Scan Results

Account ID:

123456789123

Scan Completed at:

2024-05-24 13:49:36.757538

Scan Role/User:

arn:aws:sts::123456789123:assumed-role/Snotra_Cross_Account/snotra

CIS Benchmark
Checks
85
PASSED
31
FAILED
43
INFO
10
Identity and Access Management
ID Level Name Result
1.1 1 Maintain current contact details (CIS)

INFO

1.2 1 Ensure security contact information is registered (CIS)

INFO

1.3 1 Ensure security questions are registered in the AWS account (CIS)

INFO

1.4 1 Ensure no root user account access key exists (CIS)

PASS

1.5 1 Ensure MFA is enabled for the root user account (CIS)

FAIL

1.6 2 Ensure hardware MFA is enabled for the root user account (CIS)

FAIL

1.7 1 Eliminate use of the 'root' user for administrative and daily tasks (CIS)

INFO

1.8 1 Ensure IAM password policy requires minimum length of 14 or greater (CIS)

PASS

1.9 1 Ensure IAM password policy prevents password reuse (CIS)

FAIL

1.10 1 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (CIS)

FAIL

1.11 1 Do not setup access keys during initial user setup for all IAM users that have a console password (CIS)

PASS

1.12 1 Ensure credentials unused for 45 days or greater are disabled (CIS)

FAIL

1.13 1 Ensure there is only one active access key available for any single IAM user (CIS)

FAIL

1.14 1 Ensure access keys are rotated every 90 days or less (CIS)

FAIL

1.15 1 Ensure IAM Users Receive Permissions Only Through Groups (CIS)

FAIL

1.16 1 Ensure Custom IAM policies that allow full *:* administrative privileges are not attached (CIS)

PASS

1.17 1 Ensure a support role has been created to manage incidents with AWS Support (CIS)

FAIL

1.19 1 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (CIS)

INFO

1.21 2 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (CIS)

INFO

1.22 1 Ensure access to AWSCloudShellFullAccess is restricted (CIS)

PASS

Storage
ID Level Name Result
2.1.1 2 Ensure S3 Bucket Policy is set to deny HTTP requests (CIS)

FAIL

2.1.2 2 Ensure MFA Delete is enable on S3 buckets (CIS)

FAIL

2.1.3 2 Ensure all data in Amazon S3 has been discovered classified and secured when required (CIS)

INFO

2.1.4 1 Ensure that S3 Buckets are configured with Block public access (bucket settings) (CIS)

FAIL

Logging
ID Level Name Result
3.1 1 Ensure CloudTrail is enabled in all regions (CIS)

PASS

3.2 2 Ensure CloudTrail log file validation is enabled (CIS)

FAIL

3.4 1 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (CIS)

FAIL

3.5 2 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (CIS)

FAIL

3.8 2 Ensure that Object-level logging for write events is enabled for S3 bucket (CIS)

FAIL

3.9 2 Ensure that Object-level logging for read events is enabled for S3 bucket (CIS)

FAIL

Monitoring
ID Level Name Result
4.1 2 Ensure unauthorized API calls are monitored (CIS)

FAIL

4.2 1 Ensure management console sign-in without MFA is monitored (CIS)

FAIL

4.3 1 Ensure usage of 'root' account is monitored (CIS)

FAIL

4.4 1 Ensure IAM policy changes are monitored (CIS)

FAIL

4.5 1 Ensure CloudTrail configuration changes are monitored (CIS)

FAIL

4.6 1 Ensure AWS Management Console authentication failures are monitored (CIS)

FAIL

4.7 1 Ensure disabling or scheduled deletion of customer created CMKs is monitored (CIS)

FAIL

4.8 1 Ensure S3 bucket policy changes are monitored (CIS)

FAIL

4.9 2 Ensure AWS Config configuration changes are monitored (CIS)

FAIL

4.10 2 Ensure security group changes are monitored (CIS)

FAIL

4.11 2 Ensure Network Access Control Lists (NACL) changes are monitored (CIS)

FAIL

4.12 1 Ensure changes to network gateways are monitored (CIS)

FAIL

4.13 1 Ensure route table changes are monitored (CIS)

FAIL

4.14 1 Ensure VPC changes are monitored (CIS)

FAIL

4.15 1 Ensure AWS Organizations changes are monitored (CIS)

FAIL

Networking / EC2
ID Level Name Result
2.2.1 1 Ensure EBS Volume Encryption is Enabled in all Regions (CIS)

FAIL

5.1 1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (CIS)

FAIL

5.2 1 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (CIS)

PASS

5.4 2 Ensure the default security group of every VPC restricts all traffic (CIS)

FAIL

5.5 2 Ensure routing tables for VPC peering are least access (CIS)(Manual)

PASS

2.2.2 1 Ensure there are no Public EBS Snapshots (CIS)

PASS

2.10 1 Unused Network Interfaces (CIS)

PASS

2.5 2 Ensure running instances are not more than 180 days old (CIS)

PASS

2.8 2 Ensure EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required (CIS)

PASS

2.9 2 EC2 Instances Not Managed By AWS Systems Manager (CIS)

PASS

2.2.3 1 Unencrypted EBS Snapshots (CIS)

FAIL

5.3 1 Ensure no security groups allow ingress from ::/0 to remote server administration ports (CIS)

PASS

2.13 1 Ensure Secrets and Sensitive Data are not stored directly in EC2 User Data (CIS)(Manual)

PASS

2.6 2 EC2 Instances Without Detailed Monitoring Enabled (CIS)

PASS

2.11 1 Stopped EC2 Instances (CIS)

PASS

2.1.1 1 Ensure Consistent Naming Convention is used for Organizational AMI (CIS)

INFO

2.1.2 1 Ensure Images (AMI's) are encrypted (CIS)

FAIL

2.2.4 1 Ensure unused EBS volumes are removed (CIS)

PASS

2.7 1 Ensure Default EC2 Security groups are not being used (CIS)

PASS

2.12 1 Ensure EBS volumes attached to an EC2 instance is marked for deletion upon instance termination (CIS)

PASS

Lambda
ID Level Name Result
4.9 1 Ensure there are no Lambda functions with admin privileges within your AWS account (CIS)

PASS

4.2 1 Ensure Cloudwatch Lambda insights is enabled (CIS)

FAIL

4.5 1 Ensure every Lambda function has its own IAM Role (CIS)

PASS

4.6 1 Ensure Lambda functions are not exposed to everyone (CIS)

PASS

4.8 1 Ensure that Code Signing is enabled for Lambda functions (CIS)

FAIL

4.10 1 Ensure Lambda functions do not allow unknown cross account access via permission policies (CIS)

PASS

Elastic Beanstalk
ID Level Name Result
6.1 1 Ensure Managed Platform updates is configured (CIS)

PASS

6.2 1 Ensure Persistent logs is setup and configured to S3 (CIS)

PASS

Filter

Access Analyzer


Ensure that IAM Access analyzer is enabled for all regions (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.

Remediation

Enable Access Analyzer in all regions

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

Access Analyzer is not enabled in any region

AutoScaling


Ensure EC2 Auto Scaling Groups Propagate Tags to EC2 Instances that it launches (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Tags can help with managing, identifying, organizing, searching for, and filtering resources. Additionally, tags can help with security and compliance. Tags can be propagated from an Auto Scaling group to the EC2 instances that it launches. Without tags, EC2 instances created via Auto Scaling can be without tags and could be out of compliance with security policy.

Remediation

AWS Console 1. Login to AWS Console using https://console.aws.amazon.com 2. Click All services and click EC2 under Compute. 3. Select Auto Scaling Groups. 4. Click Edit for each Auto Scaling Group. 5. Check the Tag new instances Box for the Auto Scaling Group. 6. Click Update. 7. Repeat Steps 1-6 for each AWS Region used

Affected

['123456789123']

Analysis

No failing auto scaling groups found

Resource Group Stagging API


Ensure Tags Do Not Contain Sensitive or PII Data

Impact: MEDIUM

Probability: LOW

Status: INFO

CVSS: Score: 5.9

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

This check lists all the tags being used in your account. It is possible to attackers to enumerate valid Tag keys and their corresponding values, therefore tags should not be used to store PII, confidential or otherwise sensitive information.

Remediation

Review the in use tags and remove any that contain sensitive information

Affected

['123456789123']

Analysis

Name

['npk-us-west-2', 'npk-us-west-2-com.amazonaws.us-west-2.s3', 'npk-us-west-2-subnet-us-west-2a', 'npk-us-west-2-subnet-us-west-2b', 'npk-us-west-2-subnet-us-west-2c', 'npk-us-west-2-subnet-us-west-2d']

Environment

[]

Terraform

[]

name

[]

project

[]

alpha.eksctl.io/cluster-name

[]

alpha.eksctl.io/cluster-oidc-enabled

[]

alpha.eksctl.io/eksctl-version

[]

aws:cloudformation:logical-id

[]

aws:cloudformation:stack-id

[]

aws:cloudformation:stack-name

[]

eksctl.cluster.k8s.io/v1alpha1/cluster-name

[]

owner

[]
All Resources

Impact: INFO

Probability: INFO

Status: INFO

CVSS: Score: N/A

CVSS: Vector: N/A

Description

A list of all resources (ARNs) in the account

Remediation

Affected

['123456789123']

Analysis

  • arn:aws:ec2:ap-south-1:123456789123:internet-gateway/igw-0a56e92b5654d178c
  • arn:aws:ec2:ap-south-1:123456789123:subnet/subnet-0a6c3031fec65a32c
  • arn:aws:ec2:ap-south-1:123456789123:vpc/vpc-0ce0a3b1d6f5d72b2
  • arn:aws:ec2:ap-south-1:123456789123:vpc-endpoint/vpce-12345678912345612
  • arn:aws:events:ap-south-1:123456789123:rule/npkSpotInterruptCatcher
  • arn:aws:ec2:ap-south-1:123456789123:route-table/rtb-078cffe6b9d0a7694
  • arn:aws:ec2:ap-south-1:123456789123:subnet/subnet-0c4c0e7bca4f2d206
  • arn:aws:ec2:ap-south-1:123456789123:subnet/subnet-07227702fcd0749f0
  • arn:aws:ec2:eu-north-1:123456789123:route-table/rtb-0042bad8a50f3e137
  • arn:aws:ec2:eu-north-1:123456789123:security-group/sg-0ff1440d5afff01b8
  • arn:aws:ec2:eu-north-1:123456789123:subnet/subnet-0d85864b4af236599
  • arn:aws:ec2:eu-north-1:123456789123:vpc/vpc-06037f8f319b7a581
  • arn:aws:ec2:eu-north-1:123456789123:route-table/rtb-00ac6f36e53835c81
  • arn:aws:ec2:eu-north-1:123456789123:subnet/subnet-0707f26182698d1bd
  • arn:aws:ec2:eu-north-1:123456789123:vpc/vpc-020c281870a0300dc
  • arn:aws:ec2:eu-north-1:123456789123:internet-gateway/igw-0a9f4de58ee6cb00a
  • arn:aws:ec2:eu-north-1:123456789123:route-table/rtb-0ca097e0967b1a83d
  • arn:aws:ec2:eu-north-1:123456789123:route-table/rtb-0f575b4574f8e0840
  • arn:aws:ec2:eu-north-1:123456789123:route-table/rtb-09541f134ed3392b5
  • arn:aws:ec2:eu-north-1:123456789123:security-group/sg-04de967a6ef313d71
  • arn:aws:events:eu-north-1:123456789123:rule/npkSpotInterruptCatcher
  • arn:aws:ec2:eu-north-1:123456789123:internet-gateway/igw-04dab8d948476ec62
  • arn:aws:ec2:eu-north-1:123456789123:subnet/subnet-04ed3fd71cc383f78
  • arn:aws:ec2:eu-west-3:123456789123:subnet/subnet-0b4c345af4e1f81f7
  • arn:aws:ec2:eu-west-3:123456789123:route-table/rtb-0afa8b1f17c772006
  • arn:aws:ec2:eu-west-3:123456789123:subnet/subnet-04066fc77f94ba66f
  • arn:aws:ec2:eu-west-3:123456789123:internet-gateway/igw-0a5def68ccbebf7f7
  • arn:aws:ec2:eu-west-3:123456789123:subnet/subnet-011730457a7dfdf90
  • arn:aws:ec2:eu-west-3:123456789123:vpc-endpoint/vpce-12345678912345612
  • arn:aws:events:eu-west-3:123456789123:rule/npkSpotInterruptCatcher
  • arn:aws:ec2:eu-west-2:123456789123:network-insights-path/nip-03018ca41f5adf21b
  • arn:aws:ec2:eu-west-2:123456789123:subnet/subnet-0a9f1954e96f6c175
  • arn:aws:events:eu-west-2:123456789123:rule/AutoScalingManagedRule
  • arn:aws:ec2:eu-west-2:123456789123:elastic-ip/eipalloc-02aa13ed539df61f4
  • arn:aws:ec2:eu-west-2:123456789123:network-insights-path/nip-01cfcb69ce89040e8
  • arn:aws:ec2:eu-west-2:123456789123:route-table/rtb-03b1d30a450424917
  • arn:aws:rbin:eu-west-2:123456789123:rule/xdJ6XgRizT9
  • arn:aws:ec2:eu-west-2:123456789123:image/ami-0e079aaa08a0156d6
  • arn:aws:ec2:eu-west-2:123456789123:internet-gateway/igw-052bd8eed5b146ace
  • arn:aws:ec2:eu-west-2:123456789123:route-table/rtb-0df14d6ac0f6f9f28
  • arn:aws:ec2:eu-west-2:123456789123:subnet/subnet-08d0e60b7c9438c18
  • arn:aws:ec2:us-west-2:123456789123:subnet/subnet-03a3c57f7403c8053

API Gateway


API Gateways In Use

Impact: INFO

Probability: INFO

Status: INFO

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Remediation

Affected

['123456789123']

