Security & Compliance Monitoring Rules
Hundreds of Rules, Based on Best Practices & Frameworks
Continually monitor your cloud for security and compliance with rules designed to help you comply with key frameworks, including CIS, NIST, NIST 800-53, NIST 800-171, AWS Well-Architected, HIPAA, PCI DSS, & FedRAMP:
- Hyperglance is shipped with hundreds of customizable rules, tailored to AWS & Azure
- New rules are added regularly in Hyperglance updates
- Automatically fix problems as they arise
- Trigger SNS, EventGrid, Slack, Teams, Jira & SMTP notifications
AWS Rules
API Gateway
API Gateways that are not associated with an AWS Web Application Firewall (WAF)
Checks for any API Gateways that are not associated with an AWS Web Application Firewall (WAF).
• NIST 800-53
API Gateways without a Client Certificate
Checks for any API Gateways without a Client Certificate.
• NIST 800-53
API Gateways with content encoding not enabled
Checks for any API Gateways with content encoding not enabled.
• NIST 800-53
API Gateways with invalid Endpoint types
Customize this rule to control Amazon API Gateway types allowed in your environment and to ensure network integrity.
• NIST 800-171
API Gateways with X-Ray Tracing disabled
Checks for any API Gateways with X-Ray Tracing disabled.
• NIST 800-53
Public API Gateways
These API Gateways are accessible via the Internet. It's advised to use VPC endpoints to secure them.
• NIST 800-53
API Gateway Stage
API Gateway Stages with cache disabled or not encrypted
To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
API Gateway Stages with logging disabled
API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Application Load Balancer
Application Load Balancers listening on insecure Protocol
To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Application Load Balancers with Access Logs Disabled
Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to the ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Application Load Balancers with Deletion Protection Disabled
This rule ensures that Elastic Load Balancing has deletion protection enabled. Use this feature to prevent your load balancer from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Security)
Internet Facing Application Load Balancers
It is recommended that you review all Internet facing Load Balancers to ensure validity.
• NIST 800-53
• PCI DSS
Application Load Balancer + Classic Load Balancer + Network Load Balancer
Internet facing Load Balancers
It is recommended that you review all Internet facing Load Balancers to ensure validity.
• NIST 800-53
• PCI DSS
Load Balancers with Cross-Zone Load Balancing Disabled
Cross-zone load balancing helps maintain adequate capacity and availability. It reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances.
• NIST 800-53
• NIST 800-171
• FedRAMP
• AWS Well-Architected (Reliability)
Aurora DB Cluster
Amazon Aurora Clusters with Logging Not Enabled
Checks for any Amazon Aurora Clusters with Logging Not Enabled.
Amazon Aurora DB Clusters with cluster deletion protection turned off
Use deletion protection to prevent your Amazon RDS instances from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.
• NIST 800-53
• NIST 800-171
• FedRAMP
• AWS Well-Architected (Security)
Classic Load Balancer
Classic Load Balancers Listening on Insecure Protocol
Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.
• NIST 800-53
• NIST 800-171
• FedRAMP
• AWS Well-Architected (Security)
Classic Load Balancers without SSL Certificate
To help protect data in transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Internet Facing Classic Load Balancers
It is recommended that you review all Internet facing Load Balancers to ensure validity.
• NIST 800-53
• PCI DSS
DynamoDB Accelerator
DynamoDB Accelerator encryption disabled
Checks for any DynamoDB Accelerator clusters with encryption disabled.
• NIST 800-53
• HIPAA
• PCI DSS
• GDPR
DynamoDB Table
DynamoDB Point in time recovery not enabled
Maintains the backups by ensuring that point-in-time recovery is enabled in Amazon DynamoDB.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Reliability)
DynamoDB Tables Not Encrypted Using A Customer-Owned KMS Key
Enable encryption at rest because sensitive data can exist at rest in these tables. By default, DynamoDB tables are encrypted with an AWS owned customer master key (CMK).
• NIST 800-53
• NIST 800-171
• FedRAMP
• GDPR
• AWS Well-Architected (Security)
DynamoDB Tables with invalid Encryption Status
Ensure that encryption is enabled for your Amazon DynamoDB tables because sensitive data can exist at rest in these tables.
• PCI DSS
EBS Snapshot
EBS snapshots that are not encrypted
Ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) Snapshots because sensitive data can exist in these snapshots.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)
EBS Volume
EBS Volumes Not Marked For Delete On Terminate
If an Amazon EBS volume isn't deleted when the instance that it's attached to is terminated, it may violate the concept of least functionality.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
EBS Volumes that are not encrypted
Ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes because sensitive data can exist in these volumes.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)
EBS Volumes with disabled backup plan
To help with data back-up processes, ensure your Amazon Elastic Block Store (Amazon EBS) volumes are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.
