Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region. AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.

Remediation

Enable Access Analyzer in all regions

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

Access Analyzer is not enabled in any region

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

The account under review contains SSL/TLS certificates that do not have Transparency app.logger enabled. Disabling Transparency Logging may result in browsers not trusting your certificate. As of April 30 2018, Google Chrome no longer trusts public SSL/TLS certificates that are not recorded in a certificate transparency log. Transparency Logging should be enabled as a best practice.

Remediation

Enable Certificate Transparancy Logging on all certificates.

Affected

['arn:aws:acm:eu-west-2:123456789123:certificate/62867c6c-82a8-4e7f-bb60-8c836c833f9f']

Analysis

The affected Certificates do not have transparancy app.logger enabled.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails. Enabling log file validation will provide additional integrity checking of CloudTrail logs.

Remediation

Enabled log file validation on all your trails

Affected

['management-events']

Analysis

The affected trails do not have log file validation enabled.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution. Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.

Remediation

Ensure CloudTrail trails are integrated with CloudWatch Logs

Affected

['management-events']

Analysis

The affected trails are not integrated with CloudWatch Logs.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.

Remediation

Ensure the CloudTrail S3 bucket has access logging is enabled

Affected

['management-events']

Analysis

The affected trails do not have S3 bucket access logging enabled.

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.

Remediation

Configure CloudTrail to use SSE-KMS for encryption at rest.

Affected

['management-events']

Analysis

The affected trails do not encrypt logs at rest.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.

Remediation

Enable S3 bucket Object-level logging for write events in CloudTrail

Affected

['123456789123']

Analysis

No trails were found with S3 Object-Level Logging enabled.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.

Remediation

Enable S3 bucket Object-level logging for read events in CloudTrail

Affected

['123456789123']

Analysis

No trails were found with S3 Object-Level Logging enabled.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

Remediation

Create a log metric filter and alarm for unauthorized API calls in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for unauthorized API calls could be found.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA). Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.

Remediation

Create a log metric filter and alarm for Management Console sign-in without MFA in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for Management Console sign-in without MFA could be found.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for 'root' login attempts. Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.

Remediation

Create a log metric filter and alarm for usage of root account in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for usage of 'root' account could be found.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies. Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.

Remediation

Create a log metric filter and alarm for IAM policy changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for IAM policy changes could be found.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.

Remediation

Create a log metric filter and alarm for CloudTrail configuration changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for CloudTrail configuration changes could be found

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.

Remediation

Create a log metric filter and alarm for AWS Management Console authentication failures in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for AWS Management Console authentication failures could be found.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys will no longer be accessible.

Remediation

Create a log metric filter and alarm for disabling or scheduled deletion of customer created CMKs in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for disabling or scheduled deletion of customer created CMKs could be found.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.

Remediation

Create a log metric filter and alarm for S3 bucket policy changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for S3 bucket policy changes could be found.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.

Remediation

Create a log metric filter and alarm for AWS Config configuration changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for AWS Config configuration changes.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups. Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.

Remediation

Create a log metric filter and alarm for security group changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for security group changes.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups. Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.

Remediation

Create a log metric filter and alarm for changes to Network Access Control Lists (NACL) in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for changes to Network Access Control Lists (NACL).

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups. Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.

Remediation

Create a log metric filter and alarm for changes to network gateways in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for changes to network gateways.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.

Remediation

Create a log metric filter and alarm for route table changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for route table changes.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.

Remediation

Create a log metric filter and alarm for route table changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for VPC changes.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account. Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.

Remediation

Create a log metric filter and alarm for route table changes in CloudWatch Logs

Affected

['123456789123']

Analysis

No log metric filter and alarm for AWS Organizations changes.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions. The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.

Remediation

It is recommended AWS Config be enabled in all regions.

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

AWS Config is not enabled in any region

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

With AWS Config, you can track configuration changes to the Lambda functions (including deleted functions), runtime environments, tags, handler name, code size, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations. This gives you a holistic view of the Lambda function’s lifecycle and enables you to surface that data for potential audit and compliance requirements.

Remediation

From the Console: 1. Login to AWS Console using https://console.aws.amazon.com 2. Click All services, click Config under Management & Governance. 3. This will open up the Config dashboard. 4. Click Conformance packs 5. Click on Deploy conformance pack 6. Click on Use sample template 7. Click the down arrow under Sample template 8. Scroll down and click on Operational Best Practices for Serverless 9. Click Next 10. Give it a Conformance pack name Serverless. 11. Click Next 12. Click Deploy conformance pack 13. Click on Deploy conformance pack 14. Click on Use sample template 15. Click the down arrow under Sample template 16. Scroll down and click on Security Best Practices for Lambda 17. Click Next 18. Give it a Conformance pack name LambaSecurity. 19. Click Next 20. Click Deploy conformance pack 21. Repeat steps 2-20 for all regions used.

Affected

['123456789123']

Analysis

No conformance packs in use

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 4.0

CVSS: Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

Deletion protection can keep your table from being accidentally deleted. This section describes some best practices for using deletion protection. For all active production tables, the best practice is to turn on the deletion protection setting and protect these tables from accidental deletion. This also applies to global replicas. When serving application development use cases, if the table management workflow includes frequently deleting and recreating development and staging tables then the deletion protection setting can be turned off. This will allow intentional deletion of such tables by authorized IAM principals.

Remediation

You can protect a table from accidental deletion with the deletion protection property. Enabling this property for tables helps ensure that tables do not get accidentally deleted during regular table management operations by your administrators. This will help prevent disruption to your normal business operations. More Information https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html#WorkingWithTables.Basics.DeletionProtection

Affected

['Campaigns (eu-west-2)', 'Settings (eu-west-2)', 'testdata (eu-west-2)', 'timeData (eu-west-2)']

Analysis

The Affected Dynamo DB Tables do not have Deletion Protection enabled

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Remediation

Delete any unysed Dynamo DB tables.

Affected

['timeData (eu-west-2)']

Analysis

The Affected Dynamo DB Tables have no items and should be remvoed if not in use.

