AWS

Cloud
Security
Checklist
AWS Cloud Security
Checklist
services name findings name description

Ensure Multi-Factor
IAM (Identity and MFA is not enabled for Authentication (MFA) is
Access Management) Root Account enabled for the AWS
root account.

p
Ensure Multi-Factor
Authentication (MFA) is

u
MFA is not enabled for
enabled for all AWS
IAM Users
IAM users with AWS

o
Console access.

gr
Detects when a
Multiple Access Keys
canary token access
exists for IAM Users
key has been used

eh Ensure cross-account

i
Cross-Account Access IAM roles use either
Lacks External ID and MFA or external IDs to

v
MFA secure the access to
AWS resources.

@
Ensure AWS IAM access
keys are rotated on a
Lack of Access Key
periodic basis as a
Rotation
security best practice
(90 Days).

Ensure AWS Identity

and Access
Password Expiration is Management (IAM) user
Disabled passwords are reset
before expiration (90
Days).
services name findings name description

Weak Password Policy (

Ensure AWS account
AWS Default password
has an IAM strong
policy) is set for the
password policy in use
AWS account

p
Ensure that all your
SSL/TLS certificates

u
Weak IAM Server are using either 2048
Certificate in use or 4096 bit RSA keys

o
instead of 1024-bit

r
keys.

g
Ensure AWS IAM policies
IAM Role Policy are Too
attached to IAM roles

h
Permissive
are not too permissive.

ie
Ensure that IAM
Access Analyzer

v
IAM Access Analyzer is feature is enabled to
not Enabled maintain access
security to your AWS

@
resources.

Ensure that your

server certificates
Pre-Heartbleed
are not vulnerable to
Server Certificates
Heartbleed security
bug.

Ensure that your AWS

account (root) is not
Root Account Access
using access keys as a
Keys Present
security best
practice.
services name findings name description

Ensure IAM SSH public

keys are rotated on a
Lack of SSH Public Keys periodic basis to
Rotation adhere to AWS
security best

p
practices.

u
Ensure SSL/TLS

o
SSL/TLS Certificate is certificates are
about to Expire renewed before their

r
expiration.

g
Ensure security

h
challenge questions
Security Challenge are enabled and

e
Question not Enabled configured to improve

i
the security of your
AWS account.

v Ensure alternate

@
Security Contact
contacts are set to
Information is not
improve the security
Registered
of your AWS account.

Set up, organize and

AWS Multi-Account are
manage your AWS
managed centrally via
accounts for optimal
Identity Federation or
security and
AWS Organization
manageability.

Ensure root account

credentials have not
Root Account Recently
been used recently to
used
access your AWS
account.
 services name findings name description

Elastic Compute Cloud Ensure no EC2 security

(EC2) , Elastic Blob Overbroad Ingress group allows
Storage (EBS), Elastic Rules for Security unrestricted inbound
Load Balancer V2 Groups access to any
(ELBv2) uncommon ports.

p
Ensure Termination

u
EC2 Instance Protection feature is
Termination Protection enabled for EC2

o
is not Enabled instances that are

r
not part of ASGs.

g
Ensure your Amazon
AMIs are Publicaly Machine Images (AMIs)

h
Shared are not accessible to
all AWS accounts.

ie
v
Ensure all AWS EC2
Golden/Approved AMIs instances are
not in Use launched from
approved AMIs.

@ Amazon EBS Snapshots

are Publicly
Accessible
Ensure that your
Amazon EBS volume
snapshots are not
accessible to all AWS
accounts.

Ensure that existing

Elastic Block Store
Amazon EBS Volumes (EBS) attached
Encryption is not volumes are encrypted
enabled to meet security and
compliance
requirements.
services name findings name description

Ensure Amazon EBS

snapshots are
Amazon EBS Snapshots
encrypted to meet
Encryption is not
security and
enabled
compliance
requirements.

p
Ensure EBS volumes
are encrypted with
KMS Customer Master

u
KMS CMKs in order to
Keys is not used for
have full control
EBS Volume Encryption

o
over data encryption
and decryption.

gr Ensure AWS Application

Load Balancers (ALBs)

h
Weak Cryptographic
are using the latest
Controls for ELB
predefined security

e
policy.

vi Load Balancer is not

Integrated with AWS
WAF
Ensure that WAF ACL is
integrated with
Elastic Load Balancer

@ ELB uses In-secure

protocols
Ensure that your
Application Load
Balancer (ALB)
listeners are using a
secure protocol such
as HTTPS.

Ensure Deletion
Protection feature is
ELB Deletion enabled for your AWS
Protection Disabled load balancers to
follow security best
practices.
 services name findings name description

Ensure access logging

is enabled for your
Access logging
AWS ALBs to follow
disabled for ELB
security best
practices.

Ensure Virtual Private

p
Cloud (VPC) Flow Logs
Virtual Private
VPC Flow Logs Disabled feature is enabled in
Cloud(VPC)

u
all applicable AWS
regions.

ro
Ensure that your AWS
Simple Storage Service Overbroad S3 Access S3 buckets are not

g
(S3) Control publicly exposed to
the Internet.

eh
Ensure Amazon S3

i
buckets do not allow
Cross-Account Access
unknown cross
for S3 Buckets

v
account access via
bucket policies.