Analysis

rest_apis

{'eu-west-2': [{'id': 'eaj7tpkm0g', 'name': 'API', 'createdDate': '2023-06-29 18:57:57+00:00', 'binaryMediaTypes': ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'], 'apiKeySource': 'HEADER', 'endpointConfiguration': {'types': ['REGIONAL']}, 'disableExecuteApiEndpoint': False, 'rootResourceId': '0csr90tg8j'}, {'id': 'eojlncbp61', 'name': 'FulScopingForm', 'createdDate': '2023-06-30 12:39:06+00:00', 'binaryMediaTypes': ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'], 'apiKeySource': 'HEADER', 'endpointConfiguration': {'types': ['REGIONAL']}, 'disableExecuteApiEndpoint': False, 'rootResourceId': 'cnuzcwano8'}, {'id': 'jfhns8hruj', 'name': 'timeData-API', 'description': 'Created by AWS Lambda', 'createdDate': '2023-08-03 13:59:30+00:00', 'apiKeySource': 'HEADER', 'endpointConfiguration': {'types': ['REGIONAL']}, 'disableExecuteApiEndpoint': False, 'rootResourceId': 'h4yd7pq0w4'}, {'id': 'jqtk7cfz4h', 'name': 'NRGlog', 'createdDate': '2023-07-06 13:41:17+00:00', 'apiKeySource': 'HEADER', 'endpointConfiguration': {'types': ['REGIONAL']}, 'disableExecuteApiEndpoint': False, 'rootResourceId': 'tv02mqg82e'}, {'id': 'uivu79mc1e', 'name': 'WebAppScoping', 'createdDate': '2023-07-04 14:15:54+00:00', 'binaryMediaTypes': ['vnd.openxmlformats-officedocument.wordprocessingml.document'], 'apiKeySource': 'HEADER', 'endpointConfiguration': {'types': ['REGIONAL']}, 'disableExecuteApiEndpoint': False, 'rootResourceId': 'lp6z3t89ob'}]}
API Gateways Using Lambda Authorizers

Impact: INFO

Probability: INFO

Status:

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Remediation

Affected

['123456789123']

Analysis

No API Gateway Authorizers in use

ACM


ACM Certificate with Transparency Logging Set to Disabled

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

The account under review contains SSL/TLS certificates that do not have Transparency app.logger enabled. Disabling Transparency Logging may result in browsers not trusting your certificate. As of April 30 2018, Google Chrome no longer trusts public SSL/TLS certificates that are not recorded in a certificate transparency log. Transparency Logging should be enabled as a best practice.

Remediation

Enable Certificate Transparancy Logging on all certificates.

Affected

['arn:aws:acm:eu-west-2:123456789123:certificate/62867c6c-82a8-4e7f-bb60-8c836c833f9f']

Analysis

The affected Certificates do not have transparancy app.logger enabled.

Expired ACM Certificates

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

The account under review contains SSL/TLS certificates that have expired. Expired certificates will often result in users not being able to connect to your service resulting in loss of availability.

Remediation

Monitor certificate expiration and take action to renew; replace or remove expired certificates as requried. AWS Config can be used to monitor your account for expired certificates with the managed rule acm-certificate-expiration-check.

Affected

['123456789123']

Analysis

No expired certificates found.

Athena


Ensure that encryption at rest is enabled for Amazon Athena query results stored in Amazon S3

Impact: LOW

Probability: LOW

Status: PASS

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Ensure that encryption at rest is enabled for Amazon Athena query results stored in Amazon S3 in order to secure data and meet compliance requirements for data-at-rest encryption. If not enabled sensitive information at rest is not protected.

Remediation

Enable Encryption for the affected Work Groups

Affected

['123456789123']

Analysis

No Athena Work Groups found that do not utilise encryption

Cloud Formation


CloudFormation Stacks Output (Check For Secrets)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Remediation

Affected

['123456789123']

Analysis

Indexes are enabled in all regions

CloudFormation Stacks Do Not Have Termination Protection Enabled

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected Cloudformation stacks do not have termination protection enabled. Without termination protection critical cloudformation stacks can be accidently deleted resulting in potential loss of data integrity and availability

Remediation

Ensure termination protection is enabled for the cloudFormation stacks. More Information https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html

Affected

['123456789123']

Analysis

All Stacks have termination protection enabled

Role Passed To CLoud Formation Stack

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Passing a role to CloudFormation stacks may result in privilege escalation because IAM users with privileges within the CloudFormation scope implicitly inherit the stack's role's permissions. Consequently, it should be ensured that the IAM privileges assigned to the stack's role follow the principle of least privilege.

Remediation

Review the affected roles and ensure the principal of least privilege has been applied

Affected

['123456789123']

Analysis

All Stacks have termination protection enabled

CloudTrail


Ensure CloudTrail is enabled in all regions (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).

Remediation

Enable CloudTrail in all regions

Affected

['management-events']

Analysis

The affected trails are multi region enabled.

Ensure CloudTrail log file validation is enabled (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails. Enabling log file validation will provide additional integrity checking of CloudTrail logs.

Remediation

Enabled log file validation on all your trails

Affected

['management-events']

Analysis

The affected trails do not have log file validation enabled.

Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

Impact: LOW

Probability: LOW

Status: PASS

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs. Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.

Remediation

Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

Affected

['123456789123']

Analysis

No public cloud trail buckets found.

Ensure CloudTrail trails are integrated with CloudWatch Logs

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution. Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.

Remediation

Ensure CloudTrail trails are integrated with CloudWatch Logs

Affected

['management-events']

Analysis

The affected trails are not integrated with CloudWatch Logs.

Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.

Remediation

Ensure the CloudTrail S3 bucket has access logging is enabled

Affected

['management-events']

Analysis

The affected trails do not have S3 bucket access logging enabled.

Ensure CloudTrail logs are encrypted at rest using KMS CMKs (CIS)

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.

Remediation

Configure CloudTrail to use SSE-KMS for encryption at rest.

Affected

['management-events']

Analysis

The affected trails do not encrypt logs at rest.

Ensure that Object-level logging for write events is enabled for S3 bucket (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.

Remediation

Enable S3 bucket Object-level logging for write events in CloudTrail

Affected

['123456789123']

Analysis

No trails were found with S3 Object-Level Logging enabled.

Ensure that Object-level logging for read events is enabled for S3 bucket (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.

Remediation

Enable S3 bucket Object-level logging for read events in CloudTrail

Affected

['123456789123']

Analysis

No trails were found with S3 Object-Level Logging enabled.

CloudWatch


Ensure unauthorized API calls are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

Remediation

Create a log metric filter and alarm for unauthorized API calls in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for unauthorized API calls could be found.

Ensure management console sign-in without MFA is monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA). Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.

Remediation

Create a log metric filter and alarm for Management Console sign-in without MFA in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for Management Console sign-in without MFA could be found.

Ensure usage of 'root' account is monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for 'root' login attempts. Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.

Remediation

Create a log metric filter and alarm for usage of root account in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for usage of 'root' account could be found.

Ensure IAM policy changes are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies. Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.

Remediation

Create a log metric filter and alarm for IAM policy changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for IAM policy changes could be found.

Ensure CloudTrail configuration changes are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.

Remediation

Create a log metric filter and alarm for CloudTrail configuration changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for CloudTrail configuration changes could be found

Ensure AWS Management Console authentication failures are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.

Remediation

Create a log metric filter and alarm for AWS Management Console authentication failures in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for AWS Management Console authentication failures could be found.

Ensure disabling or scheduled deletion of customer created CMKs is monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys will no longer be accessible.

Remediation

Create a log metric filter and alarm for disabling or scheduled deletion of customer created CMKs in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for disabling or scheduled deletion of customer created CMKs could be found.

Ensure S3 bucket policy changes are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.

Remediation

Create a log metric filter and alarm for S3 bucket policy changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for S3 bucket policy changes could be found.

Ensure AWS Config configuration changes are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.

Remediation

Create a log metric filter and alarm for AWS Config configuration changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for AWS Config configuration changes.

Ensure security group changes are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups. Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.

Remediation

Create a log metric filter and alarm for security group changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for security group changes.

Ensure Network Access Control Lists (NACL) changes are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups. Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.

Remediation

Create a log metric filter and alarm for changes to Network Access Control Lists (NACL) in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for changes to Network Access Control Lists (NACL).

Ensure changes to network gateways are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups. Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.

Remediation

Create a log metric filter and alarm for changes to network gateways in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for changes to network gateways.

Ensure route table changes are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.

Remediation

Create a log metric filter and alarm for route table changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for route table changes.

Ensure VPC changes are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.

Remediation

Create a log metric filter and alarm for route table changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for VPC changes.

Ensure AWS Organizations changes are monitored (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account. Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.

Remediation

Create a log metric filter and alarm for route table changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for AWS Organizations changes.

CloudWatch Alarms with no actions

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The account under review contains CloudWatch alarms that have not been configured with any actions. To enable effective active monitoring of the account for suspicious activities all alarms should be configured with at least one action, normally raising a notification via the AWS SNS.

Remediation

Ensure all CloudWatch alarms are configured with at least one action. More Information: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html

Affected

['123456789123']

Analysis

All CloudWatch alarms have actions configured.

CodeBuild


Codebuild Projects Environment Variables (Check For Secrets)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Remediation

Affected

['123456789123']

Analysis

No Code Build Projects or Environment Variables in use

Config


Ensure AWS Config is enabled in all regions (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

Remediation

It is recommended AWS Config be enabled in all regions.

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

AWS Config is not enabled in any region

Ensure AWS Config is Enabled for Lambda and Serverless (CIS)(Manual)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

With AWS Config, you can track configuration changes to the Lambda functions (including deleted functions), runtime environments, tags, handler name, code size, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations. This gives you a holistic view of the Lambda function’s lifecycle and enables you to surface that data for potential audit and compliance requirements.

Remediation

From the Console: 1. Login to AWS Console using https://console.aws.amazon.com 2. Click All services, click Config under Management & Governance. 3. This will open up the Config dashboard. 4. Click Conformance packs 5. Click on Deploy conformance pack 6. Click on Use sample template 7. Click the down arrow under Sample template 8. Scroll down and click on Operational Best Practices for Serverless 9. Click Next 10. Give it a Conformance pack name Serverless. 11. Click Next 12. Click Deploy conformance pack 13. Click on Deploy conformance pack 14. Click on Use sample template 15. Click the down arrow under Sample template 16. Scroll down and click on Security Best Practices for Lambda 17. Click Next 18. Give it a Conformance pack name LambaSecurity. 19. Click Next 20. Click Deploy conformance pack 21. Repeat steps 2-20 for all regions used.

Affected

['123456789123']

Analysis

No conformance packs in use

DynamoDB


Dynamo DB Tables Without Deletion Protection Enabled

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 4.0

CVSS: Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

Deletion protection can keep your table from being accidentally deleted. This section describes some best practices for using deletion protection. For all active production tables, the best practice is to turn on the deletion protection setting and protect these tables from accidental deletion. This also applies to global replicas. When serving application development use cases, if the table management workflow includes frequently deleting and recreating development and staging tables then the deletion protection setting can be turned off. This will allow intentional deletion of such tables by authorized IAM principals.

Remediation

You can protect a table from accidental deletion with the deletion protection property. Enabling this property for tables helps ensure that tables do not get accidentally deleted during regular table management operations by your administrators. This will help prevent disruption to your normal business operations. More Information https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html#WorkingWithTables.Basics.DeletionProtection

Affected

['Campaigns (eu-west-2)', 'Settings (eu-west-2)', 'testdata (eu-west-2)', 'timeData (eu-west-2)']

Analysis

The Affected Dynamo DB Tables do not have Deletion Protection enabled

Unused Dynamo DB Tables

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Remediation

Delete any unysed Dynamo DB tables.

Affected

['timeData (eu-west-2)']

Analysis

The Affected Dynamo DB Tables have no items and should be remvoed if not in use.

Dynamo DB Tables Without Point In Time Recovery Enabled

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 4.0

CVSS: Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

Point-in-time recovery helps protect your DynamoDB tables from accidental write or delete operations. With point-in-time recovery, you don't have to worry about creating, maintaining, or scheduling on-demand backups. For example, suppose that a test script writes accidentally to a production DynamoDB table. With point-in-time recovery, you can restore that table to any point in time during the last 35 days. DynamoDB maintains incremental backups of your table.

Remediation

Consider enabled Point In Time Recovery for important Tables. More Informaiton https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery_Howitworks.html

Affected

['Campaigns (eu-west-2)', 'Settings (eu-west-2)', 'timeData (eu-west-2)']

Analysis

The Affected Dynamo DB Tables have no items and should be remvoed if not in use.

EC2


Ensure IAM instance roles are used for AWS resource access from instances

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. AWS Access means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources. AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it. Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials

Remediation

Discontinue the use of hard coded access keys for EC2 instance and use IAM Roles via Instance Profiles instead. IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.

Affected

['123456789123']

Analysis

No failing instances found

Ensure EBS Volume Encryption is Enabled in all Regions (CIS)

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported. Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Remediation

Ensure EBS default volume encryption is enabled in all regions

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

Default Encryption is not enabled in any region

Ensure VPC flow logging is enabled in all VPCs

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet Rejects for VPCs. VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.

Remediation

Enable VPC Flow Logs on all VPCs

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

VPC Flow logging is not enabled in any region

Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (CIS)

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.