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 4.0

CVSS: Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

Point-in-time recovery helps protect your DynamoDB tables from accidental write or delete operations. With point-in-time recovery, you don't have to worry about creating, maintaining, or scheduling on-demand backups. For example, suppose that a test script writes accidentally to a production DynamoDB table. With point-in-time recovery, you can restore that table to any point in time during the last 35 days. DynamoDB maintains incremental backups of your table.

Remediation

Consider enabled Point In Time Recovery for important Tables. More Informaiton https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery_Howitworks.html

Affected

['Campaigns (eu-west-2)', 'Settings (eu-west-2)', 'timeData (eu-west-2)']

Analysis

The Affected Dynamo DB Tables have no items and should be remvoed if not in use.

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported. Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Remediation

Ensure EBS default volume encryption is enabled in all regions

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

Default Encryption is not enabled in any region

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet Rejects for VPCs. VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.

Remediation

Enable VPC Flow Logs on all VPCs

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

VPC Flow logging is not enabled in any region

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.

Remediation

Apply the principle of least privilege and only allow RDP and SSH traffic from a whitelist of trusted IP addresses

Affected

['acl-009261248c2068dad(ap-south-1)', 'acl-00fd0c2abc745d599(ap-south-1)', 'acl-0fa7cf03586df4fbd(eu-north-1)', 'acl-0edd528d851029ee2(eu-north-1)', 'acl-09a7bb84d2d813d2d(eu-north-1)', 'acl-03ab0b83248df1db4(eu-west-3)', 'acl-0658341e62a6a3008(eu-west-3)', 'acl-03f88bd77b1e0c8eb(eu-west-2)', 'acl-039ae4ef70bdfbb4c(eu-west-2)', 'acl-69e1dd10(eu-west-1)', 'acl-0f323d82c53f1c55b(eu-west-1)', 'acl-0076f692d6f02b233(ap-northeast-3)', 'acl-0a0d00b5348439c9d(ap-northeast-3)', 'acl-02322020865cb5ddf(ap-northeast-2)', 'acl-0f8290aa730284aa2(ap-northeast-2)', 'acl-04f27c2c2044622ad(ap-northeast-1)', 'acl-0a4d409aa68832e54(ap-northeast-1)', 'acl-013159bc9af1810e7(ca-central-1)', 'acl-0106179f82200f732(ca-central-1)', 'acl-06e952edc85182cb0(sa-east-1)', 'acl-0d8ff5a2d3de992bb(sa-east-1)', 'acl-013ee4263d55da66e(ap-southeast-1)', 'acl-0421bbc8cc1c75463(ap-southeast-1)', 'acl-07e1a2e94c46be744(ap-southeast-2)', 'acl-0356c746944726c78(ap-southeast-2)', 'acl-0c0709414ffeb80b2(eu-central-1)', 'acl-0e42587a316eac77b(us-east-1)', 'acl-010aad66b557b746f(us-east-1)', 'acl-0ab22d463207e7e64(us-east-2)', 'acl-c190cdaa(us-east-2)', 'acl-0bd54c6fa95af227e(us-west-1)', 'acl-0a81c996659043a0f(us-west-1)', 'acl-0c8ce55a7b81c9f5c(us-west-2)', 'acl-0ff543073cd09b8a6(us-west-2)']

Analysis

the affected Network ACLs allow admin ingress traffic from 0.0.0.0/0.

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups. Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.

Remediation

Configure default security groups in all VPCs to be default deny and restrict all traffic

Affected

['sg-0a314816aa895132b(ap-south-1)', 'sg-0af38847cb19cb563(ap-south-1)', 'sg-081482b88ebb7988e(eu-north-1)', 'sg-08b1777543fa4637b(eu-north-1)', 'sg-03a069f290ea50715(eu-north-1)', 'sg-0439395f5e411b756(eu-west-3)', 'sg-023b2be245242e7b3(eu-west-3)', 'sg-058b0a66dc798b698(eu-west-2)', 'sg-05ff04e4e29ddaeaf(eu-west-2)', 'sg-0c7775e31da6d7fa4(eu-west-1)', 'sg-4426f36d(eu-west-1)', 'sg-00274a6cc0eefb35d(ap-northeast-3)', 'sg-05080cb113855f12f(ap-northeast-3)', 'sg-0870e37a58908be1f(ap-northeast-2)', 'sg-0fd644190b02c4f69(ap-northeast-2)', 'sg-0f3e361c425b87e43(ap-northeast-1)', 'sg-0ab180b5ba4a6b6b7(ap-northeast-1)', 'sg-0c63ee71b7f31d854(ca-central-1)', 'sg-05abad2dcff4b48ca(ca-central-1)', 'sg-099a28c4e0d6e32eb(sa-east-1)', 'sg-0c164af0da7d4714e(sa-east-1)', 'sg-03213efa34d340d1c(ap-southeast-1)', 'sg-0760e9733c202522b(ap-southeast-1)', 'sg-0a2e50217af254790(ap-southeast-2)', 'sg-0c80e5e6c50445153(ap-southeast-2)', 'sg-0eadba3b286877302(eu-central-1)', 'sg-0637e217be731a014(us-east-1)', 'sg-0f03c4cef60faae65(us-east-1)', 'sg-1368005f(us-east-2)', 'sg-0d92b948131edc5aa(us-east-2)', 'sg-0fdff4d2881f8f232(us-west-1)', 'sg-039c25f686a5da83d(us-west-1)', 'sg-06dafc607ac6af8f1(us-west-2)', 'sg-09f1d0dc8f70f3d74(us-west-2)']

Analysis

The affected default security groups have inbound rules configured.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected security groups have not been applied to any instances and therefore not in use. To maintain the hygiene of the environment, make maintenance and auditing easier and reduce the risk of security groups erroneously being used and inadvertently granting more access than required, all old unused security groups should be removed.

Remediation

Ensure all security groups that are temporary and not being used are deleted when no longer required.

