AWS Security Policies

The Security Policies view lists all security policies within the Cloudneeti application. The security policies for the different cloud account types are listed below; refer to the Release Notes for the latest updates.

AWS Security Policies

Category Name Policy Title
AWS - Audit and Logging Ensure CloudTrail is enabled in all regions
AWS - Audit and Logging Ensure CloudTrail log file validation is enabled
AWS - Audit and Logging Ensure AWS Config is enabled in all regions
AWS - Audit and Logging Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
AWS - Audit and Logging Ensure CloudTrail logs are encrypted at rest using KMS CMKs
AWS - Audit and Logging Ensure VPC flow logging is enabled in all VPCs
AWS - Audit and Logging Ensure S3 bucket access logging is enabled
AWS - Audit and Logging Ensure CloudTrail trails are integrated with CloudWatch Logs
AWS - Audit and Logging Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
AWS - Audit and Logging Ensure Global resources are included into Amazon Config service configuration
AWS - Audit and Logging Ensure that the log files (history files and snapshots) generated by AWS Config are delivered without any failures to designated S3 bucket
AWS - Audit and Logging Ensure AWS Config service is using an active SNS topic to monitor configuration changes
AWS - Audit and Logging Ensure AWS Config service is using an active S3 bucket to store configuration changes files
AWS - Audit and Logging Ensure that Object level write event log is enabled for S3 bucket
AWS - Audit and Logging Ensure that Object level read event log is enabled for S3 bucket
AWS - Audit and Logging Ensure that Event Subscription is enabled for RDS PostgreSQL Instance
AWS - Audit and Logging Ensure that Event Subscription is enabled for RDS MariaDB Instance
AWS - Audit and Logging Ensure that Event Subscription is enabled for RDS Aurora Cluster
AWS - Audit and Logging Ensure that Event Subscription is enabled for RDS Oracle Instances
AWS - Audit and Logging Ensure that Event Subscription is enabled for RDS SQL Server Instances
AWS - Audit and Logging Ensure that Event Subscription is enabled for RDS Aurora SQL Instances
AWS - Audit and Logging Ensure that Event Subscription is enabled for RDS Aurora MySQL Serverless Cluster
AWS - Audit and Logging Ensure Log Exports feature is enabled for RDS Aurora MySQL Serverless Cluster
AWS - Audit and Logging Ensure that Event Subscription is enabled for RDS Aurora PostgreSQL Serverless Cluster
AWS - Audit and Logging Ensure unsafe statement transaction logging is enabled for RDS MySQL Instance
AWS - Audit and Logging Ensure Log Exports feature is enabled for RDS MySQL Instance
AWS - Audit and Logging Ensure Log Exports feature is enabled for RDS MariaDB Instance
AWS - Audit and Logging Ensure Log Exports feature is enabled for Aurora cluster
AWS - Audit and Logging Ensure Log Exports feature is enabled for Oracle instances
AWS - Audit and Logging Ensure that Event Subscription is enabled for RDS MySQL Instance
AWS - Audit and Logging Ensure that CloudTrail trail have logging enabled
AWS - Audit and Logging Ensure that CloudWatch detailed monitoring is enabled in ASG launch configurations
AWS - Audit and Logging Ensure that CloudWatch Log feature is enabled for Amazon API Gateway
AWS - Audit and Logging Ensure that Detailed CloudWatch Metrics feature is enabled for Amazon API Gateway
AWS - Business Continuity Ensure each Auto-Scaling Group is configured for multiple Availability Zones
AWS - Business Continuity Ensure S3 buckets have versioning enabled
AWS - Business Continuity Ensure Amazon Auto Scaling Groups are utilizing cooldown periods
AWS - Business Continuity Ensure Classic Load Balancer has application layer Health Check Configured
AWS - Business Continuity Ensure all CloudFront Distributions require HTTPS between CloudFront and your ELB origin
AWS - Business Continuity Ensure Auto-Scaling Group has an associated Elastic Load Balancer
AWS - Business Continuity Ensure that AWS Redshift Reserved Nodes are renewed in the next 7 days
AWS - Business Continuity Configure HTTP to HTTPS redirects with a CloudFront Viewer Protocol Policy
AWS - Business Continuity Ensure that AWS Redshift Reserved Nodes are renewed in the next 30 days
AWS - Business Continuity Ensure that Termination Protection feature is enabled for AWS CloudFormation stacks
AWS - Business Continuity Ensure AWS Neptune clusters have a sufficient backup retention period set for compliance purposes
AWS - Business Continuity Ensure Amazon Neptune instances have Auto Minor Version Upgrade feature enabled
AWS - Business Continuity Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery
AWS - Business Continuity Ensure that Amazon Neptune database clusters have the Multi-AZ feature enabled
AWS - Business Continuity Ensure backup retention policy is set for RDS PostgreSQL Instances
AWS - Business Continuity Ensure Auto Minor Version Upgrade feature is Enabled for RDS PostgreSQL Instances
AWS - Business Continuity Ensure that sufficient backup retention period is applied to RDS PostgreSQL Instances
AWS - Business Continuity Ensure Multi-AZ feature is Enabled for RDS PostgreSQL Instance
AWS - Business Continuity Ensure backup retention policy is set for RDS MariaDB Instances
AWS - Business Continuity Ensure Auto Minor Version Upgrade feature is Enabled for RDS MariaDB Instances
AWS - Business Continuity Ensure that sufficient backup retention period is applied to RDS MariaDB Instances
AWS - Business Continuity Ensure Multi-AZ feature is Enabled for RDS MariaDB Instance