Remediation

Apply the principle of least privilege and only allow RDP and SSH traffic from a whitelist of trusted IP addresses

Affected

['acl-009261248c2068dad(ap-south-1)', 'acl-00fd0c2abc745d599(ap-south-1)', 'acl-0fa7cf03586df4fbd(eu-north-1)', 'acl-0edd528d851029ee2(eu-north-1)', 'acl-09a7bb84d2d813d2d(eu-north-1)', 'acl-03ab0b83248df1db4(eu-west-3)', 'acl-0658341e62a6a3008(eu-west-3)', 'acl-03f88bd77b1e0c8eb(eu-west-2)', 'acl-039ae4ef70bdfbb4c(eu-west-2)', 'acl-69e1dd10(eu-west-1)', 'acl-0f323d82c53f1c55b(eu-west-1)', 'acl-0076f692d6f02b233(ap-northeast-3)', 'acl-0a0d00b5348439c9d(ap-northeast-3)', 'acl-02322020865cb5ddf(ap-northeast-2)', 'acl-0f8290aa730284aa2(ap-northeast-2)', 'acl-04f27c2c2044622ad(ap-northeast-1)', 'acl-0a4d409aa68832e54(ap-northeast-1)', 'acl-013159bc9af1810e7(ca-central-1)', 'acl-0106179f82200f732(ca-central-1)', 'acl-06e952edc85182cb0(sa-east-1)', 'acl-0d8ff5a2d3de992bb(sa-east-1)', 'acl-013ee4263d55da66e(ap-southeast-1)', 'acl-0421bbc8cc1c75463(ap-southeast-1)', 'acl-07e1a2e94c46be744(ap-southeast-2)', 'acl-0356c746944726c78(ap-southeast-2)', 'acl-0c0709414ffeb80b2(eu-central-1)', 'acl-0e42587a316eac77b(us-east-1)', 'acl-010aad66b557b746f(us-east-1)', 'acl-0ab22d463207e7e64(us-east-2)', 'acl-c190cdaa(us-east-2)', 'acl-0bd54c6fa95af227e(us-west-1)', 'acl-0a81c996659043a0f(us-west-1)', 'acl-0c8ce55a7b81c9f5c(us-west-2)', 'acl-0ff543073cd09b8a6(us-west-2)']

Analysis

the affected Network ACLs allow admin ingress traffic from 0.0.0.0/0.

Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (CIS)

Impact: MEDIUM

Probability: MEDIUM

Status: PASS

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389 . Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.

Remediation

Apply the principle of least privilege and only allow RDP and SSH traffic from a whitelist of trusted IP addresses

Affected

['123456789123']

Analysis

No security groups that allow remote server administration ingress traffic from 0.0.0.0/0 found

Ensure the default security group of every VPC restricts all traffic (CIS)

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups. Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.

Remediation

Configure default security groups in all VPCs to be default deny and restrict all traffic

Affected

['sg-0a314816aa895132b(ap-south-1)', 'sg-0af38847cb19cb563(ap-south-1)', 'sg-081482b88ebb7988e(eu-north-1)', 'sg-08b1777543fa4637b(eu-north-1)', 'sg-03a069f290ea50715(eu-north-1)', 'sg-0439395f5e411b756(eu-west-3)', 'sg-023b2be245242e7b3(eu-west-3)', 'sg-058b0a66dc798b698(eu-west-2)', 'sg-05ff04e4e29ddaeaf(eu-west-2)', 'sg-0c7775e31da6d7fa4(eu-west-1)', 'sg-4426f36d(eu-west-1)', 'sg-00274a6cc0eefb35d(ap-northeast-3)', 'sg-05080cb113855f12f(ap-northeast-3)', 'sg-0870e37a58908be1f(ap-northeast-2)', 'sg-0fd644190b02c4f69(ap-northeast-2)', 'sg-0f3e361c425b87e43(ap-northeast-1)', 'sg-0ab180b5ba4a6b6b7(ap-northeast-1)', 'sg-0c63ee71b7f31d854(ca-central-1)', 'sg-05abad2dcff4b48ca(ca-central-1)', 'sg-099a28c4e0d6e32eb(sa-east-1)', 'sg-0c164af0da7d4714e(sa-east-1)', 'sg-03213efa34d340d1c(ap-southeast-1)', 'sg-0760e9733c202522b(ap-southeast-1)', 'sg-0a2e50217af254790(ap-southeast-2)', 'sg-0c80e5e6c50445153(ap-southeast-2)', 'sg-0eadba3b286877302(eu-central-1)', 'sg-0637e217be731a014(us-east-1)', 'sg-0f03c4cef60faae65(us-east-1)', 'sg-1368005f(us-east-2)', 'sg-0d92b948131edc5aa(us-east-2)', 'sg-0fdff4d2881f8f232(us-west-1)', 'sg-039c25f686a5da83d(us-west-1)', 'sg-06dafc607ac6af8f1(us-west-2)', 'sg-09f1d0dc8f70f3d74(us-west-2)']

Analysis

The affected default security groups have inbound rules configured.

Ensure routing tables for VPC peering are least access (CIS)(Manual)

Impact: LOW

Probability: LOW

Status: PASS

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection. Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.

Remediation

Configure routing tables for VPC perring following the principle of least access

Affected

['123456789123']

Analysis

VPC Peering not in use

Unused Security Groups

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected security groups have not been applied to any instances and therefore not in use. To maintain the hygiene of the environment, make maintenance and auditing easier and reduce the risk of security groups erroneously being used and inadvertently granting more access than required, all old unused security groups should be removed.

Remediation

Ensure all security groups that are temporary and not being used are deleted when no longer required.

Affected

['sg-0d5cd845019f9ae74(ap-south-1)', 'sg-04de967a6ef313d71(eu-north-1)', 'sg-04f06b71a2a87a5d6(eu-north-1)', 'sg-0a07ed63d2b9c0495(eu-north-1)', 'sg-0ff1440d5afff01b8(eu-north-1)', 'sg-0c829af8101892d40(eu-west-3)', 'sg-03e816df63093b265(eu-west-2)', 'sg-0e888c944f859af1c(eu-west-2)', 'sg-071678c9b60e6f706(eu-west-2)', 'sg-093a6be443e114daa(eu-west-2)', 'sg-0ca4f3b2d087bf5ed(eu-west-2)', 'sg-0b65e6cdde143cb54(eu-west-2)', 'sg-033d7c8214374d8f1(eu-west-2)', 'sg-001917fa35b9f2f43(eu-west-2)', 'sg-09a36d3672abf2a6d(eu-west-2)', 'sg-0eef0c895a9c79bb5(eu-west-2)', 'sg-07d72de4bf1ffe86a(eu-west-2)', 'sg-094b3687fc4081c0d(eu-west-2)', 'sg-04f5bdb7e88066202(eu-west-2)', 'sg-0810126de1550c2c1(eu-west-2)', 'sg-0fc65db2957e0cf22(eu-west-2)', 'sg-045c745509861283c(eu-west-2)', 'sg-056fa4cad847376c8(eu-west-2)', 'sg-068996079947df8b9(eu-west-2)', 'sg-0be246f3ded8f622d(eu-west-2)', 'sg-06c629b3fb677e3cb(eu-west-2)', 'sg-053b7de777367801d(eu-west-1)', 'sg-04f9fe0852ef9d5e1(eu-west-1)', 'sg-0d4614b2322e49863(eu-west-1)', 'sg-02378e479910ac2dd(eu-west-1)', 'sg-094e289964a5deef8(eu-west-1)', 'sg-0337a2cffd2be0f74(ap-northeast-3)', 'sg-0048294aba4c3710f(ap-northeast-2)', 'sg-05c4f35c00ea1f0dc(ap-northeast-1)', 'sg-0dae91ee2dc09c002(ca-central-1)', 'sg-0a41cda207237d040(sa-east-1)', 'sg-081d891221ff00a34(ap-southeast-1)', 'sg-01cfab9854bfdc1b7(ap-southeast-2)', 'sg-0d3ddc4a57a4bae5c(us-east-1)', 'sg-0808450a16c5dddc5(us-east-1)', 'sg-0fcf4f56839bbdb8b(us-east-1)', 'sg-0fc1d7aee53296e5e(us-east-2)', 'sg-0c35ffc160add986f(us-west-1)', 'sg-0643fb8141dd8aca1(us-west-2)']

Analysis

The affected security groups are not attached to any resources and therefore are not being used

Unused Elastic IPs

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Although not a security risk, Amazon Web Services enforce a small hourly charge if an Elastic IP (EIP) address within your account is not associated with a running EC2 instance or an Elastic Network Interface (ENI). To ensure account hygiene and saves costs on your month bill it is recommended to release any elastic IPs that are no longer required.

Remediation

To release an Elastic IP address using the console: 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. 2. In the navigation pane, choose Elastic IPs. 3. Select the Elastic IP address, choose Actions, and then select Release addresses. Choose Release when prompted. More information: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

Affected

['1.2.3.4(eu-west-2)']

Analysis

the affected elastic IPs are not associated with any network interfaces and are therefore not being used

Ensure there are no Public EBS Snapshots (CIS)

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

EBS Snapshots that are public are accessible by all AWS principals, and therefore anyone with an AWS account. To reduce the risk of sensitive data being exposed to unauthorised bearers only share EBS snapshots with trusted accounts.

Remediation

Remove public access from your EBS snapshots and only share them with trusted accounts.

Affected

['123456789123']

Analysis

No Public EBS Snapshots found

Ensure there are no Public EC2 AMIs

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The reviewed AWS account contains an AWS AMI that is publicly accessible. When you make your AMIs publicly accessible, these become available in the Community AMIs where everyone with an AWS account can use them to launch EC2 instances. AMIs can contain snapshots of your applications (including their data), therefore exposing your snapshots in this manner is not advised. Ensure that your AWS AMIs are not publicly shared with the other AWS accounts in order to avoid exposing sensitive data. If required, you can share your images with specific AWS accounts without making them public

Remediation

Remove public access from your EC2 AMIs and only share them with trusted accounts.

Affected

['123456789123']

Analysis

No Public AMIs found

Ensure no security groups allow ingress from 0.0.0.0/0 to database ports

Impact: MEDIUM

Probability: MEDIUM

Status: PASS

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no Security Groups allows unrestricted ingress access to database ports, such as MySQL to port 3306, PostgreSQL to port 5432 and MSSQL to port 1433. Public access to remote database ports increases resource attack surface and unnecessarily raises the risk of resource compromise.

Remediation

Apply the principle of least privilege and only allow direct database traffic from a whitelist of trusted IP addresses

Affected

['123456789123']

Analysis

No security groups that allow database ingress traffic from 0.0.0.0/0 found

Ensure no Network ACLs allow ingress from 0.0.0.0/0 to database ports

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to database ports, such as MySQL to port 3306, PostgreSQL to port 5432 and MSSQL to port 1433. Public access to databse ports increases resource attack surface and unnecessarily raises the risk of resource compromise.

Remediation

Apply the principle of least privilege and only allow database traffic from a whitelist of trusted IP addresses

Affected

['acl-009261248c2068dad(ap-south-1)', 'acl-00fd0c2abc745d599(ap-south-1)', 'acl-0fa7cf03586df4fbd(eu-north-1)', 'acl-0edd528d851029ee2(eu-north-1)', 'acl-09a7bb84d2d813d2d(eu-north-1)', 'acl-03ab0b83248df1db4(eu-west-3)', 'acl-0658341e62a6a3008(eu-west-3)', 'acl-03f88bd77b1e0c8eb(eu-west-2)', 'acl-039ae4ef70bdfbb4c(eu-west-2)', 'acl-69e1dd10(eu-west-1)', 'acl-0f323d82c53f1c55b(eu-west-1)', 'acl-0076f692d6f02b233(ap-northeast-3)', 'acl-0a0d00b5348439c9d(ap-northeast-3)', 'acl-02322020865cb5ddf(ap-northeast-2)', 'acl-0f8290aa730284aa2(ap-northeast-2)', 'acl-04f27c2c2044622ad(ap-northeast-1)', 'acl-0a4d409aa68832e54(ap-northeast-1)', 'acl-013159bc9af1810e7(ca-central-1)', 'acl-0106179f82200f732(ca-central-1)', 'acl-06e952edc85182cb0(sa-east-1)', 'acl-0d8ff5a2d3de992bb(sa-east-1)', 'acl-013ee4263d55da66e(ap-southeast-1)', 'acl-0421bbc8cc1c75463(ap-southeast-1)', 'acl-07e1a2e94c46be744(ap-southeast-2)', 'acl-0356c746944726c78(ap-southeast-2)', 'acl-0c0709414ffeb80b2(eu-central-1)', 'acl-0e42587a316eac77b(us-east-1)', 'acl-010aad66b557b746f(us-east-1)', 'acl-0ab22d463207e7e64(us-east-2)', 'acl-c190cdaa(us-east-2)', 'acl-0bd54c6fa95af227e(us-west-1)', 'acl-0a81c996659043a0f(us-west-1)', 'acl-0c8ce55a7b81c9f5c(us-west-2)', 'acl-0ff543073cd09b8a6(us-west-2)']

Analysis

The affected Network ACLs allow database ingress traffic from 0.0.0.0/0.

Ensure default Network ACLs are not default allow

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Network Access Control Lists (NACLs) are stateless firewalls that allow you to control traffic flow in and out of your VPCs at the subnet layer. By default, NACLs are configured to allow all inbound and outbound traffic. NACLs provide a first line of defence against malicious network traffic and can provide defence in depth when used alongside strict security groups. Configuring NACLs can minimise the risk of a misconfigured security group or weak default security group exposing sensitive or vulnerable services to the internet and can provide a separation of responsibilities between developers and architecture teams. All Network Access Control Lists within the tested account are currently configured to allow all inbound and outbound traffic on all ports.

