
Amazon Elastic Block Store (EBS) – EBS Volumes Attached To Stopped EC2 Instances

Rule Type: Cost Optimization
Risk Level: High,
Rule ID: KUMO-EBS-005

Explanation: Identify Amazon EBS volumes attached to stopped EC2 instances (i.e. unused EBS volumes).

AWS Key Management Service (KMS) – Unused Customer Master Key

Rule Type: Cost Optimization
Risk Level: Low,
Rule ID: KUMO-KMS-002

Explanation: Identify and remove any disabled Customer Master Keys (CMKs) to reduce AWS costs.

Amazon Relational Database Service (RDS) – RDS General Purpose SSD

Rule Type: Cost Optimization
Risk Level: Medium,
Rule ID: KUMO-RDS-012

Explanation: Ensure RDS instances are using General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize the RDS service costs.

Amazon Relational Database Service (RDS) – Underutilised RDS Instance

Rule Type: Cost Optimization
Risk Level: High,
Rule ID: KUMO-RDS-015

Explanation: Identify underutilised RDS instances and downsize them in order to optimise your AWS costs.

Amazon EC2 Key Pairs – Unused AWS EC2 Key Pairs

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-037

Explanation: Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices.

Amazon Security Group (SG) – Default Security Groups In Use

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-001

Explanation: Ensure default EC2 security groups are not in use in order to follow AWS security best practices.

Amazon Security Group (SG) – Default Security Group with rules

Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-002

Explanation: Ensure default EC2 security groups do not have rules in order to follow AWS security best practices.

Amazon Security Group (SG) – Security Group All Ports Open to All

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-040

Explanation: Ports that are open to public access create a risk of data breach. To avoid exposure to security vulnerabilities, we recommend that only ports associated with relevant IP addresses and security groups be open.

Amazon Security Group (SG) – _ARG_0_ port _ARG_2_ open to all

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-EC2-011

Explanation: Rules with source of 0.0.0.0/0 allow all IP addresses to access your instance. We recommend setting security group rules to allow access from known IP addresses only.

Amazon Security Group (SG) – _ARG_0_ port _PORT_ open to all

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-043

Explanation: Non-HTTP _ARG_0_ port _PORT_ is open to all, which creates a risk of data breach. To avoid exposure to security vulnerabilities, we recommend that only ports associated with relevant IP addresses and security groups be open.

Amazon Security Group (SG) – Unrestricted network traffic within security group

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-045

Explanation: We recommend that you update your security group rules to allow access from known IP addresses only.

Amazon Security Group (SG) – Security Group All Ports Open to All

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-047

Explanation: All ports are open, which creates a risk of data breach. To avoid exposure to security vulnerabilities, we recommend that only the required port(s) be open to the relevant IP addresses or security groups.

Amazon Security Group (SG) – Security Group Port Range

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-042

Explanation: Ensure there are no EC2 security groups in your AWS account that open a range of ports to incoming traffic.

Amazon Security Group (SG) – Security Group not in use

Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-044

Explanation: This security group is not associated with any service.

Amazon Security Group (SG) – Security Group Rules Counts

Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-043

Explanation: Ensure your EC2 security groups do not have an excessive number of rules defined.

Amazon Machine Image (AMI) – Publicly Shared AMI

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-036

Explanation: Ensure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts.

Amazon Machine Image (AMI) – EC2 AMI Too Old

Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-033

Explanation: Check for any AMIs older than 180 days available within your AWS account.

Amazon Machine Image (AMI) – AWS AMI Encryption

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-EC2-039

Explanation: Ensure that your existing AMIs are encrypted to meet security and compliance requirements.

Amazon Relational Database Service (RDS) – RDS Encryption Enabled

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-RDS-005

Explanation: Ensure AWS RDS instances are encrypted to meet security and compliance requirements.