AWS - Business Continuity Ensure Multi-AZ feature is Enabled for RDS Aurora Cluster
AWS - Business Continuity Ensure backup retention policy is set for RDS Aurora Cluster
AWS - Business Continuity Ensure that sufficient backup retention period is applied to RDS Aurora Cluster
AWS - Business Continuity Ensure that backtracking is enabled for RDS Aurora Cluster
AWS - Business Continuity Ensure Auto Minor Version Upgrade feature is Enabled for RDS Oracle Instances
AWS - Business Continuity Ensure backup retention policy is set for RDS Oracle Instances
AWS - Business Continuity Ensure Multi-AZ feature is Enabled for RDS Oracle Instances
AWS - Business Continuity Ensure that sufficient backup retention period is applied to RDS Oracle Instances
AWS - Business Continuity Ensure Auto Minor Version Upgrade feature is Enabled for RDS SQL Server Instances
AWS - Business Continuity Ensure backup retention policy is set for RDS SQL Server Instance
AWS - Business Continuity Ensure that sufficient backup retention period is applied to RDS SQL Server Instances
AWS - Business Continuity Ensure Multi-AZ feature is Enabled for RDS SQL Server Instances
AWS - Business Continuity Ensure Auto Minor Version Upgrade feature is Enabled for RDS Aurora SQL Instances
AWS - Business Continuity Ensure that sufficient backup retention period is applied to RDS Aurora MySQL Serverless Cluster
AWS - Business Continuity Ensure that sufficient backup retention period is applied to RDS Aurora PostgreSQL Serverless Cluster
AWS - Business Continuity Ensure Auto Minor Version Upgrade feature is Enabled for RDS MySQL Instances
AWS - Business Continuity Ensure backup retention policy is set for RDS MySQL Instances
AWS - Business Continuity Ensure that sufficient backup retention period is applied to RDS MySQL Instances
AWS - Business Continuity Ensure Multi-AZ feature is Enabled for RDS MySQL Instance
AWS - Business Continuity Ensure that the Auto Scaling Group has a health check type set to ELB
AWS - Business Continuity Ensure that termination policy for instances in an ASG is in place
AWS - Business Continuity Ensure that MaxInstanceLifetime of instances in an ASG is set
AWS - Business Continuity Ensure that DeleteOnTermination is enabled for EBS volumes in ASG launch configurations
AWS - Compute Ensure all AWS EC2 instances are launched from approved AMIs
AWS - Compute Ensure that EC2 instances have no Elastic or Public IP addresses associated
AWS - Compute Ensure that tracing is enabled for your AWS Lambda functions
AWS - Compute Ensure default EC2 security groups are not in use in order to follow AWS security best practices
AWS - Compute Ensure that detailed monitoring is enabled for the AWS EC2 instances that you need to monitor closely
AWS - Compute Ensure no backend EC2 instances are running in public subnets
AWS - Compute Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices
AWS - Compute Ensure EC2 instances are launched using the EC2-VPC platform instead of EC2-Classic outdated platform
AWS - Compute Ensure that there are no AWS EC2 instances that have scheduled events
AWS - Compute Ensure that the security group(s) associated with an EC2 instance does not have an excessive number of rules defined
AWS - Compute Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs
AWS - Compute Ensure there are no running AWS EC2 instances older than 180 days available within your AWS account
AWS - Compute Ensure Instance Profiles/IAM Roles are used to appropriately grant permissions to applications running on Amazon EC2 instances
AWS - Compute Ensure no EC2 security group allows inbound traffic from RFC-1918 CIDRs in order to follow AWS security best practices
AWS - Compute Ensure that your existing AMIs are encrypted to meet security and compliance requirements
AWS - Compute Ensure that there are no AMIs older than 180 days available within your AWS account
AWS - Compute Ensure that unused Amazon Machine Images (AMIs) are identified and removed in order to follow AWS security best practices
AWS - Compute Ensure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts
AWS - Compute Ensure that none of your AWS EC2 Reserved Instance purchases have been failed
AWS - Compute Ensure that none of your AWS EC2 Reserved Instance purchases are pending
AWS - Compute Ensure Amazon EC2 Reserved Instances (RI) are renewed before expiration (less than 30 days)
AWS - Compute Ensure that the latest execution environment is used for your AWS Lambda functions
AWS - Compute Ensure that EC2 instances provisioned in your AWS account are not associated with security groups that have their name prefixed with 'launch-wizard'
AWS - Compute Ensure that EBS optimized instances are launched using ASG launch configurations
AWS - Compute Ensure that AWS X-Ray Tracing feature is enabled for Amazon API Gateway
AWS - Compute Ensure SSL/TLS certificates are renewed 45 days before their expiration
AWS - Compute Ensure SSL/TLS certificates are renewed 30 days before their expiration
AWS - Compute Ensure SSL/TLS certificates are renewed 7 days before their expiration
AWS - Compute Ensure that your server certificates are not vulnerable to Heartbleed security bug
AWS - Compute Ensure expired SSL/TLS certificates are removed from AWS IAM
AWS - Compute Ensure that wildcard certificates issued by Amazon Certificate Manager (ACM) or imported to ACM are not in use
AWS - Compute Ensure there are no failed SSL/TLS certificates in the AWS Certificate Manager (ACM)
AWS - Compute Ensure expired SSL/TLS certificates are removed from AWS Certificate Manager (ACM)
