AWS Security Best Practices

Scan information
Date: Fri Mar 25 08:16:43 2022 UTC
AWS Account Number: 123456789110

Policy Compliance
All: 50
Non-Compliant: 42
Compliant: 8

Failed Policies Based on Severity
Critical: 4
High: 5
Medium: 26
Low: 7
IAM Security

1.4    Ensure no root account access key exists
       Status: Passed | Severity: Critical
       Comments/Recommendations: Removing access keys associated with the root
       account limits the vectors through which the account can be
       compromised.

1.5    Ensure MFA is enabled for the root account
       Status: Failed | Severity: Critical
       Comments/Recommendations: Root account not using MFA

1.6    Ensure hardware MFA is enabled for the root account
       Status: Failed | Severity: Critical
       Comments/Recommendations: Protect the root account with a hardware MFA.
       A hardware MFA has a smaller attack surface than a virtual MFA.

1.7    Avoid the use of the root account
       Status: Passed | Severity: Low
       Comments/Recommendations: Minimizing the use of the root account and
       adopting the principle of least privilege for access management reduces
       the risk of accidental changes and unintended disclosure of highly
       privileged credentials.

1.8    Ensure IAM password policy requires minimum length of 14 or greater
       Status: Passed | Severity: Medium
       Comments/Recommendations: Setting a password complexity policy increases
       account resiliency against brute force login attempts.

1.9    Ensure IAM password policy prevents password reuse
       Status: Failed | Severity: Low
       Comments/Recommendations: Preventing password reuse increases account
       resiliency against brute force login attempts and the use of stolen
       passwords.

1.10   Ensure multi-factor authentication (MFA) is enabled for all IAM users
       that have a console password
       Status: Failed | Severity: Medium
       Comments/Recommendations: Enabling MFA provides increased security for
       console access because it requires the authenticating principal to
       possess a device that emits a time-sensitive key and to have knowledge
       of a credential.
       NonCompliantLists :: ['arn:aws:iam::123456789110:user/xyz','arn:aws:iam::123456789110:user/abc','arn:aws:iam::123456789110:user/asd']

1.11   Do not set up access keys during initial user setup for all IAM users
       that have a console password
       Status: Passed | Severity: Low
       Comments/Recommendations: Requiring the user to take additional steps
       for programmatic access after their profile has been created gives a
       stronger indication of intent that access keys are necessary for their
       work; once an access key is established on an account, the keys may be
       in use somewhere in the organization.

1.12   Ensure credentials unused for 90 days or greater are disabled
       Status: Failed | Severity: Low
       Comments/Recommendations: Remove or deactivate all credentials that have
       been unused in 90 days or more.
       NonCompliantLists :: ['arn:aws:iam::123456789110:user/xyz:key2','arn:aws:iam::123456789110:user/abc:key1','arn:aws:iam::123456789110:user/asd':key2']

1.13   Ensure there is only one active access key available for any single
       IAM user
       Status: Failed | Severity: Medium
       Comments/Recommendations: One of the best ways to protect your account
       is to not allow users to have multiple access keys.
       NonCompliantLists :: ['user : ABC, access_key_ids: AKXCQGHJ44IDUJZX7GS,AKIAQEEISEGHDJCZLN32', 'user : tr, access_key_ids: AKIAAWEEIJ44IBYSEDEY5H,AAWSIAEIJ44IC7ITWVOF']

1.14   Ensure access keys are rotated every 90 days or less
       Status: Failed | Severity: Medium
       Comments/Recommendations: Rotating access keys reduces the chance that
       an access key associated with a compromised or terminated account is
       used. Rotate access keys to ensure that data can't be accessed with an
       old key that might have been lost, cracked, or stolen.
       NonCompliantLists :: ['arn:aws:iam::123456789110:user/axisecu1:unrotated key1', ]

1.15   IAM users should not have IAM policies attached
       Status: Failed | Severity: Low
       Comments/Recommendations: IAM users must inherit permissions from IAM
       groups or roles.
       NonCompliantLists :: [''arn:aws:iam::123456789110:user/xyz','arn:aws:iam::123456789110:user/abc','arn:aws:iam::123456789110:user/asd']