• NIST 800-53
• NIST 800-171
• FedRAMP
• GDPR
• AWS Well-Architected (Reliability)
Unattached EBS Volumes
If an Amazon EBS volume isn't deleted when the instance that it's attached to is terminated, it may violate the concept of least functionality.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
EC2 Instance
EC2 Instances not in a VPC
Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the Amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet for ICMP via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On Port 53 (DNS) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Ports 20 or 21 (FTP) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 135 (RPC) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 1433 (MsSQL) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 1521 (Oracle) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 22 (SSH) via an Internet Gateway
Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources helps you restrict remote access.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 23 (Telnet) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 25 (SMTP) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 27017 (MongoDB) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 3306 (MySQL) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 3389 (RDP) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 443 (HTTPS) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 445 (CIFS) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 5432 (PostgreSQL) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 80 (HTTP) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances Open To The Entire Internet On TCP Port 9200 (Elasticsearch) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances stopped for more than 30 days
Enable this rule to help with the baseline configuration of Amazon Elastic Compute Cloud (Amazon EC2) instances by checking whether Amazon EC2 instances have been stopped for more than the allowed number of days, according to your organization's standards.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
EC2 instances that are open to the entire Internet (on any port) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet (on any port) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances that are Open to the Entire Internet (on any port) via a Transit Gateway and a NAT Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on port 53 (DNS) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 135 (RPC) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 1433 (MsSQL) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 1521 (Oracle) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 20 or 21 (FTP) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 22 (SSH) via a Transit Gateway and an Internet Gateway
Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources helps you restrict remote access.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 23 (Telnet) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 25 (SMTP) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 27017 (MongoDB) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 3306 (MySQL) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 3389 (RDP) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 443 (HTTPS) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 445 (CIFS) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 5432 (PostgreSQL) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 80 (HTTP) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are open to the Entire internet on TCP port 9200 (Elasticsearch) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are partially open to the internet (on any port) via an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 instances that are partially open to the internet (on any port) via a Transit Gateway and an Internet Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances that are partially open to the Internet (on any port) via a Transit Gateway and a NAT Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EC2 Instances with detailed monitoring disabled
Enabling detailed monitoring of your Amazon Elastic Compute Cloud (Amazon EC2) instances allows the AWS console to display monitoring graphs with a fine-grain 1-minute period.
• NIST 800-53
• FedRAMP
EC2 Instances with EBS Optimization Disabled
An optimized instance in Amazon Elastic Block Store (Amazon EBS) provides additional, dedicated capacity for Amazon EBS I/O operations. This optimization provides the most efficient performance for your EBS volumes by minimizing contention between Amazon EBS I/O operations and other traffic from your instance.
• NIST 800-171
EC2 Instance not configured to use only Instance Metadata Service Version 2
Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled to help protect access and control of Amazon Elastic Compute Cloud (Amazon EC2) instance metadata. The IMDSv2 method uses session-based controls. With IMDSv2, controls can be implemented to restrict changes to instance metadata.
• NIST 800-53
• FedRAMP
• AWS Well-Architected (Security)
EC2 Instances With Public IP
Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
EKS Cluster
EKS Clusters allowing ports other than 443 from 0.0.0.0/0
Checks for any EKS clusters that allow inbound traffic from 0.0.0.0/0 on a port other than 443.
• PCI DSS
EKS Cluster Endpoints Publicly Accessible
Checks for any EKS cluster endpoints that are publicly accessible.
• HIPAA
• PCI DSS
• GDPR
Elastic IP Address
Unattached Elastic IP Addresses
Checks whether all Elastic IP (EIP) addresses allocated to a VPC are attached to EC2 instances or otherwise in use.
• CIS
• NIST 800-171
• PCI DSS
IAM User
Accounts with no IAM Password Policy set
Checks for any accounts with no IAM Password Policy set.
• CIS
• NIST 800-53
• PCI DSS
Active IAM Access Keys older than 30 days
The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy. Changing the access keys on a regular schedule is a security best practice. It shortens the period an access key is active and reduces the business impact if the keys are compromised.
• CIS
• NIST 800-53
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Active IAM Access Keys older than 45 days
The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy. Changing the access keys on a regular schedule is a security best practice. It shortens the period an access key is active and reduces the business impact if the keys are compromised.