Affected

['sg-0d5cd845019f9ae74(ap-south-1)', 'sg-04de967a6ef313d71(eu-north-1)', 'sg-04f06b71a2a87a5d6(eu-north-1)', 'sg-0a07ed63d2b9c0495(eu-north-1)', 'sg-0ff1440d5afff01b8(eu-north-1)', 'sg-0c829af8101892d40(eu-west-3)', 'sg-03e816df63093b265(eu-west-2)', 'sg-0e888c944f859af1c(eu-west-2)', 'sg-071678c9b60e6f706(eu-west-2)', 'sg-093a6be443e114daa(eu-west-2)', 'sg-0ca4f3b2d087bf5ed(eu-west-2)', 'sg-0b65e6cdde143cb54(eu-west-2)', 'sg-033d7c8214374d8f1(eu-west-2)', 'sg-001917fa35b9f2f43(eu-west-2)', 'sg-09a36d3672abf2a6d(eu-west-2)', 'sg-0eef0c895a9c79bb5(eu-west-2)', 'sg-07d72de4bf1ffe86a(eu-west-2)', 'sg-094b3687fc4081c0d(eu-west-2)', 'sg-04f5bdb7e88066202(eu-west-2)', 'sg-0810126de1550c2c1(eu-west-2)', 'sg-0fc65db2957e0cf22(eu-west-2)', 'sg-045c745509861283c(eu-west-2)', 'sg-056fa4cad847376c8(eu-west-2)', 'sg-068996079947df8b9(eu-west-2)', 'sg-0be246f3ded8f622d(eu-west-2)', 'sg-06c629b3fb677e3cb(eu-west-2)', 'sg-053b7de777367801d(eu-west-1)', 'sg-04f9fe0852ef9d5e1(eu-west-1)', 'sg-0d4614b2322e49863(eu-west-1)', 'sg-02378e479910ac2dd(eu-west-1)', 'sg-094e289964a5deef8(eu-west-1)', 'sg-0337a2cffd2be0f74(ap-northeast-3)', 'sg-0048294aba4c3710f(ap-northeast-2)', 'sg-05c4f35c00ea1f0dc(ap-northeast-1)', 'sg-0dae91ee2dc09c002(ca-central-1)', 'sg-0a41cda207237d040(sa-east-1)', 'sg-081d891221ff00a34(ap-southeast-1)', 'sg-01cfab9854bfdc1b7(ap-southeast-2)', 'sg-0d3ddc4a57a4bae5c(us-east-1)', 'sg-0808450a16c5dddc5(us-east-1)', 'sg-0fcf4f56839bbdb8b(us-east-1)', 'sg-0fc1d7aee53296e5e(us-east-2)', 'sg-0c35ffc160add986f(us-west-1)', 'sg-0643fb8141dd8aca1(us-west-2)']

Analysis

The affected security groups are not attached to any resources and therefore are not being used

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Although not a security risk, Amazon Web Services enforce a small hourly charge if an Elastic IP (EIP) address within your account is not associated with a running EC2 instance or an Elastic Network Interface (ENI). To ensure account hygiene and saves costs on your month bill it is recommended to release any elastic IPs that are no longer required.

Remediation

To release an Elastic IP address using the console: 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. 2. In the navigation pane, choose Elastic IPs. 3. Select the Elastic IP address, choose Actions, and then select Release addresses. Choose Release when prompted. More information: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

Affected

['1.2.3.4(eu-west-2)']

Analysis

the affected elastic IPs are not associated with any network interfaces and are therefore not being used

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to database ports, such as MySQL to port 3306, PostgreSQL to port 5432 and MSSQL to port 1433. Public access to databse ports increases resource attack surface and unnecessarily raises the risk of resource compromise.

Remediation

Apply the principle of least privilege and only allow database traffic from a whitelist of trusted IP addresses

Affected

['acl-009261248c2068dad(ap-south-1)', 'acl-00fd0c2abc745d599(ap-south-1)', 'acl-0fa7cf03586df4fbd(eu-north-1)', 'acl-0edd528d851029ee2(eu-north-1)', 'acl-09a7bb84d2d813d2d(eu-north-1)', 'acl-03ab0b83248df1db4(eu-west-3)', 'acl-0658341e62a6a3008(eu-west-3)', 'acl-03f88bd77b1e0c8eb(eu-west-2)', 'acl-039ae4ef70bdfbb4c(eu-west-2)', 'acl-69e1dd10(eu-west-1)', 'acl-0f323d82c53f1c55b(eu-west-1)', 'acl-0076f692d6f02b233(ap-northeast-3)', 'acl-0a0d00b5348439c9d(ap-northeast-3)', 'acl-02322020865cb5ddf(ap-northeast-2)', 'acl-0f8290aa730284aa2(ap-northeast-2)', 'acl-04f27c2c2044622ad(ap-northeast-1)', 'acl-0a4d409aa68832e54(ap-northeast-1)', 'acl-013159bc9af1810e7(ca-central-1)', 'acl-0106179f82200f732(ca-central-1)', 'acl-06e952edc85182cb0(sa-east-1)', 'acl-0d8ff5a2d3de992bb(sa-east-1)', 'acl-013ee4263d55da66e(ap-southeast-1)', 'acl-0421bbc8cc1c75463(ap-southeast-1)', 'acl-07e1a2e94c46be744(ap-southeast-2)', 'acl-0356c746944726c78(ap-southeast-2)', 'acl-0c0709414ffeb80b2(eu-central-1)', 'acl-0e42587a316eac77b(us-east-1)', 'acl-010aad66b557b746f(us-east-1)', 'acl-0ab22d463207e7e64(us-east-2)', 'acl-c190cdaa(us-east-2)', 'acl-0bd54c6fa95af227e(us-west-1)', 'acl-0a81c996659043a0f(us-west-1)', 'acl-0c8ce55a7b81c9f5c(us-west-2)', 'acl-0ff543073cd09b8a6(us-west-2)']

Analysis

The affected Network ACLs allow database ingress traffic from 0.0.0.0/0.

