Professional Documents
Culture Documents
AWs Coud Security Checklist
AWs Coud Security Checklist
Cloud
Security
Checklist
AWS Cloud Security
Checklist
services name findings name description
Ensure Multi-Factor
IAM (Identity and MFA is not enabled for Authentication (MFA) is
Access Management) Root Account enabled for the AWS
root account.
p
Ensure Multi-Factor
Authentication (MFA) is
u
MFA is not enabled for
enabled for all AWS
IAM Users
IAM users with AWS
o
Console access.
gr
Detects when a
Multiple Access Keys
canary token access
exists for IAM Users
key has been used
eh Ensure cross-account
i
Cross-Account Access IAM roles use either
Lacks External ID and MFA or external IDs to
v
MFA secure the access to
AWS resources.
@
Ensure AWS IAM access
keys are rotated on a
Lack of Access Key
periodic basis as a
Rotation
security best practice
(90 Days).
p
Ensure that all your
SSL/TLS certificates
u
Weak IAM Server are using either 2048
Certificate in use or 4096 bit RSA keys
o
instead of 1024-bit
r
keys.
g
Ensure AWS IAM policies
IAM Role Policy are Too
attached to IAM roles
h
Permissive
are not too permissive.
ie
Ensure that IAM
Access Analyzer
v
IAM Access Analyzer is feature is enabled to
not Enabled maintain access
security to your AWS
@
resources.
p
practices.
u
Ensure SSL/TLS
o
SSL/TLS Certificate is certificates are
about to Expire renewed before their
r
expiration.
g
Ensure security
h
challenge questions
Security Challenge are enabled and
e
Question not Enabled configured to improve
i
the security of your
AWS account.
v Ensure alternate
@
Security Contact
contacts are set to
Information is not
improve the security
Registered
of your AWS account.
p
Ensure Termination
u
EC2 Instance Protection feature is
Termination Protection enabled for EC2
o
is not Enabled instances that are
r
not part of ASGs.
g
Ensure your Amazon
AMIs are Publicaly Machine Images (AMIs)
h
Shared are not accessible to
all AWS accounts.
ie
v
Ensure all AWS EC2
Golden/Approved AMIs instances are
not in Use launched from
approved AMIs.
p
Ensure EBS volumes
are encrypted with
KMS Customer Master
u
KMS CMKs in order to
Keys is not used for
have full control
EBS Volume Encryption
o
over data encryption
and decryption.
h
Weak Cryptographic
are using the latest
Controls for ELB
predefined security
e
policy.
Ensure Deletion
Protection feature is
ELB Deletion enabled for your AWS
Protection Disabled load balancers to
follow security best
practices.
services name findings name description
p
Cloud (VPC) Flow Logs
Virtual Private
VPC Flow Logs Disabled feature is enabled in
Cloud(VPC)
u
all applicable AWS
regions.
ro
Ensure that your AWS
Simple Storage Service Overbroad S3 Access S3 buckets are not
g
(S3) Control publicly exposed to
the Internet.
eh
Ensure Amazon S3
i
buckets do not allow
Cross-Account Access
unknown cross
for S3 Buckets
v
account access via
bucket policies.
@
Ensure AWS S3 buckets
Server-Side Encryption
enforce Server-Side
is not Enabled for S3
Encryption (SSE)
up Access Logging
Ensure AWS S3 buckets
have server access
o
logging enabled to
Disabled for S3
track access
r
requests.
g
Ensure AWS S3 buckets
h
Secure Transport is
enforce SSL to secure
Not Enabled on S3
data in transit
ie
Ensure your AWS
v
CloudTrail logs are
CloudTrail Log
Cloud Trail encrypted using AWS
Encryption Disabled
KMS–Managed Keys
@
(SSE-KMS).
p
CloudWatch Alarm exist for AWS Incident Alarms are
Services created in CloudWatch
r
RDS Database instance instances are not
Relational Database
are Publicly publicly accessible
Service (RDS)
g
accessible and prone to security
risks.
eh
Ensure Deletion
i
Deletion protection is Protection feature is
not Enabled for RDS enabled for your AWS
v
Instance RDS database
instances.
@
Ensure that
RDS Automated Backup Automated Backups
is not enabled are created for the
RDS Instances
p
Ensure that AWS RDS
snapshots are
RDS Snapshots
u
encrypted to meet
Encryption is not
security and
Enabled
o
compliance
requirements.
h
RDS Snapshots Publicly
snapshots are not
accessible
accessible to all AWS
e
accounts.
vi
Ensure Log Exports
RDS Log Exports is not feature is enabled for
Enabled (RDS MySQL, your AWS RDS MySQL,
@
Aurora and MariaDB) Aurora and MariaDB
database instances.
p
is not enabled Automated Backups
feature enabled.
r
Server instances have
is not Enabled (SQL
Transport Encryption
Server, PostgreSQL)
g
feature enabled.
h
Ensure AWS RDS
e
instances have
RDS Backup Retention
i
sufficient backup
Period is not enough
retention period for
v
compliance purposes.