Remediation

Configure all NACLs applying the principle of least privilege and only allows the traffic required for the application or service to function. NOTE: Because NACLs are stateless return traffic on ephemeral unprivileged ports will need to be accounted for. More Information http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

Affected

['acl-009261248c2068dad(ap-south-1)', 'acl-00fd0c2abc745d599(ap-south-1)', 'acl-0fa7cf03586df4fbd(eu-north-1)', 'acl-0edd528d851029ee2(eu-north-1)', 'acl-09a7bb84d2d813d2d(eu-north-1)', 'acl-03ab0b83248df1db4(eu-west-3)', 'acl-0658341e62a6a3008(eu-west-3)', 'acl-03f88bd77b1e0c8eb(eu-west-2)', 'acl-039ae4ef70bdfbb4c(eu-west-2)', 'acl-69e1dd10(eu-west-1)', 'acl-0f323d82c53f1c55b(eu-west-1)', 'acl-0076f692d6f02b233(ap-northeast-3)', 'acl-0a0d00b5348439c9d(ap-northeast-3)', 'acl-02322020865cb5ddf(ap-northeast-2)', 'acl-0f8290aa730284aa2(ap-northeast-2)', 'acl-04f27c2c2044622ad(ap-northeast-1)', 'acl-0a4d409aa68832e54(ap-northeast-1)', 'acl-013159bc9af1810e7(ca-central-1)', 'acl-0106179f82200f732(ca-central-1)', 'acl-06e952edc85182cb0(sa-east-1)', 'acl-0d8ff5a2d3de992bb(sa-east-1)', 'acl-013ee4263d55da66e(ap-southeast-1)', 'acl-0421bbc8cc1c75463(ap-southeast-1)', 'acl-07e1a2e94c46be744(ap-southeast-2)', 'acl-0356c746944726c78(ap-southeast-2)', 'acl-0c0709414ffeb80b2(eu-central-1)', 'acl-0e42587a316eac77b(us-east-1)', 'acl-010aad66b557b746f(us-east-1)', 'acl-0ab22d463207e7e64(us-east-2)', 'acl-c190cdaa(us-east-2)', 'acl-0bd54c6fa95af227e(us-west-1)', 'acl-0a81c996659043a0f(us-west-1)', 'acl-0c8ce55a7b81c9f5c(us-west-2)', 'acl-0ff543073cd09b8a6(us-west-2)']

Analysis

The affected default Network ACLs allow all traffic.

Ensure custom Network ACLs do not allow all traffic

Impact: MEDIUM

Probability: MEDIUM

Status: PASS

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Network Access Control Lists (NACLs) are stateless firewalls that allow you to control traffic flow in and out of your VPCs at the subnet layer. By default, NACLs are configured to allow all inbound and outbound traffic. NACLs provide a first line of defence against malicious network traffic and can provide defence in depth when used alongside strict security groups. Configuring NACLs can minimise the risk of a misconfigured security group or weak default security group exposing sensitive or vulnerable services to the internet and can provide a separation of responsibilities between developers and architecture teams. All Network Access Control Lists within the tested account are currently configured to allow all inbound and outbound traffic on all ports.

Remediation

Configure all NACLs applying the principle of least privilege and only allows the traffic required for the application or service to function. NOTE: Because NACLs are stateless return traffic on ephemeral unprivileged ports will need to be accounted for. More Information http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

Affected

['123456789123']

Analysis

No Custom Network ACLs found.

Unused Network Interfaces (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected Network Interfaces, are not attached to any instances and therefore are not being used. To maintain the hygiene of the environment, make maintenance and auditing easier and reduce cost, all old and temporary network interfaces should be removed.

Remediation

remove network interfaces that are not in use and no longer required.

Affected

['123456789123']

Analysis

No unused Network Interfaces found.

Ensure running instances are not more than 180 days old (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The account under review contains running EC2 instances that were launched more than 180 days ago. One of the biggest benefits of cloud based infrastructure is to have mutable and short lived infrastructure that can scale and shrink with demand. Instances should be reprovisioned and rebooted periodically to ensure software and hardware resources are up to date and subject to the latest security patches. Additionally, long lived instances may no longer be adequately sized or no longer required, consuming resources and generating a cost to the company.

Remediation

Review the list of instances and ensure they subject to a regular patching policy and lifecycle management.

Affected

['123456789123']

Analysis

No instances older than 365 days found.

Ensure EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required (CIS)

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The account under review contains EC2 instances that do not enforce the use of IMDSv2. To help protect against Server Side Request Forgery (SSRF) and related vulnerabilities, which could be leveraged by an attacker to query the metadata service to steal the AWS API credentials associated with the instance profile for the running EC2 instance, AWS introduced IMDSv2 which now protects all requests with additional session authentication.

Remediation

Configure IMDSv2 on all affected EC2 instances. See the following link for more information on how to transition to version 2 of the metadata service. More Information https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/configuring-instance-metadata-service.html

Affected

['123456789123']

Analysis

No failing instances found.

EC2 Instances Not Managed By AWS Systems Manager (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The account under review contains running EC2 instances that are not managed by AWS Systems Manager. Systems Manager simplifies resource and application management, shortens the time to detect and resolve operational problems, and makes it easier to operate and manage your infrastructure at scale. AWS Systems Manager helps maintain security and compliance by scanning your instances against your patch, configuration, and custom policies. You can define patch baselines, maintain up-to-date anti-virus definitions, and enforce firewall policies. You can also remotely manage your servers at scale without manually logging in to each server. Systems Manager also provides a centralized store to manage your configuration data, whether it's plain text, such as database strings, or secrets, such as passwords. This allows you to separate your secrets and configuration data from code.

Remediation

It is recommended to configure all EC2 instances to be monitored by Systems Manager by installing and registering the SSM agent on the affected hosts. More Information https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started.html

Affected

['123456789123']

Analysis

No failing instances found.

Unencrypted EBS Volumes

Impact: LOW

Probability: LOW

Status: PASS

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

To ensure the privacy of any data stored and processed by your EC2 instances it is recommended to enable encryption on EBS volumes. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted: - Data at rest inside the volume - All data moving between the volume and the instance - All snapshots created from the volume - All volumes created from those snapshots

Remediation

There is no direct way to encrypt an existing unencrypted volume, or to remove encryption from an encrypted volume. However, you can migrate data between encrypted and unencrypted volumes. You can also apply a new encryption status while copying a snapshot: More information https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

Affected

['123456789123']

Analysis

All EBS Volumes are encrypted.

Unencrypted EBS Snapshots (CIS)

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

To ensure the privacy of any data stored and processed by your EC2 instances it is recommended to enable encryption on EBS volumes. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted: - Data at rest inside the volume - All data moving between the volume and the instance - All snapshots created from the volume - All volumes created from those snapshots

Remediation

There is no direct way to encrypt an existing unencrypted volume, or to remove encryption from an encrypted volume. However, you can migrate data between encrypted and unencrypted volumes. You can also apply a new encryption status while copying a snapshot: More information https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

Affected

['snap-12345612345612345(eu-west-2)', 'snap-12345612345612345(eu-west-2)', 'snap-12345612345612345(eu-west-2)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-central-1)', 'snap-12345612345612345(us-east-1)', 'snap-12345612345612345(us-east-1)', 'snap-12345612345612345(us-east-1)']

Analysis

The affected Snapshots are not encrypted.

Snapshots Older Than 30 days

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

With an active EBS backup strategy that takes volume snapshots daily or weekly, your data can grow rapidly and add unexpected charges to your bill. Since AWS EBS volumes snapshots are incremental, deleting previous (older) snapshots do not affect the ability to restore the volume data from later snapshots which allows you keep just the necessary backup data and lower your AWS monthly costs.

Remediation

Delete snapshots that are older than 30 days and consider implementing snapshot lifecycle management in AWS DLM

Affected

['snap-12345612345612345(eu-west-2)', 'snap-12345612345612345(eu-west-2)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(us-east-1)', 'snap-12345612345612345(us-east-1)', 'snap-12345612345612345(us-east-1)']

Analysis

The affected snapshots are older than 30 days.

Default VPCs in use

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Default VPCs created by AWS can be considered overly permissive and it is recommended to create your own VPCs instead. Default VPCs include an internet gateway, default security groups and default allow all NACLs which could result in accidental exposure of EC2 instances and data to the internet.

Remediation

Create you own VPCs as required applying the principle of least privilege to network access controls

Affected

['123456789123']

Analysis

No Default VPCs in use

Overly Permissive VPC Endpoint Policy

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 4.9

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description

VPC endpoint policies within the AWS accounts were configured with permissive default policies which could be exploited by a malicious user to exfiltrate data from the AWS environment. VPC endpoint policies are an AWS networking feature which provide private connections between resources within a VPC to supported AWS services using the backbone network and private APIs of each service. This configuration ensures that resources within a VPC do not require an Internet connection or VPN to communicate with other AWS services, directly supporting the implementation of secure isolated networks which do not require the use of potentially insecure public infrastructure. As an example, using a VPC endpoint, a service on an EC2 instance can make a request to the private API endpoint of an S3 bucket to download required objects, if a VPC endpoint has not been created for the S3 service, traffic will instead require a route via an internet gateway or similar device to the public, internet facing S3 API endpoint. Several VPC endpoint service types include the ability to configure endpoint policies to restrict the communications of resources with the associated AWS services. If no endpoint policy is defined when the endpoint is created, AWS will automatically attach a default policy which provides full, unrestricted access to the associated service. However as the default policy provides full access to the service, a malicious actor with access to the VPC could leverage the configuration to extract data from the AWS environment to write data to an attacker controlled service. For example, an S3 VPC endpoint with the default full access policy would provide full access to the private S3 APIs which could be used to extract sensitive information to an S3 bucket within an attacker controlled AWS account. This could be achieved several ways but a common method would be If a malicious user had access to an EC2 instance within the VPC, they could upload AWS access keys with write permission to an S3 bucket within their own account and use these permissions to exfiltrate data to their S3 bucket via the endpoint. Similar methods could be achieved via other endpoints and services, such as by exfiltrating secrets from AWS Secrets Manager to an attacker controlled resource.

Remediation

It is recommended that VPC endpoints are created for each supported service within each VPC to limit the requirement for internet connectivity. However a custom policy should be created in line with the principal of least privilege for all supported VPC endpoints in use within the AWS environment. These policies should ensure that network connections to AWS services is only accessible to those resources within the internal AWS environment. Care should be taken to restrict resources by name or ARN and minimise the use of wildcards which may provide unintended access to services. Additionally there are several types of VPC endpoints available including Interface endpoints which are a type of network interface providing access to the PrivateLink network for access to services. These Interface endpoints also support the use of security groups to restrict traffic, however it is recommended that these security groups are used in tandem with VPC endpoint policies as a defence-in-depth approach to implementing fine grained access controls. Other VPC endpoint types such as Gateway endpoints which act as route tables do not support the use of security groups and as such a restrictive endpoint policy should be implemented to restrict traffic to external resources. An example policy for the S3 service is provided below: { "Statement": [ { "Action": "S3:*", "Effect": "Allow", "Resource": [ "*:*:*:*:xxxxxxxxxxxx:*", "*:*:*:*:yyyyyyyyyyyy:*" ], "Principal": "*", "Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-zzzzzzzzzz" } } } ]\,} This example policy ensures that resources in the isolated network can only use the VPC endpoint for S3 if they try to interact with S3 buckets controlled by specific accounts (xxxxxxxxxxxx and yyyyyyyyyyyy) and only if the principal is from your Org (o-zzzzzzzzzz) so an attacker wouldn't be able to use their own access keys.

Affected

['vpce-12345678912345612(ap-south-1)', 'vpce-12345678912345612(eu-north-1)', 'vpce-12345678912345612(eu-west-3)', 'vpce-12345678912345612(eu-west-1)', 'vpce-12345678912345612(ap-northeast-3)', 'vpce-12345678912345612(ap-northeast-2)', 'vpce-12345678912345612(ap-northeast-1)', 'vpce-12345678912345612(ca-central-1)', 'vpce-12345678912345612(sa-east-1)', 'vpce-12345678912345612(ap-southeast-1)', 'vpce-12345678912345612(ap-southeast-2)', 'vpce-12345678912345612(us-east-1)', 'vpce-12345678912345612(us-east-2)', 'vpce-12345678912345612(us-west-1)', 'vpce-12345678912345612(us-west-2)']

Analysis

vpce-12345678912345612

{'Effect': 'Allow', 'Principal': '*', 'Action': '*', 'Resource': '*'}
Ensure no security groups allow ingress from ::/0 to remote server administration ports (CIS)

Impact: MEDIUM

Probability: MEDIUM

Status: PASS

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389 . Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.

Remediation

Apply the principle of least privilege and only allow RDP and SSH traffic from a whitelist of trusted IPv6 addresses

Affected

['123456789123']

Analysis

No security groups that allow remote server administration ingress traffic from 0.0.0.0/0 found

Ensure Secrets and Sensitive Data are not stored directly in EC2 User Data (CIS)(Manual)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

User Data can be specified when launching an ec2 instance. Examples include specifying parameters for configuring the instance or including a simple script. The user data is not protected by authentication or cryptographic methods. Therefore, sensitive data, such as passwords or long-lived encryption keys should not be stored as user data.

Remediation

From the Console 1. Login to AWS Console using https://console.aws.amazon.com 2. Click All services and click EC2 under Compute. 3. Click on Instances. 4. If the instance is currently running, stop the instance first. Note: ensure there is no negative impact from stopping the instance prior to stopping the instance. 5. For each instance, click Actions -> Instance Settings -> Edit user data 6. For each instance, edit the user data to ensure there are no secrets or sensitive data stored. A Secret Management solution such as AWS Secrets Manager can be used here as a more secure mechanism of storing necessary sensitive data. 7. Repeat this remediation for all the other AWS regions. Note: If the ec2 instances are created via automation or infrastructure-as-code, edit the user data in those pipelines and code.

Affected

['123456789123']

Analysis

No user data found

Ensure All Security Group Rules Have A Description

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected Security Groups contain rules which do not have a corresponding description. Setting a description on all rules improves readbility, helps ensure maintainability of the account and will help minimise mistakes when configuring or updating rules.

Remediation

Ensure all rules have a suitable description.