AWS - Compute Ensure that all the requests made during SSL/TLS certificate issue or renewal process are validated
AWS - Compute Ensure Amazon Certificate Manager (ACM) certificates are renewed 7 days before their expiration
AWS - Compute Ensure Amazon Certificate Manager (ACM) certificates are renewed 45 days before their expiration
AWS - Compute Ensure Amazon Certificate Manager (ACM) certificates are renewed 30 days before their expiration
AWS - Compute Ensure unused SSL/TLS certificates are removed from AWS Certificate Manager (ACM) in order to follow AWS best practices
AWS - Compute Ensure that AWS Neptune instances enforce data-at-rest encryption using KMS CMKs
AWS - Compute Ensure that Amazon Neptune graph database instances are encrypted
AWS - Compute Ensure EBS volumes are encrypted with KMS CMKs in order to have full control over data encryption and decryption
AWS - Compute Ensure that encryption with a KMS key is implemented for each SNS topic
AWS - Compute Ensure that KMS CMK is used to encrypt SQS queue
AWS - Compute Ensure that Transport Encryption feature is enabled for RDS SQL Server Instances
AWS - Data Protection Ensure that existing Elastic Block Store (EBS) attached volumes are encrypted
AWS - Data Protection Ensure unattached Elastic Block Store volumes are removed to improve security of data
AWS - Data Protection Ensure Amazon EBS snapshots are encrypted to meet security and compliance requirement
AWS - Data Protection Ensure Simple Notification Service subscriptions are not using HTTP as the delivery protocol
AWS - Data Protection Ensure that AWS Simple Notification Service topics are not exposed to everyone
AWS - Data Protection Ensure that AWS Simple Queue Service queues are not exposed to everyone
AWS - Data Protection Ensure that Server-Side Encryption is enabled for Amazon SQS queues
AWS - Data Protection Ensure Deletion Protection feature is enabled for RDS PostgreSQL Instances
AWS - Data Protection Ensure that encryption is enabled for RDS PostgreSQL Instances
AWS - Data Protection Ensure Performance Insights feature is enabled for RDS PostgreSQL Instances
AWS - Data Protection Ensure that encryption for storage is done with KMS CMKs for each RDS PostgreSQL Instance
AWS - Data Protection Ensure Deletion Protection feature is enabled for RDS MariaDB Instances
AWS - Data Protection Ensure that encryption is enabled for RDS MariaDB Instances
AWS - Data Protection Ensure Performance Insights feature is enabled for RDS MariaDB Instances
AWS - Data Protection Ensure that encryption for storage is done with KMS CMKs for each RDS MariaDB Instance
AWS - Data Protection Ensure that Deletion Protection feature is enabled for RDS Aurora Cluster
AWS - Data Protection Ensure Deletion Protection feature is enabled for RDS Oracle Instances
AWS - Data Protection Ensure that encryption is enabled for RDS Oracle Instances
AWS - Data Protection Ensure Performance Insights feature is enabled for RDS Oracle Instances
AWS - Data Protection Ensure that encryption for storage is done with KMS CMKs for each RDS Oracle Instance
AWS - Data Protection Ensure Deletion Protection feature is enabled for RDS SQL Server Instances
AWS - Data Protection Ensure that encryption is enabled for RDS SQL Server Instances
AWS - Data Protection Ensure Performance Insights feature is enabled for RDS SQL Server Instances
AWS - Data Protection Ensure that encryption for storage is done with KMS CMKs for each RDS SQL Server Instance
AWS - Data Protection Ensure that encryption is enabled for RDS Aurora SQL Instances
AWS - Data Protection Ensure Performance Insights feature is enabled for Aurora SQL Instances
AWS - Data Protection Ensure that encryption for storage is done with KMS CMKs for RDS Aurora MySQL Serverless Cluster
AWS - Data Protection Ensure that encryption for storage is done with KMS CMKs for RDS Aurora SQL Instances
AWS - Data Protection Ensure that encryption for storage is done with KMS CMKs for RDS Aurora PostgreSQL Serverless Cluster
AWS - Data Protection Ensure that Deletion Protection feature is enabled for RDS Aurora MySQL Serverless Cluster
AWS - Data Protection Ensure that the latest block encryption algorithms are used for RDS MySQL Instance
AWS - Data Protection Ensure that Deletion Protection feature is enabled for RDS Aurora PostgreSQL Serverless Cluster
AWS - Data Protection Ensure FIPS standards are enabled on the server side for RDS MySQL Instance
AWS - Data Protection Ensure that the server loads the validate password plugin at startup for RDS MySQL Instance
AWS - Data Protection Ensure Performance Insights feature is enabled for RDS MySQL Instances
AWS - Data Protection Ensure Deletion Protection feature is enabled for RDS MySQL Instances
AWS - Data Protection Ensure that encryption for storage is done with KMS CMKs for each RDS MySQL Instance
AWS - Data Protection Ensure that encryption is enabled for RDS MySQL Instances
AWS - Data Protection Ensure that SSL certificates are attached to Amazon API Gateway to verify that HTTP requests made to the backend system come from the API Gateway service
AWS - Data Protection Ensure that encrypted EBS volume is being used in ASG launch configurations
AWS - Data Protection Ensure that API Gateway client-side SSL certificate is renewed before expiration
AWS - Data Protection Windows 2016 - Ensure 'Audit Credential Validation' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Account Lockout' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Special Logon' is set to 'Success'
