dg/encryption-at-rest.html
Res
Result Region our Message
ce
Unable to query Kendra Indices: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1
role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kendra:ListIndices

UNKN us-east-2

UNKN us-west-2
ap-
UNKN southeast-
1
ap-
UNKN southeast-
2
ca-central- Unable to query Kendra Indices: User: arn:aws:sts::922503285322:assumed-

UNKN
1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kendra:ListIndices

UNKN eu-west-1
Proton Environment Template Encrypted
0 0 0 5
Test Description Ensure that AWS Proton environment template is encrypted with desired level.
AWS Proton encrypts sensitive data in your template bundles at rest in the S3 bucket where
Additional Info you store your template bundles using AWS-managed keys. Use customer-managed keys
(CMKs) in order to meet regulatory compliance requirements within your organization.
Recommended Action Create Proton environment template with customer-manager keys (CMKs)
Cloud Provider Link https://docs.aws.amazon.com/proton/latest/adminguide/data-protection.html
R
e
s
o
u
r
c
e
Unable to query Environment Template: User: arn:aws:sts::922503285322:assumed-

role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
UNKN us-east-1
proton:ListEnvironmentTemplates because no identity-based policy allows the
proton:ListEnvironmentTemplates action

UNKN us-east-2

UNKN us-west-2

ap-
UNKN northeast-
1

UNKN eu-west-1
ElastiCache ElastiCache Redis Cluster Encryption In-Transit

17 0 0 0
Test Description Ensure that your AWS ElastiCache Redis clusters have encryption in-transit enabled.
Amazon ElastiCache in-transit encryption is an optional feature that allows you to increase the
Additional Info security of your data at its most vulnerable points—when it is in transit from one location to
another.
Recommended Action Enable in-transit encryption for ElastiCache clusters
Cloud Provider Link https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html
PASS us-east-1 No ElastiCache clusters found
PASS us-west-1 No ElastiCache clusters found
PASS ca-central-1 No ElastiCache clusters found
PASS eu-central-1 No ElastiCache clusters found
PASS eu-west-1 No ElastiCache clusters found
PASS eu-north-1 No ElastiCache clusters found
PASS ap-northeast-1 No ElastiCache clusters found
PASS ap-southeast-1 No ElastiCache clusters found
PASS ap-south-1 No ElastiCache clusters found
PASS sa-east-1 No ElastiCache clusters found
S3 S3 Versioned Buckets Lifecycle Configuration

3 0 0 0
Ensure that S3 buckets having versioning enabled also have liecycle policy configured for non-
Test Description
current objects.
When object versioning is enabled on a bucket, every modification/update to an object results

Additional Info in a new version of the object that will be stored indefinitely. Enable a lifecycle policy, so that
non-current object versions are removed or transitioned in a predictable manner.
Recommended Action Configure lifecycle rules for buckets which have versioning enabled
https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-set-lifecycle-configuration-
Cloud Provider Link
intro.html
PASS us-east-1 arn:aws:s3:::siscor-backups Bucket : siscor-backups has versioning disabled
PASS us-east-1 arn:aws:s3:::siscor-trails Bucket : siscor-trails has versioning disabled
PASS us-east-1 arn:aws:s3:::siscor-transfer Bucket : siscor-transfer has versioning disabled
SES SES Email Messages Encrypted

0 0 0 3
Ensure that Amazon SES email messages are encrypted before delivering them to specified
Test Description
buckets.
Amazon SES email messages should be encrypted in case they are being delivered to S3
Additional Info
bucket to meet regulatory compliance requirements within your organization.
Recommended Action Enable encryption for SES email messages if they are being delivered to S3 in active rule-set .
Cloud Provider Link https://docs.aws.amazon.com/kms/latest/developerguide/services-ses.html
R
e
s
o
u
r
c
e
Unable to query for SES active rule set: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1
ses:DescribeActiveReceiptRuleSet because no identity-based policy allows the
ses:DescribeActiveReceiptRuleSet action

UNKN us-west-2
ses:DescribeActiveReceiptRuleSet because no identity-based policy allows the

eu-west-1
UNKN ses:DescribeActiveReceiptRuleSet because no identity-based policy allows the
QLDB Ledger Encrypted

0 0 0 11
Test Description Ensure that AWS QLDB ledger is encrypted using desired encryption level
QLDB encryption at rest provides enhanced security by encrypting all ledger data at rest using
Additional Info encryption keys in AWS Key Management Service (AWS KMS).Use customer-managed keys
(CMKs) instead in order to gain more granular control over encryption/decryption process.
Recommended Action Create QLDB ledger with customer-manager keys (CMKs)
Cloud Provider Link https://docs.aws.amazon.com/qldb/latest/developerguide/encryption-at-rest.html
Re
so
ur
ce
Unable to query Ledgers: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: qldb:ListLedgers on
resource: arn:aws:qldb:us-east-1:922503285322:ledger/*

UNKN us-east-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: qldb:ListLedgers on
resource: arn:aws:qldb:us-east-2:922503285322:ledger/*

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: qldb:ListLedgers on
resource: arn:aws:qldb:us-west-2:922503285322:ledger/*
ap- Unable to query Ledgers: User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: qldb:ListLedgers on
2 resource: arn:aws:qldb:ap-northeast-2:922503285322:ledger/*

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: qldb:ListLedgers on
1 resource: arn:aws:qldb:ap-southeast-1:922503285322:ledger/*

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: qldb:ListLedgers on
2 resource: arn:aws:qldb:ap-southeast-2:922503285322:ledger/*

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: qldb:ListLedgers on
1 resource: arn:aws:qldb:ap-northeast-1:922503285322:ledger/*

ca-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: qldb:ListLedgers on
1
resource: arn:aws:qldb:ca-central-1:922503285322:ledger/*

eu-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: qldb:ListLedgers on
1
resource: arn:aws:qldb:eu-central-1:922503285322:ledger/*

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: qldb:ListLedgers on
resource: arn:aws:qldb:eu-west-1:922503285322:ledger/*

UNKN eu-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: qldb:ListLedgers on
resource: arn:aws:qldb:eu-west-2:922503285322:ledger/*
MWAA Environment Data Encrypted

0 0 0 15
Test Description Ensure that AWS MWAA environment data is encrypted
Amazon MWAA encrypts data saved to persistent media with AWS-manager keys by default.
Additional Info Use customer-managed keys instead in order to gain more granular control over
encryption/decryption process.
Recommended Action Create MWAA environments with customer-manager keys (CMKs)
Cloud Provider Link https://docs.aws.amazon.com/mwaa/latest/userguide/encryption-at-rest.html
R
e
s
ur
c
e
Unable to query MWAA Environments: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
on resource: arn:aws:airflow:us-east-1:922503285322:*

UNKN us-east-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
on resource: arn:aws:airflow:us-east-2:922503285322:*

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
on resource: arn:aws:airflow:us-west-2:922503285322:*

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
on resource: arn:aws:airflow:eu-west-1:922503285322:*



ap-south-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
UNKN on resource: arn:aws:airflow:ap-south-1:922503285322:*

UNKN eu-north-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
on resource: arn:aws:airflow:eu-north-1:922503285322:*

eu-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
1
on resource: arn:aws:airflow:eu-central-1:922503285322:*
ap- Unable to query MWAA Environments: User: arn:aws:sts::922503285322:assumed-

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
2 on resource: arn:aws:airflow:ap-southeast-2:922503285322:*

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
1 on resource: arn:aws:airflow:ap-southeast-1:922503285322:*

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
2 on resource: arn:aws:airflow:ap-northeast-2:922503285322:*

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
1 on resource: arn:aws:airflow:ap-northeast-1:922503285322:*

ca-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
1
on resource: arn:aws:airflow:ca-central-1:922503285322:*

UNKN sa-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: airflow:ListEnvironments
on resource: arn:aws:airflow:sa-east-1:922503285322:*
Neptune Neptune Database Instance Encrypted

16 0 0 0
Ensure that your AWS Neptune database instances are encrypted with KMS Customer Master
Test Description
Keys (CMKs) instead of AWS managed-keys.
Neptune encrypted instances provide an additional layer of data protection by helping to

secure your data from unauthorized access to the underlying storage. You can use Neptune
Additional Info
encryption to increase data protection of your applications that are deployed in the cloud. You
can also use it to fulfill compliance requirements for data-at-rest encryption.
Recommended Action Encrypt Neptune database with desired encryption level
Cloud Provider Link https://docs.aws.amazon.com/neptune/latest/userguide/encrypt.html
PASS us-east-1 No Neptune database instances found
us-east-2 No Neptune database instances found

PASS
PASS us-west-1 No Neptune database instances found
PASS us-west-2 No Neptune database instances found
PASS ca-central-1 No Neptune database instances found
PASS eu-central-1 No Neptune database instances found
PASS eu-west-1 No Neptune database instances found
PASS eu-north-1 No Neptune database instances found
PASS ap-northeast-1 No Neptune database instances found
PASS ap-northeast-2 No Neptune database instances found
PASS ap-southeast-1 No Neptune database instances found
PASS ap-southeast-2 No Neptune database instances found
PASS ap-south-1 No Neptune database instances found
PASS sa-east-1 No Neptune database instances found
MQ MQ Broker Encrypted
17 0 0 0
Test Description Ensure that Amazon MQ brokers have data ecrypted at-rest feature enabled.
Amazon MQ encryption at rest provides enhanced security by encrypting your data using
Additional Info
encryption keys stored in the AWS Key Management Service (KMS).
Recommended Action Enabled data at-rest encryption feature for MQ brokers
https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/data-protection.html#data-
Cloud Provider Link
protection-encryption-at-rest

Connect Connect Customer Profiles Domain Encrypted

0 0 0 9
Test Description Ensure that AWS Connect Customer Profiles domains are using desired encryption level.
Customer profiles domain is a container for all data, such as customer profiles, object types,
Additional Info profile keys, and encryption keys. To encrypt this data, use a KMS key with desired encrypted
level to meet regulatory compliance requirements within your organization.
Recommended Action Enabled data encryption feature for Connect Customer Profiles
Cloud Provider Link https://docs.aws.amazon.com/connect/latest/adminguide/enable-customer-profiles.html
R
e
s
ur
c
e
Unable to query customerprofiles domain: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: profile:ListDomains on
resource: arn:aws:profile:us-east-1:922503285322:domains

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: profile:ListDomains on
resource: arn:aws:profile:us-west-2:922503285322:domains

UNKN eu-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: profile:ListDomains on
resource: arn:aws:profile:eu-west-2:922503285322:domains

ca-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: profile:ListDomains on
1
resource: arn:aws:profile:ca-central-1:922503285322:domains

eu-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: profile:ListDomains on
1
resource: arn:aws:profile:eu-central-1:922503285322:domains
ap- Unable to query customerprofiles domain: User: arn:aws:sts::922503285322:assumed-

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: profile:ListDomains on
1 resource: arn:aws:profile:ap-southeast-1:922503285322:domains

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: profile:ListDomains on
1 resource: arn:aws:profile:ap-northeast-1:922503285322:domains

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: profile:ListDomains on
2 resource: arn:aws:profile:ap-southeast-2:922503285322:domains

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: profile:ListDomains on
2 resource: arn:aws:profile:ap-northeast-2:922503285322:domains
CloudWatchLogs CloudWatch Log Groups Encrypted

17 0 0 0
Test Description Ensure that the CloudWatch Log groups are encrypted using desired encryption level.
Log group data is always encrypted in CloudWatch Logs. You can optionally use AWS Key
Management Service for this encryption. After you associate a customer managed key with a
Additional Info log group, all newly ingested data for the log group is encrypted using this key. This data is
stored in encrypted format throughout its retention period. CloudWatch Logs decrypts this data
whenever it is requested.
Recommended Action Ensure CloudWatch Log groups have encryption enabled with desired AWS KMS key
Cloud Provider Link https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html

PASS us-east-1 No CloudWatch log groups found
PASS us-east-2 No CloudWatch log groups found
PASS us-west-1 No CloudWatch log groups found
PASS us-west-2 No CloudWatch log groups found
PASS ca-central-1 No CloudWatch log groups found
PASS eu-central-1 No CloudWatch log groups found
PASS eu-west-1 No CloudWatch log groups found
PASS eu-north-1 No CloudWatch log groups found
PASS ap-northeast-1 No CloudWatch log groups found
PASS ap-southeast-1 No CloudWatch log groups found
PASS ap-southeast-2 No CloudWatch log groups found
PASS ap-south-1 No CloudWatch log groups found
PASS sa-east-1 No CloudWatch log groups found
Timestream Timestream Database Encrypted

0 0 0 5
Ensure that AWS Timestream databases are encrypted with KMS Customer Master Keys
Test Description
(CMKs) instead of AWS managed-keys.
Timestream encryption at rest provides enhanced security by encrypting all your data at rest
using encryption keys. This functionality helps reduce the operational burden and complexity
Additional Info involved in protecting sensitive data. With encryption at rest using customer-managed keys,
you can build security-sensitive applications that meet strict encryption compliance and
regulatory requirements.
Recommended Action Modify Timestream database encryption configuration to use desired encryption key
Cloud Provider Link https://docs.aws.amazon.com/timestream/latest/developerguide/EncryptionAtRest.html
R
e
s
o
u
r
c
e
Unable to query Timestream databases: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1
timestream:DescribeEndpoints because no identity-based policy allows the
timestream:DescribeEndpoints action

UNKN us-east-2

UNKN us-west-2

eu-central- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
UNKN
1 timestream:DescribeEndpoints because no identity-based policy allows the

UNKN eu-west-1
MemoryDB MemoryDB Cluster Encrypted

0 0 0 15
Test Description Ensure that your Amazon MemoryDB cluster is encrypted with desired encryption level.
To help keep your data secure, MemoryDB at-rest encryption is always enabled to increase
data security by encrypting persistent data using AWS-managed KMS keys. Use AWS
Additional Info
customer-managed Keys (CMKs) instead in order to have a fine-grained control over data-at-
rest encryption/decryption process and meet compliance requirements.
Recommended Action Modify MemoryDB cluster encryption configuration to use desired encryption key
Cloud Provider Link https://docs.aws.amazon.com/memorydb/latest/devguide/at-rest-encryption.html
R
e
s
u
r
c
e
Unable to list MemoryDB clusters: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 memorydb:DescribeClusters on resource: arn:aws:memorydb:us-east-
1:922503285322:cluster/* because no identity-based policy allows the
memorydb:DescribeClusters action

UNKN us-east-2 memorydb:DescribeClusters on resource: arn:aws:memorydb:us-east-

UNKN us-west-1 memorydb:DescribeClusters on resource: arn:aws:memorydb:us-west-

UNKN us-west-2 memorydb:DescribeClusters on resource: arn:aws:memorydb:us-west-

ca-central-
UNKN memorydb:DescribeClusters on resource: arn:aws:memorydb:ca-central-
1

eu-central-
UNKN memorydb:DescribeClusters on resource: arn:aws:memorydb:eu-central-
1

UNKN eu-west-1 memorydb:DescribeClusters on resource: arn:aws:memorydb:eu-west-

UNKN eu-west-2 memorydb:DescribeClusters on resource: arn:aws:memorydb:eu-west-

UNKN eu-north-1 memorydb:DescribeClusters on resource: arn:aws:memorydb:eu-north-

ap- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
UNKN northeast- memorydb:DescribeClusters on resource: arn:aws:memorydb:ap-northeast-
1 1:922503285322:cluster/* because no identity-based policy allows the
UNKN northeast- memorydb:DescribeClusters on resource: arn:aws:memorydb:ap-northeast-

UNKN southeast- memorydb:DescribeClusters on resource: arn:aws:memorydb:ap-southeast-

UNKN southeast- memorydb:DescribeClusters on resource: arn:aws:memorydb:ap-southeast-

UNKN ap-south-1 memorydb:DescribeClusters on resource: arn:aws:memorydb:ap-south-

UNKN sa-east-1 memorydb:DescribeClusters on resource: arn:aws:memorydb:sa-east-
MSK MSK Cluster Encryption At-Rest

0 0 0 16
Ensure that Amazon Managed Streaming for Kafka (MSK) clusters are using desired
Test Description
encryption key for at-rest encryption.
Amazon MSK encrypts all data at rest using AWS-managed KMS keys by default. Use AWS
Additional Info customer-managed Keys (CMKs) instead in order to have a fine-grained control over data-at-
rest encryption/decryption process and meet compliance requirements.
Recommended Action Modify MSK cluster encryption configuration to use desired encryption key
Cloud Provider Link https://docs.aws.amazon.com/msk/1.0/apireference/clusters-clusterarn-security.html
R
es
ur
ce
Unable to list MSK clusters : User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kafka:ListClusters on
resource: arn:aws:kafka:us-east-1:922503285322:/v1/clusters


UNKN us-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kafka:ListClusters on
resource: arn:aws:kafka:us-west-1:922503285322:/v1/clusters


ca-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kafka:ListClusters on
1
resource: arn:aws:kafka:ca-central-1:922503285322:/v1/clusters

eu-central-
1
resource: arn:aws:kafka:eu-central-1:922503285322:/v1/clusters

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kafka:ListClusters on
resource: arn:aws:kafka:eu-west-1:922503285322:/v1/clusters



UNKN eu-north-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kafka:ListClusters on
resource: arn:aws:kafka:eu-north-1:922503285322:/v1/clusters
ap- Unable to list MSK clusters : User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kafka:ListClusters on
1 resource: arn:aws:kafka:ap-northeast-1:922503285322:/v1/clusters


UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kafka:ListClusters on
1 resource: arn:aws:kafka:ap-southeast-1:922503285322:/v1/clusters


UNKN ap-south-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kafka:ListClusters on
resource: arn:aws:kafka:ap-south-1:922503285322:/v1/clusters

UNKN sa-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kafka:ListClusters on
resource: arn:aws:kafka:sa-east-1:922503285322:/v1/clusters
ElastiCache ElastiCache Redis Cluster Encryption At-Rest

17 0 0 0
Test Description Ensure that your Amazon ElastiCache Redis clusters are encrypted to increase data security.
Amazon ElastiCache provides an optional feature to encrypt your data saved to persistent
Additional Info media. Enable this feature and use customer-managed keys In order to protect it from
unauthorized access and fulfill compliance requirements within your organization.
Recommended Action Enable encryption for ElastiCache cluster data-at-rest
Cloud Provider Link https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html

App Runner Service Encrypted
0 0 0 5
Test Description Ensure that AWS App Runner service is encrypted using using desired encryption level.
To protect your application's data at rest, App Runner encrypts all stored copies of your
application source image or source bundle using AWS-managed key by default.Use customer-
Additional Info
managed keys (CMKs) instead in order to gain more granular control over
Recommended Action Create App Runner Service with customer-manager keys (CMKs)
Cloud Provider Link https://docs.aws.amazon.com/apprunner/latest/dg/security-data-protection-encryption.html
R
e
s
o
u
r
c
e
Unable to query Service: User: arn:aws:sts::922503285322:assumed-

role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: apprunner:ListServices
UNKN us-east-1
on resource: arn:aws:apprunner:us-east-1:922503285322:service/*/* because no identity-
based policy allows the apprunner:ListServices action

UNKN us-west-2
on resource: arn:aws:apprunner:us-west-2:922503285322:service/*/* because no identity-

UNKN us-west-2
on resource: arn:aws:apprunner:us-west-2:922503285322:service/*/* because no identity-

UNKN eu-west-1
on resource: arn:aws:apprunner:eu-west-1:922503285322:service/*/* because no identity-
ap- Unable to query Service: User: arn:aws:sts::922503285322:assumed-

northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: apprunner:ListServices
UNKN
1 on resource: arn:aws:apprunner:ap-northeast-1:922503285322:service/*/* because no identity-
FinSpace FinSpace Environment Encrypted

