Amazon Elastic Block Store (EBS) – EBS Volumes Attached To Stopped EC2 Instances
Rule Type: Cost Optimization
Risk Level: High,
Rule ID: KUMO-EBS-005
Explanation: Identify Amazon EBS volumes attached to stopped EC2 instances (i.e. unused EBS volumes).
AWS Key Management Service (KMS) – Unused Customer Master Key
Rule Type: Cost Optimization
Risk Level: Low,
Rule ID: KUMO-KMS-002
Explanation: Unused Customer Master Key Identify and remove any disabled Customer Master Keys (CMK) to reduce AWS costs.
Amazon Relational Database Service (RDS) – RDS General Purpose SSD
Rule Type: Cost Optimization
Risk Level: Medium,
Rule ID: KUMO-RDS-012
Explanation: Ensure RDS instances are using General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize the RDS service costs.
Amazon Relational Database Service (RDS) – Underutilised RDS Instance
Rule Type: Cost Optimization
Risk Level: High,
Rule ID: KUMO-RDS-015
Explanation: Identify underutilised RDS instances and downsize them in order to optimise your AWS costs.
Amazon EC2 Key Pairs- Unused AWS EC2 Key Pairs
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-037
Explanation: Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices.
Amazon Security Group (SG) – Default Security Groups In Use
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-001
Explanation: Ensure default EC2 security groups are not in use in order to follow AWS security best practices.
Amazon Security Group (SG) – Default Security Group with rules
Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-002
Explanation: Ensure default EC2 security groups do not have rules in order to follow AWS security best practises.
Amazon Security Group (SG) – Security Group All Ports Open to All
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-040
Explanation: Ports are open to public access, there are chances of data breach. In order to avoid exposure to security vulnerabilities, we recommend that only ports associated with relevant IP and security groups should be open.
Amazon Security Group (SG) – _ARG_0_ port _ARG_2_ open to all
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-EC2-011
Explanation: Rules with source of 0.0.0.0/0 allow all IP addresses to access your instance. We recommend setting security group rules to allow access from known IP addresses only.
Amazon Security Group (SG) – _ARG_0_ port _PORT_ open to all
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-043
Explanation: Non HTTP _ARG_0_ port _PORT_ is open to all, there are chances of data breach. In order to avoid exposure to security vulnerabilities, we recommend that only ports associated with relevant IP and security groups should be open.
Amazon Security Group (SG) – Unrestricted network traffic within security group
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-045
Explanation: We recommend that you update your security group rules to allow access from known IP addresses only.
Amazon Security Group (SG) – Security Group All Ports Open to All
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-047
Explanation: All Ports are open, there are chances of data breach. In order to avoid exposure to security vulnerabilities, we recommend that only required port/s should be open for relevant IP / security groups..
Amazon Security Group (SG) – Security Group Port Range
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-042
Explanation: Ensure there are no EC2 security groups in your AWS account that open range of ports to allow incoming traffic.
Amazon Security Group (SG) – Security Group not in use
Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-044
Explanation: This security group is not associated with any service.
Amazon Security Group (SG) – Security Group Rules Counts
Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-043
Explanation: Ensure your EC2 security groups do not have an excessive number of rules defined.
Amazon Machine Image (AMI) – Publicly Shared AMI
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-036
Explanation: Ensure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts.
Amazon Machine Image (AMI) – EC2 AMI Too Old
Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-033
Explanation: Check for any AMIs older than 180 days available within your AWS account.
Amazon Machine Image (AMI) – AWS AMI Encryption
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-EC2-039
Explanation: Ensure that your existing AMIs are encrypted to meet security and compliance requirements.
Amazon Relational Database Service (RDS) – RDS Encryption Enabled
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-RDS-005
Explanation: Ensure AWS RDS instances are encrypted to meet security and compliance requirements.
Amazon Relational Database Service (RDS) – RDS Auto Minor Version Upgrade
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-RDS-003
Explanation: Ensure AWS RDS instances have the Auto Minor Version Upgrade feature enabled.