1.16   Ensure IAM policies that allow full administrative privileges are not
       created
       Status: Failed | Severity: Critical
       Comments/Recommendations: Providing full administrative privileges
       instead of restricting a user to the minimum set of permissions their
       tasks require exposes the resources to potentially unwanted actions.
       NonCompliantLists :: ['arn:aws:iam::123456789110:policy/Region_Restrict_Policy', 'arn:aws:iam::123456789110:policy/test']

1.17   Ensure a support role has been created to manage incidents with AWS
       Support
       Status: Failed | Severity: Low
       Comments/Recommendations: Assigning privileges at the group or role
       level reduces the complexity of access management as the number of
       users grows.

1.19   Ensure that all the expired SSL/TLS certificates stored in AWS IAM are
       removed
       Status: Passed | Severity: Low
       Comments/Recommendations: Removing expired SSL/TLS certificates
       eliminates the risk that an invalid certificate will be deployed
       accidentally to a resource such as AWS Elastic Load Balancer (ELB),
       which can damage the credibility of the application/website behind the
       ELB.

1.20   Ensure that S3 Buckets are configured with 'Block Public Access'.
       Status: Failed | Severity: Medium
       Comments/Recommendations: Amazon S3 public access block is designed to
       provide controls across an entire AWS account or at the individual S3
       bucket level to ensure that objects never have public access.
       NonCompliantS3 :: ['token-generator', 'gxieuf6r8']

1.21   Ensure that IAM Access Analyzer is enabled.
       Status: Passed | Severity: Low
       Comments/Recommendations: AWS IAM Access Analyzer helps you identify the
       resources in your organization and accounts, such as Amazon S3 buckets
       or IAM roles, that are shared with an external entity. This lets you
       identify unintended access to your resources and data.
Storage

2.1.1  Ensure all S3 buckets employ encryption-at-rest.
       Status: Failed | Severity: Medium
       Comments/Recommendations: S3 buckets should be configured with
       server-side encryption to protect data at rest. Buckets other than the
       ones used for 'Server Access Log' can use SSE-KMS to encrypt; the
       server access log buckets should be encrypted with SSE-S3 default
       encryption.
       NonCompliantS3 :: ['token-generator', 'frontend', 'aibucket']

2.1.2  Ensure S3 Bucket Policy allows HTTPS requests.
       Status: Failed | Severity: Medium
       Comments/Recommendations: S3 buckets should have policies that require
       all requests to only accept transmission of data over HTTPS.
       NonCompliantS3 :: ['token-generator', 'frontend', 'aibucket']

2.2    Ensure EBS volume encryption is enabled.
       Status: Failed | Severity: Medium
       Comments/Recommendations: Encrypting data at rest reduces the likelihood
       that it is unintentionally exposed and can nullify the impact of
       disclosure if the encryption remains unbroken.
       No EBS Volumes Found in the region : eu-north-1
       No EBS Volumes Found in the region : eu-west-3
       No EBS Volumes Found in the region : eu-west-2
       No EBS Volumes Found in the region : eu-west-1
       No EBS Volumes Found in the region : ap-northeast-3
       No EBS Volumes Found in the region : ap-northeast-2
       No EBS Volumes Found in the region : ap-northeast-1
       No EBS Volumes Found in the region : sa-east-1
       No EBS Volumes Found in the region : ca-central-1
       No EBS Volumes Found in the region : ap-southeast-1
       No EBS Volumes Found in the region : ap-southeast-2
       No EBS Volumes Found in the region : eu-central-1
       NonCompliant EBS Volumes :: ['Region : ap-southeast-1 VolumeIds : vol-087438csdervvbe7,vol-0345fyy4b39d1d1405b', 'Region : us-east-1 VolumeIds : vol-087438csdervvbe7,vol-0345fyy4b39d1d1405b','Region : us-east-2 VolumeIds : vol-087438csdervvbe7,vol-0345fyy4b39d1d1405b','Region : us-west-1 VolumeIds : vol-04820cdeae832364b,vol-09f40ffb06e57e650', 'Region : us-west-2 ]
Logging

3.1    Ensure CloudTrail is enabled in all regions
       Status: Passed | Severity: Critical
       Comments/Recommendations: CloudTrail enables security analysis,
       resource change tracking, and compliance auditing.