0 0 0 5
Test Description Ensure that AWS FinSpace Environments are using desired encryption level.
Amazon FinSpace is a fully managed data management and analytics service that makes it
easy to store, catalog, and prepare financial industry data at scale.To encrypt this data, use a
Additional Info
KMS key with desired encrypted level to meet regulatory compliance requirements within your
organization.
Recommended Action Create FinSpace Environment with customer-manager keys (CMKs).
Cloud Provider Link https://docs.aws.amazon.com/finspace/latest/userguide/data-encryption.html
R
e
s
ur
c
e
Unable to query FinSpace Environment: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1
finspace:ListEnvironments on resource: arn:aws:finspace:us-east-
1:922503285322:environment/*

UNKN us-east-2
finspace:ListEnvironments on resource: arn:aws:finspace:us-east-
2:922503285322:environment/*

UNKN us-west-2
finspace:ListEnvironments on resource: arn:aws:finspace:us-west-
2:922503285322:environment/*

ca-central- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
UNKN
1 finspace:ListEnvironments on resource: arn:aws:finspace:ca-central-
1:922503285322:environment/*

UNKN eu-west-1
finspace:ListEnvironments on resource: arn:aws:finspace:eu-west-
1:922503285322:environment/*
CodeBuild Project Artifacts Encrypted

17 0 0 0
Test Description Ensure that your AWS CodeBuild project artifacts are encrypted with desired encryption level.
AWS CodeBuild encrypts artifacts such as a cache, logs, exported raw test report data files,
Additional Info and build results by default using AWS managed keys. Use customer-managed key instead, in
order to to gain more granular control over encryption/decryption process.
Encrypt them using customer-managed keys to gain more control over data encryption and
Recommended Action
decryption process.
Cloud Provider Link https://docs.aws.amazon.com/codebuild/latest/userguide/security-encryption.html

PASS us-east-1 No CodeBuild projects found
PASS us-east-2 No CodeBuild projects found
PASS us-west-1 No CodeBuild projects found
PASS us-west-2 No CodeBuild projects found
PASS ca-central-1 No CodeBuild projects found
PASS eu-central-1 No CodeBuild projects found
PASS eu-west-1 No CodeBuild projects found
PASS eu-north-1 No CodeBuild projects found
PASS ap-northeast-1 No CodeBuild projects found
PASS ap-southeast-1 No CodeBuild projects found
PASS ap-southeast-2 No CodeBuild projects found
PASS ap-south-1 No CodeBuild projects found
PASS sa-east-1 No CodeBuild projects found
CodePipeline Pipeline Artifacts Encrypted

16 0 0 0
Ensure that AWS CodePipeline is using desired encryption level to encrypt pipeline artifacts
Test Description
being stored in S3.
CodePipeline creates an S3 artifact bucket and default AWS managed key when you create a
pipeline.By default, these artifacts are encrypted using default AWS-managed S3 key. Use
Additional Info
customer-managed key for encryption in order to to gain more granular control over
Recommended Action Ensure customer-manager keys (CMKs) are being used for CodePipeline pipeline artifacts.
Cloud Provider Link https://docs.aws.amazon.com/codepipeline/latest/userguide/S3-artifact-encryption.html
PASS us-east-1 No Pipeline Artifacts found
PASS us-east-2 No Pipeline Artifacts found
PASS us-west-1 No Pipeline Artifacts found
PASS us-west-2 No Pipeline Artifacts found
PASS ca-central-1 No Pipeline Artifacts found
PASS eu-central-1 No Pipeline Artifacts found
PASS eu-west-1 No Pipeline Artifacts found
PASS eu-north-1 No Pipeline Artifacts found
PASS ap-northeast-1 No Pipeline Artifacts found
PASS ap-northeast-2 No Pipeline Artifacts found
PASS ap-southeast-1 No Pipeline Artifacts found
PASS ap-southeast-2 No Pipeline Artifacts found
PASS ap-south-1 No Pipeline Artifacts found
PASS sa-east-1 No Pipeline Artifacts found
HealthLake HealthLake Data Store Encrypted

0 0 0 3
Test Description Ensure that AWS HealthLake Data Store is using desired encryption level.
Amazon HealthLake is a Fast Healthcare Interoperability Resources (FHIR)-enabled patient

Data Store that uses AWS-managed KMS keys for encryption. Encrypt these data stores using
Additional Info
customer-managed keys (CMKs) in order to gain more granular control over
Recommended Action Create HealthLake Data Store with customer-manager keys (CMKs).
Cloud Provider Link https://docs.aws.amazon.com/healthlake/latest/devguide/data-protection.html
R
e
s
o
u
r
c
e
Unable to query HealthLake Data Store: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 healthlake:ListFHIRDatastores on resource: arn:aws:healthlake:us-east-
1:922503285322:datastore/fhir/* because no identity-based policy allows the
healthlake:ListFHIRDatastores action

UNKN us-east-2 healthlake:ListFHIRDatastores on resource: arn:aws:healthlake:us-east-

UNKN us-west-2 healthlake:ListFHIRDatastores on resource: arn:aws:healthlake:us-west-
CodeArtifact CodeArtifact Domain Encrypted

0 0 0 12
Ensures that AWS CodeArtifact domains have encryption enabled with desired encryption
Test Description
level.
CodeArtifact domains make it easier to manage multiple repositories across an organization.

By default, domain assets are encrypted with AWS-managed KMS key. Encrypt them using
Additional Info
customer-managed keys in order to gain more granular control over encryption/decryption
process
Recommended Action Encrypt CodeArtifact domains with desired encryption level
Cloud Provider Link https://docs.aws.amazon.com/codeartifact/latest/ug/domain-create.html
R
e
s
o
u
r
c
e
Unable to list CodeArtifact domains: User: arn:aws:sts::922503285322:assumed-
UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: codeartifact:ListDomains
on resource: * because no identity-based policy allows the codeartifact:ListDomains action

UNKN us-east-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: codeartifact:ListDomains

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: codeartifact:ListDomains

eu-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: codeartifact:ListDomains
1

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: codeartifact:ListDomains



UNKN eu-north-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: codeartifact:ListDomains
ap- Unable to list CodeArtifact domains: User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: codeartifact:ListDomains
1 on resource: * because no identity-based policy allows the codeartifact:ListDomains action

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: codeartifact:ListDomains

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: codeartifact:ListDomains

UNKN ap-south-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: codeartifact:ListDomains
Audit Manager Audit Manager Data Encrypted

0 0 0 12
Test Description Ensure that all data in Audit Manager is encrypted with desired encryption level.
All resource in AWS Audit Manager such as assessments, controls, frameworks, evidence are
encrypted under a customer managed key or an AWS owned key, depending on your selected
Additional Info settings. If you don’t provide a customer managed key, AWS Audit Manager uses an AWS
owned key to encrypt your content. Encrypt these resources using customer-managed keys in
order to gain more granular control over encryption/decryption process.
Modify Audit Manager data encryption settings and choose desired encryption key for data
Recommended Action
encryption
Cloud Provider Link https://docs.aws.amazon.com/audit-manager/latest/userguide/data-protection.html
R
e
s
ur
c
e
Unable to query Audit Manager settings: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
auditmanager:GetSettings on resource: arn:aws:auditmanager:us-east-1:922503285322:*

UNKN us-east-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
auditmanager:GetSettings on resource: arn:aws:auditmanager:us-east-2:922503285322:*

UNKN us-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
auditmanager:GetSettings on resource: arn:aws:auditmanager:us-west-1:922503285322:*

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
auditmanager:GetSettings on resource: arn:aws:auditmanager:us-west-2:922503285322:*

ca-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
1
auditmanager:GetSettings on resource: arn:aws:auditmanager:ca-central-1:922503285322:*

eu-central-
1
auditmanager:GetSettings on resource: arn:aws:auditmanager:eu-central-1:922503285322:*

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
auditmanager:GetSettings on resource: arn:aws:auditmanager:eu-west-1:922503285322:*

UNKN eu-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
auditmanager:GetSettings on resource: arn:aws:auditmanager:eu-west-2:922503285322:*

ap-
UNKN northeast-
auditmanager:GetSettings on resource: arn:aws:auditmanager:ap-northeast-
1
1:922503285322:*

ap-
UNKN southeast-
auditmanager:GetSettings on resource: arn:aws:auditmanager:ap-southeast-
1
1:922503285322:*

ap-
UNKN southeast-
auditmanager:GetSettings on resource: arn:aws:auditmanager:ap-southeast-
2
2:922503285322:*

UNKN ap-south-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
auditmanager:GetSettings on resource: arn:aws:auditmanager:ap-south-1:922503285322:*
AppFlow AppFlow Flow Encrypted
0 0 0 15
Test Description Ensure that your Amazon AppFlow flows are encrypted with desired encryption level.
Amazon AppFlow encrypts your access tokens, secret keys, and data in transit and data at
Additional Info rest with AWS-manager keys by default. Encrypt them using customer-managed keys in order
to gain more granular control over encryption/decryption process.
Recommended Action Create AppFlow flows with customer-manager keys (CMKs).
Cloud Provider Link https://docs.aws.amazon.com/appflow/latest/userguide/data-protection.html
R
es
ur
ce
Unable to list AppFlow flows: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
resource: arn:aws:appflow:us-east-1:922503285322:flow/*

UNKN us-east-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
resource: arn:aws:appflow:us-east-2:922503285322:flow/*

UNKN us-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
resource: arn:aws:appflow:us-west-1:922503285322:flow/*

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
resource: arn:aws:appflow:us-west-2:922503285322:flow/*

ca-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
1
resource: arn:aws:appflow:ca-central-1:922503285322:flow/*

eu-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
1
resource: arn:aws:appflow:eu-central-1:922503285322:flow/*

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
resource: arn:aws:appflow:eu-west-1:922503285322:flow/*


ap- Unable to list AppFlow flows: User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
1 resource: arn:aws:appflow:ap-northeast-1:922503285322:flow/*

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
2 resource: arn:aws:appflow:ap-northeast-2:922503285322:flow/*
UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
1 resource: arn:aws:appflow:ap-southeast-1:922503285322:flow/*

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
2 resource: arn:aws:appflow:ap-southeast-2:922503285322:flow/*

UNKN ap-south-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
resource: arn:aws:appflow:ap-south-1:922503285322:flow/*

UNKN sa-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: appflow:ListFlows on
resource: arn:aws:appflow:sa-east-1:922503285322:flow/*
Elastic Transcoder Elastic Transcoder Pipeline Data Encrypted

0 0 0 8
Ensure that Elastic Transcoder pipelines have encryption enabled with desired encryption level
Test Description
to encrypt your data.
Amazon Elastic Transcoder pipelines use AWS-managed KMS keys to encrypt your data.You
Additional Info should use customer-managed keys in order to gain more granular control over
encryption/decryption process
Recommended Action Modify Elastic Transcoder pipelines encryption settings to use custom KMS key
Cloud Provider Link https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/encryption.html
R
e
s
o
u
r
c
e
Unable to list Elastic Transcoder pipelines: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1
elastictranscoder:ListPipelines because no identity-based policy allows the
elastictranscoder:ListPipelines action

UNKN us-west-2

UNKN us-west-1 elastictranscoder:ListPipelines because no identity-based policy allows the

UNKN eu-west-1 elastictranscoder:ListPipelines because no identity-based policy allows the

ap-
UNKN southeast-
1

ap-
UNKN northeast-
1

ap-
UNKN southeast-
2

UNKN ap-south-1
Elastic Transcoder Elastic Transcoder Job Outputs Encrypted

0 0 0 8
Ensure that Elastic Transcoder jobs have encryption enabled to encrypt your data before
Test Description
saving on S3.
Amazon Elastic Transcoder jobs saves th result output on S3. If you don't configure encryption
parameters, these job will save the file unencrypted. You should enabled encryption for output
Additional Info
files and use customer-managed keys for encryption in order to gain more granular control
over encryption/decryption process
Recommended Action Enable encryption for Elastic Transcoder job outputs
Cloud Provider Link https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/encryption.html
R
e
s
o
u
r
c
e

UNKN us-east-1

UNKN us-west-2 elastictranscoder:ListPipelines because no identity-based policy allows the
UNKN us-west-1

UNKN eu-west-1

ap-
UNKN southeast-
1

ap-
UNKN northeast-
1

ap-
UNKN southeast-
2

UNKN ap-south-1
Translate Translate Job Output Encrypted

6 0 0 0
Ensure that your Amazon Translate jobs have CMK encryption enabled for output data residing
Test Description
on S3.
Amazon Translate encrypts your output data with AWS-manager keys by default. Encrypt your
Additional Info files using customer-managed keys in order to gain more granular control over
Recommended Action Create Translate jobs with customer-manager keys (CMKs).
Cloud Provider Link https://docs.aws.amazon.com/translate/latest/dg/encryption-at-rest.html
PASS us-east-1 No Translate text jobs found
PASS us-east-2 No Translate text jobs found
PASS us-west-2 No Translate text jobs found
PASS eu-west-1 No Translate text jobs found

PASS eu-west-2 No Translate text jobs found
PASS ap-northeast-2 No Translate text jobs found
Glue DataBrew AWS Glue DataBrew Job Output Encrypted

0 0 0 16
Ensure that AWS Glue DataBrew jobs have encryption enabled for output files with desired
Test Description
encryption level.
AWS Glue DataBrew jobs should have encryption enabled to encrypt S3 targets i.e. output
Additional Info
files to meet regulatory compliance requirements within your organization.
Recommended Action Modify Glue DataBrew jobs to set desired encryption configuration
Cloud Provider Link https://docs.aws.amazon.com/databrew/latest/dg/encryption-security-configuration.html
R
es
ur
ce
Unable to list DataBrew jobs: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
resource: arn:aws:databrew:us-east-1:922503285322:*

UNKN us-east-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
resource: arn:aws:databrew:us-east-2:922503285322:*

UNKN us-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
resource: arn:aws:databrew:us-west-1:922503285322:*

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
resource: arn:aws:databrew:us-west-2:922503285322:*

ca-central- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
UNKN
1 resource: arn:aws:databrew:ca-central-1:922503285322:*

eu-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
1
resource: arn:aws:databrew:eu-central-1:922503285322:*

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
resource: arn:aws:databrew:eu-west-1:922503285322:*


UNKN eu-north-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
resource: arn:aws:databrew:eu-north-1:922503285322:*
ap- Unable to list DataBrew jobs: User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
1 resource: arn:aws:databrew:ap-northeast-1:922503285322:*

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
2 resource: arn:aws:databrew:ap-northeast-2:922503285322:*

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
1 resource: arn:aws:databrew:ap-southeast-1:922503285322:*

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
2 resource: arn:aws:databrew:ap-southeast-2:922503285322:*

UNKN ap-south-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
resource: arn:aws:databrew:ap-south-1:922503285322:*

UNKN sa-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: databrew:ListJobs on
resource: arn:aws:databrew:sa-east-1:922503285322:*
Managed Blockchain Managed Blockchain Network Member Data Encrypted

0 0 0 6
Ensure that members created in Amazon Managed Blockchain are encrtypted using desired
Test Description
encryption level.
Amazon Managed Blockchain encrypts the network member data at-rest by default with AWS-
Additional Info managed keys. Use your own key (CMK) to encrypt this data to meet regulatory compliance
requirements within your organization
Recommended Action Ensure members in Managed Blockchain are using desired encryption level for encryption
https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/managed-
Cloud Provider Link
blockchain-encryption-at-rest.html
R
e
s
o
u
r
c
e
Unable to query for Managed Blockchain networks: User:

arn:aws:sts::922503285322:assumed-role/Cloud3_AuditRole/cloudsploit_scan is not
UNKN us-east-1
authorized to perform: managedblockchain:ListNetworks on resource:
arn:aws:managedblockchain:us-east-1:922503285322:*

ap-
UNKN northeast-
2
arn:aws:managedblockchain:ap-northeast-2:922503285322:*

ap-
UNKN southeast-
1
arn:aws:managedblockchain:ap-southeast-1:922503285322:*

ap-
UNKN northeast-
1
arn:aws:managedblockchain:ap-northeast-1:922503285322:*

UNKN eu-west-1
arn:aws:managedblockchain:eu-west-1:922503285322:*

UNKN eu-west-2
arn:aws:managedblockchain:eu-west-2:922503285322:*
DocumentDB DocumentDB Cluster Encrypted

15 0 0 0
Ensure that data at-rest in encrypted in AWS DocumentDB clusters using desired encryption
Test Description
level.
Amazon DocumentDB integrates with AWS KMS and uses a method known as envelope
Additional Info encryption to protect your data. This gives you an extra layer of data security and help meet
security compliance and regulations within your organization.
Recommended Action Modify DocumentDB cluster at-rest encryption configuration to use desired encryption key
Cloud Provider Link https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html
PASS us-east-1 No DocumentDB clusters found
PASS us-west-2 No DocumentDB clusters found
PASS ca-central-1 No DocumentDB clusters found
PASS eu-central-1 No DocumentDB clusters found

PASS eu-west-1 No DocumentDB clusters found
PASS eu-north-1 No DocumentDB clusters found
PASS ap-northeast-1 No DocumentDB clusters found
PASS ap-southeast-1 No DocumentDB clusters found
PASS ap-south-1 No DocumentDB clusters found
PASS sa-east-1 No DocumentDB clusters found
Connect Connect Instance Media Streams Encrypted

0 0 0 9
Ensure that Amazon Connect instances have encryption enabled for media streams being
Test Description
saved on Kinesis Video Stream.
In Amazon Connect, you can capture customer audio during an interaction with your contact
center by sending the audio to a Kinesis video stream. All data put into a Kinesis video stream
Additional Info
is encrypted at rest using AWS-managed KMS keys. Use customer-managed keys instead, in
order to meet regulatory compliance requirements within your organization.
Recommended Action Modify Connect instance data storage configuration and enable encryption for media streams
Cloud Provider Link https://docs.aws.amazon.com/connect/latest/adminguide/enable-live-media-streams.html
R
e
s
ur
c
e
Unable to query Connect instances: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: connect:ListInstances on
resource: arn:aws:connect:us-east-1:922503285322:/instance

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: connect:ListInstances on
resource: arn:aws:connect:us-west-2:922503285322:/instance

UNKN eu-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: connect:ListInstances on
resource: arn:aws:connect:eu-west-2:922503285322:/instance

ca-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: connect:ListInstances on
1
resource: arn:aws:connect:ca-central-1:922503285322:/instance

eu-central-
1
resource: arn:aws:connect:eu-central-1:922503285322:/instance
ap- Unable to query Connect instances: User: arn:aws:sts::922503285322:assumed-

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: connect:ListInstances on
1 resource: arn:aws:connect:ap-southeast-1:922503285322:/instance


UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: connect:ListInstances on
1 resource: arn:aws:connect:ap-northeast-1:922503285322:/instance