Affected

['sg-0fc65db2957e0cf22(eu-west-2)', 'sg-04f9fe0852ef9d5e1(eu-west-1)', 'sg-08b1777543fa4637b(eu-north-1)', 'sg-05ff04e4e29ddaeaf(eu-west-2)', 'sg-0439395f5e411b756(eu-west-3)', 'sg-0810126de1550c2c1(eu-west-2)', 'sg-001917fa35b9f2f43(eu-west-2)', 'sg-0808450a16c5dddc5(us-east-1)', 'sg-0fdff4d2881f8f232(us-west-1)', 'sg-0be246f3ded8f622d(eu-west-2)', 'sg-0eadba3b286877302(eu-central-1)', 'sg-0637e217be731a014(us-east-1)', 'sg-0c7775e31da6d7fa4(eu-west-1)', 'sg-093a6be443e114daa(eu-west-2)', 'sg-07d72de4bf1ffe86a(eu-west-2)', 'sg-081482b88ebb7988e(eu-north-1)', 'sg-05abad2dcff4b48ca(ca-central-1)', 'sg-0c63ee71b7f31d854(ca-central-1)', 'sg-0e888c944f859af1c(eu-west-2)', 'sg-0ca4f3b2d087bf5ed(eu-west-2)', 'sg-045c745509861283c(eu-west-2)', 'sg-071678c9b60e6f706(eu-west-2)', 'sg-0ab180b5ba4a6b6b7(ap-northeast-1)', 'sg-0eef0c895a9c79bb5(eu-west-2)', 'sg-0d3ddc4a57a4bae5c(us-east-1)', 'sg-0d92b948131edc5aa(us-east-2)', 'sg-068996079947df8b9(eu-west-2)', 'sg-053b7de777367801d(eu-west-1)', 'sg-0f3e361c425b87e43(ap-northeast-1)', 'sg-039c25f686a5da83d(us-west-1)']

Analysis

The affected security groups contains rules without a description

EC2 Instances Without Detailed Monitoring Enabled (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Enabling detailed monitoring provides enhanced monitoring and granular insights into EC2 instance metrics. Not having detailed monitoring enabled may limit the ability to troubleshoot performance and security related issues effectively. Data is available in 1-minute periods. For the instances where you've enabled detailed monitoring, you can also get aggregated data across groups of similar instances. You are charged per metric that is sent to CloudWatch. You are not charged for data storage. Due to this added cost it is recommended that you only enable this on critical instances.

Remediation

Enable detailed monitoring for appropriate instances. NOTE: Additional costs are incurred when detailed monitoring is enabled.

Affected

['123456789123']

Analysis

No failing instances found

EC2 Instances with a Public IP Address

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Affected Instances have a Public IP Address Attached

Remediation

Review Public IPs to ensure an appropriate Security Group has been applied applying the principle of least privilege.

Affected

['123456789123']

Analysis

No Public IPs found

Stopped EC2 Instances (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected EC2 Instances are currently in a stopped state. To maintain account hygiene and reduce potential storage and Elastic IP costs is recommended to terminate all stopped instances that are no longer required. the CIS benchmark recommends that all instances stopped for 90 days are deleted.

Remediation

Terminate the affected instances if no longer requried.

Affected

['123456789123']

Analysis

No stopped instances found.

Ensure Consistent Naming Convention is used for Organizational AMI (CIS)

Impact: INFO

Probability: INFO

Status: INFO

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The naming convention for AMI (Amazon Machine Images) should be documented and followed for any AMI's created. The majority of AWS resources can be named and tagged. Most organizations have already created standardize naming conventions, and have existing rules in effect. They simply need to extend that for all AWS cloud resources to include Amazon Machine Images (AMI)

Remediation

If the AMI Name for an AMI doesn't follow Organization policy Perform the following to copy and rename the AMI: From the Console: 1. Login to the EC2 console at https://console.aws.amazon.com/ec2/. 2. In the left pane click Images, click AMIs. 3. Select the AMI that does not comply to the naming policy. 4. Click on Actions. 5. Click on Copy AMI

Affected

['snotra_AMI_Kali', 'snotra_AMI_Kali', 'snotra_AMI_Kali']

Analysis

The affected images were found in your account, review them to ensure a consistent naming convention is in use

Ensure Images (AMI's) are encrypted (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Amazon Machine Images should utilize EBS Encrypted snapshots AMIs backed by EBS snapshots should use EBS encryption. Snapshot volumes can be encrypted and attached to an AMI.

Remediation

Perform the following to encrypt AMI EBS Snapshots: From the Console: 1. Login to the EC2 console at https://console.aws.amazon.com/ec2/. 2. In the left pane click on AMIs. 3. Select the AMI that does not comply to the encryption policy. 4. Click on Actions. 5. Click on Copy AMI.

Affected

['snotra_AMI_Kali', 'snotra_AMI_Kali', 'snotra_AMI_Kali']

Analysis

snotra_AMI_Kali

['snap-12345612345612345']
Ensure unused EBS volumes are removed (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Identify any unused Elastic Block Store (EBS) volumes in your AWS account and remove them. Any Elastic Block Store volume created in your AWS account contains data, regardless of being used or not. If you have EBS volumes (other than root volumes) that are unattached to an EC2 instance they should be removed to prevent unauthorized access or data leak to any sensitive data on these volumes. Once a EBS volume is deleted, the data will be lost. If this is data that you need to archive, create an encrypted EBS snapshot before deleting them.

Remediation

From Console: 1. Login to the EC2 console using https://console.aws.amazon.com/ec2/ 2. Under Elastic Block Store, click Volumes. 3. Find the State column 4. Sort by Available 5. Select the Volume that you want to delete. 6. Click Actions, Delete volume, Yes, Delete Note: EBS volumes can be in different regions. Make sure to review all the regions being utilized.

Affected

['123456789123']

Analysis

No unused volumes found

Ensure Default EC2 Security groups are not being used (CIS)

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

When an EC2 instance is launched a specified custom security group should be assigned to the instance. When an EC2 Instance is launched the default security group is automatically assigned. In error a lot of instances are launched in this way, and if the default security group is configured to allow unrestricted access, it will increase the attack footprint allowing the opportunity for malicious activity.

Remediation

From the Console: 1. Login to EC2 using https://console.aws.amazon.com/ec2/ 2. On the left Click Network & Security, click Security Groups. 3. Select Security Groups 4. Click on the default Security Group you want to review. 5. Click Actions, View details. 6. Select the Inbound rules tab 7. Click on Edit inbound rules 8. Click on Delete for all the rules listed 9. Once there are no rules listed click on 'Save rules` 10. Repeat steps no. 3 – 8 for any other default security groups listed.

Affected

['123456789123']

Analysis

Default security groups are not in use

Ensure EBS volumes attached to an EC2 instance is marked for deletion upon instance termination (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

This rule ensures that Amazon Elastic Block Store volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances are marked for deletion when an instance is terminated. If an Amazon EBS volume isn’t deleted when the instance that it’s attached to is terminated, it may violate the concept of least functionality.

Remediation

From the CLI 1. Run the modify-instance-attribute command using the list of instances collected in the audit. <code>aws ec2 modify-instance-attribute --instance-id i-123456abcdefghi0 --block-device-mappings "[{"DeviceName":"/dev/sda","Ebs":{"DeleteOnTermination":true}}]"</code> 2. Repeat steps no. 1 with the other instances discovered in all AWS regions.

Affected

['123456789123']

Analysis

No EBS volumes without Delete on termination enabled found

ECR


ECR Image Scan on Push is not Enabled

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open source CoreOS Clair project and provides you with a list of scan findings. You can review the scan findings for information about the security of the container images that are being deployed. You can manually scan container images stored in Amazon ECR, or you can configure your repositories to scan images when you push them to a repository. The last completed image scan findings can be retrieved for each image. Amazon ECR sends an event to Amazon EventBridge (formerly called CloudWatch Events) When a new repository is configured to scan on push, all new images pushed to the repository will be scanned. Results from the last completed image scan can then be retrieved.

Remediation

Enable scan on push for all repositories in the affected account. More Information: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#scanning-repository

Affected

['123456789123']

Analysis

No failing repositories found

ECR Image Repositories Do Not Have a LifeCycle Policy Applied

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected Repositories do not have a Lifecycle policy, Amazon ECR repositories run the risk of retaining a larfe number of container images, resulting in unnecessary cost.

Remediation

It is recomended to review the affected repositories and apply a suitable lifecycle policy to minimise storage requirements and costs More Information https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html

Affected

['123456789123']

Analysis

No failing repositories found

EFS


EFS Grants Access To All Clients

Impact: MEDIUM

Probability: LOW

Status:

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

The account being reviewed was found to contain an EFS (elastic File System) that has no File System Policy configured and therefore allows network clients to access all files hosted on the system without any restrictions. To minimise the risk of sensitive date being disclosed to unauthorised network bearers consider implementing IAM policies to control who can access the filesystem and what actions they can perform (read, write, etc).

Remediation

Configure a File System Policy for the affect EFS end points and apply the principle of least privilege. More Information https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html

Affected

['123456789123']

Analysis

No File Systems in use

Ensure that encryption is enabled for EFS file systems (CIS)

Impact: LOW

Probability: LOW

Status:

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

EFS data should be encrypted at rest using AWS KMS (Key Management Service). Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.

Remediation

Enable AWS KMS encryption for all Elastic File Systems.

Affected

['123456789123']

Analysis

No File Systems in use

ELB


Internet Facing Load Balancers

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

internet facing Elastic Load Balancers expose additional attack surface to potentiall malicious actors.

Remediation

Apply Security Groups to your load balancers using the principle of least privilege by only allowing access to services from a white list of trusted IP addresses.

Affected

['123456789123']

Analysis

No internet facing load balancers found

Internet Facing Load Balancers Using Unencrypted HTTP Listeners

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 5.4

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Description

The account under review contains Elastic Load Balancers (ELBs) that accept connection over unencrypted HTTP listeners To protect the Privacy and Integrity of data in transit between end users and your AWS hosted services it is recommended to use encrypted HTTPS listeners.

Remediation

Disable existing HTTP listeners and replace them with HTTPS listeners as required. You can also configure HTTP listeners to redirect to HTTPS if preferred. More information,nhttps://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

Affected

['123456789123']

Analysis

No HTTP listeners found.

ELB Listeners with Weak TLS Configuration

Impact: LOW

Probability: LOW

Status: PASS

CVSS: Score: 7.4

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

The affected ALBs have an SSL/TLS protected listeners which are insufficiently protected against known cryptographic attacks which could allow a Man in the Middle (MitM) attacker to recover plain text from an encrypted SSL/TLS connection. To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victims network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defences such as switched networks are not sufficient to prevent this. An attacker situated in the users ISP or the applications hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internets core infrastructure. Data submitted over an unencrypted connection is vulnerable to interception and can be tampered with. This could result in users sessions being compromised, credentials being captured, and sensitive and/or personal information being exposed.

Remediation

In short, the following summarises SSL/TLS hardening options that should be considered: - Use 2048-bit RSA private keys and 256bit ECDSA private keys - Renew certificates on an annual basis - Use strong certificate signature algorithms (sha256) - Disable SSL v2, SSL v3,TLS v1.0 and TLS v1.1 - support TLS 1.2 and 1.3. - Disable insecure cipher suites (ADH, Null, Export, RC4 and 3DES) - Support Forward Secrecy (ECDHE) - Use strong key exchange algorithms (ECDHE and DHE > 2048-bit) - Ensure the underlying software is patched and up to date - Encrypt everything and eliminate mixed HTTP/HTTPS content - Implement HTTP Strict Transport Security (HSTS) to ensure secure connections cannot be downgraded to an insecure connection. - Support TLS_FALLBACK_SCSV to prevent protocol downgrade attacks - Disable SSL/TLS Compression. Note: Implementing a strong SSL/TLS configuration can result in user agents no longer being able to connect to your site due to lack of compatible cipher suites.

Affected

['123456789123']

Analysis

No TLS issues found.

ALBs Not Configured To Drop Invalid Headers

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The AWS account under review is using Application Load Balancers (ALBs) that do not have protection against HTTP Request Smuggling attacks enabled. HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users. Due to the highly distributed and segmented nature of cloud-based applications HTTP request smuggling vulnerabilities have been discovered in AWS services. Although AWS CloudFront will protect against HTTP request Smuggling by default, protection in ALBs is not enabled by default and has to be configured. More information https://portswigger.net/web-security/request-smuggling

Remediation

To help protection against HTTP Request Smuggling attacks enable the "Drop Invalid Header Fields" attribute for all affected ALBs. Note: If your application is using nonstandard headers this may break your applications, It seems AWS considers standard headers to only include alphanumeric characters and hyphens, but it is hard to find exactly what AWS considers to be a standard header as documentation is lacking.

Affected

['123456789123']

Analysis

All Application Load Balancers are configured to drop invalid HTTP headers.

ALB HTTP Desync Mitigation Mode Not Enabled

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The account under review contains classic load balancers that do not have Desync Mitigation mode enabled. To help protect against HTTP Desync attacks it is recommended to enable Desync Mitigation mode and set it to “strictest”. Desync mitigation mode protects your application from issues due to HTTP Desync. The load balancer classifies each request based on its threat level, allows safe requests, and then mitigates risk as specified by the mitigation mode that you specify. The desync mitigation modes are monitor, defensive, and strictest. The default is the defensive mode, which provides durable mitigation against HTTP desync while maintaining the availability of your application. You can switch to strictest mode to ensure that your application receives only requests that comply with RFC 7230.

Remediation

Configured Desync Mitigation Mode to "Strictest" or "Defensive" for all affected ELBs. More Information https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-desync-mitigation-mode.html

Affected

['123456789123']

Analysis

All Application Load Balancers have HTTP desync mitigation mode enabled.

Lack of ELB Access Logging

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

A number of Elastic Load Balancers were identified which do not have access app.logger enabled. Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the clients IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues. It is recommended that access app.logger is enabled on all public load balancers.