@
Ensure AWS S3 buckets
Server-Side Encryption
enforce Server-Side
is not Enabled for S3
Encryption (SSE)

Ensure that Amazon S3

KMS Customer Master
buckets are encrypted
Keys is not used for S3
with customer-
Buckets Encryption
provided AWS KMS CMKs
services name findings name description

Ensure AWS S3 buckets

have the MFA Delete
feature enabled.
Versioning and Multi-
Ensure AWS S3 object
Factor Delete is not
versioning is enabled
Enabled on S3 buckets
for an additional
level of data
protection.

up Access Logging
Ensure AWS S3 buckets
have server access

o
logging enabled to
Disabled for S3
track access

r
requests.

g
Ensure AWS S3 buckets

h
Secure Transport is
enforce SSL to secure
Not Enabled on S3
data in transit

ie
Ensure your AWS

v
CloudTrail logs are
CloudTrail Log
Cloud Trail encrypted using AWS
Encryption Disabled
KMS–Managed Keys

@
(SSE-KMS).

Ensure that KMS

KMS Customer Master
master keys are used
Keys is not used for
for CloudTrail
CloudTrail Encryption
Encryption

Ensure your AWS

CloudTrail Log File CloudTrail trails have
Validation is Disabled log file integrity
validation enabled.
 services name findings name description

CloudTrail is not Ensure CloudTrail

integrated with event monitoring with
CloudWatch CloudWatch is enabled.

No Security Incident Ensure that Security

p
CloudWatch Alarm exist for AWS Incident Alarms are
Services created in CloudWatch

ou Ensure RDS database

r
RDS Database instance instances are not
Relational Database
are Publicly publicly accessible
Service (RDS)

g
accessible and prone to security
risks.

eh
Ensure Deletion

i
Deletion protection is Protection feature is
not Enabled for RDS enabled for your AWS

v
Instance RDS database
instances.

@
Ensure that
RDS Automated Backup Automated Backups
is not enabled are created for the
RDS Instances

Ensure AWS RDS

instances are
RDS Instance
encrypted to meet
Encryption is not
security and
Enabled
compliance
requirements.
services name findings name description

Ensure RDS instances

KMS Customer Master are encrypted with
Keys is not used for KMS CMKs in order to
RDS Instance have full control
Encryption over data encryption
and decryption.

p
Ensure that AWS RDS
snapshots are
RDS Snapshots

u
encrypted to meet
Encryption is not
security and
Enabled

o
compliance
requirements.

gr Ensure that your

Amazon RDS database

h
RDS Snapshots Publicly
snapshots are not
accessible
accessible to all AWS

e
accounts.

vi
Ensure Log Exports
RDS Log Exports is not feature is enabled for
Enabled (RDS MySQL, your AWS RDS MySQL,

@
Aurora and MariaDB) Aurora and MariaDB
database instances.

Ensure IAM Database

IAM Database Authentication
Authentication is not feature is enabled for
Enabled for RDS your AWS RDS MySQL
Instances and PostgreSQL
database instances.

Ensure AWS RDS

instances have the
RDS Auto Minor Version
Auto Minor Version
Upgrade Not Enabled
Upgrade feature
enabled.
services name findings name description

RDS Database Instance Ensure that the RDS

not updated Instance is Updated

Ensure AWS RDS

RDS Automated Backup instances have

p
is not enabled Automated Backups
feature enabled.

ou RDS Secure Transport

Ensure AWS RDS SQL

r
Server instances have
is not Enabled (SQL
Transport Encryption
Server, PostgreSQL)

g
feature enabled.

h
Ensure AWS RDS

e
instances have
RDS Backup Retention

i
sufficient backup
Period is not enough
retention period for

v
compliance purposes.

@
Ensure that RDS
SSL/TLS Certificates
Instance is using the
Already Expired for
updated SSL
RDS
Certificate

Ensure AWS RDS

RDS not using Multi-AZ clusters have the
deployment Multi-AZ feature
enabled.
 services name findings name description

Ensure Amazon SNS

Simple Notification Cross-Account Access topics do not allow
Service (SNS) for SNS Topics unknown cross
account access.

Ensure that AWS

Simple Notification

p
SNS Topics Exposed to
Service (SNS) topics
Everyone
are not exposed to

u
everyone.

o
Ensure that Amazon

r
Server-Side Encryption
SNS topics enforce
is Not Enabled for AWS
Server-Side Encryption

g
SNS Topics
(SSE).

h
Ensure that Amazon

e
KMS Customer Master SNS topics are

i
Keys is not used for encrypted with KMS
SNS Topics Encryption Customer Master Keys

v
(CMKs).

Ensure KMS key

@
rotation feature is
Key Management Lack of KMS Key
enabled for all your
Service (KMS) Rotation
Customer Master Keys
(CMK).