Connect Connect Instance Chat Transcripts Encrypted

0 0 0 9
Ensure that Amazon Connect instances have encryption enabled for chat transcripts being
Test Description
saved on S3.
You can configure Amazon Connect instance to save transcripts for chats to be saved on S3.
Additional Info When you save such data on S3, enable encryption for the data and use a KMS key with
desired encrypted level to meet regulatory compliance requirements within your organization.
Recommended Action Modify Connect instance data storage configuration and enable encryption for chat transcripts
Cloud Provider Link https://docs.aws.amazon.com/connect/latest/adminguide/encryption-at-rest.html
R
e
s
ur
c
e




ca-central-
1

eu-central-
1




Connect Connect Instance Exported Reports Encrypted

0 0 0 9
Ensure that Amazon Connect instances have encryption enabled for exported reports being
Test Description
saved on S3.
You can configure Amazon Connect instance to save exported reports on S3. When you save
Additional Info such data on S3, enable encryption for the data and use a KMS key with desired encrypted
level to meet regulatory compliance requirements within your organization.
Recommended Action Modify Connect instance data storage configuration and enable encryption for exported reports
R
e
s
ur
c
e



ca-central-
1

eu-central-
1




Connect Connect Instance Call Recording Encrypted

0 0 0 9
Ensure that Amazon Connect instances have encryption enabled for call recordgins being
Test Description
saved on S3.
You can configure Amazon Connect instance to save recordings for incoming call to be saved
on S3. When you save such data on S3, enable encryption for the data and use a KMS key
Additional Info
with desired encrypted level to meet regulatory compliance requirements within your
organization.
Recommended Action Modify Connect instance data storage configuration and enable encryption for call recordings
R
e
s
ur
c
e




ca-central-
1

eu-central-
1




Connect Connect Instance Attachments Encrypted

0 0 0 9
Ensure that Amazon Connect instances have encryption enabled for attachments being saved
Test Description
on S3.
You can configure Amazon Connect instance to save attachments on S3. When you save such
Additional Info data on S3, enable encryption for the data and use a KMS key with desired encrypted level to
meet regulatory compliance requirements within your organization.
Recommended Action Modify Connect instance data storage configuration and enable encryption for attachments
Cloud Provider Link https://docs.aws.amazon.com/connect/latest/adminguide/set-up-recordings.html
R
e
s
ur
c
e



ca-central-
1

eu-central-
1




Backup Backup Vault Encrypted

0 0 0 17
Ensure that your Amazon Backup vaults are using AWS KMS Customer Master Keys instead
Test Description
of AWS managed-keys (i.e. default encryption keys).
When you encrypt AWS Backup using your own AWS KMS Customer Master Keys (CMKs) for
Additional Info enhanced protection, you have full control over who can use the encryption keys to access
your backups.
Recommended Action Encrypt Backup Vault with desired encryption level
Cloud Provider Link https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault.html
R
e
s
o
ur
c
e
Unable to list Backup vaults: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1
backup:ListBackupVaults because no identity-based policy allows the
backup:ListBackupVaults action

UNKN us-east-2

UNKN us-west-1

UNKN us-west-2

UNKN
1 backup:ListBackupVaults because no identity-based policy allows the

UNKN
1 backup:ListBackupVaults because no identity-based policy allows the

UNKN eu-west-1

UNKN eu-west-2

UNKN eu-west-3 backup:ListBackupVaults because no identity-based policy allows the

UNKN eu-north-1

ap-
UNKN northeast-
1

ap-
UNKN northeast-
2

ap-
UNKN southeast-
1
ap-
UNKN southeast-
2

ap-
UNKN northeast-
3

UNKN ap-south-1

sa-east-1
ElasticBeanstalk Enhanced Health Reporting

17 0 0 0
Ensure that Amazon Elastic Beanstalk (EB) environments have enhanced health reporting
Test Description
feature enabled.
Enhanced health reporting is a feature that you can enable on your environment to allow AWS
Elastic Beanstalk to gather additionalinformation about resources in your environment. Elastic
Additional Info Beanstalk analyzes the information gathered to provide a better picture of overallenvironment
health and aid in the identification of issues that can cause your application to become
unavailable.
Recommended Action Modify Elastic Beanstalk environmentsand enable enhanced health reporting.
Cloud Provider Link https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/health-enhanced.html
PASS us-east-1 No Elastic Beanstalk environments found
PASS us-east-2 No Elastic Beanstalk environments found
PASS us-west-1 No Elastic Beanstalk environments found
PASS us-west-2 No Elastic Beanstalk environments found
PASS ca-central-1 No Elastic Beanstalk environments found
PASS eu-central-1 No Elastic Beanstalk environments found
PASS eu-west-1 No Elastic Beanstalk environments found

PASS eu-north-1 No Elastic Beanstalk environments found
PASS ap-northeast-1 No Elastic Beanstalk environments found
PASS ap-southeast-1 No Elastic Beanstalk environments found
PASS ap-southeast-2 No Elastic Beanstalk environments found
PASS ap-south-1 No Elastic Beanstalk environments found
PASS sa-east-1 No Elastic Beanstalk environments found
ElasticBeanstalk Environment Access Logs

17 0 0 0
Ensure that your Amazon Elastic Beanstalk environment is configured to save logs for load
Test Description
balancer associated with the application environment.
Elastic Load Balancing provides access logs that capture detailed information about requests
sent to your load balancer. Each log contains information such as the time the request was
Additional Info
received, the client's IP address, latencies, request paths, and server responses. You can use
these access logs to analyze traffic patterns and troubleshoot issues.
Go to specific environment, select Configuration, edit Load Balancer category, and enable
Recommended Action
Store logs
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-
Cloud Provider Link
logs.html
PASS us-east-1 No ElasticBeanstalk environments found
PASS us-west-1 No ElasticBeanstalk environments found

PASS ca-central-1 No ElasticBeanstalk environments found
PASS eu-central-1 No ElasticBeanstalk environments found
PASS eu-west-1 No ElasticBeanstalk environments found
PASS eu-north-1 No ElasticBeanstalk environments found
PASS ap-northeast-1 No ElasticBeanstalk environments found
PASS ap-southeast-1 No ElasticBeanstalk environments found
PASS ap-south-1 No ElasticBeanstalk environments found
PASS sa-east-1 No ElasticBeanstalk environments found
ElasticBeanstalk Environment Persistent Logs

17 0 0 0
Test Description Ensure that AWS Elastic Beanstalk environment logs are retained and saved on S3.
Elastic Beanstalk environment logs should be retained in order to keep the logging data for
Additional Info future audits, historical purposes or to track and analyze the EB application environment
behavior for a long period of time.
Go to specific environment, select Configuration, edit Software category, and enable Log
Recommended Action
streaming
Cloud Provider Link https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.cloudwatchlogs.html

PASS ca-central-1 No ElasticBeanstalk environments found
PASS eu-central-1 No ElasticBeanstalk environments found
PASS eu-north-1 No ElasticBeanstalk environments found
PASS ap-south-1 No ElasticBeanstalk environments found
PASS sa-east-1 No ElasticBeanstalk environments found
EKS EKS Latest Platform Version

17 0 0 0
Test Description Ensure that EKS clusters are using latest platform version.
Amazon EKS platform versions represent the capabilities of the Amazon EKS cluster control
plane, such as which Kubernetes API server flags are enabled, as well as the current
Additional Info
Kubernetes patch version.Clusters should be kept up to date of latest platforms to ensure
Kubernetes security patches are applied.
Recommended Action Check for the version on all EKS clusters to be the latest platform version.
Cloud Provider Link https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html

EMR EMR Instances Counts

18 0 0 0
Ensure that the number of EMR cluster instances provisioned in your AWS account has not
Test Description
reached the desired threshold established by your organization.
Setting threshold for the number of EMR cluster instances provisioned within your AWS
Additional Info account will help to manage EMR compute resources andprevent unexpected charges on your
AWS bill.
Ensure that the number of running EMR cluster instances matches the expected count. If
Recommended Action
instances are launched above the threshold, investigate to ensure they are legitimate.
Cloud Provider Link https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-manage-view-clusters.html

PASS us-east-1 No EMR clusters found
PASS us-east-2 No EMR clusters found
PASS us-west-1 No EMR clusters found
PASS us-west-2 No EMR clusters found
PASS ca-central-1 No EMR clusters found
PASS eu-central-1 No EMR clusters found
PASS eu-west-1 No EMR clusters found
PASS eu-north-1 No EMR clusters found
PASS ap-northeast-1 No EMR clusters found
PASS ap-southeast-1 No EMR clusters found
PASS ap-southeast-2 No EMR clusters found
PASS ap-south-1 No EMR clusters found
PASS sa-east-1 No EMR clusters found
PASS global 0 EMR instances in the account are within the global expected count of: 200
Kinesis Video Streams Video Stream Data Encrypted

0 0 0 14
Test Description Ensure that Amazon Kinesis Video Streams is using desired encryption level for Data at-rest.
Server-side encryption is always enabled on Kinesis video streams data. If a user-provided key
is not specified when the stream is created, the default key (provided by Kinesis Video
Additional Info Streams) is used. It is recommended to use customer-managed keys (CMKs) for encryption in
order to gain more granular control over encryption/decryption process.
Recommended Action Encrypt Kinesis Video Streams data with customer-manager keys (CMKs).
Cloud Provider Link https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/how-kms.html
R
e
s
ur
c
e
Unable to query Kinesis Video Streams: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams
because no identity-based policy allows the kinesisvideo:ListStreams action

UNKN us-east-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams

ca-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams
1

eu-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams
1

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams


ap- Unable to query Kinesis Video Streams: User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams
1 because no identity-based policy allows the kinesisvideo:ListStreams action

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams

UNKN ap-south-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams
UNKN sa-east-1 Unable to query Kinesis Video Streams: User: arn:aws:sts::922503285322:assumed-
role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kinesisvideo:ListStreams
KMS KMS Grant Least Privilege

18 0 0 0
Test Description Ensure that AWS KMS key grants use the principle of least privileged access.
AWS KMS key grants should be created with minimum set of permissions required by grantee
Additional Info
principal to adhere to AWS security best practices.
Recommended Action Create KMS grants with minimum permission required
Cloud Provider Link https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
arn:aws:kms:us-east-1:922503285322:key/6e8f67d4-a68c-444f-9511- No grants exist for the

PASS us-east-1
6c545e93df44 KMS key
arn:aws:kms:us-east-1:922503285322:key/7f7e6f01-9e7a-4a73- KMS key is AWS-

PASS us-east-1
9471-a8a017198546 managed
eu-central-
1
ap-
northeast-1
ap-
PASS northeast-2 No KMS keys found
ap-
southeast-1
ap-
southeast-2
ap-
northeast-3
KMS KMS Duplicate Grants

18 0 0 0
Ensure that AWS KMS keys does not have duplicate grants to adhere to AWS security best
Test Description
practices.
Duplicate grants have the same key ARN, API actions, grantee principal, encryption context,
Additional Info and name. If you retire or revoke the original grant but leave the duplicates, the leftover
duplicate grants constitute unintended escalations of privilege.
Recommended Action Delete duplicate grants for AWS KMS keys
Cloud Provider Link https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
arn:aws:kms:us-east-1:922503285322:key/6e8f67d4-a68c-444f-9511- No grants exist for the

PASS us-east-1
6c545e93df44 KMS key
arn:aws:kms:us-east-1:922503285322:key/7f7e6f01-9e7a-4a73- KMS key is AWS-

PASS us-east-1
9471-a8a017198546 managed
eu-central-
1
eu-north-1 No KMS keys found

PASS
ap-
northeast-1
ap-
northeast-2
ap-
southeast-1
ap-
southeast-2
ap-
northeast-3
ElastiCache ElastiCache Instance Generation

17 0 0 0
Ensure that all ElastiCache clusters provisioned within your AWS account are using the latest
Test Description
generation of instances
Using the latest generation of Amazon ElastiCache instances instances will benefit clusters for
Additional Info higher hardware performance, better support for latest Memcached and Redis in-memory
engines versions and lower costs.
Recommended Action Upgrade ElastiCache instance generaion to the latest available generation.
Cloud Provider Link https://aws.amazon.com/elasticache/previous-generation/

ElastiCache ElastiCache Engine Versions for Redis

17 0 0 0
Ensure that Amazon ElastiCache clusters are using the stable latest version of Redis cache
Test Description
engine.
ElastiCache clusters with the latest version of Redis cache engine, You will benefit from new
features and enhancements, Using engines prior to version 3.2.6 will not be benefited with
Additional Info
Encryption Options, support for HIPAA compliance and much more. Also engine version 3.2.10
does not support Encryption options.
Recommended Action Upgrade the version of Redis on all ElastiCache clusters to the latest available version.
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/supported-engine-
Cloud Provider Link
versions.html

ElastiCache ElastiCache Nodes Count

18 0 0 0
Ensure that the number of ElastiCache cluster cache nodes has not reached the limit quota
Test Description
established by your organization.
Defining limits for the maximum number of ElastiCache cluster nodes that can be created
Additional Info within your AWS account will help you to better manage your ElastiCache compute resources
and prevent unexpected charges on your AWS bill.
Recommended Action Enable limit for ElastiCache cluster nodes count
Cloud Provider Link https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheNodes.html
us-west-2 No ElastiCache clusters found

PASS
PASS global Region contains "0" provisioned ElastiCache nodes of "200" limit
ElastiCache ElastiCache Redis Cluster Have Multi-AZ

17 0 0 0
Ensure that your ElastiCache Redis Cache clusters are using a Multi-AZ deployment
Test Description
configuration to enhance High Availability.
Enabling the Multi-AZ feature for your Redis Cache clusters will improve the fault tolerance in
Additional Info case the read/write primary node becomes unreachable due to loss of network connectivity,
loss of availability in the primary’s AZ, etc.
Recommended Action Enable Redis Multi-AZ for ElastiCache clusters
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-
Cloud Provider Link
ug/AutoFailover.html#AutoFailover.Enable

PASS us-east-1 No elasticache clusters found
PASS us-east-2 No elasticache clusters found
PASS us-west-1 No elasticache clusters found
PASS us-west-2 No elasticache clusters found
PASS ca-central-1 No elasticache clusters found
PASS eu-central-1 No elasticache clusters found
PASS eu-west-1 No elasticache clusters found
PASS eu-north-1 No elasticache clusters found
PASS ap-northeast-1 No elasticache clusters found
PASS ap-southeast-1 No elasticache clusters found
PASS ap-southeast-2 No elasticache clusters found
PASS ap-south-1 No elasticache clusters found
PASS sa-east-1 No elasticache clusters found
EC2 SSM Managed Instances

16 0 6 0
Test Description Ensure that all Amazon EC2 instances are managed by AWS Systems Manager (SSM).
Systems Manager simplifies AWS cloud resource management, quickly detects and resolve
Additional Info operational problems, and makes it easier to operate and manage your instances securely at
large scale.
Recommended Action Configure AWS EC2 instance as SSM Managed Instances
Cloud Provider Link https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html

EC2 Instance: i-065bb7e431488d139 is not
managed by AWS Systems Manager
065bb7e431488d139
EC2 Instance: i-05cf4724e3a4599f0 is not
05cf4724e3a4599f0
EC2 Instance: i-045076929c6d415ad is not
045076929c6d415ad
EC2 Instance: i-08f266f579dc814bc is not
08f266f579dc814bc
EC2 Instance: i-006fe48adf55ff7ad is not managed
by AWS Systems Manager
006fe48adf55ff7ad
EC2 Instance: i-05e8cda4ca1cd3f78 is not
05e8cda4ca1cd3f78
PASS us-east-2 No EC2 instances found
ca-central-
1
eu-central-
1
PASS eu-north-1 No EC2 instances found
ap-
1
ap-
2
ap-
1
ap-
2
ap-
3
PASS ap-south-1 No EC2 instances found
PASS sa-east-1 No EC2 instances found
Connect Connect Wisdom Domain Encrypted

0 0 0 6
Ensure that Wisdom domains created under Amazon Connect instances are using desired
Test Description
KMS encryption level.
All user data stored in Amazon Connect Wisdom is encrypted at rest using encryption keys
Additional Info stored in AWS Key Management Service. Additionally, you can provide customer managed
KMS keys in order to gain more control over encryption/decryption processes.
Recommended Action Ensure that Amazon Connect Wisdom domains have encryption enabled.
R
e
s
ur
c
e
Unable to query Connect Wisdom domains: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: wisdom:ListAssistants
on resource: arn:aws:wisdom:us-east-1:922503285322:assistant/*

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: wisdom:ListAssistants
on resource: arn:aws:wisdom:us-west-2:922503285322:assistant/*

UNKN eu-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: wisdom:ListAssistants
on resource: arn:aws:wisdom:eu-west-2:922503285322:assistant/*
UNKN eu-central- Unable to query Connect Wisdom domains: User: arn:aws:sts::922503285322:assumed-

1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: wisdom:ListAssistants
on resource: arn:aws:wisdom:eu-central-1:922503285322:assistant/*
ap- Unable to query Connect Wisdom domains: User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: wisdom:ListAssistants
1 on resource: arn:aws:wisdom:ap-northeast-1:922503285322:assistant/*
ap- Unable to query Connect Wisdom domains: User: arn:aws:sts::922503285322:assumed-

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: wisdom:ListAssistants
2 on resource: arn:aws:wisdom:ap-southeast-2:922503285322:assistant/*
Connect Connect Voice ID Domain Encrypted
0 0 0 7
Ensure that Voice domains created under Amazon Connect instances are using desired KMS
Test Description
encryption level.
All user data stored in Amazon Connect Voice ID is encrypted at rest using encryption keys
Additional Info stored in AWS Key Management Service. Additionally, you can provide customer managed
KMS keys in order to gain more control over encryption/decryption processes.
Recommended Action Ensure that Amazon Voice ID domains have encryption enabled.
R
e
s
o
u
r
c
e
Unable to query Connect Voice ID domains: User: arn:aws:sts::922503285322:assumed-

role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: voiceid:ListDomains on
UNKN us-east-1
resource: arn:aws:voiceid:us-east-1:922503285322:domain/* because no identity-based policy
allows the voiceid:ListDomains action

UNKN us-west-2
resource: arn:aws:voiceid:us-west-2:922503285322:domain/* because no identity-based policy

UNKN eu-west-2
resource: arn:aws:voiceid:eu-west-2:922503285322:domain/* because no identity-based policy

eu-central- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: voiceid:ListDomains on
UNKN
1 resource: arn:aws:voiceid:eu-central-1:922503285322:domain/* because no identity-based
policy allows the voiceid:ListDomains action
ap- Unable to query Connect Voice ID domains: User: arn:aws:sts::922503285322:assumed-

southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: voiceid:ListDomains on
UNKN
1 resource: arn:aws:voiceid:ap-southeast-1:922503285322:domain/* because no identity-based

ap-
UNKN northeast-
resource: arn:aws:voiceid:ap-northeast-1:922503285322:domain/* because no identity-based
1

ap-
UNKN southeast-
resource: arn:aws:voiceid:ap-southeast-2:922503285322:domain/* because no identity-based
2
ElastiCache ElastiCache Reserved Cache Node Payment Pending
17 0 0 0
Ensure that payments for ElastiCache Reserved Cache Nodes available within your AWS
Test Description
account has been processed completely.
When using ElastiCache Reserved Cache Nodes over standard On-Demand Cache Nodes
savings are up to max that they give when used in steady state, therefore in order to receive
Additional Info
this benefit you need to make sure that all your ElastiCache reservation purchases have been
fully successful.
Recommended Action Identify any pending payments for ElastiCache reserved cache nodes
Cloud Provider Link https://aws.amazon.com/elasticache/reserved-cache-nodes/
PASS us-east-1 No ElastiCache reserved cache node found
PASS us-east-2 No ElastiCache reserved cache node found
PASS us-west-1 No ElastiCache reserved cache node found
PASS us-west-2 No ElastiCache reserved cache node found
PASS ca-central-1 No ElastiCache reserved cache node found
PASS eu-central-1 No ElastiCache reserved cache node found
PASS eu-west-1 No ElastiCache reserved cache node found
PASS eu-north-1 No ElastiCache reserved cache node found
PASS ap-northeast-1 No ElastiCache reserved cache node found
PASS ap-southeast-1 No ElastiCache reserved cache node found
PASS ap-southeast-2 No ElastiCache reserved cache node found
PASS ap-south-1 No ElastiCache reserved cache node found
PASS sa-east-1 No ElastiCache reserved cache node found

