Security & Compliance Monitoring Rules

Hundreds of Rules, Based on Best Practices & Frameworks

Continually monitor your cloud for complete cloud security and compliance. The rules are designed to help you comply with key frameworks, including CIS, NIST, NIST 800-53, NIST 800-171, AWS Well-Architected, HIPAA, PCI DSS, & FedRAMP:

  • Hyperglance is shipped with hundreds of customizable rules, tailored to AWS & Azure
  • New rules are added regularly in Hyperglance updates
  • Automatically fix problems as they arise
  • Trigger SNS, EventGrid, Slack, Teams, Jira & SMTP notifications

AWS Rules

API Gateway

API Gateways that are not associated with an AWS Web Application Firewall (WAF)

Checks for any API Gateways that are not associated with an AWS Web Application Firewall (WAF).

• NIST 800-53

API Gateways without a Client Certificate

Checks for any API Gateways without a Client Certificate.

• NIST 800-53

API Gateways with content encoding not enabled

Checks for any API Gateways with content encoding not enabled.

• NIST 800-53

API Gateways with invalid Endpoint types

Customize this rule to control Amazon API Gateway types allowed in your environment and to ensure network integrity.

• NIST 800-171

API Gateways with X-Ray Tracing disabled

Checks for any API Gateways with X-Ray Tracing disabled.

• NIST 800-53

Public API Gateways

These API Gateways are accessible via the Internet. It's advised to use VPC endpoints to secure them.

• NIST 800-53

API Gateway Stage

API Gateway Stages with cache disabled or not encrypted

To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

API Gateway Stages with logging disabled

API Gateway logging provides detailed views of who accessed the API and how they accessed it. This insight gives visibility into user activity.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Application Load Balancer

Application Load Balancers listening on insecure Protocol

To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Application Load Balancers with Access Logs Disabled

Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to the ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Application Load Balancers with Deletion Protection Disabled

This rule ensures that Elastic Load Balancing has deletion protection enabled. Use this feature to prevent your load balancer from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.

• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Security)

Internet Facing Application Load Balancers

It is recommended that you review all Internet-facing Load Balancers to ensure they are valid.

• NIST 800-53
• PCI DSS

Application Load Balancer + Classic Load Balancer + Network Load Balancer

Internet facing Load Balancers

It is recommended that you review all Internet-facing Load Balancers to ensure they are valid.

• NIST 800-53
• PCI DSS

Load Balancers with Cross-Zone Load Balancing Disabled

Cross-zone load balancing helps maintain adequate capacity and availability. It reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances.

• NIST 800-53
• NIST 800-171
• FedRAMP
• AWS Well-Architected (Reliability)

Aurora DB Cluster

Amazon Aurora Clusters with Logging Not Enabled

Checks for any Amazon Aurora Clusters with Logging Not Enabled.

Amazon Aurora DB Clusters with cluster deletion protection turned off

Use deletion protection to prevent your Amazon RDS instances from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.

• NIST 800-53
• NIST 800-171
• FedRAMP
• AWS Well-Architected (Security)

Classic Load Balancer

Classic Load Balancers Listening on Insecure Protocol

Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.

• NIST 800-53
• NIST 800-171
• FedRAMP
• AWS Well-Architected (Security)

Classic Load Balancers without SSL Certificate

To help protect data in transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Internet Facing Classic Load Balancers

It is recommended that you review all Internet-facing Load Balancers to ensure they are valid.

• NIST 800-53
• PCI DSS

DynamoDB Accelerator

DynamoDB Accelerator encryption disabled

Checks for any DynamoDB Accelerator clusters with encryption disabled.

• NIST 800-53
• HIPAA
• PCI DSS
• GDPR

DynamoDB Table

DynamoDB Point in time recovery not enabled

Maintain backups by ensuring that point-in-time recovery is enabled for your Amazon DynamoDB tables.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Reliability)

DynamoDB Tables Not Encrypted Using A Customer-Owned KMS Key

Enable encryption at rest because sensitive data can exist at rest in these tables. By default, DynamoDB tables are encrypted with an AWS owned customer master key (CMK).