3.2    Ensure CloudTrail log file validation is enabled
       Status: Failed | Severity: Low
       Comments/Recommendations: CloudTrails without log file validation
       discovered
       NonCompliantLists :: ['arn:aws:cloudtrail:ap-southeast-1:123456789110:trail/codepipeline-source-trail']

3.3    Ensure the S3 bucket used to store CloudTrail logs is not publicly
       accessible
       Status: Failed | Severity: Critical
       Comments/Recommendations: Missing permissions to verify bucket ACL.
       NonCompliantLists :: ['arn:aws:cloudtrail:ap-southeast-1:123456789110:trail/codepipeline-source-trail:AccessDenied']

3.4    Ensure CloudTrail trails are integrated with CloudWatch Logs
       Status: Failed | Severity: Low
       Comments/Recommendations: Unable to Fetch CloudTrails Integrated with
       CloudWatch Logs Status for:
       arn:aws:cloudtrail:ap-southeast-1:123456789110:trail/codepipeline-source-trail

3.5    Ensure AWS Config is enabled in all regions
       Status: Passed | Severity: Medium
       Comments/Recommendations: Unable to Fetch Config details:: eu-north-1
       Config enabled in all regions, capturing all/global events or delivery
       channel errors

3.6    Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
       Status: Failed | Severity: Low
       Comments/Recommendations: Unable to Fetch the CloudTrail S3 bucket
       Status for : Trail:arn:aws:cloudtrail:us-east-1:123456789110:trail/test_trail - S3Bucket:test-aws
       NonCompliantLists :: ['arn:aws:cloudtrail:ap-southeast-1:123456789110:trail/codepipeline-source-trail']

3.7    Ensure CloudTrail logs are encrypted at rest using KMS CMKs
       Status: Failed | Severity: Medium
       Comments/Recommendations: CloudTrail not using KMS CMK for encryption
       discovered
       NonCompliantLists :: ['Trail:arn:aws:cloudtrail:ap-southeast-1:123456789110:trail/codepipeline-source-trail', 'Trail:arn:aws:cloudtrail:us-east-1:123456789110:trail/test_trail']

3.8    Ensure rotation for customer created CMKs is enabled
       Status: Failed | Severity: High
       Comments/Recommendations: KMS CMK rotation not enabled
       NonCompliantLists :: ['Key:arn:aws:kms:us-east-2:123456789110:key/sdfggf57-de41-4417-831f-9ec24efgf8abc11', 'Key:arn:aws:kms:us-east-2:123456789110:key/5ggdfd9-0396-4128-8ac3-7a8wsdca92e6']

3.9    Ensure VPC flow logging is enabled in all VPCs
       Status: Failed | Severity: High
       Comments/Recommendations: VPC without active VPC Flow Logs found
       NonCompliantLists :: ['us-west-2 : vpc-004504567i88fe41', 'us-west-2 : vpc-0ec2d456543d26', 'us-west-2 : vpc-06d5f345666e57ce']

3.10   Ensure that object-level logging for write events is enabled for S3
       buckets.
       Status: Failed | Severity: Medium
       Comments/Recommendations: Enabling object-level logging will help you
       meet data compliance requirements within your organization, perform
       comprehensive security analysis, monitor specific patterns of user
       behavior in your AWS account, or take immediate actions on any
       object-level API activity within your S3 buckets using Amazon
       CloudWatch Events.
       NonCompliantTrails :: ['test_trail']

3.11   Ensure that object-level logging for read events is enabled for S3
       buckets.
       Status: Failed | Severity: Medium
       Comments/Recommendations: Enabling object-level logging will help you
       meet data compliance requirements within your organization, perform
       comprehensive security analysis, monitor specific patterns of user
       behavior in your AWS account, or take immediate actions on any
       object-level API activity within your S3 buckets using Amazon
       CloudWatch Events.
       NonCompliantTrails :: ['test_trail']
Monitoring

4.1    Ensure a log metric filter and alarm exist for unauthorized API calls
       Status: Failed | Severity: Medium
       Comments/Recommendations: Incorrect log metric alerts for
       unauthorized_api_calls.