Remediation

Enable ELB access logs for all affected load balancers. There is no additional cost to enable the creation of ELB access logs, however there is an additional S3 cost to store the logs. More Information https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

Affected

['123456789123']

Analysis

All Application Load Balancers have Access Logging enabled.

Load Balancer Deletion Protection not Configured

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The AWS account under review has Elastic Load Balancers (ELB) in use that do not have deletion protection enabled. For an extra layer of protection against human error by preventing your load balancers from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled.

Remediation

To enable deletion protection using the console 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. 2. On the navigation pane, under LOAD BALANCING, choose Load Balancers. 3. Select the load balancer. 4. On the Description tab, choose Edit attributes. 5. On the Edit load balancer attributes page, select Enable for Delete Protection, and then choose Save. 6. Choose Save. To disable deletion protection using the console 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. 2. On the navigation pane, under LOAD BALANCING, choose Load Balancers. 3. Select the load balancer. 4. On the Description tab, choose Edit attributes. 5. On the Edit load balancer attributes page, clear Enable for Delete Protection, and then choose Save. 6. Choose Save. NOTE: If you enable deletion protection for your load balancer, you must disable it before you can delete the load balancer. More Information https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#deletion-protection

Affected

['123456789123']

Analysis

All Application Load Balancers have Deletion Protection enabled.

Organisations


Ensure Tag Policies are Enabled (CIS)

Impact: INFO

Probability: INFO

Status: INFO

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Tag policies help you standardize tags on all tagged resources across your organization. You can use tag policies to define tag keys (including how they should be capitalized) and their allowed values.

Remediation

From the Console: You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. 1. Login to AWS Organizations using https://console.aws.amazon.com/organizations/ 2. In the Left pane click on Policies 3. Click on Tag policies 4. Click on Enable Tag Policies 5. The page is update with a list of the Available policies and the ability to create one.

Affected

['123456789123']

Analysis

AccessDeniedException

Ensure an Organizational EC2 Tag Policy has been Created (CIS)(Manual)

Impact: INFO

Probability: INFO

Status: INFO

CVSS: Score: N/A

CVSS: Vector: N/A

Description

A tag policy enables you to define tag compliance rules to help you maintain consistency in the tags attached to your organization's resources. You can use an EC2 tag policy to enforce your tag strategy across all of your EC2 resources.

Remediation

From the Console: You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. To create a tag policy 1. Login to the AWS Organizations using https://console.aws.amazon.com/organizations/ 2. Left hand side Click on Policies 3. Under Support policy types click on Tag policies 4. Under Available policies click on Create policy 5. Enter policy name 6. Enter policy description (Indicate this is the EC2 tag policy) 7. For New tag key 1, specify the name of a tag key to add. 8. For Tag key capitalization compliance select the box for Use the capitalization to enable this option mandating a specific capitalization for the tag key using this policy. 9. For Resource types to enforce check the box for Prevent non-compliant operations for this tag 10. Click on Specify resource types 11. Expand EC2 12. Select ec2:image, ec2:instance, ec2:reserved-instances 13. Click Save changes 14. Click Create policy

Affected

['123456789123']

Analysis

AccessDeniedException

GuardDuty


GuardDuty Not Enabled In All Regions

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

GuardDuty is an AWS threat detection service that detects compromised access keys, EC2 instances, and more, allowing you to identify malicious activity and unauthorised behaviour within your account.

Remediation

Enable GuardDuty in all AWS regions

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

AWS GuardDuty is not enabled in any region

High Risk GuardDuty findings

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

High Risk Guardduty findings have been found within your AWS account. GuardDuty is an AWS threat detection service that detects compromised access keys, EC2 instances, and more, allowing you to identify malicious activity and unauthorised behaviour within your account.

Remediation

Review all outstanding Guardduty findins and investigate, respond and remediate as required. It is reccomended to review findings on a regular basis.

Affected

['123456789123']

Analysis

No issues found

IAM


Maintain current contact details (CIS)

Impact: INFO

Probability: INFO

Status: INFO

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system. If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.

Remediation

Ensure contact email and telephone details for AWS accounts are current. This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing ).

Affected

['123456789123']

Analysis

Manual Check

Ensure security contact information is registered (CIS)

Impact: INFO

Probability: INFO

Status: INFO

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided. Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.

Remediation

Ensure security contact information is registered, Note: Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.

Affected

['123456789123']

Analysis

Manual Check

Ensure security questions are registered in the AWS account (CIS)

Impact: INFO

Probability: INFO

Status: INFO

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established. When creating a new AWS account, a default super user is automatically created. This account is referred to as the root user or root account. It is recommended that the use of this account be limited and highly controlled. During events in which the root password is no longer accessible or the MFA token associated with root is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover root user login access.

Remediation

Ensure security questions are registered in the AWS account

Affected

['123456789123']

Analysis

Manual Check

Ensure no root user account access key exists (CIS)

Impact: HIGH

Probability: LOW

Status: PASS

CVSS: Score: 8.1

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root user account be removed. Removing access keys associated with the root user account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.

Remediation

Ensure no root user account access key exists

Affected

['123456789123']

Analysis

No Root Access Keys Found

Ensure MFA is enabled for the root user account (CIS)

Impact: HIGH

Probability: MEDIUM

Status: FAIL

CVSS: Score: 9.1

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device. Note: When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. non-personal virtual MFA - This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company. Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.

Remediation

Enable MFA for the root user account. Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.

Affected

['123456789123']

Analysis

Root MFA Not Enabled

Ensure hardware MFA is enabled for the root user account (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides. Note: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.

Remediation

Ensure hardware MFA is enabled for the root user account

Affected

['123456789123']

Analysis

Root MFA Not Enabled

Eliminate use of the 'root' user for administrative and daily tasks (CIS)

Impact: HIGH

Probability: LOW

Status: INFO

CVSS: Score: 8.1

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks. The root user has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.

Remediation

If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user: 1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user. **Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.

Affected

['123456789123', '123456789123']

Analysis

password last used: 2023-07-10T15:05:10+00:00 Access Key 1 last used: N/A Access Key 2 last used: N/A

Ensure IAM password policy requires minimum length of 14 or greater (CIS)

Impact: MEDIUM

Probability: MEDIUM

Status: PASS

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14. Setting a password complexity policy increases account resiliency against brute force login attempts.

Remediation

Ensure IAM password policy requires minimum length of 14 or greater

Affected

[]

Analysis

Minimum Password Length = 15

Ensure IAM password policy prevents password reuse (CIS)

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. Preventing password reuse increases account resiliency against brute force login attempts.

Remediation

Ensure IAM password policy prevents password reuse

Affected

['123456789123']

Analysis

Password Reuse Prevention = 5

Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (CIS)

Impact: HIGH

Probability: MEDIUM

Status: FAIL

CVSS: Score: 9.1

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password. Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.

Remediation

Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

Affected

['[email protected]', 'hank.rearden']

Analysis

The affected users do not have MFA enabled.

Do not setup access keys during initial user setup for all IAM users that have a console password (CIS)

Impact: MEDIUM

Probability: MEDIUM

Status: PASS

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user. Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.

Remediation

Do not setup access keys during initial user setup. Remove any access keys that are no longer required.

Affected

['123456789123']

Analysis

No unused Access Keys found.

Ensure credentials unused for 45 days or greater are disabled (CIS)

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed. Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Remediation

Ensure credentials unused for 45 days or greater are disabled

Affected

['[email protected]', 'john.galt']

Analysis

The affected users have credentials (password or keys) not used in the last 45 days.

Ensure there is only one active access key available for any single IAM user (CIS)

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK) Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.

Remediation

Ensure there is only one active access key available for any single IAM user

Affected

['[email protected]']

Analysis

The affected users have more than one access key.

Ensure access keys are rotated every 90 days or less (CIS)

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.

Remediation

Ensure access keys are rotated every 90 days or less

Affected

['john.galt']

Analysis

The affected users have access keys that have not been rotated in the last 90 days.

Ensure IAM Users Receive Permissions Only Through Groups (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended. Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.

Remediation

Ensure IAM Users Receive Permissions Only Through Groups

Affected

['john.galt']

Analysis

The affected users have managed or inline policies directly attached.

Ensure Custom IAM policies that allow full *:* administrative privileges are not attached (CIS)

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 8.1

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. Where Administrator access is required use the AWS Management policy instead of Customer Managed or Inline Policies.

Remediation

Customer Managed and Inline policies that grant full administrative privileges should be removed in favour of AWS Managed policies. Ensure all permissions are applied using the principle of least privilege and remove adminisrtator access from anyone that doesnt require it.

Affected

['123456789123']

Analysis

No custom policies that allow full *:* privileges found.

Ensure a support role has been created to manage incidents with AWS Support (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.

Remediation

Ensure a support role has been created

Affected

['123456789123']

Analysis

AWSSupportAccess Policy is not attached to any entities

Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (CIS)

Impact: MEDIUM

Probability: LOW

Status: INFO

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.

Remediation

Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed

Affected

['123456789123', '123456789123']

Analysis

No server certificates found

Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (CIS)

Impact: INFO

Probability: INFO

Status: INFO

CVSS: Score: N/A

CVSS: Vector: N/A

Description

In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations. Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.

Remediation

Manage IAM user centrally and have them assume roles, configured following the priniciple of least privilege, within target accounts when requiring access

Affected

['123456789123']

Analysis

Manual Check

Unused IAM Groups

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected IAM groups, do not contain any users and are therefore not being used. To maintain the hygiene of the environment, make maintenance and auditing easier and reduce the risk of IAM groups erroneously being used and inadvertently granting more access than required, all old unused IAM groups should be removed.

Remediation

Ensure all IAM groups that are temporary and not being used are deleted when no longer required.

Affected

['123456789123']

Analysis

No unused IAM Groups found.

Cross-Account AssumeRole Policy Lacks External ID

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 5.5

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Description

The affected AWS account has a number of Cross-Account assume role policies which lack an external ID. Policies which lack an external ID are vulnerable to what is known as the Confused Deputy Problem. An assume role policy allow a trust relationship to be set up between two accounts that allows users to assume a role and inherit permissions in other accounts. This is often used to allow third party access to your account to perform specific support roles or tasks like monitoring and maintenance. When the third party requires access to your account they can assume the IAM role and its temporary security credentials without needing to configure IAM users and share long-term credentials (for example, an IAM users access key) . Configuring cross account roles with external IDs and or MFA verification can help ensure that when using the role to access resources in your account they are acting under genuine circumstances and have been confused or socially engineered by a malicious actor to escalate permissions within or perform malicious actions on in your AWS account. Let say Example Corp requires access to certain resources in your AWS account. But in addition to you, Example Corp has other customers and needs a way to access each customers AWS resources. Instead of asking its customers for their AWS account access keys, which are secrets that should never be shared, Example Corp requests a role ARN from each customer. But another Example Corp customer might be able to guess or obtain your role ARN. That customer could then use your role ARN to gain access to your AWS resources by way of Example Corp. This form of permission escalation is known as the confused deputy problem. The external ID is a piece of data that can be passed to the AssumeRole API of the Security Token Service (STS). You can then use the external ID in the condition element in a roles trust policy, allowing the role to be assumed only when a certain value is present in the external ID.

Remediation

All Cross-Account roles which provide a level of privileged access should be configured with a unique and complex external ID as well as performing re authentication via MFA. More Information https://aws.amazon.com/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/ https://en.wikipedia.org/wiki/Confused_deputy_problem

Affected

['conditional_love', 'OrganizationAccountAccessRole', 's3-account-search', 'snotra']

Analysis

conditional_love

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::123456789123:root'}, 'Action': 'sts:AssumeRole', 'Condition': {}}

OrganizationAccountAccessRole

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::987654321987:root'}, 'Action': 'sts:AssumeRole'}

s3-account-search

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::123456789123:root'}, 'Action': 'sts:AssumeRole', 'Condition': {}}

Snotra_Cross_Account

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::243001516183:user/snotra'}, 'Action': 'sts:AssumeRole', 'Condition': {}}
Groups Granting Full Admin Access

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected Groups grant member user full admin "*" access to the account

Remediation

ensure only users that require admin access have it.

Affected

['IAM_Admins']

Analysis

IAM_Admins

['john.galt', '[email protected]']
Group Name does not Indicate Admin Access

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

An AWS principle was found that grants admin privileges within the AWS account. The name of this group does not clearly indicate the level of privilege provided. To make maintaining the account as easy as possible and to reduce the risk of administrative privileges being granted to AWS principles that do not require them by mistake it is recommended to implement a common naming convention for all custom groups, roles and policies which indicates the level of access being granted.

Remediation

Implement a simple naming convention for all custom groups, roles and policies which clearly indicates what permissions they grant and who they should apply to.

Affected

['123456789123']

Analysis

No Admin Groups Found.

Group With Inline Policies

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Ensure that all your IAM principals (Users, Groups, Roles) are using managed policies (AWS and customer managed policies) instead of inline policies (embedded policies) to better control and manage the access permissions to your AWS account. Defining access permissions for your IAM groups using managed policies can offer multiple benefits such as reusability, versioning and rollback, automatic updates, larger policy size and fine-grained control over your policies assignment. Although not directly a security issue having a large number of inline policies increases complexity and could result in users, groups and roles being given more permissions than required and potentially resulting in privilege escalation vectors.

Remediation

Review the affected groups and remove inline policies in favour of AWS and Customer Managed Policies. More Information https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html

Affected

['123456789123']

Analysis

No Issues Found.

Overly permissive Cross Account Assume Role Trust Policy

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 5.5

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Description

The affected AWS role held a trust policy which was overly permissive and trusted all IAM principals within another account to assume the role and access the privileges it held. The overly permissive role trust policy could be abused by malicious users to escalate privileges and access resources in other accounts within the AWS Organization. When creating IAM policies, administrators should follow the standard security advice of implementing least privilege assignments, by granting principals only the permissions required to perform their tasks. It is recommended that administrators determine what users (and roles) need to do and then starting with a default deny, policies should add the individual permissions that allow them to perform only those tasks. Additional privileges that may be required in future should be implemented through a request system.