AWS - Data Protection Windows 2016 - Ensure 'Audit Removable Storage' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Authorization Policy Change' is set to 'Success'
AWS - Data Protection Windows 2016 - Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Group Membership' is set to 'Success'
AWS - Data Protection Windows 2016 - Ensure 'Audit User Account Management' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Logoff' is set to 'Success'
AWS - Data Protection Windows 2016 - Ensure 'Audit Logon' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Other System Events' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Security State Change' is set to 'Success'
AWS - Data Protection Windows 2016 - Ensure 'Audit IPsec Driver' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Application Group Management' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit PNP Activity' is set to 'Success'
AWS - Data Protection Windows 2016 - Ensure 'Audit Authentication Policy Change' is set to 'Success'
AWS - Data Protection Windows 2016 - Ensure 'Audit Distribution Group Management' is set to 'Success and Failure' (DC only)
AWS - Data Protection Windows 2016 - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'
AWS - Data Protection Windows 2016 - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
AWS - Data Protection Windows 2016 - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
AWS - Data Protection Windows 2016 - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
AWS - Data Protection Windows 2016 - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'
AWS - Data Protection Windows 2016 - Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'
AWS - Data Protection Windows 2016 - Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
AWS - Data Protection Windows 2016 - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
AWS - Data Protection Windows 2016 - Ensure 'Audit Computer Account Management' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Security Group Management' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Process Creation' is set to 'Success'
AWS - Data Protection Windows 2016 - Ensure 'Audit Audit Policy Change' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit Security System Extension' is set to 'Success and Failure'
AWS - Data Protection Windows 2016 - Ensure 'Audit System Integrity' is set to 'Success and Failure'
AWS - Governance Ensure Amazon RDS Reserved Instances contracts are renewed before expiration in 7 days
AWS - Governance Ensure Amazon RDS Reserved Instances contracts are renewed before expiration in 30 days
AWS - Governance Ensure Amazon Organization is in use to consolidate all AWS accounts into an organization
AWS - Governance Ensure that there are no publicly accessible AWS Lambda functions
AWS - Governance Ensure there is a Dead Letter Queue configured for each Amazon SQS queue
AWS - Governance Ensure that Copy Tags to Snapshots feature is enabled for RDS PostgreSQL Instances
AWS - Governance Ensure that unique master user name is used for each RDS PostgreSQL Instance
AWS - Governance Ensure that Copy Tags to Snapshots feature is enabled for RDS MariaDB Instances
AWS - Governance Ensure that unique master user name is used for each RDS MariaDB Instance
AWS - Governance Ensure that Copy Tags to Snapshots feature is enabled for RDS Aurora Cluster
AWS - Governance Ensure that Copy Tags to Snapshots feature is enabled for RDS Oracle Instances
AWS - Governance Ensure that unique master user name is used for each RDS Oracle Instances
AWS - Governance Ensure that Copy Tags to Snapshots feature is enabled for RDS SQL Server Instances
AWS - Governance Ensure that unique master user name is used for each RDS SQL Server Instances
AWS - Governance Ensure that unique master user name is used for RDS Aurora SQL Instances
AWS - Governance Ensure that Copy Tags to Snapshots feature is enabled for RDS Aurora MySQL Serverless Cluster
AWS - Governance Ensure that unique master user name is used for RDS Aurora MySQL Serverless Cluster
AWS - Governance Ensure that AutoPause feature is enabled for RDS Aurora MySQL Serverless Cluster
AWS - Governance Ensure that Copy Tags to Snapshots feature is enabled for RDS Aurora PostgreSQL Serverless Cluster
AWS - Governance Ensure that AutoPause feature is enabled for RDS Aurora PostgreSQL Serverless Cluster
AWS - Governance Ensure that unique master user name is used for RDS Aurora PostgreSQL Serverless Cluster
AWS - Governance Ensure that Copy Tags to Snapshots feature is enabled for RDS MySQL Instances
AWS - Governance Ensure that unique master user name is used for each RDS MySQL Instance
AWS - Key Management Ensure rotation for customer created CMKs is enabled
AWS - Key Management Ensure that there are no disabled Customer Master Keys (CMK) in your AWS account in order to follow AWS best practices
AWS - Key Management Ensure Amazon KMS master keys are not exposed to everyone
AWS - Key Management Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion
AWS - Monitoring Ensure a log metric filter and alarm exist for unauthorized API calls
AWS - Monitoring Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
AWS - Monitoring Ensure a log metric filter and alarm exist for usage of 'root' account
AWS - Monitoring Ensure a log metric filter and alarm exist for IAM policy changes
AWS - Monitoring Ensure a log metric filter and alarm exist for CloudTrail configuration changes
AWS - Monitoring Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
AWS - Monitoring Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