ElastiCache Unused ElastiCache Reserved Cache Nodes
17 0 0 0
Ensure that all your AWS ElastiCache reserved nodes have corresponding cache nodes
Test Description
running within the same account of an AWS Organization.
Creating cache nodes for your unused reserved cache clusters will prevent your investment
Additional Info having a negative return. When an Amazon ElastiCache RCN is not in use the investment
made is not properly exploited.
Recommended Action Enable prevention of unused reserved nodes for ElastiCache clusters
PASS us-east-1 No elasticache reserved nodes found
PASS us-east-2 No elasticache reserved nodes found
PASS us-west-1 No elasticache reserved nodes found
PASS us-west-2 No elasticache reserved nodes found
PASS ca-central-1 No elasticache reserved nodes found
PASS eu-central-1 No elasticache reserved nodes found
PASS eu-west-1 No elasticache reserved nodes found
PASS eu-north-1 No elasticache reserved nodes found
PASS ap-northeast-1 No elasticache reserved nodes found
PASS ap-southeast-1 No elasticache reserved nodes found
PASS ap-southeast-2 No elasticache reserved nodes found
PASS ap-south-1 No elasticache reserved nodes found
PASS sa-east-1 No elasticache reserved nodes found

ElastiCache ElastiCache Reserved Cache Node Payment Failed
17 0 0 0
Ensure that payments for ElastiCache Reserved Cache Nodes available within your AWS
Test Description
account has been processed completely.
When using ElastiCache Reserved Cache Nodes over standard On-Demand Cache Nodes
savings are up to max that they give when used in steady state, therefore in order to receive
Additional Info
this benefit you need to make sure that all your ElastiCache reservation purchases have been
fully successful.
Recommended Action Identify any failed payments for ElastiCache reserved cache nodes
PASS us-east-1 No ElastiCache reserved cache nodes found
PASS us-west-1 No ElastiCache reserved cache nodes found
PASS ca-central-1 No ElastiCache reserved cache nodes found
PASS eu-central-1 No ElastiCache reserved cache nodes found
PASS eu-west-1 No ElastiCache reserved cache nodes found
PASS eu-north-1 No ElastiCache reserved cache nodes found
PASS ap-northeast-1 No ElastiCache reserved cache nodes found
PASS ap-southeast-1 No ElastiCache reserved cache nodes found
PASS ap-south-1 No ElastiCache reserved cache nodes found
PASS sa-east-1 No ElastiCache reserved cache nodes found

ElastiCache ElastiCache Reserved Cache Node Lease Expiration
17 0 0 0
Ensure that your AWS ElastiCache Reserved Cache Nodes are renewed before expiration in
Test Description
order to get a significant discount.
Reserved Cache Nodes can optimize your Amazon ElastiCache costs based on your expected
Additional Info usage. Since RCNs are not renewed automatically, purchasing another reserved ElastiCache
nodes before expiration will guarantee their billing at a discounted hourly rate.
Recommended Action Enable ElastiCache reserved cache nodes expiration days alert
PASS ca-central-1 No ElastiCache reserved cache nodes found
PASS eu-central-1 No ElastiCache reserved cache nodes found
PASS eu-north-1 No ElastiCache reserved cache nodes found
PASS ap-south-1 No ElastiCache reserved cache nodes found
PASS sa-east-1 No ElastiCache reserved cache nodes found

GuardDuty GuardDuty No Active Findings
17 0 0 0
Test Description Ensure that GurardDuty active/current findings does not exist in your AWS account.
Amazon GuardDuty is a threat detection service that continuously monitors your AWS
accounts and workloads for malicious activity and delivers detailed security findings for
Additional Info visibility and remediation. These findings should be acted upon and archived after they have
been remediated in order to follow security best practices. If a finding had not been archived
after set amount of time, Aqua CSPM plugin will display a FAIL result.
Recommended Action Resolve the GuardDuty findings and archive them
Cloud Provider Link https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
PASS us-east-1 No GuardDuty detectors found
PASS us-west-1 No GuardDuty detectors found
PASS ca-central-1 No GuardDuty detectors found
PASS eu-central-1 No GuardDuty detectors found
PASS eu-west-1 No GuardDuty detectors found
PASS eu-north-1 No GuardDuty detectors found
PASS ap-northeast-1 No GuardDuty detectors found
PASS ap-southeast-1 No GuardDuty detectors found
PASS ap-south-1 No GuardDuty detectors found
PASS sa-east-1 No GuardDuty detectors found

GuardDuty Exported Findings Encrypted
17 0 0 0
Test Description Ensure that GuardDuty findings export is encrypted using desired KMS encryption level.
GuardDuty data, such as findings, is encrypted at rest using AWS owned customer master
Additional Info keys (CMK). Additionally, you can use your use key (CMKs) in order to gain more control over
data encryption/decryption process.
Recommended Action Encrypt GuardDuty Export Findings with customer-manager keys (CMKs)
Cloud Provider Link https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html
PASS ca-central-1 No GuardDuty detectors found
PASS eu-central-1 No GuardDuty detectors found
PASS eu-north-1 No GuardDuty detectors found
PASS ap-south-1 No GuardDuty detectors found
PASS sa-east-1 No GuardDuty detectors found

WorkSpaces WorkSpaces Instance Count
13 0 0 0
Ensure that the number of Amazon WorkSpaces provisioned in your AWS account has not
Test Description
reached set limit.
In order to manage your WorkSpaces compute resources efficiently and prevent unexpected
Additional Info charges on your AWS bill, monitor and configure limits for the maximum number of
WorkSpaces instances provisioned within your AWS account.
Recommended Action Ensure that number of WorkSpaces created within your AWS account is within set limit
Cloud Provider Link https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-limits.html
PASS us-east-1 No WorkSpaces instances found
PASS us-west-2 No WorkSpaces instances found
PASS ca-central-1 No WorkSpaces instances found
PASS sa-east-1 No WorkSpaces instances found
PASS ap-south-1 No WorkSpaces instances found
PASS eu-west-1 No WorkSpaces instances found
PASS eu-central-1 No WorkSpaces instances found
PASS eu-west-2 No WorkSpaces instances found
PASS ap-southeast-1 No WorkSpaces instances found
PASS ap-northeast-1 No WorkSpaces instances found
PASS ap-southeast-2 No WorkSpaces instances found
PASS ap-northeast-2 No WorkSpaces instances found
PASS global WorkSpaces Instance count is 0 of 50 desired threshold
DocumentDB DocumentDB Cluster Backup Retention

15 0 0 0
Test Description Ensure that your Amazon DocumentDB clusters have set a minimum backup retention period.
DocumentDB cluster provides feature to retain incremental backups between 1 and 35
allowing you to quickly restore to any point within the backup retention period. Ensure that you
Additional Info
have sufficient backup retention period configured in order to restore your data in the event of
failure.
Recommended Action Modify DocumentDb cluster to configure sufficient backup retention period.
Cloud Provider Link https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-modify.html
PASS us-west-2 No DocumentDB clusters found
PASS ca-central-1 No DocumentDB clusters found
PASS eu-central-1 No DocumentDB clusters found
PASS eu-north-1 No DocumentDB clusters found
PASS ap-south-1 No DocumentDB clusters found
PASS sa-east-1 No DocumentDB clusters found
LookoutEquipment LookoutEquipment Dataset Encrypted

0 0 0 3
Ensure that Amazon Lookout for Equipment datasets are encrypted using desired KMS
Test Description
encryption level
Amazon Lookout for Equipment encrypts your data at rest with AWS owned KMS key by
Additional Info default. It is recommended to use customer-managed keys instead you will gain more granular
control over encryption/decryption process.
Recommended Action Encrypt Amazon LookoutEquipment Dataset with customer-manager keys (CMKs)
Cloud Provider Link https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/encryption-at-rest.html
R
e
s
o
u
r
c
e
Unable to query Lookout for Equipment Dataset: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 lookoutequipment:ListDatasets on resource: arn:aws:lookoutequipment:us-east-
1:922503285322:dataset/* because no identity-based policy allows the
lookoutequipment:ListDatasets action

UNKN eu-west-1 lookoutequipment:ListDatasets on resource: arn:aws:lookoutequipment:eu-west-
1:922503285322:dataset/* because no identity-based policy allows the

UNKN northeast- lookoutequipment:ListDatasets on resource: arn:aws:lookoutequipment:ap-northeast-
2 2:922503285322:dataset/* because no identity-based policy allows the
IoT SiteWise IoT SiteWise Data Encrypted

0 0 0 9
Test Description Ensure that AWS IoT SiteWise is using desired encryption level for data at-rest.
AWS IoT SiteWise encrypts data such as your asset property values and aggregate values by
Additional Info default.It is recommended to use customer managed keys in order to gain more control over
data encryption/decryption process.
Recommended Action Update IoT SiteWise encryption configuration to use a CMK.
Cloud Provider Link https://docs.aws.amazon.com/iot-sitewise/latest/userguide/encryption-at-rest.html
R
e
s
o
u
r
c
e
Unable to query IoT SiteWise encryption configuration: User:

UNKN us-east-1 authorized to perform: iotsitewise:DescribeDefaultEncryptionConfiguration on resource: *
because no identity-based policy allows the
iotsitewise:DescribeDefaultEncryptionConfiguration action

UNKN us-west-2 authorized to perform: iotsitewise:DescribeDefaultEncryptionConfiguration on resource: *

UNKN ap-south-1 authorized to perform: iotsitewise:DescribeDefaultEncryptionConfiguration on resource: *

ap- arn:aws:sts::922503285322:assumed-role/Cloud3_AuditRole/cloudsploit_scan is not
UNKN southeast- authorized to perform: iotsitewise:DescribeDefaultEncryptionConfiguration on resource: *
1 because no identity-based policy allows the

UNKN northeast- authorized to perform: iotsitewise:DescribeDefaultEncryptionConfiguration on resource: *

UNKN southeast- authorized to perform: iotsitewise:DescribeDefaultEncryptionConfiguration on resource: *

UNKN northeast- authorized to perform: iotsitewise:DescribeDefaultEncryptionConfiguration on resource: *

eu-central-
UNKN authorized to perform: iotsitewise:DescribeDefaultEncryptionConfiguration on resource: *
1

UNKN eu-west-1 authorized to perform: iotsitewise:DescribeDefaultEncryptionConfiguration on resource: *
Location Tracker Data Encrypted

0 0 0 9
Test Description Ensure that Amazon Location tracker data is encrypted using desired KMS encryption level
Amazon Location Service provides encryption by default to protect sensitive customer data at
Additional Info rest using AWS owned encryption keys. It is recommended to use customer-managed keys
instead in order to gain more granular control over encryption/decryption process.
Recommended Action Encrypt Amazon Location tracker with customer-manager keys (CMKs)
Cloud Provider Link https://docs.aws.amazon.com/location/latest/developerguide/encryption-at-rest.html
R
es
ur
ce
Unable to query Location trackers: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: geo:ListTrackers on
resource: arn:aws:geo:us-east-1:922503285322:tracker/

UNKN us-east-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: geo:ListTrackers on
resource: arn:aws:geo:us-east-2:922503285322:tracker/

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: geo:ListTrackers on
resource: arn:aws:geo:us-west-2:922503285322:tracker/

eu-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: geo:ListTrackers on
1
resource: arn:aws:geo:eu-central-1:922503285322:tracker/

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: geo:ListTrackers on
resource: arn:aws:geo:eu-west-1:922503285322:tracker/

UNKN eu-north-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: geo:ListTrackers on
resource: arn:aws:geo:eu-north-1:922503285322:tracker/
ap- Unable to query Location trackers: User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: geo:ListTrackers on
1 resource: arn:aws:geo:ap-northeast-1:922503285322:tracker/

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: geo:ListTrackers on
1 resource: arn:aws:geo:ap-southeast-1:922503285322:tracker/

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: geo:ListTrackers on
2 resource: arn:aws:geo:ap-southeast-2:922503285322:tracker/
Location Geoference Collection Data Encrypted

0 0 0 9
Ensure that Amazon Location geoference collection data is encrypted using desired KMS
Test Description
encryption level.
Amazon Location Service provides encryption by default to protect sensitive customer data at
Additional Info rest using AWS owned encryption keys. It is recommended to use customer-managed keys
instead in order to gain more granular control over encryption/decryption process.
Recommended Action Encrypt Amazon Location geoference collection with customer-manager keys (CMKs)
Cloud Provider Link https://docs.aws.amazon.com/location/latest/developerguide/encryption-at-rest.html
R
e
s
o
u
r
c
e
Unable to query Location geoference collection: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1
geo:ListGeofenceCollections on resource: arn:aws:geo:us-east-1:922503285322:geofence-
collection/

UNKN us-east-2
geo:ListGeofenceCollections on resource: arn:aws:geo:us-east-2:922503285322:geofence-
collection/

UNKN us-west-2
geo:ListGeofenceCollections on resource: arn:aws:geo:us-west-2:922503285322:geofence-
collection/

UNKN
1 geo:ListGeofenceCollections on resource: arn:aws:geo:eu-central-1:922503285322:geofence-
collection/

UNKN eu-west-1
geo:ListGeofenceCollections on resource: arn:aws:geo:eu-west-1:922503285322:geofence-
collection/

UNKN eu-north-1
geo:ListGeofenceCollections on resource: arn:aws:geo:eu-north-1:922503285322:geofence-
collection/

ap-
UNKN northeast-
geo:ListGeofenceCollections on resource: arn:aws:geo:ap-northeast-
1
1:922503285322:geofence-collection/

ap-
UNKN southeast-
geo:ListGeofenceCollections on resource: arn:aws:geo:ap-southeast-
1

ap-
UNKN southeast-
geo:ListGeofenceCollections on resource: arn:aws:geo:ap-southeast-
2
Lookout Model Data Encrypted
0 0 0 7
Test Description Ensure that Lookout for Vision model data is encrypted using desired KMS encryption level
By default, trained models and manifest files are encrypted in Amazon S3 using server-side
encryption with KMS keys stored in AWS Key Management Service (SSE-KMS). You can also
Additional Info
use customer-managed keys instead in order to gain more granular control over
Recommended Action Encrypt LookoutVision model with customer-manager keys (CMKs) present in your account
https://docs.aws.amazon.com/lookout-for-vision/latest/developer-guide/security-data-
Cloud Provider Link
encryption.html
R
e
s
o
u
r
c
e
Unable to query for Lookout for Vision projects: User: arn:aws:sts::922503285322:assumed-

role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lookoutvision:ListProjects
UNKN us-east-1
on resource: arn:aws:lookoutvision:us-east-1:922503285322:project/* because no identity-
based policy allows the lookoutvision:ListProjects action

UNKN us-east-2
on resource: arn:aws:lookoutvision:us-east-2:922503285322:project/* because no identity-

ap-
UNKN northeast-
on resource: arn:aws:lookoutvision:ap-northeast-1:922503285322:project/* because no
1
identity-based policy allows the lookoutvision:ListProjects action
ap- Unable to query for Lookout for Vision projects: User: arn:aws:sts::922503285322:assumed-
UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lookoutvision:ListProjects
2 on resource: arn:aws:lookoutvision:ap-northeast-2:922503285322:project/* because no
identity-based policy allows the lookoutvision:ListProjects action

eu-central- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lookoutvision:ListProjects
UNKN
1 on resource: arn:aws:lookoutvision:eu-central-1:922503285322:project/* because no identity-

UNKN eu-west-1
on resource: arn:aws:lookoutvision:eu-west-1:922503285322:project/* because no identity-

UNKN us-west-2
on resource: arn:aws:lookoutvision:us-west-2:922503285322:project/* because no identity-
LookoutMetrics LookoutMetrics Anomaly Detector Encrypted
0 0 0 9
Ensure that Amazon LookoutMetrics Anomaly Detector is encrypted using desired KMS
Test Description
encryption level
Amazon Lookout for Metrics encrypts your data at rest with your choice of an encryption key. If
you do not specify an encryption key, your data is encrypted with AWS owned key by default.
Additional Info
So use customer-managed keys instead in order to gain more granular control over
Recommended Action Encrypt Amazon LookoutMetrics Anomaly Detector with customer-manager keys (CMKs)
https://docs.aws.amazon.com/lookoutmetrics/latest/dev/security-dataprotection.html#security-
Cloud Provider Link
privacy-atrest
R
e
s
o
u
r
c
e
Unable to query LookoutMetrics Anomaly Detector: User:

UNKN us-east-1
authorized to perform: lookoutmetrics:ListAnomalyDetectors on resource:
arn:aws:lookoutmetrics:us-east-1:922503285322:/ListAnomalyDetectors

UNKN us-east-2
arn:aws:lookoutmetrics:us-east-2:922503285322:/ListAnomalyDetectors

ap-
UNKN southeast-
1
arn:aws:lookoutmetrics:ap-southeast-1:922503285322:/ListAnomalyDetectors

ap-
UNKN southeast-
2
arn:aws:lookoutmetrics:ap-southeast-2:922503285322:/ListAnomalyDetectors

ap-
UNKN northeast-
1
arn:aws:lookoutmetrics:ap-northeast-1:922503285322:/ListAnomalyDetectors

eu-central- arn:aws:sts::922503285322:assumed-role/Cloud3_AuditRole/cloudsploit_scan is not
UNKN
1 authorized to perform: lookoutmetrics:ListAnomalyDetectors on resource:
arn:aws:lookoutmetrics:eu-central-1:922503285322:/ListAnomalyDetectors

UNKN eu-west-1
arn:aws:lookoutmetrics:eu-west-1:922503285322:/ListAnomalyDetectors

eu-north-1
UNKN authorized to perform: lookoutmetrics:ListAnomalyDetectors on resource:
arn:aws:lookoutmetrics:eu-north-1:922503285322:/ListAnomalyDetectors

UNKN us-west-2
arn:aws:lookoutmetrics:us-west-2:922503285322:/ListAnomalyDetectors
Lex Audio Logs Encrypted

0 0 0 10
Test Description Ensure that Amazon Lex audio logs are encrypted using desired KMS encryption level
For audio logs you use default encryption on your S3 bucket or specify an AWS KMS key to
Additional Info encrypt your audio objects. Even if your S3 bucket uses default encryption you can still specify
a different AWS KMS key to encrypt your audio objects for enhanced security.
Recommended Action Encrypt Lex audio logs with customer-manager keys (CMKs) present in your account
Cloud Provider Link https://docs.aws.amazon.com/lex/latest/dg/conversation-logs-encrypting.html
Re
so
ur
ce
Unable to query for Lex bots: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lex:ListBots on
resource: arn:aws:lex:us-east-1:922503285322:*

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lex:ListBots on
resource: arn:aws:lex:us-west-2:922503285322:*

ca-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lex:ListBots on
1
resource: arn:aws:lex:ca-central-1:922503285322:*

eu-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lex:ListBots on
1
resource: arn:aws:lex:eu-central-1:922503285322:*

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lex:ListBots on
resource: arn:aws:lex:eu-west-1:922503285322:*

UNKN eu-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lex:ListBots on
resource: arn:aws:lex:eu-west-2:922503285322:*
ap- Unable to query for Lex bots: User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lex:ListBots on
1 resource: arn:aws:lex:ap-northeast-1:922503285322:*

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lex:ListBots on
2 resource: arn:aws:lex:ap-northeast-2:922503285322:*

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lex:ListBots on
1 resource: arn:aws:lex:ap-southeast-1:922503285322:*

