EC2 Audit

​

Checks Performed

• AMI Age Should Not Exceed the Configured Age
• EC2 AMIs Should Be Encrypted
• Autoscaling Groups Health Checks Should Be Checked
• Autoscaling Hop Limit Should Be Checked
• VPN Tunnel Should Be Up
• Backup Plan Should Have Retention Period
• Backup Manual Deletion Should Be Disabled
• Recovery Point Retention Should Be Reviewed
• Ensure Access Logging Is Enabled For Elastic Beanstalk Load Balancer
• Ensure Enhanced Health Reporting Is Enabled For Elastic Beanstalk Environments
• Enforce HTTPS For Elastic Beanstalk Load Balancers
• Ensure Managed Platform Updates Are Enabled For Elastic Beanstalk Environment
• Enable Alert Notifications For Elastic Beanstalk Events
• Ensure Persistent Logs Are Enabled For Elastic Beanstalk Environments
• Ensure X-Ray Tracing Is Enabled For Elastic Beanstalk Environments
• Patch Installation Should Be Done On Systems Manager
• AWS Client VPN Authorization Rules Should Be Enabled Authorizing All Clients
• Default Security Group Should Not Allow Unrestricted Public Traffic
• Restrict data-tier subnet connectivity to VPC NAT Gateway
• EBS volume encrypted
• EC2 AMIs Should Not Be Public
• Enforce HTTPS For Elastic Beanstalk Load Balancers
• EC2-Classic Elastic IP Address Limit Should Not Be Reached
• EC2 Instance Should Be of Desired Type
• Detailed Monitoring for EC2 Instances Should Be Enabled
• Scheduled Events for EC2 Instances
• EC2 Instances With Multiple Security Groups
• AWS EC2 Hibernation Should Be Enabled
• EC2 IAM Roles Should Be Used
• EC2 IAM Roles Should Be Used
• EC2 Instances Should Use Latest Generation
• EC2 Uses Multiple Elastic Network Interfaces
• Scheduled Events for EC2 Instances
• EC2 Instance Tenancy
• Require IMDSv2 For EC2 Instances
• Elastic Compute Cloud Should Have Recovery Point
• EC2 Instances Should Not Reach vCPU Limit
• None Specified Applications Should Be Installed On Instance
• Specified Applications Should Be Installed On Instance
• Status OF Managed Instance Compliance Should Be Checked
• EC2 Systems Manager Are Configured To Collect Blacklisted Inventory
• EC2 Instance Should Not Be In Public Subnet
• Long Running Instances Should Be Re-launched
• Virtualization Type Of EC2 Instance Is Paravirtual
• EC2 Instances Should Have Backup Plan Protection
• Termination Protection Should Be Enabled
• EC2 Hop Limit Check
• EC2-VPC Elastic IP Address Limit Should Not Be Reached
• Elastic File System Should Be In Backup Plan
• Elastic File System Should Have Recovery Point
• Enable Volume Encryption
• Non-Empty Stateless Network Firewall Rule Groups Should Not Be Present
• FSx Should Have Recovery Point
• FSx Should Have Backup Plan
• EC2 Instances Should Not Be Idle
• Instance Should Be Launched In Auto Scaling Group
• Internet Gateways Should Be Attached To Authorized Virtual Private Clouds
• Network Firewall Deletion Protection Should Be Enabled
• Network Firewall Logging Should Be Enabled
• Network Firewalls Deployed Across Multiple Availability Zones
• Network Firewall Rule Groups Should Be Stateless Or Stateful
• Blacklisted AMIs Should Not Be Used
• EC2 Instances Should Not Have Blacklisted Instance Types
• Default VPC Should Not Be In Use
• EC2 Classic Should Not Be Used
• EC2 Instances Should Not Be Overutilized
• Network Firewall Policy Default Action Should Be Set For Fragmented Packets
• Network Firewall Policy Default Action Should Be Set For Full Packets
• Reserved Instance Lease Expiration In The Next 7 Days
• Reserved Instance Lease Expiration In The Next 30 Days
• EC2 Reserved Instances Should Not Have Payment Failed
• EC2 Reserved Instances Should Not Have Payment Pending
• EC2 Reserved Instances Recent Purchases Should Be Reviewed
• Non-Default Security Groups Should Be Attached To Elastic Network Interface
• Security Group Excessive Counts
• Security Group Name Prefixed With launch-wizard Should Not Be Used
• Security Group Port Range
• Security Groups Should Not Allow Inbound Traffic From RFC 1918
• Security Group Rules Counts
• Security Groups Should Have Descriptions
• SSM Document Should Not Be Public
• EC2 Instances Should Be Managed By SSM
• SSM Parameters Should Be Encrypted
• SSM Session Length Should Be Minimum
• Storage Gateway Volume Last Backup Recovery Point Should Be Created Within Specified Duration
• Storage Gateway Recovery Point Should Be Created
• Storage Gateway Volumes Should Have Backup Plan
• Unassociated Elastic IP Addresses Should Be Removed
• EC2 Instances Should Not Be Underutilized
• Unrestricted CIFS Access Should Not Be Allowed
• Unrestricted DNS Access Should Not Be Allowed
• Unrestricted Elasticsearch Access Should Not Be Allowed
• Unrestricted FTP Access Should Not Be Allowed
• Unrestricted HTTP Access Should Not Be Allowed
• Unrestricted HTTPS Access Should Not Be Allowed
• Unrestricted ICMP Access Should Not Be Allowed
• Unrestricted Inbound Access on All Uncommon Ports Should Not Be Allowed
• Unrestricted MongoDB Access Should Not Be Allowed
• Unrestricted MsSQL Access Should Not Be Allowed
• Unrestricted MySQL Access Should Not Be Allowed
• Unrestricted Netbios Access Should Not Be Allowed
• Unrestricted Oracle Access Should Not Be Allowed
• Unrestricted Outbound Access Should Not Be Allowed
• Unrestricted PostgreSQL Access Should Not Be Allowed
• Unrestricted RDP Access Should Not Be Allowed
• Unrestricted RPC Access Should Not Be Allowed
• Unrestricted SMTP Access Should Not Be Allowed
• Unrestricted SSH Access Should Not Be Allowed
• Unrestricted Telnet Access Should Not Be Allowed
• Unused AMIs Should Be Removed
• Unused Elastic Network Interfaces Should Be Removed
• Unused AWS EC2 Key Pairs Should Be Removed
• Reserved Instances Should Not Be Unused
• VPC Flow Logs Should Be Enabled
• Accepter/Requester VPC To Private IP Should Be Enabled