Amazon Relational Database Service (RDS) – RDS Postgres with Invalid Certificate
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-RDS-017
Explanation:
Amazon Relational Database Service (RDS) – Unrestricted DB Security Group
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-RDS-016
Explanation: Ensure there aren’t any unrestricted DB security groups assigned to your RDS instances.
Amazon Relational Database Service (RDS) – Amazon RDS Public Snapshots
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-RDS-017
Explanation: Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts.
Amazon Relational Database Service (RDS) – RDS Master Username
Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-RDS-013
Explanation: Ensure AWS RDS instances are using secure and unique master usernames for their databases.
Amazon Elastic Compute Cloud (EC2) – EC2 Instance Too Old
Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-034
Explanation: Check for running AWS EC2 instances older than 180 days available within your AWS account.
Amazon Elastic Compute Cloud (EC2) – Security Group Name Prefixed With ‘launch-wizard
Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-EC2-046
Explanation: Ensure EC2 security groups prefixed with ‘launch-wizard’ are not in use in order to follow AWS security best practices.
Amazon Elastic Compute Cloud (EC2) – EC2 Instance Using IAM Roles
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EC2-035
Explanation: Use Instance Profiles/IAM Roles to appropriately grant permissions to applications running on amazon EC2 instances.
Amazon Elastic Block Store (EBS) – EBS Encrypted
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-EBS-001
Explanation: Ensure that existing Elastic Block Store (EBS) attached volumes are encrypted to meet security and compliance requirements.
Amazon Elastic Block Store (EBS) – Amazon EBS Public Snapshots
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-EBS-007
Explanation: Ensure that your EBS volume snapshots are not public.
Amazon Elastic Block Store (EBS) – EBS Snapshot Encrypted
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-EBS-008
Explanation: Ensure that the AWS EBS volume snapshots that hold sensitive and critical data are encrypted to fulfill compliance requirements for data-at-rest encryption.
Amazon Virtual Private Cloud (VPC) – Unrestricted Network ACL Inbound Traffic
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-VPC-001
Explanation: Ensure no Amazon Network ACL allows inbound/ingress traffic from all ports.
Amazon Virtual Private Cloud (VPC) – Unrestricted Network ACL Outbound Traffic
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-VPC-002
Explanation: Ensure no Amazon Network ACL allows outbound/egress traffic to all ports.
AWS Identity and Access Management (IAM) – Root Account Access Keys Present
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-019
Explanation: Ensure that your AWS account (root) is not using access keys as a security best practice.
AWS Identity and Access Management (IAM) – Root Account Active Signing Certificates
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-018
Explanation: Ensure that your AWS root account user is not using X.509 certificates to validate API requests.
AWS Identity and Access Management (IAM) – Root Account Usage
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-016
Explanation: Ensure root account credentials have not been used recently to access your AWS account.
AWS Identity and Access Management (IAM) – Root MFA Enabled
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-017
Explanation: Ensure Multi-Factor Authentication (MFA) is enabled for the AWS root account.
AWS Identity and Access Management (IAM) – IAM User Password Expiry 7 Days
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-014
Explanation: Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (7 Days)
AWS Identity and Access Management (IAM) – IAM User Password Expiry 30 Days
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-014
Explanation: Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days)
AWS Identity and Access Management (IAM) – IAM User Password Expiry 45 Days
Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-IAM-014
Explanation: Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days)
AWS Identity and Access Management (IAM) – Credentials Last Used – Access Key
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-005
Explanation: Ensure that unused AWS IAM credentials are decommissioned to follow security best practices.
AWS Identity and Access Management (IAM) – Credentials Last Used – Password
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-004
Explanation: Ensure that unused AWS IAM credentials are decommissioned to follow security best practices.
AWS Identity and Access Management (IAM) – Unused IAM User
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-030
Explanation: Ensure unused IAM users are removed from AWS account to follow security best practice.
