• AWS EC2

Monitor and audit EC2 instances to ensure security, availability, reliability is not compromised.

Security

Public Snapshots
Ensure that your EC2 instance snapshots are not publicly accessible. This is to avoid exposing your private data.

Non-public EC2 AMI
AWS AMIs should not be shared publicly with the other AWS accounts to prevent exposing sensitive data.

Encrypted AMI
Amazon Machine Images (AMIs) should be encrypted to fulfill compliance requirements for data-at-rest encryption.

No Blacklisted AMI
Blacklist all those AMI to prevent certain security issues to attack your application.

Default VPC Not In Use
It is recommended not to using the default VPC.

Description for Security Groups
Your security groups should have descriptions associated with them to help you run your operations smoothly. It serves as a documentation and guidance in future.

No EC2 Classic
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html

Scheduled Events
There are EC2 instances scheduled for retirement and/or maintenance. Kindly take the necessary steps (reboot, restart or re-launch).

Multiple Security Groups
Checks if EC2 instances have several Security Groups attached. Ideally there should be just 1 security group attach to an EC2 instance.

Unrestricted Netbios Access
No AWS EC2 security group should allow unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS).

Unrestricted Outbound Access
EC2 security groups should not allow unrestricted outbound/egress access.

EC2 IAM Roles
Use IAM Roles/Instance Profiles instead of IAM Access Keys to appropriately grant access permissions to any application that perform AWS API requests running on your EC2 instances.

Restrict data-tier subnet connectivity to VPC NAT Gateway
Ensuring that the Amazon VPC route table associated with the data-tier subnets has no default route configured to allow access to an AWS NAT Gateway in order to restrict Internet connectivity for the EC2 instances available within the data tier.

Unrestricted CIFS Access
No AWS EC2 security group should allow unrestricted inbound access to TCP port 445 and (CIFS).

Unrestricted ICMP Access
No security group should allow unrestricted inbound access using Internet Control Message Protocol (ICMP).

Unrestricted Inbound Access on All Uncommon Ports
No EC2 security group should allow unrestricted inbound access to any uncommon ports.

Unrestricted MongoDB Access
No security group should allow unrestricted ingress access to MongoDB port 27017.

Unrestricted MsSQL Access
No security group should allow unrestricted inbound access to TCP port 1433 (MSSQL)

Unrestricted MySQL Access
No security group should allow unrestricted inbound access to TCP port 3306 (MySQL).

Unrestricted Oracle Access
No security group should allow unrestricted inbound access to TCP port 1521 (Oracle Database).

Security Group Port Range
Security groups should not have range of ports opened for inbound traffic in order to protect your EC2 instances against denial-of-service (DoS) attacks or brute-force attacks.

Unrestricted PostgreSQL Access
No security group should allow unrestricted inbound access to TCP port 5432 (PostgreSQL Database).

Unrestricted RDP Access
No AWS EC2 security group should allow unrestricted inbound access to TCP port 3389 (RDP).

Unrestricted RPC Access
No security group should allow unrestricted inbound access to TCP port 135 (RPC).

Unrestricted SMTP Access
No security group should allow unrestricted inbound access to TCP port 25 (SMTP).

Default Security Group Unrestricted
Default security groups should restrict all public traffic to follow AWS security best practices.

Unrestricted Telnet Access
No security group should allow unrestricted inbound access to TCP port 23 (Telnet).

Unrestricted SSH Access
No security group should allow unrestricted inbound access to TCP port 22 (SSH).

Unrestricted Elasticsearch Access
No security group should allow unrestricted inbound access to TCP port 9200 (Elasticsearch).

Unrestricted FTP Access
No security group should allow unrestricted inbound access to TCP ports 20 and 21 (FTP).

Security Group Excessive Counts
Your AWS account should not have excessive number of security groups per region.

Security Group Name Prefixed With launch-wizard
EC2 security groups prefixed with launch-wizard should not be in use in order to follow AWS security best practices.

EC2 Instance Counts
Your AWS account should not reached the limit set for the number of EC2 instances.

Security Group Rules Counts
EC2 security groups should not have an excessive number of rules defined.

Security Group RFC 1918
No EC2 security group should allow inbound traffic from RFC-1918 CIDRs in order to follow AWS security best practices.

