
Amazon Web Services Best Practice Rules

Kumolus covers the following rules

Amazon Elastic Block Store (EBS)
1.EBS Volumes Attached To Stopped EC2 Instances
Description:Identify Amazon EBS volumes attached to stopped EC2 instances (i.e. unused EBS volumes).
AWS Key Management Service (KMS)
1.Unused Customer Master Key
Description:Identify and remove any disabled Customer Master Keys (CMKs); disabled keys are still billed, so deleting them reduces AWS costs.
Amazon Relational Database Service (RDS)
1.RDS General Purpose SSD
Description:Ensure RDS instances are using General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize the RDS service costs.
2.Underutilised RDS Instance
Description:Identify underutilised RDS instances and downsize them in order to optimise your AWS costs.
Amazon EC2 Key Pairs
1.Unused AWS EC2 Key Pairs
Description:Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices.
Amazon Virtual Private Cloud (VPC)
1.Unrestricted Network ACL Inbound Traffic
Description:Ensure no Amazon Network ACL allows inbound/ingress traffic on all ports from any source.
2.Unrestricted Network ACL Outbound Traffic
Description:Ensure no Amazon Network ACL allows outbound/egress traffic on all ports to any destination.
AWS Organizations
1.AWS Organizations In Use
Description:Ensure Amazon Organizations is in use to consolidate all your AWS accounts into an organization.
2.AWS Organizations Enable All Features
Description:Ensure AWS Organizations All Features is enabled for fine-grained control over which services and actions the member accounts of an organization can access.
Amazon Machine Image (AMI)
1.Publicly Shared AMI
Description:Ensure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts.
2.EC2 AMI Too Old
Description:Check for any AMIs older than 180 days available within your AWS account.
3.AWS AMI Encryption
Description:Ensure that your existing AMIs are encrypted to meet security and compliance requirements.
Amazon Elastic Compute Cloud (EC2)
1.EC2 Instance Too Old
Description:Check for running AWS EC2 instances older than 180 days available within your AWS account.
2.Security Group Name Prefixed With ‘launch-wizard’
Description:Ensure EC2 security groups prefixed with ‘launch-wizard’ (created automatically by the console launch wizard) are not in use, in order to follow AWS security best practices.
3.EC2 Instance Using IAM Roles
Description:Use instance profiles/IAM roles to grant permissions to applications running on Amazon EC2 instances, rather than embedding long-term access keys on the instance.
Amazon Elastic Block Store (EBS)
1.EBS Encrypted
Description:Ensure that existing Elastic Block Store (EBS) attached volumes are encrypted to meet security and compliance requirements.
2.Amazon EBS Public Snapshots
Description:Ensure that your EBS volume snapshots are not public.
3.EBS Snapshot Encrypted
Description:Ensure that the AWS EBS volume snapshots that hold sensitive and critical data are encrypted to fulfill compliance requirements for data-at-rest encryption.
AWS Key Management Service (KMS)
1.KMS Customer Master Key Pending Deletion
Description:Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.
2.Key Rotation Enabled
Description:Ensure automatic key rotation is enabled for your KMS Customer Master Keys.
3.KMS Key Exposed
Description:Ensure KMS master keys are not exposed to everyone (no key policy statement grants access to all AWS principals).
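The following is an added example, not Kumolus code, showing how the KMS rules above (Unused Customer Master Key, CMK Pending Deletion, Key Rotation Enabled, KMS Key Exposed) can be evaluated offline from the data the KMS API returns. The key metadata, rotation flag and key policies below are constructed for the example; the account ID and key IDs are placeholders.

```python
"""Offline checks for the KMS rules above.

Added example, not Kumolus code. `meta` has the shape of describe_key()["KeyMetadata"],
`rotation_enabled` is get_key_rotation_status()["KeyRotationEnabled"] and `policy_json`
is the string from get_key_policy()["Policy"]. All sample data below is constructed.
"""
import json


def _anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_exposed(policy_json):
    """True if an Allow statement grants every AWS principal access with no Condition.

    A "*" principal guarded by a Condition (e.g. kms:CallerAccount or kms:ViaService,
    as AWS-managed key policies use) is not treated as exposure.
    """
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return any(s.get("Effect") == "Allow" and _anyone(s.get("Principal"))
               and not s.get("Condition") for s in stmts)


def kms_findings(meta, rotation_enabled, policy_json):
    """Rule names (as listed above) that one customer master key violates."""
    f = []
    if meta.get("KeyManager") != "CUSTOMER":
        return f   # AWS-managed keys: rotation and policy are controlled by AWS
    state = meta.get("KeyState")
    if state == "PendingDeletion":
        f.append("KMS Customer Master Key Pending Deletion")
    if state == "Disabled":
        f.append("Unused Customer Master Key")
    # Automatic rotation only exists for symmetric keys whose material KMS generated.
    rotatable = (meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT"
                 and meta.get("Origin", "AWS_KMS") == "AWS_KMS")
    if state == "Enabled" and rotatable and not rotation_enabled:
        f.append("Key Rotation Enabled")
    if policy_exposed(policy_json):
        f.append("KMS Key Exposed")
    return f


ACCOUNT_ROOT = "arn:aws:iam::123456789012:root"   # constructed account id
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ACCOUNT_ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Service use from this account only", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "*", "Condition": {"StringEquals": {"kms:CallerAccount": "123456789012"}}}]})
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ACCOUNT_ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Anyone may decrypt", "Effect": "Allow", "Principal": "*",
     "Action": "kms:Decrypt", "Resource": "*"}]})

SAMPLE_KEYS = [   # constructed (meta, rotation_enabled, policy) triples
    ({"KeyId": "1111-aaaa", "KeyState": "Enabled", "KeyManager": "CUSTOMER",
      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"}, False, OPEN_POLICY),
    ({"KeyId": "2222-bbbb", "KeyState": "PendingDeletion", "KeyManager": "CUSTOMER",
      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"}, True, SAFE_POLICY),
    ({"KeyId": "3333-cccc", "KeyState": "Enabled", "KeyManager": "AWS",
      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"}, True, SAFE_POLICY),
]

if __name__ == "__main__":
    for meta, rot, pol in SAMPLE_KEYS:
        print(meta["KeyId"], kms_findings(meta, rot, pol))
```

The exposure check deliberately ignores a wildcard principal that carries a Condition: AWS-managed key policies grant `"AWS": "*"` scoped by `kms:CallerAccount` and `kms:ViaService`, and flagging those would bury the real finding, an unconditioned `"Principal": "*"`.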
Amazon Elastic Load Balancing (ELB)
1.ELB Listener Security
Description:Ensure that your AWS ELB listeners are using a secure protocol (HTTPS or SSL).
2.ELB Security Group
Description:Ensure there are valid security groups associated with your Elastic Load Balancer.
3.Internet Facing ELBs (Not Scored)
Description:Ensure Amazon internet-facing ELBs are regularly reviewed for security purposes (informational).
4.ELB Instances Distribution Across AZs
Description:Ensure even distribution of backend instances registered to an ELB across Availability Zones.
AWS IAM Certificate
1.Expired SSL/TLS Certificate
Description:Ensure expired SSL/TLS certificates are removed from AWS IAM.
2.SSL/TLS Certificate Expiry 30 Days
Description:Ensure SSL/TLS certificates are renewed before their expiration.
3.SSL/TLS Certificate Expiry 45 Days
Description:Ensure SSL/TLS certificates are renewed before their expiration.
4.SSL/TLS Certificate Expiry 7 Days
Description:Ensure SSL/TLS certificates are renewed before their expiration.
5.Pre-Heartbleed Server Certificates
Description:Ensure that your server certificates are not vulnerable to Heartbleed security bug.
Amazon Relational Database Service (RDS)
1.RDS Encryption Enabled
Description:Ensure AWS RDS instances are encrypted to meet security and compliance requirements.
2.RDS Auto Minor Version Upgrade
Description:Ensure AWS RDS instances have the Auto Minor Version Upgrade feature enabled.
4.Unrestricted DB Security Group
Description:Ensure there aren’t any unrestricted DB security groups assigned to your RDS instances.
5.Amazon RDS Public Snapshots
Description:Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts.
6.RDS Master Username
Description:Ensure AWS RDS instances are using secure and unique master usernames for their databases.
Amazon Security Group (SG)
1.Default Security Groups In Use
Description:Ensure default EC2 security groups are not in use in order to follow AWS security best practices.
2.Default Security Group with rules
Description:Ensure default EC2 security groups do not have rules in order to follow AWS security best practices.
3.Security Group All Ports Open to All
Description:Security group rules that open ports to the public (0.0.0.0/0) increase the risk of a data breach. Allow only the required ports, and only from the relevant IP ranges or security groups.
4._ARG_0_ port _ARG_2_ open to all
Description:Rules with source of 0.0.0.0/0 allow all IP addresses to access your instance. We recommend setting security group rules to allow access from known IP addresses only.
5._ARG_0_ port _PORT_ open to all
Description:Non-HTTP _ARG_0_ port _PORT_ is open to all addresses, which increases the risk of a data breach. Allow only the required ports, and only from the relevant IP ranges or security groups.
8.Unrestricted network traffic within security group
Description:Ensure security groups do not allow unrestricted traffic between all members of the group; update the rules to allow access from known IP addresses or specific security groups only.
9.Security Group All Ports Open to All
Description:All ports are open to all addresses, which increases the risk of a data breach. Open only the required ports, and only to the relevant IP ranges or security groups.
10.Security Group Port Range
Description:Ensure there are no EC2 security groups in your AWS account that open range of ports to allow incoming traffic.
11.Security Group not in use
Description:Identify security groups that are not associated with any resource and remove them.
12.Security Group Rules Counts
Description:Ensure your EC2 security groups do not have an excessive number of rules defined.
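The following is an added example, not Kumolus code, that evaluates the security group rules in this section and the two Network ACL rules under Amazon Virtual Private Cloud (VPC) above, offline, against data in the shape the EC2 API returns. The security groups and Network ACL are constructed for the example; the rule-count threshold (MAX_RULES) is an assumption, since the page does not state one.

```python
"""Offline checks for the security-group and Network ACL rules above.

Added example, not Kumolus code. Inputs use the shape of boto3's
ec2.describe_security_groups() / describe_network_acls() responses; the sample
data at the bottom is constructed for the example and no AWS call is made.
"""

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
WEB_PORTS = {80, 443}   # ports the page treats as the expected public ones
MAX_RULES = 50          # assumed threshold for "Security Group Rules Counts"


def _open_to_world(perm):
    """True if an IpPermission entry admits traffic from any IPv4 or IPv6 address."""
    return (any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])))


def _port_span(perm):
    """(from, to) covered by a rule; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def sg_findings(sg, in_use=True):
    """Rule names (as listed above) that one security group violates."""
    f = set()
    name, gid = sg.get("GroupName", ""), sg["GroupId"]
    ingress = sg.get("IpPermissions", [])
    if name == "default" and in_use:
        f.add("Default Security Groups In Use")
    if name == "default" and ingress:
        f.add("Default Security Group with rules")
    if name.startswith("launch-wizard") and in_use:
        f.add("Security Group Name Prefixed With 'launch-wizard'")
    if not in_use:
        f.add("Security Group not in use")
    if len(ingress) + len(sg.get("IpPermissionsEgress", [])) > MAX_RULES:
        f.add("Security Group Rules Counts")
    for perm in ingress:
        lo, hi = _port_span(perm)
        all_ports = (lo, hi) == (0, 65535)
        if hi > lo and not all_ports:
            f.add("Security Group Port Range")
        # self-referencing all-protocol rule: every member can reach every other member
        if perm.get("IpProtocol") == "-1" and any(
                p.get("GroupId") == gid for p in perm.get("UserIdGroupPairs", [])):
            f.add("Unrestricted network traffic within security group")
        if not _open_to_world(perm):
            continue
        port = str(lo) if lo == hi else f"{lo}-{hi}"
        if all_ports:
            f.add("Security Group All Ports Open to All")
        elif lo == hi and lo in WEB_PORTS:
            f.add(f"{perm['IpProtocol']} port {port} open to all")
        else:
            f.add(f"Non HTTP {perm['IpProtocol']} port {port} open to all")
    return sorted(f)


def nacl_findings(acl):
    """Flag allow entries that admit all ports from/to any address."""
    f = set()
    for e in acl.get("Entries", []):
        if e.get("RuleAction") != "allow":
            continue   # the implicit deny-all rule 32767 and explicit denies are fine
        any_addr = e.get("CidrBlock") == ANY_V4 or e.get("Ipv6CidrBlock") == ANY_V6
        all_ports = e.get("Protocol") == "-1" or e.get("PortRange") == {"From": 0, "To": 65535}
        if any_addr and all_ports:
            f.add("Unrestricted Network ACL Outbound Traffic" if e.get("Egress")
                  else "Unrestricted Network ACL Inbound Traffic")
    return sorted(f)


SAMPLE_SGS = [   # constructed; shape of describe_security_groups()["SecurityGroups"]
    {"GroupId": "sg-0a1", "GroupName": "launch-wizard-3",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b2", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0b2"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0c3", "GroupName": "default", "IpPermissions": [], "IpPermissionsEgress": []},
]
SAMPLE_NACL = {   # constructed; shape of describe_network_acls()["NetworkAcls"][0]
    "NetworkAclId": "acl-0d4", "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    ]}

if __name__ == "__main__":
    for sg in SAMPLE_SGS:
        print(sg["GroupId"], sg_findings(sg, in_use=sg["GroupName"] != "default"))
    print(SAMPLE_NACL["NetworkAclId"], nacl_findings(SAMPLE_NACL))
```

Whether a group is in use is not visible on the group itself; the caller derives `in_use` from describe_network_interfaces (any ENI whose Groups list contains the group). Note that an all-protocol rule (`IpProtocol` "-1") carries no FromPort/ToPort, which is why the port span is derived before any range check.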
Amazon Simple Storage Service (S3)
1.S3 Bucket Logging Enabled
Description:Ensure AWS S3 buckets have server access logging enabled to track access requests.
4._ARG_2_
Description:We recommend not to enable _ARG_2_
AWS Identity and Access Management (IAM)
1.Root Account Access Keys Present
Description:Ensure that your AWS account (root) is not using access keys as a security best practice.
2.Root Account Active Signing Certificates
Description:Ensure that your AWS root account user is not using X.509 certificates to validate API requests.
3.Root Account Usage
Description:Ensure root account credentials have not been used recently to access your AWS account.
4.Root MFA Enabled
Description:Ensure Multi-Factor Authentication (MFA) is enabled for the AWS root account.
5.IAM User Password Expiry 7 Days
Description:Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (7 days).
6.IAM User Password Expiry 30 Days
Description:Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 days).
7.IAM User Password Expiry 45 Days
Description:Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 days).
8.Credentials Last Used – Access Key
Description:Ensure that unused AWS IAM access keys are decommissioned to follow security best practices.
9.Credentials Last Used – Password
Description:Ensure that unused AWS IAM passwords are decommissioned to follow security best practices.
10.Unused IAM User
Description:Ensure unused IAM users are removed from the AWS account to follow security best practices.
11.Access Keys Rotated 30 Days
Description:Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (30 days).
12.Access Keys Rotated 45 Days
Description:Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (45 days).
13.Access Keys Rotated 90 Days
Description:Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (90 days).
14.Hardware MFA for AWS Root Account
Description:Ensure hardware MFA is enabled for your Amazon Web Services root account.
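Almost every IAM rule in this section can be evaluated from a single IAM credential report. The following is an added example, not Kumolus code, that does so; the report is constructed, the clock is fixed, and the thresholds the page does not state (how long "unused" is, what "recently" means for root usage) are assumptions named in the code. Hardware MFA for root is not visible in the report and is not checked.

```python
"""Evaluate an IAM credential report against the IAM rules listed above.

Added example, not Kumolus code. The input is the CSV returned by
iam.get_credential_report()["Content"]; the report below is constructed. Day
thresholds the page does not state (UNUSED_DAYS, RECENT_ROOT_DAYS) are assumed.
Hardware MFA for root is not in the report and is not checked here.
"""
import csv
import io
from datetime import datetime, timezone

ROOT = "<root_account>"
UNUSED_DAYS = 90        # assumed: "Credentials Last Used" idle threshold
RECENT_ROOT_DAYS = 30   # assumed: window for "Root Account Usage"


def _ts(value):
    """Parse a report timestamp; N/A / no_information / not_supported give None."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _days_since(value, now):
    t = _ts(value)
    return None if t is None else (now - t).days


def _days_until(value, now):
    t = _ts(value)
    return None if t is None else (t - now).days


def user_findings(row, now):
    """Rule names (as listed above) that one credential-report row violates."""
    f = []
    keys = [(row[f"access_key_{n}_last_rotated"], row[f"access_key_{n}_last_used_date"])
            for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]
    if row["user"] == ROOT:
        if keys:
            f.append("Root Account Access Keys Present")
        if "true" in (row["cert_1_active"], row["cert_2_active"]):
            f.append("Root Account Active Signing Certificates")
        used = [d for d in [_days_since(row["password_last_used"], now)]
                + [_days_since(u, now) for _, u in keys] if d is not None]
        if used and min(used) <= RECENT_ROOT_DAYS:
            f.append("Root Account Usage")
        if row["mfa_active"] != "true":
            f.append("Root MFA Enabled")
        return f
    pw_on = row["password_enabled"] == "true"
    if pw_on:
        left = _days_until(row["password_next_rotation"], now)
        for limit in (45, 30, 7):             # three separate rules on the page
            if left is not None and left <= limit:
                f.append(f"IAM User Password Expiry {limit} Days")
        idle = _days_since(row["password_last_used"], now)
        if idle is None:                      # never used: count from when it was set
            idle = _days_since(row["password_last_changed"], now)
        if idle is None or idle > UNUSED_DAYS:
            f.append("Credentials Last Used – Password")
    for rotated, last_used in keys:
        age = _days_since(rotated, now)
        for limit in (30, 45, 90):
            if age is not None and age > limit:
                f.append(f"Access Keys Rotated {limit} Days")
        idle = _days_since(last_used, now)
        if idle is None:                      # never used: count from creation/rotation
            idle = age
        if idle is None or idle > UNUSED_DAYS:
            f.append("Credentials Last Used – Access Key")
    if not pw_on and not keys:                # assumed definition of an unused user
        f.append("Unused IAM User")
    return list(dict.fromkeys(f))             # drop duplicates from a second key


def report_findings(report_csv, now):
    """Map user name -> findings for every row that has at least one."""
    rows = csv.DictReader(io.StringIO(report_csv))
    result = {r["user"]: user_findings(r, now) for r in rows}
    return {u: fs for u, fs in result.items() if fs}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the example
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2024-05-20T08:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T00:00:00+00:00,true,2024-05-30T09:00:00+00:00,2024-03-22T00:00:00+00:00,2024-06-20T00:00:00+00:00,true,true,2024-01-01T00:00:00+00:00,2024-05-31T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2023-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

if __name__ == "__main__":
    for user, findings in report_findings(SAMPLE_REPORT, NOW).items():
        print(user, findings)
```

The report is generated asynchronously (generate_credential_report, then get_credential_report once it reports COMPLETE) and is at most four hours old, so a key rotated minutes ago can still show its previous rotation date; treat "never used" credentials by their creation date, as above, rather than as instantly idle.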
AWS CloudTrail
1.CloudTrail Enabled
Description:Ensure AWS CloudTrail trails are enabled for all AWS regions.
2.AWS CloudTrail Configuration Changes
Description:Detect CloudTrail configuration changes made within your Amazon Web Services account.
3.CloudTrail Global Services Enabled
Description:Ensure AWS CloudTrail trails track API calls for global services such as IAM, STS and CloudFront.
4.CloudTrail Global Services Logging Duplicated
Description:Ensure AWS CloudTrail trails are not duplicating global services events in their log files.
5.CloudTrail Integrated With CloudWatch
Description:Ensure CloudTrail event monitoring with CloudWatch is enabled.
6.CloudTrail Log File Validation
Description:Ensure log file integrity validation is enabled for AWS CloudTrail trails, so that modified or deleted log files can be detected.
7.Enable Object Lock For CloudTrail S3 Buckets
Description:Ensure that AWS CloudTrail S3 buckets use Object Lock for data protection and regulatory compliance.
8.CloudTrail S3 Bucket Logging Enabled
Description:Ensure AWS CloudTrail buckets have server access logging enabled.
9.CloudTrail S3 Bucket
Description:Ensure that each AWS CloudTrail trail uses the designated Amazon S3 bucket.
10.CloudTrail Management Events
Description:Ensure management events are included into AWS CloudTrail trails configuration.
11.CloudTrail Logs Encrypted
Description:Ensure your AWS CloudTrail logs are encrypted using AWS KMS-managed keys (SSE-KMS).
12.CloudTrail Delivery Failing
Description:Ensure Amazon CloudTrail trail log files are delivered as expected.
13.CloudTrail Bucket MFA Delete Enabled
Description:Ensure AWS CloudTrail logging bucket has MFA Delete feature enabled.
14.CloudTrail Bucket Publicly Accessible
Description:Ensure CloudTrail trail logging buckets are not publicly accessible.
15.CloudTrail Data Events
Description:Ensure Data events are included into Amazon CloudTrail trails configuration.
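The trail-level rules in this section can be checked from three CloudTrail API responses per trail. The following is an added example, not Kumolus code, that does so; the two trails, their status and event selectors are constructed, and the designated bucket name is an assumption. The bucket-side rules (Object Lock, access logging, MFA Delete, public access) need S3 calls and are not covered.

```python
"""Offline checks for the CloudTrail trail-configuration rules above.

Added example, not Kumolus code. `trail` has the shape of an entry in
describe_trails()["trailList"], `status` of get_trail_status() and `selectors` of
get_event_selectors()["EventSelectors"]. The designated bucket name and all sample
data are constructed for the example.
"""

DESIGNATED_BUCKET = "org-cloudtrail-logs"   # assumed: the approved log bucket


def trail_findings(trail, status, selectors):
    """Rule names (as listed above) that one trail violates."""
    f = []
    # "CloudTrail Enabled": the trail must be logging and cover every region
    if not status.get("IsLogging") or not trail.get("IsMultiRegionTrail"):
        f.append("CloudTrail Enabled")
    if not trail.get("IncludeGlobalServiceEvents"):
        f.append("CloudTrail Global Services Enabled")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        f.append("CloudTrail Integrated With CloudWatch")
    if not trail.get("LogFileValidationEnabled"):
        f.append("CloudTrail Log File Validation")
    if not trail.get("KmsKeyId"):
        f.append("CloudTrail Logs Encrypted")
    if trail.get("S3BucketName") != DESIGNATED_BUCKET:
        f.append("CloudTrail S3 Bucket")
    if status.get("LatestDeliveryError"):   # absent from the response when delivery works
        f.append("CloudTrail Delivery Failing")
    # management events must be recorded for both reads and writes
    if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               for s in selectors):
        f.append("CloudTrail Management Events")
    if not any(s.get("DataResources") for s in selectors):
        f.append("CloudTrail Data Events")
    return f


def account_findings(trails):
    """Rules that apply across all trails rather than to one trail."""
    with_global = [t["Name"] for t in trails if t.get("IncludeGlobalServiceEvents")]
    return ["CloudTrail Global Services Logging Duplicated"] if len(with_global) > 1 else []


# constructed samples: one compliant trail and one legacy single-region trail
GOOD_TRAIL = {
    "Name": "org-trail", "S3BucketName": DESIGNATED_BUCKET,
    "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1111-aaaa",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:cloudtrail:*",
}
GOOD_STATUS = {"IsLogging": True}
GOOD_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                   "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}]

LEGACY_TRAIL = {
    "Name": "legacy-trail", "S3BucketName": "dev-bucket",
    "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": False,
}
LEGACY_STATUS = {"IsLogging": True, "LatestDeliveryError": "AccessDenied"}
LEGACY_SELECTORS = [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                     "DataResources": []}]

if __name__ == "__main__":
    for name, args in (("org-trail", (GOOD_TRAIL, GOOD_STATUS, GOOD_SELECTORS)),
                       ("legacy-trail", (LEGACY_TRAIL, LEGACY_STATUS, LEGACY_SELECTORS))):
        print(name, trail_findings(*args))
    print("account", account_findings([GOOD_TRAIL, LEGACY_TRAIL]))
```

The duplicated-global-services rule is account-wide: once a multi-region trail records global service events, a second trail doing the same only doubles IAM and STS entries in the log bucket, which is why it is computed over the list of trails rather than per trail.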
AWS CloudWatch
1.AWS Config Changes Alarm
Description:Ensure AWS Config configuration changes are being monitored using CloudWatch alarms.
2.AWS Console Sign In Without MFA
Description:Monitor for AWS Console Sign-In Requests Without MFA
3.AWS Organizations Changes Alarm
Description:Ensure Amazon Organizations changes are being monitored using AWS CloudWatch alarms.
4.Authorization Failures Alarm
Description:Ensure any unauthorized API calls made within your AWS account are being monitored using CloudWatch alarms.
5.CMK Disabled or Scheduled for Deletion Alarm
Description:Ensure AWS CMK configuration changes are being monitored using CloudWatch alarms.
6.CloudTrail Changes Alarm
Description:Ensure all AWS CloudTrail configuration changes are being monitored using CloudWatch alarms.
7.Console Sign-in Failures Alarm
Description:Ensure your AWS Console authentication process is being monitored using CloudWatch alarms.
8.EC2 Instance Changes Alarm
Description:Ensure AWS EC2 instance changes are being monitored using CloudWatch alarms.
9.EC2 Large Instance Changes Alarm
Description:Ensure AWS EC2 large instance changes are being monitored using CloudWatch alarms.
10.IAM Policy Changes Alarm
Description:Ensure AWS IAM policy configuration changes are being monitored using CloudWatch alarms.
11.Internet Gateway Changes Alarm
Description:Ensure AWS VPC Customer/Internet Gateway configuration changes are being monitored using CloudWatch alarms.
12.Network ACL Changes Alarm
Description:Ensure AWS Network ACLs configuration changes are being monitored using CloudWatch alarms.
13.Root Account Usage Alarm
Description:Ensure Root Account Usage is being monitored using CloudWatch alarms.
14.Route Table Changes Alarm
Description:Ensure AWS Route Tables configuration changes are being monitored using CloudWatch alarms.
15.S3 Bucket Changes Alarm
Description:Ensure AWS S3 Buckets configuration changes are being monitored using CloudWatch alarms.
16.Security Group Changes Alarm
Description:Ensure AWS security groups configuration changes are being monitored using CloudWatch alarms.
17.VPC Changes Alarm
Description:Ensure AWS VPCs configuration changes are being monitored using CloudWatch alarms.
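Each alarm in this section rests on a CloudWatch Logs metric filter over the CloudTrail events delivered to a log group. The following is an added example, not Kumolus code, that expresses those filter conditions in Python and runs them over a few constructed, trimmed CloudTrail records, so you can see which alarm a given event would raise. The metric-filter pattern each rule corresponds to is shown in the comment beside it; the event-name lists follow the CIS AWS Foundations metric filters, and the "large instance" threshold is an assumption.

```python
"""Match CloudTrail events against the CloudWatch alarm conditions listed above.

Added example, not Kumolus code. Each rule is the Python equivalent of a CloudWatch
Logs metric-filter pattern (shown in the comments); the sample events are
constructed, trimmed CloudTrail records.
"""


def _get(event, path):
    """Dotted lookup like the '$.a.b' selector in a metric filter; None if absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


# alarms that fire purely on $.eventName membership
EVENT_NAME_ALARMS = {
    "AWS Config Changes Alarm": {"StopConfigurationRecorder", "DeleteDeliveryChannel",
                                 "PutDeliveryChannel", "PutConfigurationRecorder"},
    "CloudTrail Changes Alarm": {"CreateTrail", "UpdateTrail", "DeleteTrail",
                                 "StartLogging", "StopLogging"},
    "EC2 Instance Changes Alarm": {"RunInstances", "RebootInstances", "StartInstances",
                                   "StopInstances", "TerminateInstances"},
    "IAM Policy Changes Alarm": {"DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
                                 "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
                                 "CreatePolicy", "DeletePolicy", "CreatePolicyVersion",
                                 "DeletePolicyVersion", "AttachRolePolicy", "DetachRolePolicy",
                                 "AttachUserPolicy", "DetachUserPolicy",
                                 "AttachGroupPolicy", "DetachGroupPolicy"},
    "Internet Gateway Changes Alarm": {"CreateCustomerGateway", "DeleteCustomerGateway",
                                       "AttachInternetGateway", "CreateInternetGateway",
                                       "DeleteInternetGateway", "DetachInternetGateway"},
    "Network ACL Changes Alarm": {"CreateNetworkAcl", "CreateNetworkAclEntry",
                                  "DeleteNetworkAcl", "DeleteNetworkAclEntry",
                                  "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation"},
    "Route Table Changes Alarm": {"CreateRoute", "CreateRouteTable", "ReplaceRoute",
                                  "ReplaceRouteTableAssociation", "DeleteRouteTable",
                                  "DeleteRoute", "DisassociateRouteTable"},
    "S3 Bucket Changes Alarm": {"PutBucketAcl", "PutBucketPolicy", "PutBucketCors",
                                "PutBucketLifecycle", "PutBucketReplication",
                                "DeleteBucketPolicy", "DeleteBucketCors",
                                "DeleteBucketLifecycle", "DeleteBucketReplication"},
    "Security Group Changes Alarm": {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                                     "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                                     "CreateSecurityGroup", "DeleteSecurityGroup"},
    "VPC Changes Alarm": {"CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
                          "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection",
                          "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection"},
}


def alarms_for(event):
    """Names of the alarms (from the list above) one CloudTrail event would trigger."""
    hits = [alarm for alarm, names in EVENT_NAME_ALARMS.items()
            if event.get("eventName") in names]
    name, source = event.get("eventName", ""), event.get("eventSource", "")
    err = event.get("errorCode") or ""
    # { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    if err.endswith("UnauthorizedOperation") or err.startswith("AccessDenied"):
        hits.append("Authorization Failures Alarm")
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    if name == "ConsoleLogin" and _get(event, "additionalEventData.MFAUsed") != "Yes":
        hits.append("AWS Console Sign In Without MFA")
    # { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
    if name == "ConsoleLogin" and event.get("errorMessage") == "Failed authentication":
        hits.append("Console Sign-in Failures Alarm")
    # { ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }
    if source == "kms.amazonaws.com" and name in ("DisableKey", "ScheduleKeyDeletion"):
        hits.append("CMK Disabled or Scheduled for Deletion Alarm")
    # { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }
    if (_get(event, "userIdentity.type") == "Root" and _get(event, "userIdentity.invokedBy") is None
            and event.get("eventType") != "AwsServiceEvent"):
        hits.append("Root Account Usage Alarm")
    # simplification: any write call to Organizations (the CIS filter enumerates the names)
    if source == "organizations.amazonaws.com" and not name.startswith(("Describe", "List")):
        hits.append("AWS Organizations Changes Alarm")
    # assumed threshold: any instance type whose size ends in "large" (large, xlarge, 24xlarge ...)
    if name == "RunInstances" and str(_get(event, "requestParameters.instanceType")).endswith("large"):
        hits.append("EC2 Large Instance Changes Alarm")
    return hits


SAMPLE_EVENTS = [   # constructed, trimmed CloudTrail records
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"}},
    {"eventName": "ScheduleKeyDeletion", "eventSource": "kms.amazonaws.com", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser"}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], alarms_for(ev))
```

A denied AuthorizeSecurityGroupIngress call matches both the security-group filter and the authorization-failure filter, as it should: the metric filters are independent and each feeds its own alarm, so one event can raise several.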
Amazon Elastic Block Store (EBS)
1.EBS Volumes Attached To Stopped EC2 Instances
Description:Identify Amazon EBS volumes attached to stopped EC2 instances (i.e. unused EBS volumes).
AWS Auto Scaling Group (ASG)
1.Auto Scaling Group Referencing Missing ELB
Description:Ensure Amazon Auto Scaling Groups are utilizing active Elastic Load Balancers.
Elastic Network Interface (NIC)
1.Unused Elastic Network Interfaces
Description:Ensure unused AWS Elastic Network Interfaces (ENIs) are removed to follow best practices.
Launch Configuration (LC)
1.Launch Configuration Referencing Missing AMI
Description:Ensure AWS Launch Configurations are utilizing active Amazon Machine Images.
2.Launch Configuration Referencing Missing Security Groups
Description:Ensure AWS Launch Configurations are utilizing active Security Groups.
Amazon Relational Database Service (RDS)
1.RDS Free Storage Space
Description:Identify RDS instances with low free storage space and scale them in order to optimize their performance.
Amazon Internet Gateways (AIG)
1.Unused VPC Internet Gateways
Description:Ensure unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices.
AWS Auto Scaling Group (ASG)
1.Same Availability Zones In ASG And ELB
Description:Ensure AWS Availability Zones used for Auto Scaling Groups and for their Elastic Load Balancers are the same.
Amazon Simple Storage Service (S3)
1.DNS Compliant S3 Bucket Names
Description:Ensure that your AWS S3 buckets are using DNS-compliant bucket names.
Amazon Machine Image (AMI)
1.EC2 AMI Too Old
Description:Check for any AMIs older than 180 days available within your AWS account.
Amazon Elastic Block Store (EBS)
1.EBS Volumes Recent Snapshots
Description: Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery.
AWS Auto Scaling Group (ASG)
1.Auto Scaling Group Cooldown Period
Description:Ensure Amazon Auto Scaling Groups are utilizing cooldown periods.
Amazon Simple Storage Service (S3)
1.S3 Bucket Versioning Enabled
Description:Enable versioning on your S3 buckets. Versioning is an additional backup layer that lets you retrieve data after it is accidentally deleted or overwritten.
Amazon Elastic Compute Cloud (EC2)
1.EC2 Instance Termination Protection
Description:Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs.
2.EC2 Instance Too Old
Description:Check for running AWS EC2 instances older than 180 days available within your AWS account.
Amazon Elastic Load Balancing (ELB)
1.ELB Connection Draining Enabled
Description:With Connection Draining enabled, the Elastic Load Balancer stops sending new requests to a backend instance that fails health checks or is being deregistered, but allows existing (in-flight) requests to complete for the duration of the configured timeout.
2.ELB Cross-Zone Load Balancing Enabled
Description:Ensure high availability for your ELBs by using Cross-Zone Load Balancing with multiple subnets in different AZs.
3.ELB Minimum Number Of EC2 Instances
Description:Ensure there is a minimum number of two healthy backend instances associated with each ELB.
Amazon Relational Database Service (RDS)
1.Automated Backup Disabled
Description:A backup retention period of zero days disables automated backups and deletes all existing automated snapshots of the DB instance. Set the retention period as high as your requirements allow, up to the maximum of 35 days.
2.RDS Sufficient Backup Retention Period
Description:Ensure AWS RDS instances have sufficient backup retention period for compliance purposes.
3.Short backup retention period
Description:Ensure the backup retention period is more than 30 days.
4.RDS Multi-AZ
Description:Ensure AWS RDS instances have the Multi-AZ feature enabled.