Remediation

It is recommended that you review the role trust policy to determine which entities in external accounts should legitimately be allowed to assume the affected role. The role trust should then be updated to trust only those principals, which would prevent unauthorised individuals from access the highly-privilege policies attached the role. More Information https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Affected

['BashtonAdministrator', 'BashtonReadOnly', 'conditional_love', 'OrganizationAccountAccessRole', 's3-account-search']

Analysis

BashtonAdministrator

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::987654321987:root'}, 'Action': 'sts:AssumeRole', 'Condition': {'StringEquals': {'sts:ExternalId': 'c1eadd44-b7eb-4b83-b70e-d9a7c7150d1e'}, 'Bool': {'aws:MultiFactorAuthPresent': 'true'}}}

BashtonReadOnly

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::987654321987:root'}, 'Action': 'sts:AssumeRole', 'Condition': {'StringEquals': {'sts:ExternalId': 'c67241f2-11c8-4c9b-965e-5cf0d9f3cf0c'}}}

conditional_love

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::123456789123:root'}, 'Action': 'sts:AssumeRole', 'Condition': {}}

OrganizationAccountAccessRole

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::987654321987:root'}, 'Action': 'sts:AssumeRole'}

s3-account-search

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::123456789123:root'}, 'Action': 'sts:AssumeRole', 'Condition': {}}
Incorrect policy used to attempt to enforce MFA

Impact: HIGH

Probability: LOW

Status: PASS

CVSS: Score: 8.1

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

AWS had advised incorrect policies for enforcing MFA which allowed an attacker, if they compromised keys that were protected by this policy, to remove the MFA policy from themselves, or remove the existing MFA device and add their own.

Remediation

TBC

Affected

['123456789123']

Analysis

No Issues Found

AmazonEC2RoleforSSM Managed Policy In Use

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 7.1

CVSS: Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

The AWS managed policy AmazonEC2RoleforSSM is in use and is considered overly permissive. By default, this role grants access to all S3 buckets in the account. It is recommended that the role is adjusted by applying the principal of least privilege.

Remediation

It is recommended that the AmazonSSMManagedInstanceCore policy is used instead and privileges are added as needed. More Information: https://www.tripwire.com/state-of-security/security-data-protection/cloud/aws-system-manager-default-permissions/

Affected

['123456789123']

Analysis

No Issues Found

Overly permissive Cross Account Assume Role Trust Policy GitHub OIDC

Impact: HIGH

Probability: HIGH

Status: PASS

CVSS: Score: 8.1

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The affected role is configured to trust the GitHub OIDC Identity Provider but does not enorce any subject conditions, This means an external attacker with knowledge of the role ARN can create a GitHub action that can assume this role and access the affected account.

Remediation

Configure the role trust policy to include aditional subject conditons which only allows the role be assume by trusted gitHub repositores and branches. more information https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/

Affected

['123456789123']

Analysis

No failing roles found.

Insecure Cross-Service Trust

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 4.8

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Several service-roles contained trust policies which allowed AWS services to assume those roles without conditional context restrictions. Without any conditional restrictions, service-roles are vulnerable to the confused deputy problem which could allow other unauthorised services and users to indirectly access the role and the permissions assigned to it. Where service-roles contain privileged access, service impersonation could also enable attackers to escalate privileges and/or gain access to sensitive resources and data. Within AWS, a service-role is an IAM role that allows specific AWS services to interact with resources in an account without requiring access to credentials or access keys. By using cross-service impersonation, administrators can then grant access to the resources they need without having to grant access to users themselves. Using this method, when a service needs to access resources, it requires permission to perform the STS:AssumeRole action which generates temporary credentials that the service principal then uses to access resources permitted by the corresponding IAM policy. When no conditional context restrictions are implemented within the Assume Role policy, the service role can be vulnerable to an attack typically referred to as confused deputy. This attack can allow other services and principals to access resources in your account. As an example, If an administrator needed to allow a lambda function to create objects within an S3 bucket, an execution role must be created with a policy that holds the respective S3 permissions. For the Lambda function to assume the execution role, a role trust policy must be configured to trust the lambda service to temporarily assume the role and gain the privileges within the policy. Typically, a role trust policy for doing so would look like this: <*code*>{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }</*code*> However, one of the main weaknesses of AWS cross-service impersonation is that it can allow attackers to leverage AWS services to gain access to other resources, and accounts in order to escalate their privileges or exfiltrate data. For instance, with the above example policy, if an attacker with no access to S3 had permission to create lambda functions, they could create a function containing malicious code to assume the execution role and gain indirect access to S3 via Lambda. Additionally, because authentication policies may be shared across multiple AWS accounts, an attacker may be able to impersonate a service which already has access to multiple sensitive areas in the wider AWS environment.

Remediation

To prevent attackers from leveraging permissive service role trust to access unauthorised resources it is recommended that role trust policies for services contain conditional access statements. Using conditions and specifying the full ARN of the allowed resources would restrict access to only legitimate resources and reduce the potential for abuse. Specifying the full ARN, including region and resource name, could prevent attackers from creating similar resources in other regions to leverage in attacks. As an example, the following role trust policy could be used to restrict access to a Lambda execution role to only a specific lambda function within an AWS account: { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:lambda:us-east-2:111122223333:function:my-function” } } } } The above policy makes use of the aws:SourceArn global condition context key using the full ARN of an example lambda function. In this example, only the lambda function my-function within the us-east-2 region would have permission to assume the execution policy and access the privileges assigned to it. This would prevent malicious users from creating other lambda functions to gain access to additional privileges. Where appropriate other conditional contexts could also be used following the principal of least privilege to effectively limit the scope of trust policies and prevent unintended access opportunities. Common conditional restrictions for services include, SourceArn SourceAccount PrincipalOrgID Further Information AWS Confused Deputy - https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention

Affected

['Instance-Full-S3', 'StopEC2', 'aws-elasticbeanstalk-service-role', 'lambda_compression_pipe', 'lambda_create_campaign', 'lambda_delete_campaign', 'lambda_execute_campaign', 'lambda_spot_interrupt_catcher', 'lambda_spot_monitor', 'lambda_status_reporter', 'npk-apigateway_cloudwatch', 'npk_cloudwatch_spot_interrupt_20230412133943091200000006', 'npk_cloudwatch_spot_monitor_20230412133935803300000002', 'npk_cloudwatch_spot_monitor_20240119140406243900000009', 'npk_cloudwatch_spot_monitor_20240119162054654000000001', 'npk_ec2_compress', 'npk_fleet_role_20230412133946330000000008', 'npk_instance_role_20230412133938653400000004', 'snotra', 'snotra-role-1yn2s5qh', 'timeData-role-rsawuesr']

Analysis

Instance-Full-S3

{'Effect': 'Allow', 'Principal': {'Service': 'ec2.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

StopEC2

{'Effect': 'Allow', 'Principal': {'Service': 'ec2.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

aws-elasticbeanstalk-service-role

{'Effect': 'Allow', 'Principal': {'Service': 'elasticbeanstalk.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_compression_pipe

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_create_campaign

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_delete_campaign

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_execute_campaign

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_spot_interrupt_catcher

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_spot_monitor

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_status_reporter

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk-apigateway_cloudwatch

{'Effect': 'Allow', 'Principal': {'Service': 'apigateway.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_cloudwatch_spot_interrupt_20230412133943091200000006

{'Effect': 'Allow', 'Principal': {'Service': 'events.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_cloudwatch_spot_monitor_20230412133935803300000002

{'Effect': 'Allow', 'Principal': {'Service': 'events.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_cloudwatch_spot_monitor_20240119140406243900000009

{'Effect': 'Allow', 'Principal': {'Service': 'events.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_cloudwatch_spot_monitor_20240119162054654000000001

{'Effect': 'Allow', 'Principal': {'Service': 'events.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_ec2_compress

{'Effect': 'Allow', 'Principal': {'Service': 'ec2.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_fleet_role_20230412133946330000000008

{'Effect': 'Allow', 'Principal': {'Service': 'spotfleet.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_instance_role_20230412133938653400000004

{'Effect': 'Allow', 'Principal': {'Service': 'ec2.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

snotra

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

snotra-role-1yn2s5qh

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

timeData-role-rsawuesr

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

vpn_kill_switch-role-2o0tr3ml

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}
Users Granted Full Admin Access via Directly Attached Policy

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected Users have been granted full admin "*" access to the account via a permissions policy which directly attached to the user, IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended. Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.

Remediation

Ensure only users that require admin access have it and to help maintain acount hygiene and minimise the risk of users retaining permissons for longer than required, ensure users only recieve permissions via group membershop and do not have policies attached directly.

Affected

['john.galt']

Analysis

The affected users are granted admin access.

Ensure Access Keys are Protected with MFA

Impact: HIGH

Probability: MEDIUM

Status: PASS

CVSS: Score: 9.1

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

The account does not appear to enforce the use of MFA when authenticating with Access Keys. AWS Access Keys are often exposed to unauthorised parties in source code or via and other poor key management practices, once an attacker has obtained the plain text keys these can be used to access the AWS account without restriction. For greater defence in depth it is recommended to configure an IAM policy which enforces the use of MFA before any administrative actions can be performed.

Remediation

Create an IAM policy for all users which enforces the use of MFA to perform any administrative actions. More Information https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html

Affected

['123456789123']

Analysis

MFA Policy Found

Ensure access to AWSCloudShellFullAccess is restricted (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers. Access to this policy should be restricted as it presents a potential channel for data exfiltration by malicious cloud admins that are given full permissions to the service. AWS documentation describes how to create a more restrictive IAM policy which denies file transfer permissions.

Remediation

From Console 1. Open the IAM console at https://console.aws.amazon.com/iam/ 2. In the left pane, select Policies 3. Search for and select AWSCloudShellFullAccess 4. On the Entities attached tab, for each item, check the box and select Detach

Affected

['123456789123']

Analysis

AWSCloudShellFullAccess Policy is not attached to any entities

KMS


Ensure rotation for customer created CMKs is enabled (CIS)

Impact: LOW

Probability: LOW

Status: PASS

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled. Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.

Remediation

Enable key rotation on all customer created CMKs

Affected

['123456789123']

Analysis

Rotation is enabled on all CMKs.

Lambda


Ensure there are no Lambda functions with admin privileges within your AWS account (CIS)

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 8.1

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Ensure that your Amazon Lambda functions don't have administrative permissions potentially giving the function access to all AWS cloud services and resources. In order to promote the Principle of Least Privilege (POLP) and provide your functions the minimal amount of access required to perform their tasks the right IAM execution role associated with the function should be used. Instead of providing administrative permissions you should grant the role the necessary permissions that the function really needs.

Remediation

From the Console 1. Login in to the AWS Console using https://console.aws.amazon.com/lambda/ 2. In the left column, under AWS Lambda, click Functions. 3. Under Function name click on the name of the function that you want to remediate 4. Click the Configuration tab 5. Click on Permissions in the left column. 6. In the Execution role section, click the Edit 7. Edit basic settings configuration page: - associate the function with an existing, compliant IAM role - click Use an existing role from the Execution role - select the required role from the Existing role dropdown - click Save OR - apply a new execution role to your Lambda function - click Create a new role from AWS policy templates - Provide a name for the new role based on org policy - select only the necessary permission set(s) from the Policy templates - optional dropdown list. - click Save 8. Repeat steps for each Lambda function within the current region that failed the Audit.

Affected

['123456789123']

Analysis

No Admin Lambda Functions Found.

Lambda Function Environment Variables (Check for Secrets)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Remediation

Affected

['123456789123']

Analysis

No environment vars in use

Ensure Cloudwatch Lambda insights is enabled (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Ensure that Amazon CloudWatch Lambda Insights is enabled for your Amazon Lambda functions for enhanced monitoring. Amazon CloudWatch Lambda Insights allows you to monitor, troubleshoot, and optimize your Lambda functions. The service collects system-level metrics and summarizes diagnostic information to help you identify issues with your Lambda functions and resolve them as soon as possible. CloudWatch Lambda Insights collects system-level metrics and emits a single performance log event for every invocation of that Lambda function.

Remediation

From the Console: 1. Login to AWS Console using https://console.aws.amazon.com/lambda/ 2. Click Functions. 3. Click on the name of the function. 4. Click on the Configuration tab 5. Click on 'Monitoring and operations tools'. 6. In the Monitoring and operations tools section click Edit to update the monitoring configuration 7. In the CloudWatch Lambda Insights section click the Enhanced monitoring button to enable ***Note - When you enable the feature using the AWS Management Console, Amazon Lambda adds the required permissions to your function's execution role. 8. Click Save 9. Repeat steps 2-8 for each Lambda function within the current region that fails the Audit. 10. Then repeat the Audit process for all other regions.

Affected

['timeData']

Analysis

The affected Lambda functions do not have CloudWatch Lambda Insights enabled

Ensure every Lambda function has its own IAM Role (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Every Lambda function should have a one to one IAM execution role and the roles should not be shared between functions. The Principle of Least Privilege means that any Lambda function should have the minimal amount of access required to perform its tasks. In order to accomplish this Lambda functions should not share IAM Execution roles.

Remediation

From the Console 1. Login to the AWS console using https://console.aws.amazon.com/lambda/ 2. In the left column, under AWS Lambda, click Functions. 3. Under Function name click on the name of the function that you want to change/update. 4. Click the Configuration tab 5. Under General configuration on the left column, click Permissions. 6. Under the Execution role section, click Edit. 7. Scroll down to Execution role To use an existing IAM role

Affected

['123456789123']

Analysis

No issues found

Ensure Lambda functions are not exposed to everyone (CIS)

Impact: HIGH

Probability: HIGH

Status: PASS

CVSS: Score: 8.1

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

A publicly accessible Amazon Lambda function is open to the public and can be reviewed by anyone. To protect against unauthorized users that are sending requests to invoke these functions they need to be changed so they are not exposed to the public. Allowing anyone to invoke and run your Amazon Lambda functions can lead to data exposure, data loss, and unexpected charges on your AWS bill.