AWS - Monitoring Ensure a log metric filter and alarm exist for S3 bucket policy changes
AWS - Monitoring Ensure a log metric filter and alarm exist for AWS Config configuration changes
AWS - Monitoring Ensure a log metric filter and alarm exist for security group changes
AWS - Monitoring Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
AWS - Monitoring Ensure a log metric filter and alarm exist for changes to network gateways
AWS - Monitoring Ensure a log metric filter and alarm exist for route table changes
AWS - Monitoring Ensure a log metric filter and alarm exist for VPC changes
AWS - Monitoring Ensure Simple Notification Service is integrated with AWS CloudFormation stacks
AWS - Monitoring Ensure a log metric filter and alarm exist for S3 bucket object read operations
AWS - Monitoring Ensure a log metric filter and alarm exist for S3 bucket object write operations
AWS - Monitoring Ensure that Block all public access is turned on for S3 buckets
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to TCP ports 20 and 21 (FTP)
AWS - Networking Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 23 (Telnet)
AWS - Networking Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 25 (SMTP)
AWS - Networking Ensure no security group allows unrestricted inbound access to TCP port 1521 (Oracle Database)
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to TCP port 3306 (MySQL)
AWS - Networking Ensure no security group allows unrestricted inbound access to TCP port 5432 (PostgreSQL Database)
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to TCP and UDP port 53 (DNS)
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to TCP port 1433 (MSSQL)
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to TCP port 445 (CIFS)
AWS - Networking Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS)
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to Internet Control Message Protocol (ICMP)
AWS - Networking Ensure no security group allows unrestricted inbound access to TCP port 135 (RPC)
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB port 27017
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to port 9200 (Elasticsearch)
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to port 80 (HTTP)
AWS - Networking Ensure no security groups allow ingress from 0.0.0.0/0 to port 443 (HTTPS)
AWS - Networking Ensure no security group allows unrestricted inbound access to TCP port 110 (Pop3 Database)
AWS - Networking Ensure your EC2 security groups do not have an excessive number of rules defined
AWS - Networking Ensure your AWS account does not have an excessive number of security groups per region
AWS - Networking Ensure routing tables for VPC peering are "least access"
AWS - Networking Ensure the default security group of every VPC restricts all traffic
AWS - Networking Ensure that your AWS ELB listeners are using a secure protocol (HTTPS or SSL)
AWS - Networking Ensure Application Load Balancer (ALB) with administrative service: Remote Desktop (TCP:3389) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with unencrypted Mongo (TCP:27017) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with HTTP (Port:80) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with administrative service: SSH (TCP:22) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with service 'SNMP' (UDP:161) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with HTTPS (Port:443) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with service 'NetBios Datagram Service' (UDP:138) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with service 'NetBios Session Service' (UDP:139) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with service 'Known internal web port' (TCP:8080) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with service 'NetBIOS Name Service' (UDP:137) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with service 'NetBios Session Service' (TCP:139) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with service 'Known internal web port' (TCP:8000) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with service 'NetBIOS Name Service' (TCP:137) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with service 'NetBios Datagram Service' (TCP:138) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with unencrypted LDAP (TCP:389) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer (ALB) with service 'Prevalent known internal port' (TCP:3000) is not exposed to the public internet
AWS - Networking Ensure that all Application Load Balancers (ALBs) available in your AWS account are associated with valid and secure security groups
AWS - Networking Ensure no security group allows unrestricted inbound access using Internet Control Message Protocol v6 (ICMPv6)
AWS - Networking Ensure no security group allows unrestricted inbound access to all TCP traffic
AWS - Networking Ensure no security group allows unrestricted inbound access to all UDP traffic
AWS - Networking Ensure AWS Application Load Balancers (ALBs) are using the latest predefined security policy
AWS - Networking Ensure no security group allows unrestricted inbound access to all traffic
AWS - Networking Ensure Deletion Protection feature is enabled for your AWS Application load balancers to follow security best practices
AWS - Networking Ensure that there are no unused Application Load Balancers in your AWS account in order to follow AWS best practices
AWS - Networking Ensure that your Application Load Balancer (ALB) listeners are using a secure protocol such as HTTPS