4.2    Ensure a log metric filter and alarm exist for Management Console
       sign-in without MFA
       Status: Failed | Severity: Medium
       Comments/Recommendations: Incorrect log metric alerts for management
       console sign-in without MFA

4.3    Ensure a log metric filter and alarm exist for root usage
       Status: Failed | Severity: Medium
       Comments/Recommendations: Incorrect log metric alerts for root usage

4.4    Ensure a log metric filter and alarm exist for IAM changes
       Status: Failed | Severity: Medium
       Comments/Recommendations: Incorrect log metric alerts for IAM policy
       changes

4.5    Ensure a log metric filter and alarm exist for CloudTrail
       configuration changes
       Status: Failed | Severity: Medium
       Comments/Recommendations: Incorrect log metric alerts for CloudTrail
       configuration changes

4.6    Ensure a log metric filter and alarm exist for console auth failures
       Status: Failed | Severity: Medium
       Comments/Recommendations: Ensure a log metric filter and alarm exist
       for console auth failures

4.7    Ensure a log metric filter and alarm exist for disabling or scheduling
       deletion of KMS CMK
       Status: Failed | Severity: Medium
       Comments/Recommendations: Ensure a log metric filter and alarm exist
       for disabling or scheduling deletion of KMS CMK

4.8    Ensure a log metric filter and alarm exist for S3 bucket policy
       changes
       Status: Failed | Severity: Medium
       Comments/Recommendations: Ensure a log metric filter and alarm exist
       for S3 bucket policy changes

4.9    Ensure a log metric filter and alarm exist for AWS Config
       configuration changes
       Status: Failed | Severity: Medium
       Comments/Recommendations: Ensure a log metric filter and alarm exist
       for AWS Config configuration changes

4.10   Ensure a log metric filter and alarm exist for security group changes
       Status: Failed | Severity: Medium
       Comments/Recommendations: Ensure a log metric filter and alarm exist
       for security group changes

4.11   Ensure a log metric filter and alarm exist for changes to Network
       Access Control Lists (NACL)
       Status: Failed | Severity: Medium
       Comments/Recommendations: Ensure a log metric filter and alarm exist
       for changes to Network Access Control Lists (NACL)

4.12   Ensure a log metric filter and alarm exist for changes to network
       gateways
       Status: Failed | Severity: Medium
       Comments/Recommendations: Ensure a log metric filter and alarm exist
       for changes to network gateways

4.13   Ensure a log metric filter and alarm exist for route table changes
       Status: Failed | Severity: Medium
       Comments/Recommendations: Ensure a log metric filter and alarm exist
       for route table changes

4.14   Ensure a log metric filter and alarm exist for VPC changes
       Status: Failed | Severity: Medium
       Comments/Recommendations: Ensure a log metric filter and alarm exist
       for VPC changes

4.15   Ensure a log metric filter and alarm exist for AWS Organizations
       changes.
       Status: Failed | Severity: Medium
       Comments/Recommendations: Monitoring AWS Organizations changes can help
       you prevent any unwanted, accidental or intentional modifications that
       may lead to unauthorized access or other security breaches.
Networking

5.1    Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
       Status: Failed | Severity: High
       Comments/Recommendations: Found Security Group with port 22 open to the
       world (0.0.0.0/0)
       NonCompliant Security Groups :: [' '
       Region : us-west-2 Groups : sg-0b31b2a154567e81cb9']

5.2    Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
       Status: Failed | Severity: High
       Comments/Recommendations: Found Security Group with port 3389 open to
       the world (0.0.0.0/0)
       NonCompliant Security Groups :: [' '
       Region : us-west-2 Groups : sg-0b31b2a56tgbh777b9', '
       Region : us-west-2 Groups : sg-0b31b2a3445667hfcb9']

5.3    Ensure VPC flow logging is enabled in all VPCs
       Status: Failed | Severity: High
       Comments/Recommendations: VPC without active VPC Flow Logs found
       NonCompliant VPCs :: ['
       Region : us-west-2 Groups : sg-0f826e44tr5607f3']
