Continuous Compliance
AWS
Amazon EC2 Instance
Instances outside of the Europe region
Instances outside of the Brazil region
Use encrypted storage for instances that might host a database.
Ensure that EC2 instance's volumes are encrypted
Ensure that EC2 instance's custom AMI is encrypted at rest
Ensure that EC2 instance's custom AMI is not publicly shared
Ensure IAM instance roles are used for AWS resource access from instances
Simple Storage Service (S3)
S3 Buckets outside of Europe
Ensure that S3 buckets are not publicly accessible
S3 Buckets outside of Brazil
Ensure that S3 buckets are not publicly accessible without a condition
Ensure that S3 Buckets are encrypted with CMK
Ensure S3 Bucket Policy is set to deny HTTP requests
Ensure all data in Amazon S3 has been discovered, classified and secured when required.
Ensure that S3 Bucket is encrypted at rest
Ensure that S3 bucket ACLs don't allow 'FULL_CONTROL' access for anonymous / AWS authenticated users
Ensure that S3 Bucket policy doesn't have excessive permissions (Allowing all actions)
S3 bucket should not be world-listable from anonymous users
Ensure that S3 bucket ACLs don't allow 'READ' access for anonymous / AWS authenticated users
S3 bucket should not be world-writable from anonymous users
Ensure that S3 bucket ACLs don't allow 'WRITE' access for anonymous / AWS authenticated users
S3 bucket should not have writable permissions from anonymous users
Ensure that S3 bucket ACLs don't allow 'WRITE_ACP' access for anonymous / AWS authenticated users
S3 bucket should not have world-readable permissions from anonymous users
Ensure that S3 bucket ACLs don't allow 'READ_ACP' access for anonymous / AWS authenticated users
S3 bucket should not allow delete actions from all principals without a condition
S3 bucket should not allow get actions from all principals without a condition
S3 bucket should not allow list actions from all principals without a condition
Ensure that S3 Bucket policy doesn't allow actions from all principals without a condition
S3 bucket should not allow put or restore actions from all principals without a condition
S3 buckets should not grant any external privileges via ACL
Ensure MFA Delete is enabled on S3 buckets
S3 bucket should not allow delete actions from all principals
S3 bucket should not allow get actions from all principals with a condition
S3 bucket should not allow list actions from all principals
S3 bucket should not allow put or restore actions from all principals
Ensure that S3 Bucket policy doesn't allow actions from all principals (Condition exists)
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible without a condition
S3 bucket CloudTrail logs ACL should not allow public access
S3 bucket should have server access logging enabled
Ensure that your AWS CloudTrail logging bucket has MFA delete enabled
Ensure that object-level logging is enabled for S3 buckets
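The S3 rules above split public exposure into two mechanisms (bucket policy statements that grant to all principals, with or without a Condition, and ACL grants to the AllUsers / AuthenticatedUsers groups) and into action categories (get, list, put or restore, delete). The following is an added example of what such a check looks like in code; it is not the product's own implementation. It works on the JSON string that boto3's s3.get_bucket_policy returns in "Policy" and the dict that s3.get_bucket_acl returns; the sample policy, ACL, bucket name and VPC endpoint ID are constructed.

```python
"""Public-exposure checks for S3 of the kind the bucket rules above list.

Added example, not the product's own checks. The bucket policy is the JSON
string boto3's s3.get_bucket_policy returns in "Policy"; the ACL is the dict
s3.get_bucket_acl returns. Both samples below are constructed.
"""
import fnmatch
import json

# ACL grantee URIs that mean "anyone" and "any authenticated AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# The action categories the rules distinguish, with the S3 actions behind them.
ACTION_CATEGORIES = {
    "get": ("s3:getobject", "s3:getobjectversion", "s3:getobjectacl"),
    "list": ("s3:listbucket", "s3:listbucketversions", "s3:listmultipartuploadparts"),
    "put-or-restore": ("s3:putobject", "s3:putobjectacl", "s3:restoreobject"),
    "delete": ("s3:deleteobject", "s3:deleteobjectversion", "s3:deletebucket"),
}


def _as_list(value):
    """Policy JSON allows a bare string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """True for "Principal": "*" or {"AWS": "*"}, i.e. every caller incl. anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def action_categories(actions):
    """Expand Action patterns (s3:Get*, s3:*, *) into the categories they cover."""
    categories = set()
    for pattern in (a.lower() for a in actions):
        if pattern in ("*", "s3:*"):
            return set(ACTION_CATEGORIES) | {"all"}
        for name, members in ACTION_CATEGORIES.items():
            if any(fnmatch.fnmatchcase(member, pattern) for member in members):
                categories.add(name)
    return categories


def evaluate_bucket_policy(policy_json):
    """List (category, has_condition) for every Allow granted to all principals.

    A Condition (on aws:SourceVpce, aws:SecureTransport, ...) narrows the grant,
    which is why the rules report "without a condition" and "condition exists"
    separately; both still deserve review.
    """
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_everyone(stmt.get("Principal")):
            continue
        has_condition = bool(stmt.get("Condition"))
        for category in sorted(action_categories(_as_list(stmt.get("Action")))):
            findings.append((category, has_condition))
    return findings


def evaluate_bucket_acl(acl):
    """List (who, permission) for ACL grants to the public groups."""
    return [
        (PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"])
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


# Constructed sample: anonymous GetObject without a condition, ListBucket only
# through a VPC endpoint, and a Deny for plaintext HTTP (which is not a finding).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for category, conditioned in evaluate_bucket_policy(SAMPLE_POLICY):
        print(f"bucket policy allows {category} actions from all principals "
              f"{'with' if conditioned else 'without'} a condition")
    for who, permission in evaluate_bucket_acl(SAMPLE_ACL) :
        print(f"bucket ACL grants {permission} to {who}")
```

Note that the Deny statement is deliberately ignored: it is the "deny HTTP requests" control from the list above, not an exposure. Account-level and bucket-level Block Public Access settings override both mechanisms and should be read alongside these results.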
AWS Lambda
Lambda Functions must have an associated tag
Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses Customer Master Keys (CMK)
Ensure that Lambda Function resource-based policy doesn't have excessive permissions (Contains a wildcard)
Ensure that Lambda Function is not publicly exposed via resource policy without a condition
Ensure that Lambda Function URL is secured with IAM authentication
Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role
Ensure that Lambda Function execution role policy doesn't have an overly permissive scope (Contains a wildcard)
Ensure that Lambda Function execution role policy doesn't have excessive permissions (Contains a wildcard)
Amazon Elastic File System (EFS)
Amazon EFS must have an associated tag
Ensure that your Amazon EFS file systems are encrypted
Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys
AWS ECR Repository
Ensure that ECR image tags are immutable.
Ensure that ECR image scan on push is enabled.
Ensure that ECR repositories are encrypted.
Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone.
Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone, even with a condition.
Elastic Load Balancing (ELB)
ELB is set up with HTTPS for secure communication
Remove Weak Ciphers for ELB
ELB - Recommended SSL/TLS protocol version
ELB secured listener certificate expires in one week
ELB secured listener certificate expires in one month
ELB is created with Access logs enabled
Amazon RDS
Ensure that encryption is enabled for RDS Instances
Ensure that AWS RDS databases are encrypted using Customer Managed Keys
Ensure AWS RDS instances have Automatic Backup set up
Ensure AWS RDS instances have Multi-Availability Zone enabled
Ensure AWS RDS retention policy is at least 7 days
IAM Server Certificate
SSL/TLS certificates expire in one week
SSL/TLS certificates expire in one month
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
SSL/TLS certificates expire in 45 days
Ensure IAM server certificate was not uploaded before the Heartbleed security bug fix
Application Load Balancer
ALB secured listener certificate expires in one week
ALB secured listener certificate expires in one month
Enable access logging on Application Load Balancers (ELBv2)
Amazon Redshift
Use KMS CMK customer-managed keys for Redshift clusters
Ensure AWS Redshift instances are encrypted
Amazon CloudFront
Use secure ciphers in CloudFront distribution
Use encrypted connection between CloudFront and origin server
Ensure that the Viewer Protocol policy is compliant to only use the HTTPS protocol
Amazon Elastic Container Service - Cluster
ECS Cluster At-Rest Encryption
Prefer using IAM roles for tasks rather than using IAM roles for an instance
Amazon Kinesis
Ensure AWS Kinesis Streams Keys are rotated
AWS Kinesis streams are encrypted with a customer-managed CMK
AWS Kinesis data streams have server side encryption (SSE) enabled
Amazon ElastiCache
Ensure ElastiCache for Memcached is not used in AWS PCI DSS environments
Ensure that ElastiCache for Redis version is compliant with AWS PCI DSS requirements
Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled
Ensure AWS ElastiCache Redis clusters have in-transit encryption enabled
AWS Certificate Manager
Ensure ACM only has certificates with single domain names, and none with wildcard domain names
Ensure the AWS Certificate Manager (ACM) has no unused certificates
Ensure invalid or failed certificates are removed from ACM
Ensure that all the expired SSL/TLS certificates are removed from ACM
ACM has soon to be expired certificates
ACM has a PENDING_VALIDATION Certificate
Ensure ACM certificate was not issued before the Heartbleed security bug fix
Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate
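The ACM rules above, together with the IAM server certificate and ELB/ALB listener rules earlier on this page, all reduce to a handful of checks on certificate metadata: expiry within a 7-, 30- or 45-day window, already expired, wildcard names, unused or failed certificates, issuance before the Heartbleed fix, and RSA key size. The following is an added example of those checks, not the product's code. It consumes the "Certificate" dict that boto3's acm.describe_certificate returns; the four sample certificates, their ARNs and the fixed "now" are constructed. The Heartbleed cut-off of 2014-04-07 is the release date of OpenSSL 1.0.1g, which fixed CVE-2014-0160.

```python
"""Certificate hygiene checks of the kind listed for ACM above.

Added example, not the product's own rules. It takes the "Certificate" dict
that boto3's acm.describe_certificate returns (Status, NotAfter, IssuedAt,
KeyAlgorithm, InUseBy, DomainName, SubjectAlternativeNames) and reports which
rules fire. The same expiry windows apply to the IAM server certificate and
ELB/ALB listener certificate rules above. The sample certificates are
constructed, and "now" is passed in so results are reproducible.
"""
from datetime import datetime, timedelta, timezone

# OpenSSL 1.0.1g, which fixed Heartbleed (CVE-2014-0160), shipped on 2014-04-07.
# A key generated before then on a vulnerable server may have been exposed.
HEARTBLEED_FIX = datetime(2014, 4, 7, tzinfo=timezone.utc)
EXPIRY_WINDOWS_DAYS = (7, 30, 45)        # the windows used by the expiry rules above
MIN_RSA_BITS = 2048
BAD_STATUSES = {"FAILED", "VALIDATION_TIMED_OUT", "REVOKED", "INACTIVE"}


def rsa_bits(key_algorithm):
    """'RSA_2048' -> 2048; None for EC keys, to which the RSA size rule does not apply."""
    if key_algorithm and key_algorithm.startswith("RSA_"):
        return int(key_algorithm.split("_", 1)[1])
    return None


def expiry_window(not_after, now):
    """Smallest configured window (in days) the certificate expires within, or None."""
    remaining = not_after - now
    for days in EXPIRY_WINDOWS_DAYS:
        if timedelta(0) <= remaining <= timedelta(days=days):
            return days
    return None


def check_certificate(cert, now):
    """Return the sorted rule names that fire for one describe_certificate result."""
    findings = set()
    status = cert.get("Status")
    names = [cert.get("DomainName", "")] + list(cert.get("SubjectAlternativeNames", []))

    if any(n.startswith("*.") for n in names):
        findings.add("wildcard-domain")
    if status == "PENDING_VALIDATION":
        findings.add("pending-validation")
    if status in BAD_STATUSES:
        findings.add("invalid-or-failed")
    if status == "EXPIRED" or ("NotAfter" in cert and cert["NotAfter"] < now):
        findings.add("expired")
    elif "NotAfter" in cert:
        window = expiry_window(cert["NotAfter"], now)
        if window is not None:
            findings.add(f"expires-within-{window}d")
    if status == "ISSUED" and not cert.get("InUseBy"):
        findings.add("unused")
    if "IssuedAt" in cert and cert["IssuedAt"] < HEARTBLEED_FIX:
        findings.add("issued-before-heartbleed-fix")
    bits = rsa_bits(cert.get("KeyAlgorithm"))
    if bits is not None and bits < MIN_RSA_BITS:
        findings.add("rsa-key-too-short")
    return sorted(findings)


def scan(certs, now):
    """Map certificate ARN -> findings for every certificate with at least one."""
    results = {}
    for cert in certs:
        findings = check_certificate(cert, now)
        if findings:
            results[cert["CertificateArn"]] = findings
    return results


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-00000000000"
SAMPLE_CERTS = [
    {   # healthy: single domain, attached to a load balancer, 2048-bit RSA, a year left
        "CertificateArn": _ARN + "1", "DomainName": "api.example.com",
        "SubjectAlternativeNames": ["api.example.com"], "Status": "ISSUED",
        "KeyAlgorithm": "RSA_2048", "IssuedAt": NOW - timedelta(days=30),
        "NotAfter": NOW + timedelta(days=365),
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef"],
    },
    {   # wildcard SAN, attached to nothing, 20 days from expiry
        "CertificateArn": _ARN + "2", "DomainName": "example.com",
        "SubjectAlternativeNames": ["example.com", "*.example.com"], "Status": "ISSUED",
        "KeyAlgorithm": "RSA_2048", "IssuedAt": NOW - timedelta(days=345),
        "NotAfter": NOW + timedelta(days=20), "InUseBy": [],
    },
    {   # imported legacy certificate: 1024-bit RSA issued in 2013
        "CertificateArn": _ARN + "3", "DomainName": "legacy.example.com", "Status": "ISSUED",
        "KeyAlgorithm": "RSA_1024", "IssuedAt": datetime(2013, 11, 2, tzinfo=timezone.utc),
        "NotAfter": NOW + timedelta(days=200),
        "InUseBy": ["arn:aws:cloudfront::123456789012:distribution/EXAMPLE123"],
    },
    {   # requested but never validated
        "CertificateArn": _ARN + "4", "DomainName": "new.example.com",
        "Status": "PENDING_VALIDATION", "KeyAlgorithm": "RSA_2048",
    },
]

if __name__ == "__main__":
    for arn, findings in scan(SAMPLE_CERTS, NOW).items():
        print(f"{arn}: {', '.join(findings)}")
```

The "unused" rule is deliberately limited to ISSUED certificates: a pending or failed certificate has no InUseBy entries either, and reporting it twice only adds noise.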
Amazon DynamoDB
Ensure that AWS DynamoDB is encrypted using customer-managed CMK
Ensure Amazon DynamoDB tables have continuous backups enabled
Amazon SageMaker
Ensure SageMaker Notebook Instance Data Encryption is enabled
Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled
Amazon API Gateway
Ensure that an API Key is required on a Method Request
Network Load Balancer
Ensure to update the Security Policy of the Network Load Balancer
IAM Group
Ensure that IAM groups do not have inline policies
Ensure IAM groups do not have administrator privileges
Ensure IAM groups have at least one IAM User attached
EMR Cluster
Ensure in-transit and at-rest encryption is enabled for Amazon EMR clusters
Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3
Simple Queue Service (SQS)
Ensure Amazon SQS queues enforce Server-Side Encryption (SSE)
Ensure that AWS SQS is encrypted using customer-managed keys instead of AWS-owned CMKs
Ensure that SQS policy won't allow all actions from all principals without a condition
Ensure that SQS policy won't allow all actions from all principals
Amazon OpenSearch Service (formerly Elasticsearch Service)
Ensure that encryption of data at rest is enabled on Elasticsearch domains
Ensure that node-to-node encryption is enabled for Elasticsearch service
Ensure OpenSearch domains have restricted IAM permissions
SNS Topic
Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE)
Ensure that AWS SNS topic is encrypted using Customer Managed Keys instead of AWS-owned CMKs
Ensure SNS Topics aren't publicly accessible
Ensure SNS Topics administrative actions aren't publicly executable without a condition
Amazon Secrets Manager
Ensure that AWS Secrets Manager secret rotation is enabled
Ensure that AWS Secrets Manager secret rotation interval is less than 30 days
Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs
Amazon Systems Manager Parameter
Ensure that sensitive parameters are encrypted
Amazon Elastic Block Storage (EBS)
Ensure EBS volume encryption is enabled
Amazon Route 53
Expired Route 53 Domain Names
Enable AWS Route 53 Domain Auto Renew
Enable AWS Route 53 Domain Transfer Lock
AWS Route 53 Domain Name Renewal (7 days before expiration)
AWS Route 53 Domain Name Renewal (30 days before expiration)
Route 53 Record Set Group
Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint
Ensure S3 Bucket exists for A records routing traffic to an S3 Bucket website endpoint
IAM User
Avoid the use of the 'root' account
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Ensure credentials unused for 45 days or greater are disabled (First access key)
Ensure credentials unused for 45 days or greater are disabled (Console password)
Ensure credentials unused for 45 days or greater are disabled (Second access key)
Ensure access keys are rotated every 90 days or less (First access key)
Ensure access keys are rotated every 90 days or less (Second access key)
IAM user with admin or wide permissions without MFA enabled
Ensure no root account access key exists
Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account
Ensure IAM Users Receive Permissions Only Through Groups
Use managed policies instead of inline IAM Policies
Ensure AWS IAM users have no more than one active Access Key
Ensure inactive IAM access keys are deleted
Ensure IAM users have either access key or console password enabled
Ensure 'root' account does not have an active X.509 signing certificate
Ensure IAM users inactive for 90 days or more are disabled
Ensure second access key is rotated every 45 days or less
Ensure first access key is rotated every 30 days or less
Ensure second access key is rotated every 30 days or less
Ensure first access key is rotated every 45 days or less
Do not set up access keys during initial user setup for IAM users that have a console password
Ensure IAM users inactive for 30 days or more are disabled
Ensure IAM users are members of at least one IAM group
Ensure IAM users do not have administrator privileges
Ensure IAM user password is rotated every 90 days or less
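Almost every IAM User rule above can be answered from a single artifact, the IAM credential report (aws iam get-credential-report), which has one row per user plus a <root_account> row. The following is an added example of evaluating that report, not the product's implementation. The CSV layout matches the real report after base64 decoding, but the rows, the account ID and the 30-day window for "root account used recently" are constructed or assumed here; the 45-day unused and 90-day rotation thresholds are the ones the rule titles state.

```python
"""Evaluate an IAM credential report against the IAM User rules above.

Added example, not the product's own implementation. The CSV uses the column
layout that `aws iam get-credential-report` returns after base64 decoding;
the rows, the account ID and the 30-day "root used recently" window are
constructed or assumed here. The 45-day and 90-day thresholds come from the
rule titles.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"
UNUSED_DAYS = 45          # "credentials unused for 45 days or greater"
ROTATION_DAYS = 90        # "access keys are rotated every 90 days or less"
ROOT_USE_DAYS = 30        # assumption: any root activity in the last 30 days is flagged


def _date(value):
    """Parse a report timestamp; N/A, no_information and not_supported give None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def _older_than(stamp, days, now):
    return stamp is not None and now - stamp > timedelta(days=days)


def evaluate_row(row, now):
    """Return the rule names one report row trips (root rules are separate)."""
    findings = []
    active_keys = [n for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]
    if row["user"] == ROOT_USER:
        if active_keys:
            findings.append("root-access-key-exists")
        if row["mfa_active"] != "true":
            findings.append("root-mfa-disabled")
        if "true" in (row["cert_1_active"], row["cert_2_active"]):
            findings.append("root-signing-certificate-active")
        used = [_date(row["password_last_used"])] + [
            _date(row[f"access_key_{n}_last_used_date"]) for n in active_keys]
        if any(d is not None and not _older_than(d, ROOT_USE_DAYS, now) for d in used):
            findings.append("root-account-used-recently")
        return findings
    if row["password_enabled"] == "true":
        if row["mfa_active"] != "true":
            findings.append("console-user-without-mfa")
        # A password that was never used is measured from when it was last set.
        last = _date(row["password_last_used"]) or _date(row["password_last_changed"])
        if _older_than(last, UNUSED_DAYS, now):
            findings.append("password-unused-45d")
    for n in active_keys:
        rotated = _date(row[f"access_key_{n}_last_rotated"])
        last_used = _date(row[f"access_key_{n}_last_used_date"]) or rotated
        if _older_than(last_used, UNUSED_DAYS, now):
            findings.append(f"access-key-{n}-unused-45d")
        if _older_than(rotated, ROTATION_DAYS, now):
            findings.append(f"access-key-{n}-not-rotated-90d")
    if len(active_keys) > 1:
        findings.append("multiple-active-access-keys")
    if row["password_enabled"] != "true" and not active_keys:
        findings.append("no-credentials-enabled")
    return findings


def evaluate_report(report_csv, now):
    """Map user name -> findings for every row that trips at least one rule."""
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        findings = evaluate_row(row, now)
        if findings:
            results[row["user"]] = findings
    return results


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed report: root with an access key and no MFA, a clean user, a user
# with a stale password and two keys, and a CI user whose key has gone unused.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T09:00:00+00:00,not_supported,2024-05-20T08:12:00+00:00,not_supported,not_supported,false,true,2019-03-01T09:05:00+00:00,2024-05-20T08:12:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-01-10T10:00:00+00:00,true,2024-05-30T07:00:00+00:00,2024-04-01T10:00:00+00:00,2024-06-30T10:00:00+00:00,true,true,2024-04-01T10:00:00+00:00,2024-05-31T12:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-06-15T10:00:00+00:00,true,2023-12-01T07:00:00+00:00,2023-11-01T10:00:00+00:00,2024-01-30T10:00:00+00:00,false,true,2023-01-05T10:00:00+00:00,2024-05-28T12:00:00+00:00,eu-west-1,ec2,true,2024-05-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2023-02-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-02-01T10:00:00+00:00,2023-03-15T12:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

if __name__ == "__main__":
    for user, findings in evaluate_report(SAMPLE_REPORT, NOW).items():
        print(f"{user}: {', '.join(findings)}")
```

The report is generated on request and cached by AWS for a few hours, so last-used timestamps may lag; treat a "just under the threshold" result as a warning rather than a pass. The 30-day and 45-day rotation variants in the list above are the same check with ROTATION_DAYS changed.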
AWS Identity and Access Management (IAM)
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM password policy prevents password reuse
Ensure IAM password policy expires passwords within 90 days or less
IAM Role
Ensure that custom IAM Role doesn't have an overly permissive scope (Contains a wildcard)
Ensure that IAM role names cannot be enumerated
Ensure that trust policies of roles which can be assumed by external entities include a Condition
Ensure that IAM Role doesn't have excessive permissions (Allowing all actions)
IAM role unused for more than 90 days
Ensure EKS Node Group IAM role does not have administrator privileges
Ensure cross-account IAM Role uses MFA or external ID as a condition
Amazon Elastic Container Service
Ensure that ECS Service role doesn't have excessive permissions (Contains a wildcard)
Ensure that ECS Service managed role doesn't have an overly permissive scope (Contains a wildcard)
Ensure there are no inline policies attached to the ECS service
ECS Service with Admin Roles
IAM Policy
Ensure a support role has been created to manage incidents with AWS Support
Ensure IAM policies that allow full '*:*' administrative privileges are not created
Ensure AWS IAM policies allow only the required privileges for each role
Ensure AWS IAM policies do not grant 'assume role' permission across all services
Ensure policy attached to IAM identities requires SSL/TLS to manage IAM access keys
Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version
Ensure AWS IAM managed policies do not grant 's3:GetObject' or full S3 action permissions
Ensure undedicated AWS IAM managed policies do not have full action permissions
Ensure all IAM policies are in use
Ensure IAM users, groups, and roles cannot create or update login profiles (passwords) for IAM users
Ensure IAM users, groups, and roles have restricted IAM access key permissions
Ensure IAM users, groups, and roles have restricted MFA permissions
Ensure IAM policies do not combine Effect 'Allow' with a 'NotAction' element
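The IAM Policy rules above and the IAM Role rules before them (wildcard actions, full '*:*' privileges, Allow with NotAction, sts:AssumeRole on all resources, password/access-key/MFA management rights, and trust policies that let external accounts in without a Condition, an ExternalId or MFA) are all static checks on policy JSON. The following is an added example of those checks, not the product's code. Identity policies have the shape of the "Document" that boto3's iam.get_policy_version returns; trust policies are the AssumeRolePolicyDocument from iam.get_role. The account ID 123456789012, the rule names and all sample documents are constructed for this demo.

```python
"""Static checks on IAM policy documents for the IAM Role and IAM Policy rules above.

Added example, not the product's own rules. Identity policies have the shape
of the "Document" from boto3's iam.get_policy_version; trust policies are the
AssumeRolePolicyDocument from iam.get_role. The account ID, the rule names
and all sample documents are constructed for this demo.
"""
import fnmatch

ACCOUNT_ID = "123456789012"    # constructed: the account that owns the roles

# Sensitive actions the rules single out; a grant that covers any of them,
# directly, via iam:* or via a bare *, trips the named rule.
PRIVILEGED_ACTIONS = {
    "can-set-login-profiles": ("iam:CreateLoginProfile", "iam:UpdateLoginProfile"),
    "can-manage-access-keys": ("iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey"),
    "can-manage-mfa": ("iam:EnableMFADevice", "iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"),
    "s3-getobject-or-full-s3": ("s3:GetObject",),
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(patterns, action):
    """True if any IAM action pattern (case-insensitive glob) covers `action`."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def check_identity_policy(doc):
    """Return the sorted rule names an identity-based (user/group/role) policy trips."""
    findings = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants every action except the listed ones,
            # including actions of services that do not exist yet.
            findings.add("allow-with-notaction")
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.add("full-admin-privileges")
        if any("*" in a for a in actions):
            findings.add("wildcard-action")
        if "*" in resources and _covers(actions, "sts:AssumeRole"):
            findings.add("assume-role-on-all-resources")
        for rule, probes in PRIVILEGED_ACTIONS.items():
            if any(_covers(actions, probe) for probe in probes):
                findings.add(rule)
    return sorted(findings)


def _principal_accounts(principal):
    """Yield the account IDs (or '*') named by the AWS principals of a statement."""
    if principal == "*":
        yield "*"
    elif isinstance(principal, dict):
        for entry in _as_list(principal.get("AWS")):
            if entry == "*" or entry.isdigit():
                yield entry
            elif entry.count(":") >= 5:        # arn:partition:service:region:account:resource
                yield entry.split(":")[4]


def check_trust_policy(doc, account_id=ACCOUNT_ID):
    """Return the sorted rule names a role's trust policy trips."""
    findings = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _covers(_as_list(stmt.get("Action")), "sts:AssumeRole"):
            continue
        external = [a for a in _principal_accounts(stmt.get("Principal")) if a != account_id]
        if not external:
            continue                           # same-account or service principals only
        if "*" in external:
            findings.add("assumable-by-anyone")
        condition = stmt.get("Condition") or {}
        if not condition:
            findings.add("external-principal-without-condition")
        keys = {k.lower() for block in condition.values() if isinstance(block, dict) for k in block}
        if not keys & {"sts:externalid", "aws:multifactorauthpresent"}:
            findings.add("cross-account-without-mfa-or-external-id")
    return sorted(findings)


# Constructed sample documents.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
NOTACTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}
DEPLOY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"], "Resource": "arn:aws:s3:::deploy-artifacts/*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sqs:SendMessage"], "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"}]}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole"}]}
SAFE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}
SERVICE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, doc in [("admin", ADMIN_POLICY), ("notaction", NOTACTION_POLICY), ("deploy", DEPLOY_POLICY)]:
        print(name, check_identity_policy(doc))
    for name, doc in [("open", OPEN_TRUST), ("safe", SAFE_TRUST), ("service", SERVICE_TRUST)]:
        print(name, check_trust_policy(doc))
```

Two design points worth noting: a bare "*" trips every action-based rule at once, which is intended (an admin policy can set passwords and keys), and service principals are skipped in the trust check because the cross-account rules are about other AWS accounts, not AWS services. Federated principals (SAML, OIDC) use sts:AssumeRoleWithSAML / WithWebIdentity and are likewise out of scope for this check.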
Amazon VPC Endpoints
Ensure that VPC Endpoint policy does not provide excessive permissions
IAM SAML Identity Provider
Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
Region
Ensure that IAM Access analyzer is enabled for all regions
Ensure AWS Config is enabled in all regions
Ensure CloudTrail is enabled in all regions
Ensure VPC Flow Logging is Enabled in all Applicable Regions
CloudTrail
Ensure a multi-region CloudTrail trail exists
Ensure CloudTrail log file validation is enabled
Ensure that CloudTrail trails are integrated with CloudWatch Logs
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
AWS Key Management Service (KMS)
Ensure rotation for customer-created CMKs is enabled
EKS Cluster
Ensure that AWS EKS Cluster control plane logging is enabled
AWS Network-Firewall
Ensure Network firewall flow logging is enabled
Ensure Network firewall alerts logging is enabled
Amazon VPC
Updated 5 months ago