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Network Access Control Lists (NACLs) are stateless firewalls that allow you to control traffic flow in and out of your VPCs at the subnet layer. By default, NACLs are configured to allow all inbound and outbound traffic. NACLs provide a first line of defence against malicious network traffic and can provide defence in depth when used alongside strict security groups. Configuring NACLs can minimise the risk of a misconfigured security group or weak default security group exposing sensitive or vulnerable services to the internet and can provide a separation of responsibilities between developers and architecture teams. All Network Access Control Lists within the tested account are currently configured to allow all inbound and outbound traffic on all ports.

Remediation

Configure all NACLs applying the principle of least privilege and only allows the traffic required for the application or service to function. NOTE: Because NACLs are stateless return traffic on ephemeral unprivileged ports will need to be accounted for. More Information http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

Affected

['acl-009261248c2068dad(ap-south-1)', 'acl-00fd0c2abc745d599(ap-south-1)', 'acl-0fa7cf03586df4fbd(eu-north-1)', 'acl-0edd528d851029ee2(eu-north-1)', 'acl-09a7bb84d2d813d2d(eu-north-1)', 'acl-03ab0b83248df1db4(eu-west-3)', 'acl-0658341e62a6a3008(eu-west-3)', 'acl-03f88bd77b1e0c8eb(eu-west-2)', 'acl-039ae4ef70bdfbb4c(eu-west-2)', 'acl-69e1dd10(eu-west-1)', 'acl-0f323d82c53f1c55b(eu-west-1)', 'acl-0076f692d6f02b233(ap-northeast-3)', 'acl-0a0d00b5348439c9d(ap-northeast-3)', 'acl-02322020865cb5ddf(ap-northeast-2)', 'acl-0f8290aa730284aa2(ap-northeast-2)', 'acl-04f27c2c2044622ad(ap-northeast-1)', 'acl-0a4d409aa68832e54(ap-northeast-1)', 'acl-013159bc9af1810e7(ca-central-1)', 'acl-0106179f82200f732(ca-central-1)', 'acl-06e952edc85182cb0(sa-east-1)', 'acl-0d8ff5a2d3de992bb(sa-east-1)', 'acl-013ee4263d55da66e(ap-southeast-1)', 'acl-0421bbc8cc1c75463(ap-southeast-1)', 'acl-07e1a2e94c46be744(ap-southeast-2)', 'acl-0356c746944726c78(ap-southeast-2)', 'acl-0c0709414ffeb80b2(eu-central-1)', 'acl-0e42587a316eac77b(us-east-1)', 'acl-010aad66b557b746f(us-east-1)', 'acl-0ab22d463207e7e64(us-east-2)', 'acl-c190cdaa(us-east-2)', 'acl-0bd54c6fa95af227e(us-west-1)', 'acl-0a81c996659043a0f(us-west-1)', 'acl-0c8ce55a7b81c9f5c(us-west-2)', 'acl-0ff543073cd09b8a6(us-west-2)']

Analysis

The affected default Network ACLs allow all traffic.

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

To ensure the privacy of any data stored and processed by your EC2 instances it is recommended to enable encryption on EBS volumes. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted: - Data at rest inside the volume - All data moving between the volume and the instance - All snapshots created from the volume - All volumes created from those snapshots

Remediation

There is no direct way to encrypt an existing unencrypted volume, or to remove encryption from an encrypted volume. However, you can migrate data between encrypted and unencrypted volumes. You can also apply a new encryption status while copying a snapshot: More information https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

Affected

['snap-12345612345612345(eu-west-2)', 'snap-12345612345612345(eu-west-2)', 'snap-12345612345612345(eu-west-2)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-central-1)', 'snap-12345612345612345(us-east-1)', 'snap-12345612345612345(us-east-1)', 'snap-12345612345612345(us-east-1)']

Analysis

The affected Snapshots are not encrypted.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

With an active EBS backup strategy that takes volume snapshots daily or weekly, your data can grow rapidly and add unexpected charges to your bill. Since AWS EBS volumes snapshots are incremental, deleting previous (older) snapshots do not affect the ability to restore the volume data from later snapshots which allows you keep just the necessary backup data and lower your AWS monthly costs.

Remediation

Delete snapshots that are older than 30 days and consider implementing snapshot lifecycle management in AWS DLM

Affected

['snap-12345612345612345(eu-west-2)', 'snap-12345612345612345(eu-west-2)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(eu-west-1)', 'snap-12345612345612345(us-east-1)', 'snap-12345612345612345(us-east-1)', 'snap-12345612345612345(us-east-1)']

Analysis

The affected snapshots are older than 30 days.

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 4.9

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description

VPC endpoint policies within the AWS accounts were configured with permissive default policies which could be exploited by a malicious user to exfiltrate data from the AWS environment. VPC endpoint policies are an AWS networking feature which provide private connections between resources within a VPC to supported AWS services using the backbone network and private APIs of each service. This configuration ensures that resources within a VPC do not require an Internet connection or VPN to communicate with other AWS services, directly supporting the implementation of secure isolated networks which do not require the use of potentially insecure public infrastructure. As an example, using a VPC endpoint, a service on an EC2 instance can make a request to the private API endpoint of an S3 bucket to download required objects, if a VPC endpoint has not been created for the S3 service, traffic will instead require a route via an internet gateway or similar device to the public, internet facing S3 API endpoint. Several VPC endpoint service types include the ability to configure endpoint policies to restrict the communications of resources with the associated AWS services. If no endpoint policy is defined when the endpoint is created, AWS will automatically attach a default policy which provides full, unrestricted access to the associated service. However as the default policy provides full access to the service, a malicious actor with access to the VPC could leverage the configuration to extract data from the AWS environment to write data to an attacker controlled service. For example, an S3 VPC endpoint with the default full access policy would provide full access to the private S3 APIs which could be used to extract sensitive information to an S3 bucket within an attacker controlled AWS account. This could be achieved several ways but a common method would be If a malicious user had access to an EC2 instance within the VPC, they could upload AWS access keys with write permission to an S3 bucket within their own account and use these permissions to exfiltrate data to their S3 bucket via the endpoint. Similar methods could be achieved via other endpoints and services, such as by exfiltrating secrets from AWS Secrets Manager to an attacker controlled resource.