Ensure Amazon KMS

AWS Keys Exposed to
master keys are not
Everyone
exposed to everyone.
services name findings name description

Cross-Account Access Cross-Account Access

for KMS Service for KMS Service

Ensure that Code

Code Signing is not
Signing is enabled for

p
Lambda Enabled for Lambda
your Amazon Lambda
Functions
functions.

ou Ensure that the

r
Lambda Runtime latest version of the
Environment Version is runtime environment is

g
not Latest used for your AWS
Lambda functions.

eh
Ensure AWS Lambda

i
Cross-Account Access functions do not allow
for Lambda Functions unknown cross

v
Queues account access via
permission policies.

@
Ensure that your
Lambda Function Amazon Lambda
Exposed to Everyone functions are not
exposed to everyone.

Ensure encryption is
Lambda Environment enabled for the AWS
Variables are not Lambda environment
Encrypted variables that store
sensitive information.
services name findings name description

Ensure Lambda
environment variables
KMS Customer Master are encrypted with
Keys is not used for KMS Customer Master
Lambda Environment Keys (CMKs) to gain
Variables Encryption full control over
data encryption and
decryption.

up Ensure AWS Config is

enabled in all regions

o
to get the optimal
AWS Config AWS Config Not Used
visibility of the

r
activity on your
account.

hg Validate AWS Config

Validate the AWS
Config Rules and check

e
Rules for NonCompliant

i
Rules

v
Ensure Amazon
GuardDuty is enabled

@
AWS GuardDuty Not to help you protect
AWS GuardDuty
Used your AWS accounts and
workloads against
security threats.

Always validate the

Validate the AWS
findings that are
GuardDuty Findings
reported by GuardDuty

Ensure your domain

Route 53 Domain names have the
Route 53 Transfer Lock is not Transfer Lock feature
Enabled enabled in order to
keep them secure.
 services name findings name description

Ensure there is an SPF

record set for each
SPF Record not
MX DNS record in order
Present
to stop spammers from
spoofing your domains.

p
Ensure expired AWS
Route53 Domains
Route 53 domains names
Already Expired

u
are restored.

ro
Ensure AWS Route 53
domain names are

g
Route53 Domains are
renewed before their
about to Expire
expiration (90 days

h
before expiration).

ie
Ensure that DNSSEC
DNSSEC Signing for
signing is enabled for

v
Route 53 Hosted Zones
your Amazon Route 53
is not Enabled
Hosted Zones.

@
Ensure that envelope
encryption of
Elastic Kubernetes EKS Secret Encryption
Kubernetes secrets
Service (EKS) is not Enabled
using Amazon KMS is
enabled.

Ensure that EKS

Kubernetes Cluster control plane logging
Logging is not Enabled is enabled for your
Amazon EKS clusters.
 services name findings name description

Ensure that the

latest version of
Kubernetes Cluster
Kubernetes is
Version is not Updated
installed on your
Amazon EKS clusters.

Ensure that AWS EKS

p
cluster endpoint
Cluster Endpoints are
access is not public
Publicly accessible

u
and prone to security
risks.

ro
Ensure Amazon SQS
Server-Side Encryption
Simple Queue Service queues enforce

g
is not Enabled for SQS
(SQS) Server-Side Encryption
Queues
(SSE).

eh
Ensure SQS queues are

i
encrypted with KMS
KMS Customer Master
CMKs to gain full
Keys is not used for

v
control over data
SQS Queue Encryption
encryption and
decryption.

@
Ensure that AWS
SQS Queue Exposed to Simple Queue Service
Everyone (SQS) queues are not
exposed to everyone.

Ensure AWS Simple

Queue Service (SQS)
Cross-Account Access
queues do not allow
for SQS Queues
unknown cross
account access.
services name findings name description

Continuous Backup is Ensure that continous

DynamoDB Not Enabled for backup is enabld for
DynamoDB all the DynamoDB

Ensure that for all

KMS Customer Master
the DynamoDB tables
Keys is not used for

p
are using KMS
DynamoDB Table
Customers Master Keys
Encryption

u
for encryption

o
Ensure that

r
AWS Backup Vault is
Accidental Deletion is
AWS Backups Not Prevented from
enabled for AWS

g
Accidental Deletion
Backup Vault

eh
Ensure that Redshift
Redshift Cluster is

i
RedShift Cluster is not publicly
publicly accessible
accessible

v
@
Ensure that the
Workspaces Volume
volume encryption is
WorkSpaces Encryption is not
enabled for all the
Enabled
Workspaces

Ensure that you are

not using an older
Older Version of
version of elasticache
ElastiCache ElastiCache Engine in
and use the latest
Use
version that is
available
 services name findings name description

Ensure that redis

ElastiCache Redis
clusters data In-
cluster In-Transit and
transit and At-rest
At-rest Encryption
encryptions are
not enabled
enabled

p
Access logging Ensure that access
CloudFront disabled for logging is enabled for

u
CloudFront Cloudfront

ro
Ensure that WAF is
WAF is Not Enabled in
enabled for all the

g
CloudFront
available Cloudfront

h
Ensure that you are

e
TLSv1.0 Supported by
using latest TLS

i
CloudFront
version for all
Distribution
Cloudfront

v
@

Note: The above content is taken from securitycipher.com, special thanks to Piyush
Kumawat