AWS Identity and Access Management (IAM) – Access Keys Rotated 30 Days
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-003
Explanation: Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (30 Days)
AWS Identity and Access Management (IAM) – Access Keys Rotated 45 Days
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-003
Explanation: Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (45 Days)
AWS Identity and Access Management (IAM) – Access Keys Rotated 90 Days
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-003
Explanation: Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (90 Days)
AWS Identity and Access Management (IAM) – Hardware MFA for AWS Root Account
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-009
Explanation: Ensure hardware MFA is enabled for your Amazon Web Services root account.
AWS CloudTrail – cloudtrail Enabled
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-001
Explanation: Ensure AWS CloudTrail trails are enabled for all AWS regions.
AWS CloudTrail – AWS CloudTrail Configuration Changes
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-007
Explanation: CloudTrail configuration changes have been detected within your Amazon Web Services account.
AWS CloudTrail – CloudTrail Global Services Enabled
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-008
Explanation: Ensure AWS CloudTrail trails track API calls for global services such as IAM, STS and CloudFront.
AWS CloudTrail – CloudTrail Global Services Logging Duplicated
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-009
Explanation: Ensure AWS CloudTrail trails are not duplicating global services events in their log files.
AWS CloudTrail – CloudTrail Integrated With CloudWatch
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CT-006
Explanation: Ensure CloudTrail event monitoring with CloudWatch is enabled.
AWS CloudTrail – cloudtrail-no-log-file-validation
Rule Type: Security
Risk Level: Medium,
Rule ID:KUMO-CT-002
Explanation: Ensure AWS CloudTrail trails logfile are enabled.
AWS CloudTrail – Enable object lock for cloud trail s3 buckets
Rule Type: Security
Risk Level: Medium,
Rule ID:KUMO-CT-010
Explanation: Ensure that AWS CloudTrail S3 buckets use Object Lock for data protection and regulatory compliance.
AWS CloudTrail – Cloud trail s3 bucket
Rule Type: Security
Risk Level: Medium,
Rule ID:KUMO-CT-011
Explanation: Ensure that AWS CloudTrail trail uses the designated Amazon S3 bucket..
AWS CloudTrail – CloudTrail S3 Bucket Logging Enabled
Rule Type: Security
Risk Level: Medium,
Rule ID:KUMO-CT-003
Explanation: Ensure AWS CloudTrail buckets have server access logging enabled.
AWS CloudTrail – CloudTrail Logs Encrypted
Rule Type: Security
Risk Level: Medium,
Rule ID:KUMO-CT-004
Explanation: Ensure your AWS CloudTrail logs are encrypted using AWS KMS–Managed Keys (SSE-KMS).
AWS CloudTrail – CloudTrail Management Events
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CT-012
Explanation: Ensure management events are included into AWS CloudTrail trails configuration.
AWS CloudTrail – CloudTrail Delivery Failing
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CT-013
Explanation: Ensure Amazon CloudTrail trail log files are delivered as expected.
AWS CloudTrail – CloudTrail Bucket MFA Delete Enabled
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-005
Explanation: Ensure AWS CloudTrail logging bucket has MFA Delete feature enabled.
AWS CloudTrail – CloudTrail Bucket Publicly Accessible
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CT-014
Explanation: Ensure CloudTrail trail logging buckets are not publicly accessible.
AWS CloudTrail – CloudTrail Data Events
Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-CT-004
Explanation: Ensure Data events are included into Amazon CloudTrail trails configuration.
AWS CloudWatch – AWS Config Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-015
Explanation: Ensure AWS Config configuration changes are being monitored using CloudWatch alarms.
AWS CloudWatch – AWS Console Sign In Without MFA
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-014
Explanation: Monitor for AWS Console Sign-In Requests Without MFA
AWS CloudWatch – AWS Organizations Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-013
Explanation: Ensure Amazon Organizations changes are being monitored using AWS CloudWatch alarms.
AWS CloudWatch – Authorization Failures Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-012
Explanation: Ensure any unauthorized API calls made within your AWS account are being monitored using CloudWatch alarms.
AWS CloudWatch – CMK Disabled or Scheduled for Deletion Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-011
Explanation: Ensure AWS CMK configuration changes are being monitored using CloudWatch alarms.