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lex:ListBots on
2 resource: arn:aws:lex:ap-southeast-2:922503285322:*
Forecast Forecast Dataset Encrypted

0 0 0 10
Test Description Ensure that AWS Forecast datasets are using desired KMS key for data encryption.
Datasets contain the data used to train a predictor. You create one or more Amazon Forecast
datasets and import your training data into them. Make sure to enable encryption for these
Additional Info
datasets using customer-managed keys (CMKs) in order to gain more granular control over
Recommended Action Create Forecast datasets using customer-manager KMS keys (CMKs).
Cloud Provider Link https://docs.aws.amazon.com/forecast/latest/dg/API_CreateDataset.html
R
e
s
ur
c
e
Unable to query Forecast datasets: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: forecast:ListDatasets
because no identity-based policy allows the forecast:ListDatasets action

UNKN us-east-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: forecast:ListDatasets

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: forecast:ListDatasets

UNKN eu-central-
role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: forecast:ListDatasets
1

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: forecast:ListDatasets
ap- Unable to query Forecast datasets: User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: forecast:ListDatasets
1 because no identity-based policy allows the forecast:ListDatasets action

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: forecast:ListDatasets

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: forecast:ListDatasets

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: forecast:ListDatasets

UNKN ap-south-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: forecast:ListDatasets
Forecast Forecast Dataset Export Encrypted

0 0 0 10
Ensure that AWS Forecast exports have encryption enabled before they are being saved on
Test Description
S3.
In AWS Forecast, you can save forecast reports on S3 in CSV format. Make sure to encrypt
Additional Info these export before writing them to the bucket in order to follow your organizations's security
and compliance requirements.
Recommended Action Create Forecast exports with encryption enabled
Cloud Provider Link https://docs.aws.amazon.com/forecast/latest/dg/howitworks-forecast.html
R
e
s
o
u
r
c
e
Unable to query Forecast exports: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1
forecast:ListForecastExportJobs because no identity-based policy allows the
forecast:ListForecastExportJobs action

UNKN us-east-2

UNKN us-west-2 forecast:ListForecastExportJobs because no identity-based policy allows the

UNKN
1 forecast:ListForecastExportJobs because no identity-based policy allows the

UNKN eu-west-1

ap-
UNKN northeast-
1

ap-
UNKN northeast-
2

ap-
UNKN southeast-
1

ap-
UNKN southeast-
2

UNKN ap-south-1
FSx FSx File System Encrypted

9 0 0 0
Ensure that Amazon FSx for Windows File Server file systems are encrypted using desired
Test Description
KMS encryption level.
If your organization is subject to corporate or regulatory policies that require encryption of data
Additional Info
and metadata at rest, AWS recommends creating encrypted file systems.
Recommended Action Enable encryption for file systems created under Amazon FSx for Windows File Server
Cloud Provider Link https://docs.aws.amazon.com/fsx/latest/WindowsGuide/encryption.html
PASS us-east-1 No FSx file systems found
PASS us-west-2 No FSx file systems found
PASS eu-west-2 No FSx file systems found
PASS ca-central-1 No FSx file systems found

PASS eu-central-1 No FSx file systems found
PASS ap-southeast-1 No FSx file systems found
PASS ap-southeast-2 No FSx file systems found
PASS ap-northeast-1 No FSx file systems found
PASS ap-northeast-2 No FSx file systems found
WAF AWS WAFV2 In Use

0 0 17 0
Ensure that AWS Web Application Firewall V2 (WAFV2) is in use to achieve availability and
Test Description
security for AWS-powered web applications.
Using WAF for your web application running in AWS environment can help you against
Additional Info
common web-based attacks, SQL injection attacks, DDOS attacks and more.
Recommended Action Create one or more WAF ACLs with proper actions and rules
Cloud Provider Link https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html
FAIL us-east-1 WAFV2 is not enabled
FAIL us-east-2 WAFV2 is not enabled
FAIL us-west-1 WAFV2 is not enabled
FAIL us-west-2 WAFV2 is not enabled
FAIL ca-central-1 WAFV2 is not enabled
FAIL eu-central-1 WAFV2 is not enabled
FAIL eu-west-1 WAFV2 is not enabled
FAIL eu-north-1 WAFV2 is not enabled
FAIL ap-northeast-1 WAFV2 is not enabled

FAIL ap-southeast-1 WAFV2 is not enabled
FAIL ap-southeast-2 WAFV2 is not enabled
FAIL ap-south-1 WAFV2 is not enabled
FAIL sa-east-1 WAFV2 is not enabled
WAF AWS WAF In Use

0 0 18 0
Ensure that AWS Web Application Firewall (WAF) is in use to achieve availability and security
Test Description
for AWS-powered web applications.
Using WAF for your web application running in AWS environment can help against common
Additional Info
web-based attacks, SQL injection attacks, DDOS attacks and more.
Recommended Action Create one or more WAF ACLs with proper actions and rules
Cloud Provider Link https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html
FAIL us-east-1 WAF is not enabled
FAIL us-east-2 WAF is not enabled
FAIL us-west-1 WAF is not enabled
FAIL us-west-2 WAF is not enabled
FAIL ca-central-1 WAF is not enabled
FAIL eu-central-1 WAF is not enabled
FAIL eu-west-1 WAF is not enabled
FAIL eu-north-1 WAF is not enabled

FAIL ap-northeast-1 WAF is not enabled
FAIL ap-southeast-1 WAF is not enabled
FAIL ap-southeast-2 WAF is not enabled
FAIL ap-south-1 WAF is not enabled
FAIL sa-east-1 WAF is not enabled
FAIL global WAF is not enabled
CloudFront CloudFront Enable Origin Failover

1 0 0 0
Ensure that Origin Failover feature is enabled for your CloudFront distributions in order to
Test Description
improve the availability of the content delivered to your end users.
With Origin Failover capability, you can setup two origins for your CloudFront web distributions
Additional Info primary and secondary. In the event of primary origin failure, your content is automatically
served from the secondary origin, maintaining the distribution high reliability.
Recommended Action Modify CloudFront distributions and configure origin group instead of a single origin
https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_OriginGroupFailoverCriteria.
Cloud Provider Link
html
CloudFront CloudFront Geo Restriction

1 0 0 0
Ensure that geo-restriction feature is enabled for your CloudFront distribution to allow or block
Test Description
location-based access.
AWS CloudFront geo restriction feature can be used to assist in mitigation of Distributed Denial
Additional Info of Service (DDoS) attacks. Also you have the ability to block IP addresses based on Geo IP
from reaching your distribution and your web application content delivered by the distribution.
Recommended Action Enable CloudFront geo restriction to whitelist or block location-based access.
Cloud Provider Link https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html
CloudFront CloudFront Compress Objects Automatically

1 0 0 0
Ensure that your Amazon Cloudfront distributions are configured to automatically compress
Test Description
files(object).
Cloudfront data transfer is based on the total amount of data served, sending compressed files
to the viewers is much less expensive than sending uncompressed files. To optimise your AWS
Additional Info
cloud costs and speed up your web applications, configure your Cloudfront distributions to
compress the web content served with compression enabled.
Recommended Action Ensures that CloudFront is configured to automatically compress files
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressed
Cloud Provider Link
Files.html
DMS DMS Publicly Accessible Instances

17 0 0 0
Test Description Ensure that Amazon Database Migration Service (DMS) instances are not publicly accessible.
An AWS DMS replication instance can have one public IP address and one private IP address.
Additional Info If you uncheck (disable) the box for Publicly accessible, then the replication instance has only
a private IP address. that prevents from exposure of data to other users
Recommended Action Ensure that DMS replication instances have only private IP address and not public IP address
https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.h
Cloud Provider Link
tml
PASS us-east-1 No DMS replication instances found
PASS us-west-1 No DMS replication instances found
PASS ca-central-1 No DMS replication instances found
PASS eu-central-1 No DMS replication instances found
PASS eu-west-1 No DMS replication instances found
PASS eu-north-1 No DMS replication instances found
PASS ap-northeast-1 No DMS replication instances found
PASS ap-southeast-1 No DMS replication instances found
PASS ap-south-1 No DMS replication instances found
PASS sa-east-1 No DMS replication instances found
DMS DMS Multi-AZ Feature Enabled

17 0 0 0
Ensure that your Amazon Database Migration Service (DMS) replication instances are using
Test Description
Multi-AZ deployment configurations.
AWS Database Migration Service (AWS DMS) helps you migrate databases to AWS quickly
Additional Info and securely. In a Multi-AZ deployment, AWS DMS automatically provisions and maintains a
synchronous standby replica of the replication instance in a different Availability Zone.
Recommended Action Enable Multi-AZ deployment feature in order to get high availability and failover support
Cloud Provider Link https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.html
DMS DMS Auto Minor Version Upgrade

17 0 0 0
Ensure that your Amazon Database Migration Service (DMS) replication instances have the
Test Description
Auto Minor Version Upgrade feature enabled
AWS Database Migration Service (AWS DMS) helps you migrate databases to AWS quickly
Additional Info and securely. The DMS service releases engine version upgrades regularly to introduce new
software features, bug fixes, security patches and performance improvements.
Enable Auto Minor Version Upgrade feature in order to automatically receive minor engine
Recommended Action
upgrades for improved performance and security
Cloud Provider Link https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.Modifying.html
EC2 Unused Security Groups

5 0 17 0
Test Description Identify and remove unused EC2 security groups.
Keeping the number of security groups to a minimum makes the management easier and
Additional Info
helps to avoid reaching the service limit.
Recommended Action Remove security groups that are not being used.
Cloud Provider Link https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
arn:aws:ec2:us-east-1:922503285322:security-group/sg- Security group is being

PASS us-east-1
015527859f4cb1ab4 used

PASS us-east-1
0b29b77965792ae5d used

PASS us-east-1
031d418a21dd84701 used

PASS us-east-1
0ea00fe2209686e28 used

PASS us-east-1
0add6fd8f5e13005e used
Security group is not

FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e
being used

FAIL us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243
being used
arn:aws:ec2:us-west-1:922503285322:security-group/sg- Security group is not

FAIL us-west-1
0355558bdeb17eba4 being used
arn:aws:ec2:us-west-2:922503285322:security-group/sg- Security group is not

FAIL us-west-2
07b897bc45d1e6fe2 being used
arn:aws:ec2:ca-central-1:922503285322:security-group/sg- Security group is not

FAIL ca-central-1
0221abf87bbe12971 being used
arn:aws:ec2:eu-central-1:922503285322:security-group/sg- Security group is not

FAIL eu-central-1
09b903e8dd37bee5f being used
arn:aws:ec2:eu-west-1:922503285322:security-group/sg- Security group is not

FAIL eu-west-1
08b897c32e384acbc being used

FAIL eu-west-2
0ae841762d2749f1a being used

FAIL eu-west-3
03bc08f1c58bcf815 being used
arn:aws:ec2:eu-north-1:922503285322:security-group/sg- Security group is not

FAIL eu-north-1
04656562bedc2ae6d being used
ap- arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg- Security group is not

FAIL
northeast-1 0a5f4c4f1b5983891 being used

FAIL
northeast-2 07f8aee861c34413f being used
ap- arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg- Security group is not

FAIL
southeast-1 0f40a8e2330e64b60 being used
FAIL ap- arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg- Security group is not
southeast-2 0de72c4ef2c1b7162 being used

FAIL
northeast-3 09c1a77d7fa721022 being used
arn:aws:ec2:ap-south-1:922503285322:security-group/sg- Security group is not

FAIL ap-south-1
02cb7aa81a32263ad being used

FAIL sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7
being used
EMR EMR Cluster In VPC

17 0 0 0
Ensure that your Amazon Elastic MapReduce (EMR) clusters are provisioned using the AWS
Test Description
VPC platform instead of EC2-Classic platform.
AWS EMR clusters using VPC platform instead of EC2-Classic can bring multiple advantages
Additional Info
such as better networking infrastructure, much more flexible control over access security .
Recommended Action EMR clusters Available in VPC
Cloud Provider Link https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-vpc-launching-job-flows.htmll

Firehose Firehose Delivery Streams CMK Encrypted

17 0 0 0
Ensures Firehose delivery stream are encrypted using AWS KMS key of desired encryption
Test Description
level.
Data sent through Firehose delivery streams can be encrypted using KMS server-side
encryption. Existing delivery streams can be modified to add encryption with minimal
Additional Info
overhead. Use customer-managed keys instead in order to gain more granular control over
Recommended Action Enable encryption using desired level for all Firehose Delivery Streams.
Cloud Provider Link https://docs.aws.amazon.com/firehose/latest/dev/encryption.html
PASS us-east-1 No Firehose delivery streams found
PASS us-east-2 No Firehose delivery streams found
PASS us-west-1 No Firehose delivery streams found
PASS us-west-2 No Firehose delivery streams found
PASS ca-central-1 No Firehose delivery streams found
PASS eu-central-1 No Firehose delivery streams found
PASS eu-west-1 No Firehose delivery streams found

PASS eu-north-1 No Firehose delivery streams found
PASS ap-northeast-1 No Firehose delivery streams found
PASS ap-southeast-1 No Firehose delivery streams found
PASS ap-southeast-2 No Firehose delivery streams found
PASS ap-south-1 No Firehose delivery streams found
PASS sa-east-1 No Firehose delivery streams found
Kinesis Kinesis Data Streams Encrypted

17 0 0 0
Test Description Ensures Kinesis data streams are encrypted using AWS KMS key of desired encryption level.
Data sent to Kinesis data streams can be encrypted using KMS server-side encryption.
Existing streams can be modified to add encryption with minimal overhead. Use customer-
Additional Info
managed keys instead in order to gain more granular control over encryption/decryption
process.
Recommended Action Enable encryption using desired level for all Kinesis streams
Cloud Provider Link https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html
PASS us-east-1 No Kinesis streams found
PASS us-east-2 No Kinesis streams found
PASS us-west-1 No Kinesis streams found
PASS us-west-2 No Kinesis streams found
PASS ca-central-1 No Kinesis streams found
PASS eu-central-1 No Kinesis streams found
PASS eu-west-1 No Kinesis streams found

PASS eu-north-1 No Kinesis streams found
PASS ap-northeast-1 No Kinesis streams found
PASS ap-southeast-1 No Kinesis streams found
PASS ap-southeast-2 No Kinesis streams found
PASS ap-south-1 No Kinesis streams found
PASS sa-east-1 No Kinesis streams found
ElastiCache ElastiCache Cluster In VPC

17 0 0 0
Test Description Ensure that your ElastiCache clusters are provisioned within the AWS VPC platform.
Creating Amazon ElastiCache clusters inside Amazon VPC can bring multiple advantages
Additional Info
such as better networking infrastructure and flexible control over access security .
Recommended Action Create ElastiCache clusters within VPC network
Cloud Provider Link https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VPCs.EC.html

ElastiCache ElastiCache Desired Node Type

17 0 0 0
Ensure that the Amazon ElastiCache cluster nodes provisioned in your AWS account have the
Test Description
desired node type established within your organization based on the workload deployed.
Setting limits for the type of Amazon ElastiCache cluster nodes will help you address internal
Additional Info
compliance requirements and prevent unexpected charges on your AWS bill.
Recommended Action Create ElastiCache clusters with desired node types
Cloud Provider Link https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.html
PASS us-east-1 No ElastiCache cluster found
PASS us-east-2 No ElastiCache cluster found
PASS us-west-1 No ElastiCache cluster found
PASS us-west-2 No ElastiCache cluster found
PASS ca-central-1 No ElastiCache cluster found
PASS eu-central-1 No ElastiCache cluster found

PASS eu-west-1 No ElastiCache cluster found
PASS eu-north-1 No ElastiCache cluster found
PASS ap-northeast-1 No ElastiCache cluster found
PASS ap-southeast-1 No ElastiCache cluster found
PASS ap-southeast-2 No ElastiCache cluster found
PASS ap-south-1 No ElastiCache cluster found
PASS sa-east-1 No ElastiCache cluster found
SageMaker Notebook instance in VPC

17 0 0 0
Test Description Ensure that Amazon SageMaker Notebook instances are launched within a VPC.
Launching instances can bring multiple advantages such as better networking infrastructure,
Additional Info much more flexible control over access security. Also it makes it possible to access VPC-only
resources such as EFS file systems.
Recommended Action Migrate Notebook instances to exist within a VPC
https://docs.aws.amazon.com/sagemaker/latest/dg/API_CreateNotebookInstance.html#API_Cr
Cloud Provider Link
eateNotebookInstance_RequestSyntax
PASS us-east-1 No Notebook Instances Found
PASS us-east-2 No Notebook Instances Found
PASS us-west-1 No Notebook Instances Found
PASS us-west-2 No Notebook Instances Found
PASS ca-central-1 No Notebook Instances Found

PASS eu-central-1 No Notebook Instances Found
PASS eu-west-1 No Notebook Instances Found
PASS eu-north-1 No Notebook Instances Found
PASS ap-northeast-1 No Notebook Instances Found
PASS ap-southeast-1 No Notebook Instances Found
PASS ap-southeast-2 No Notebook Instances Found
PASS ap-south-1 No Notebook Instances Found
PASS sa-east-1 No Notebook Instances Found
SQS SQS Encryption Enabled

17 0 0 0
Test Description Ensure SQS queues are encrypted using keys of desired encryption level
Messages sent to SQS queues can be encrypted using KMS server-side encryption. Existing
Additional Info queues can be modified to add encryption with minimal overhead.Use customer-managed
keys instead in order to gain more granular control over encryption/decryption process.
Recommended Action Enable encryption using KMS Customer Master Keys (CMKs) for all SQS queues.
Cloud Provider Link
server-side-encryption.html

Secrets Manager Secrets Manager In Use

0 0 17 0
Ensure that Amazon Secrets Manager service is being used in your account to manage all the
Test Description
credentials.
Amazon Secrets Manager helps you protect sensitive information needed to access your cloud
Additional Info applications, services and resources. Users and apps can use secrets manager to get the
secrets stored with a call to Secrets Manager API, enhancing access security.
Recommended Action Use Secrets Manager service to store sensitive information in your AWS account.
Cloud Provider Link https://docs.aws.amazon.com/secretsmanager/latest/userguide/asm_access.html
FAIL us-east-1 Secrets Manager is not enabled: Unable to obtain data
FAIL us-east-2 Secrets Manager is not enabled: Unable to obtain data

FAIL us-west-1 Secrets Manager is not enabled: Unable to obtain data
FAIL us-west-2 Secrets Manager is not enabled: Unable to obtain data
FAIL ca-central-1 Secrets Manager is not enabled: Unable to obtain data
FAIL eu-central-1 Secrets Manager is not enabled: Unable to obtain data
FAIL eu-west-1 Secrets Manager is not enabled: Unable to obtain data
FAIL eu-north-1 Secrets Manager is not enabled: Unable to obtain data
FAIL ap-northeast-1 Secrets Manager is not enabled: Unable to obtain data
FAIL ap-southeast-1 Secrets Manager is not enabled: Unable to obtain data
FAIL ap-southeast-2 Secrets Manager is not enabled: Unable to obtain data
FAIL ap-south-1 Secrets Manager is not enabled: Unable to obtain data
FAIL sa-east-1 Secrets Manager is not enabled: Unable to obtain data
Fraud Detector Fraud Detector Data Encrypted

0 0 0 4
Ensure that Amazon Fraud Detector has encryption enabled for data at rest with desired KMS
Test Description
encryption level.
Amazon Fraud Detector encrypts your data at rest with AWS-managed KMS key. Use
Additional Info customer-manager KMS keys (CMKs) instead in order to follow your organizations's security
and compliance requirements.
Recommended Action Enable encryption for data at rest using PutKMSEncryptionKey API
Cloud Provider Link https://docs.aws.amazon.com/frauddetector/latest/ug/encryption-at-rest.html
R
e
s
u
r
c
e
Unable to query Fraud Detectors: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 frauddetector:GetDetectors on resource: arn:aws:frauddetector:us-east-
1:922503285322:detector/* because no identity-based policy allows the
frauddetector:GetDetectors action