Remediation

It is recommended that VPC endpoints are created for each supported service within each VPC to limit the requirement for internet connectivity. However a custom policy should be created in line with the principal of least privilege for all supported VPC endpoints in use within the AWS environment. These policies should ensure that network connections to AWS services is only accessible to those resources within the internal AWS environment. Care should be taken to restrict resources by name or ARN and minimise the use of wildcards which may provide unintended access to services. Additionally there are several types of VPC endpoints available including Interface endpoints which are a type of network interface providing access to the PrivateLink network for access to services. These Interface endpoints also support the use of security groups to restrict traffic, however it is recommended that these security groups are used in tandem with VPC endpoint policies as a defence-in-depth approach to implementing fine grained access controls. Other VPC endpoint types such as Gateway endpoints which act as route tables do not support the use of security groups and as such a restrictive endpoint policy should be implemented to restrict traffic to external resources. An example policy for the S3 service is provided below: { "Statement": [ { "Action": "S3:*", "Effect": "Allow", "Resource": [ "*:*:*:*:xxxxxxxxxxxx:*", "*:*:*:*:yyyyyyyyyyyy:*" ], "Principal": "*", "Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-zzzzzzzzzz" } } } ]\,} This example policy ensures that resources in the isolated network can only use the VPC endpoint for S3 if they try to interact with S3 buckets controlled by specific accounts (xxxxxxxxxxxx and yyyyyyyyyyyy) and only if the principal is from your Org (o-zzzzzzzzzz) so an attacker wouldn't be able to use their own access keys.

Affected

['vpce-12345678912345612(ap-south-1)', 'vpce-12345678912345612(eu-north-1)', 'vpce-12345678912345612(eu-west-3)', 'vpce-12345678912345612(eu-west-1)', 'vpce-12345678912345612(ap-northeast-3)', 'vpce-12345678912345612(ap-northeast-2)', 'vpce-12345678912345612(ap-northeast-1)', 'vpce-12345678912345612(ca-central-1)', 'vpce-12345678912345612(sa-east-1)', 'vpce-12345678912345612(ap-southeast-1)', 'vpce-12345678912345612(ap-southeast-2)', 'vpce-12345678912345612(us-east-1)', 'vpce-12345678912345612(us-east-2)', 'vpce-12345678912345612(us-west-1)', 'vpce-12345678912345612(us-west-2)']

Analysis

vpce-12345678912345612

{'Effect': 'Allow', 'Principal': '*', 'Action': '*', 'Resource': '*'}

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected Security Groups contain rules which do not have a corresponding description. Setting a description on all rules improves readbility, helps ensure maintainability of the account and will help minimise mistakes when configuring or updating rules.

Remediation

Ensure all rules have a suitable description.

Affected

['sg-0fc65db2957e0cf22(eu-west-2)', 'sg-04f9fe0852ef9d5e1(eu-west-1)', 'sg-08b1777543fa4637b(eu-north-1)', 'sg-05ff04e4e29ddaeaf(eu-west-2)', 'sg-0439395f5e411b756(eu-west-3)', 'sg-0810126de1550c2c1(eu-west-2)', 'sg-001917fa35b9f2f43(eu-west-2)', 'sg-0808450a16c5dddc5(us-east-1)', 'sg-0fdff4d2881f8f232(us-west-1)', 'sg-0be246f3ded8f622d(eu-west-2)', 'sg-0eadba3b286877302(eu-central-1)', 'sg-0637e217be731a014(us-east-1)', 'sg-0c7775e31da6d7fa4(eu-west-1)', 'sg-093a6be443e114daa(eu-west-2)', 'sg-07d72de4bf1ffe86a(eu-west-2)', 'sg-081482b88ebb7988e(eu-north-1)', 'sg-05abad2dcff4b48ca(ca-central-1)', 'sg-0c63ee71b7f31d854(ca-central-1)', 'sg-0e888c944f859af1c(eu-west-2)', 'sg-0ca4f3b2d087bf5ed(eu-west-2)', 'sg-045c745509861283c(eu-west-2)', 'sg-071678c9b60e6f706(eu-west-2)', 'sg-0ab180b5ba4a6b6b7(ap-northeast-1)', 'sg-0eef0c895a9c79bb5(eu-west-2)', 'sg-0d3ddc4a57a4bae5c(us-east-1)', 'sg-0d92b948131edc5aa(us-east-2)', 'sg-068996079947df8b9(eu-west-2)', 'sg-053b7de777367801d(eu-west-1)', 'sg-0f3e361c425b87e43(ap-northeast-1)', 'sg-039c25f686a5da83d(us-west-1)']

Analysis

The affected security groups contains rules without a description

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Amazon Machine Images should utilize EBS Encrypted snapshots AMIs backed by EBS snapshots should use EBS encryption. Snapshot volumes can be encrypted and attached to an AMI.

Remediation

Perform the following to encrypt AMI EBS Snapshots: From the Console: 1. Login to the EC2 console at https://console.aws.amazon.com/ec2/. 2. In the left pane click on AMIs. 3. Select the AMI that does not comply to the encryption policy. 4. Click on Actions. 5. Click on Copy AMI.

Affected

['snotra_AMI_Kali', 'snotra_AMI_Kali', 'snotra_AMI_Kali']

Analysis

snotra_AMI_Kali

['snap-12345612345612345']

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

GuardDuty is an AWS threat detection service that detects compromised access keys, EC2 instances, and more, allowing you to identify malicious activity and unauthorised behaviour within your account.

Remediation

Enable GuardDuty in all AWS regions

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

AWS GuardDuty is not enabled in any region

Impact: HIGH

Probability: MEDIUM

Status: FAIL

CVSS: Score: 9.1

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device. Note: When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. non-personal virtual MFA - This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company. Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.

Remediation

Enable MFA for the root user account. Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.

Affected

['123456789123']

Analysis

Root MFA Not Enabled

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA. A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides. Note: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.