AWS - Networking Ensure access logging is enabled for your AWS ALBs to follow security best practices
AWS - Networking Ensure AWS Network Load Balancers (NLBs) are using the latest predefined security policy
AWS - Networking Ensure no Network Load Balancer allows unrestricted inbound access to all traffic
AWS - Networking Ensure Deletion Protection feature is enabled for your AWS Network load balancers to follow security best practices
AWS - Networking Ensure there are no unused Network Load Balancers in your AWS account in order to follow AWS best practices
AWS - Networking Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS
AWS - Networking Ensure access logging is enabled for your AWS NLBs to follow security best practices
AWS - Networking Ensure Network Load Balancer with unencrypted LDAP (TCP:389) is not exposed to the public internet
AWS - Networking Ensure that all Network Load Balancers (NLBs) available in your AWS account are associated with valid and secure security groups
AWS - Networking Ensure Network Load Balancer with service 'NetBIOS Name Service' (TCP:137) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with service 'Prevalent known internal port' (TCP:3000) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with service 'NetBios Session Service' (TCP:139) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with service 'NetBios Datagram Service' (TCP:138) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with service 'Known internal web port' (TCP:8080) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with service 'Known internal web port' (TCP:8000) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with service 'NetBIOS Datagram Service' (UDP:138) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with service 'NetBIOS Name Service' (UDP:137) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with service 'SNMP' (UDP:161) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with service 'NetBIOS Session Service' (UDP:139) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with HTTP (Port:80) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with HTTPS (Port:443) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with administrative service: Remote Desktop (TCP:3389) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with administrative service: SSH (TCP:22) is not exposed to the public internet
AWS - Networking Ensure that there are no unused Classic Load Balancers in your AWS account in order to follow AWS best practices
AWS - Networking Ensure Network Load Balancer with unencrypted MongoDB (TCP:27017) is not exposed to the public internet
AWS - Networking Ensure Connection Draining is enabled for your AWS Classic Load Balancer
AWS - Networking Ensure there are valid security groups associated with your Classic Load Balancer
AWS - Networking Ensure access logging is enabled for your AWS Classic Load Balancer to follow security best practices
AWS - Networking Ensure Classic Load Balancer with unencrypted LDAP (TCP:389) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'Prevalent known internal port' (TCP:3000) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'NetBIOS Name Service' (TCP:137) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'NetBIOS Datagram Service' (TCP:138) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'NetBIOS Session Service' (TCP:139) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'Known internal web port' (TCP:8000) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'Known internal web port' (TCP:8080) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'NetBIOS Name Service' (UDP:137) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'NetBIOS Datagram Service' (UDP:138) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'NetBIOS Session Service' (UDP:139) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'SNMP' (UDP:161) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with HTTPS (Port:443) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with HTTP (Port:80) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with administrative service: SSH (TCP:22) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with administrative service: Remote Desktop (TCP:3389) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with unencrypted MongoDB (TCP:27017) is not exposed to the public internet
AWS - Networking Ensure no Classic Load Balancer allows unrestricted inbound access using Internet Control Message Protocol v6 (ICMPv6)
AWS - Networking Ensure no Classic Load Balancer allows unrestricted inbound access using Internet Control Message Protocol (ICMP)
AWS - Networking Ensure no Classic Load Balancer allows unrestricted inbound access to all UDP traffic
AWS - Networking Ensure no Network Load Balancer allows unrestricted inbound access to all TCP traffic
AWS - Networking Ensure that your EC2 security groups do not allow unrestricted outbound/egress access
AWS - Networking Ensure AWS EC2 security group rules have descriptive text for organization and documentation
AWS - Networking Ensure no Classic Load Balancer allows unrestricted inbound access to all traffic
AWS - Networking Ensure no Classic Load Balancer allows unrestricted inbound access to all TCP traffic
AWS - Networking Ensure Elastic IPs for NAT gateways are allocated
AWS - Networking Ensure AWS default Virtual Private Cloud (VPC) is not being used
AWS - Networking Ensure that a specific Internet/NAT gateway is attached to a specific VPC
AWS - Networking Ensure Amazon VPC endpoints are not exposed to everyone
