AWS Misconfigurations
EC2 Audit
Checks Performed
- AMI Age Should Not Exceed the Configured Age
- EC2 AMIs Should Be Encrypted
- Autoscaling Groups Should Use Health Checks
- Autoscaling Hop Limit Should Be Checked
- VPN Tunnel Should Be Up
- Backup Plan Should Have Retention Period
- Backup Manual Deletion Should Be Disabled
- Recovery Point Retention Should Be Reviewed
- Ensure Access Logging Is Enabled For Elastic Beanstalk Load Balancer
- Ensure Enhanced Health Reporting Is Enabled For Elastic Beanstalk Environments
- Enforce HTTPS For Elastic Beanstalk Load Balancers
- Ensure Managed Platform Updates Are Enabled For Elastic Beanstalk Environment
- Enable Alert Notifications For Elastic Beanstalk Events
- Ensure Persistent Logs Are Enabled For Elastic Beanstalk Environments
- Ensure X-Ray Tracing Is Enabled For Elastic Beanstalk Environments
- Patch Installation Should Be Done On Systems Manager
- AWS Client VPN Authorization Rules Should Not Authorize All Clients
- Default Security Group Should Not Allow Unrestricted Public Traffic
- Restrict data-tier subnet connectivity to VPC NAT Gateway
- EBS Volumes Should Be Encrypted
- EC2 AMIs Should Not Be Public
- EC2-Classic Elastic IP Address Limit Should Not Be Reached
- EC2 Instance Should Be of Desired Type
- Detailed Monitoring for EC2 Instances Should Be Enabled
- Scheduled Events for EC2 Instances
- EC2 Instances With Multiple Security Groups
- AWS EC2 Hibernation Should Be Enabled
- EC2 IAM Roles Should Be Used
- EC2 Instances Should Use Latest Generation
- EC2 Uses Multiple Elastic Network Interfaces
- EC2 Instance Tenancy
- Require IMDSv2 For EC2 Instances
- EC2 Instances Should Have Recovery Point
- EC2 Instances Should Not Reach vCPU Limit
- Blacklisted Applications Should Not Be Installed On Instance
- Specified Applications Should Be Installed On Instance
- Status Of Managed Instance Compliance Should Be Checked
- EC2 Systems Manager Should Not Be Configured To Collect Blacklisted Inventory
- EC2 Instance Should Not Be In Public Subnet
- Long Running Instances Should Be Re-launched
- Virtualization Type Of EC2 Instance Is Paravirtual
- EC2 Instances Should Have Backup Plan Protection
- Termination Protection Should Be Enabled
- EC2 Hop Limit Check
- EC2-VPC Elastic IP Address Limit Should Not Be Reached
- Elastic File System Should Be In Backup Plan
- Elastic File System Should Have Recovery Point
- Enable Volume Encryption
- Non-Empty Stateless Network Firewall Rule Groups Should Not Be Present
- FSx Should Have Recovery Point
- FSx Should Have Backup Plan
- EC2 Instances Should Not Be Idle
- Instance Should Be Launched In Auto Scaling Group
- Internet Gateways Should Be Attached To Authorized Virtual Private Clouds
- Network Firewall Deletion Protection Should Be Enabled
- Network Firewall Logging Should Be Enabled
- Network Firewalls Deployed Across Multiple Availability Zones
- Network Firewall Rule Groups Should Be Stateless Or Stateful
- Blacklisted AMIs Should Not Be Used
- EC2 Instances Should Not Have Blacklisted Instance Types
- Default VPC Should Not Be In Use
- EC2 Classic Should Not Be Used
- EC2 Instances Should Not Be Overutilized
- Network Firewall Policy Default Action Should Be Set For Fragmented Packets
- Network Firewall Policy Default Action Should Be Set For Full Packets
- Reserved Instance Lease Expiration In The Next 7 Days
- Reserved Instance Lease Expiration In The Next 30 Days
- EC2 Reserved Instances Should Not Have Payment Failed
- EC2 Reserved Instances Should Not Have Payment Pending
- EC2 Reserved Instances Recent Purchases Should Be Reviewed
- Non-Default Security Groups Should Be Attached To Elastic Network Interface
- Security Group Excessive Counts
- Security Group Name Prefixed With launch-wizard Should Not Be Used
- Security Group Port Range
- Security Groups Should Not Allow Inbound Traffic From RFC 1918 Address Ranges
- Security Group Rule Counts
- Security Groups Should Have Descriptions
- SSM Document Should Not Be Public
- EC2 Instances Should Be Managed By SSM
- SSM Parameters Should Be Encrypted
- SSM Session Duration Should Be Kept To A Minimum
- Storage Gateway Volume Last Backup Recovery Point Should Be Created Within Specified Duration
- Storage Gateway Recovery Point Should Be Created
- Storage Gateway Volumes Should Have Backup Plan
- Unassociated Elastic IP Addresses Should Be Removed
- EC2 Instances Should Not Be Underutilized
- Unrestricted CIFS Access Should Not Be Allowed
- Unrestricted DNS Access Should Not Be Allowed
- Unrestricted Elasticsearch Access Should Not Be Allowed
- Unrestricted FTP Access Should Not Be Allowed
- Unrestricted HTTP Access Should Not Be Allowed
- Unrestricted HTTPS Access Should Not Be Allowed
- Unrestricted ICMP Access Should Not Be Allowed
- Unrestricted Inbound Access On All Uncommon Ports Should Not Be Allowed
- Unrestricted MongoDB Access Should Not Be Allowed
- Unrestricted MsSQL Access Should Not Be Allowed
- Unrestricted MySQL Access Should Not Be Allowed
- Unrestricted Netbios Access Should Not Be Allowed
- Unrestricted Oracle Access Should Not Be Allowed
- Unrestricted Outbound Access Should Not Be Allowed
- Unrestricted PostgreSQL Access Should Not Be Allowed
- Unrestricted RDP Access Should Not Be Allowed
- Unrestricted RPC Access Should Not Be Allowed
- Unrestricted SMTP Access Should Not Be Allowed
- Unrestricted SSH Access Should Not Be Allowed
- Unrestricted Telnet Access Should Not Be Allowed
- Unused AMIs Should Be Removed
- Unused Elastic Network Interfaces Should Be Removed
- Unused AWS EC2 Key Pairs Should Be Removed
- Reserved Instances Should Not Be Unused
- VPC Flow Logs Should Be Enabled
- VPC Peering DNS Resolution From Accepter/Requester VPC To Private IP Should Be Enabled
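The "Unrestricted <service> Access", "Unrestricted ICMP Access", "Unrestricted Inbound Access On All Uncommon Ports", "Unrestricted Outbound Access" and "Default Security Group Should Not Allow Unrestricted Public Traffic" items above all reduce to the same evaluation of security group rules against world-open sources. The following is an added example of that logic, not the scanner's own code: the input dicts are constructed to mirror the shape of the EC2 DescribeSecurityGroups API response (as returned by boto3's describe_security_groups()), and SERVICE_PORTS is a constructed default-port table; a real scanner may carry more ports per service. Everything runs offline on the embedded sample.

```python
"""Inbound/outbound exposure checks over EC2 security groups (added example).

Input dicts mirror the EC2 DescribeSecurityGroups response shape; the port
table and sample groups below are constructed for this example.
"""
from ipaddress import ip_network
from typing import Dict, Iterator, List, Tuple

# Constructed default-port table behind the 'Unrestricted <service> Access' checks.
SERVICE_PORTS: Dict[str, List[Tuple[str, int]]] = {
    "FTP": [("tcp", 21)], "SSH": [("tcp", 22)], "Telnet": [("tcp", 23)],
    "SMTP": [("tcp", 25)], "DNS": [("tcp", 53), ("udp", 53)],
    "HTTP": [("tcp", 80)], "RPC": [("tcp", 135)],
    "NetBIOS": [("tcp", 139), ("udp", 137), ("udp", 138)],
    "HTTPS": [("tcp", 443)], "CIFS": [("tcp", 445)], "MsSQL": [("tcp", 1433)],
    "Oracle": [("tcp", 1521)], "MySQL": [("tcp", 3306)], "RDP": [("tcp", 3389)],
    "PostgreSQL": [("tcp", 5432)], "Elasticsearch": [("tcp", 9200)],
    "MongoDB": [("tcp", 27017)],
}
# Ports that belong to a named service, per protocol; anything else is "uncommon".
KNOWN_PORTS = {proto: {p for ports in SERVICE_PORTS.values() for pr, p in ports if pr == proto}
               for proto in ("tcp", "udp")}


def is_unrestricted(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 are the only 'anyone on the Internet' sources."""
    return ip_network(cidr, strict=False).prefixlen == 0


def unrestricted_sources(perm: dict) -> Iterator[str]:
    """Yield the IPv4/IPv6 ranges in one IpPermission that are world-open."""
    for r in perm.get("IpRanges", []):
        if is_unrestricted(r["CidrIp"]):
            yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        if is_unrestricted(r["CidrIpv6"]):
            yield r["CidrIpv6"]


def port_range(perm: dict) -> Tuple[str, int, int]:
    """Normalise an IpPermission to (protocol, low, high); '-1' means all traffic."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return "all", 0, 65535
    if proto in ("icmp", "icmpv6"):
        return proto, 0, 0  # ICMP rules carry types/codes, not ports
    return proto, perm.get("FromPort", 0), perm.get("ToPort", 65535)


def covers(perm: dict, proto: str, port: int) -> bool:
    p, lo, hi = port_range(perm)
    return p == "all" or (p == proto and lo <= port <= hi)


def covers_uncommon_port(perm: dict) -> bool:
    """True if the rule admits at least one port not tied to a named service."""
    p, lo, hi = port_range(perm)
    if p == "all":
        return True
    if p not in KNOWN_PORTS:
        return False
    known_in_range = sum(1 for k in KNOWN_PORTS[p] if lo <= k <= hi)
    return (hi - lo + 1) > known_in_range


def evaluate_group(sg: dict) -> List[str]:
    """Return the checklist findings that apply to one security group."""
    gid = sg["GroupId"]
    findings: List[str] = []
    open_in = [perm for perm in sg.get("IpPermissions", [])
               if next(unrestricted_sources(perm), None) is not None]
    for service, ports in SERVICE_PORTS.items():
        if any(covers(perm, proto, port) for perm in open_in for proto, port in ports):
            findings.append(f"{gid}: Unrestricted {service} Access")
    if any(port_range(perm)[0] in ("all", "icmp", "icmpv6") for perm in open_in):
        findings.append(f"{gid}: Unrestricted ICMP Access")
    if any(covers_uncommon_port(perm) for perm in open_in):
        findings.append(f"{gid}: Unrestricted Inbound Access On All Uncommon Ports")
    if sg.get("GroupName") == "default" and open_in:
        findings.append(f"{gid}: Default Security Group Allows Unrestricted Public Traffic")
    if any(port_range(perm)[0] == "all" and next(unrestricted_sources(perm), None)
           for perm in sg.get("IpPermissionsEgress", [])):
        findings.append(f"{gid}: Unrestricted Outbound Access")
    return findings


# Constructed sample in DescribeSecurityGroups shape: a wide-open default group
# and a web group that only exposes 443 (plus the usual allow-all egress).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000001", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000000000000002", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        for finding in evaluate_group(group):
            print(finding)
```

Two design points worth noting: only a /0 prefix counts as unrestricted, so a rule from 10.0.0.0/8 on port 22 is not an "Unrestricted SSH" finding (it would fall under the separate RFC 1918 check above), and the "uncommon ports" test compares the width of the admitted range with the number of named-service ports inside it, so a lone 0.0.0.0/0 rule on 443 passes while 0.0.0.0/0 on 8080 or on 0-65535 does not.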
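The instance-level items above ("Require IMDSv2 For EC2 Instances", "EC2 Hop Limit Check", "EC2 IAM Roles Should Be Used", "Virtualization Type Of EC2 Instance Is Paravirtual" and "EC2 Instances Should Not Have Blacklisted Instance Types") can all be evaluated from a single DescribeInstances response. Below is an added example of that evaluation, not the scanner's own code. The input is constructed to mirror the Reservations/Instances/MetadataOptions shape of the EC2 DescribeInstances API response; BLACKLISTED_INSTANCE_TYPES and MAX_HOP_LIMIT are assumed policy values that a real scanner would take from its configuration, and the account ID in the sample is AWS's documentation placeholder.

```python
"""Instance-level EC2 checks over a DescribeInstances response (added example)."""
from typing import Dict, Iterator, List

# Assumed policy inputs for this example; a real scanner reads these from config.
BLACKLISTED_INSTANCE_TYPES = {"t1.micro", "m1.small"}
MAX_HOP_LIMIT = 1  # 1 keeps IMDSv2 PUT responses from leaving the instance; raise
                   # to 2 only for hosts whose containers legitimately need IMDS


def iter_instances(describe_instances: dict) -> Iterator[dict]:
    """Flatten the Reservations/Instances nesting of DescribeInstances."""
    for reservation in describe_instances.get("Reservations", []):
        yield from reservation.get("Instances", [])


def evaluate_instance(inst: dict) -> List[str]:
    """Return the checklist findings that apply to one instance."""
    iid = inst["InstanceId"]
    findings: List[str] = []
    md = inst.get("MetadataOptions", {})
    # Metadata checks only matter while the IMDS endpoint is reachable at all.
    if md.get("HttpEndpoint", "enabled") == "enabled":
        if md.get("HttpTokens") != "required":
            findings.append(f"{iid}: Require IMDSv2 For EC2 Instances")
        if md.get("HttpPutResponseHopLimit", 1) > MAX_HOP_LIMIT:
            findings.append(f"{iid}: EC2 Hop Limit Check")
    if not inst.get("IamInstanceProfile"):
        findings.append(f"{iid}: EC2 IAM Roles Should Be Used")
    if inst.get("VirtualizationType") == "paravirtual":
        findings.append(f"{iid}: Virtualization Type Of EC2 Instance Is Paravirtual")
    if inst.get("InstanceType") in BLACKLISTED_INSTANCE_TYPES:
        findings.append(f"{iid}: EC2 Instances Should Not Have Blacklisted Instance Types")
    return findings


def audit(describe_instances: dict) -> Dict[str, List[str]]:
    """Map every instance ID in the response to its findings (empty list = clean)."""
    return {i["InstanceId"]: evaluate_instance(i) for i in iter_instances(describe_instances)}


# Constructed sample in DescribeInstances shape: one hardened instance and one
# legacy instance that trips every check above.
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0000000000000001", "InstanceType": "t3.micro",
     "VirtualizationType": "hvm",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0000000000000002", "InstanceType": "m1.small",
     "VirtualizationType": "paravirtual",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
]}]}

if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE_DESCRIBE_INSTANCES).items():
        print(instance_id, "OK" if not findings else "")
        for finding in findings:
            print("  ", finding)
```

The hop-limit and IMDSv2 checks are deliberately gated on HttpEndpoint: an instance with the metadata endpoint disabled cannot be abused through IMDS, so flagging it for "optional" tokens would be noise. The same MetadataOptions shape appears in launch template data, which is where the "Autoscaling Hop Limit Should Be Checked" item above is evaluated.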