Remediation

Ensure hardware MFA is enabled for the root user account

Affected

['123456789123']

Analysis

Root MFA Not Enabled

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. Preventing password reuse increases account resiliency against brute force login attempts.

Remediation

Ensure IAM password policy prevents password reuse

Affected

['123456789123']

Analysis

Password Reuse Prevention = 5

Impact: HIGH

Probability: MEDIUM

Status: FAIL

CVSS: Score: 9.1

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password. Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.

Remediation

Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

Affected

['[email protected]', 'hank.rearden']

Analysis

The affected users do not have MFA enabled.

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed. Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Remediation

Ensure credentials unused for 45 days or greater are disabled

Affected

['[email protected]', 'john.galt']

Analysis

The affected users have credentials (password or keys) not used in the last 45 days.

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK) Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.

Remediation

Ensure there is only one active access key available for any single IAM user

Affected

['[email protected]']

Analysis

The affected users have more than one access key.

Impact: MEDIUM

Probability: MEDIUM

Status: FAIL

CVSS: Score: 5.6

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.

Remediation

Ensure access keys are rotated every 90 days or less

Affected

['john.galt']

Analysis

The affected users have access keys that have not been rotated in the last 90 days.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended. Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.

Remediation

Ensure IAM Users Receive Permissions Only Through Groups

Affected

['john.galt']

Analysis

The affected users have managed or inline policies directly attached.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.

Remediation

Ensure a support role has been created

Affected

['123456789123']

Analysis

AWSSupportAccess Policy is not attached to any entities

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 5.5

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Description

The affected AWS account has a number of Cross-Account assume role policies which lack an external ID. Policies which lack an external ID are vulnerable to what is known as the Confused Deputy Problem. An assume role policy allow a trust relationship to be set up between two accounts that allows users to assume a role and inherit permissions in other accounts. This is often used to allow third party access to your account to perform specific support roles or tasks like monitoring and maintenance. When the third party requires access to your account they can assume the IAM role and its temporary security credentials without needing to configure IAM users and share long-term credentials (for example, an IAM users access key) . Configuring cross account roles with external IDs and or MFA verification can help ensure that when using the role to access resources in your account they are acting under genuine circumstances and have been confused or socially engineered by a malicious actor to escalate permissions within or perform malicious actions on in your AWS account. Let say Example Corp requires access to certain resources in your AWS account. But in addition to you, Example Corp has other customers and needs a way to access each customers AWS resources. Instead of asking its customers for their AWS account access keys, which are secrets that should never be shared, Example Corp requests a role ARN from each customer. But another Example Corp customer might be able to guess or obtain your role ARN. That customer could then use your role ARN to gain access to your AWS resources by way of Example Corp. This form of permission escalation is known as the confused deputy problem. The external ID is a piece of data that can be passed to the AssumeRole API of the Security Token Service (STS). You can then use the external ID in the condition element in a roles trust policy, allowing the role to be assumed only when a certain value is present in the external ID.

Remediation

All Cross-Account roles which provide a level of privileged access should be configured with a unique and complex external ID as well as performing re authentication via MFA. More Information https://aws.amazon.com/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/ https://en.wikipedia.org/wiki/Confused_deputy_problem

Affected

['conditional_love', 'OrganizationAccountAccessRole', 's3-account-search', 'snotra']

Analysis

conditional_love

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::123456789123:root'}, 'Action': 'sts:AssumeRole', 'Condition': {}}

OrganizationAccountAccessRole

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::987654321987:root'}, 'Action': 'sts:AssumeRole'}

s3-account-search

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::123456789123:root'}, 'Action': 'sts:AssumeRole', 'Condition': {}}

Snotra_Cross_Account

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::243001516183:user/snotra'}, 'Action': 'sts:AssumeRole', 'Condition': {}}

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected Groups grant member user full admin "*" access to the account

Remediation

ensure only users that require admin access have it.

Affected

['IAM_Admins']

Analysis

IAM_Admins

['john.galt', '[email protected]']

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 5.5

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Description

The affected AWS role held a trust policy which was overly permissive and trusted all IAM principals within another account to assume the role and access the privileges it held. The overly permissive role trust policy could be abused by malicious users to escalate privileges and access resources in other accounts within the AWS Organization. When creating IAM policies, administrators should follow the standard security advice of implementing least privilege assignments, by granting principals only the permissions required to perform their tasks. It is recommended that administrators determine what users (and roles) need to do and then starting with a default deny, policies should add the individual permissions that allow them to perform only those tasks. Additional privileges that may be required in future should be implemented through a request system.

Remediation

It is recommended that you review the role trust policy to determine which entities in external accounts should legitimately be allowed to assume the affected role. The role trust should then be updated to trust only those principals, which would prevent unauthorised individuals from access the highly-privilege policies attached the role. More Information https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Affected

['BashtonAdministrator', 'BashtonReadOnly', 'conditional_love', 'OrganizationAccountAccessRole', 's3-account-search']

Analysis

BashtonAdministrator

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::987654321987:root'}, 'Action': 'sts:AssumeRole', 'Condition': {'StringEquals': {'sts:ExternalId': 'c1eadd44-b7eb-4b83-b70e-d9a7c7150d1e'}, 'Bool': {'aws:MultiFactorAuthPresent': 'true'}}}

BashtonReadOnly

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::987654321987:root'}, 'Action': 'sts:AssumeRole', 'Condition': {'StringEquals': {'sts:ExternalId': 'c67241f2-11c8-4c9b-965e-5cf0d9f3cf0c'}}}

conditional_love

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::123456789123:root'}, 'Action': 'sts:AssumeRole', 'Condition': {}}

OrganizationAccountAccessRole

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::987654321987:root'}, 'Action': 'sts:AssumeRole'}

s3-account-search

{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::123456789123:root'}, 'Action': 'sts:AssumeRole', 'Condition': {}}