Amazon Relational Database Service (RDS) – RDS Auto Minor Version Upgrade

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-RDS-003

Explanation: Ensure AWS RDS instances have the Auto Minor Version Upgrade feature enabled.

Amazon Relational Database Service (RDS) – RDS Postgres with Invalid Certificate

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-RDS-017

Explanation:

Amazon Relational Database Service (RDS) – Unrestricted DB Security Group

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-RDS-016

Explanation: Ensure there aren’t any unrestricted DB security groups assigned to your RDS instances.

Amazon Relational Database Service (RDS) – Amazon RDS Public Snapshots

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-RDS-017

Explanation: Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts.

Amazon Relational Database Service (RDS) – RDS Master Username

Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-RDS-013

Explanation: Ensure AWS RDS instances are using secure and unique master usernames for their databases.

Amazon Elastic Compute Cloud (EC2) – EC2 Instance Too Old

Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-034

Explanation: Check for running AWS EC2 instances older than 180 days available within your AWS account.

Amazon Elastic Compute Cloud (EC2) – Security Group Name Prefixed With ‘launch-wizard’

Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-046

Explanation: Ensure EC2 security groups prefixed with ‘launch-wizard’ are not in use in order to follow AWS security best practices.

Amazon Elastic Compute Cloud (EC2) – EC2 Instance Using IAM Roles

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-035

Explanation: Use instance profiles/IAM roles to appropriately grant permissions to applications running on Amazon EC2 instances.

Amazon Elastic Block Store (EBS) – EBS Encrypted

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-EBS-001

Explanation: Ensure that existing Elastic Block Store (EBS) attached volumes are encrypted to meet security and compliance requirements.

Amazon Elastic Block Store (EBS) – Amazon EBS Public Snapshots

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-EBS-007

Explanation: Ensure that your EBS volume snapshots are not public.

Amazon Elastic Block Store (EBS) – EBS Snapshot Encrypted

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EBS-008

Explanation: Ensure that the AWS EBS volume snapshots that hold sensitive and critical data are encrypted to fulfill compliance requirements for data-at-rest encryption.

Amazon Virtual Private Cloud (VPC) – Unrestricted Network ACL Inbound Traffic

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-VPC-001

Explanation: Ensure no Amazon Network ACL allows inbound/ingress traffic from all ports.

Amazon Virtual Private Cloud (VPC) – Unrestricted Network ACL Outbound Traffic

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-VPC-002

Explanation: Ensure no Amazon Network ACL allows outbound/egress traffic to all ports.

AWS Identity and Access Management (IAM) – Root Account Access Keys Present

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-019

Explanation: Ensure that your AWS account (root) is not using access keys as a security best practice.

AWS Identity and Access Management (IAM) – Root Account Active Signing Certificates

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-018

Explanation: Ensure that your AWS root account user is not using X.509 certificates to validate API requests.

AWS Identity and Access Management (IAM) – Root Account Usage

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-016

Explanation: Ensure root account credentials have not been used recently to access your AWS account.

AWS Identity and Access Management (IAM) – Root MFA Enabled

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-017

Explanation: Ensure Multi-Factor Authentication (MFA) is enabled for the AWS root account.

AWS Identity and Access Management (IAM) – IAM User Password Expiry 7 Days

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-014

Explanation: Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (7 Days)

AWS Identity and Access Management (IAM) – IAM User Password Expiry 30 Days

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-014

Explanation: Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days)

AWS Identity and Access Management (IAM) – IAM User Password Expiry 45 Days

Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-IAM-014

Explanation: Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days)

AWS Identity and Access Management (IAM) – Credentials Last Used – Access Key

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-005

Explanation: Ensure that unused AWS IAM credentials are decommissioned to follow security best practices.

AWS Identity and Access Management (IAM) – Credentials Last Used – Password

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-004

Explanation: Ensure that unused AWS IAM credentials are decommissioned to follow security best practices.

AWS Identity and Access Management (IAM) – Unused IAM User

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-030

Explanation: Ensure unused IAM users are removed from AWS account to follow security best practice.