UNKN us-west-2 frauddetector:GetDetectors on resource: arn:aws:frauddetector:us-west-
2:922503285322:detector/* because no identity-based policy allows the

UNKN southeast- frauddetector:GetDetectors on resource: arn:aws:frauddetector:ap-southeast-
1 1:922503285322:detector/* because no identity-based policy allows the

UNKN southeast- frauddetector:GetDetectors on resource: arn:aws:frauddetector:ap-southeast-
2 2:922503285322:detector/* because no identity-based policy allows the
IAM Access Analyzer Active Findings

17 0 0 0
Ensure that IAM Access analyzer findings are reviewed and resolved by taking all necessary
Test Description
actions.
IAM Access Analyzer helps you evaluate access permissions across your AWS cloud
environment and gives insights into intended access to your resources. It can monitor the
Additional Info access policies associated with S3 buckets, KMS keys, SQS queues, IAM roles and Lambda
functions for permissions changes. You can view IAM Access Analyzer findings at any time.
Work through all of the findings in your account until you have zero active findings.
Investigate into active findings in your account and do the needful until you have zero active
Recommended Action
findings.
Cloud Provider Link https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-work-with-findings.html
PASS us-east-1 No IAM Access Analyzer analyzers found
PASS us-east-2 No IAM Access Analyzer analyzers found
PASS us-west-1 No IAM Access Analyzer analyzers found

PASS us-west-2 No IAM Access Analyzer analyzers found
PASS ca-central-1 No IAM Access Analyzer analyzers found
PASS eu-central-1 No IAM Access Analyzer analyzers found
PASS eu-west-1 No IAM Access Analyzer analyzers found
PASS eu-north-1 No IAM Access Analyzer analyzers found
PASS ap-northeast-1 No IAM Access Analyzer analyzers found
PASS ap-southeast-1 No IAM Access Analyzer analyzers found
PASS ap-southeast-2 No IAM Access Analyzer analyzers found
PASS ap-south-1 No IAM Access Analyzer analyzers found
PASS sa-east-1 No IAM Access Analyzer analyzers found
ACM ACM Single Domain Name Certificates

17 0 0 0
Ensure that ACM single domain name certificates are used instead of wildcard certificates
Test Description
within your AWS account.
Using wildcard certificates can compromise the security of all sites i.e. domains and
Additional Info subdomains if the private key of a certificate is hacked. So it is recommended to use ACM
single domain name certificates instead of wildcard certificates.
Recommended Action Configure ACM managed certificates to use single name domain instead of wildcards.
Cloud Provider Link https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html

PASS ca-central-1 No ACM certificates found
PASS eu-central-1 No ACM certificates found
PASS eu-north-1 No ACM certificates found
PASS ap-south-1 No ACM certificates found
PASS sa-east-1 No ACM certificates found
App Mesh App Mesh VG Access Logging

16 0 0 0
Test Description Ensure that your Amazon App Mesh virtual gateways have access logging enabled.
Enabling access logging feature for App Mesh virtual gateways lets you track application mesh
Additional Info user access, helps you meet compliance regulations, and gives insight into security audits and
investigations.
To enable access logging, modify virtual gateway configuration settings and configure the file
Recommended Action
path to write access logs to.
Cloud Provider Link https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy-logs.html

PASS us-east-1 No App Mesh meshes found
PASS us-west-1 No App Mesh meshes found
PASS ca-central-1 No App Mesh meshes found
PASS eu-central-1 No App Mesh meshes found
PASS eu-west-1 No App Mesh meshes found
PASS eu-north-1 No App Mesh meshes found
PASS ap-northeast-1 No App Mesh meshes found
PASS ap-southeast-1 No App Mesh meshes found
PASS ap-south-1 No App Mesh meshes found
PASS sa-east-1 No App Mesh meshes found
API Gateway API Gateway Response Caching

17 0 0 0
Test Description Ensure that response caching is enabled for your Amazon API Gateway REST APIs.
A REST API in API Gateway is a collection of resources and methods that are integrated with
backend HTTP endpoints, Lambda functions, or other AWS services.You can enable API
Additional Info caching in Amazon API Gateway to cache your endpoint responses. With caching, you can
reduce the number of calls made to your endpoint and also improve the latency of requests to
your API.
Recommended Action Modify API Gateway API stages to enable API cache
Cloud Provider Link https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html

PASS us-east-1 No API Gateway rest APIs found
PASS us-west-1 No API Gateway rest APIs found
PASS ca-central-1 No API Gateway rest APIs found
PASS eu-central-1 No API Gateway rest APIs found
PASS eu-west-1 No API Gateway rest APIs found
PASS eu-north-1 No API Gateway rest APIs found
PASS ap-northeast-1 No API Gateway rest APIs found
PASS ap-southeast-1 No API Gateway rest APIs found
PASS ap-south-1 No API Gateway rest APIs found
PASS sa-east-1 No API Gateway rest APIs found
API Gateway API Stage-Level Cache Encryption

17 0 0 0
Ensure that your Amazon API Gateway REST APIs are configured to encrypt API cached
Test Description
responses.
It is strongly recommended to enforce encryption for API cached responses in order to protect
Additional Info
your data from unauthorized access.
Recommended Action Modify API Gateway API stages to enable encryption on cache data
https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-
Cloud Provider Link
encryption.html
PASS ca-central-1 No API Gateway rest APIs found
PASS eu-central-1 No API Gateway rest APIs found
PASS eu-north-1 No API Gateway rest APIs found
PASS ap-south-1 No API Gateway rest APIs found
PASS sa-east-1 No API Gateway rest APIs found
App Mesh App Mesh Restrict External Traffic

16 0 0 0
Ensure that Amazon App Mesh virtual nodes have egress only access to other defined
Test Description
resources available within the service mesh.
Amazon App Mesh gives you controls to choose whether or not to allow App Mesh services to
Additional Info communicate with outside world. If you choose to deny external traffic, the proxies will not
forward traffic to external services not defined in the mesh. The traffic to the external services
should be denied to adhere to cloud security best practices and minimize the security risks.
Recommended Action Deny all traffic to the external services
Cloud Provider Link https://docs.aws.amazon.com/app-mesh/latest/userguide/security.html
App Mesh App Mesh TLS Required

16 0 0 0
Test Description Ensure that AWS App Mesh virtual gateway listeners only accepts TLS enabled connections.
In App Mesh, Transport Layer Security (TLS) encrypts communication between the envoy
Additional Info proxies deployed on compute resources that are represented in App Mesh by mesh endpoints,
such as Virtual nodes and Virtual gateways.
Recommended Action Restrict AWS App Mesh virtual gateway listeners to accept only TLS enabled connections.
Cloud Provider Link https://docs.aws.amazon.com/app-mesh/latest/APIReference/API_ListenerTls.html
AutoScaling Auto Scaling Group Cooldown Period

17 0 0 0
Test Description Ensure that your AWS Auto Scaling Groups are configured to use a cool down period.
Additional Info A scaling cool down helps you prevent your Auto Scaling group from launching or terminating
additional instances before the effects of previous activities are visible.
Implement proper cool down period for Auto Scaling groups to temporarily suspend any
Recommended Action
scaling actions.
Cloud Provider Link https://docs.aws.amazon.com/autoscaling/ec2/userguide/Cooldown.html
PASS ca-central-1 No Auto Scaling groups found
PASS eu-central-1 No Auto Scaling groups found
PASS eu-north-1 No Auto Scaling groups found
PASS ap-south-1 No Auto Scaling groups found
PASS sa-east-1 No Auto Scaling groups found
AutoScaling Auto Scaling Unused Launch Configuration

17 0 0 0
Ensure that any unused Auto Scaling Launch Configuration templates are identified and
Test Description
removed from your account in order to adhere to AWS best practices.
A launch configuration is an instance configuration template that an Auto Scaling group uses to
launch EC2 instances. When you create a launch configuration, you specify information for the
Additional Info
instances. Every unused Launch Configuration template should be removed for a better
management of your AWS Auto Scaling components.
Identify and remove any Auto Scaling Launch Configuration templates that are not associated
Recommended Action
anymore with ASGs available in the selected AWS region.
Cloud Provider Link https://docs.aws.amazon.com/autoscaling/ec2/userguide/LaunchConfiguration.html
PASS ca-central-1 No Auto Scaling launch configurations found
PASS eu-central-1 No Auto Scaling launch configurations found
PASS eu-north-1 No Auto Scaling launch configurations found
PASS ap-south-1 No Auto Scaling launch configurations found
PASS
sa-east-1 No Auto Scaling launch configurations found
CloudFront CloudFront Distribution Field-Level Encryption
1 0 0 0
Test Description Ensure that field-level encryption is enabled for your Amazon CloudFront web distributions.
With Amazon CloudFront, you can enforce secure end-to-end connections to origin servers by
using HTTPS. Field-level encryption adds an additional layer of security that lets you protect
Additional Info specific data throughout system processing so that only certain applications can see it.Field-
level encryption allows you to enable users to securely upload sensitive information to web
servers.
Recommended Action Enable field-level encryption for CloudFront distributions.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-
Cloud Provider Link
encryption.html
CloudFront CloudFront Enabled

0 0 1 0
Test Description Ensure that AWS CloudFront service is used within your AWS account.
Amazon CloudFront is a web service that speeds up distribution of your static and dynamic
Additional Info web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your
content through a worldwide network of data centers called edge locations.
Recommended Action Create CloudFront distributions as per requirement.
Cloud Provider Link https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
FAIL global CloudFront service is not in use
CloudFormation CloudFormation Admin Priviliges

17 0 0 0
Test Description Ensures no AWS CloudFormation stacks available in your AWS account has admin privileges.
A service role is an AWS Identity and Access Management (IAM) role that allows AWS
Additional Info CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM
role that allows AWS CloudFormation to create, update, or delete your stack resources
Modify IAM role attached with AWS CloudFormation stack to provide the minimal amount of
Recommended Action
access required to perform its tasks
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-
Cloud Provider Link
servicerole.html
PASS ca-central-1 No CloudFormation stacks found
PASS eu-central-1 No CloudFormation stacks found
PASS eu-north-1 No CloudFormation stacks found
PASS ap-south-1 No CloudFormation stacks found
PASS sa-east-1 No CloudFormation stacks found
CloudFormation AWS CloudFormation In Use

0 0 17 0
Ensure that Amazon CloudFormation service is in use within your AWS account to automate
Test Description
your infrastructure management and deployment.
AWS CloudFormation is a service that helps you model and set up your AWS resources so
that you can spend less time managing those resources and more time focusing on your
Additional Info applications that run in AWS. A stack is a collection of AWS resources that you can manage as
a single unit. In other words, you can create, update, or delete a collection of resources by
creating, updating, or deleting stacks.
Recommended Action Check if CloudFormation is in use or not by observing the stacks
Cloud Provider Link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html
FAIL us-east-1 CloudFormation service is not being used
FAIL us-east-2 CloudFormation service is not being used
FAIL us-west-1 CloudFormation service is not being used
FAIL us-west-2 CloudFormation service is not being used
FAIL ca-central-1 CloudFormation service is not being used
FAIL eu-central-1 CloudFormation service is not being used
FAIL eu-west-1 CloudFormation service is not being used
FAIL eu-north-1 CloudFormation service is not being used
FAIL ap-northeast-1 CloudFormation service is not being used
FAIL ap-southeast-1 CloudFormation service is not being used
FAIL ap-southeast-2 CloudFormation service is not being used
FAIL ap-south-1 CloudFormation service is not being used
FAIL
sa-east-1 CloudFormation service is not being used
CloudTrail CloudTrail Notifications Enabled
16 0 1 0
Ensure that Amazon CloudTrail trails are using active Simple Notification Service (SNS) topics
Test Description
to deliver notifications.
CloudTrail trails should reference active SNS topics to notify for log files delivery to S3 buckets.
Additional Info
Otherwise, you will lose the ability to take immediate actions based on log information.
Make sure that CloudTrail trails are using active SNS topics and that SNS topics have not
Recommended Action
been deleted after trail creation.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-
Cloud Provider Link
cloudtrail.html
arn:aws:cloudtrail:us-east- CloudTrail trail has no SNS topic

FAIL us-east-1
1:922503285322:trail/Siscor attached
PASS us-east-2 No CloudTrail trails found
PASS us-west-1 No CloudTrail trails found
PASS us-west-2 No CloudTrail trails found
PASS ca-central-1 No CloudTrail trails found
PASS eu-central-1 No CloudTrail trails found
PASS eu-west-1 No CloudTrail trails found
PASS eu-north-1 No CloudTrail trails found
ap-northeast-
PASS No CloudTrail trails found
1
ap-northeast-
2
ap-southeast-
1
ap-southeast-
2
ap-northeast-
3
PASS ap-south-1 No CloudTrail trails found
sa-east-1 No CloudTrail trails found

PASS
ConfigService AWS Config Complaint Rules

17 0 0 0
Ensures that all the evaluation results returned from the Amazon Config rules created within
Test Description
your AWS account are compliant.
AWS Config provides AWS managed rules, which are predefined customizable rules that AWS
Additional Info
Config uses to evaluate whether your AWS resources comply with common best practices.
Recommended Action Enable the AWS Config Service rules for compliance checks and close security gaps.
Cloud Provider Link https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html
PASS us-east-1 No Config Rules found
PASS us-east-2 No Config Rules found
PASS us-west-1 No Config Rules found
PASS us-west-2 No Config Rules found
PASS ca-central-1 No Config Rules found
PASS eu-central-1 No Config Rules found
PASS eu-west-1 No Config Rules found
PASS eu-north-1 No Config Rules found
PASS ap-northeast-1 No Config Rules found
PASS ap-southeast-1 No Config Rules found
PASS ap-southeast-2 No Config Rules found

PASS ap-south-1 No Config Rules found
PASS sa-east-1 No Config Rules found
ConfigService Config Delivery Failing

17 0 0 0
Ensure that the AWS Config log files are delivered to the S3 bucket in order to store logging
Test Description
data for auditing purposes without any failures.
Amazon Config keep record of the changes within the configuration of your AWS resources
Additional Info
and it regularly stores this data to log files that are send to an S3 bucket specified by you.
Recommended Action Configure AWS Config log files to be delivered without any failures to designated S3 bucket.
Cloud Provider Link https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html
PASS us-east-1 No Config Service configuration recorder statuses found
PASS us-east-2 No Config Service configuration recorder statuses found
PASS us-west-1 No Config Service configuration recorder statuses found
PASS us-west-2 No Config Service configuration recorder statuses found
PASS ca-central-1 No Config Service configuration recorder statuses found
PASS eu-central-1 No Config Service configuration recorder statuses found
PASS eu-west-1 No Config Service configuration recorder statuses found
PASS eu-north-1 No Config Service configuration recorder statuses found
PASS ap-northeast-1 No Config Service configuration recorder statuses found
PASS
ap-northeast-2 No Config Service configuration recorder statuses found
PASS ap-southeast-1 No Config Service configuration recorder statuses found

PASS ap-southeast-2 No Config Service configuration recorder statuses found
PASS ap-northeast-3 No Config Service configuration recorder statuses found
PASS ap-south-1 No Config Service configuration recorder statuses found
PASS sa-east-1 No Config Service configuration recorder statuses found
ConfigService Config Service Missing Bucket

17 0 0 0
Ensure that Amazon Config service is pointing an S3 bucket that is active in your account in
Test Description
order to save configuration information
Amazon Config tracks changes within the configuration of your AWS resources and it regularly
sends updated configuration details to an S3 bucket that you specify. When AWS Config is not
Additional Info referencing an active S3 bucket, the service is unable to send the recorded information to the
designated bucket, therefore you lose the ability to audit later the configuration changes made
within your AWS account.
Ensure that Amazon Config service is referencing an active S3 bucket in order to save
Recommended Action
configuration information.
Cloud Provider Link https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
PASS us-east-1 No Config delivery channels found
PASS us-east-2 No Config delivery channels found
PASS us-west-1 No Config delivery channels found
PASS us-west-2 No Config delivery channels found
PASS ca-central-1 No Config delivery channels found
PASS eu-central-1 No Config delivery channels found
PASS eu-west-1 No Config delivery channels found
PASS eu-north-1 No Config delivery channels found

PASS ap-northeast-1 No Config delivery channels found
PASS ap-southeast-1 No Config delivery channels found
PASS ap-southeast-2 No Config delivery channels found
PASS ap-south-1 No Config delivery channels found
PASS sa-east-1 No Config delivery channels found
DynamoDB DynamoDB Table Backup Exists

17 0 0 0
Test Description Ensures that Amazon DynamoDB tables are using on-demand backups.
With AWS Backup, you can configure backup policies and monitor activity for your AWS
resources and on-premises workloads in one place. Using DynamoDB with AWS Backup, you
Additional Info can copy your on-demand backups across AWS accounts and regions, add cost allocation
tags to on-demand backups, and transition on-demand backups to cold storage for lower
costs.
Recommended Action Create on-demand backups for DynamoDB tables.
Cloud Provider Link https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/BackupRestore.html

ElastiCache ElastiCache Default Ports

17 0 0 0
Ensure AWS ElastiCache clusters are not using the default ports set for Redis and
Test Description
Memcached cache engines.
ElastiCache clusters should be configured not to use the default assigned port value for Redis
Additional Info
(6379) and Memcached (11211).
Recommended Action Configure ElastiCache clusters to use the non-default ports.
Cloud Provider Link https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/accessing-elasticache.html

EventBridge Event Bus Public Access

17 0 0 0
Test Description Ensure that EventBridge event bus is configured to prevent exposure to public access.
The default event bus in your Amazon account only allows events from one account. You can
Additional Info
grant additional permissions to an event bus by attaching a resource-based policy to it.
Configure EventBridge event bus policies that allow access to whitelisted/trusted account
Recommended Action
principals but not public access.
Cloud Provider Link https://docs.amazonaws.cn/en_us/eventbridge/latest/userguide/eb-event-bus-perms.html

policy

policy

policy

policy
arn:aws:events:ca-central-1:922503285322:event- Event bus does not use custom

PASS ca-central-1
bus/default policy
arn:aws:events:eu-central-1:922503285322:event- Event bus does not use custom

PASS eu-central-1 bus/default policy

PASS eu-west-1
bus/default policy

PASS eu-west-2
bus/default policy

PASS eu-west-3
bus/default policy
arn:aws:events:eu-north-1:922503285322:event- Event bus does not use custom

PASS eu-north-1
bus/default policy

PASS

PASS

PASS

PASS

PASS
arn:aws:events:ap-south-1:922503285322:event- Event bus does not use custom

PASS ap-south-1
bus/default policy

PASS sa-east-1 arn:aws:events:sa-east-1:922503285322:event-bus/default
policy
EventBridge EventBridge Event Rules In Use

0 0 1 0
Ensure that Amazon EventBridge Events service is in use in order to enable you to react
Test Description
selectively and efficiently to system events.
Amazon EventBridge Events delivers a near real-time stream of system events that describe
Additional Info changes in Amazon Web Services (AWS) resources. Using simple rules that you can quickly
set up, you can match events and route them to one or more target functions or streams.
Create EventBridge event rules to meet regulatory and compliance requirement within your
Recommended Action
organization.
Cloud Provider Link https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html
FAIL us-east-1 EventBridge event rules are not in use

