Aqua Sec
Security Report
Scan Report Run 2022-09-22T01:48:28.000Z
Executive Summary
Aqua ran this security scan on 2022-09-22T01:48:28.000Z. The scan produced 5685 results, of which 4690 (83%) were passing and 995 (17%) were non-passing. Out of all results, 0 were newly discovered during this scan.
Severity | Service | Check | Result counts
LOW | RDS | RDS Automated Backups | 17 0 0 0
LOW | Transfer | PrivateLink in Use for Transfer for SFTP Server Endpoints | 17 0 0 0
LOW | Glacier | S3 Glacier Vault Public Access | 17 0 0 0
LOW | Connect | Connect Customer Profiles Domain Encrypted | 0 0 0 9
LOW | ElastiCache | ElastiCache Engine Versions for Redis | 17 0 0 0
LOW | Compute Optimizer | Lambda Function Optimized | 0 0 0 1
LOW | Compute Optimizer | Compute Optimizer Recommendations Enabled | 0 0 0 1
Test Description: Ensures CloudTrail logging bucket has a policy to prevent deletion of logs without an MFA token
Additional Info: To provide additional security, CloudTrail logging buckets should require an MFA token to delete objects
Cloud Provider Link: http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete
Test Description: Ensures CloudTrail is enabled for all regions within an account
Additional Info: CloudTrail should be enabled for all regions in order to detect suspicious activity in regions that are not typically used.
Recommended Action: Enable CloudTrail for all regions and ensure that at least one region monitors global service events
PASS us-east-1 CloudTrail is enabled and monitoring regional and global services
PASS us-east-2 CloudTrail is enabled and monitoring regional and global services
PASS us-west-1 CloudTrail is enabled and monitoring regional and global services
PASS us-west-2 CloudTrail is enabled and monitoring regional and global services
PASS ca-central-1 CloudTrail is enabled and monitoring regional and global services
PASS eu-central-1 CloudTrail is enabled and monitoring regional and global services
PASS eu-west-1 CloudTrail is enabled and monitoring regional and global services
PASS eu-west-2 CloudTrail is enabled and monitoring regional and global services
PASS eu-west-3 CloudTrail is enabled and monitoring regional and global services
PASS eu-north-1 CloudTrail is enabled and monitoring regional and global services
PASS ap-northeast-1 CloudTrail is enabled and monitoring regional and global services
PASS ap-northeast-2 CloudTrail is enabled and monitoring regional and global services
PASS ap-southeast-1 CloudTrail is enabled and monitoring regional and global services
PASS ap-southeast-2 CloudTrail is enabled and monitoring regional and global services
PASS ap-northeast-3 CloudTrail is enabled and monitoring regional and global services
PASS ap-south-1 CloudTrail is enabled and monitoring regional and global services
PASS sa-east-1 CloudTrail is enabled and monitoring regional and global services
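The two CloudTrail controls above (MFA-protected deletion of the log bucket, and a logging trail covering every region plus global service events) can be re-checked offline from the relevant API responses. The block below is an added example written for this page, not the scanner's own code: the bucket policy, trail list and account number are constructed, the `FAIL` wordings are this example's own, and only the `PASS` wording mirrors the report. It also makes one caveat explicit that the report does not: a bucket-policy `Deny` keyed on `"Bool": {"aws:MultiFactorAuthPresent": "false"}` does not match requests signed with long-term access keys, because that context key is absent from such requests, so only the `BoolIfExists` form is accepted as enforcement.

```python
"""CloudTrail log-bucket MFA-delete and per-region trail coverage checks over
inputs shaped like GetBucketVersioning, GetBucketPolicy, DescribeTrails and
GetTrailStatus. Added example with constructed data; not the scanner's code."""
import json


def mfa_delete_enforced(versioning, policy_json=None):
    """Return (ok, reason) for a CloudTrail log bucket.

    ok is True when S3 MFA Delete is enabled on the bucket's versioning
    configuration (the control the report's AWS link describes) or when the
    bucket policy explicitly denies object deletion unless the request carried
    an MFA token. A Deny keyed on "Bool": {"aws:MultiFactorAuthPresent": "false"}
    is rejected: that key is absent from requests made with long-term access
    keys, so a plain Bool test never matches them; BoolIfExists also matches
    when the key is missing and therefore closes that gap.
    """
    if versioning.get("Status") == "Enabled" and versioning.get("MFADelete") == "Enabled":
        return True, "MFA Delete is enabled on bucket versioning"
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    statements = policy.get("Statement", [])
    deletes = {"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:*"}
    for stmt in ([statements] if isinstance(statements, dict) else statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Deny" or not deletes & set(actions):
            continue
        cond = stmt.get("Condition", {})
        if str(cond.get("BoolIfExists", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "false":
            return True, "bucket policy denies object deletion without an MFA token"
        if str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "false":
            return False, "Deny uses Bool, which does not match requests lacking the MFA key"
    return False, "nothing prevents deletion of log objects without an MFA token"


def trail_status(region, trails, logging):
    """(result, message) for one region. PASS wording follows the report's rows;
    the FAIL wordings are this example's own.

    trails: DescribeTrails trailList (query with include-shadow-trails so that
    multi-region trails homed elsewhere are visible). logging: TrailARN ->
    GetTrailStatus IsLogging. A trail covers the region if it is multi-region or
    homed there, and only trails that are actually logging count.
    """
    covering = [t for t in trails
                if logging.get(t["TrailARN"], False)
                and (t.get("IsMultiRegionTrail") or t.get("HomeRegion") == region)]
    if not covering:
        return "FAIL", "CloudTrail is not enabled or not logging in this region"
    if any(t.get("IncludeGlobalServiceEvents") for t in covering):
        return "PASS", "CloudTrail is enabled and monitoring regional and global services"
    return "FAIL", "CloudTrail is enabled but no covering trail records global service events"


# Constructed inputs: account number, bucket and trail names are made up.
STRONG_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "RequireMfaToDeleteLogs", "Effect": "Deny", "Principal": "*",
    "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
    "Resource": "arn:aws:s3:::example-cloudtrail-logs/*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]})
WEAK_POLICY = STRONG_POLICY.replace("BoolIfExists", "Bool")   # looks right, but is bypassable
TRAILS = [
    {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True},
    {"Name": "eu-only", "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/eu-only",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False},
]
LOGGING = {TRAILS[0]["TrailARN"]: True, TRAILS[1]["TrailARN"]: True}

if __name__ == "__main__":
    print(mfa_delete_enforced({"Status": "Enabled", "MFADelete": "Enabled"}))
    print(mfa_delete_enforced({"Status": "Enabled", "MFADelete": "Disabled"}, WEAK_POLICY))
    print(mfa_delete_enforced({"Status": "Enabled", "MFADelete": "Disabled"}, STRONG_POLICY))
    for region in ("us-east-1", "us-east-2", "eu-west-1"):
        print(region, *trail_status(region, TRAILS, LOGGING))
    print("eu-west-1 with only the local trail:", *trail_status("eu-west-1", TRAILS[1:], LOGGING))
```

Feed `mfa_delete_enforced` the `get_bucket_versioning` and `get_bucket_policy` responses for the trail's S3 bucket, and `trail_status` the trail list once per region in the account; a region that only has a single-region trail without global service events, like the constructed `eu-only` trail, fails even though logging is on.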
Test Description: Determine if the number of allocated EIPs is close to the AWS per-account limit
Additional Info: AWS limits accounts to certain numbers of resources. Exceeding those limits could prevent resources from launching.
Recommended Action: Contact AWS support to increase the number of EIPs available
Cloud Provider Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-limit

Test Description: Determine if the number of allocated VPC EIPs is close to the AWS per-account limit
Additional Info: AWS limits accounts to certain numbers of resources. Exceeding those limits could prevent resources from launching.
Recommended Action: Contact AWS support to increase the number of EIPs available
Cloud Provider Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-limit

Test Description: Determine if the number of EC2 instances is close to the AWS per-account limit
Additional Info: AWS limits accounts to certain numbers of resources. Exceeding those limits could prevent resources from launching.
Recommended Action: Contact AWS support to increase the number of instances available
Cloud Provider Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-limit
PASS | us-east-1 | Account contains 6 of 20 (30%) available instances
PASS | us-east-2 | No instances found
Test Description: Determine if there are an excessive number of security groups in the account
Additional Info: Keeping the number of security groups to a minimum helps reduce the attack surface of an account. Rather than creating new groups with the same rules for each project, common rules should be grouped under the same security groups. For example, instead of adding port 22 from a known IP to every group, create a single "SSH" security group which can be used on multiple instances.
Recommended Action: Limit the number of security groups to prevent accidental authorizations
Cloud Provider Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result | Region | Resource | Message
Test Description: Determine if TCP port 20 or 21 for FTP is open to the public
Additional Info: While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as FTP should be restricted to known IP addresses.
Result | Region | Resource | Message
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-015527859f4cb1ab4 | Security group: sg-015527859f4cb1ab4 (launch-wizard-1) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 | Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e | Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e | Security group: sg-2a94e22e (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | us-east-2 | arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 | Security group: sg-35cd9243 (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | us-west-1 | arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 | Security group: sg-0355558bdeb17eba4 (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | us-west-2 | arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 | Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | ca-central-1 | arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 | Security group: sg-0221abf87bbe12971 (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | eu-central-1 | arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f | Security group: sg-09b903e8dd37bee5f (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | eu-west-1 | arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc | Security group: sg-08b897c32e384acbc (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | eu-west-2 | arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a | Security group: sg-0ae841762d2749f1a (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | eu-west-3 | arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 | Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | eu-north-1 | arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d | Security group: sg-04656562bedc2ae6d (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-1 | arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 | Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-2 | arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f | Security group: sg-07f8aee861c34413f (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-1 | arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 | Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-2 | arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 | Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-3 | arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 | Security group: sg-09c1a77d7fa721022 (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | ap-south-1 | arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad | Security group: sg-02cb7aa81a32263ad (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
PASS | sa-east-1 | arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 | Security group: sg-ffd685b7 (default) does not have TCP:20,21 open to 0.0.0.0/0 or ::0
Test Description: Determine if TCP port 22 for SSH is open to the public
Additional Info: While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SSH should be restricted to known IP addresses.
Cloud Provider Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result | Region | Resource | Message
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e | Security group: sg-2a94e22e (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | us-east-2 | arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 | Security group: sg-35cd9243 (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | us-west-1 | arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 | Security group: sg-0355558bdeb17eba4 (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | us-west-2 | arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 | Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | ca-central-1 | arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 | Security group: sg-0221abf87bbe12971 (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | eu-central-1 | arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f | Security group: sg-09b903e8dd37bee5f (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | eu-west-1 | arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc | Security group: sg-08b897c32e384acbc (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | eu-west-2 | arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a | Security group: sg-0ae841762d2749f1a (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | eu-west-3 | arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 | Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | eu-north-1 | arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d | Security group: sg-04656562bedc2ae6d (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-1 | arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 | Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-2 | arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f | Security group: sg-07f8aee861c34413f (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-1 | arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 | Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-2 | arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 | Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-3 | arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 | Security group: sg-09c1a77d7fa721022 (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | ap-south-1 | arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad | Security group: sg-02cb7aa81a32263ad (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
PASS | sa-east-1 | arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 | Security group: sg-ffd685b7 (default) does not have TCP:22 open to 0.0.0.0/0 or ::0
Test Description: Determine if TCP port 23 for Telnet is open to the public
Additional Info: While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Telnet should be restricted to known IP addresses.
Cloud Provider Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result | Region | Resource | Message
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 | Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | us-east-2 | arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 | Security group: sg-35cd9243 (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | us-west-1 | arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 | Security group: sg-0355558bdeb17eba4 (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | us-west-2 | arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 | Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | ca-central-1 | arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 | Security group: sg-0221abf87bbe12971 (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | eu-central-1 | arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f | Security group: sg-09b903e8dd37bee5f (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | eu-west-1 | arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc | Security group: sg-08b897c32e384acbc (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | eu-west-2 | arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a | Security group: sg-0ae841762d2749f1a (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | eu-west-3 | arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 | Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | eu-north-1 | arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d | Security group: sg-04656562bedc2ae6d (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-1 | arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 | Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-2 | arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f | Security group: sg-07f8aee861c34413f (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-1 | arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 | Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-2 | arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 | Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-3 | arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 | Security group: sg-09c1a77d7fa721022 (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | ap-south-1 | arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad | Security group: sg-02cb7aa81a32263ad (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
PASS | sa-east-1 | arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 | Security group: sg-ffd685b7 (default) does not have TCP:23 open to 0.0.0.0/0 or ::0
Additional Info: While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SMTP should be restricted to known IP addresses.
Cloud Provider Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result | Region | Resource | Message
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 | Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e | Security group: sg-2a94e22e (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | us-east-2 | arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 | Security group: sg-35cd9243 (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | us-west-1 | arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 | Security group: sg-0355558bdeb17eba4 (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | us-west-2 | arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 | Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | ca-central-1 | arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 | Security group: sg-0221abf87bbe12971 (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | eu-central-1 | arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f | Security group: sg-09b903e8dd37bee5f (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | eu-west-1 | arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc | Security group: sg-08b897c32e384acbc (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | eu-west-2 | arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a | Security group: sg-0ae841762d2749f1a (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | eu-west-3 | arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 | Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | eu-north-1 | arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d | Security group: sg-04656562bedc2ae6d (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-1 | arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 | Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-2 | arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f | Security group: sg-07f8aee861c34413f (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-1 | arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 | Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-2 | arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 | Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-3 | arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 | Security group: sg-09c1a77d7fa721022 (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | ap-south-1 | arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad | Security group: sg-02cb7aa81a32263ad (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
PASS | sa-east-1 | arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 | Security group: sg-ffd685b7 (default) does not have TCP:25 open to 0.0.0.0/0 or ::0
Test Description: Determine if TCP or UDP port 53 for DNS is open to the public
Additional Info: While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as DNS should be restricted to known IP addresses.
Cloud Provider Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result | Region | Resource | Message
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 | Security group: sg-031d418a21dd84701 (SG-Linux) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e | Security group: sg-2a94e22e (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | us-east-2 | arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 | Security group: sg-35cd9243 (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | us-west-1 | arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 | Security group: sg-0355558bdeb17eba4 (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | us-west-2 | arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 | Security group: sg-07b897bc45d1e6fe2 (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | ca-central-1 | arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 | Security group: sg-0221abf87bbe12971 (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | eu-central-1 | arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f | Security group: sg-09b903e8dd37bee5f (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | eu-west-1 | arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc | Security group: sg-08b897c32e384acbc (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | eu-west-2 | arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a | Security group: sg-0ae841762d2749f1a (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | eu-west-3 | arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 | Security group: sg-03bc08f1c58bcf815 (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | eu-north-1 | arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d | Security group: sg-04656562bedc2ae6d (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-1 | arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 | Security group: sg-0a5f4c4f1b5983891 (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-2 | arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f | Security group: sg-07f8aee861c34413f (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-1 | arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 | Security group: sg-0f40a8e2330e64b60 (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-2 | arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 | Security group: sg-0de72c4ef2c1b7162 (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-3 | arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 | Security group: sg-09c1a77d7fa721022 (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
PASS | sa-east-1 | arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 | Security group: sg-ffd685b7 (default) does not have UDP:53, TCP:53 open to 0.0.0.0/0 or ::0
Test Description: Determine if TCP port 135 for RPC is open to the public
Additional Info: While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as RPC should be restricted to known IP addresses.
Cloud Provider Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result | Region | Resource | Message
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 | Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e | Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e | Security group: sg-2a94e22e (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | us-east-2 | arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 | Security group: sg-35cd9243 (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | us-west-1 | arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 | Security group: sg-0355558bdeb17eba4 (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | us-west-2 | arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 | Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | ca-central-1 | arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 | Security group: sg-0221abf87bbe12971 (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | eu-central-1 | arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f | Security group: sg-09b903e8dd37bee5f (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | eu-west-1 | arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc | Security group: sg-08b897c32e384acbc (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | eu-west-2 | arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a | Security group: sg-0ae841762d2749f1a (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | eu-west-3 | arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 | Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-1 | arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 | Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-2 | arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f | Security group: sg-07f8aee861c34413f (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-1 | arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 | Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-2 | arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 | Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-3 | arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 | Security group: sg-09c1a77d7fa721022 (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | ap-south-1 | arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad | Security group: sg-02cb7aa81a32263ad (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
PASS | sa-east-1 | arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 | Security group: sg-ffd685b7 (default) does not have TCP:135 open to 0.0.0.0/0 or ::0
EC2 Open NetBIOS | 22 0 0 0
Test Description: Determine if UDP port 137 or 138 or 139 for NetBIOS is open to the public
Additional Info: While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as NetBIOS should be restricted to known IP addresses.
Recommended Action: Restrict UDP ports 137, 138 and 139 to known IP addresses
Cloud Provider Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result | Region | Resource | Message
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 | Security group: sg-031d418a21dd84701 (SG-Linux) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e | Security group: sg-2a94e22e (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | us-east-2 | arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 | Security group: sg-35cd9243 (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | us-west-1 | arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 | Security group: sg-0355558bdeb17eba4 (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | us-west-2 | arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 | Security group: sg-07b897bc45d1e6fe2 (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | ca-central-1 | arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 | Security group: sg-0221abf87bbe12971 (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | eu-central-1 | arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f | Security group: sg-09b903e8dd37bee5f (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | eu-west-1 | arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc | Security group: sg-08b897c32e384acbc (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | eu-west-2 | arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a | Security group: sg-0ae841762d2749f1a (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | eu-west-3 | arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 | Security group: sg-03bc08f1c58bcf815 (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | eu-north-1 | arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d | Security group: sg-04656562bedc2ae6d (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-1 | arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 | Security group: sg-0a5f4c4f1b5983891 (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-2 | arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f | Security group: sg-07f8aee861c34413f (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-1 | arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 | Security group: sg-0f40a8e2330e64b60 (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-2 | arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 | Security group: sg-0de72c4ef2c1b7162 (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-3 | arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 | Security group: sg-09c1a77d7fa721022 (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | ap-south-1 | arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad | Security group: sg-02cb7aa81a32263ad (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
PASS | sa-east-1 | arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 | Security group: sg-ffd685b7 (default) does not have UDP:137,138,139 open to 0.0.0.0/0 or ::0
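Every "open to the public" check in this report (FTP, SSH, Telnet, SMTP, DNS, RPC, NetBIOS and SMB) is the same test applied to a different protocol/port set: does any inbound rule of the security group admit 0.0.0.0/0 or ::/0 for that port? The block below is an added example written for this page, not the scanner's code, that implements that test once over `describe_security_groups`-shaped input and generates the report's PASS wording; the `FAIL` wording, the group IDs and names, and the sample rules are constructed. It handles the two cases a naive port-equality check misses: an `IpProtocol` of `-1` (all traffic, every port) and a `FromPort`..`ToPort` range that merely contains the checked port. It also serves the "excessive number of security groups" recommendation above by grouping security groups whose inbound rule sets are identical, which are the per-project copies the report says should be consolidated.

```python
"""Inbound-exposure and duplicate-rule checks over EC2 security groups, in the
shape of the report's "open to the public" findings. Added example: the groups
below are constructed, not taken from the scanned account, and the scanner's
own code is not reproduced here."""
from collections import defaultdict

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"   # the report prints the IPv6 form as "::0"

# Protocol/port sets behind each check in the report (UDP listed first for DNS
# because that is the order the report's message uses).
CHECKS = {
    "FTP":     {"tcp": {20, 21}},
    "SSH":     {"tcp": {22}},
    "Telnet":  {"tcp": {23}},
    "SMTP":    {"tcp": {25}},
    "DNS":     {"udp": {53}, "tcp": {53}},
    "RPC":     {"tcp": {135}},
    "NetBIOS": {"udp": {137, 138, 139}},
    "SMB":     {"tcp": {445}},
}


def _world_reachable(rule):
    """True when an IpPermissions entry admits the whole IPv4 or IPv6 internet."""
    return (any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", [])))


def _covers(rule, proto, port):
    """True when the rule admits proto/port. IpProtocol "-1" is all traffic on
    every port; otherwise the FromPort..ToPort range must contain the port."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != proto:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def open_ports(group, check):
    """Sorted 'PROTO:port' strings from `check` that `group` exposes to the world."""
    found = set()
    for rule in group.get("IpPermissions", []):
        if not _world_reachable(rule):
            continue
        for proto, ports in check.items():
            found.update(f"{proto.upper()}:{p}" for p in ports if _covers(rule, proto, p))
    return sorted(found, key=lambda s: (s.split(":")[0], int(s.split(":")[1])))


def evaluate(group, check_name):
    """(result, message) for one group and one check. PASS is worded like the
    report's rows; the FAIL wording is this example's own, not the scanner's."""
    check = CHECKS[check_name]
    label = ", ".join(f"{p.upper()}:{','.join(map(str, sorted(ps)))}" for p, ps in check.items())
    head = f"Security group: {group['GroupId']} ({group['GroupName']})"
    exposed = open_ports(group, check)
    if exposed:
        return "FAIL", f"{head} has {', '.join(exposed)} open to 0.0.0.0/0 or ::0"
    return "PASS", f"{head} does not have {label} open to 0.0.0.0/0 or ::0"


def _rule_key(rule):
    """Hashable, order-independent form of one inbound rule."""
    return (rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort"),
            tuple(sorted(r["CidrIp"] for r in rule.get("IpRanges", []))),
            tuple(sorted(r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))))


def duplicate_rule_sets(groups):
    """Lists of group IDs whose inbound rule sets are identical: the per-project
    copies the report says should be consolidated into one shared group."""
    by_rules = defaultdict(list)
    for g in groups:
        by_rules[frozenset(_rule_key(r) for r in g.get("IpPermissions", []))].append(g["GroupId"])
    return sorted(sorted(ids) for ids in by_rules.values() if len(ids) > 1)


# Constructed sample groups (IDs and names are made up for this example).
SG_DEFAULT = {"GroupId": "sg-0example0default", "GroupName": "default", "IpPermissions": []}
SG_SSH_OPEN = {"GroupId": "sg-0example0wizard1", "GroupName": "launch-wizard-1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_V4}]}]}
SG_SSH_COPY = {"GroupId": "sg-0example0wizard2", "GroupName": "launch-wizard-2", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_V4}]}]}
SG_ALL_V6 = {"GroupId": "sg-0example0allv6", "GroupName": "wide-open", "IpPermissions": [
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]}       # all ports, IPv6 world
SG_INTERNAL = {"GroupId": "sg-0example0internal", "GroupName": "ops", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}
GROUPS = [SG_DEFAULT, SG_SSH_OPEN, SG_SSH_COPY, SG_ALL_V6, SG_INTERNAL]

if __name__ == "__main__":
    for g in GROUPS:
        for name in CHECKS:
            print(*evaluate(g, name))
    print("duplicate rule sets:", duplicate_rule_sets(GROUPS))
```

Run it against the `SecurityGroups` list of `describe_security_groups` per region; the IPv6-only `-1` group shows why the report tests both `0.0.0.0/0` and `::0`, and the `ops` group shows that a wide port range is only a finding when its source is the public internet.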
Test Description: Determine if TCP port 445 for Windows SMB over TCP is open to the public
Additional Info: While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SMB should be restricted to known IP addresses.
Cloud Provider Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result | Region | Resource | Message
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 | Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e | Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | us-east-1 | arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e | Security group: sg-2a94e22e (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | us-east-2 | arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 | Security group: sg-35cd9243 (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | us-west-1 | arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 | Security group: sg-0355558bdeb17eba4 (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | us-west-2 | arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 | Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | ca-central-1 | arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 | Security group: sg-0221abf87bbe12971 (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | eu-central-1 | arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f | Security group: sg-09b903e8dd37bee5f (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | eu-west-1 | arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc | Security group: sg-08b897c32e384acbc (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | eu-west-2 | arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a | Security group: sg-0ae841762d2749f1a (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | eu-west-3 | arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 | Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | eu-north-1 | arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d | Security group: sg-04656562bedc2ae6d (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-1 | arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 | Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | ap-northeast-2 | arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f | Security group: sg-07f8aee861c34413f (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
PASS | ap-southeast-1 | arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 | Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:445 open to 0.0.0.0/0 or ::0
ap- arn:aws:ec2:ap-southeast-
Security group: sg-0de72c4ef2c1b7162 (default) does
PASS southeast- 2:922503285322:security-group/sg-
not have TCP:445 open to 0.0.0.0/0 or ::0
2 0de72c4ef2c1b7162
ap- arn:aws:ec2:ap-northeast-
Security group: sg-09c1a77d7fa721022 (default) does
PASS northeast- 3:922503285322:security-group/sg-
not have TCP:445 open to 0.0.0.0/0 or ::0
3 09c1a77d7fa721022
arn:aws:ec2:ap-south-
PASS ap-south-1 Security group: sg-02cb7aa81a32263ad (default) does
1:922503285322:security-group/sg-
not have TCP:445 open to 0.0.0.0/0 or ::0
02cb7aa81a32263ad
arn:aws:ec2:sa-east-
Security group: sg-ffd685b7 (default) does not have
PASS sa-east-1 1:922503285322:security-group/sg-
TCP:445 open to 0.0.0.0/0 or ::0
ffd685b7
Test Description Determine if UDP port 445 for CIFS is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as CIFS should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have UDP:445 open to 0.0.0.0/0 or ::0
EC2 Open SQL Server 22 0 0 0
Test Description Determine if TCP port 1433 or UDP port 1434 for SQL Server is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SQL Server should be restricted to known IP addresses.
Recommended Action Restrict TCP port 1433 and UDP port 1434 to known IP addresses
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:1433, UDP:1434 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP port 3389 for RDP is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as RDP should be restricted to known IP addresses.
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-015527859f4cb1ab4 Security group: sg-015527859f4cb1ab4 (launch-wizard-1) has RDP:TCP:3389 open to 0.0.0.0/0
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0b29b77965792ae5d Security group: sg-0b29b77965792ae5d (SG-RemoteAccess) has RDP:TCP:3389 open to 0.0.0.0/0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:3389 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP port 4333 or 3306 for MySQL is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as MySQL should be restricted to known IP addresses.
Recommended Action Restrict TCP ports 4333 and 3306 to known IP addresses
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-015527859f4cb1ab4 Security group: sg-015527859f4cb1ab4 (launch-wizard-1) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) has MySQL:TCP:3306 open to 0.0.0.0/0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:3306,4333 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP port 5432 for PostgreSQL is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as PostgreSQL should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:5432 open to 0.0.0.0/0 or ::0
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Client should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:5500 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP port 5900 for VNC Server is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Server should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:5900 open to 0.0.0.0/0 or ::0
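The open-port tests above (NetBIOS, SMB, CIFS, SQL Server, RDP, MySQL, PostgreSQL, VNC Client, VNC Server) all apply one rule: no listed service port may be reachable from 0.0.0.0/0 or ::/0. As an added example, not part of the Aqua report and not CloudSploit's own code, the Python below implements that rule once over a table of ports and goes slightly beyond the report's per-port messages: a rule that opens a port range (say 1024-65535) or all protocols (IpProtocol -1) counts as exposing every port it covers, and ::/0 counts as public. The input shape is that of the EC2 DescribeSecurityGroups response (IpPermissions with IpRanges and Ipv6Ranges). The sample groups are constructed: the first two mirror the report's MySQL and RDP FAIL rows, the third is a default group that only references itself, and sg-0123456789abcdef0 with a wide IPv6 rule is an invented edge case.

```python
"""Flag EC2 security groups that expose sensitive ports to the whole Internet.

Added example, not CloudSploit/Aqua code. Input has the shape returned by
`aws ec2 describe-security-groups` (IpPermissions with IpRanges/Ipv6Ranges);
SAMPLE_GROUPS below is constructed to mirror the report's findings.
"""
from dataclasses import dataclass

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Service -> (protocol, port) pairs: the ports the report's tests cover.
SENSITIVE_PORTS = {
    "NetBIOS":    [("udp", 137), ("udp", 138), ("udp", 139)],
    "SMB":        [("tcp", 445)],
    "CIFS":       [("udp", 445)],
    "SQL Server": [("tcp", 1433), ("udp", 1434)],
    "RDP":        [("tcp", 3389)],
    "MySQL":      [("tcp", 3306), ("tcp", 4333)],
    "PostgreSQL": [("tcp", 5432)],
    "VNC Client": [("tcp", 5500)],
    "VNC Server": [("tcp", 5900)],
}


@dataclass(frozen=True)
class Finding:
    status: str      # "PASS" or "FAIL"
    service: str
    group_id: str
    message: str


def public_cidrs_for(rule, proto, port):
    """CIDRs in one IpPermissions entry that let the whole Internet reach proto/port."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    public = [c for c in cidrs if c in PUBLIC_CIDRS]
    if not public:
        return []                          # only known CIDRs or security-group references
    if rule.get("IpProtocol") == "-1":
        return public                      # all protocols and all ports
    if rule.get("IpProtocol") != proto:
        return []
    # A port range exposes the port just as a single-port rule does.
    if rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
        return public
    return []


def check_group(group, service):
    """Evaluate one security group against one service, in the report's message style."""
    gid, name = group["GroupId"], group["GroupName"]
    exposed = set()
    for proto, port in SENSITIVE_PORTS[service]:
        for rule in group.get("IpPermissions", []):
            for cidr in public_cidrs_for(rule, proto, port):
                exposed.add(f"{service}:{proto.upper()}:{port} open to {cidr}")
    if exposed:
        return Finding("FAIL", service, gid,
                       f"Security group: {gid} ({name}) has " + ", ".join(sorted(exposed)))
    wanted = ", ".join(f"{p.upper()}:{n}" for p, n in SENSITIVE_PORTS[service])
    return Finding("PASS", service, gid,
                   f"Security group: {gid} ({name}) does not have {wanted} open to 0.0.0.0/0 or ::0")


def scan(groups):
    """Every service check against every group: one Finding per (group, service)."""
    return [check_group(g, s) for g in groups for s in SENSITIVE_PORTS]


def failures(groups):
    return [f for f in scan(groups) if f.status == "FAIL"]


def _rule(proto, lo=None, hi=None, v4=(), v6=()):
    """Build one IpPermissions entry in the DescribeSecurityGroups shape (constructed data)."""
    rule = {"IpProtocol": proto, "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}
    if lo is not None:
        rule.update(FromPort=lo, ToPort=hi)
    return rule


SAMPLE_GROUPS = [  # constructed; the first two mirror the report's FAIL rows
    {"GroupId": "sg-031d418a21dd84701", "GroupName": "SG-Linux", "IpPermissions": [
        _rule("tcp", 22, 22, v4=["203.0.113.0/24"]),      # SSH from a known range: fine
        _rule("tcp", 3306, 3306, v4=["0.0.0.0/0"])]},     # MySQL to the world: FAIL
    {"GroupId": "sg-015527859f4cb1ab4", "GroupName": "launch-wizard-1", "IpPermissions": [
        _rule("tcp", 3389, 3389, v4=["0.0.0.0/0"])]},     # RDP to the world: FAIL
    {"GroupId": "sg-2a94e22e", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-2a94e22e"}]}]},   # self-reference only: PASS
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "wide-open-v6", "IpPermissions": [
        _rule("tcp", 1024, 65535, v6=["::/0"])]},         # invented: range over IPv6, many FAILs
]

if __name__ == "__main__":
    for f in failures(SAMPLE_GROUPS):
        print(f.status, f.service, f.message)
```

Against a live account, replace SAMPLE_GROUPS with the SecurityGroups list that boto3's describe_security_groups returns for each region. A group that passes here can still be bypassed by another group attached to the same network interface, since the effective rule set is the union of all attached groups, so evaluate every group on the instance rather than one in isolation.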
Additional Info Certificates that have expired will trigger warnings in all major browsers
Cloud Provider Link http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-update-ssl-cert.html
Additional Info Various security vulnerabilities have rendered several ciphers insecure. Only the recommended ciphers should be used.
Recommended Action Update your ELBs to use the recommended cipher suites
Cloud Provider Link http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-options.html
Result Region Resource Message
Test Description Ensures password policy requires a password of at least a minimum number of characters
Additional Info A strong password policy enforces minimum length, expirations, reuse, and symbol usage
Recommended Action Increase the minimum length requirement for the password policy
Additional Info A strong password policy enforces minimum length, expirations, reuse, and symbol usage
Recommended Action Update the password policy to require the use of symbols
Test Description Ensures password policy requires passwords to be reset every 180 days
Additional Info A strong password policy enforces minimum length, expirations, reuse, and symbol usage
Recommended Action Decrease the maximum allowed age of passwords for the password policy
Additional Info A strong password policy enforces minimum length, expirations, reuse, and symbol usage
Recommended Action Increase the number of previous passwords that cannot be reused (password reuse prevention) to 24.
Test Description Ensures a multi-factor authentication device is enabled for the root account
Additional Info The root account should have an MFA device setup to enable two-factor authentication.
Recommended Action Enable an MFA device for the root account and then use an IAM user for managing services
FAIL global arn:aws:iam::922503285322:root An MFA device was not found for the root account
Test Description Ensures the root account is not using access keys
Additional Info The root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it only increases the chance that they are compromised. Instead, create IAM users with predefined roles.
Recommended Action Remove access keys for the root account and set up IAM users with limited permissions instead
Test Description Ensures a multi-factor authentication device is enabled for all users within the account
Additional Info User accounts should have an MFA device setup to enable two-factor authentication
FAIL global arn:aws:iam::922503285322:user/cloud3 User: cloud3 does not have an MFA device enabled
Test Description Ensures AWS VPC is being used for instances instead of EC2 Classic
Additional Info VPCs are the latest and more secure method of launching AWS resources. EC2 Classic should not be used.
Test Description Ensures access keys are not older than 180 days in order to reduce accidental exposures
Additional Info Access keys should be rotated frequently to avoid having them accidentally exposed.
Recommended Action To rotate an access key, first create a new key, replace the key and secret throughout your app or scripts, then set the previous key to disabled. Once you ensure that no services are broken, then fully delete the old key.
Test Description Detects access keys that have not been used for a period of time and that should be decommissioned
Additional Info Having numerous, unused access keys extends the attack surface. Access keys should be removed if they are no longer being used.
Recommended Action Log into the IAM portal and remove the offending access key.
Test Description Detects the use of more than one access key by any single user
Additional Info Having more than one access key for a single user increases the chance of accidental exposure. Each account should only have one key that defines the user's permissions.
Recommended Action Remove the extra access key for the specified user.
Additional Info While having empty groups does not present a direct security risk, it does broaden the management landscape which could potentially introduce risks in the future.
Test Description Ensures S3 bucket policies do not allow global write, delete, or read permissions
Additional Info S3 buckets can be configured to allow the global principal to access the bucket via the bucket policy. This policy should be restricted only to known users or accounts.
Recommended Action Remove wildcard principals from the bucket policy statements.
PASS us-east-1 arn:aws:s3:::siscor-trails Bucket policy does not contain any insecure allow statements
Additional Info AWS will maintain a point to which the database can be restored. This point should not drift too far into the past, or else the risk of irrecoverable data loss may occur.
Recommended Action Ensure the instance is running and configured properly. If the time drifts too far, consider opening a support ticket with AWS.
Test Description Ensures domains are set to auto renew through Route53
Additional Info Domains purchased through Route53 should be set to auto renew. Domains that are not renewed can quickly be acquired by a third-party and cause loss of access for customers.
Additional Info To avoid having a domain maliciously transferred to a third-party, all domains should enable the transfer lock unless actively being transferred.
Cloud Provider Link http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-from-route-53.html
Additional Info AWS provides at-rest encryption for RDS instances which should be enabled to ensure the integrity of data stored within the databases.
Recommended Action RDS does not currently allow modifications to encryption after the instance has been launched, so a new instance will need to be created with encryption enabled.
Test Description Ensures automated backups are enabled for RDS instances
Additional Info AWS provides a simple method of backing up RDS instances at a regular interval. This should be enabled to provide an option for restoring data in the event of a database compromise or hardware failure.
Cloud Provider Link http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html
Test Description Ensures RDS instances are not launched into the public cloud
Additional Info Unless there is a specific business requirement, RDS instances should not have a public endpoint and should be accessed from within a VPC only.
Recommended Action Remove the public endpoint from the RDS instance
Test Description Ensures SSH keys are not older than 180 days in order to reduce accidental exposures
Additional Info SSH keys should be rotated frequently to avoid having them accidentally exposed.
Recommended Action To rotate an SSH key, first create a new public-private key pair, then upload the public key to AWS and delete the old key.
Test Description Ensures KMS keys are set to rotate on a regular schedule
Additional Info All KMS keys should have key rotation enabled. AWS will handle the rotation of the encryption key itself, as well as storage of previous keys, so previous data does not need to be re-encrypted before the rotation occurs.
PASS ap-northeast-1 No KMS keys found
PASS ap-northeast-2 No KMS keys found
PASS ap-southeast-1 No KMS keys found
PASS ap-southeast-2 No KMS keys found
PASS ap-northeast-3 No KMS keys found
Test Description Ensures CloudTrail file validation is enabled for all regions within an account
Additional Info CloudTrail file validation is essentially a hash of the file which can be used to ensure its integrity in the case of an account compromise.
Cloud Provider Link http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html
PASS us-west-2 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
PASS ap-southeast-1 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
PASS ap-southeast-2 arn:aws:cloudtrail:us-east-1:922503285322:trail/Siscor CloudTrail log file validation is enabled
Additional Info A strong password policy enforces minimum length, expirations, reuse, and symbol usage
Test Description Ensures password policy requires at least one lowercase letter
Additional Info A strong password policy enforces minimum length, expirations, reuse, and symbol usage
Recommended Action Update the password policy to require the use of lowercase letters
Additional Info A strong password policy enforces minimum length, expirations, reuse, and symbol usage
Recommended Action Update the password policy to require the use of numbers
Test Description Ensures password policy requires at least one uppercase letter
Additional Info A strong password policy enforces minimum length, expirations, reuse, and symbol usage
Recommended Action Update the password policy to require the use of uppercase letters
Test Description Ensures the root account is not being actively used
Additional Info The root account should not be used for day-to-day account management. IAM users, roles, and groups should be used instead.
Recommended Action Create IAM users with appropriate group-level permissions for account access. Create an MFA token for the root account, and store its password and token generation QR codes in a secure place.
FAIL global arn:aws:iam::922503285322:root Root account was last used 6 days ago
Test Description Ensures IAM policies are not connected directly to IAM users
Additional Info To reduce management complexity, IAM permissions should only be assigned to roles and groups. Users can then be added to those groups. Policies should not be applied directly to a user.
Recommended Action Create groups with the required policies, move the IAM users to the applicable groups, and then remove the inline and directly attached policies from the IAM user.
Cloud Provider Link http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-groups-for-permissions
Test Description Ensures CloudTrail logs are being properly delivered to CloudWatch
Additional Info Sending CloudTrail logs to CloudWatch enables easy integration with AWS CloudWatch alerts, as well as an additional backup log storage location.
Cloud Provider Link http://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html
Test Description Ensures the AWS Config Service is enabled to detect changes to account resources
Additional Info The AWS Config Service tracks changes to a number of resources in an AWS account and is invaluable in determining how account changes affect other resources and in recovery in the event of an account intrusion or accidental configuration change.
Recommended Action Enable the AWS Config Service for all regions and resources in an account. Ensure that it is properly recording and delivering logs.
Test Description Ensures CloudTrail logging bucket has access logging enabled to detect tampering of log files
Additional Info CloudTrail buckets should utilize access logging for an additional layer of auditing. If the log files are deleted or modified in any way, the additional access logs can help determine who made the changes.
Recommended Action Enable access logging on the CloudTrail bucket from the S3 console
Additional Info CloudTrail log files contain sensitive information about an account and should be encrypted at rest for additional protection.
Recommended Action Enable CloudTrail log encryption through the CloudTrail console or API
Cloud Provider Link http://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
Additional Info CloudTrail buckets contain large amounts of sensitive account data and should only be accessible by logged in users.
Recommended Action Set the S3 bucket access policy for all CloudTrail buckets to only allow known users to access its files.
Test Description Ensures VPC flow logs are enabled for traffic logging
Additional Info VPC flow logs record all traffic flowing in to and out of a VPC. These logs are critical for auditing and review after security incidents.
Test Description Ensure the default security groups block all traffic by default
Additional Info The default security group is often used for resources launched without a defined security group. For this reason, the default rules should be to block all traffic to prevent an accidental exposure.
Recommended Action Update the rules for the default security group to deny all traffic by default
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group
FAIL ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Default security group has 1 inbound and 1 outbound rules
FAIL ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Default security group has 1 inbound and 1 outbound rules
FAIL ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Default security group has 1 inbound and 1 outbound rules
FAIL ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Default security group has 1 inbound and 1 outbound rules
Test Description Detects the use of an S3 bucket as a CloudFront origin without an origin access identity
Additional Info When S3 is used as an origin for a CloudFront bucket, the contents should be kept private and an origin access identity should allow CloudFront access. This prevents someone from bypassing the caching benefits that CloudFront provides, repeatedly loading objects directly from S3, and amassing a large access bill.
Recommended Action Create an origin access identity for CloudFront, then make the contents of the S3 bucket private.
Cloud Provider Link http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
Additional Info VPCs should be designed to have separate public and private subnets, ideally across availability zones, enabling a DMZ-style architecture.
Recommended Action Create at least two subnets in each VPC, utilizing one for public traffic and the other for private traffic.
Cloud Provider Link https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#SubnetSecurity
Test Description Ensures DomainKeys Identified Mail (DKIM) is enabled for domains and addresses in SES.
Additional Info DKIM is a security feature that allows recipients of an email to verify that the sender domain has authorized the message and that it has not been spoofed.
Recommended Action Enable DKIM for all domains and addresses in all regions used to send email through SES.
Additional Info Accidentally sharing AMIs allows any AWS user to launch an EC2 instance using the image as a base. This can potentially expose sensitive information stored on the host.
Test Description Ensures SNS topics do not allow global send or subscribe.
Additional Info SNS policies should not be configured to allow any AWS user to subscribe or send messages. This could result in data leakage or financial DDoS.
Recommended Action Adjust the topic policy to only allow authorized AWS users in known accounts to subscribe.
PASS ap-northeast-1 No SNS topics found
PASS ap-northeast-2 No SNS topics found
PASS ap-southeast-1 No SNS topics found
PASS ap-southeast-2 No SNS topics found
PASS ap-northeast-3 No SNS topics found
Test Description Detects the use of secure web origins with secure protocols for CloudFront.
Additional Info Traffic passed between the CloudFront edge nodes and the backend resource should be sent over HTTPS with modern protocols for all web-based origins.
Recommended Action Ensure that traffic sent between CloudFront and its origin is passed over HTTPS and uses TLSv1.1 or higher. Do not use the match-viewer option.
PASS global No CloudFront origins without HTTPS or with insecure protocols found
Test Description Ensures Lambda functions are not using out-of-date runtime environments.
Additional Info Lambda runtimes should be kept current with recent versions of the underlying codebase. Deprecated runtimes should not be used.
Recommended Action Upgrade the Lambda function runtime to use a more current version.
Additional Info AWS provides at-rest encryption for Redshift clusters which should be enabled to ensure the integrity of data stored within the cluster.
Recommended Action Redshift does not currently allow modifications to encryption after the cluster has been launched, so a new cluster will need to be created with encryption enabled.
Test Description Ensures Redshift clusters are not launched into the public cloud
Additional Info Unless there is a specific business requirement, Redshift clusters should not have a public endpoint and should be accessed from within a VPC only.
Recommended Action Remove the public endpoint from the Redshift cluster
Test Description Detects the use of insecure HTTPS SSL/TLS protocols for use with HTTPS traffic between viewers and CloudFront
Additional Info CloudFront supports SSLv3 and TLSv1 protocols for use with HTTPS traffic, but only TLSv1.1 or higher should be used unless there is a valid business justification to support the older, insecure SSLv3.
Recommended Action Ensure that traffic sent between viewers and CloudFront is passed over HTTPS and uses TLSv1.1 or higher.
Cloud Provider Link http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
Test Description Ensures EC2 instances are using an IAM role instead of hard-coded AWS credentials
Additional Info IAM roles should be assigned to all instances to enable them to access AWS resources. Using an IAM role is more secure than hard-coding AWS access keys into application code.
PASS ap-northeast-1 No instances found
PASS ap-northeast-2 No instances found
PASS ap-southeast-1 No instances found
PASS ap-southeast-2 No instances found
PASS ap-northeast-3 No instances found
Additional Info AMIs with unencrypted data volumes can be used to launch unencrypted instances that place data at risk.
Test Description Ensures that ASGs are created to be cross-AZ for high availability.
Additional Info ASGs can easily be configured to allow instances to launch in multiple availability zones. This ensures that the ASG can continue to scale, even when AWS is experiencing downtime in one or more zones.
Recommended Action Modify the autoscaling instance to enable scaling across multiple availability zones.
Test Description Ensures CloudFront distributions are configured to redirect non-HTTPS traffic to HTTPS.
Additional Info For maximum security, CloudFront distributions can be configured to only accept HTTPS connections or to redirect HTTP connections to HTTPS.
Additional Info Logging requests to ELB endpoints is a helpful way of detecting and investigating potential attacks, malicious activity, or misuse of backend resources. Logs can be sent to S3 and processed for further analysis.
Cloud Provider Link http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
Result Region Resource Message
Test Description Ensures that RDS instances are created to be cross-AZ for high availability.
Additional Info Creating RDS instances in a single AZ creates a single point of failure for all systems relying on that database. All RDS instances should be created in multiple AZs to ensure proper failover.
Recommended Action Modify the RDS instance to enable scaling across multiple availability zones.
Test Description Determine if security group has all ports or protocols open to the public
Additional Info Security groups should be created on a per-service basis and avoid allowing all ports or protocols.
Recommended Action Modify the security group to specify a specific port and protocol to allow.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-015527859f4cb1ab4 Security group: sg-015527859f4cb1ab4 (launch-wizard-1) does not have all ports or protocols open to the public
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have all ports or protocols open to the public
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0ea00fe2209686e28 Security group: sg-0ea00fe2209686e28 (Linux_Jumpbox) does not have all ports or protocols open to the public
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have all ports or protocols open to the public
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have all ports or protocols open to the public
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have all ports or protocols open to the public
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have all ports or protocols open to the public
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have all ports or protocols open to the public
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have all ports or protocols open to the public
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have all ports or protocols open to the public
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have all ports or protocols open to the public
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have all ports or protocols open to the public
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have all ports or protocols open to the public
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have all ports or protocols open to the public
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have all ports or protocols open to the public
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have all ports or protocols open to the public
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have all ports or protocols open to the public
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have all ports or protocols open to the public
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have all ports or protocols open to the public
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have all ports or protocols open to the public
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have all ports or protocols open to the public
Additional Info EBS volumes should have at-rest encryption enabled through AWS using KMS. If the volume is used for a root volume, the instance must be launched from an AMI that has been encrypted as well.
PASS ap-northeast-1 No EBS volumes present
PASS ap-northeast-2 No EBS volumes present
PASS ap-southeast-1 No EBS volumes present
PASS ap-southeast-2 No EBS volumes present
PASS ap-northeast-3 No EBS volumes present
S3 S3 Bucket Versioning 0 0 3 0
Additional Info Object versioning can help protect against the overwriting of objects or data loss in the event of a compromise.
Recommended Action Enable object versioning for buckets with sensitive contents at a minimum and for all buckets ideally.
Additional Info Subnets have finite IP addresses. Running out of IP addresses could prevent resources from launching.
Recommended Action Add a new subnet with larger CIDR block and migrate resources.
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:subnet/subnet-04b300d7a202c19c5 Subnet subnet-04b300d7a202c19c5 is using 5 of 4096 (1%) available IPs.
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:subnet/subnet-0a73cdb301aed1693 Subnet subnet-0a73cdb301aed1693 is using 5 of 4096 (1%) available IPs.
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:subnet/subnet-0e1539ff91e81c4c2 Subnet subnet-0e1539ff91e81c4c2 is using 5 of 4096 (1%) available IPs.
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:subnet/subnet-01e5ca7cf1a748fc2 Subnet subnet-01e5ca7cf1a748fc2 is using 5 of 4096 (1%) available IPs.
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:subnet/subnet-0b9c6375791cdc931 Subnet subnet-0b9c6375791cdc931 is using 5 of 4096 (1%) available IPs.
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:subnet/subnet-0d81008a71f708459 Subnet subnet-0d81008a71f708459 is using 5 of 4096 (1%) available IPs.
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:subnet/subnet-09ef030317dbdf1ef Subnet subnet-09ef030317dbdf1ef is using 5 of 4096 (1%) available IPs.
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:subnet/subnet-0bcddf4ab52a09da7 Subnet subnet-0bcddf4ab52a09da7 is using 5 of 4096 (1%) available IPs.
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:subnet/subnet-0206dfe4e20b91171 Subnet subnet-0206dfe4e20b91171 is using 5 of 4096 (1%) available IPs.
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:subnet/subnet-076cd8bf9dcf54fc0 Subnet subnet-076cd8bf9dcf54fc0 is using 5 of 4096 (1%) available IPs.
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:subnet/subnet-0961df033653668b5 Subnet subnet-0961df033653668b5 is using 5 of 4096 (1%) available IPs.
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:subnet/subnet-06d29f1135051f2bc Subnet subnet-06d29f1135051f2bc is using 5 of 4096 (1%) available IPs.
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:subnet/subnet-014b0a4ac8701b21f Subnet subnet-014b0a4ac8701b21f is using 5 of 4096 (1%) available IPs.
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:subnet/subnet-0ab023ddc44ec48bf Subnet subnet-0ab023ddc44ec48bf is using 5 of 4096 (1%) available IPs.
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:subnet/subnet-0e3217ad2e05f871b Subnet subnet-0e3217ad2e05f871b is using 5 of 4096 (1%) available IPs.
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:subnet/subnet-023fe44b3231c8957 Subnet subnet-023fe44b3231c8957 is using 5 of 4096 (1%) available IPs.
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:subnet/subnet-044ff7f6d2283a084 Subnet subnet-044ff7f6d2283a084 is using 5 of 4096 (1%) available IPs.
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:subnet/subnet-0312a995d48d4e700 Subnet subnet-0312a995d48d4e700 is using 5 of 4096 (1%) available IPs.
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:subnet/subnet-04e1573553bfb72e3 Subnet subnet-04e1573553bfb72e3 is using 5 of 4096 (1%) available IPs.
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:subnet/subnet-02e12a84badf5299f Subnet subnet-02e12a84badf5299f is using 5 of 4096 (1%) available IPs.
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:subnet/subnet-02a418758c2c42a5f Subnet subnet-02a418758c2c42a5f is using 5 of 4096 (1%) available IPs.
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:subnet/subnet-067b47de750b8b644 Subnet subnet-067b47de750b8b644 is using 5 of 4096 (1%) available IPs.
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:subnet/subnet-05feb6266871b4675 Subnet subnet-05feb6266871b4675 is using 5 of 4096 (1%) available IPs.
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:subnet/subnet-02399809a6382b56d Subnet subnet-02399809a6382b56d is using 5 of 4096 (1%) available IPs.
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:subnet/subnet-0f84c166ccc0db45f Subnet subnet-0f84c166ccc0db45f is using 5 of 4096 (1%) available IPs.
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:subnet/subnet-080f510a7524813d8 Subnet subnet-080f510a7524813d8 is using 5 of 4096 (1%) available IPs.
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:subnet/subnet-03bfb532abde041c5 Subnet subnet-03bfb532abde041c5 is using 5 of 4096 (1%) available IPs.
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:subnet/subnet-0d2075fb36c202f61 Subnet subnet-0d2075fb36c202f61 is using 5 of 4096 (1%) available IPs.
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:subnet/subnet-03c4b12b54a770b0b Subnet subnet-03c4b12b54a770b0b is using 5 of 4096 (1%) available IPs.
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:subnet/subnet-05038cc40cd35b8df Subnet subnet-05038cc40cd35b8df is using 5 of 4096 (1%) available IPs.
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:subnet/subnet-02afc97d7216128af Subnet subnet-02afc97d7216128af is using 5 of 4096 (1%) available IPs.
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:subnet/subnet-0d3848165a38d1af3 Subnet subnet-0d3848165a38d1af3 is using 5 of 4096 (1%) available IPs.
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:subnet/subnet-021a96d5112e1d79b Subnet subnet-021a96d5112e1d79b is using 5 of 4096 (1%) available IPs.
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:subnet/subnet-07a0dd415c6839163 Subnet subnet-07a0dd415c6839163 is using 5 of 4096 (1%) available IPs.
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:subnet/subnet-0dde3ef370d3997f7 Subnet subnet-0dde3ef370d3997f7 is using 5 of 4096 (1%) available IPs.
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:subnet/subnet-0b3ce4e612ee12376 Subnet subnet-0b3ce4e612ee12376 is using 5 of 4096 (1%) available IPs.
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:subnet/subnet-090e1f95ff328dc1f Subnet subnet-090e1f95ff328dc1f is using 5 of 4096 (1%) available IPs.
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:subnet/subnet-001a282e5e5f8a00a Subnet subnet-001a282e5e5f8a00a is using 5 of 4096 (1%) available IPs.
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:subnet/subnet-0607800a95005dc33 Subnet subnet-0607800a95005dc33 is using 5 of 4096 (1%) available IPs.
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:subnet/subnet-006ca8371dba18eef Subnet subnet-006ca8371dba18eef is using 5 of 4096 (1%) available IPs.
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:subnet/subnet-0ef9e3cbbc5ee6c0a Subnet subnet-0ef9e3cbbc5ee6c0a is using 5 of 4096 (1%) available IPs.
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:subnet/subnet-085ffdeda8d0dd00a Subnet subnet-085ffdeda8d0dd00a is using 5 of 4096 (1%) available IPs.
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:subnet/subnet-07f12bdad47b4e2af Subnet subnet-07f12bdad47b4e2af is using 5 of 4096 (1%) available IPs.
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:subnet/subnet-38ce8d63 Subnet subnet-38ce8d63 is using 5 of 4096 (1%) available IPs.
Test Description Ensures the number of IAM admins in the account are minimized
Additional Info While at least two IAM admin users should be configured, the total number of admins should be kept to a minimum.
Recommended Action Keep two users with admin permissions but ensure other IAM users have more limited permissions.
WARN global There are fewer than the minimum 2 IAM user administrators
Additional Info SQS policies should be carefully restricted to prevent publishing or reading from the queue from unexpected sources. Queue policies can be used to limit these privileges.
Recommended Action Update the SQS policy to prevent access from external accounts.
Cloud Provider Link http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html
Additional Info Messages sent to SQS queues can be encrypted using KMS server-side encryption. Existing queues can be modified to add encryption with minimal overhead.
Recommended Action Enable encryption using KMS for all SQS queues.
Cloud Provider Link http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html
Additional Info All ELBs should have backend server resources. Those without any are consuming costs without providing any functionality. Additionally, old ELBs with no instances present a security concern if new instances are accidentally attached.
Recommended Action Delete old ELBs that no longer have backend resources.
Test Description Detects users with password logins that have not been used for a period of time and that should be decommissioned
Additional Info Having numerous, unused user accounts extends the attack surface. If users do not log into their accounts for more than the defined period of time, the account should be deleted.
Recommended Action Delete old user accounts that allow password-based logins and have not been used recently.
Cloud Provider Link http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html
Result Region Resource Message
PASS global arn:aws:iam::922503285322:user/cloud3 User password login was last used 0 days ago
Test Description Ensures managed NAT instances exist in at least 2 AZs for availability purposes
Additional Info Creating NAT instances in a single AZ creates a single point of failure for all systems in the VPC. All managed NAT instances should be created in multiple AZs to ensure proper failover.
PASS ap-southeast-1 No VPCs with NAT gateways found
S3 S3 Bucket Logging 0 0 3 0
Additional Info S3 bucket logging helps maintain an audit trail of access that can be used in the event of a security incident.
Test Description Determines whether the default VPC is being used for launching EC2 instances.
Additional Info The default VPC should not be used in order to avoid launching multiple services in the same network which may not require connectivity. Each application, or network tier, should use its own VPC.
Recommended Action Move resources from the default VPC to a new VPC created for that application or resource group.
Result Region Resource Message
FAIL us-east-1 Default VPC is in use: 6 EC2 instances; 0 ELBs; 0 Lambda functions; 0 RDS instances; 0 Redshift clusters
PASS eu-central-1 Default VPC is not in use
PASS ap-northeast-1 Default VPC is not in use
PASS ap-northeast-2 Default VPC is not in use
PASS ap-southeast-1 Default VPC is not in use
PASS ap-southeast-2 Default VPC is not in use
PASS ap-northeast-3 Default VPC is not in use
Test Description Determine if TCP port 1521 for Oracle is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Oracle should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:1521 open to 0.0.0.0/0 or ::0
Test Description Ensures S3 buckets do not allow global write, delete, or read ACL permissions
Additional Info S3 buckets can be configured to allow anyone, regardless of whether they are an AWS user or not, to write objects to a bucket or delete objects. This option should not be configured unless there is a strong business requirement.
Recommended Action Disable global all-users policies on all S3 buckets and ensure the bucket ACL is configured with least privilege.
PASS us-east-1 arn:aws:s3:::siscor-backups Bucket ACL does not contain any insecure allow statements
PASS us-east-1 arn:aws:s3:::siscor-trails Bucket ACL does not contain any insecure allow statements
PASS us-east-1 arn:aws:s3:::siscor-transfer Bucket ACL does not contain any insecure allow statements
KMS KMS Key Policy 18 0 0 0
Test Description Validates the KMS key policy to ensure least-privilege access.
Additional Info KMS key policies should be designed to limit the number of users who can perform encrypt and decrypt operations. Each application should use its own key to avoid over exposure.
Recommended Action Modify the KMS key policy to remove any wildcards and limit the number of users and roles that can perform encrypt and decrypt operations using the key.
PASS us-east-2 No KMS keys found
PASS us-west-1 No KMS keys found
PASS us-west-2 No KMS keys found
PASS ca-central-1 No KMS keys found
PASS eu-central-1 No KMS keys found
PASS eu-west-1 No KMS keys found
PASS eu-west-2 No KMS keys found
PASS eu-west-3 No KMS keys found
PASS eu-north-1 No KMS keys found
PASS sa-east-1 No KMS keys found
Test Description Checks AWS services to ensure the default KMS key is not being used
Additional Info It is recommended not to use the default key to avoid encrypting disparate sets of data with the same key. Each application should have its own customer-managed KMS key.
Test Description Ensures the total number of EC2 instances does not exceed a set threshold.
Additional Info The number of running EC2 instances should be carefully audited, especially in unused regions, to ensure only approved applications are consuming compute resources. Many compromised AWS accounts see large numbers of EC2 instances launched.
Recommended Action Ensure that the number of running EC2 instances matches the expected count. If instances are launched above the threshold, investigate to ensure they are legitimate.
PASS us-east-1 6 instances in the region are within the regional expected count of: 100
PASS global 6 instances in the account are within the global expected count of: 200
Additional Info With DNS validation, ACM will automatically renew certificates before they expire, as long as the DNS CNAME record is in place.
Cloud Provider Link https://aws.amazon.com/blogs/security/easier-certificate-validation-using-dns-with-aws-certificate-manager/
Test Description Determine if TCP port 9200 or 9300 for Elasticsearch is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Elasticsearch should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-015527859f4cb1ab4 Security group: sg-015527859f4cb1ab4 (launch-wizard-1) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:9200,9300 open to 0.0.0.0/0 or ::0
DynamoDB DynamoDB KMS Encryption 17 0 0 0
Test Description Ensures DynamoDB tables are encrypted using a customer-owned KMS key.
Recommended Action Create a new DynamoDB table using a CMK KMS key.
Test Description Ensures AWS Transfer servers have CloudWatch logging enabled.
Additional Info AWS Transfer servers can log activity to CloudWatch if a proper IAM service role is provided. This role should be configured for all servers to ensure proper access logging.
Recommended Action Provide a valid IAM service role for AWS Transfer servers.
Test Description Determine if TCP port 5601 for Kibana is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Kibana should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:5601 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP port 8020 for HDFS NameNode metadata service is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses.
Recommended Action Restrict TCP port 8020 to known IP addresses for Hadoop/HDFS
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:8020 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP ports 50070 and 50470 for the Hadoop/HDFS NameNode WebUI service are open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses.
Recommended Action Restrict TCP ports 50070 and 50470 to known IP addresses for Hadoop/HDFS
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:50070,50470 open to 0.0.0.0/0 or ::0
Additional Info Logging database-level events enables teams to analyze events for diagnostics as well as audit tracking for compliance purposes.
Additional Info The Lambda function execution policy should not allow public invocation of the function.
Recommended Action Update the Lambda policy to prevent access from the public.
Additional Info EFS offers data at rest encryption using keys managed through AWS Key Management Service (KMS).
Recommended Action Encryption of data at rest can only be enabled during file system creation. Encryption of data in transit is configured when mounting your file system. 1. Back up the data on the unencrypted EFS file system. 2. Recreate the EFS file system and select 'Enable encryption of data at rest'.
Test Description Ensures AWS Shield Advanced is set up and properly configured
Additional Info AWS Shield Advanced provides enhanced DDOS protection for all enrolled services within a subscribed account. Subscriptions should be active.
Additional Info AWS Shield Emergency contacts should be configured so that AWS can contact an account representative in the event of a DDOS event.
Recommended Action Configure emergency contacts within AWS Shield for the account.
Test Description Ensures AWS Shield Advanced is configured to protect account resources
Additional Info Once AWS Shield Advanced is enabled, it can be applied to resources within the account including ELBs and CloudFront.
Recommended Action Enable AWS Shield Advanced on resources within the account.
Test Description Ensures the latest version of Kubernetes is installed on EKS clusters
Additional Info EKS supports provisioning clusters from several versions of Kubernetes. Clusters should be kept up to date to ensure Kubernetes security patches are applied.
Recommended Action Upgrade the version of Kubernetes on all EKS clusters to the latest available version.
Test Description Ensures all EKS cluster logs are being sent to CloudWatch
Additional Info EKS supports routing of cluster event and audit logs to CloudWatch, including control plane logs. All logs should be sent to CloudWatch for security analysis.
Recommended Action Enable all EKS cluster logs to be sent to CloudWatch with proper log retention limits.
Test Description Ensures the private endpoint setting is enabled for EKS clusters
Additional Info EKS private endpoints can be used to route all traffic between the Kubernetes worker and control plane nodes over a private VPC endpoint rather than across the public internet.
Recommended Action Enable the private endpoint setting for all EKS clusters.
Test Description Ensures the EKS control plane only allows inbound traffic on port 443.
Additional Info The EKS control plane only requires port 443 access. Security groups for the control plane should not add additional port access.
Recommended Action Configure security groups for the EKS control plane to allow access only on port 443.
Test Description Ensures ECR repository policies do not enable global or public access to images
Additional Info ECR repository policies should limit access to images to known IAM entities and AWS accounts and avoid the use of account-level wildcards.
Recommended Action Update the repository policy to limit access to known IAM entities.
Test Description Ensures IAM role policies are properly scoped with specific permissions
Additional Info Policies attached to IAM roles should be scoped to least-privileged access and avoid the use of wildcards.
Recommended Action Ensure that all IAM roles are scoped to specific services and API calls.
PASS global arn:aws:iam::922503285322:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor Role does not have overly-permissive policy
S3 S3 Bucket Encryption 0 0 3 0
Test Description Ensures ElasticSearch domains are created with private VPC endpoint options
Additional Info ElasticSearch domains can either be created with a public endpoint or with a VPC configuration that enables internal VPC communication. Domains should be created without a public endpoint to prevent potential public access to the domain.
Recommended Action Configure the ElasticSearch domain to use a VPC endpoint for secure VPC communication.
Additional Info ElasticSearch domains should be encrypted to ensure data at rest is secured.
Cloud Provider Link https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html
Test Description Ensures ElasticSearch domain traffic is encrypted in transit between nodes
Additional Info ElasticSearch domains should use node-to-node encryption to ensure data in transit remains encrypted using TLS 1.2.
Recommended Action Ensure node-to-node encryption is enabled for all ElasticSearch domains.
Test Description Ensures ElasticSearch domains are configured to log data to CloudWatch
Additional Info ElasticSearch domains should be configured with logging enabled with logs sent to CloudWatch for analysis and long-term storage.
Recommended Action Ensure logging is enabled and a CloudWatch log group is specified for each ElasticSearch domain.
Cloud Provider Link https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-slow-logs
Test Description Ensures ElasticSearch domains are running the latest service software
Additional Info ElasticSearch domains should be configured to run the latest service software which often contains security updates.
Recommended Action Ensure each ElasticSearch domain is running the latest service software and update out-of-date domains.
Cloud Provider Link https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html
Test Description Ensures ElasticSearch domains are configured to enforce HTTPS connections
Additional Info ElasticSearch domains should be configured to enforce HTTPS connections for all clients to ensure encryption of data in transit.
Recommended Action Ensure HTTPS connections are enforced for all ElasticSearch domains.
Cloud Provider Link https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html
Test Description Ensures EC2 instance metadata is updated to require HttpTokens or disable HttpEndpoint
Additional Info The new EC2 metadata service prevents SSRF attack escalations from accessing the sensitive instance metadata endpoints.
Cloud Provider Link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#configuring-instance-metadata-service
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-065bb7e431488d139 Instance has instance metadata endpoint enabled and does not require HttpTokens
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-05cf4724e3a4599f0 Instance has instance metadata endpoint enabled and does not require HttpTokens
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-045076929c6d415ad Instance has instance metadata endpoint enabled and does not require HttpTokens
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-08f266f579dc814bc Instance has instance metadata endpoint enabled and does not require HttpTokens
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-006fe48adf55ff7ad Instance has instance metadata endpoint enabled and does not require HttpTokens
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-05e8cda4ca1cd3f78 Instance has instance metadata endpoint enabled and does not require HttpTokens
PASS ca-central-1 No instances found
PASS eu-central-1 No instances found
PASS ap-northeast-1 No instances found
PASS ap-northeast-2 No instances found
PASS ap-southeast-1 No instances found
PASS ap-southeast-2 No instances found
PASS ap-northeast-3 No instances found
Test Description Ensures S3 buckets are not configured with static website hosting
Additional Info S3 buckets should not be configured with static website hosting with public objects. Instead, a CloudFront distribution should be configured with an origin access identity.
Recommended Action Disable S3 bucket static website hosting in favor of CloudFront distributions.
PASS us-east-1 arn:aws:s3:::siscor-trails Bucket : siscor-trails does not have static website hosting enabled
PASS us-east-1 arn:aws:s3:::siscor-transfer Bucket : siscor-transfer does not have static website hosting enabled
Test Description Ensures SSM agents installed on Linux hosts are running the latest version
Additional Info SSM agent software provides sensitive access to servers and should be kept up-to-date.
Recommended Action Update the SSM agent on all Linux hosts to the latest version.
Cloud Provider Link https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-automatic-updates.html
Recommended Action Move resources from the default VPC to a new VPC created for that application or resource group.
FAIL ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:vpc/vpc-0e3a3e30aee7daf8a Default VPC present
FAIL ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:vpc/vpc-0e19b6b8f7dfe3c2a Default VPC present
Test Description Ensures S3 public access block is enabled on all buckets or for AWS account
Additional Info Blocking S3 public access at the account level or bucket level ensures objects are not accidentally exposed.
Recommended Action Enable the S3 public access block on all S3 buckets or for AWS account.
PASS us-east-1 arn:aws:s3:::siscor-backups S3 bucket has public access block fully enabled
PASS us-east-1 arn:aws:s3:::siscor-trails S3 bucket has public access block fully enabled
PASS us-east-1 arn:aws:s3:::siscor-transfer S3 bucket has public access block fully enabled
Additional Info GuardDuty provides threat intelligence by analyzing several AWS data sources for security risks and should be enabled in all accounts.
Recommended Action Update ECR registry configurations to ensure image tag mutability is set to immutable.
Additional Info Data sent through the data migration service is encrypted using KMS. Encryption is enabled by default, but it is recommended to use customer managed keys.
Recommended Action Enable encryption using KMS CMKs for all DMS replication instances.
Additional Info Logging requests to ELB endpoints is a helpful way of detecting and investigating potential attacks, malicious activity, or misuse of backend resources. Logs can be sent to S3 and processed for further analysis.
Cloud Provider Link http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
Test Description Ensures ELBs are configured to only accept connections on HTTPS ports.
Additional Info For maximum security, ELBs can be configured to only accept HTTPS connections. Standard HTTP connections will be blocked. This should only be done if the client application is configured to query HTTPS directly and not rely on a redirect from HTTP.
Cloud Provider Link http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-options.html
Additional Info All ELBs should have backend server resources. Those without any are consuming costs without providing any functionality. Additionally, old ELBs with no target groups present a security concern if new target groups are accidentally attached.
Recommended Action Delete old ELBs that no longer have backend resources.
Cloud Provider Link https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html
Test Description Ensure that all Application Load Balancers have WAF enabled.
Additional Info Enabling WAF allows control over requests to the load balancer, allowing or denying traffic based on rules in the Web ACL.
Recommended Action 1. Enter the WAF service. 2. Enter Web ACLs and filter by the region the Application Load Balancer is in. 3. If no Web ACL is found, create a new Web ACL in the region the ALB resides and, under "Resource type to associate with web ACL", select the Load Balancer.
Cloud Provider Link https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/
Result Region Resource Message
Test Description Determine if TCP ports 4505 or 4506 for the Salt master are open to the public
Additional Info Active exploitation of the Salt vulnerabilities CVE-2020-11651 and CVE-2020-11652 targets Salt instances exposed to the internet. These ports should be closed immediately.
Recommended Action Restrict TCP ports 4505 and 4506 to known IP addresses
Cloud Provider Link https://help.saltstack.com/hc/en-us/articles/360043056331-New-SaltStack-Release-Critical-Vulnerability
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-015527859f4cb1ab4 Security group: sg-015527859f4cb1ab4 (launch-wizard-1) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:4505,4506 open to 0.0.0.0/0 or ::0
Test Description Determine if Docker port 2375 or 2376 is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Docker should be restricted to known IP addresses.
Recommended Action Restrict TCP ports 2375 and 2376 to known IP addresses
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-015527859f4cb1ab4 Security group: sg-015527859f4cb1ab4 (launch-wizard-1) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:2375,2376 open to 0.0.0.0/0 or ::0
Additional Info ElasticSearch domains can allow access without IAM authentication by having a policy that does not specify the principal or has a wildcard principal.
Recommended Action Configure the ElasticSearch domain to have an access policy without a global principal or no principal.
Test Description Ensures Auto Minor Version Upgrade is enabled on RDS and DocumentDB databases
Additional Info RDS supports automatically upgrading the minor version of the database, which should be enabled to ensure security fixes are quickly deployed.
Recommended Action Enable automatic minor version upgrades on RDS and DocumentDB databases
Cloud Provider Link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html#USER_UpgradeDBInstance.Upgrading.AutoMinorVersionUpgrades
Test Description Ensures each Lambda function has a valid log group attached to it
Additional Info Every Lambda function created should automatically have a CloudWatch log group generated to handle its log streams.
Recommended Action Update the Lambda function permissions to allow CloudWatch logging.
Test Description Ensures security groups created by the EC2 launch wizard are not used
Additional Info The EC2 launch wizard frequently creates insecure security groups that are exposed publicly. These groups should not be used and custom security groups should be created instead.
Recommended Action Delete the launch wizard security group and replace it with a custom security group.
Cloud Provider Link https://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-sap-security-groups.html
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security Group default was not launched using EC2 launch wizard
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security Group default was not launched using EC2 launch wizard
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security Group default was not launched using EC2 launch wizard
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security Group default was not launched using EC2 launch wizard
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security Group default was not launched using EC2 launch wizard
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security Group default was not launched using EC2 launch wizard
Additional Info VPC PrivateLink endpoints should be configured to require acceptance so that access to the endpoint is controlled on a case-by-case basis.
Additional Info AutoScaling groups that are no longer in use should be deleted to prevent accidental use.
Test Description Ensures IAM roles that have not been used within the given time frame are deleted.
Additional Info IAM roles that have not been used for a long period may contain old access policies that could allow unintended access to resources if accidentally attached to new services. These roles should be deleted.
Recommended Action Delete IAM roles that have not been used within the expected time frame.
Cloud Provider Link https://aws.amazon.com/about-aws/whats-new/2019/11/identify-unused-iam-roles-easily-and-remove-them-confidently-by-using-the-last-used-timestamp/
PASS global arn:aws:iam::922503285322:role/CloudWatchAgentServerRole IAM role was last used 0 days ago in the us-east-1 region
Test Description Ensures the root user is not using x509 signing certificates
Additional Info AWS supports using x509 signing certificates for API access, but these should not be attached to the root user, which has full access to the account.
Recommended Action Delete the x509 certificates associated with the root account.
Cloud Provider Link https://docs.aws.amazon.com/whitepapers/latest/aws-overview-security-processes/x.509-certificates.html
PASS global arn:aws:iam::922503285322:root The root user does not use x509 signing certificates.
Test Description Ensures RDS SQL Servers do not allow outdated TLS certificate versions
Additional Info TLS 1.2 or higher should be used for all TLS connections to RDS. A parameter group can be used to enforce this connection type.
Recommended Action Create a parameter group that contains the TLS version restriction and limit access to TLS 1.2 or higher
Cloud Provider Link https://aws.amazon.com/about-aws/whats-new/2020/07/amazon-rds-for-sql-server-supports-disabling-old-versions-of-tls-and-ciphers/
Result Region Resource Message
Additional Info Notifications can be sent to an SNS endpoint when scaling actions occur, which should be set to ensure all scaling activity is recorded.
Test Description Ensures all Auto Scaling groups are referencing active load balancers.
Additional Info Each Auto Scaling group with a load balancer configured should reference an active ELB.
Recommended Action Ensure that the Auto Scaling group load balancer has not been deleted. If so, remove it from the ASG.
Test Description Ensures the Comprehend service is using encryption for all volumes storing data at rest.
Additional Info Comprehend supports using KMS keys to encrypt data at rest, which should be enabled.
PASS ap-northeast-1 No sentiment detection jobs found
Test Description Ensures the Comprehend service is using encryption for all result output.
Additional Info Comprehend supports using KMS keys to encrypt result output, which should be enabled.
Recommended Action Enable output result encryption for the Comprehend job
Test Description Ensures DynamoDB Cluster Accelerator DAX clusters have encryption enabled.
Additional Info DynamoDB Cluster Accelerator (DAX) clusters should have encryption at rest enabled to secure data from unauthorized access.
Cloud Provider Link https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html
Test Description Ensures EBS volumes are in use and attached to EC2 instances
Additional Info EBS volumes should be deleted if the parent instance has been deleted to prevent accidental exposure of data.
PASS ap-northeast-1 No EBS Volumes found
PASS ap-northeast-2 No EBS Volumes found
PASS ap-southeast-1 No EBS Volumes found
PASS ap-southeast-2 No EBS Volumes found
PASS ap-northeast-3 No EBS Volumes found
Test Description Ensures ElasticBeanstalk applications are configured to use managed updates.
Additional Info Environments for an application should be configured to allow platform managed updates.
Cloud Provider Link https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environment-platform-update-managed.html
PASS eu-north-1 No application environments found
PASS ap-northeast-1 No application environments found
Test Description Ensures that groups do not have any inline policies
Test Description Ensures all autoscaling groups with attached ELBs are operating in the same availability zone.
Additional Info To work properly and prevent orphaned instances, ELBs must be created in the same availability zones as the backend instances in the autoscaling group.
Recommended Action Update the ELB to use the same availability zones as the autoscaling group.
Test Description Ensures that there are no Amazon AutoScaling groups with suspended processes.
Additional Info AutoScaling groups should not have any suspended processes to avoid disrupting the AutoScaling workflow.
Recommended Action Update the AutoScaling group to resume the suspended processes.
Test Description Ensures that AWS CloudTrail S3 buckets use Object Lock for data protection and regulatory compliance.
Additional Info CloudTrail buckets should be configured to have object lock enabled. You can use it to prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely.
Recommended Action Edit trail to use a bucket with object locking enabled.
FAIL us-east-1 arn:aws:s3:::siscor-trails Object lock is not enabled for bucket: siscor-trails
Test Description Ensures all EIPs are allocated to a resource to avoid accidental usage or reuse and to save costs
Additional Info EIPs should be deleted if they are not in use to avoid extra charges.
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:eip/eipalloc-0821115729374c9d9 Elastic IP address eipalloc-0821115729374c9d9 is associated to a resource
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:eip/eipalloc-0c1ab71b12ecd2092 Elastic IP address eipalloc-0c1ab71b12ecd2092 is associated to a resource
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:eip/eipalloc-0c3df3f6731ad7226 Elastic IP address eipalloc-0c3df3f6731ad7226 is associated to a resource
PASS ca-central-1 No Elastic IP Addresses found
PASS eu-central-1 No Elastic IP Addresses found
PASS ap-northeast-1 No Elastic IP Addresses found
PASS ap-northeast-2 No Elastic IP Addresses found
PASS ap-southeast-1 No Elastic IP Addresses found
PASS ap-southeast-2 No Elastic IP Addresses found
PASS ap-northeast-3 No Elastic IP Addresses found
Test Description Ensures ELBv2 load balancers are configured with deletion protection.
Recommended Action Update ELBv2 load balancers to use deletion protection to prevent accidental deletion
Cloud Provider Link https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#deletion-protection
Recommended Action Update security configuration associated with EMR cluster to enable encryption in transit.
Test Description Ensures encryption at rest for local disks is enabled for EMR clusters
Additional Info EMR clusters should be configured to enable encryption at rest for local disks.
Recommended Action Update security configuration associated with EMR cluster to enable encryption at rest for local disks.
Test Description Ensures ElasticSearch domains are not publicly exposed to all AWS accounts
Additional Info ElasticSearch domains should not be publicly exposed to all AWS accounts.
Test Description Ensures that either MFA or external IDs are used to access AWS roles.
Additional Info IAM roles should be configured to require either a shared external ID or use an MFA device when assuming the role.
Recommended Action Update the IAM role to either require MFA or use an external ID.
PASS global arn:aws:iam::922503285322:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor IAM role does not contain cross-account statements
Test Description Ensure AWS S3 buckets enforce SSL to secure data in transit
Recommended Action Update S3 bucket policy to enforce SSL to secure data in transit.
FAIL us-east-1 arn:aws:s3:::siscor-backups No bucket policy found
FAIL us-east-1 arn:aws:s3:::siscor-transfer No bucket policy found
Test Description Ensures Amazon SNS topics are encrypted with KMS Customer Master Keys (CMKs).
Additional Info AWS SNS topics should be encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed keys in order to have more granular control over the SNS data-at-rest encryption and decryption process.
Recommended Action Update SNS topics to use Customer Master Keys (CMKs) for Server-Side Encryption.
PASS ap-northeast-1 No SNS topics found
PASS ap-northeast-2 No SNS topics found
PASS ap-southeast-1 No SNS topics found
PASS ap-southeast-2 No SNS topics found
PASS ap-northeast-3 No SNS topics found
Test Description Ensures all Auto Scaling groups have ELB health check active.
Additional Info Auto Scaling groups should have ELB health checks active to replace unhealthy instances in time.
Recommended Action Enable ELB health check for the Auto Scaling groups.
Test Description Ensures that Auto Scaling launch configurations are not utilizing missing security groups.
Additional Info Auto Scaling launch configuration should utilize an active security group to ensure safety of managed instances.
Recommended Action Ensure that the launch configuration security group has not been deleted. If so, remove it from launch configurations
Test Description Ensures EC2 security groups are configured to deny inbound traffic from RFC-1918 CIDRs
Additional Info RFC-1918 IP addresses are considered reserved private addresses and should not be used in security groups.
Recommended Action Modify the security group to deny private reserved addresses for inbound traffic
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-015527859f4cb1ab4 Security group "launch-wizard-1" is not configured to allow traffic from any reserved private addresses
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0b29b77965792ae5d Security group "SG-RemoteAccess" is not configured to allow traffic from any reserved private addresses
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group "SG-Linux" is not configured to allow traffic from any reserved private addresses
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0ea00fe2209686e28 Security group "Linux_Jumpbox" is not configured to allow traffic from any reserved private addresses
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group "launch-wizard-2" is not configured to allow traffic from any reserved private addresses
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group "default" is not configured to allow traffic from any reserved private addresses
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group "default" is not configured to allow traffic from any reserved private addresses
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group "default" is not configured to allow traffic from any reserved private addresses
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group "default" is not configured to allow traffic from any reserved private addresses
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group "default" is not configured to allow traffic from any reserved private addresses
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group "default" is not configured to allow traffic from any reserved private addresses
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group "default" is not configured to allow traffic from any reserved private addresses
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group "default" is not configured to allow traffic from any reserved private addresses
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group "default" is not configured to allow traffic from any reserved private addresses
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group "default" is not configured to allow traffic from any reserved private addresses
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group "default" is not configured to allow traffic from any reserved private addresses
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group "default" is not configured to allow traffic from any reserved private addresses
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group "default" is not configured to allow traffic from any reserved private addresses
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group "default" is not configured to allow traffic from any reserved private addresses
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group "default" is not configured to allow traffic from any reserved private addresses
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group "default" is not configured to allow traffic from any reserved private addresses
Test Description Ensures that EC2 instances do not have public IP address attached.
Additional Info EC2 instances should not have a public IP address attached in order to block public access to the instances.
Recommended Action Remove the public IP address from the EC2 instances to block public access to the instance
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:/instance/i-065bb7e431488d139 EC2 instance "i-065bb7e431488d139" has a public IP address attached
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:/instance/i-05cf4724e3a4599f0 EC2 instance "i-05cf4724e3a4599f0" has a public IP address attached
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:/instance/i-045076929c6d415ad EC2 instance "i-045076929c6d415ad" has a public IP address attached
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:/instance/i-08f266f579dc814bc EC2 instance "i-08f266f579dc814bc" has a public IP address attached
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:/instance/i-05e8cda4ca1cd3f78 EC2 instance "i-05e8cda4ca1cd3f78" has a public IP address attached
PASS ca-central-1 No EC2 instances found
PASS eu-central-1 No EC2 instances found
PASS ap-northeast-1 No EC2 instances found
PASS ap-northeast-2 No EC2 instances found
PASS ap-southeast-1 No EC2 instances found
PASS ap-southeast-2 No EC2 instances found
PASS ap-northeast-3 No EC2 instances found
Test Description Ensures AWS IAM users that are not authorized to edit IAM access policies are decommissioned.
Additional Info Only authorized IAM users should have permission to edit IAM access policies to prevent any unauthorized requests.
Recommended Action Update unauthorized IAM users to remove permissions to edit IAM access policies.
PASS global arn:aws:iam::922503285322:user/cloud3-sec IAM user "cloud3-sec" does not have edit access policies permission
PASS global arn:aws:iam::922503285322:user/userbackup IAM user "userbackup" does not have edit access policies permission
Test Description Ensures RDS instances are encrypted with KMS Customer Master Keys (CMKs).
Additional Info RDS instances should be encrypted with Customer Master Keys in order to have full control over data encryption and decryption.
Recommended Action RDS does not currently allow modifications to encryption after the instance has been launched, so a new instance will need to be created with KMS CMK encryption enabled.
Test Description Ensures RDS SQL Server instances have Transport Encryption enabled.
Additional Info Parameter group associated with the RDS instance should have transport encryption enabled to handle encryption and decryption
Recommended Action Update the parameter group associated with the RDS instance to have rds.force_ssl set to true
Test Description Ensures that Amazon SNS topics enforce Server-Side Encryption (SSE)
Additional Info SNS topics should enforce Server-Side Encryption (SSE) to secure data at rest. SSE protects the contents of messages in Amazon SNS topics using keys managed in AWS Key Management Service (AWS KMS).
Recommended Action Enable Server-Side Encryption to protect the content of SNS topic messages.
PASS us-west-1 No SNS topics found
PASS us-west-2 No SNS topics found
PASS ap-northeast-1 No SNS topics found
PASS ap-northeast-2 No SNS topics found
PASS ap-southeast-1 No SNS topics found
PASS ap-southeast-2 No SNS topics found
PASS ap-northeast-3 No SNS topics found
Test Description Ensures that SQS queues are not publicly accessible
Additional Info SQS queues should not be publicly accessible to prevent unauthorized actions.
Recommended Action Update the SQS queue policy to prevent public access.
Cloud Provider Link http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html
Test Description Ensures the SSM agent is configured to automatically update to new versions
Additional Info To ensure the latest version of the SSM agent is installed, it should be configured to consume automatic updates.
Recommended Action Update the SSM agent configuration for all managed instances to use automatic updates.
Cloud Provider Link https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-automatic-updates.html
Test Description Ensures Redshift clusters are encrypted using KMS customer master keys (CMKs)
Additional Info KMS CMKs should be used to encrypt Redshift clusters in order to have full control over data encryption and decryption.
Recommended Action Update Redshift clusters encryption configuration to use KMS CMKs instead of AWS managed keys.
Test Description Ensures AWS Redshift non-default parameter group associated with Redshift cluster require SSL connection.
Additional Info Redshift parameter group associated with Redshift cluster should be configured to require SSL to secure data in transit.
Recommended Action Update Redshift parameter groups to have require-ssl parameter set to true.
Cloud Provider Link https://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html
Test Description Ensures that API Gateway APIs are associated with a Web Application Firewall.
Additional Info API Gateway APIs should be associated with a Web Application Firewall to ensure API security.
Recommended Action Associate API Gateway API with Web Application Firewall
Cloud Provider Link https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html
Test Description Ensure Data events are included into Amazon CloudTrail trails configuration.
Additional Info AWS CloudTrail trails should be configured to enable Data Events in order to log S3 object-level API operations.
Cloud Provider Link https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
Test Description Ensures that Amazon CloudTrail trail log files are delivered to destination S3 bucket.
Additional Info Amazon CloudTrail trail logs should be delivered to destination S3 bucket to be used for security audits.
Recommended Action Modify CloudTrail trail configurations so that logs are being delivered
Test Description Ensures that AWS CloudTrail trails are not duplicating global services events in log files.
Additional Info Only one trail should have Include Global Services feature enabled to avoid duplication of global services events in log files.
Recommended Action Update CloudTrail trails to log global services events enabled for only one trail
PASS global CloudTrail global services event logs are not being duplicated
Test Description Ensure DLM is used to automate EBS volume snapshots management.
Additional Info Amazon Data Lifecycle Manager (DLM) service enables you to manage the lifecycle of EBS volume snapshots. Using DLM helps in enforcing regular backup schedule, retaining backups, deleting outdated EBS snapshots
Result Region Resource Message
PASS ca-central-1 No EBS volumes found
PASS eu-central-1 No EBS volumes found
PASS ap-northeast-1 No EBS volumes found
PASS ap-northeast-2 No EBS volumes found
PASS ap-southeast-1 No EBS volumes found
PASS ap-southeast-2 No EBS volumes found
PASS ap-northeast-3 No EBS volumes found
Test Description Ensure that EBS volume snapshots are deleted after defined time period.
Additional Info EBS volume snapshots older than indicated should be deleted after defined time period for cost optimization.
Recommended Action Delete the EBS snapshots past their defined expiration date
Test Description Ensure Amazon VPC endpoints are not publicly exposed.
Additional Info VPC endpoints should not be publicly accessible in order to avoid any unsigned requests made to the services inside VPC.
Recommended Action Update VPC endpoint access policy in order to stop any unsigned requests
Test Description Ensures that unused AWS Elastic Network Interfaces (ENIs) are removed.
Additional Info Unused AWS ENIs should be removed to follow best practices and to avoid reaching the service limit.
PASS ca-central-1 No AWS ENIs found
PASS eu-central-1 No AWS ENIs found
PASS ap-northeast-1 No AWS ENIs found
PASS ap-northeast-2 No AWS ENIs found
PASS ap-southeast-1 No AWS ENIs found
PASS ap-southeast-2 No AWS ENIs found
PASS ap-northeast-3 No AWS ENIs found
Test Description Ensures that all Amazon Machine Images are in use to ensure cost optimization.
Additional Info All unused/deregistered Amazon Machine Images should be deleted to avoid extraneous cost.
Test Description Ensures that unused VPC Internet Gateways and Egress-Only Internet Gateways are removed.
Additional Info Unused VPC Internet Gateways and Egress-Only Internet Gateways must be removed to avoid reaching the internet gateway limit.
Recommended Action Remove the unused/detached Internet Gateways and Egress-Only Internet Gateways
PASS ap-northeast-1 arn:aws:vpc:ap-northeast-1:922503285322:internet-gateway/igw-02feaf092bca87cfe Internet Gateway "igw-02feaf092bca87cfe" is in use
PASS ap-northeast-1 No Egress-Only Internet Gateways found
PASS ap-northeast-2 arn:aws:vpc:ap-northeast-2:922503285322:internet-gateway/igw-002d64d652f4ab249 Internet Gateway "igw-002d64d652f4ab249" is in use
PASS ap-northeast-2 No Egress-Only Internet Gateways found
PASS ap-southeast-1 No Egress-Only Internet Gateways found
PASS ap-southeast-2 arn:aws:vpc:ap-southeast-2:922503285322:internet-gateway/igw-065419b60cd4f20bb Internet Gateway "igw-065419b60cd4f20bb" is in use
PASS ap-southeast-2 No Egress-Only Internet Gateways found
PASS ap-northeast-3 arn:aws:vpc:ap-northeast-3:922503285322:internet-gateway/igw-0b97885578518f3b8 Internet Gateway "igw-0b97885578518f3b8" is in use
PASS ap-northeast-3 No Egress-Only Internet Gateways found
Test Description Ensure AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA).
Additional Info VPCs should use highly available Managed NAT Gateways in order to enable EC2 instances to connect to the internet or with other AWS components.
Recommended Action Update VPCs to use Managed NAT Gateways instead of NAT instances
Cloud Provider Link https://aws.amazon.com/blogs/aws/new-managed-nat-network-address-translation-gateway-for-aws/
FAIL ap-northeast-1 arn:aws:vpc:ap-northeast-1:922503285322:/vpc/vpc-030dd710cab63ff8d VPC "vpc-030dd710cab63ff8d" is not using managed NAT Gateway
FAIL ap-northeast-2 arn:aws:vpc:ap-northeast-2:922503285322:/vpc/vpc-0e3a3e30aee7daf8a VPC "vpc-0e3a3e30aee7daf8a" is not using managed NAT Gateway
FAIL ap-southeast-1 arn:aws:vpc:ap-southeast-1:922503285322:/vpc/vpc-0e19b6b8f7dfe3c2a VPC "vpc-0e19b6b8f7dfe3c2a" is not using managed NAT Gateway
FAIL ap-southeast-2 arn:aws:vpc:ap-southeast-2:922503285322:/vpc/vpc-01606d90294e3ddf2 VPC "vpc-01606d90294e3ddf2" is not using managed NAT Gateway
FAIL ap-northeast-3 arn:aws:vpc:ap-northeast-3:922503285322:/vpc/vpc-0d6c6d69eecdef2fd VPC "vpc-0d6c6d69eecdef2fd" is not using managed NAT Gateway
Test Description Ensures that unused Virtual Private Gateways (VGWs) are removed.
Additional Info Unused VGWs should be removed to follow best practices and to avoid reaching the service limit.
Test Description Ensure EFS file systems are encrypted using Customer Master Keys (CMKs).
Additional Info EFS file systems should use KMS Customer Master Keys (CMKs) instead of AWS managed keys for encryption in order to have full control over data encryption and decryption.
Recommended Action Encryption at rest key can only be configured during file system creation. Encryption of data in transit is configured when mounting your file system. 1. Backup your data in not encrypted efs 2. Recreate the EFS and use KMS CMK for encryption of data at rest.
Test Description Ensures that there is a minimum number of two healthy target instances associated with each AWS ELBv2 load balancer.
Additional Info There should be a minimum number of two healthy target instances associated with each AWS ELBv2 load balancer to ensure fault tolerance.
Recommended Action Associate at least two healthy target instances to AWS ELBv2 load balancer
Cloud Provider Link https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html
Test Description Ensures that AWS Network Load Balancers have secured listener configured.
Additional Info AWS Network Load Balancer should have TLS protocol listener configured to terminate TLS traffic.
Test Description Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3.
Additional Info EMR cluster logging should be enabled to save log files for troubleshooting purposes.
Test Description Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes.
Additional Info Redshift clusters should be configured to enable audit logging to log cluster usage information.
Test Description Ensure that version upgrade is enabled for Redshift clusters to automatically receive upgrades during the maintenance window.
Additional Info Redshift clusters should be configured to allow version upgrades to get the newest features, bug fixes or the latest security patches released.
Test Description Ensure that user activity logging is enabled for your Amazon Redshift clusters.
Additional Info Redshift clusters associated parameter groups should have user activity logging enabled in order to log user activities performed.
Recommended Action Update Redshift parameter groups to enable user activity logging
Test Description Ensures that Amazon API Gateway APIs have certificates with expiration date more than the rotation limit.
Additional Info API Gateway APIs should have certificates with long term expiry date to avoid API insecurity after certificate expiration.
Cloud Provider Link https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Test Description Ensures that Amazon API Gateway APIs are only accessible through private endpoints.
Additional Info API Gateway APIs should be only accessible through private endpoints to ensure API security.
Test Description Ensures that Amazon API Gateway APIs have content encoding enabled.
Additional Info API Gateway API should have content encoding enabled to enable compression of response payload.
Recommended Action Enable content encoding and set minimum compression size of API Gateway API response
Cloud Provider Link https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-gzip-compression-decompression.html
Test Description Ensures that Amazon API Gateway API stages have tracing enabled for AWS X-Ray.
Additional Info API Gateway API stages should have tracing enabled to send traces to AWS X-Ray for enhanced distributed tracing.
Test Description Ensures that API Gateway API stages have detailed CloudWatch metrics enabled.
Additional Info API Gateway API stages should have detailed CloudWatch metrics enabled to monitor logs and events.
Recommended Action Add CloudWatch role ARN to API settings and enable detailed metrics for each stage
Test Description Ensures that Amazon API Gateway API stages use client certificates.
Additional Info API Gateway API stages should use client certificates to ensure API security authorization.
Cloud Provider Link https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Test Description Ensures that Amazon DynamoDB tables have continuous backups enabled.
Additional Info DynamoDB tables should have Continuous Backups and Point-In-Time Recovery (PITR) features enabled to protect DynamoDB data against accidental data writes.
Recommended Action Enable Continuous Backups and Point-In-Time Recovery (PITR) features.
Cloud Provider Link https://aws.amazon.com/blogs/aws/new-amazon-dynamodb-continuous-backups-and-point-in-time-recovery-pitr/
Test Description Ensures that Amazon VPC endpoints do not allow unknown cross account access.
Additional Info VPC endpoints should not allow unknown cross account access to avoid any unsigned requests made to the services inside VPC.
Recommended Action Update VPC endpoint access policy in order to remove untrusted cross account access
Test Description Ensures that VPC peering communication is only between AWS accounts, members of the same AWS Organization.
Additional Info VPC peering communication should be only between AWS accounts to keep organization resources private and isolated.
Recommended Action Update VPC peering connections to allow connections to AWS Accounts, members of the same organization
Additional Info All subnets should have instances associated and unused subnets should be removed to avoid reaching the limit.
Recommended Action Update VPC subnets and attach instances to it or remove the unused VPC subnets
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:subnet/subnet-15e0e958 Subnet has 1 instances attached
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:subnet/subnet-484b322e Subnet has 1 instances attached
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:subnet/subnet-96b3c9c9 Subnet has 2 instances attached
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:subnet/subnet-2c07400d Subnet has 2 instances attached
FAIL ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:subnet/subnet-0f84c166ccc0db45f Subnet does not have any instance attached
FAIL ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:subnet/subnet-080f510a7524813d8 Subnet does not have any instance attached
FAIL ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:subnet/subnet-03bfb532abde041c5 Subnet does not have any instance attached
FAIL ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:subnet/subnet-0d2075fb36c202f61 Subnet does not have any instance attached
FAIL ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:subnet/subnet-03c4b12b54a770b0b Subnet does not have any instance attached
FAIL ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:subnet/subnet-05038cc40cd35b8df Subnet does not have any instance attached
FAIL ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:subnet/subnet-02afc97d7216128af Subnet does not have any instance attached
FAIL ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:subnet/subnet-0d3848165a38d1af3 Subnet does not have any instance attached
FAIL ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:subnet/subnet-021a96d5112e1d79b Subnet does not have any instance attached
FAIL ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:subnet/subnet-07a0dd415c6839163 Subnet does not have any instance attached
FAIL ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:subnet/subnet-0dde3ef370d3997f7 Subnet does not have any instance attached
FAIL ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:subnet/subnet-0b3ce4e612ee12376 Subnet does not have any instance attached
FAIL ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:subnet/subnet-090e1f95ff328dc1f Subnet does not have any instance attached
FAIL ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:subnet/subnet-001a282e5e5f8a00a Subnet does not have any instance attached
FAIL ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:subnet/subnet-0607800a95005dc33 Subnet does not have any instance attached
FAIL ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:subnet/subnet-006ca8371dba18eef Subnet does not have any instance attached
Test Description Ensures that no Amazon Network ACL allows outbound/egress traffic to all ports.
Additional Info Amazon Network ACL should not allow outbound/egress traffic to all ports to avoid unauthorized access at the subnet level.
Recommended Action Update Network ACL to allow outbound/egress traffic to specific port ranges only
FAIL ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:network-acl/acl-003f4e69722f9cf0d Network ACL "acl-003f4e69722f9cf0d" allows unrestricted access
FAIL ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:network-acl/acl-0ed7fcbb6dbada4b9 Network ACL "acl-0ed7fcbb6dbada4b9" allows unrestricted access
FAIL ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:network-acl/acl-0792f69e88328ba37 Network ACL "acl-0792f69e88328ba37" allows unrestricted access
FAIL ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:network-acl/acl-093350ee90e5d88a4 Network ACL "acl-093350ee90e5d88a4" allows unrestricted access
Test Description Ensures EKS clusters are configured to enable envelope encryption of Kubernetes secrets using KMS.
Additional Info Amazon EKS clusters should be configured to enable envelope encryption for Kubernetes secrets to adhere to security best practice for applications that store sensitive data.
Recommended Action Modify EKS clusters to enable envelope encryption for Kubernetes secrets
Cloud Provider Link https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
Test Description Ensure IAM Master and IAM Manager roles are active within your AWS account.
Additional Info IAM roles should be split into IAM Master and IAM Manager roles to work in two-person rule manner for best practices.
Recommended Action Create the IAM Master and IAM Manager roles for an efficient IAM administration and permission management within your AWS account
Test Description Ensures that only trusted cross-account IAM roles can be used.
Additional Info IAM roles should be configured to allow access to trusted account IDs.
Recommended Action Delete the IAM roles that are associated with untrusted account IDs.
Cloud Provider Link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html
PASS global arn:aws:iam::922503285322:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport IAM Role "AWSServiceRoleForSupport" does not contain cross-account statements
PASS global arn:aws:iam::922503285322:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor IAM Role "AWSServiceRoleForTrustedAdvisor" does not contain cross-account statements
Test Description Ensures S3 bucket is origin to only one distribution and allows only that distribution.
Additional Info Access to CloudFront origins should only happen via CloudFront URL and not from S3 URL or any source in order to restrict access to private data.
Recommended Action Review the access policy for S3 bucket which is an origin to a CloudFront distribution. Make sure the S3 bucket is origin to only one distribution. Modify the S3 bucket access policy to allow CloudFront OAI for only the associated CloudFront distribution and restrict access from any other source.
Cloud Provider Link https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
Test Description Ensures that S3 buckets have transfer acceleration enabled to increase the speed of data transfers.
Additional Info S3 buckets should have transfer acceleration enabled to increase the speed of data transfers in and out of Amazon S3 using AWS edge network.
FAIL us-east-1 arn:aws:s3:::siscor-trails S3 bucket siscor-trails does not have transfer acceleration enabled
Test Description Ensures that S3 buckets have DNS-compliant bucket names.
Additional Info S3 bucket names must be DNS-compliant and not contain period "." to enable S3 Transfer Acceleration and to use buckets over SSL.
Recommended Action Recreate S3 bucket to use "-" instead of "." in S3 bucket names.
PASS us-east-1 arn:aws:s3:::siscor-backups S3 bucket name is compliant with DNS naming requirements
PASS us-east-1 arn:aws:s3:::siscor-trails S3 bucket name is compliant with DNS naming requirements
PASS us-east-1 arn:aws:s3:::siscor-transfer S3 bucket name is compliant with DNS naming requirements
Test Description Ensures that each Amazon SQS queue has Dead Letter Queue configured.
Additional Info Amazon SQS queues should have dead letter queue configured to avoid data loss for unprocessed messages.
Recommended Action Update Amazon SQS queue and configure dead letter queue.
Cloud Provider Link https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html
Test Description Ensures that Amazon SQS queue has not reached unprocessed messages limit.
Additional Info Amazon SQS queues should have unprocessed messages less than the limit to be highly available and responsive.
Recommended Action Set up appropriate message polling time and set up dead letter queue for Amazon SQS queue to handle messages in time
Cloud Provider Link https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/working-with-messages.html
Test Description Ensures no Lambda function available in your AWS account has admin privileges.
Additional Info AWS Lambda Function should have most-restrictive IAM permissions for Lambda security best practices.
Recommended Action Modify IAM role attached with Lambda function to provide the minimal amount of access required to perform its tasks
Cloud Provider Link https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html
Test Description Ensures AWS Lambda functions have active tracing for X-Ray.
Additional Info AWS Lambda functions should have active tracing in order to gain visibility into the functions execution and performance.
Recommended Action Modify Lambda functions to activate tracing
Test Description Ensures that the CloudWatch Log retention period is set above a specified length of time.
Additional Info Retention settings can be used to specify how long log events are kept in CloudWatch Logs. Expired log events get deleted automatically.
Recommended Action Ensure CloudWatch logs are retained for at least 90 days.
Cloud Provider Link https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html
UNKN eu-south-1 Unable to query CloudWatch Logs log groups: Unable to obtain data
UNKN ap-east-1 Unable to query CloudWatch Logs log groups: Unable to obtain data
UNKN me-south-1 Unable to query CloudWatch Logs log groups: Unable to obtain data
UNKN af-south-1 Unable to query CloudWatch Logs log groups: Unable to obtain data
UNKN ap-southeast-3 Unable to query CloudWatch Logs log groups: Unable to obtain data
Test Description Ensures that Amazon Redshift clusters are launched within a Virtual Private Cloud (VPC).
Additional Info Amazon Redshift clusters should be launched within a Virtual Private Cloud (VPC) to ensure cluster security.
Test Description Ensures that Amazon Redshift clusters are not using port "5439" (default port) for database access.
Additional Info Amazon Redshift clusters should not use the default port for database access to ensure cluster security.
Test Description Ensures that Amazon Redshift clusters are not using "awsuser" (default master username) for database access.
Additional Info Amazon Redshift clusters should not use default master username for database access to ensure cluster security.
Test Description Ensures that retention period is set for Amazon Redshift automated snapshots.
Additional Info Amazon Redshift clusters should have retention period set for automated snapshots for data protection and to avoid unexpected failures.
Recommended Action Modify Amazon Redshift cluster to set snapshot retention period
Test Description Ensures that each AWS region has not reached the limit set for the number of Redshift cluster nodes.
Additional Info The number of provisioned Amazon Redshift cluster nodes must be less than the provided nodes limit to avoid reaching the limit and exceeding the set budget.
Cloud Provider Link https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#working-with-clusters-overview
Test Description Ensures that Amazon Redshift Reserved Nodes are being utilized.
Additional Info Amazon Redshift reserved nodes must be utilized to avoid unnecessary billing.
Recommended Action Provision new Redshift clusters matching the criteria of reserved nodes
Additional Info AWS WorkSpaces should have volume encryption enabled in order to protect data from unauthorized access.
Additional Info Checking the existence of IP Access control on Workspaces and ensuring that no Workspaces are open
Cloud Provider Link https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-ip-access-control-groups.html
Test Description Ensures that AWS CloudFormation stacks are not in a drifted state.
Additional Info AWS CloudFormation stack should not be in drifted state to ensure that stack template is aligned with the resources.
Recommended Action Resolve CloudFormation stack drift by importing drifted resource back to the stack.
Cloud Provider Link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-resolve-drift.html
Test Description Ensures that Amazon API Gateway API stages have Amazon CloudWatch Logs enabled.
Additional Info API Gateway API stages should have Amazon CloudWatch Logs enabled to help debug issues related to request execution or client access to your API.
Recommended Action Modify API Gateway API stages to enable CloudWatch Logs
Test Description Ensures that AWS CloudTrail trails are configured to log management events.
Additional Info AWS CloudTrail trails should be configured to log management events to record management operations that are performed on resources in your AWS account.
Cloud Provider Link https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html
Test Description Ensures that AWS ELBs have cross-zone load balancing enabled.
AWS ELBs should have cross-zone load balancing enabled to distribute the traffic evenly
Additional Info
across the registered instances in all enabled Availability Zones.
Recommended Action Update AWS ELB to enable cross zone load balancing
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-
Cloud Provider Link
lb.html
Test Description Ensures that HTTP/HTTPS applications are using Application Load Balancer instead of Classic Load Balancer.
Additional Info HTTP/HTTPS applications should use Application Load Balancer instead of Classic Load Balancer for cost and web traffic distribution optimization.
Recommended Action Detach Classic Load Balancer from HTTP/HTTPS applications and attach Application Load Balancer to those applications
Test Description Ensures that AWS ELBs have connection draining enabled.
Additional Info Connection draining should be used to ensure that a Classic Load Balancer stops sending requests to instances that are de-registering or unhealthy, while keeping the existing connections open.
Test Description Ensures that AWS ELBv2 target groups have deregistration delay configured.
Additional Info AWS ELBv2 target groups should have deregistration delay configured to help in-flight requests to the target to complete.
Recommended Action Update ELBv2 target group attributes and set the deregistration delay value
Cloud Provider Link https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#deregistration-delay
PASS eu-west-3 No Application/Network load balancer target groups found
PASS eu-north-1 No Application/Network load balancer target groups found
Test Description Ensures IAM Database Authentication is enabled for RDS database instances to manage database access
Additional Info AWS Identity and Access Management (IAM) can be used to authenticate to your RDS DB instances.
Recommended Action Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.
Test Description Ensures deletion protection is enabled for RDS database instances.
Additional Info Deletion protection prevents Amazon RDS instances from being deleted accidentally by any user.
Cloud Provider Link https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/
Additional Info EBS volumes should have backups in the form of snapshots.
Cloud Provider Link https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/new-ebs-volume-backups.html
PASS ap-northeast-1 No EBS Volumes found
PASS ap-northeast-2 No EBS Volumes found
PASS ap-southeast-1 No EBS Volumes found
PASS ap-southeast-2 No EBS Volumes found
PASS ap-northeast-3 No EBS Volumes found
Test Description Ensure that Load Balancers have an SSL certificate configured for SSL termination.
Additional Info SSL termination or SSL offloading decrypts and verifies data on the load balancer instead of the application server, which spares the server from having to handle incoming connections and lets it prioritize other tasks like loading web pages. This helps increase server speed.
Recommended Action Attach SSL certificate with the listener to AWS Elastic Load Balancer
Test Description Ensure that IAM Access analyzer is enabled for all regions.
Additional Info Access Analyzer allows you to determine whether an unintended user is granted access, making it easier for administrators to monitor least-privilege access. It analyzes only policies that are applied to resources in the same AWS region.
Additional Info Deprecated Amazon Machine Images should not be used to make an instance.
Additional Info Allowing unrestricted access to ES clusters will cause data leaks and data loss. This can be prevented by restricting access only to trusted entities by implementing the appropriate access policies.
Recommended Action Restrict the access to ES clusters to allow only trusted accounts.
Cloud Provider Link http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-gsg-configure-access.html
Test Description Ensure that ElasticSearch clusters are healthy, i.e. status is green.
Additional Info Unhealthy Amazon ES clusters with the status set to "Red" are a critical risk to the availability of ElasticSearch applications.
Recommended Action Configure alarms to send notification if cluster status remains red for more than a minute.
Cloud Provider Link https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/cloudwatch-alarms.html
Test Description Ensure that Amazon Elasticsearch domains are using dedicated master nodes.
Additional Info Using Elasticsearch dedicated master nodes to separate management tasks from index and search requests will improve the cluster's ability to manage different types of workload easily and make it more resilient in production.
Cloud Provider Link http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html
Test Description Ensure ElasticSearch domain is using the latest security policy to only allow TLS v1.2
Additional Info ElasticSearch domains should be configured to enforce TLS version 1.2 for all clients to ensure encryption of data in transit with updated features.
Recommended Action Update elasticsearch domain to set TLSSecurityPolicy to contain TLS version 1.2.
Cloud Provider Link https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/infrastructure-security.html
Test Description Ensure that AWS ElasticSearch domains have encryption enabled.
Additional Info ElasticSearch domains should be encrypted to ensure that data is secured.
Cloud Provider Link https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html
Test Description Ensure that EventBridge event bus is configured to allow access to whitelisted AWS account principals.
Additional Info EventBridge event bus policy should be configured to allow access only to whitelisted/trusted cross-account principals.
Recommended Action Configure EventBridge event bus policies that allow access to whitelisted/trusted cross-account principals.
Test Description Ensures that an IAM role, group or user exists with specific permissions to access support center.
Additional Info AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. An IAM Role should be present to allow authorized users to manage incidents with AWS Support.
Recommended Action Ensure that an IAM role has permission to access support center.
Test Description Ensure that IAM user accounts are not being actively used.
Additional Info IAM users, roles, and groups should not be used for day-to-day account management.
Recommended Action Delete IAM user accounts which are being actively used.
FAIL global arn:aws:iam::922503285322:user/cloud3 IAM user was last used 0 days ago
FAIL global arn:aws:iam::922503285322:user/cloud3-sec IAM user was last used 0 days ago
FAIL global arn:aws:iam::922503285322:user/userbackup IAM user was last used 1 days ago
Route53 Domain Privacy Protection
1 0 0 0
Test Description Ensure that Privacy Protection feature is enabled for your Amazon Route 53 domains.
Additional Info Enabling the Privacy Protection feature protects against receiving spam and against sharing contact information in response to WHOIS queries.
Test Description Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain.
Additional Info The Sender Policy Framework enables an AWS Route 53 registered domain to publicly state the mail servers that are authorized to send emails on its behalf.
Test Description Ensure that Route 53 hosted zones have a DNS record containing Sender Policy Framework (SPF) value set for each MX record available.
Additional Info The SPF record enables Route 53 registered domains to publicly state the mail servers that are authorized to send emails on their behalf.
Test Description Ensure that AWS Transfer for SFTP server endpoints are configured to use VPC endpoints powered by AWS PrivateLink.
Additional Info PrivateLink provides secure and private connectivity between VPCs and other AWS resources using a dedicated network.
Recommended Action Configure the SFTP server endpoints to use endpoints powered by PrivateLink.
Test Description Ensure that S3 Glacier Vault public access block is enabled for the account.
Additional Info Blocking S3 Glacier Vault public access at the account level ensures objects are not accidentally exposed.
Recommended Action Add access policy for the S3 Glacier Vault to block public access for the AWS account.
Test Description Ensure that at least one IAM user exists so that access to your AWS services and resources is made only through IAM users instead of the root account.
Additional Info To protect your AWS root account and adhere to IAM security best practices, create individual IAM users to access your AWS environment.
Recommended Action Create IAM user(s) and use them to access AWS services and resources.
Test Description Ensure that SSM service has block public sharing setting enabled.
Additional Info Public documents can be viewed by all AWS accounts. To prevent unwanted access to your documents, turn on the block public access sharing setting.
Recommended Action Enable block public sharing setting under SSM documents preferences.
MQ MQ Deployment Mode
17 0 0 0
Test Description Ensure that for high availability, your AWS MQ brokers are using the active/standby deployment mode instead of single-instance
Additional Info With the active/standby deployment mode as opposed to the single-broker mode (enabled by default), you can achieve high availability for your Amazon MQ brokers, as the service provides protection against broker failure.
Cloud Provider Link https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/active-standby-broker-deployment.html
Test Description Ensure that Amazon MQ brokers have the Auto Minor Version Upgrade feature enabled.
Additional Info As AWS MQ deprecates minor engine versions periodically and provides new versions for upgrade, it is highly recommended that the Auto Minor Version Upgrade feature is enabled to apply the latest upgrades.
Recommended Action Enable Auto Minor Version Upgrade feature for MQ brokers
Test Description Ensure that Amazon MQ brokers have the Log Exports feature enabled.
Additional Info Amazon MQ integrates with AWS CloudWatch Logs, a service for storing, accessing and monitoring your log files from different sources within your AWS account.
Cloud Provider Link https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security-logging-monitoring.html
Test Description Ensure that there are no unused AWS WorkSpaces instances available within your AWS account.
PASS ap-southeast-1 No WorkSpaces instance connection status found
Test Description Ensure that the images in ECR repository are encrypted using desired encryption level.
Additional Info By default, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES-256 encryption algorithm. Use customer-managed keys instead, in order to gain more granular control over the encryption/decryption process.
Test Description Ensure that the Kendra index is encrypted using desired encryption level.
Additional Info Amazon Kendra encrypts your data at rest with AWS-managed keys by default. Use customer-managed keys instead in order to gain more granular control over the encryption/decryption process.
Result Region Resource Message
UNKN ap-southeast-1 Unable to query Kendra Indices: User: arn:aws:sts::922503285322:assumed-role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kendra:ListIndices
UNKN ap-southeast-2 Unable to query Kendra Indices: User: arn:aws:sts::922503285322:assumed-role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: kendra:ListIndices
Test Description Ensure that AWS Proton environment template is encrypted with desired level.
Additional Info AWS Proton encrypts sensitive data in your template bundles at rest in the S3 bucket where you store your template bundles using AWS-managed keys. Use customer-managed keys (CMKs) in order to meet regulatory compliance requirements within your organization.
Recommended Action Create Proton environment template with customer-managed keys (CMKs)
Result Region Resource Message
Test Description Ensure that your AWS ElastiCache Redis clusters have encryption in-transit enabled.
Additional Info Amazon ElastiCache in-transit encryption is an optional feature that allows you to increase the security of your data at its most vulnerable points—when it is in transit from one location to another.
Test Description Ensure that S3 buckets having versioning enabled also have a lifecycle policy configured for non-current objects.
Recommended Action Configure lifecycle rules for buckets which have versioning enabled
Cloud Provider Link https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-set-lifecycle-configuration-intro.html
Test Description Ensure that Amazon SES email messages are encrypted before delivering them to specified buckets.
Additional Info Amazon SES email messages should be encrypted in case they are being delivered to an S3 bucket, to meet regulatory compliance requirements within your organization.
Recommended Action Enable encryption for SES email messages if they are being delivered to S3 in the active rule set.
Result Region Resource Message
Test Description Ensure that AWS QLDB ledger is encrypted using desired encryption level
Additional Info QLDB encryption at rest provides enhanced security by encrypting all ledger data at rest using encryption keys in AWS Key Management Service (AWS KMS). Use customer-managed keys (CMKs) instead in order to gain more granular control over the encryption/decryption process.
Result Region Resource Message
Additional Info Amazon MWAA encrypts data saved to persistent media with AWS-managed keys by default. Use customer-managed keys instead in order to gain more granular control over the encryption/decryption process.
Result Region Resource Message
Test Description Ensure that your AWS Neptune database instances are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed-keys.
MQ MQ Broker Encrypted
17 0 0 0
Test Description Ensure that Amazon MQ brokers have the data encrypted at-rest feature enabled.
Additional Info Amazon MQ encryption at rest provides enhanced security by encrypting your data using encryption keys stored in the AWS Key Management Service (KMS).
Cloud Provider Link https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/data-protection.html#data-protection-encryption-at-rest
Test Description Ensure that AWS Connect Customer Profiles domains are using desired encryption level.
Additional Info A Customer Profiles domain is a container for all data, such as customer profiles, object types, profile keys, and encryption keys. To encrypt this data, use a KMS key with the desired encryption level to meet regulatory compliance requirements within your organization.
Recommended Action Enable data encryption feature for Connect Customer Profiles
Result Region Resource Message
Test Description Ensure that the CloudWatch Log groups are encrypted using desired encryption level.
Additional Info Log group data is always encrypted in CloudWatch Logs. You can optionally use AWS Key Management Service for this encryption. After you associate a customer managed key with a log group, all newly ingested data for the log group is encrypted using this key. This data is stored in encrypted format throughout its retention period. CloudWatch Logs decrypts this data whenever it is requested.
Recommended Action Ensure CloudWatch Log groups have encryption enabled with desired AWS KMS key
Test Description Ensure that AWS Timestream databases are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed-keys.
Additional Info Timestream encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys. This functionality helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest using customer-managed keys, you can build security-sensitive applications that meet strict encryption compliance and regulatory requirements.
Recommended Action Modify Timestream database encryption configuration to use desired encryption key
Result Region Resource Message
Test Description Ensure that your Amazon MemoryDB cluster is encrypted with desired encryption level.
Additional Info To help keep your data secure, MemoryDB at-rest encryption is always enabled to increase data security by encrypting persistent data using AWS-managed KMS keys. Use AWS customer-managed keys (CMKs) instead in order to have fine-grained control over the data-at-rest encryption/decryption process and meet compliance requirements.
Recommended Action Modify MemoryDB cluster encryption configuration to use desired encryption key
Result Region Resource Message
Test Description Ensure that Amazon Managed Streaming for Kafka (MSK) clusters are using desired encryption key for at-rest encryption.
Additional Info Amazon MSK encrypts all data at rest using AWS-managed KMS keys by default. Use AWS customer-managed keys (CMKs) instead in order to have fine-grained control over the data-at-rest encryption/decryption process and meet compliance requirements.
Recommended Action Modify MSK cluster encryption configuration to use desired encryption key
Result Region Resource Message
Test Description Ensure that your Amazon ElastiCache Redis clusters are encrypted to increase data security.
Additional Info Amazon ElastiCache provides an optional feature to encrypt your data saved to persistent media. Enable this feature and use customer-managed keys in order to protect it from unauthorized access and fulfill compliance requirements within your organization.
Test Description Ensure that AWS App Runner service is encrypted using desired encryption level.
Additional Info To protect your application's data at rest, App Runner encrypts all stored copies of your application source image or source bundle using an AWS-managed key by default. Use customer-managed keys (CMKs) instead in order to gain more granular control over the encryption/decryption process.
Recommended Action Create App Runner Service with customer-managed keys (CMKs)
Result Region Resource Message
Test Description Ensure that AWS FinSpace Environments are using desired encryption level.
Additional Info Amazon FinSpace is a fully managed data management and analytics service that makes it easy to store, catalog, and prepare financial industry data at scale. To encrypt this data, use a KMS key with the desired encryption level to meet regulatory compliance requirements within your organization.
Result Region Resource Message
Test Description Ensure that your AWS CodeBuild project artifacts are encrypted with desired encryption level.
Additional Info AWS CodeBuild encrypts artifacts such as a cache, logs, exported raw test report data files, and build results by default using AWS managed keys. Use customer-managed keys instead, in order to gain more granular control over the encryption/decryption process.
Recommended Action Encrypt them using customer-managed keys to gain more control over the data encryption and decryption process.
Test Description Ensure that AWS CodePipeline is using desired encryption level to encrypt pipeline artifacts being stored in S3.
Additional Info CodePipeline creates an S3 artifact bucket and a default AWS managed key when you create a pipeline. By default, these artifacts are encrypted using the default AWS-managed S3 key. Use a customer-managed key for encryption in order to gain more granular control over the encryption/decryption process.
Recommended Action Ensure customer-managed keys (CMKs) are being used for CodePipeline pipeline artifacts.
Cloud Provider Link https://docs.aws.amazon.com/codepipeline/latest/userguide/S3-artifact-encryption.html
Test Description Ensure that AWS HealthLake Data Store is using desired encryption level.
Result Region Resource Message
Test Description Ensures that AWS CodeArtifact domains have encryption enabled with desired encryption level.
Result Region Resource Message
UNKN us-east-1 Unable to list CodeArtifact domains: User: arn:aws:sts::922503285322:assumed-role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: codeartifact:ListDomains on resource: * because no identity-based policy allows the codeartifact:ListDomains action
Test Description Ensure that all data in Audit Manager is encrypted with desired encryption level.
Additional Info All resources in AWS Audit Manager, such as assessments, controls, frameworks and evidence, are encrypted under a customer managed key or an AWS owned key, depending on your selected settings. If you don't provide a customer managed key, AWS Audit Manager uses an AWS owned key to encrypt your content. Encrypt these resources using customer-managed keys in order to gain more granular control over the encryption/decryption process.
Recommended Action Modify Audit Manager data encryption settings and choose desired encryption key for data encryption
Result Region Resource Message
Test Description Ensure that your Amazon AppFlow flows are encrypted with desired encryption level.
Additional Info Amazon AppFlow encrypts your access tokens, secret keys, and data in transit and data at rest with AWS-managed keys by default. Encrypt them using customer-managed keys in order to gain more granular control over the encryption/decryption process.
Result Region Resource Message
Test Description Ensure that Elastic Transcoder pipelines have encryption enabled with desired encryption level to encrypt your data.
Additional Info Amazon Elastic Transcoder pipelines use AWS-managed KMS keys to encrypt your data. You should use customer-managed keys in order to gain more granular control over the encryption/decryption process.
Recommended Action Modify Elastic Transcoder pipelines encryption settings to use custom KMS key
Result Region Resource Message
Test Description Ensure that Elastic Transcoder jobs have encryption enabled to encrypt your data before saving on S3.
Additional Info Amazon Elastic Transcoder jobs save the result output on S3. If you don't configure encryption parameters, these jobs will save the file unencrypted. You should enable encryption for output files and use customer-managed keys for encryption in order to gain more granular control over the encryption/decryption process.
Result Region Resource Message
Test Description Ensure that your Amazon Translate jobs have CMK encryption enabled for output data residing on S3.
Additional Info Amazon Translate encrypts your output data with AWS-managed keys by default. Encrypt your files using customer-managed keys in order to gain more granular control over the encryption/decryption process.
Test Description Ensure that AWS Glue DataBrew jobs have encryption enabled for output files with desired encryption level.
Additional Info AWS Glue DataBrew jobs should have encryption enabled to encrypt S3 targets, i.e. output files, to meet regulatory compliance requirements within your organization.
Recommended Action Modify Glue DataBrew jobs to set desired encryption configuration
Result Region Resource Message
Test Description Ensure that members created in Amazon Managed Blockchain are encrypted using desired encryption level.
Additional Info Amazon Managed Blockchain encrypts the network member data at-rest by default with AWS-managed keys. Use your own key (CMK) to encrypt this data to meet regulatory compliance requirements within your organization.
Recommended Action Ensure members in Managed Blockchain are using desired encryption level for encryption
Cloud Provider Link https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/managed-blockchain-encryption-at-rest.html
Result Region Resource Message
Test Description Ensure that data at-rest is encrypted in AWS DocumentDB clusters using desired encryption level.
Additional Info Amazon DocumentDB integrates with AWS KMS and uses a method known as envelope encryption to protect your data. This gives you an extra layer of data security and helps meet security compliance and regulations within your organization.
Recommended Action Modify DocumentDB cluster at-rest encryption configuration to use desired encryption key
Test Description Ensure that Amazon Connect instances have encryption enabled for media streams being saved on Kinesis Video Stream.
Additional Info In Amazon Connect, you can capture customer audio during an interaction with your contact center by sending the audio to a Kinesis video stream. All data put into a Kinesis video stream is encrypted at rest using AWS-managed KMS keys. Use customer-managed keys instead, in order to meet regulatory compliance requirements within your organization.
Recommended Action Modify Connect instance data storage configuration and enable encryption for media streams
Result Region Resource Message
Test Description Ensure that Amazon Connect instances have encryption enabled for chat transcripts being saved on S3.
Additional Info You can configure an Amazon Connect instance to save chat transcripts on S3. When you save such data on S3, enable encryption for the data and use a KMS key with the desired encryption level to meet regulatory compliance requirements within your organization.
Recommended Action Modify Connect instance data storage configuration and enable encryption for chat transcripts
Result Region Resource Message
Test Description Ensure that Amazon Connect instances have encryption enabled for exported reports being saved on S3.
Additional Info You can configure an Amazon Connect instance to save exported reports on S3. When you save such data on S3, enable encryption for the data and use a KMS key with the desired encryption level to meet regulatory compliance requirements within your organization.
Recommended Action Modify Connect instance data storage configuration and enable encryption for exported reports
Result Region Resource Message
Test Description Ensure that Amazon Connect instances have encryption enabled for call recordings being saved on S3.
Additional Info You can configure an Amazon Connect instance to save recordings of incoming calls on S3. When you save such data on S3, enable encryption for the data and use a KMS key with the desired encryption level to meet regulatory compliance requirements within your organization.
Recommended Action Modify Connect instance data storage configuration and enable encryption for call recordings
Result Region Resource Message
Test Description Ensure that Amazon Connect instances have encryption enabled for attachments being saved on S3.
Additional Info You can configure an Amazon Connect instance to save attachments on S3. When you save such data on S3, enable encryption for the data and use a KMS key with the desired encryption level to meet regulatory compliance requirements within your organization.
Recommended Action Modify Connect instance data storage configuration and enable encryption for attachments
Result Region Resource Message
UNKN us-east-1 Unable to query Connect instances: User: arn:aws:sts::922503285322:assumed-role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: connect:ListInstances on resource: arn:aws:connect:us-east-1:922503285322:/instance
Test Description Ensure that your Amazon Backup vaults are using AWS KMS Customer Master Keys instead of AWS managed-keys (i.e. default encryption keys).
Additional Info When you encrypt AWS Backup using your own AWS KMS Customer Master Keys (CMKs) for enhanced protection, you have full control over who can use the encryption keys to access your backups.
Result Region Resource Message
Test Description Ensure that Amazon Elastic Beanstalk (EB) environments have enhanced health reporting feature enabled.
Additional Info Enhanced health reporting is a feature that you can enable on your environment to allow AWS Elastic Beanstalk to gather additional information about resources in your environment. Elastic Beanstalk analyzes the information gathered to provide a better picture of overall environment health and aid in the identification of issues that can cause your application to become unavailable.
Recommended Action Modify Elastic Beanstalk environments and enable enhanced health reporting.
Test Description Ensure that your Amazon Elastic Beanstalk environment is configured to save logs for load balancer associated with the application environment.
Additional Info Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.
Recommended Action Go to specific environment, select Configuration, edit Load Balancer category, and enable Store logs
Cloud Provider Link https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
Test Description Ensure that AWS Elastic Beanstalk environment logs are retained and saved on S3.
Additional Info Elastic Beanstalk environment logs should be retained in order to keep the logging data for future audits, historical purposes or to track and analyze the EB application environment behavior for a long period of time.
Recommended Action Go to specific environment, select Configuration, edit Software category, and enable Log streaming
Test Description Ensure that EKS clusters are using latest platform version.
Additional Info Amazon EKS platform versions represent the capabilities of the Amazon EKS cluster control plane, such as which Kubernetes API server flags are enabled, as well as the current Kubernetes patch version. Clusters should be kept up to date with the latest platform version to ensure Kubernetes security patches are applied.
Recommended Action Check for the version on all EKS clusters to be the latest platform version.
Test Description Ensure that the number of EMR cluster instances provisioned in your AWS account has not reached the desired threshold established by your organization.
Additional Info Setting a threshold for the number of EMR cluster instances provisioned within your AWS account will help to manage EMR compute resources and prevent unexpected charges on your AWS bill.
Recommended Action Ensure that the number of running EMR cluster instances matches the expected count. If instances are launched above the threshold, investigate to ensure they are legitimate.
PASS global 0 EMR instances in the account are within the global expected count of: 200
Test Description Ensure that Amazon Kinesis Video Streams is using desired encryption level for Data at-rest.
Additional Info Server-side encryption is always enabled on Kinesis video streams data. If a user-provided key is not specified when the stream is created, the default key (provided by Kinesis Video Streams) is used. It is recommended to use customer-managed keys (CMKs) for encryption in order to gain more granular control over the encryption/decryption process.
Recommended Action Encrypt Kinesis Video Streams data with customer-managed keys (CMKs).
Result Region Resource Message
Test Description Ensure that AWS KMS key grants use the principle of least privileged access.
Additional Info AWS KMS key grants should be created with the minimum set of permissions required by the grantee principal to adhere to AWS security best practices.
PASS eu-central-1 No KMS keys found
PASS ap-northeast-1 No KMS keys found
PASS ap-northeast-2 No KMS keys found
PASS ap-southeast-1 No KMS keys found
PASS ap-southeast-2 No KMS keys found
PASS ap-northeast-3 No KMS keys found
Test Description Ensure that AWS KMS keys do not have duplicate grants, to adhere to AWS security best practices.
Additional Info Duplicate grants have the same key ARN, API actions, grantee principal, encryption context, and name. If you retire or revoke the original grant but leave the duplicates, the leftover duplicate grants constitute unintended escalations of privilege.
PASS eu-central-1 No KMS keys found
PASS ap-northeast-1 No KMS keys found
PASS ap-northeast-2 No KMS keys found
PASS ap-southeast-1 No KMS keys found
PASS ap-southeast-2 No KMS keys found
PASS ap-northeast-3 No KMS keys found
Test Description Ensure that all ElastiCache clusters provisioned within your AWS account are using the latest generation of instances
Additional Info Using the latest generation of Amazon ElastiCache instances will give clusters higher hardware performance, better support for the latest Memcached and Redis in-memory engine versions, and lower costs.
Recommended Action Upgrade ElastiCache instance generation to the latest available generation.
Test Description Ensure that Amazon ElastiCache clusters are using the latest stable version of the Redis cache engine.
Additional Info With ElastiCache clusters on the latest version of the Redis cache engine, you will benefit from new features and enhancements. Engines prior to version 3.2.6 do not benefit from encryption options, support for HIPAA compliance and much more. Also, engine version 3.2.10 does not support encryption options.
Recommended Action Upgrade the version of Redis on all ElastiCache clusters to the latest available version.
Cloud Provider Link https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/supported-engine-versions.html
Test Description Ensure that the number of ElastiCache cluster cache nodes has not reached the limit quota established by your organization.
Additional Info Defining limits for the maximum number of ElastiCache cluster nodes that can be created within your AWS account will help you to better manage your ElastiCache compute resources and prevent unexpected charges on your AWS bill.
PASS global Region contains "0" provisioned ElastiCache nodes of "200" limit
Test Description Ensure that your ElastiCache Redis Cache clusters are using a Multi-AZ deployment configuration to enhance High Availability.
Additional Info Enabling the Multi-AZ feature for your Redis Cache clusters will improve fault tolerance in case the read/write primary node becomes unreachable due to loss of network connectivity, loss of availability in the primary's AZ, etc.
Cloud Provider Link https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/AutoFailover.html#AutoFailover.Enable
Test Description Ensure that all Amazon EC2 instances are managed by AWS Systems Manager (SSM).
Additional Info Systems Manager simplifies AWS cloud resource management, quickly detects and resolves operational problems, and makes it easier to operate and manage your instances securely at large scale.
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-065bb7e431488d139 EC2 Instance: i-065bb7e431488d139 is not managed by AWS Systems Manager
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-05cf4724e3a4599f0 EC2 Instance: i-05cf4724e3a4599f0 is not managed by AWS Systems Manager
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-045076929c6d415ad EC2 Instance: i-045076929c6d415ad is not managed by AWS Systems Manager
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-08f266f579dc814bc EC2 Instance: i-08f266f579dc814bc is not managed by AWS Systems Manager
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-006fe48adf55ff7ad EC2 Instance: i-006fe48adf55ff7ad is not managed by AWS Systems Manager
FAIL us-east-1 arn:aws:ec2:us-east-1:922503285322:instance/i-05e8cda4ca1cd3f78 EC2 Instance: i-05e8cda4ca1cd3f78 is not managed by AWS Systems Manager
PASS ca-central-1 No EC2 instances found
PASS eu-central-1 No EC2 instances found
PASS ap-northeast-1 No EC2 instances found
PASS ap-northeast-2 No EC2 instances found
PASS ap-southeast-1 No EC2 instances found
PASS ap-southeast-2 No EC2 instances found
PASS ap-northeast-3 No EC2 instances found
Test Description Ensure that Wisdom domains created under Amazon Connect instances are using the desired KMS encryption level.
Additional Info All user data stored in Amazon Connect Wisdom is encrypted at rest using encryption keys stored in AWS Key Management Service. Additionally, you can provide customer managed KMS keys in order to gain more control over encryption/decryption processes.
Recommended Action Ensure that Amazon Connect Wisdom domains have encryption enabled.
Result Region Resource Message
Test Description Ensure that Voice domains created under Amazon Connect instances are using the desired KMS encryption level.
Additional Info All user data stored in Amazon Connect Voice ID is encrypted at rest using encryption keys stored in AWS Key Management Service. Additionally, you can provide customer managed KMS keys in order to gain more control over encryption/decryption processes.
Recommended Action Ensure that Amazon Voice ID domains have encryption enabled.
Result Region Resource Message
Test Description Ensure that payments for ElastiCache Reserved Cache Nodes available within your AWS account have been processed completely.
Additional Info ElastiCache Reserved Cache Nodes deliver their maximum savings over standard On-Demand Cache Nodes when used in steady state; in order to receive this benefit you need to make sure that all your ElastiCache reservation purchases have been fully successful.
Recommended Action Identify any pending payments for ElastiCache reserved cache nodes
Test Description Ensure that all your AWS ElastiCache reserved nodes have corresponding cache nodes running within the same account of an AWS Organization.
Additional Info Creating cache nodes for your unused reserved cache clusters will prevent your investment from having a negative return. When an Amazon ElastiCache RCN is not in use, the investment made is not properly utilized.
Recommended Action Enable prevention of unused reserved nodes for ElastiCache clusters
Test Description Ensure that payments for ElastiCache Reserved Cache Nodes available within your AWS account have been processed completely.
Additional Info ElastiCache Reserved Cache Nodes deliver their maximum savings over standard On-Demand Cache Nodes when used in steady state; in order to receive this benefit you need to make sure that all your ElastiCache reservation purchases have been fully successful.
Recommended Action Identify any failed payments for ElastiCache reserved cache nodes
Test Description Ensure that your AWS ElastiCache Reserved Cache Nodes are renewed before expiration in order to get a significant discount.
Additional Info Reserved Cache Nodes can optimize your Amazon ElastiCache costs based on your expected usage. Since RCNs are not renewed automatically, purchasing another reserved ElastiCache node before expiration will guarantee billing at a discounted hourly rate.
Recommended Action Enable ElastiCache reserved cache nodes expiration days alert
Test Description Ensure that no active/current GuardDuty findings exist in your AWS account.
Additional Info Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. These findings should be acted upon and archived after they have been remediated in order to follow security best practices. If a finding has not been archived after a set amount of time, the Aqua CSPM plugin will display a FAIL result.
Test Description Ensure that GuardDuty findings export is encrypted using desired KMS encryption level.
Additional Info GuardDuty data, such as findings, is encrypted at rest using AWS owned customer master keys (CMKs). Additionally, you can use your own keys (CMKs) in order to gain more control over the data encryption/decryption process.
Recommended Action Encrypt GuardDuty Export Findings with customer-managed keys (CMKs)
Test Description Ensure that the number of Amazon WorkSpaces provisioned in your AWS account has not reached the set limit.
Additional Info In order to manage your WorkSpaces compute resources efficiently and prevent unexpected charges on your AWS bill, monitor and configure limits for the maximum number of WorkSpaces instances provisioned within your AWS account.
Recommended Action Ensure that the number of WorkSpaces created within your AWS account is within the set limit
Test Description Ensure that your Amazon DocumentDB clusters have set a minimum backup retention period.
Additional Info DocumentDB clusters provide a feature to retain incremental backups for between 1 and 35 days, allowing you to quickly restore to any point within the backup retention period. Ensure that you have a sufficient backup retention period configured in order to restore your data in the event of failure.
Recommended Action Modify the DocumentDB cluster to configure a sufficient backup retention period.
Test Description Ensure that Amazon Lookout for Equipment datasets are encrypted using the desired KMS encryption level
Additional Info Amazon Lookout for Equipment encrypts your data at rest with an AWS owned KMS key by default. It is recommended to use customer-managed keys instead, so that you gain more granular control over the encryption/decryption process.
Recommended Action Encrypt Amazon LookoutEquipment Dataset with customer-managed keys (CMKs)
Result Region Resource Message
Test Description Ensure that AWS IoT SiteWise is using desired encryption level for data at-rest.
Additional Info AWS IoT SiteWise encrypts data such as your asset property values and aggregate values by default. It is recommended to use customer managed keys in order to gain more control over the data encryption/decryption process.
Result Region Resource Message
Additional Info Amazon Location Service provides encryption by default to protect sensitive customer data at rest using AWS owned encryption keys. It is recommended to use customer-managed keys instead in order to gain more granular control over the encryption/decryption process.
Recommended Action Encrypt Amazon Location tracker with customer-managed keys (CMKs)
Result Region Resource Message
Test Description Ensure that Amazon Location geofence collection data is encrypted using the desired KMS encryption level.
Additional Info Amazon Location Service provides encryption by default to protect sensitive customer data at rest using AWS owned encryption keys. It is recommended to use customer-managed keys instead in order to gain more granular control over the encryption/decryption process.
Recommended Action Encrypt Amazon Location geofence collection with customer-managed keys (CMKs)
Result Region Resource Message
Test Description Ensure that Lookout for Vision model data is encrypted using desired KMS encryption level
Additional Info By default, trained models and manifest files are encrypted in Amazon S3 using server-side encryption with KMS keys stored in AWS Key Management Service (SSE-KMS). You can also use customer-managed keys instead in order to gain more granular control over the encryption/decryption process.
Recommended Action Encrypt LookoutVision model with customer-managed keys (CMKs) present in your account
Cloud Provider Link https://docs.aws.amazon.com/lookout-for-vision/latest/developer-guide/security-data-encryption.html
Result Region Resource Message
UNKN ap-northeast-2 Unable to query for Lookout for Vision projects: User: arn:aws:sts::922503285322:assumed-role/Cloud3_AuditRole/cloudsploit_scan is not authorized to perform: lookoutvision:ListProjects on resource: arn:aws:lookoutvision:ap-northeast-2:922503285322:project/* because no identity-based policy allows the lookoutvision:ListProjects action
Test Description Ensure that Amazon LookoutMetrics Anomaly Detector is encrypted using the desired KMS encryption level
Additional Info Amazon Lookout for Metrics encrypts your data at rest with your choice of an encryption key. If you do not specify an encryption key, your data is encrypted with an AWS owned key by default. Use customer-managed keys instead in order to gain more granular control over the encryption/decryption process.
Recommended Action Encrypt Amazon LookoutMetrics Anomaly Detector with customer-managed keys (CMKs)
Cloud Provider Link https://docs.aws.amazon.com/lookoutmetrics/latest/dev/security-dataprotection.html#security-privacy-atrest
Result Region Resource Message
Test Description Ensure that Amazon Lex audio logs are encrypted using desired KMS encryption level
Additional Info For audio logs, you use default encryption on your S3 bucket or specify an AWS KMS key to encrypt your audio objects. Even if your S3 bucket uses default encryption, you can still specify a different AWS KMS key to encrypt your audio objects for enhanced security.
Recommended Action Encrypt Lex audio logs with customer-managed keys (CMKs) present in your account
Result Region Resource Message
Test Description Ensure that AWS Forecast datasets are using desired KMS key for data encryption.
Additional Info Datasets contain the data used to train a predictor. You create one or more Amazon Forecast datasets and import your training data into them. Make sure to enable encryption for these datasets using customer-managed keys (CMKs) in order to gain more granular control over the encryption/decryption process.
Recommended Action Create Forecast datasets using customer-managed KMS keys (CMKs).
Result Region Resource Message
Test Description Ensure that AWS Forecast exports have encryption enabled before they are saved on S3.
Additional Info In AWS Forecast, you can save forecast reports on S3 in CSV format. Make sure to encrypt these exports before writing them to the bucket in order to follow your organization's security and compliance requirements.
Result Region Resource Message
Test Description Ensure that Amazon FSx for Windows File Server file systems are encrypted using the desired KMS encryption level.
Additional Info If your organization is subject to corporate or regulatory policies that require encryption of data and metadata at rest, AWS recommends creating encrypted file systems.
Recommended Action Enable encryption for file systems created under Amazon FSx for Windows File Server
Test Description Ensure that AWS Web Application Firewall V2 (WAFV2) is in use to achieve availability and security for AWS-powered web applications.
Additional Info Using WAF for your web applications running in an AWS environment can help protect you against common web-based attacks, SQL injection attacks, DDoS attacks and more.
Recommended Action Create one or more WAF ACLs with proper actions and rules
Test Description Ensure that AWS Web Application Firewall (WAF) is in use to achieve availability and security for AWS-powered web applications.
Additional Info Using WAF for your web applications running in an AWS environment can help protect against common web-based attacks, SQL injection attacks, DDoS attacks and more.
Recommended Action Create one or more WAF ACLs with proper actions and rules
Test Description Ensure that the Origin Failover feature is enabled for your CloudFront distributions in order to improve the availability of the content delivered to your end users.
Additional Info With the Origin Failover capability, you can set up two origins for your CloudFront web distributions, primary and secondary. In the event of primary origin failure, your content is automatically served from the secondary origin, maintaining the distribution's high reliability.
Recommended Action Modify CloudFront distributions and configure an origin group instead of a single origin
Cloud Provider Link https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_OriginGroupFailoverCriteria.html
Test Description Ensure that the geo-restriction feature is enabled for your CloudFront distribution to allow or block location-based access.
Additional Info The AWS CloudFront geo restriction feature can be used to assist in mitigation of Distributed Denial of Service (DDoS) attacks. You also have the ability to block IP addresses based on Geo IP from reaching your distribution and the web application content delivered by the distribution.
Recommended Action Enable CloudFront geo restriction to whitelist or block location-based access.
Test Description Ensure that your Amazon CloudFront distributions are configured to automatically compress files (objects).
Additional Info CloudFront data transfer charges are based on the total amount of data served, so sending compressed files to viewers is much less expensive than sending uncompressed files. To optimise your AWS cloud costs and speed up your web applications, configure your CloudFront distributions to compress the web content they serve.
Cloud Provider Link https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html
Test Description Ensure that Amazon Database Migration Service (DMS) instances are not publicly accessible.
Additional Info An AWS DMS replication instance can have one public IP address and one private IP address. If you uncheck (disable) the box for Publicly accessible, then the replication instance has only a private IP address, which prevents exposure of data to other users.
Recommended Action Ensure that DMS replication instances have only a private IP address and not a public IP address
Cloud Provider Link https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.html
Result Region Resource Message
Test Description Ensure that your Amazon Database Migration Service (DMS) replication instances are using Multi-AZ deployment configurations.
Additional Info AWS Database Migration Service (AWS DMS) helps you migrate databases to AWS quickly and securely. In a Multi-AZ deployment, AWS DMS automatically provisions and maintains a synchronous standby replica of the replication instance in a different Availability Zone.
Recommended Action Enable Multi-AZ deployment feature in order to get high availability and failover support
Cloud Provider Link https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.html
Test Description Ensure that your Amazon Database Migration Service (DMS) replication instances have the Auto Minor Version Upgrade feature enabled
Additional Info AWS Database Migration Service (AWS DMS) helps you migrate databases to AWS quickly and securely. The DMS service releases engine version upgrades regularly to introduce new software features, bug fixes, security patches and performance improvements.
Recommended Action Enable the Auto Minor Version Upgrade feature in order to automatically receive minor engine upgrades for improved performance and security
Additional Info Keeping the number of security groups to a minimum makes management easier and helps to avoid reaching the service limit.
Recommended Action Remove security groups that are not being used.
Test Description Ensure that your Amazon Elastic MapReduce (EMR) clusters are provisioned using the AWS VPC platform instead of the EC2-Classic platform.
Additional Info AWS EMR clusters using the VPC platform instead of EC2-Classic can bring multiple advantages such as better networking infrastructure and much more flexible control over access security.
Test Description Ensures Firehose delivery streams are encrypted using an AWS KMS key of the desired encryption level.
Additional Info Data sent through Firehose delivery streams can be encrypted using KMS server-side encryption. Existing delivery streams can be modified to add encryption with minimal overhead. Use customer-managed keys instead in order to gain more granular control over the encryption/decryption process.
Recommended Action Enable encryption using the desired level for all Firehose Delivery Streams.
Test Description Ensures Kinesis data streams are encrypted using AWS KMS key of desired encryption level.
Additional Info Data sent to Kinesis data streams can be encrypted using KMS server-side encryption. Existing streams can be modified to add encryption with minimal overhead. Use customer-managed keys instead in order to gain more granular control over the encryption/decryption process.
Recommended Action Enable encryption using desired level for all Kinesis streams
Test Description Ensure that your ElastiCache clusters are provisioned within the AWS VPC platform.
Additional Info Creating Amazon ElastiCache clusters inside Amazon VPC can bring multiple advantages such as better networking infrastructure and flexible control over access security.
Test Description Ensure that the Amazon ElastiCache cluster nodes provisioned in your AWS account have the desired node type established within your organization based on the workload deployed.
Additional Info Setting limits for the type of Amazon ElastiCache cluster nodes will help you address internal compliance requirements and prevent unexpected charges on your AWS bill.
Test Description Ensure that Amazon SageMaker Notebook instances are launched within a VPC.
Additional Info Launching notebook instances within a VPC can bring multiple advantages such as better networking infrastructure and much more flexible control over access security. It also makes it possible to access VPC-only resources such as EFS file systems.
Cloud Provider Link https://docs.aws.amazon.com/sagemaker/latest/dg/API_CreateNotebookInstance.html#API_CreateNotebookInstance_RequestSyntax
Test Description Ensure SQS queues are encrypted using keys of desired encryption level
Additional Info Messages sent to SQS queues can be encrypted using KMS server-side encryption. Existing queues can be modified to add encryption with minimal overhead. Use customer-managed keys instead in order to gain more granular control over the encryption/decryption process.
Recommended Action Enable encryption using KMS Customer Master Keys (CMKs) for all SQS queues.
Cloud Provider Link http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html
Test Description Ensure that the Amazon Secrets Manager service is being used in your account to manage all credentials.
Additional Info Amazon Secrets Manager helps you protect sensitive information needed to access your cloud applications, services and resources. Users and apps can use Secrets Manager to retrieve stored secrets with a call to the Secrets Manager API, enhancing access security.
Recommended Action Use the Secrets Manager service to store sensitive information in your AWS account.
Test Description Ensure that Amazon Fraud Detector has encryption enabled for data at rest with the desired KMS encryption level.
Additional Info Amazon Fraud Detector encrypts your data at rest with an AWS-managed KMS key. Use customer-managed KMS keys (CMKs) instead in order to follow your organization's security and compliance requirements.
Recommended Action Enable encryption for data at rest using the PutKMSEncryptionKey API
Result Region Resource Message
Test Description Ensure that IAM Access Analyzer findings are reviewed and resolved by taking all necessary actions.
Additional Info IAM Access Analyzer helps you evaluate access permissions across your AWS cloud environment and gives insights into intended access to your resources. It can monitor the access policies associated with S3 buckets, KMS keys, SQS queues, IAM roles and Lambda functions for permissions changes. You can view IAM Access Analyzer findings at any time. Work through all of the findings in your account until you have zero active findings.
Recommended Action Investigate the active findings in your account and take the necessary actions until you have zero active findings.
Test Description Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account.
Additional Info Using wildcard certificates can compromise the security of all sites, i.e. domains and subdomains, if the private key of a certificate is compromised. It is therefore recommended to use ACM single domain name certificates instead of wildcard certificates.
Recommended Action Configure ACM managed certificates to use a single domain name instead of wildcards.
Test Description Ensure that your Amazon App Mesh virtual gateways have access logging enabled.
Additional Info Enabling the access logging feature for App Mesh virtual gateways lets you track application mesh user access, helps you meet compliance regulations, and gives insight into security audits and investigations.
Recommended Action To enable access logging, modify the virtual gateway configuration settings and configure the file path to write access logs to.
Test Description Ensure that response caching is enabled for your Amazon API Gateway REST APIs.
Additional Info A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.
Recommended Action Modify API Gateway API stages to enable API cache
Test Description Ensure that your Amazon API Gateway REST APIs are configured to encrypt API cached responses.
Additional Info It is strongly recommended to enforce encryption for API cached responses in order to protect your data from unauthorized access.
Recommended Action Modify API Gateway API stages to enable encryption on cache data
Cloud Provider Link https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html
Test Description Ensure that Amazon App Mesh virtual nodes have egress-only access to other defined resources available within the service mesh.
Additional Info Amazon App Mesh gives you controls to choose whether or not to allow App Mesh services to communicate with the outside world. If you choose to deny external traffic, the proxies will not forward traffic to external services not defined in the mesh. Traffic to external services should be denied to adhere to cloud security best practices and minimize security risks.
Test Description Ensure that AWS App Mesh virtual gateway listeners only accept TLS enabled connections.
Additional Info In App Mesh, Transport Layer Security (TLS) encrypts communication between the Envoy proxies deployed on compute resources that are represented in App Mesh by mesh endpoints, such as virtual nodes and virtual gateways.
Recommended Action Restrict AWS App Mesh virtual gateway listeners to accept only TLS enabled connections.
Test Description Ensure that your AWS Auto Scaling Groups are configured to use a cool down period.
Additional Info A scaling cool down helps you prevent your Auto Scaling group from launching or terminating additional instances before the effects of previous activities are visible.
Recommended Action Implement a proper cool down period for Auto Scaling groups to temporarily suspend any scaling actions.
Additional Info A launch configuration is an instance configuration template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you specify information for the instances. Every unused Launch Configuration template should be removed for better management of your AWS Auto Scaling components.
Recommended Action Identify and remove any Auto Scaling Launch Configuration templates that are no longer associated with ASGs available in the selected AWS region.
PASS sa-east-1 No Auto Scaling launch configurations found
CloudFront CloudFront Distribution Field-Level Encryption 1 0 0 0
Test Description Ensure that field-level encryption is enabled for your Amazon CloudFront web distributions.
Additional Info With Amazon CloudFront, you can enforce secure end-to-end connections to origin servers by using HTTPS. Field-level encryption adds an additional layer of security that lets you protect specific data throughout system processing so that only certain applications can see it. Field-level encryption allows you to enable users to securely upload sensitive information to web servers.
Cloud Provider Link https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html
Test Description Ensure that AWS CloudFront service is used within your AWS account.
Additional Info Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations.
Test Description Ensures that no AWS CloudFormation stacks available in your AWS account have admin privileges.
Additional Info A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS CloudFormation to create, update, or delete your stack resources.
Recommended Action Modify the IAM role attached to the AWS CloudFormation stack to provide the minimal amount of access required to perform its tasks
Cloud Provider Link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html
Additional Info AWS CloudFormation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. A stack is a collection of AWS resources that you can manage as a single unit. In other words, you can create, update, or delete a collection of resources by creating, updating, or deleting stacks.
FAIL sa-east-1 CloudFormation service is not being used
CloudTrail CloudTrail Notifications Enabled 16 0 1 0
Test Description Ensure that Amazon CloudTrail trails are using active Simple Notification Service (SNS) topics to deliver notifications.
Additional Info CloudTrail trails should reference active SNS topics to notify of log file delivery to S3 buckets. Otherwise, you will lose the ability to take immediate actions based on log information.
Recommended Action Make sure that CloudTrail trails are using active SNS topics and that SNS topics have not been deleted after trail creation.
Cloud Provider Link https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html
PASS ap-northeast-1 No CloudTrail trails found
PASS ap-northeast-2 No CloudTrail trails found
PASS ap-southeast-1 No CloudTrail trails found
PASS ap-southeast-2 No CloudTrail trails found
PASS ap-northeast-3 No CloudTrail trails found
Test Description Ensures that all the evaluation results returned from the Amazon Config rules created within your AWS account are compliant.
Additional Info AWS Config provides AWS managed rules, which are predefined customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices.
Recommended Action Enable the AWS Config Service rules for compliance checks and close security gaps.
Test Description Ensure that the AWS Config log files are delivered to the S3 bucket in order to store logging data for auditing purposes without any failures.
Additional Info Amazon Config keeps a record of the changes within the configuration of your AWS resources and regularly stores this data in log files that are sent to an S3 bucket specified by you.
Recommended Action Configure AWS Config log files to be delivered without any failures to the designated S3 bucket.
PASS ap-northeast-2 No Config Service configuration recorder statuses found
Test Description Ensure that the Amazon Config service is pointing to an S3 bucket that is active in your account in order to save configuration information
Additional Info Amazon Config tracks changes within the configuration of your AWS resources and regularly sends updated configuration details to an S3 bucket that you specify. When AWS Config is not referencing an active S3 bucket, the service is unable to send the recorded information to the designated bucket, and therefore you lose the ability to later audit the configuration changes made within your AWS account.
Recommended Action Ensure that the Amazon Config service is referencing an active S3 bucket in order to save configuration information.
Test Description Ensures that Amazon DynamoDB tables are using on-demand backups.
Additional Info With AWS Backup, you can configure backup policies and monitor activity for your AWS resources and on-premises workloads in one place. Using DynamoDB with AWS Backup, you can copy your on-demand backups across AWS accounts and regions, add cost allocation tags to on-demand backups, and transition on-demand backups to cold storage for lower costs.
Test Description Ensure AWS ElastiCache clusters are not using the default ports set for Redis and Memcached cache engines.
Additional Info ElastiCache clusters should be configured not to use the default assigned port value for Redis (6379) and Memcached (11211).
Test Description Ensure that EventBridge event bus is configured to prevent exposure to public access.
Additional Info The default event bus in your Amazon account only allows events from one account. You can grant additional permissions to an event bus by attaching a resource-based policy to it.
Recommended Action Configure EventBridge event bus policies that allow access to whitelisted/trusted account principals but not public access.
Test Description Ensure that the Amazon EventBridge Events service is in use in order to enable you to react selectively and efficiently to system events.
Additional Info Amazon EventBridge Events delivers a near real-time stream of system events that describe changes in Amazon Web Services (AWS) resources. Using simple rules that you can quickly set up, you can match events and route them to one or more target functions or streams.
Recommended Action Create EventBridge event rules to meet regulatory and compliance requirements within your organization.
Test Description Ensure that all active sessions in the AWS Session Manager do not exceed the duration set in the settings.
Additional Info The session manager gives users the ability to either open a shell in an EC2 instance or execute commands in an ECS task. This can be useful when debugging issues in a container or instance.
Recommended Action Terminate all the sessions which exceed the specified duration mentioned in settings.
Cloud Provider Link https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-max-timeout.html
Test Description Ensure that an AWS CloudWatch alarm exists and is configured for the metric filter attached to the VPC flow logs CloudWatch log group.
Additional Info A metric alarm watches a single CloudWatch metric or the result of a math expression based on CloudWatch metrics. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods. The action can be sending a notification to an Amazon SNS topic.
Recommended Action Create a CloudWatch log group, attach a metric filter to log VPC flow log changes, and create a CloudWatch alarm for the metric filter.
Cloud Provider Link https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html
Test Description Ensure that the TLS encryption within the cluster feature is enabled for your Amazon MSK clusters.
Additional Info Amazon MSK in-transit encryption is an optional feature which encrypts data in transit within your MSK cluster. You can override this default at the time you create the cluster.
Recommended Action Enable TLS encryption within the cluster for all MSK clusters
Result Region Resource Message
Test Description Ensure that Amazon Backup is integrated with Amazon Relational Database Service in order to manage RDS database instance snapshots.
Additional Info Amazon RDS creates and saves automated backups of your DB instance during the backup window of your DB instance. With Amazon Backup, you can centrally configure backup policies and rules, and monitor backup activity for AWS RDS database instances.
Recommended Action Enable RDS database instance snapshots to improve the reliability of your backup strategy.
Cloud Provider Link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html
Test Description Ensure that Amazon Backup vaults send notifications via Amazon SNS for each failed backup job event.
Additional Info AWS Backup can take advantage of the robust notifications delivered by Amazon Simple Notification Service (Amazon SNS). You can configure Amazon SNS to notify you of AWS Backup events from the Amazon SNS console.
Recommended Action Configure Backup vaults to send notification alerts for failed backup job events.
Result Region Resource Message
Test Description Ensure that an Amazon Backup vault access policy is configured to prevent the deletion of AWS backups in the backup vault.
Additional Info With AWS Backup, you can assign policies to backup vaults and the resources they contain. Assigning policies allows you to do things like grant access to users to create backup plans and on-demand backups, but limit their ability to delete recovery points after they are created.
Recommended Action Add a statement to the Backup vault access policy that denies global access to the action backup:DeleteRecoveryPoint.
Result Region Resource Message
Test Description Ensure that a compliant lifecycle configuration is enabled for your Amazon Backup plans in order to meet compliance requirements when it comes to security and cost optimization.
Additional Info The AWS Backup lifecycle configuration contains an array of transition objects specifying how long in days before a recovery point transitions to cold storage or is deleted.
Recommended Action Enable compliant lifecycle configuration for your Amazon Backup plans
Result Region Resource Message
Test Description Ensure that Compute Optimizer does not have active recommendation summaries for over-provisioned or under-provisioned EC2 instances.
Additional Info An EC2 instance is considered optimized when all specifications of an instance, such as CPU, memory, and network, meet the performance requirements of your workload, and the instance is not over-provisioned. For optimized instances, Compute Optimizer might sometimes recommend a new generation instance type.
Result Region Resource Message
Test Description Ensure that Compute Optimizer does not have active recommendation summaries for unoptimized Lambda Functions.
Additional Info AWS Compute Optimizer generates memory size recommendations for AWS Lambda functions. A Lambda function is considered optimized when Compute Optimizer determines that its configured memory or CPU power (which is proportional to the configured memory) is correctly provisioned to run your workload.
Cloud Provider Link https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-lambda-recommendations.html
Result Region Resource Message
Test Description Ensure that Compute Optimizer is enabled for your AWS account.
Additional Info AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of your AWS resources. It reports whether your resources are optimal, and generates optimization recommendations to reduce the cost and improve the performance of your workloads.
Recommended Action Enable the Compute Optimizer opt-in option for the current account or for all AWS accounts in your organization.
Result Region Resource Message
Test Description Ensure that Compute Optimizer does not have active recommendation summaries for unoptimized EBS Volumes.
Additional Info An EBS volume is considered optimized when Compute Optimizer determines that the volume is correctly provisioned to run your workload, based on the chosen volume type, volume size, and IOPS specification. For optimized resources, Compute Optimizer might sometimes recommend a new generation volume type.
Result Region Resource Message
Test Description Ensure that Compute Optimizer does not have active recommendation summaries for unoptimized Auto Scaling groups.
Additional Info An Auto Scaling group is considered optimized when Compute Optimizer determines that the group is correctly provisioned to run your workload, based on the chosen instance type. For optimized Auto Scaling groups, Compute Optimizer might sometimes recommend a new generation instance type.
Recommended Action Resolve Compute Optimizer recommendations for Auto Scaling groups.
Result Region Resource Message
Test Description Ensure that the TLS-only encryption between client and broker feature is enabled for your Amazon MSK clusters.
Additional Info Amazon MSK in-transit encryption is an optional feature which encrypts data in transit between the client and brokers. Select the Transport Layer Security (TLS) protocol to encrypt data as it travels between brokers and clients within the cluster.
Recommended Action Enable TLS-only encryption between client and broker for all MSK clusters
Result Region Resource Message
Test Description Ensure that the public access feature within the cluster is disabled for your Amazon MSK clusters.
Additional Info Amazon MSK gives you the option to turn on public access to the brokers of MSK clusters running Apache Kafka 2.6.0 or later versions. For security reasons, you cannot turn on public access while creating an MSK cluster. However, you can update an existing cluster to make it publicly accessible.
Recommended Action Check for the public access feature within the cluster for all MSK clusters
Result Region Resource Message
Additional Info Amazon MSK authenticates clients to allow or deny Apache Kafka actions. Alternatively, TLS or SASL/SCRAM can be used to authenticate clients, and Apache Kafka ACLs to allow or deny actions.
Recommended Action Ensure that MSK clusters do not have unauthenticated access enabled.
Result Region Resource Message
Test Description Ensure that Image Builder infrastructure configurations have SNS notifications enabled.
Additional Info Infrastructure configurations allow you to specify the infrastructure within which to build and test your EC2 Image Builder image.
Recommended Action Enable SNS notification in EC2 Image Builder infrastructure configurations to get notified of any changes in the service.
Result Region Resource Message
Test Description Ensure that Image Recipe Dockerfile templates are encrypted.
Additional Info Image Builder now offers a managed service for building Docker images. With Image Builder, you can automatically produce new up-to-date container images and publish them to specified Amazon Elastic Container Registry (Amazon ECR) repositories after running stipulated tests. Custom components are encrypted with your KMS key or a KMS key owned by Image Builder.
Recommended Action Ensure that container recipe Dockerfile templates are encrypted using AWS managed keys or customer managed keys in the Image Builder service.
Result Region Resource Message
Test Description Ensure that Image Recipe storage EBS volumes are encrypted.
Additional Info EC2 Image Builder is a fully managed AWS service that makes it easier to automate the creation, management, and deployment of customized, secure, and up-to-date server images that are pre-installed and pre-configured with software and settings to meet specific IT standards.
Recommended Action Ensure that EBS storage volumes in the image recipe are encrypted using AWS managed keys or customer managed keys.
Result Region Resource Message
Additional Info Build components contain software, settings, and configurations that are installed or applied during the process of building custom images. Tests are run after a custom image is built to validate functionality, security, performance, etc. Custom components are encrypted with your KMS key or a KMS key owned by Image Builder.
Recommended Action Ensure that components are encrypted using AWS managed keys or customer managed keys in the Image Builder service.
Result Region Resource Message
Test Description Determine if TCP port 27017 or 27018 or 27019 for MongoDB is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as MongoDB should be restricted to known IP addresses.
Recommended Action Restrict TCP port 27017 or 27018 or 27019 to known IP addresses
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result Region Resource Message
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:27017,27018,27019 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP port 9042 for Cassandra Client is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Cassandra Client should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result Region Resource Message
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:9042 open to 0.0.0.0/0 or ::0
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Cassandra Internode should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result Region Resource Message
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:7000 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP port 7199 for Cassandra Monitoring is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Cassandra Client should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result Region Resource Message
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:7199 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP port 9160 for Cassandra Thrift is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Cassandra Client should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Result Region Resource Message
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:9160 open to 0.0.0.0/0 or ::0
EC2 Open LDAP
22 0 0 0
Test Description Determine if TCP or UDP port 389 for LDAP is open to the public
While some ports such as HTTP and HTTPS are required to be open to the public to function
Additional Info
properly, more sensitive services such as LDAP should be restricted to known IP addresses.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-
Cloud Provider Link
instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:389, UDP:389 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP port 636 for LDAP SSL is open to the public
Additional Info LDAP SSL port 636 is used for Secure LDAP authentication. Allowing inbound traffic from any IP address to TCP port 636 is vulnerable to DoS attacks. It is a best practice to block port 636 from the public internet.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:636 open to 0.0.0.0/0 or ::0
Test Description Determine if UDP port 161 for SNMP is open to the public
Additional Info SNMP UDP port 161 is used by various devices and applications for logging events, monitoring and management. Allowing inbound traffic from any external IP address on port 161 is vulnerable to DoS attacks. It is a best practice to block port 161 completely unless explicitly required.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have UDP:161 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP or UDP port 11211 for Memcached is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Memcached should be restricted to known IP addresses.
Recommended Action Restrict TCP and UDP port 11211 to known IP addresses
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have UDP:11211, TCP:11211 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP port 8080 for internal web is open to the public
Additional Info Internal web port 8080 is used for web applications and proxy services. Allowing inbound traffic from any IP address to TCP port 8080 is vulnerable to exploits like backdoor trojan attacks. It is a best practice to block port 8080 from the public internet.
Recommended Action Restrict TCP port 8080 to known IP addresses
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:8080 open to 0.0.0.0/0 or ::0
Test Description Determine if TCP port 6379 for Redis is open to the public
Additional Info While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Redis should be restricted to known IP addresses.
Cloud Provider Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-031d418a21dd84701 Security group: sg-031d418a21dd84701 (SG-Linux) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0ea00fe2209686e28 Security group: sg-0ea00fe2209686e28 (Linux_Jumpbox) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-0add6fd8f5e13005e Security group: sg-0add6fd8f5e13005e (launch-wizard-2) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS us-east-1 arn:aws:ec2:us-east-1:922503285322:security-group/sg-2a94e22e Security group: sg-2a94e22e (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS us-east-2 arn:aws:ec2:us-east-2:922503285322:security-group/sg-35cd9243 Security group: sg-35cd9243 (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS us-west-1 arn:aws:ec2:us-west-1:922503285322:security-group/sg-0355558bdeb17eba4 Security group: sg-0355558bdeb17eba4 (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS us-west-2 arn:aws:ec2:us-west-2:922503285322:security-group/sg-07b897bc45d1e6fe2 Security group: sg-07b897bc45d1e6fe2 (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS ca-central-1 arn:aws:ec2:ca-central-1:922503285322:security-group/sg-0221abf87bbe12971 Security group: sg-0221abf87bbe12971 (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS eu-central-1 arn:aws:ec2:eu-central-1:922503285322:security-group/sg-09b903e8dd37bee5f Security group: sg-09b903e8dd37bee5f (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS eu-west-1 arn:aws:ec2:eu-west-1:922503285322:security-group/sg-08b897c32e384acbc Security group: sg-08b897c32e384acbc (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS eu-west-2 arn:aws:ec2:eu-west-2:922503285322:security-group/sg-0ae841762d2749f1a Security group: sg-0ae841762d2749f1a (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS eu-west-3 arn:aws:ec2:eu-west-3:922503285322:security-group/sg-03bc08f1c58bcf815 Security group: sg-03bc08f1c58bcf815 (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS eu-north-1 arn:aws:ec2:eu-north-1:922503285322:security-group/sg-04656562bedc2ae6d Security group: sg-04656562bedc2ae6d (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS ap-northeast-1 arn:aws:ec2:ap-northeast-1:922503285322:security-group/sg-0a5f4c4f1b5983891 Security group: sg-0a5f4c4f1b5983891 (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS ap-northeast-2 arn:aws:ec2:ap-northeast-2:922503285322:security-group/sg-07f8aee861c34413f Security group: sg-07f8aee861c34413f (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS ap-southeast-1 arn:aws:ec2:ap-southeast-1:922503285322:security-group/sg-0f40a8e2330e64b60 Security group: sg-0f40a8e2330e64b60 (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS ap-southeast-2 arn:aws:ec2:ap-southeast-2:922503285322:security-group/sg-0de72c4ef2c1b7162 Security group: sg-0de72c4ef2c1b7162 (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS ap-northeast-3 arn:aws:ec2:ap-northeast-3:922503285322:security-group/sg-09c1a77d7fa721022 Security group: sg-09c1a77d7fa721022 (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS ap-south-1 arn:aws:ec2:ap-south-1:922503285322:security-group/sg-02cb7aa81a32263ad Security group: sg-02cb7aa81a32263ad (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
PASS sa-east-1 arn:aws:ec2:sa-east-1:922503285322:security-group/sg-ffd685b7 Security group: sg-ffd685b7 (default) does not have TCP:6379 open to 0.0.0.0/0 or ::0
Test Description Ensure Virtual Private Gateways are associated with at least one VPC.
Additional Info Virtual Private Gateways allow communication between cloud infrastructure and the remote customer network. They help establish a VPN connection between the VPC and the customer gateway. Make sure virtual private gateways are always associated with a VPC to meet security and regulatory compliance requirements within your organization.
Test Description Ensure Internet Gateways are associated with at least one available VPC.
Additional Info Internet Gateways allow communication between instances in a VPC and the internet. They provide a target in VPC route tables for internet-routable traffic and also perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. Make sure they are always associated with a VPC to meet security and compliance requirements within your organization.
PASS ap-northeast-1 arn:aws:vpc:ap-northeast-1:922503285322:internet-gateway/igw-02feaf092bca87cfe Internet Gateway is associated with VPC
PASS ap-northeast-2 arn:aws:vpc:ap-northeast-2:922503285322:internet-gateway/igw-002d64d652f4ab249 Internet Gateway is associated with VPC
PASS ap-southeast-1 arn:aws:vpc:ap-southeast-1:922503285322:internet-gateway/igw-06f89180a906d735b Internet Gateway is associated with VPC
PASS ap-southeast-2 arn:aws:vpc:ap-southeast-2:922503285322:internet-gateway/igw-065419b60cd4f20bb Internet Gateway is associated with VPC
PASS ap-northeast-3 arn:aws:vpc:ap-northeast-3:922503285322:internet-gateway/igw-0b97885578518f3b8 Internet Gateway is associated with VPC
Test Description Ensure IAM password policy allows users to change their passwords.
Additional Info Password policy should allow users to rotate their passwords as a security best practice.
Recommended Action Update the password policy for users to change their passwords
Test Description Ensure that Amazon RDS database snapshots are not publicly exposed.
Additional Info If an RDS snapshot is exposed to the public, any AWS account can copy the snapshot and create a new database instance from it. It is a best practice to ensure RDS snapshots are not exposed to the public to avoid any accidental leak of sensitive information.
Recommended Action Ensure the Amazon RDS database snapshot is not publicly accessible, so that it is not available for any AWS account to copy or restore.