AWS - Networking Ensure no Application Load Balancer allows unrestricted inbound access using Internet Control Message Protocol v6 (ICMPv6)
AWS - Networking Ensure no Application Load Balancer allows unrestricted inbound access using Internet Control Message Protocol (ICMP)
AWS - Networking Ensure no Application Load Balancer allows unrestricted inbound access to all UDP traffic
AWS - Networking Ensure no Application Load Balancer allows unrestricted inbound access to all TCP traffic
AWS - Networking Ensure no Application Load Balancer allows unrestricted inbound access to all traffic
AWS - Networking Ensure no Network Load Balancer allows unrestricted inbound access to all UDP traffic
AWS - Networking Ensure no Network Load Balancer allows unrestricted inbound access using Internet Control Message Protocol (ICMP)
AWS - Networking Ensure no Network Load Balancer allows unrestricted inbound access using Internet Control Message Protocol v6 (ICMPv6)
AWS - Networking Ensure no security group allows unrestricted ingress access to TCP port 8545 (Ethereum)
AWS - Networking Ensure no security group allows unrestricted ingress access to TCP ports 8332 and 8333 (Bitcoin)
AWS - Networking Ensure Network Load Balancer with service 'Ethereum' (TCP Port 8545) is not exposed to the public internet
AWS - Networking Ensure Network Load Balancer with service 'Bitcoin' (TCP Ports 8332 and 8333) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'Ethereum' (Port 8545) is not exposed to the public internet
AWS - Networking Ensure Classic Load Balancer with service 'Bitcoin' (Ports 8332 and 8333) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer with service 'Ethereum' (Port 8545) is not exposed to the public internet
AWS - Networking Ensure Application Load Balancer with service 'Bitcoin' (Ports 8332 and 8333) is not exposed to the public internet
AWS - Networking Ensure that public access is not given to RDS PostgreSQL Instance
AWS - Networking Ensure that public subnets are not assigned to RDS PostgreSQL Instances
AWS - Networking Ensure that public access is not given to RDS MariaDB Instance
AWS - Networking Ensure that public subnets are not assigned to RDS MariaDB Instances
AWS - Networking Ensure that public access is not given to RDS Oracle Instances
AWS - Networking Ensure that public subnets are not assigned to RDS Oracle Instances
AWS - Networking Ensure that public access is not given to RDS SQL Server Instances
AWS - Networking Ensure that public subnets are not assigned to RDS SQL Server Instances
AWS - Networking Ensure that public access is not given to RDS Aurora SQL Instances
AWS - Networking Ensure that public subnets are not assigned to RDS Aurora SQL Instances
AWS - Networking Ensure that public subnets are not assigned to RDS Aurora MySQL Serverless Cluster
AWS - Networking Ensure that public subnets are not assigned to RDS Aurora PostgreSQL Serverless Cluster
AWS - Networking Ensure that public access is not given to RDS MySQL Instance
AWS - Networking Ensure that public subnets are not assigned to RDS MySQL Instances
AWS - Networking Ensure that security group in ASG launch configuration does not have SSH port open to the internet
AWS - Networking Ensure that security group in ASG launch configuration does not have RDP port open to the internet
AWS - Networking Ensure that Access-Control-Allow-Origin is not set to all sources for HTTP APIs
AWS - Networking Ensure that Access-Control-Allow-Methods is set to specific methods and not * for HTTP APIs
AWS - Networking Ensure that Access-Control-Allow-Headers is set to specific headers and not * for HTTP APIs
AWS - Networking Ensure that Access-Control-Allow-Credentials is set to True for HTTP APIs
AWS - Networking Ensure that Data Trace logging is enabled for WebSocket APIs
AWS - Networking Ensure that Access logging is enabled for WebSocket APIs
AWS - Networking Ensure that Amazon API Gateway APIs are accessible only through private API endpoints
AWS - Networking Ensure that AWS WAF is integrated with Amazon API Gateway to protect APIs from common web exploits
AWS - Storage and Databases Ensure all S3 buckets have policy to require server-side and in transit encryption for all objects stored in bucket
AWS - Storage and Databases Ensure AWS S3 buckets have the MFA Delete feature enabled
AWS - Storage and Databases Ensure AWS S3 buckets do not allow public access via bucket policies
AWS - Storage and Databases Ensure AWS S3 buckets enforce SSL to secure data in transit
AWS - Storage and Databases Ensure Amazon S3 buckets have Default Encryption feature enabled
AWS - Storage and Databases Ensure that Amazon S3 buckets access is limited only to specific IP addresses
AWS - Storage and Databases Ensure that your AWS S3 buckets are not publicly exposed to the Internet
AWS - Storage and Databases Ensure AWS S3 buckets do not allow public READ access
AWS - Storage and Databases Ensure AWS S3 buckets do not allow public READ_ACP access
AWS - Storage and Databases Ensure AWS S3 buckets do not allow public WRITE_ACP access
AWS - Storage and Databases Ensure AWS S3 buckets do not allow public WRITE access
AWS - Storage and Databases Ensure that your AWS S3 buckets are using DNS-compliant bucket names
AWS - Storage and Databases Ensure Amazon S3 buckets have lifecycle configuration enabled for security purposes
AWS - Storage and Databases Ensure that Amazon S3 buckets are encrypted with customer-provided AWS KMS CMKs
AWS - Storage and Databases Ensure that Amazon S3 buckets use Transfer Acceleration feature for faster data transfers
AWS - Storage and Databases Ensure that AWS S3 buckets use Object Lock for data protection and/or regulatory compliance