EC2 SSM Session Duration
17 0 0 0
Ensure that all active sessions in the AWS Session Manager do not exceed the duration set in
Test Description
the settings.
The session manager gives users the ability to either open a shell in a EC2 instance or
Additional Info execute commands in a ECS task. This can be useful for when debugging issues in a
container or instance.
Recommended Action Terminate all the sessions which exceed the specified duration mentioned in settings.
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-max-
Cloud Provider Link
timeout.html
PASS us-east-1 No Active SSM sessions found: Unable to obtain data
PASS us-east-2 No Active SSM sessions found: Unable to obtain data
PASS us-west-1 No Active SSM sessions found: Unable to obtain data
PASS us-west-2 No Active SSM sessions found: Unable to obtain data
PASS ca-central-1 No Active SSM sessions found: Unable to obtain data
PASS eu-central-1 No Active SSM sessions found: Unable to obtain data
PASS eu-west-1 No Active SSM sessions found: Unable to obtain data
PASS eu-north-1 No Active SSM sessions found: Unable to obtain data
PASS ap-northeast-1 No Active SSM sessions found: Unable to obtain data
PASS ap-southeast-1 No Active SSM sessions found: Unable to obtain data
PASS ap-southeast-2 No Active SSM sessions found: Unable to obtain data
PASS ap-south-1 No Active SSM sessions found: Unable to obtain data
PASS sa-east-1 No Active SSM sessions found: Unable to obtain data

CloudWatch VPC Flow Logs Metric Alarm
0 0 17 0
Ensure that an AWS CloudWatch alarm exists and configured for metric filter attached with
Test Description
VPC flow logs CloudWatch group.
A metric alarm watches a single CloudWatch metric or the result of a math expression based
on CloudWatch metrics. The alarm performs one or more actions based on the value of the
Additional Info
metric or expression relative to a threshold over a number of time periods. The action can be
sending a notification to an Amazon SNS topic.
Create a CloudWatch group, attached metric filter to log VPC flow logs changes and create an
Recommended Action
CloudWatch alarm for the metric filter.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.ht
Cloud Provider Link
ml
FAIL us-east-1 No CloudWatch logs metric filters found
FAIL us-east-2 No CloudWatch logs metric filters found
FAIL us-west-1 No CloudWatch logs metric filters found
FAIL us-west-2 No CloudWatch logs metric filters found
FAIL ca-central-1 No CloudWatch logs metric filters found
FAIL eu-central-1 No CloudWatch logs metric filters found
FAIL eu-west-1 No CloudWatch logs metric filters found
FAIL eu-north-1 No CloudWatch logs metric filters found
FAIL ap-northeast-1 No CloudWatch logs metric filters found
FAIL ap-southeast-1 No CloudWatch logs metric filters found
FAIL ap-southeast-2 No CloudWatch logs metric filters found
FAIL ap-south-1 No CloudWatch logs metric filters found

FAIL sa-east-1 No CloudWatch logs metric filters found
MSK MSK Cluster Encryption In-Transit

0 0 0 16
Ensure that TLS encryption within the cluster feature is enabled for your Amazon MSK
Test Description
clusters.
Amazon MSK in-transit encryption is an optional feature which encrypts data in transit within
Additional Info
your MSK cluster. You can override this default at the time you create the cluster.
Recommended Action Enable TLS encryption within the cluster for all MSK clusters
Cloud Provider Link https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html
R
e
s
ur
c
e
Unable to query for MSK clusters: User: arn:aws:sts::922503285322:assumed-





ca-central-
1

eu-central-
1




ap- Unable to query for MSK clusters: User: arn:aws:sts::922503285322:assumed-






Backup Backup In Use For RDS Snapshots

17 0 0 0
Ensure that Amazon Backup is integrated with Amazon Relational Database Service in order
Test Description
to manage RDS database instance snapshots
Amazon RDS creates and saves automated backups of your DB instance during the backup
Additional Info window of your DB instance. With Amazon Backup, you can centrally configure backup
policies and rules, and monitor backup activity for AWS RDS database instances.
Recommended Action Enable RDS database instance snapshots to improve the reliability of your backup strategy.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedB
Cloud Provider Link
ackups.html
PASS us-east-1 No RDS snapshots found
PASS us-west-1 No RDS snapshots found

PASS ca-central-1 No RDS snapshots found
PASS eu-central-1 No RDS snapshots found
PASS eu-west-1 No RDS snapshots found
PASS eu-north-1 No RDS snapshots found
PASS ap-northeast-1 No RDS snapshots found
PASS ap-southeast-1 No RDS snapshots found
PASS ap-south-1 No RDS snapshots found
PASS sa-east-1 No RDS snapshots found
Backup Backup Failure Notification Enabled

0 0 0 17
Ensure that Amazon Backup vaults send notifications via Amazon SNS for each failed backup
Test Description
job event.
AWS Backup can take advantage of the robust notifications delivered by Amazon Simple
Additional Info Notification Service (Amazon SNS). You can configure Amazon SNS to notify you of AWS
Backup events from the Amazon SNS console.
Recommended Action Configure Backup vaults to sent notifications alert for failed backup job events.
Cloud Provider Link https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html
R
e
s
ur
c
e
Unable to query for Backup vault list: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults
because no identity-based policy allows the backup:ListBackupVaults action


UNKN us-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults


ca-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults
1

eu-central-
1

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults



UNKN eu-north-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults
ap- Unable to query for Backup vault list: User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults
1 because no identity-based policy allows the backup:ListBackupVaults action


UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults



UNKN ap-south-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults

UNKN sa-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults
Backup Backup Deletion Protection Enabled

0 0 0 17
Ensure that an Amazon Backup vault access policy is configured to prevent the deletion of
Test Description
AWS backups in the backup vault.
With AWS Backup, you can assign policies to backup vaults and the resources they contain.
Additional Info Assigning policies allows you to do things like grant access to users to create backup plans
and on-demand backups, but limit their ability to delete recovery points after they are created.
Add a statement in Backup vault access policy which denies global access to action:
Recommended Action
backup:DeleteRecoveryPoint
Cloud Provider Link https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html
R
e
s
ur
c
e





ca-central-
1

eu-central-
1




UNKN eu-north-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults






UNKN ap-south-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults

UNKN sa-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupVaults
Backup AWS Backup Compliant Lifecycle Configured

0 0 0 17
Ensure that a compliant lifecycle configuration is enabled for your Amazon Backup plans in
Test Description
order to meet compliance requirements when it comes to security and cost optimization.
The AWS Backup lifecycle configuration contains an array of transition objects specifying how
Additional Info
long in days before a recovery point transitions to cold storage or is deleted.
Recommended Action Enable compliant lifecycle configuration for your Amazon Backup plans
Cloud Provider Link https://docs.aws.amazon.com/aws-backup/latest/devguide/API_Lifecycle.html
R
e
s
ur
c
e
Unable to list Backup plans: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans
because no identity-based policy allows the backup:ListBackupPlans action

UNKN us-east-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans

UNKN us-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans

UNKN us-west-2 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans

ca-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans
1

eu-central-
UNKN role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans
1

UNKN eu-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans



UNKN eu-north-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans
ap- Unable to list Backup plans: User: arn:aws:sts::922503285322:assumed-

UNKN northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans
1 because no identity-based policy allows the backup:ListBackupPlans action


UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans

UNKN southeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans


UNKN ap-south-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans

UNKN sa-east-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: backup:ListBackupPlans
Compute Optimizer EC2 Instances Optimized

0 0 0 1
Ensure that Compute Optimizer does not have active recommendation summaries for over-
Test Description
provisioned or under-provisioned EC2 instances.
An EC2 instance is considered optimized when all specifications of an instance, such as CPU,
memory, and network, meet the performance requirements of your workload, and the instance
Additional Info
is not over-provisioned. For optimized instances, Compute Optimizer might sometimes
recommend a new generation instance type.
Recommended Action Resolve Compute Optimizer recommendations for EC2 instances.
Cloud Provider Link https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ec2-recommendations.html
R
e
s
o
u
r
c
e
Unable to get recommendation summaries: User: arn:aws:sts::922503285322:assumed-

role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: compute-
UNKN us-east-1
optimizer:GetRecommendationSummaries on resource: * because no identity-based policy
allows the compute-optimizer:GetRecommendationSummaries action
Compute Optimizer Lambda Function Optimized

0 0 0 1
Ensure that Compute Optimizer does not have active recommendation summaries for
Test Description
unoptimized Lambda Functions.
AWS Compute Optimizer generates memory size recommendations for AWS Lambda
functions. A Lambda function is considered optimized when Compute Optimizer determines
Additional Info
that its configured memory or CPU power (which is proportional to the configured memory) is
correctly provisioned to run your workload.
Recommended Action Resolve Compute Optimizer recommendations for Lambda functions.
https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-lambda-
Cloud Provider Link
recommendations.html
R
e
s
o
u
r
c
e

UNKN us-east-1
Compute Optimizer Compute Optimizer Recommendations Enabled

0 0 0 1
Test Description Ensure that Compute Optimizer is enabled for your AWS account.
AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of
your AWS resources. It reports whether your resources are optimal, and generates
Additional Info
optimization recommendations to reduce the cost and improve the performance of your
workloads.
Recommended Action Enable Compute Optimizer Opt In options for current of all AWS account in your organization.
Cloud Provider Link https://docs.aws.amazon.com/compute-optimizer/latest/ug/what-is-compute-optimizer.html
R
e
s
o
u
r
c
e
Unable to get Compute Optimizer recommendation summaries: User:

UNKN us-east-1 authorized to perform: compute-optimizer:GetRecommendationSummaries on resource: *
because no identity-based policy allows the compute-
optimizer:GetRecommendationSummaries action
Compute Optimizer EBS Volumes Optimized

0 0 0 1
Test Description
unoptimized EBS Volumes.
An EBS volume is considered optimized when Compute Optimizer determines that the volume
is correctly provisioned to run your workload, based on the chosen volume type, volume size,
Additional Info
and IOPS specification. For optimized resources, Compute Optimizer might sometimes
recommend a new generation volume type.
Recommended Action Resolve Compute Optimizer recommendations for EBS volumes.
Cloud Provider Link https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ebs-recommendations.html
R
e
s
o
u
r
c
e

UNKN us-east-1
Compute Optimizer Auto Scaling Group Optimized

0 0 0 1
Test Description
unoptimized Auto Scaling groups.
An Auto Scaling group is considered optimized when Compute Optimizer determines that the
group is correctly provisioned to run your workload, based on the chosen instance type. For
Additional Info
optimized Auto Scaling groups, Compute Optimizer might sometimes recommend a new
generation instance type.
Recommended Action Resolve Compute Optimizer recommendations for Auto Scaling groups.
Cloud Provider Link https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-asg-recommendations.html
R
e
s
o
u
r
c
e

UNKN us-east-1
MSK MSK Cluster Client Broker Encryption
0 0 0 16
Ensure that only TLS encryption between the client and broker feature is enabled for your
Test Description
Amazon MSK clusters.
Amazon MSK in-transit encryption is an optional feature which encrypts data in transit between
Additional Info the client and brokers. Select the Transport Layer Security (TLS) protocol to encrypt data as it
travels between brokers and clients within the cluster.
Recommended Action Enable only TLS encryption between the client and broker for all MSK clusters
Cloud Provider Link https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html
R
e
s
ur
c
e





ca-central-
1

eu-central-
1




UNKN ap- Unable to query for MSK clusters: User: arn:aws:sts::922503285322:assumed-
northeast- role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kafka:ListClusters on





MSK MSK Cluster Public Access

0 0 0 16
Test Description Ensure that public access feature within the cluster is disabled for your Amazon MSK clusters.
Amazon MSK gives you the option to turn on public access to the brokers of MSK clusters
running Apache Kafka 2.6.0 or later versions. For security reasons, you cannot turn on public
Additional Info
access while creating an MSK cluster. However, you can update an existing cluster to make it
publicly accessible.
Recommended Action Check for public access feature within the cluster for all MSK clusters
Cloud Provider Link https://docs.aws.amazon.com/msk/latest/developerguide/public-access.html
R
e
s
ur
c
e



us-west-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kafka:ListClusters on
UNKN resource: arn:aws:kafka:us-west-1:922503285322:/v1/clusters


ca-central-
1

eu-central-
1










MSK MSK Cluster Unauthenticated Access

0 0 0 16
Test Description Ensure that unauthenticated access feature is disabled for your Amazon MSK clusters.
Amazon MSK authenticates clients to allow or deny Apache Kafka actions. Alternatively, TLS
Additional Info or SASL/SCRAM can be used to authenticate clients, and Apache Kafka ACLs to allow or
deny actions.
Recommended Action Ensure that MSK clusters does not have unauthenticated access enabled.
Cloud Provider Link https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html
R
e
s
ur
c
e





ca-central-
1

eu-central-
1









Image Builder Infrastructure Configuration Notification Enabled

0 0 0 17
Test Description Ensure that Image Builder infrastructure configurations have SNS notifications enabled.
Infrastructure configurations allow you to specify the infrastructure within which to build and
Additional Info
test your EC2 Image Builder image.
Enable SNS notification in EC2 Image Builder infrastructure configurations to get notified of
Recommended Action
any changes in the service.
Cloud Provider Link https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-infra-config.html
R
e
s
o
u
r
c
e
Unable to query for infrastructure configuration summary List: User:

UNKN us-east-1
authorized to perform: imagebuilder:ListInfrastructureConfigurations on resource:
arn:aws:imagebuilder:us-east-1:922503285322:infrastructure-configuration/*

UNKN us-east-2
arn:aws:imagebuilder:us-east-2:922503285322:infrastructure-configuration/*

UNKN us-west-1 authorized to perform: imagebuilder:ListInfrastructureConfigurations on resource:
arn:aws:imagebuilder:us-west-1:922503285322:infrastructure-configuration/*

UNKN us-west-2
arn:aws:imagebuilder:us-west-2:922503285322:infrastructure-configuration/*

ca-central- arn:aws:sts::922503285322:assumed-role/Cloud3_AuditRole/cloudsploit_scan is not
UNKN
1 authorized to perform: imagebuilder:ListInfrastructureConfigurations on resource:
arn:aws:imagebuilder:ca-central-1:922503285322:infrastructure-configuration/*

eu-central- arn:aws:sts::922503285322:assumed-role/Cloud3_AuditRole/cloudsploit_scan is not
UNKN
1 authorized to perform: imagebuilder:ListInfrastructureConfigurations on resource:
arn:aws:imagebuilder:eu-central-1:922503285322:infrastructure-configuration/*

UNKN eu-west-1
arn:aws:imagebuilder:eu-west-1:922503285322:infrastructure-configuration/*

UNKN eu-west-2

UNKN eu-west-3

UNKN eu-north-1 arn:aws:sts::922503285322:assumed-role/Cloud3_AuditRole/cloudsploit_scan is not
arn:aws:imagebuilder:eu-north-1:922503285322:infrastructure-configuration/*

ap-
UNKN northeast-
1
arn:aws:imagebuilder:ap-northeast-1:922503285322:infrastructure-configuration/*

ap-
UNKN northeast-
2

ap-
UNKN southeast-
1
arn:aws:imagebuilder:ap-southeast-1:922503285322:infrastructure-configuration/*

ap-
UNKN southeast-
2
arn:aws:imagebuilder:ap-southeast-2:922503285322:infrastructure-configuration/*

ap-
UNKN northeast-
3

UNKN ap-south-1
arn:aws:imagebuilder:ap-south-1:922503285322:infrastructure-configuration/*

UNKN sa-east-1 authorized to perform: imagebuilder:ListInfrastructureConfigurations on resource:
arn:aws:imagebuilder:sa-east-1:922503285322:infrastructure-configuration/*
Image Builder Dockerfile Template Encrypted
0 0 0 17
Test Description Ensure that Image Recipe dockerfile templates are encrypted.
Image Builder now offers a managed service for building Docker images. With Image Builder,
you can automatically produce new up-to-date container images and publish them to specified
Additional Info
Amazon Elastic Container Registry (Amazon ECR) repositories after running stipulated tests.
Custom components are encrypted with your KMS key or a KMS key owned by Image Builder.
Ensure that container recipe docker file templates are encrypted using AWS keys or customer
Recommended Action
managed keys in Imagebuilder service
Cloud Provider Link https://docs.aws.amazon.com/imagebuilder/latest/userguide/data-protection.html
R
e
s
o
u
r
c
e
Unable to query container recipe: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:us-east-
1:922503285322:container-recipe/*

UNKN us-east-2
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:us-east-

UNKN us-west-1
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:us-west-

UNKN us-west-2
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:us-west-

UNKN imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:ca-central-
1

UNKN
1 imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:eu-central-

UNKN eu-west-1 imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:eu-west-

UNKN eu-west-2
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:eu-west-

UNKN eu-west-3
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:eu-west-

UNKN eu-north-1
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:eu-north-

ap-
UNKN northeast-
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:ap-northeast-
1

ap-
UNKN northeast-
2

ap-
southeast-
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:ap-southeast-
1

ap-
UNKN southeast-
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:ap-southeast-
2

ap-
UNKN northeast-
3

UNKN ap-south-1
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:ap-south-

UNKN sa-east-1
imagebuilder:ListContainerRecipes on resource: arn:aws:imagebuilder:sa-east-
Image Builder Image Recipe Storage Volumes Encrypted

0 0 0 17
Test Description Ensure that Image Recipe storage ebs volumes are encrypted.
EC2 Image Builder is a fully managed AWS service that makes it easier to automate the
creation, management, and deployment of customized, secure, and up-to-date server images
Additional Info
that are pre-installed and pre-configured with software and settings to meet specific IT
standards.
Ensure that storage volumes for ebs are encrypted using AWS keys or customer managed
Recommended Action
keys in Image recipe
R
e
s
o
u
r
c
e
Unable to query for image recipe summary list: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:us-east-
1:922503285322:image-recipe/*

UNKN us-east-2
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:us-east-
2:922503285322:image-recipe/*

UNKN us-west-1
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:us-west-
1:922503285322:image-recipe/*

UNKN us-west-2
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:us-west-
2:922503285322:image-recipe/*

UNKN
1 imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:ca-central-
1:922503285322:image-recipe/*

UNKN
1 imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:eu-central-
1:922503285322:image-recipe/*

UNKN eu-west-1
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:eu-west-
1:922503285322:image-recipe/*

UNKN eu-west-2
2:922503285322:image-recipe/*

UNKN eu-west-3
3:922503285322:image-recipe/*

UNKN eu-north-1 role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform:
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:eu-north-
1:922503285322:image-recipe/*

ap-
UNKN northeast-
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:ap-northeast-
1
1:922503285322:image-recipe/*

ap-
UNKN northeast-
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:ap-northeast-
2
2:922503285322:image-recipe/*

ap-
UNKN southeast-
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:ap-southeast-
1
1:922503285322:image-recipe/*

ap-
UNKN southeast-
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:ap-southeast-
2
2:922503285322:image-recipe/*

UNKN northeast- imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:ap-northeast-
3 3:922503285322:image-recipe/*

UNKN ap-south-1
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:ap-south-
1:922503285322:image-recipe/*

UNKN sa-east-1
imagebuilder:ListImageRecipes on resource: arn:aws:imagebuilder:sa-east-
1:922503285322:image-recipe/*
Image Builder Image Builder Components Encrypted

0 0 0 17
Test Description Ensure that Image Builder components are encrypted.
Build components contain software, settings, and configurations that are installed or applied
during the process of building custom images. Tests are run after a custom image is built to
Additional Info
validate functionality, security, performance, etc. Custom components are encrypted with your
KMS key or a KMS key owned by Image Builder.
Ensure that components are encrypted using AWS keys or customer managed keys in Image
Recommended Action
Builder service
R
e
s
u
r
c
e
Unable to query component version list: User: arn:aws:sts::922503285322:assumed-