AWS Identity and Access Management (IAM) – Access Keys Rotated 30 Days

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-003

Explanation: Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (30 Days)

AWS Identity and Access Management (IAM) – Access Keys Rotated 45 Days

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-003

Explanation: Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (45 Days)

AWS Identity and Access Management (IAM) – Access Keys Rotated 90 Days

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-003

Explanation: Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (90 Days)

AWS Identity and Access Management (IAM) – Hardware MFA for AWS Root Account

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-009

Explanation: Ensure hardware MFA is enabled for your Amazon Web Services root account.

AWS CloudTrail – CloudTrail Enabled

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-001

Explanation: Ensure AWS CloudTrail trails are enabled for all AWS regions.

AWS CloudTrail – AWS CloudTrail Configuration Changes

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-007

Explanation: CloudTrail configuration changes have been detected within your Amazon Web Services account.

AWS CloudTrail – CloudTrail Global Services Enabled

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-008

Explanation: Ensure AWS CloudTrail trails track API calls for global services such as IAM, STS and CloudFront.

AWS CloudTrail – CloudTrail Global Services Logging Duplicated

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-009

Explanation: Ensure AWS CloudTrail trails are not duplicating global services events in their log files.

AWS CloudTrail – CloudTrail Integrated With CloudWatch

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CT-006

Explanation: Ensure CloudTrail event monitoring with CloudWatch is enabled.

AWS CloudTrail – cloudtrail-no-log-file-validation

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CT-002

Explanation: Ensure log file validation is enabled for AWS CloudTrail trails.

AWS CloudTrail – Enable Object Lock For CloudTrail S3 Buckets

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CT-010

Explanation: Ensure that AWS CloudTrail S3 buckets use Object Lock for data protection and regulatory compliance.

AWS CloudTrail – CloudTrail S3 Bucket

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CT-011

Explanation: Ensure that each AWS CloudTrail trail uses the designated Amazon S3 bucket.

AWS CloudTrail – CloudTrail S3 Bucket Logging Enabled

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CT-003

Explanation: Ensure AWS CloudTrail buckets have server access logging enabled.

AWS CloudTrail – CloudTrail Logs Encrypted

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CT-004

Explanation: Ensure your AWS CloudTrail logs are encrypted using AWS KMS-managed keys (SSE-KMS).

AWS CloudTrail – CloudTrail Management Events

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CT-012

Explanation: Ensure management events are included in the AWS CloudTrail trail configuration.

AWS CloudTrail – CloudTrail Delivery Failing

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CT-013

Explanation: Ensure Amazon CloudTrail trail log files are delivered as expected.

AWS CloudTrail – CloudTrail Bucket MFA Delete Enabled

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-005

Explanation: Ensure AWS CloudTrail logging bucket has MFA Delete feature enabled.

AWS CloudTrail – CloudTrail Bucket Publicly Accessible

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-014

Explanation: Ensure CloudTrail trail logging buckets are not publicly accessible.

AWS CloudTrail – CloudTrail Data Events

Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-CT-004

Explanation: Ensure data events are included in the Amazon CloudTrail trail configuration.

AWS CloudWatch – AWS Config Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-015

Explanation: Ensure AWS Config configuration changes are being monitored using CloudWatch alarms.

AWS CloudWatch – AWS Console Sign In Without MFA

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-014

Explanation: Monitor for AWS Console sign-in requests made without MFA.

AWS CloudWatch – AWS Organizations Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-013

Explanation: Ensure Amazon Organizations changes are being monitored using AWS CloudWatch alarms.

AWS CloudWatch – Authorization Failures Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-012

Explanation: Ensure any unauthorized API calls made within your AWS account are being monitored using CloudWatch alarms.

AWS CloudWatch – CMK Disabled or Scheduled for Deletion Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-011

Explanation: Ensure AWS CMK configuration changes are being monitored using CloudWatch alarms.