• CIS
• NIST 800-53
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Active IAM Access Keys older than 90 days
The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy. Changing the access keys on a regular schedule is a security best practice. It shortens the period an access key is active and reduces the business impact if the keys are compromised.
• CIS
• NIST 800-53
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Expired SSL/TLS IAM certificates
Checks for any expired SSL/TLS IAM certificates.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• PCI DSS
• AWS Well-Architected (Security)
IAM access keys not used in the last 90 days
AWS Identity and Access Management (IAM) can help you with access permissions and authorizations by checking for IAM passwords and access keys that are not used for a specified time period. If these unused credentials are identified, you should disable and/or remove the credentials, as this may violate the principle of least privilege.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
IAM Root Access Keys Exist
Access to systems and assets can be controlled by checking that the root user does not have access keys attached to their AWS Identity and Access Management (IAM) role. Ensure that the root access keys are deleted. Instead, create and use role-based AWS accounts to help to incorporate the principle of least functionality.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
IAM root users that are not MFA protected
Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for the root user, you can reduce the incidence of compromised AWS accounts.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)
IAM root user login in the past 30 days
With the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.
• CIS
• NIST 800-53
IAM users with a password age over 90 days
Checks for any IAM users with a password age over 90 days.
• CIS
• NIST 800-53
• PCI DSS
IAM user password last used more than 90 days ago
Consider removing this user if they do not need the access as this may violate the principle of least privilege.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
IAM user password reuse enabled
Ensure IAM password policy prevents password reuse.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
IAM User with Console Password and MFA disabled
Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for IAM users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
IAM user with direct inline policy
This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets. Assigning privileges at the group or the role level helps to reduce opportunity for an identity to receive or retain excessive privileges.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
IAM User with Password and Access Keys configured
Try to minimise privileges to reduce the impact if any one of these credentials is compromised.
• NIST 800-53
Weak IAM password policy
Checks whether a weak account password policy is in use for IAM users.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Internet Gateway
Detached Internet Gateways
Manage access to resources in the AWS Cloud by ensuring that internet gateways are only attached to authorized Amazon Virtual Private Clouds (Amazon VPCs). Internet gateways allow bi-directional internet access to and from the Amazon VPC, which can potentially lead to unauthorized access to Amazon VPC resources.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Lambda Function
Lambda Functions not In a VPC
Deploy AWS Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for secure communication between a function and other services within the Amazon VPC. With this configuration, there is no requirement for an internet gateway, NAT device, or VPN connection. All the traffic remains securely within the AWS Cloud.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Lambda Functions with no Dead Letter Queue
You should use a dead-letter queue to notify the appropriate personnel through Amazon Simple Queue Service (Amazon SQS) or Amazon Simple Notification Service (Amazon SNS) when a function has failed.
• NIST 800-171
• HIPAA
Lambda Functions with old Runtime Environment
Lambda Functions using outdated runtime environments.
• NIST 800-53
• PCI DSS
Network ACL
Network ACLs that include remote admin ports
Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to admin ports on your resources helps you restrict remote access.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Network Interface
Unattached Elastic Network Interfaces
Checks for any unattached Elastic Network Interfaces.
• NIST 800-53
Network Load Balancer
Internet Facing Network Load Balancers
It is recommended that you review all Internet-facing Load Balancers to ensure validity.
• NIST 800-53
• PCI DSS
Network Load Balancers not listening on TLS
Checks for any Network Load Balancers not listening on TLS.
• PCI DSS
Network Load Balancers with Logs Disabled
Checks for any Network Load Balancers with Logs Disabled.
Policy
IAM full admin policies that are attached
AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing "Effect": "Allow" with "Action": "*" over "Resource": "*". Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
IAM support policy is attached to a support role
AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.
• CIS
RDS DB Instance
AWS RDS instances with Auto Minor Version Upgrade not enabled
Checks for any AWS RDS instances with Auto Minor Version Upgrade not enabled.
• NIST 800-53
Publicly Accessible RDS Instances
Manage access to resources in the AWS Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) instances are not public. Amazon RDS database instances can contain sensitive information, so access control based on the principle of least privilege is required for such instances.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
RDS instances that are not Multi-AZ
Multi-AZ support in Amazon Relational Database Service (Amazon RDS) provides enhanced availability and durability for database instances. When you provision a Multi-AZ database instance, Amazon RDS automatically creates a primary database instance, and synchronously replicates the data to a standby instance in a different Availability Zone. Each Availability Zone runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby so that you can resume database operations as soon as the failover is complete.