AWS CloudWatch – CloudTrail Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-010
Explanation: Ensure all AWS CloudTrail configuration changes are being monitored using CloudWatch alarms.
AWS CloudWatch – Console Sign-in Failures Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-009
Explanation: Ensure your AWS Console authentication process is being monitored using CloudWatch alarms.
AWS CloudWatch – EC2 Instance Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-008
Explanation: Ensure AWS EC2 instance changes are being monitored using CloudWatch alarms.
AWS CloudWatch – EC2 Large Instance Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-007
Explanation: Ensure AWS EC2 large instance changes are being monitored using CloudWatch alarms.
AWS CloudWatch – IAM Policy Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-006
Explanation: Ensure AWS IAM policy configuration changes are being monitored using CloudWatch alarms.
AWS CloudWatch – Internet Gateway Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-006
Explanation: Ensure AWS VPC Customer/Internet Gateway configuration changes are being monitored using CloudWatch alarms.
AWS CloudWatch – Network ACL Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-005
Explanation: Ensure AWS Network ACLs configuration changes are being monitored using CloudWatch alarms.
AWS CloudWatch – Root Account Usage Alarm
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-CWL-004
Explanation: Ensure Root Account Usage is being monitored using CloudWatch alarms.
AWS CloudWatch – Route Table Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-003
Explanation: Ensure AWS Route Tables configuration changes are being monitored using CloudWatch alarms.
AWS CloudWatch – S3 Bucket Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-019
Explanation: Ensure AWS S3 Buckets configuration changes are being monitored using CloudWatch alarms.
AWS CloudWatch – Security Group Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-020
Explanation: Ensure AWS security groups configuration changes are being monitored using CloudWatch alarms.
AWS CloudWatch – VPC Changes Alarm
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-CWL-001
Explanation: Ensure AWS VPCs configuration changes are being monitored using CloudWatch alarms.
AWS IAM Certificate – Expired SSL/TLS Certificate
Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-IAM-008
Explanation: Ensure expired SSL/TLS certificates are removed from AWS IAM
AWS IAM Certificate – SSL/TLS Certificate Expiry 30 Days
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-IAM-021
Explanation: Ensure SSL/TLS certificates are renewed before their expiration.
AWS IAM Certificate – SSL/TLS Certificate Expiry 45 Days
Rule Type: Security
Risk Level: Low,
Rule ID: KUMO-IAM-021
Explanation: Ensure SSL/TLS certificates are renewed before their expiration.
AWS IAM Certificate – SSL/TLS Certificate Expiry 7 Days
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-021
Explanation: Ensure Ensure SSL/TLS certificates are renewed before their expiration.
AWS IAM Certificate – Pre-Heartbleed Server Certificates
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-IAM-101
Explanation: Ensure that your server certificates are not vulnerable to Heartbleed security bug.
Amazon Elastic Load Balancing (ELB) – ELB Listener Security
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-ELB-005
Explanation: Ensure that your AWS ELBs listeners are using a secure protocol (HTTPS or SSL).
Amazon Elastic Load Balancing (ELB) – ELB Security Group
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-ELB-007
Explanation: Ensure there are valid security groups associated with your Elastic Load Balancer.
Amazon Elastic Load Balancing (ELB) – Internet Facing ELBs (Not Scored)
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-ELB-008
Explanation: Ensure Amazon internet-facing ELBs are regularly reviewed for security purposes (informational).
Amazon Elastic Load Balancing (ELB) – ELB Instances Distribution Across AZs
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-ELB-001
Explanation: Ensure even distribution of backend instances registered to an ELB across Availability Zones.
AWS Organizations – AWS Organizations In Use
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-ORG-001
Explanation: Ensure Amazon Organizations is in use to consolidate all your AWS accounts into an organization.
AWS Organizations – AWS Organizations Enable All Features
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-ORG-002
Explanation: Ensure AWS Organizations All Features is enabled for fine-grained control over which services and actions the member accounts of an organization can access.