@
Ensure that RDS
SSL/TLS Certificates
Instance is using the
Already Expired for
updated SSL
RDS
Certificate
p
SNS Topics Exposed to
Service (SNS) topics
Everyone
are not exposed to
u
everyone.
o
Ensure that Amazon
r
Server-Side Encryption
SNS topics enforce
is Not Enabled for AWS
Server-Side Encryption
g
SNS Topics
(SSE).
h
Ensure that Amazon
e
KMS Customer Master SNS topics are
i
Keys is not used for encrypted with KMS
SNS Topics Encryption Customer Master Keys
v
(CMKs).
@
rotation feature is
Key Management Lack of KMS Key
enabled for all your
Service (KMS) Rotation
Customer Master Keys
(CMK).
p
Lambda Enabled for Lambda
your Amazon Lambda
Functions
functions.
r
Lambda Runtime latest version of the
Environment Version is runtime environment is
g
not Latest used for your AWS
Lambda functions.
eh
Ensure AWS Lambda
i
Cross-Account Access functions do not allow
for Lambda Functions unknown cross
v
Queues account access via
permission policies.
@
Ensure that your
Lambda Function Amazon Lambda
Exposed to Everyone functions are not
exposed to everyone.
Ensure encryption is
Lambda Environment enabled for the AWS
Variables are not Lambda environment
Encrypted variables that store
sensitive information.
services name findings name description
Ensure Lambda
environment variables
KMS Customer Master are encrypted with
Keys is not used for KMS Customer Master
Lambda Environment Keys (CMKs) to gain
Variables Encryption full control over
data encryption and
decryption.
o
to get the optimal
AWS Config AWS Config Not Used
visibility of the
r
activity on your
account.
e
Rules for NonCompliant
i
Rules
v
Ensure Amazon
GuardDuty is enabled
@
AWS GuardDuty Not to help you protect
AWS GuardDuty
Used your AWS accounts and
workloads against
security threats.
p
Ensure expired AWS
Route53 Domains
Route 53 domains names
Already Expired
u
are restored.
ro
Ensure AWS Route 53
domain names are
g
Route53 Domains are
renewed before their
about to Expire
expiration (90 days
h
before expiration).
ie
Ensure that DNSSEC
DNSSEC Signing for
signing is enabled for
v
Route 53 Hosted Zones
your Amazon Route 53
is not Enabled
Hosted Zones.
@
Ensure that envelope
encryption of
Elastic Kubernetes EKS Secret Encryption
Kubernetes secrets
Service (EKS) is not Enabled
using Amazon KMS is
enabled.
p
cluster endpoint
Cluster Endpoints are
access is not public
Publicly accessible
u
and prone to security
risks.
ro
Ensure Amazon SQS
Server-Side Encryption
Simple Queue Service queues enforce
g
is not Enabled for SQS
(SQS) Server-Side Encryption
Queues
(SSE).
eh
Ensure SQS queues are
i
encrypted with KMS
KMS Customer Master
CMKs to gain full
Keys is not used for
v
control over data
SQS Queue Encryption
encryption and
decryption.
@
Ensure that AWS
SQS Queue Exposed to Simple Queue Service
Everyone (SQS) queues are not
exposed to everyone.
p
are using KMS
DynamoDB Table
Customers Master Keys
Encryption
u
for encryption
o
Ensure that
r
AWS Backup Vault is
Accidental Deletion is
AWS Backups Not Prevented from
enabled for AWS
g
Accidental Deletion
Backup Vault
eh
Ensure that Redshift
Redshift Cluster is
i
RedShift Cluster is not publicly
publicly accessible
accessible
v
@
Ensure that the
Workspaces Volume
volume encryption is
WorkSpaces Encryption is not
enabled for all the
Enabled
Workspaces
p
Access logging Ensure that access
CloudFront disabled for logging is enabled for
u
CloudFront Cloudfront
ro
Ensure that WAF is
WAF is Not Enabled in
enabled for all the
g
CloudFront
available Cloudfront
h
Ensure that you are
e
TLSv1.0 Supported by
using latest TLS
i
CloudFront
version for all
Distribution
Cloudfront
v
@
Note: The above content is taken from securitycipher.com, special thanks to Piyush
Kumawat