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Reliability)
RDS Instances without backups enabled
To help with data backup processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Reliability)
RDS Instances with a backup retention period less than 7 days
Checks for any RDS Instances with a backup retention period less than 7 days.
• NIST 800-53
RDS Instances with default master username
Checks for any RDS Instances with default master username.
• PCI DSS
RDS Instances With Enhanced Monitoring Disabled
Enhanced Monitoring provides detailed visibility into the health of your Amazon RDS database instances. When the Amazon RDS storage is using more than one underlying physical device, Enhanced Monitoring collects the data for each device. Also, when the Amazon RDS database instance is running in a Multi-AZ deployment, Enhanced Monitoring collects the data for each device on the secondary host, as well as the secondary host metrics.
• NIST 800-53
• FedRAMP
RDS Instances with Logging Not Enabled
To help with logging and monitoring within your environment, ensure that Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.
• NIST 800-53
• NIST 800-171
• FedRAMP
• AWS Well-Architected (Security)
RDS Instances with no Encryption Enabled
To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances. Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)
RDS Snapshot
RDS Snapshot with Encryption Disabled
Ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) snapshots. Because sensitive data can exist at rest, enable encryption at rest to help protect that data.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Security)
Redshift Cluster
Redshift Clusters running on the default port
The default port is vulnerable to brute-force and dictionary attacks. A non-default port is recommended.
• NIST 800-53
• PCI DSS
Redshift Clusters set to Publicly Accessible
Manage access to resources in the AWS Cloud by ensuring that Amazon Redshift clusters are not public. Amazon Redshift clusters can contain sensitive information, so access control based on the principle of least privilege is required for such clusters.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)
Redshift Clusters that are not encrypted
To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)
Redshift Clusters that are not in VPC
VPC deployments bring many advantages including more comprehensive security, more features, better performance and better isolation.
• NIST 800-53
• HIPAA
• PCI DSS
Redshift Clusters that don't allow version upgrades
Checks whether your Amazon Redshift clusters don't allow version upgrades.
• CIS
• NIST 800-53
• PCI DSS
• AWS Well-Architected (Reliability)
Redshift Clusters that don't have maintenance window
Checks whether your Amazon Redshift clusters don't have preferred maintenance windows.
• CIS
• NIST 800-53
• PCI DSS
• AWS Well-Architected (Reliability)
Redshift Clusters using the master username
The master username should be changed to help stop attacks.
• PCI DSS
Redshift Clusters with insufficient retention period
Checks whether your Amazon Redshift clusters don't have sufficient automated snapshot retention periods.
• CIS
• NIST 800-53
• AWS Well-Architected (Reliability)
Region
IAM Access analyzer status is disabled
AWS Security Hub helps to monitor unauthorized personnel, connections, devices, and software. AWS Security Hub aggregates, organizes, and prioritizes the security alerts, or findings, from multiple AWS services. Some such services are Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, AWS Firewall Manager, and AWS Partner solutions.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Regions with volume encryption disabled
To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. Because sensitive data can exist at rest in these volumes, enable encryption at rest to help protect that data.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Security)
S3 Bucket
Public S3 Buckets
Manage access to resources in the AWS Cloud by ensuring that Amazon S3 buckets cannot be publicly accessed. This rule helps keep sensitive data safe from unauthorized remote users by preventing public access.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
S3 Buckets Not Encrypted
To protect data at rest, ensure that encryption is enabled for your Amazon S3 Buckets.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)
S3 Buckets Not Encrypted With KMS Key
To protect data at rest, ensure that encryption is enabled for your Amazon S3 Buckets.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)
S3 Buckets without Lifecycle Configuration
Checks for any S3 Buckets without Lifecycle Configuration.
• NIST 800-53
S3 Buckets with MFA Delete Disabled
Checks for any S3 Buckets with MFA Delete Disabled.
• NIST 800-53
• HIPAA
• PCI DSS
• GDPR
S3 Bucket Logging Disabled
Amazon S3 server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request, including the requester, bucket name, request time, request action, response status, and an error code.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)
S3 Bucket Replication Disabled
Amazon S3 Cross-Region Replication (CRR) supports maintaining adequate capacity and availability. CRR enables automatic, asynchronous copying of objects across Amazon S3 buckets to help ensure that data availability is maintained.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Reliability)
S3 Bucket Versioning Off
Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning helps you to easily recover from unintended user actions and application failures.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Security Group
AWS Security Groups not attached to a VPC
Checks for any AWS Security Groups not attached to a VPC.