AWS Key Management Service (KMS) – KMS Customer Master Key Pending Deletion
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-KMS-001
Explanation: Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.
AWS Key Management Service (KMS) – Key Rotation Enabled
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-KMS-003
Explanation: Key Exposed Ensure Amazon KMS master keys are not exposed to everyone.
AWS Key Management Service (KMS) – Kms Key Exposed
Rule Type: Security
Risk Level: High,
Rule ID: KUMO-KMS-004
Explanation: KMS master keys are not exposed to everyone.
Amazon Simple Storage Service (S3) – S3 Bucket Logging Enabled
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-S3-001
Explanation: Ensure AWS S3 buckets have server access logging enabled to track access requests.
Amazon Simple Storage Service (S3) – Versioned bucket without MFA delete
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-S3-010
Explanation:
Amazon Simple Storage Service (S3) – S3 Buckets with static website enabled
Rule Type: Security
Risk Level: Medium,
Rule ID: KUMO-S3-004
Explanation:
Amazon Simple Storage Service (S3) – _ARG_2_
Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-006
Explanation: We recommend not to enable _ARG_2
Amazon Simple Storage Service (S3) – _ARG_2_
Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-007
Explanation: We recommend not to enable _ARG_2
Amazon Simple Storage Service (S3) – _ARG_2_
Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-008
Explanation: We recommend not to enable _ARG_2
Amazon Simple Storage Service (S3) – _ARG_2_
Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-009
Explanation: We recommend not to enable _ARG_2
Amazon Simple Storage Service (S3) – _ARG_2_
Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-002
Explanation: We recommend not to enable _ARG_2
Amazon Simple Storage Service (S3) – _ARG_2_
Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-002
Explanation: We recommend not to enable _ARG_2
Amazon Simple Storage Service (S3) – _ARG_2_
Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-012
Explanation: We recommend not to enable _ARG_2
Amazon Simple Storage Service (S3) – _ARG_2_
Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-008
Explanation: We recommend not to enable _ARG_2
Amazon Simple Storage Service (S3) – _ARG_2_
Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-011
Explanation: We recommend not to enable _ARG_2
Amazon Simple Storage Service (S3) – _ARG_2_
Rule Type: Security
Risk Level: Very High,
Rule ID: KUMO-S3-013
Explanation: We recommend not to enable _ARG_2
Amazon Elastic Block Store (EBS) – EBS Volumes Attached To Stopped EC2 Instances
Rule Type: Operational
Risk Level: High,
Rule ID: KUMO-EBS-005
Explanation: Identify Amazon EBS volumes attached to stopped EC2 instances (i.e. unused EBS volumes).
AWS Auto Scaling Group (ASG) – Auto Scaling Group Referencing Missing ELB
Rule Type: Operational
Risk Level: High,
Rule ID: KUMO-ASG-002
Explanation: Ensure Amazon Auto Scaling Groups are utilizing active Elastic Load Balancers.
Elastic Network Interface (NIC) – Unused Elastic Network Interfaces
Rule Type: Operational
Risk Level: High,
Rule ID: KUMO-EC2-038
Explanation: Ensure unused AWS Elastic Network Interfaces (ENIs) are removed to follow best practices.
Launch Configuration (LC) – Launch Configuration Referencing Missing AMI
Rule Type: Operational
Risk Level: High,
Rule ID: KUMO-ASG-004
Explanation: Ensure AWS Launch Configurations are utilizing active Amazon Machine Images.
Launch Configuration (LC) – Launch Configuration Referencing Missing Security Groups
Rule Type: Operational
Risk Level: High,
Rule ID: KUMO-ASG-005
Explanation: Ensure AWS Launch Configurations are utilizing active Security Groups.
Amazon Relational Database Service (RDS) – RDS Free Storage Space
Rule Type: Performance
Risk Level: High,
Rule ID: KUMO-RDS-011
Explanation: Identify RDS instances with low free storage space and scale them in order to optimize their performance.