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 4.8

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Several service-roles contained trust policies which allowed AWS services to assume those roles without conditional context restrictions. Without any conditional restrictions, service-roles are vulnerable to the confused deputy problem which could allow other unauthorised services and users to indirectly access the role and the permissions assigned to it. Where service-roles contain privileged access, service impersonation could also enable attackers to escalate privileges and/or gain access to sensitive resources and data. Within AWS, a service-role is an IAM role that allows specific AWS services to interact with resources in an account without requiring access to credentials or access keys. By using cross-service impersonation, administrators can then grant access to the resources they need without having to grant access to users themselves. Using this method, when a service needs to access resources, it requires permission to perform the STS:AssumeRole action which generates temporary credentials that the service principal then uses to access resources permitted by the corresponding IAM policy. When no conditional context restrictions are implemented within the Assume Role policy, the service role can be vulnerable to an attack typically referred to as confused deputy. This attack can allow other services and principals to access resources in your account. As an example, If an administrator needed to allow a lambda function to create objects within an S3 bucket, an execution role must be created with a policy that holds the respective S3 permissions. For the Lambda function to assume the execution role, a role trust policy must be configured to trust the lambda service to temporarily assume the role and gain the privileges within the policy. Typically, a role trust policy for doing so would look like this: <*code*>{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }</*code*> However, one of the main weaknesses of AWS cross-service impersonation is that it can allow attackers to leverage AWS services to gain access to other resources, and accounts in order to escalate their privileges or exfiltrate data. For instance, with the above example policy, if an attacker with no access to S3 had permission to create lambda functions, they could create a function containing malicious code to assume the execution role and gain indirect access to S3 via Lambda. Additionally, because authentication policies may be shared across multiple AWS accounts, an attacker may be able to impersonate a service which already has access to multiple sensitive areas in the wider AWS environment.

Remediation

To prevent attackers from leveraging permissive service role trust to access unauthorised resources it is recommended that role trust policies for services contain conditional access statements. Using conditions and specifying the full ARN of the allowed resources would restrict access to only legitimate resources and reduce the potential for abuse. Specifying the full ARN, including region and resource name, could prevent attackers from creating similar resources in other regions to leverage in attacks. As an example, the following role trust policy could be used to restrict access to a Lambda execution role to only a specific lambda function within an AWS account: { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:lambda:us-east-2:111122223333:function:my-function” } } } } The above policy makes use of the aws:SourceArn global condition context key using the full ARN of an example lambda function. In this example, only the lambda function my-function within the us-east-2 region would have permission to assume the execution policy and access the privileges assigned to it. This would prevent malicious users from creating other lambda functions to gain access to additional privileges. Where appropriate other conditional contexts could also be used following the principal of least privilege to effectively limit the scope of trust policies and prevent unintended access opportunities. Common conditional restrictions for services include, SourceArn SourceAccount PrincipalOrgID Further Information AWS Confused Deputy - https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention

Affected

['Instance-Full-S3', 'StopEC2', 'aws-elasticbeanstalk-service-role', 'lambda_compression_pipe', 'lambda_create_campaign', 'lambda_delete_campaign', 'lambda_execute_campaign', 'lambda_spot_interrupt_catcher', 'lambda_spot_monitor', 'lambda_status_reporter', 'npk-apigateway_cloudwatch', 'npk_cloudwatch_spot_interrupt_20230412133943091200000006', 'npk_cloudwatch_spot_monitor_20230412133935803300000002', 'npk_cloudwatch_spot_monitor_20240119140406243900000009', 'npk_cloudwatch_spot_monitor_20240119162054654000000001', 'npk_ec2_compress', 'npk_fleet_role_20230412133946330000000008', 'npk_instance_role_20230412133938653400000004', 'snotra', 'snotra-role-1yn2s5qh', 'timeData-role-rsawuesr']

Analysis

Instance-Full-S3

{'Effect': 'Allow', 'Principal': {'Service': 'ec2.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

StopEC2

{'Effect': 'Allow', 'Principal': {'Service': 'ec2.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

aws-elasticbeanstalk-service-role

{'Effect': 'Allow', 'Principal': {'Service': 'elasticbeanstalk.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_compression_pipe

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_create_campaign

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_delete_campaign

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_execute_campaign

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_spot_interrupt_catcher

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_spot_monitor

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

lambda_status_reporter

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk-apigateway_cloudwatch

{'Effect': 'Allow', 'Principal': {'Service': 'apigateway.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_cloudwatch_spot_interrupt_20230412133943091200000006

{'Effect': 'Allow', 'Principal': {'Service': 'events.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_cloudwatch_spot_monitor_20230412133935803300000002

{'Effect': 'Allow', 'Principal': {'Service': 'events.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_cloudwatch_spot_monitor_20240119140406243900000009

{'Effect': 'Allow', 'Principal': {'Service': 'events.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_cloudwatch_spot_monitor_20240119162054654000000001

{'Effect': 'Allow', 'Principal': {'Service': 'events.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_ec2_compress

{'Effect': 'Allow', 'Principal': {'Service': 'ec2.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_fleet_role_20230412133946330000000008

{'Effect': 'Allow', 'Principal': {'Service': 'spotfleet.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

npk_instance_role_20230412133938653400000004

{'Effect': 'Allow', 'Principal': {'Service': 'ec2.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

snotra

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

snotra-role-1yn2s5qh

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

timeData-role-rsawuesr

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

vpn_kill_switch-role-2o0tr3ml

{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected Users have been granted full admin "*" access to the account via a permissions policy which directly attached to the user, IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended. Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.

Remediation

Ensure only users that require admin access have it and to help maintain acount hygiene and minimise the risk of users retaining permissons for longer than required, ensure users only recieve permissions via group membershop and do not have policies attached directly.

Affected

['john.galt']

Analysis

The affected users are granted admin access.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Ensure that Amazon CloudWatch Lambda Insights is enabled for your Amazon Lambda functions for enhanced monitoring. Amazon CloudWatch Lambda Insights allows you to monitor, troubleshoot, and optimize your Lambda functions. The service collects system-level metrics and summarizes diagnostic information to help you identify issues with your Lambda functions and resolve them as soon as possible. CloudWatch Lambda Insights collects system-level metrics and emits a single performance log event for every invocation of that Lambda function.