EC2 Instance Not In Public Subnet
No backend EC2 instances should be running in public subnets.

Unrestricted DNS Access
No security group should allow unrestricted inbound access to TCP and UDP port 53 (DNS).

Unrestricted HTTP Access
No security group should allow unrestricted inbound access to TCP port 80 (HTTP).

Unrestricted HTTPS Access
No security group should allow unrestricted inbound access to TCP port 443 (HTTPS).

Check for EC2 Instances with Blacklisted Instance Types
Your AWS account should not have any EC2 instance with the instance type blacklisted.

Unused AWS EC2 Key Pairs
Unused AWS EC2 key pairs should be decommissioned to follow best practices.

EC2 Instance Tenancy
EC2 instances should have the required tenancy for security and regulatory compliance requirements.

Reliability

Older Instances Running
EC2 instance running indefinitely in your AWS your account could increase the risk of potential issues.

Termination Protection
Ensuring Termination Protection feature is enabled for EC2 instances that are not part of ASGs.

Enable AWS EC2 Hibernation
The Hibernation feature should be enabled for EBS-backed EC2 instances to retain memory state across instance stop/start cycles.

Instance In Auto Scaling Group
Every EC2 instance should be launched inside an Auto Scaling Group (ASG) in order to follow the best AWS reliability and security practices.

Operational Maturity

EC2 Instances vCPU Limit
Monitoring vCPU-based limits for on-demand EC2 instances avoids resource starvation. Service Quotas is an AWS service that enables you to view and manage your quotas from a central location. Quotas, also referred to as limits, are the maximum value for your resources, actions, and items in your AWS account.

AMI Age
Your AMI age should be more than configured number of days. This ensures that your EC2 instances deployed are secure and reliable.

Desired Instance Type
EC2 instance launched should be from an approved list of instance types.

Operational Efficiency

Detailed Monitoring
Detailed monitoring should be enabled on EC2 instances.

Cost optimisation

EC2 Reserved Instance Payment Failed
To ensure that none of your AWS EC2 Reserved Instance purchases have failed.

EC2 Reserved Instance Payment Pending
To ensure that none of your AWS EC2 Reserved Instance purchases are pending.

EC2 Reserved Instance Recent Purchases
For regularly reviewing your EC2 Reserved Instance purchases for cost optimization (informational).

Reserved Instance Lease Expiration In The Next 30 Days
Lists all EC2 reserved instances expiring in the next 30 days.

Reserved Instance Lease Expiration In The Next 7 Days
Lists all EC2 reserved instances expiring in the next 7 days.

Unused AMI
Unused AMIs should be removed to follow best practices.

Unused AWS EC2 Key Pairs
AWS EC2 Reserved Instances should be fully utilized.

Performance Efficiency

EC2-Classic Elastic IP Address Limit
Your account should not reach the limit set by AWS for the number of allocated Elastic IPs.

EC2-VPC Elastic IP Address Limit
Your account should not reach the limit set by AWS for the number of Elastic IPs.

EC2 Instance Generation
Your AWS servers should be using the latest generation of EC2 instances for price-performance improvements.

Unused Elastic Network Interfaces
Unused AWS Elastic Network Interfaces (ENIs) should be removed to follow best practices.

Overutilized AWS EC2 Instances
Overutilized EC2 instances should be upgraded to optimize application response time.

Cost Optimisation

Unassociated Elastic IP Addresses
Identify and remove any unassociated Elastic IP (EIP) addresses for cost optimization.

Cost optimization

Idle EC2 Instance
Idle AWS EC2 instances should be stopped or terminated in order to optimize AWS costs.

Underutilized EC2 Instance
Underutilized EC2 instances should be downsized in order to optimize your AWS costs.

Sources

https://www.cloudanix.com/recipelist/aws/ec2monitoring
https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
https://docs.aws.amazon.com/servicequotas/latest/userguide/intro.html
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/update-security-group-rule-descriptions-ingress.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html
Ensure VPC is used for EC2 instances instead of using EC2 Classic. VPCs are the latest and more secure method of launching AWS resources.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instances-status-check_sched.html
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html

Help Us Improve!

If you have any suggestions to improve this checklist, please let us know by filling out this form.