AWS CloudWatch – CloudTrail Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-010

Explanation: Ensure all AWS CloudTrail configuration changes are being monitored using CloudWatch alarms.

AWS CloudWatch – Console Sign-in Failures Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-009

Explanation: Ensure your AWS Console authentication process is being monitored using CloudWatch alarms.

AWS CloudWatch – EC2 Instance Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-008

Explanation: Ensure AWS EC2 instance changes are being monitored using CloudWatch alarms.

AWS CloudWatch – EC2 Large Instance Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-007

Explanation: Ensure AWS EC2 large instance changes are being monitored using CloudWatch alarms.

AWS CloudWatch – IAM Policy Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-006

Explanation: Ensure AWS IAM policy configuration changes are being monitored using CloudWatch alarms.

AWS CloudWatch – Internet Gateway Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-006

Explanation: Ensure AWS VPC Customer/Internet Gateway configuration changes are being monitored using CloudWatch alarms.

AWS CloudWatch – Network ACL Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-005

Explanation: Ensure AWS Network ACL configuration changes are being monitored using CloudWatch alarms.

AWS CloudWatch – Root Account Usage Alarm

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CWL-004

Explanation: Ensure Root Account Usage is being monitored using CloudWatch alarms.

AWS CloudWatch – Route Table Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-003

Explanation: Ensure AWS route table configuration changes are being monitored using CloudWatch alarms.

AWS CloudWatch – S3 Bucket Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-019

Explanation: Ensure AWS S3 bucket configuration changes are being monitored using CloudWatch alarms.

AWS CloudWatch – Security Group Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-020

Explanation: Ensure AWS security group configuration changes are being monitored using CloudWatch alarms.

AWS CloudWatch – VPC Changes Alarm

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-001

Explanation: Ensure AWS VPC configuration changes are being monitored using CloudWatch alarms.

AWS IAM Certificate – Expired SSL/TLS Certificate

Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-IAM-008

Explanation: Ensure expired SSL/TLS certificates are removed from AWS IAM.

AWS IAM Certificate – SSL/TLS Certificate Expiry 30 Days

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-021

Explanation: Ensure SSL/TLS certificates are renewed before their expiration.

AWS IAM Certificate – SSL/TLS Certificate Expiry 45 Days

Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-IAM-021

Explanation: Ensure SSL/TLS certificates are renewed before their expiration.

AWS IAM Certificate – SSL/TLS Certificate Expiry 7 Days

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-021

Explanation: Ensure SSL/TLS certificates are renewed before their expiration.

AWS IAM Certificate – Pre-Heartbleed Server Certificates

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-101

Explanation: Ensure that your server certificates are not vulnerable to the Heartbleed security bug.

Amazon Elastic Load Balancing (ELB) – ELB Listener Security

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-ELB-005

Explanation: Ensure that your AWS ELB listeners are using a secure protocol (HTTPS or SSL).

Amazon Elastic Load Balancing (ELB) – ELB Security Group

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-ELB-007

Explanation: Ensure there are valid security groups associated with your Elastic Load Balancer.

Amazon Elastic Load Balancing (ELB) – Internet Facing ELBs (Not Scored)

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-ELB-008

Explanation: Ensure Amazon internet-facing ELBs are regularly reviewed for security purposes (informational).

Amazon Elastic Load Balancing (ELB) – ELB Instances Distribution Across AZs

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-ELB-001

Explanation: Ensure even distribution of backend instances registered to an ELB across Availability Zones.

AWS Organizations – AWS Organizations In Use

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-ORG-001

Explanation: Ensure Amazon Organizations is in use to consolidate all your AWS accounts into an organization.

AWS Organizations – AWS Organizations Enable All Features

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-ORG-002

Explanation: Ensure AWS Organizations All Features is enabled for fine-grained control over which services and actions the member accounts of an organization can access.