Remediation

From the Console: 1. Login to AWS Console using https://console.aws.amazon.com/lambda/ 2. Click Functions. 3. Click on the name of the function. 4. Click on the Configuration tab 5. Click on 'Monitoring and operations tools'. 6. In the Monitoring and operations tools section click Edit to update the monitoring configuration 7. In the CloudWatch Lambda Insights section click the Enhanced monitoring button to enable ***Note - When you enable the feature using the AWS Management Console, Amazon Lambda adds the required permissions to your function's execution role. 8. Click Save 9. Repeat steps 2-8 for each Lambda function within the current region that fails the Audit. 10. Then repeat the Audit process for all other regions.

Affected

['timeData']

Analysis

The affected Lambda functions do not have CloudWatch Lambda Insights enabled

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Ensure that all your Amazon Lambda functions are configured to use the Code Signing feature in order to restrict the deployment of unverified code. Code Signing, ensures that the function code is signed by an approved (trusted) source, and that it has not been altered since signing, and that the code signature has not expired or been revoked.

Remediation

Ensure all Lambda code is signed

Affected

['timeData']

Analysis

The affected Lambda functions do not have code signing enabled

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Always using a recent version of the execution environment configured for your Amazon Lambda functions adheres to best practices for the newest software features, the latest security patches and bug fixes, and performance and reliability. When you execute your Lambda functions using recent versions of the implemented runtime environment, you should benefit from new features and enhancements, better security, along with performance and reliability.

Remediation

From the Console 1. Login to the AWS Console using https://console.aws.amazon.com/lambda/. 2. In the left column, under AWS Lambda, click Functions. 3. Under Function name click on the name of the function that you want to review 4. Click Code tab 5. Go to the Runtime settings section. 6. Click Edit 7. On the Edit runtime settings page, select the latest supported version of the runtime environment from the dropdown list. **Note - make sure the correct architecture is also selected. 8. Click Save 9. Select the Code tab 10. Click Test from the Code source section. 11. Once the testing is completed, the execution result of your Lambda function will be listed 12. Repeat steps for each Lambda function that failed the Audit within the current region.

Affected

['timeData']

Analysis

The affected Lambda functions are not using the latest supported runtime.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS Resource explorer is not enabled. AWS Resource Explorer is a resource search and discovery service. With Resource Explorer, you can explore your resources, such as Amazon Elastic Compute Cloud instances, Amazon Kinesis streams, or Amazon DynamoDB tables, using an internet search engine-like experience. You can search for your resources using resource metadata like names, tags, and IDs. Resource Explorer works across AWS Regions in your account to simplify your cross-Region workloads. Not having Resource Explorer indexes can result in increased complexity and overhead in managing your resources, as well as increased risk of security and compliance issues.

Remediation

Enable Resource Explorer for all regions More Information https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-service-turn-on-region.html

Affected

['ap-south-1', 'eu-north-1', 'eu-west-3', 'eu-west-2', 'eu-west-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-northeast-1', 'ca-central-1', 'sa-east-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']

Analysis

The affected regions do not have any active resource explorer indexes

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS. By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.

Remediation

Enforce HTTPS requests for all buckets within your account

Affected

['bucket']

Analysis

The affected buckets do enforce HTTPS only.

Impact: LOW

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication. Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.

Remediation

Configure MFA delete on all S3 buckets within your account.

Affected

['bucket']

Analysis

The affected buckets do not have MFA Delete enabled.

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 3.7

CVSS: Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account. Amazon S3 Block public access (bucket settings) prevents the accidental or malicious public exposure of data contained within the respective bucket(s). Amazon S3 Block public access (account settings) prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.

Remediation

Ensure that S3 Buckets are configured with Block public access

Affected

['bucket']

Analysis

The affected buckets do not block public access.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The AWS account under review contains S3 buckets that do not have versioning enabled. By preserving a version history of objects in your S3 bucket, versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten. Once you enable Versioning for a bucket, Amazon S3 preserves existing objects anytime you perform a PUT, POST, COPY, or DELETE operation on them. By default, GET requests will retrieve the most recently written version. Older versions of an overwritten or deleted object can be retrieved by specifying a version in the request.

Remediation

Consider enabling versioning for at least buckets that contain important and sensitive information, this is enabled at the bucket level and can be done via the AWS web console. Note: an additional cost will be incurred for the extra storage space versioning will inevitably use. More Information: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html

Affected

['bucket']

Analysis

The affected buckets do not have Object Versioning enabled.

Impact: MEDIUM

Probability: LOW

Status: FAIL

CVSS: Score: 5.3

CVSS: Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The affected S3 buckets have a bucket policy configured which grants public acces to objects, possibly for S3 static website hosting. Public S3 buckets can be accessed without authentication and increase teh risk of senstivie data being exposed to unauthorised network bearers.

Remediation

Review the affected buckets and confirm that public access to objects is required. and update the bucket policy accordingly

Affected

['bucket']

Analysis

The affected buckets grant public access via a Bucket Policy. Review the buckets to ensure public access is intended.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

The affected S3 buckets have a bucket policy configured

Remediation

Review the affected buckets to ensure the bucket policy follows the principle of least privilege.

Affected

['bucket']

Analysis

The affected buckets have a bucket policy attached.

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products. AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices - enabling you to quickly assess the security posture across your AWS accounts.

Remediation

Consider maintaining a Security Hub subscription to help identify security vulnerabilities within your account, ensure AWS config is enabled in all regions to allow Security hub to audit account configuration.

Affected

['123456789123']

Analysis

No active Security Hub subscriptions found

Impact: INFO

Probability: INFO

Status: FAIL

CVSS: Score: N/A

CVSS: Vector: N/A

Description

AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyse your security trends and identify the highest priority security issues.

Remediation

It is recomened to auto enable new Security Hub controls as they are added to compliance standards

Affected

['123456789123']

Analysis

No active Security Hub subscriptions found