AWS - Storage and Databases Ensure S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs
AWS - Storage and Databases Ensure S3 buckets do not allow READ access to AWS authenticated users through ACLs
AWS - Storage and Databases Ensure AWS S3 buckets do not allow READ_ACP access to AWS authenticated users using ACLs
AWS - Storage and Databases Ensure S3 buckets do not allow WRITE access to AWS authenticated users through S3 ACLs
AWS - Storage and Databases Ensure S3 buckets do not allow WRITE_ACP access to AWS authenticated users using S3 ACLs
AWS - Storage and Databases Identify and remove any unused AWS DynamoDB tables in your AWS account in order to follow AWS best practices
AWS - Storage and Databases Ensure Amazon DynamoDB tables enforce Server-Side Encryption (SSE)
AWS - Storage and Databases Ensure Amazon DynamoDB tables have continuous backups enabled
AWS - Storage and Databases Ensure that Amazon DynamoDB data is encrypted using AWS-managed Customer Master Keys
AWS - Storage and Databases Ensure on-demand backup and restore functionality is in use for AWS DynamoDB tables
AWS - Storage and Databases Ensure AWS DynamoDB Auto Scaling is enabled to automate capacity management for tables and indexes
AWS - Storage and Databases Ensure in-transit and at-rest encryption is enabled for Amazon EMR clusters
AWS - Storage and Databases Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3
AWS - Storage and Databases Ensure AWS EMR clusters are launched in a Virtual Private Cloud (i.e., using the EC2-VPC platform)
AWS - Storage and Databases Ensure that user activity logging is enabled for your Amazon Redshift clusters
AWS - Storage and Databases Ensure AWS Redshift database clusters are not using 'awsuser' (default master user name) for database access
AWS - Storage and Databases Ensure Redshift clusters are using the latest generation of nodes for performance improvements
AWS - Storage and Databases Ensure Deferred Maintenance feature is enabled for your Amazon Redshift clusters
AWS - Storage and Databases Ensure Amazon Redshift clusters are not using port 5439 (default port) for database access
AWS - Storage and Databases Ensure Redshift clusters are not publicly accessible to minimize security risks
AWS - Storage and Databases Ensure AWS Redshift non-default parameter groups require SSL to secure data in transit
AWS - Storage and Databases Ensure Amazon Redshift clusters are launched within a Virtual Private Cloud (VPC)
AWS - Storage and Databases Ensure Redshift clusters are encrypted with KMS customer master keys (CMKs) in order to have full control over data encryption and decryption
AWS - Storage and Databases Ensure database encryption is enabled for AWS Redshift clusters to protect your data at rest
AWS - Storage and Databases Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes
AWS - Storage and Databases Ensure Version Upgrade is enabled for Redshift clusters to automatically receive upgrades during the maintenance window
AWS - Storage and Databases Ensure that retention period is enabled for Amazon Redshift automated snapshots
AWS - Storage and Databases Ensure AWS Kinesis streams are encrypted with KMS Customer Master Keys (CMKs) for complete control over data encryption and decryption
AWS - Storage and Databases Ensure enhanced monitoring is enabled for your AWS Kinesis streams using shard-level metrics
AWS - Storage and Databases Ensure Amazon Kinesis streams enforce Server-Side Encryption (SSE)
AWS - Storage and Databases Ensure that the port number is not set to the default port number for RDS PostgreSQL Instances
AWS - Storage and Databases Ensure that the port number is not set to the default port number for RDS MariaDB Instances
AWS - Storage and Databases Ensure that the port number is not set to the default port number for RDS Oracle Instances
AWS - Storage and Databases Ensure that the port number is not set to the default port number for RDS SQL Server Instances
AWS - Storage and Databases Ensure that the port number is not set to the default port number for RDS Aurora SQL Instances
AWS - Storage and Databases Ensure that the port number is not set to the default port number for RDS MySQL Instances
AWS - Storage and Databases Ensure that 'Block public access to buckets and objects granted through new access control lists (ACLs)' is turned on for S3 buckets
AWS - Storage and Databases Ensure that 'Block public access to buckets and objects granted through any access control lists (ACLs)' is turned on for S3 buckets
AWS - Storage and Databases Ensure that 'Block public access to buckets and objects granted through new public bucket or access point policies' is turned on for S3 buckets
AWS - Storage and Databases Ensure that 'Block public and cross-account access to buckets and objects through any public bucket or access point policies' is turned on for S3 buckets
AWS - Storage and Databases Ensure that AWS ElastiCache clusters are not using the default ports set for Redis cache engines
AWS - Storage and Databases Ensure that in-transit encryption is enabled for AWS ElastiCache clusters
AWS - Storage and Databases Ensure that at-rest encryption is enabled for AWS ElastiCache clusters
AWS - Storage and Databases Ensure that Amazon ElastiCache clusters are launched within a Virtual Private Cloud (VPC)
AWS - Storage and Databases Ensure that Multi-AZ feature is enabled for AWS ElastiCache clusters
AWS - Storage and Databases Ensure that Content Encoding feature is enabled for Amazon API Gateway APIs