UNKN us-east-1
imagebuilder:ListComponents on resource: arn:aws:imagebuilder:us-east-
1:922503285322:component/*

UNKN us-east-2
imagebuilder:ListComponents on resource: arn:aws:imagebuilder:us-east-
2:922503285322:component/*

UNKN us-west-1
imagebuilder:ListComponents on resource: arn:aws:imagebuilder:us-west-
1:922503285322:component/*

UNKN us-west-2
imagebuilder:ListComponents on resource: arn:aws:imagebuilder:us-west-
2:922503285322:component/*

UNKN
1 imagebuilder:ListComponents on resource: arn:aws:imagebuilder:ca-central-
1:922503285322:component/*

UNKN
1 imagebuilder:ListComponents on resource: arn:aws:imagebuilder:eu-central-
1:922503285322:component/*

UNKN eu-west-1
imagebuilder:ListComponents on resource: arn:aws:imagebuilder:eu-west-
1:922503285322:component/*

eu-west-2
2:922503285322:component/*

UNKN eu-west-3
3:922503285322:component/*

UNKN eu-north-1
imagebuilder:ListComponents on resource: arn:aws:imagebuilder:eu-north-
1:922503285322:component/*

ap-
UNKN northeast-
imagebuilder:ListComponents on resource: arn:aws:imagebuilder:ap-northeast-
1
1:922503285322:component/*

ap-
UNKN northeast-
2
2:922503285322:component/*
ap-
UNKN southeast-
imagebuilder:ListComponents on resource: arn:aws:imagebuilder:ap-southeast-
1
1:922503285322:component/*

ap-
UNKN southeast-
imagebuilder:ListComponents on resource: arn:aws:imagebuilder:ap-southeast-
2
2:922503285322:component/*

ap-
UNKN northeast-
3
3:922503285322:component/*

UNKN ap-south-1
imagebuilder:ListComponents on resource: arn:aws:imagebuilder:ap-south-
1:922503285322:component/*

UNKN sa-east-1
imagebuilder:ListComponents on resource: arn:aws:imagebuilder:sa-east-
1:922503285322:component/*
EC2 Open MongoDB

22 0 0 0
Test Description Determine if TCP port 27017 or 27018 or 27019 for MongoDB is open to the public
Additional Info properly, more sensitive services such as MongoDB should be restricted to known IP
addresses.
Recommended Action Restrict TCP port 27017 or 27018 or 27019 to known IP addresses
Cloud Provider Link
instance.html

PASS us-east-1 1:922503285322:security-group/sg- does not have TCP:27017,27018,27019 open to 0.0.0.0/0
015527859f4cb1ab4 or ::0

PASS us-east-1 1:922503285322:security-group/sg- RemoteAccess) does not have TCP:27017,27018,27019
0b29b77965792ae5d open to 0.0.0.0/0 or ::0
arn:aws:ec2:us-east- Security group: sg-031d418a21dd84701 (SG-Linux) does

PASS us-east-1 1:922503285322:security-group/sg- not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 or ::0
TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
35cd9243
Security group: sg-0355558bdeb17eba4 (default) does not
have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
0355558bdeb17eba4
07b897bc45d1e6fe2
1 have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
1 have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
09b903e8dd37bee5f
08b897c32e384acbc
2:922503285322:security-group/sg- Security group: sg-0ae841762d2749f1a (default) does not
PASS eu-west-2 have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open Cassandra Client

22 0 0 0
Test Description Determine if TCP port 9042 for Cassandra Client is open to the public
Additional Info properly, more sensitive services such as Cassandra Client should be restricted to known IP
addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
1:922503285322:security-group/sg- Security group: sg-2a94e22e (default) does not have
PASS us-east-1
2a94e22e TCP:9042 open to 0.0.0.0/0 or ::0
TCP:9042 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
PASS 07b897bc45d1e6fe2 not have TCP:9042 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
PASS northeast- 1:922503285322:security-group/sg- Security group: sg-0a5f4c4f1b5983891 (default) does
1 0a5f4c4f1b5983891 not have TCP:9042 open to 0.0.0.0/0 or ::0
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:9042 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open Cassandra Internode

22 0 0 0
Test Description Determine if TCP port 7000 for Cassandra Internode is open to the public
Additional Info properly, more sensitive services such as Cassandra Internode should be restricted to known
IP addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:7000 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:7000 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
arn:aws:ec2:eu-west- Security group: sg-03bc08f1c58bcf815 (default) does
PASS eu-west-3 3:922503285322:security-group/sg- not have TCP:7000 open to 0.0.0.0/0 or ::0
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:7000 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open Cassandra Monitoring

22 0 0 0
Test Description Determine if TCP port 7199 for Cassandra Monitoring is open to the public
addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:7199 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:7199 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
arn:aws:ec2:sa-east- Security group: sg-ffd685b7 (default) does not have

PASS sa-east-1 1:922503285322:security-group/sg- TCP:7199 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open Cassandra Thrift

22 0 0 0
Test Description Determine if TCP port 9160 for Cassandra Thrift is open to the public
addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:9160 open to 0.0.0.0/0 or ::0
2a94e22e
PASS us-east-2 2:922503285322:security-group/sg- Security group: sg-35cd9243 (default) does not have
35cd9243 TCP:9160 open to 0.0.0.0/0 or ::0
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:9160 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open LDAP
22 0 0 0
Test Description Determine if TCP or UDP port 389 for LDAP is open to the public
Additional Info
properly, more sensitive services such as LDAP should be restricted to known IP addresses.
Recommended Action Restrict TCP or UDP port 389 to known IP addresses
Cloud Provider Link
instance.html

PASS us-east-1 1:922503285322:security-group/sg- 1) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or
015527859f4cb1ab4 ::0

PASS us-east-1 1:922503285322:security-group/sg- RemoteAccess) does not have TCP:389, UDP:389 open
0b29b77965792ae5d to 0.0.0.0/0 or ::0
031d418a21dd84701

PASS us-east-1 1:922503285322:security-group/sg- (Linux_Jumpbox) does not have TCP:389, UDP:389
0ea00fe2209686e28 open to 0.0.0.0/0 or ::0
does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
35cd9243
1:922503285322:security-group/sg- Security group: sg-0355558bdeb17eba4 (default) does
PASS us-west-1
0355558bdeb17eba4 not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
07b897bc45d1e6fe2
1 not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
1 not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
northeast- Security group: sg-07f8aee861c34413f (default) does not
07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open LDAPS

22 0 0 0
Test Description Determine if TCP port 636 for LDAP SSL is open to the public
LDAP SSL port 636 is used for Secure LDAP authentication. Allowing Inbound traffic from any
Additional Info IP address to TCP port 636 is vulnerable to DoS attacks. It is a best practice to block port 636
from the public internet.
Recommended Action Restrict TCP port 636 to known IP addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:636 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:636 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
eu-central- 1:922503285322:security-group/sg- Security group: sg-09b903e8dd37bee5f (default) does
PASS not have TCP:636 open to 0.0.0.0/0 or ::0
1 09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
PASS arn:aws:ec2:ap-south-
ap-south-1 1:922503285322:security-group/sg-
02cb7aa81a32263ad
TCP:636 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open SNMP

22 0 0 0
Test Description Determine if UDP port 161 for SNMP is open to the public
SNMP UDP 161 used by various devices and applications for logging events, monitoring and
Additional Info management. Allowing Inbound traffic from any external IP address on port 161 is vulnerable
to DoS attack. It is a best practice to block port 161 completely unless explicitly required.
Recommended Action Restrict UDP port 161 to known IP addresses.
Cloud Provider Link
instance.html

PASS us-east-1 1:922503285322:security-group/sg- wizard-1) does not have UDP:161 open to 0.0.0.0/0 or
015527859f4cb1ab4 ::0

PASS us-east-1 1:922503285322:security-group/sg- RemoteAccess) does not have UDP:161 open to
0b29b77965792ae5d 0.0.0.0/0 or ::0
does not have UDP:161 open to 0.0.0.0/0 or ::0
031d418a21dd84701

PASS us-east-1 1:922503285322:security-group/sg- (Linux_Jumpbox) does not have UDP:161 open to
0ea00fe2209686e28 0.0.0.0/0 or ::0
2) does not have UDP:161 open to 0.0.0.0/0 or ::0
0add6fd8f5e13005e
UDP:161 open to 0.0.0.0/0 or ::0
2a94e22e
UDP:161 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
UDP:161 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open Memcached

22 0 0 0
Test Description Determine if TCP or UDP port 11211 for Memcached is open to the public
Additional Info properly, more sensitive services such as Memcached should be restricted to known IP
addresses.
Recommended Action Restrict TCP and UDP port 11211 to known IP addresses
Cloud Provider Link
instance.html

PASS us-east-1 1:922503285322:security-group/sg- does not have UDP:11211, TCP:11211 open to 0.0.0.0/0
015527859f4cb1ab4 or ::0

PASS us-east-1 1:922503285322:security-group/sg- RemoteAccess) does not have UDP:11211, TCP:11211
0b29b77965792ae5d open to 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 or ::0

UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
2a94e22e
UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
07b897bc45d1e6fe2
1 have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
0221abf87bbe12971
1 have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
PASS northeast- 1:922503285322:security-group/sg- Security group: sg-0a5f4c4f1b5983891 (default) does not
1 0a5f4c4f1b5983891 have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open Internal Web

22 0 0 0
Test Description Determine if TCP port 8080 for internal web is open to the public
Internal web port 8080 is used for web applications and proxy services. Allowing Inbound
Additional Info traffic from any IP address to TCP port 8080 is vulnerable to exploits like backdoor trojan
attacks. It is a best practice to block port 8080 from the public internet.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701

0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:8080 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:8080 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d not have TCP:8080 open to 0.0.0.0/0 or ::0
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:8080 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Open Redis

22 0 0 0
Test Description Determine if TCP port 6379 for Redis is open to the public
Additional Info
properly, more sensitive services such as Redis should be restricted to known IP addresses.
Cloud Provider Link
instance.html

015527859f4cb1ab4 ::0

0b29b77965792ae5d 0.0.0.0/0 or ::0
031d418a21dd84701
0ea00fe2209686e28 0.0.0.0/0 or ::0
0add6fd8f5e13005e
TCP:6379 open to 0.0.0.0/0 or ::0
2a94e22e
TCP:6379 open to 0.0.0.0/0 or ::0
35cd9243
0355558bdeb17eba4
07b897bc45d1e6fe2
0221abf87bbe12971
09b903e8dd37bee5f
08b897c32e384acbc
0ae841762d2749f1a
03bc08f1c58bcf815
04656562bedc2ae6d
1 0a5f4c4f1b5983891
2 07f8aee861c34413f
1 0f40a8e2330e64b60
2 0de72c4ef2c1b7162
3 09c1a77d7fa721022
02cb7aa81a32263ad
TCP:6379 open to 0.0.0.0/0 or ::0
ffd685b7
EC2 Virtual Private Gateway In VPC

17 0 0 0
Test Description Ensure Virtual Private Gateways are associated with at least one VPC.
Virtual Private Gateways allow communication between cloud infrastructure and the remote
customer network. They help in establishing VPN connection between VPC and the customer
Additional Info
gateway. Make sure virtual private gateways are always associated with a VPC to meet
security and regulatory compliance requirements within your organization.
Recommended Action Check if virtual private gateways have vpc associated
Cloud Provider Link https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html
PASS ca-central-1 No Virtual Private Gateways found
PASS eu-central-1 No Virtual Private Gateways found
PASS eu-north-1 No Virtual Private Gateways found

PASS ap-south-1 No Virtual Private Gateways found
PASS sa-east-1 No Virtual Private Gateways found
EC2 Internet Gateways In VPC

17 0 0 0
Test Description Ensure Internet Gateways are associated with at least one available VPC.
Internet Gateways allow communication between instances in VPC and the internet. They
provide a target in VPC route tables for internet-routable traffic and also perform network
Additional Info address translation (NAT) for instances that have been assigned public IPv4 addresses. Make
sure they are always associated with a VPC to meet security and compliance requirements
within your organization.
Recommended Action Ensure Internet Gateways have VPC attached to them.
Cloud Provider Link https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
arn:aws:vpc:us-east-1:922503285322:internet-gateway/igw- Internet Gateway is associated

PASS us-east-1
8c9f67f6 with VPC
arn:aws:vpc:us-east-2:922503285322:internet-gateway/igw- Internet Gateway is associated

PASS us-east-2
4fe5de27 with VPC
arn:aws:vpc:us-west-1:922503285322:internet-gateway/igw- Internet Gateway is associated

PASS us-west-1
0fc6ef8616f1014e3 with VPC
arn:aws:vpc:us-west-2:922503285322:internet-gateway/igw- Internet Gateway is associated

PASS us-west-2
0c37bf32b8a48ac9a with VPC
ca-central- arn:aws:vpc:ca-central-1:922503285322:internet-gateway/igw- Internet Gateway is associated

PASS
1 0e91e29a37d5b6346 with VPC
PASS eu-central- arn:aws:vpc:eu-central-1:922503285322:internet-gateway/igw- Internet Gateway is associated

1 0c44b43ee4c00d2b9 with VPC
arn:aws:vpc:eu-west-1:922503285322:internet-gateway/igw- Internet Gateway is associated

PASS eu-west-1
0c4542f8014526bfc with VPC

PASS eu-west-2
0ff1485ce1a618faa with VPC

PASS eu-west-3
0af0e97fb6289c693 with VPC
arn:aws:vpc:eu-north-1:922503285322:internet-gateway/igw- Internet Gateway is associated
PASS eu-north-1
01d5d1cb4f946519a with VPC
ap-
arn:aws:vpc:ap-northeast-1:922503285322:internet-gateway/igw- Internet Gateway is associated
PASS northeast-
02feaf092bca87cfe with VPC
1
ap-
PASS northeast-
002d64d652f4ab249 with VPC
2
ap-
arn:aws:vpc:ap-southeast-1:922503285322:internet-gateway/igw- Internet Gateway is associated
PASS southeast-
06f89180a906d735b with VPC
1
ap-
arn:aws:vpc:ap-southeast-2:922503285322:internet-gateway/igw- Internet Gateway is associated
PASS southeast-
065419b60cd4f20bb with VPC
2
ap-
PASS northeast-
0b97885578518f3b8 with VPC
3
arn:aws:vpc:ap-south-1:922503285322:internet-gateway/igw- Internet Gateway is associated

PASS ap-south-1
0e2c601bdc8b0b194 with VPC
arn:aws:vpc:sa-east-1:922503285322:internet-gateway/igw- Internet Gateway is associated

PASS sa-east-1
134a4a77 with VPC
IAM Password Policy Allows To Change Password

0 0 1 0
Test Description Ensure IAM password policy allows users to change their passwords.
Additional Info Password policy should allow users to rotate their passwords as a security best practice.
Recommended Action Update the password policy for users to change their passwords
RDS RDS Snapshot Publicly Accessible

17 0 0 0
Test Description
Ensure that Amazon RDS database snapshots are not publicly exposed.
If an RDS snapshot is exposed to the public, any AWS account can copy the snapshot and
Additional Info create a new database instance from it. It is a best practice to ensure RDS snapshots are not
exposed to the public to avoid any accidental leak of sensitive information.
Ensure Amazon RDS database snapshot is not publicly accessible and available for any AWS
Recommended Action
account to copy or restore it.
Cloud Provider Link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html
PASS ca-central-1 No RDS snapshots found
PASS eu-central-1 No RDS snapshots found
PASS eu-north-1 No RDS snapshots found
PASS ap-south-1 No RDS snapshots found
PASS sa-east-1 No RDS snapshots found

Aqua Sec

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aqua Sec

Uploaded by

Copyright:

Available Formats

Cloud

Cloud Account 922503285322

Assessment Date 2022-09-22T01:48:28.000Z

Scan Summary 4690 7 398 590

Severity Counts 22 108 411 5144 0

HIGH CloudTrail CloudTrail Enabled 18 0 0 0

LOW EC2 Elastic IP Limit 17 0 0 0

LOW EC2 VPC Elastic IP Limit 17 0 0 0

LOW EC2 Instance Limit 17 0 0 0

MEDIUM EC2 Excessive Security Groups 17 0 0 0

MEDIUM EC2 Open FTP 22 0 0 0

HIGH EC2 Open SSH 22 0 0 0

HIGH EC2 Open Telnet 22 0 0 0

LOW EC2 Open SMTP 22 0 0 0

LOW EC2 Open DNS 22 0 0 0

LOW EC2 Open RPC 22 0 0 0

LOW EC2 Open NetBIOS 22 0 0 0

LOW EC2 Open SMBoTCP 22 0 0 0

LOW EC2 Open CIFS 22 0 0 0

LOW EC2 Open SQL Server 22 0 0 0

MEDIUM EC2 Open RDP 20 0 2 0

MEDIUM EC2 Open MySQL 21 0 1 0

MEDIUM EC2 Open PostgreSQL 22 0 0 0

LOW EC2 Open VNC Client 22 0 0 0

LOW EC2 Open VNC Server 22 0 0 0

HIGH IAM Certificate Expiry 1 0 0 0

MEDIUM ELB Insecure Ciphers 17 0 0 0

MEDIUM IAM Password Requires Symbols 0 0 1 0

MEDIUM IAM Maximum Password Age 0 0 1 0

LOW IAM Password Reuse Prevention 0 0 1 0

HIGH IAM Root MFA Enabled 0 0 1 0

HIGH IAM Root Access Keys 1 0 0 0

MEDIUM IAM Users MFA Enabled 0 0 1 0

LOW EC2 Detect EC2 Classic Instances 17 0 0 0

MEDIUM IAM Access Keys Rotated 1 0 2 0

LOW IAM Access Keys Last Used 2 1 0 0

LOW IAM Access Keys Extra 3 0 0 0

LOW IAM Empty Groups 1 0 0 0

MEDIUM S3 S3 Bucket All Users Policy 3 0 0 0

LOW RDS RDS Restorable 17 0 0 0

LOW Route53 Domain Auto Renew 1 0 0 0

HIGH Route53 Domain Transfer Lock 1 0 0 0

HIGH Route53 Domain Expiry 1 0 0 0

MEDIUM RDS RDS Encryption Enabled 17 0 0 0

MEDIUM RDS RDS Publicly Accessible 17 0 0 0

MEDIUM IAM SSH Keys Rotated 1 0 0 0

LOW KMS KMS Key Rotation 16 0 1 0

MEDIUM CloudTrail CloudTrail File Validation 17 0 0 0

MEDIUM IAM Password Expiration 0 0 1 0

MEDIUM IAM Password Requires Lowercase 0 0 1 0

MEDIUM IAM Password Requires Uppercase 0 0 1 0

HIGH IAM Root Account In Use 0 0 1 0

LOW IAM No User IAM Policies 0 3 0 0

LOW CloudTrail CloudTrail To CloudWatch 0 0 17 0

LOW ConfigService Config Service Enabled 0 0 18 0

HIGH S3 CloudTrail Bucket Access Logging 0 1 0 0

MEDIUM CloudTrail CloudTrail Encryption 17 0 0 0

MEDIUM S3 CloudTrail Bucket Private 1 0 0 0

LOW EC2 VPC Flow Logs Enabled 0 0 17 0

MEDIUM EC2 Default Security Group 0 0 17 0

MEDIUM CloudFront Public S3 CloudFront Origin 1 0 0 0

LOW EC2 VPC Multiple Subnets 17 0 0 0