Amazon Internet Gateways (AIG) – Unused VPC Internet Gateways
Rule Type: Performance
Risk Level: Low,
Rule ID: KUMO-VPC-003
Explanation: Ensure unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices.
AWS Auto Scaling Group (ASG) – Same Availability Zones In ASG And ELB
Rule Type: Performance
Risk Level: High,
Rule ID: KUMO-ASG-003
Explanation: Ensure AWS Availability Zones used for Auto Scaling Groups and for their Elastic Load Balancers are the same.
Amazon Simple Storage Service (S3) – DNS Compliant S3 Bucket Names
Rule Type: Performance
Risk Level: Low,
Rule ID: KUMO-S3-005
Explanation: Ensure that your AWS S3 buckets are using DNS-compliant bucket names.
Amazon Machine Image (AMI) – EC2 AMI Too Old
Rule Type: Reliability
Risk Level: Low,
Rule ID: KUMO-EC2-033
Explanation: Check for any AMIs older than 180 days available within your AWS account.
Amazon Relational Database Service (RDS) – Automated Backup Disabled
Rule Type: Reliability
Risk Level: High,
Rule ID: KUMO-RDS-004
Explanation: A backup retention of zero days will disable automated backups and delete all existing automated snapshots of this DB instance. We recommend back retention period should be as high as possible, maximum 35 days.
Amazon Relational Database Service (RDS) – RDS Sufficient Backup Retention Period
Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-RDS-014
Explanation: Ensure AWS RDS instances have sufficient backup retention period for compliance purposes.
Amazon Relational Database Service (RDS) – Short backup retention period
Rule Type: Reliability
Risk Level: High,
Rule ID: KUMO-RDS-014
Explanation: We recommend Backup retention period to be more than 30 days.
Amazon Relational Database Service (RDS) – RDS Multi-AZ
Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-RDS-006
Explanation: Ensure AWS RDS clusters have the Multi-AZ feature enabled.
Amazon Relational Database Service (RDS) – RDS Postgres with Invalid Certificate
Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-RDS-017
Explanation:
Amazon Elastic Compute Cloud (EC2) – EC2 Instance Termination Protection
Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-EC2-004
Explanation: Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs.
Amazon Elastic Compute Cloud (EC2) – EC2 Instance Too Old
Rule Type: Reliability
Risk Level: Low,
Rule ID: KUMO-EC2-034
Explanation: Check for running AWS EC2 instances older than 180 days available within your AWS account.
Amazon Elastic Block Store (EBS) – EBS Volumes Recent Snapshots
Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-EBS-006
Explanation: Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery.
AWS Auto Scaling Group (ASG) – Auto Scaling Group Cooldown Period
Rule Type: Reliability
Risk Level: High,
Rule ID: KUMO-ASG-001
Explanation: Ensure Amazon Auto Scaling Groups are utilizing cooldown periods.
Amazon Simple Storage Service (S3) – S3 Bucket Versioning Enabled
Rule Type: Reliability
Risk Level: Low,
Rule ID: KUMO-S3-003
Explanation: We recommend to enable versioning on your bucket.It is additional backup layer for retrieving your data when you accidentally delete data on your s3 bucket.
Amazon Elastic Load Balancing (ELB) – ELB Connection Draining Enabled
Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-ELB-003
Explanation: With Connection Draining feature enabled, if an EC2 backend instance fails health checks the Elastic Load Balancer will not send any new requests to the unhealthy instance. However, it will still allow existing (in-flight) requests to complete for the duration of the configured timeout..
Amazon Elastic Load Balancing (ELB) – ELB Cross-Zone Load Balancing Enabled
Rule Type: Reliability
Risk Level: Medium,
Rule ID: KUMO-ELB-004
Explanation: Ensure high availability for your ELBs by using Cross-Zone Load Balancing with multiple subnets in different AZs.
Amazon Elastic Load Balancing (ELB) – ELB Minimum Number Of EC2 Instances
Rule Type: Reliability
Risk Level: High,
Rule ID: KUMO-ELB-006
Explanation: Ensure there is a minimum number of two healthy backend instances associated with each ELB.