AWS Key Management Service (KMS) – KMS Customer Master Key Pending Deletion

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-KMS-001

Explanation: Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.

AWS Key Management Service (KMS) – Key Rotation Enabled

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-KMS-003

Explanation: Ensure Amazon KMS master keys are not exposed to everyone.

AWS Key Management Service (KMS) – KMS Key Exposed

Rule Type: Security
Risk Level: High,
Rule ID: KUMO-KMS-004

Explanation: Ensure Amazon KMS master keys are not exposed to everyone.

Amazon Simple Storage Service (S3) – S3 Bucket Logging Enabled

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-S3-001

Explanation: Ensure AWS S3 buckets have server access logging enabled to track access requests.

Amazon Simple Storage Service (S3) – Versioned bucket without MFA delete

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-S3-010

Explanation:

Amazon Simple Storage Service (S3) – S3 Buckets with static website enabled

Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-S3-004

Explanation:

Amazon Simple Storage Service (S3) – _ARG_2_

Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-006

Explanation: We recommend not to enable _ARG_2

Amazon Simple Storage Service (S3) – _ARG_2_

Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-007

Explanation: We recommend not to enable _ARG_2

Amazon Simple Storage Service (S3) – _ARG_2_

Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-008

Explanation: We recommend not to enable _ARG_2

Amazon Simple Storage Service (S3) – _ARG_2_

Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-009

Explanation: We recommend not to enable _ARG_2

Amazon Simple Storage Service (S3) – _ARG_2_

Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-002

Explanation: We recommend not to enable _ARG_2

Amazon Simple Storage Service (S3) – _ARG_2_

Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-002

Explanation: We recommend not to enable _ARG_2

Amazon Simple Storage Service (S3) – _ARG_2_

Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-012

Explanation: We recommend not to enable _ARG_2

Amazon Simple Storage Service (S3) – _ARG_2_

Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-008

Explanation: We recommend not to enable _ARG_2

Amazon Simple Storage Service (S3) – _ARG_2_

Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-011

Explanation: We recommend not to enable _ARG_2

Amazon Simple Storage Service (S3) – _ARG_2_

Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-013

Explanation: We recommend not to enable _ARG_2

Amazon Elastic Block Store (EBS) – EBS Volumes Attached To Stopped EC2 Instances

Rule Type: Operational
Risk Level: High,
Rule ID: KUMO-EBS-005

Explanation: Identify Amazon EBS volumes attached to stopped EC2 instances (i.e. unused EBS volumes).

AWS Auto Scaling Group (ASG) – Auto Scaling Group Referencing Missing ELB

Rule Type: Operational
Risk Level: High,
Rule ID: KUMO-ASG-002

Explanation: Ensure Amazon Auto Scaling Groups are utilizing active Elastic Load Balancers.

Elastic Network Interface (NIC) – Unused Elastic Network Interfaces

Rule Type: Operational
Risk Level: High,
Rule ID: KUMO-EC2-038

Explanation: Ensure unused AWS Elastic Network Interfaces (ENIs) are removed to follow best practices.

Launch Configuration (LC) – Launch Configuration Referencing Missing AMI

Rule Type: Operational
Risk Level: High,
Rule ID: KUMO-ASG-004

Explanation: Ensure AWS Launch Configurations are utilizing active Amazon Machine Images.

Launch Configuration (LC) – Launch Configuration Referencing Missing Security Groups

Rule Type: Operational
Risk Level: High,
Rule ID: KUMO-ASG-005

Explanation: Ensure AWS Launch Configurations are utilizing active Security Groups.

Amazon Relational Database Service (RDS) – RDS Free Storage Space

Rule Type: Performance
Risk Level: High,
Rule ID: KUMO-RDS-011

Explanation: Identify RDS instances with low free storage space and scale them in order to optimize their performance.

Amazon Internet Gateways (AIG) – Unused VPC Internet Gateways

Rule Type: Performance
Risk Level: Low,
Rule ID: KUMO-VPC-003

Explanation: Ensure unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices.