• CIS
• NIST 800-53
• PCI DSS
AWS Security Groups with admin ports wide open
Checks for any AWS Security Groups with admin ports wide open.
AWS Security Group allows all protocols and all ports from 0.0.0.0/0
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
AWS Security Group allows TCP port 22 (SSH) from 0.0.0.0/0
Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources helps you restrict remote access.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
AWS Security Group allows TCP port 3389 (RDP) from 0.0.0.0/0
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
Default Security Group allows 0.0.0.0/0 inbound
Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• PCI DSS
• AWS Well-Architected (Security)
Default Security Group in use
Checks for any default Security Group in use.
• NIST 800-53
Security Groups with a Range of ports enabled
Checks for any Security Groups with a Range of ports enabled.
• NIST 800-53
• HIPAA
• PCI DSS
Security Group has unrestricted outbound for all ports and all protocols for 0.0.0.0/0
Checks for any Security Group that has unrestricted outbound access on all ports and all protocols to 0.0.0.0/0.
• NIST 800-53
• HIPAA
• PCI DSS
Unused AWS Security Groups
This rule ensures that security groups are attached to an Amazon Elastic Compute Cloud (Amazon EC2) instance or to an ENI. This rule helps with monitoring unused security groups in the inventory and the management of your environment.
• CIS
• NIST 800-171
• PCI DSS
• AWS Well-Architected (Security)
VPC default security group allows outbound
Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• PCI DSS
• AWS Well-Architected (Security)
Whole RFC1918 subnet allowed
A rule is allowing either 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 in its entirety. This is usually too permissive.
• NIST 800-53
Virtual Private Gateway
Unused Virtual Private Gateways
Checks for any unused Virtual Private Gateways.
• NIST 800-53
Workspace
Workspaces without Root Volume encryption
To protect data at rest, ensure that encryption is enabled for your Workspace volumes.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)
Workspaces without User Volume encryption
To protect data at rest, ensure that encryption is enabled for your Workspace volumes.
• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)
Azure Rules
Application Gateway
Application Gateways listening on insecure Protocol
Avoid using HTTP and use HTTPS instead.
Cosmos DB Account
CosmosDB account accessible to all Azure subscriptions
The server's firewall is configured to accept connections from all Azure resources, including resources not in your subscription.
CosmosDB is accessible from the entire Internet
MySQL Server
MySQL Servers accessible to all Azure subscriptions
The server's firewall is configured to accept connections from all Azure resources, including resources not in your subscription.
MySQL Servers accessible to the entire Internet
MySQL Servers with SSL connections not enforced
PostgreSQL Server
PostgreSQL Servers Accessible To All Azure Subscriptions
The server's firewall is configured to accept connections from all Azure resources, including resources not in your subscription.
PostgreSQL Servers Accessible To the Entire Internet
PostgreSQL Servers With SSL Connections Not Enforced
SQL Data Warehouse
SQL Data Warehouses with Transparent Data Encryption turned off
SQL Database
SQL Databases With Transparent Data Encryption Turned Off
SQL Server
SQL Servers Accessible To All Azure Subscriptions
The server's firewall is configured to accept connections from all Azure resources, including resources not in your subscription.
SQL Servers Accessible To The Entire Internet
Virtual Machine
Virtual Machines Open To The Entire Internet On Port 135 (RPC)
Virtual Machines Open To The Entire Internet On Port 1433 (MsSQL)
Virtual Machines Open To The Entire Internet On Port 1521 (Oracle)
Virtual Machines Open To The Entire Internet On Port 20 or 21 (FTP)
Virtual Machines Open To The Entire Internet On Port 22 (SSH)
Virtual Machines Open To The Entire Internet On Port 23 (Telnet)
Virtual Machines Open To The Entire Internet On Port 25 (SMTP)
Virtual Machines Open To The Entire Internet On Port 27017 (MongoDB)
Virtual Machines Open To The Entire Internet On Port 3306 (MySQL)
Virtual Machines Open To The Entire Internet On Port 3389 (RDP)
Virtual Machines Open To The Entire Internet On Port 443 (HTTPS)
Virtual Machines Open To The Entire Internet On Port 445 (CIFS)
Virtual Machines Open To The Entire Internet On Port 53 (DNS)
Virtual Machines Open To The Entire Internet On Port 5432 (PostgreSQL)
Virtual Machines Open To The Entire Internet On Port 80 (HTTP)
Virtual Machines Open To The Entire Internet On Port 9200 (Elasticsearch)
Virtual Machines that are open to the entire Internet