Remediation

From the Console 1. Login to the AWS Console using https://console.aws.amazon.com/lambda/. 2. In the left column, under AWS Lambda, click Functions. 3. Under Function name click on the name of the function that you want to review 4. Click the Configuration tab 5. In the left column, click Permissions. 6. In the Resource-based policy section, perform the following actions: • Under Policy statements • Select the policy statement that allows anonymous access • Click Delete to remove the non-compliant statement from the resource-based policy attached • Within the Delete statement confirmation box, click Remove • Click Add permissions to add a new policy statement that grants permissions to a trusted entity only. • On the Add permissions page configure the new policy statement to grant access to another AWS account, IAM user, IAM role, or to another AWS service. • Click Save 7. Repeat steps no. 2 – 6 for each Lambda function that fails the Audit above, within the current region. 8. Repeat this Audit for all the other AWS regions.

Affected

['123456789123']

Analysis

No issues found

Lambda Functions With Resource Based Policies Configured (Manual)

Impact: INFO

Probability: INFO

Status: INFO

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Lambda supports resource-based permissions policies for Lambda functions and layers. Resource-based policies let you grant usage permission to other AWS accounts or organizations on a per-resource basis. You also use a resource-based policy to allow an AWS service to invoke your function on your behalf.

Remediation

Ensure Resource Based Policies are configured following the principle of least privilege and only allow access from trusted AWS principals

Affected

['timeData']

Analysis

timeData

['{"Version":"2012-10-17","Id":"default","Statement":[{"Sid":"lambda-3b54b7cf-5eee-4926-9190-5a44ac12fe84","Effect":"Allow","Principal":{"Service":"apigateway.amazonaws.com"},"Action":"lambda:InvokeFunction","Resource":"arn:aws:lambda:eu-west-2:123456789123:function:timeData","Condition":{"ArnLike":{"AWS:SourceArn":"arn:aws:execute-api:eu-west-2:123456789123:jfhns8hruj/*/*/timeData"}}}]}']
Ensure that Code Signing is enabled for Lambda functions (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Ensure that all your Amazon Lambda functions are configured to use the Code Signing feature in order to restrict the deployment of unverified code. Code Signing, ensures that the function code is signed by an approved (trusted) source, and that it has not been altered since signing, and that the code signature has not expired or been revoked.

Remediation

Ensure all Lambda code is signed

Affected

['timeData']

Analysis

The affected Lambda functions do not have code signing enabled

Ensure Lambda functions do not allow unknown cross account access via permission policies (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Ensure that all your Amazon Lambda functions are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account access. Allowing unknown (unauthorized) AWS accounts to invoke your Amazon Lambda functions can lead to data exposure and data loss. To prevent any unauthorized invocation requests for your Lambda functions, restrict access only to trusted AWS accounts

Remediation

From the Console 1. Login to the AWS Console using https://console.aws.amazon.com/lambda/. 2. In the left column, under AWS Lambda, click Functions. 3. Under Function name click on the name of the function that you want to review 4. Click the Configuration tab 5. In the left column, click Permissions. 6. In the Resource-based policy statements section, select the policy statement that allows the unknown AWS Account cross-account access 7. Click Edit 8. On the Edit permissions page, replace or remove the AWS Account(s) ARN of the unauthorized principal in the Principal box 9. Click Save 10. Repeat steps for each Lambda function that failed the Audit

Affected

['123456789123']

Analysis

No issues found

Ensure that the latest runtime environment versions used for your Lambda functions

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Always using a recent version of the execution environment configured for your Amazon Lambda functions adheres to best practices for the newest software features, the latest security patches and bug fixes, and performance and reliability. When you execute your Lambda functions using recent versions of the implemented runtime environment, you should benefit from new features and enhancements, better security, along with performance and reliability.

Remediation

From the Console 1. Login to the AWS Console using https://console.aws.amazon.com/lambda/. 2. In the left column, under AWS Lambda, click Functions. 3. Under Function name click on the name of the function that you want to review 4. Click Code tab 5. Go to the Runtime settings section. 6. Click Edit 7. On the Edit runtime settings page, select the latest supported version of the runtime environment from the dropdown list. **Note - make sure the correct architecture is also selected. 8. Click Save 9. Select the Code tab 10. Click Test from the Code source section. 11. Once the testing is completed, the execution result of your Lambda function will be listed 12. Repeat steps for each Lambda function that failed the Audit within the current region.

Affected

['timeData']

Analysis

The affected Lambda functions are not using the latest supported runtime.

RDS


Ensure that encryption is enabled for RDS Instances (CIS)

Impact: LOW

Probability: LOW

Status: PASS

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.

Remediation

Ensure that encryption is enabled for all RDS Instances

Affected

['123456789123']

Analysis

All RDS instances have encryption enabled.

RDS Instances Do Not Have Deletion Protection Enabled (CIS)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

RDS instances were identified which do not have deletion protection enabled. To minimise the risk of data loss it recommended to enabled deletion protection on at least production databases. Amazon RDS enforces deletion protection when you use the console, the CLI, or the API to delete a DB instance. To delete a DB instance that has deletion protection enabled, first modify the instance and disable deletion protection. Enabling or disabling deletion protection doesn't cause an outage.

Remediation

Enable Deletion Protection on all affected RDS instances.

Affected

['123456789123']

Analysis

All RDS instances have deletion protection enabled.

Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances (CIS)

Impact: LOW

Probability: LOW

Status: PASS

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines. AWS RDS will occasionally deprecate minor engine versions and provide new ones for an upgrade. When the last version number within the release is replaced, the version changed is considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades will occur automatically during the specified maintenance window so your RDS instances can get the new features, bug fixes, and security patches for their database engines.

Remediation

Ensure that Auto Minor Version Upgrade feature is enabled for all RDS Instances

Affected

['123456789123']

Analysis

All RDS instances have Auto Minor Version Upgrade enabled.

Ensure that public access is not given to RDS Instance (CIS)

Impact: MEDIUM

Probability: MEDIUM

Status: PASS

CVSS: Score: 6.5

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance. Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.

Remediation

Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks

Affected

['123456789123']

Analysis

All RDS instances are private.

Resource Explorer


Resource Explorer Indexes Not Found

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS Resource explorer is not enabled. AWS Resource Explorer is a resource search and discovery service. With Resource Explorer, you can explore your resources, such as Amazon Elastic Compute Cloud instances, Amazon Kinesis streams, or Amazon DynamoDB tables, using an internet search engine-like experience. You can search for your resources using resource metadata like names, tags, and IDs. Resource Explorer works across AWS Regions in your account to simplify your cross-Region workloads. Not having Resource Explorer indexes can result in increased complexity and overhead in managing your resources, as well as increased risk of security and compliance issues.

Remediation

Enable Resource Explorer for all regions More Information https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-service-turn-on-region.html

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

The affected regions do not have any active resource explorer indexes

Route 53


Domain Does Not Have Domain Transfer Lock Set

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The AWS account under review contains Route53 domains that do not have Transfer Lock enabled. To avoid having a domain maliciously or erroneously transferred to a third-party, all domains should enable the transfer lock unless actively being transferred. The domain registries for all generic TLDs and many geographic TLDs let you lock a domain to prevent someone from transferring the domain to another registrar without your permission. To determine whether the registry for your domain lets you lock the domain, see Domains That You Can Register with Amazon Route 53.

Remediation

if locking is supported and you want to lock your domain, perform the following procedure. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/. In the navigation pane, choose Registered Domains. Choose the name of the domain that you want to update. Choose Enable (to lock the domain) or Disable (to unlock the domain)., Choose Save.

Affected

['123456789123']

Analysis

No failing domains found

Domain Does Not Have Auto Renew Enabled

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The AWS account under review contains Route53 domains that do not have Auto Renew enabled. To ensure you retain control of your domains and associated services including email is recommended that auto renew is enabled for all critical domains.

Remediation

Affected

['123456789123']

Analysis

No failing domains found

S3


Ensure all S3 buckets employ encryption-at-rest

Impact: LOW

Probability: LOW

Status: PASS

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest. Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Remediation

Ensure all S3 buckets employ encryption-at-rest. S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.

Affected

['123456789123']

Analysis

All buckets have server side encryption enabled.

Ensure S3 Bucket Policy is set to deny HTTP requests (CIS)

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS. By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.

Remediation

Enforce HTTPS requests for all buckets within your account

Affected

['bucket']

Analysis

The affected buckets do enforce HTTPS only.

Ensure MFA Delete is enable on S3 buckets (CIS)

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication. Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.

Remediation

Configure MFA delete on all S3 buckets within your account.

Affected

['bucket']

Analysis

The affected buckets do not have MFA Delete enabled.

Ensure all data in Amazon S3 has been discovered classified and secured when required (CIS)

Impact: INFO

Probability: INFO

Status: INFO

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets. Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information. Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.

Remediation

Enable AWS Macie

Affected

['123456789123']

Analysis

Manual Check

Ensure that S3 Buckets are configured with Block public access (bucket settings) (CIS)

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account. Amazon S3 Block public access (bucket settings) prevents the accidental or malicious public exposure of data contained within the respective bucket(s). Amazon S3 Block public access (account settings) prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.

Remediation

Ensure that S3 Buckets are configured with Block public access

Affected

['bucket']

Analysis

The affected buckets do not block public access.

S3 buckets without object versioning enabled

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The AWS account under review contains S3 buckets that do not have versioning enabled. By preserving a version history of objects in your S3 bucket, versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten. Once you enable Versioning for a bucket, Amazon S3 preserves existing objects anytime you perform a PUT, POST, COPY, or DELETE operation on them. By default, GET requests will retrieve the most recently written version. Older versions of an overwritten or deleted object can be retrieved by specifying a version in the request.

Remediation

Consider enabling versioning for at least buckets that contain important and sensitive information, this is enabled at the bucket level and can be done via the AWS web console. Note: an additional cost will be incurred for the extra storage space versioning will inevitably use. More Information: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html

Affected

['bucket']

Analysis

The affected buckets do not have Object Versioning enabled.

S3 Buckets Grant Public Access Via ACL

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The affected S3 buckets have an Access Control List (ACL) configured which grant public acces to objects. Either list or read access. Public S3 buckets can be accessed without authentication and increase teh risk of senstivie data being exposed to unauthorised network bearers.

Remediation

Review the affected buckets and confirm that public access to objects is required.

Affected

['123456789123']

Analysis

No buckets were found which grant public access via an ACL.

S3 Buckets Grant Public Access Via Policy

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The affected S3 buckets have a bucket policy configured which grants public acces to objects, possibly for S3 static website hosting. Public S3 buckets can be accessed without authentication and increase teh risk of senstivie data being exposed to unauthorised network bearers.

Remediation

Review the affected buckets and confirm that public access to objects is required. and update the bucket policy accordingly

Affected

['bucket']

Analysis

The affected buckets grant public access via a Bucket Policy. Review the buckets to ensure public access is intended.

S3 Buckets with Bucket Policy Attached

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected S3 buckets have a bucket policy configured

Remediation

Review the affected buckets to ensure the bucket policy follows the principle of least privilege.

Affected

['bucket']

Analysis

The affected buckets have a bucket policy attached.

Security Hub


Ensure AWS Security Hub is enabled (CIS)

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products. AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices - enabling you to quickly assess the security posture across your AWS accounts.

Remediation

Consider maintaining a Security Hub subscription to help identify security vulnerabilities within your account, ensure AWS config is enabled in all regions to allow Security hub to audit account configuration.

Affected

['123456789123']

Analysis

No active Security Hub subscriptions found

Security Hub Auto Enable Controls

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyse your security trends and identify the highest priority security issues.

Remediation

It is recomened to auto enable new Security Hub controls as they are added to compliance standards

Affected

['123456789123']

Analysis

No active Security Hub subscriptions found

SNS


SNS Topic Allows Actions To All AWS Principals

Impact: MEDIUM

Probability: LOW

Status: PASS

CVSS: Score: 6.5

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

The AWS account under review contains an AWS Simple Notification Service (SNS) which is configured to allow access from all principals AKA Everybody (*). When an SNS topic policy grants permission to Everyone by using a wildcard, i.e. *, as the Principal value, the topic security can be at risk as any unauthenticated entity can subscribe and receive messages from the topic publishers, update the topic, Publish messages to the topic and even delete topics resulting in potential loss of data availability, privacy and additional account costs.

Remediation

Ensure that your AWS Simple Notification Service (SNS) topics do not allow Everyone to subscribe. The entities that can subscribe to your SNS topics can be: Everyone (anonymous access), users whose endpoint URL, protocol, email address or ARN from a Subscribe request match a certain value, specific AWS users or resources and the topic owner. From this list of topic subscribers, you should make sure that the Everyone entity is not used with any SNS topics created within your AWS account in order to protect the messages published to your topics against attackers or unauthorized personnel.

Affected

['123456789123']

Analysis

No public SNS Topics found.

Unencrypted SNS Topics

Impact: LOW

Probability: LOW

Status: PASS

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The AWS account under review contains an AWS SNS Topic which is not configured to use server side data encryption. When you are using AWS SNS Topics to send and receive messages that contain sensitive data, it is highly recommended to implement encryption to add an additional layer of data confidentiality by making the contents of these messages unavailable to unauthorized users. The encryption and decryption is handled transparently by SQS SSE and does not require any additional action from you or your application

Remediation

Configure the affected SNS Topics to use server side encryption using the Amazon KMS service.

Affected

['123456789123']

Analysis

No unencrypted SNS Topics found.

Secrets Manager


SSM


SSM Parameter Store Parameters (Check For Secrets)

Impact: INFO

Probability: INFO

Status: PASS

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Remediation

Affected

['123456789123']

Analysis

No parameters found