AWS Auto Scaling Group (ASG) – Same Availability Zones In ASG And ELB

Rule Type: Performance
Risk Level: High,
Rule ID: KUMO-ASG-003

Explanation: Ensure AWS Availability Zones used for Auto Scaling Groups and for their Elastic Load Balancers are the same.

Amazon Simple Storage Service (S3) – DNS Compliant S3 Bucket Names

Rule Type: Performance
Risk Level: Low,
Rule ID: KUMO-S3-005

Explanation: Ensure that your AWS S3 buckets are using DNS-compliant bucket names.

Amazon Machine Image (AMI) – EC2 AMI Too Old

Rule Type: Reliability
Risk Level: Low,
Rule ID: KUMO-EC2-033

Explanation: Check for any AMIs older than 180 days available within your AWS account.

Amazon Relational Database Service (RDS) – Automated Backup Disabled

Rule Type: Reliability
Risk Level: High,
Rule ID: KUMO-RDS-004

Explanation: A backup retention period of zero days disables automated backups and deletes all existing automated snapshots of this DB instance. We recommend that the backup retention period be set as high as possible, up to the maximum of 35 days.

Amazon Relational Database Service (RDS) – RDS Sufficient Backup Retention Period

Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-RDS-014

Explanation: Ensure AWS RDS instances have sufficient backup retention period for compliance purposes.

Amazon Relational Database Service (RDS) – Short backup retention period

Rule Type: Reliability
Risk Level: High,
Rule ID: KUMO-RDS-014

Explanation: We recommend a backup retention period of more than 30 days.

Amazon Relational Database Service (RDS) – RDS Multi-AZ

Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-RDS-006

Explanation: Ensure AWS RDS clusters have the Multi-AZ feature enabled.

Amazon Relational Database Service (RDS) – RDS Postgres with Invalid Certificate

Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-RDS-017

Explanation:

Amazon Elastic Compute Cloud (EC2) – EC2 Instance Termination Protection

Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-EC2-004

Explanation: Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs.

Amazon Elastic Compute Cloud (EC2) – EC2 Instance Too Old

Rule Type: Reliability
Risk Level: Low,
Rule ID: KUMO-EC2-034

Explanation: Check for running AWS EC2 instances older than 180 days available within your AWS account.

Amazon Elastic Block Store (EBS) – EBS Volumes Recent Snapshots

Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-EBS-006

Explanation: Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery.

AWS Auto Scaling Group (ASG) – Auto Scaling Group Cooldown Period

Rule Type: Reliability
Risk Level: High,
Rule ID: KUMO-ASG-001

Explanation: Ensure Amazon Auto Scaling Groups are utilizing cooldown periods.

Amazon Simple Storage Service (S3) – S3 Bucket Versioning Enabled

Rule Type: Reliability
Risk Level: Low,
Rule ID: KUMO-S3-003

Explanation: We recommend enabling versioning on your bucket. It is an additional backup layer for retrieving your data if you accidentally delete objects in your S3 bucket.

Amazon Elastic Load Balancing (ELB) – ELB Connection Draining Enabled

Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-ELB-003

Explanation: With the Connection Draining feature enabled, if an EC2 backend instance fails health checks, the Elastic Load Balancer will not send any new requests to the unhealthy instance. However, it will still allow existing (in-flight) requests to complete for the duration of the configured timeout.

Amazon Elastic Load Balancing (ELB) – ELB Cross-Zone Load Balancing Enabled

Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-ELB-004

Explanation: Ensure high availability for your ELBs by using Cross-Zone Load Balancing with multiple subnets in different AZs.

Amazon Elastic Load Balancing (ELB) – ELB Minimum Number Of EC2 Instances

Rule Type: Reliability
Risk Level: High,
Rule ID: KUMO-ELB-006

Explanation: Ensure there is a minimum number of two healthy backend instances associated with each ELB.