• NIST 800-53
• NIST 800-171
• FedRAMP
• GDPR
• AWS Well-Architected (Security)

DynamoDB Tables with invalid Encryption Status

Ensure that encryption is enabled for your Amazon DynamoDB tables because sensitive data can exist at rest in these tables.

• PCI DSS

EBS Snapshot

EBS snapshots that are not encrypted

Ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) snapshots because sensitive data can exist in these snapshots.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)

EBS Volume

EBS Volumes Not Marked For Delete On Terminate

If an Amazon EBS volume isn't deleted when the instance that it's attached to is terminated, it may violate the concept of least functionality.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP

EBS Volumes that are not encrypted

Ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes because sensitive data can exist in these volumes.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)

EBS Volumes with disabled backup plan

To help with data back-up processes, ensure your Amazon Elastic Block Store (Amazon EBS) volumes are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.

• NIST 800-53
• NIST 800-171
• FedRAMP
• GDPR
• AWS Well-Architected (Reliability)

Unattached EBS Volumes

If an Amazon EBS volume isn't deleted when the instance that it's attached to is terminated, it may violate the concept of least functionality.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP

EC2 Instance

EC2 Instances not in a VPC

Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the Amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet for ICMP via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On Port 53 (DNS) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Ports 20 or 21 (FTP) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 135 (RPC) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 1433 (MsSQL) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 1521 (Oracle) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 22 (SSH) via an Internet Gateway

Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources helps you restrict remote access.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 23 (Telnet) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 25 (SMTP) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 27017 (MongoDB) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 3306 (MySQL) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 3389 (RDP) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 443 (HTTPS) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 445 (CIFS) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 5432 (PostgreSQL) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 80 (HTTP) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances Open To The Entire Internet On TCP Port 9200 (Elasticsearch) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances stopped for more than 30 days

Enable this rule to help with the baseline configuration of Amazon Elastic Compute Cloud (Amazon EC2) instances by checking whether Amazon EC2 instances have been stopped for more than the allowed number of days, according to your organization's standards.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA

EC2 instances that are open to the entire Internet (on any port) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet (on any port) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances that are Open to the Entire Internet (on any port) via a Transit Gateway and a NAT Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on port 53 (DNS) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 135 (RPC) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 1433 (MsSQL) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 1521 (Oracle) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 20 or 21 (FTP) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 22 (SSH) via a Transit Gateway and an Internet Gateway

Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources helps you restrict remote access.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 23 (Telnet) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 25 (SMTP) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 27017 (MongoDB) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 3306 (MySQL) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 3389 (RDP) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 443 (HTTPS) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 445 (CIFS) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 5432 (PostgreSQL) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 80 (HTTP) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are open to the entire Internet on TCP port 9200 (Elasticsearch) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are partially open to the Internet (on any port) via an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 instances that are partially open to the Internet (on any port) via a Transit Gateway and an Internet Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances that are partially open to the Internet (on any port) via a Transit Gateway and a NAT Gateway

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EC2 Instances with detailed monitoring disabled

Enabling detailed monitoring of your Amazon Elastic Compute Cloud (Amazon EC2) instances allows the AWS console to display monitoring graphs with a fine-grained 1-minute period.

• NIST 800-53
• FedRAMP

EC2 Instances with EBS Optimization Disabled

An optimized instance in Amazon Elastic Block Store (Amazon EBS) provides additional, dedicated capacity for Amazon EBS I/O operations. This optimization provides the most efficient performance for your EBS volumes by minimizing contention between Amazon EBS I/O operations and other traffic from your instance.

• NIST 800-171

EC2 Instance not configured to use only Instance Metadata Service Version 2

Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled to help protect access and control of Amazon Elastic Compute Cloud (Amazon EC2) instance metadata. The IMDSv2 method uses session-based controls. With IMDSv2, controls can be implemented to restrict changes to instance metadata.

• NIST 800-53
• FedRAMP
• AWS Well-Architected (Security)

EC2 Instances With Public IP

Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

EKS Cluster

EKS allows something other than port 443 0.0.0.0/0

Checks for any EKS clusters that allow ingress from 0.0.0.0/0 on a port other than 443.

• PCI DSS

EKS Cluster Endpoints Publicly Accessible

Checks for any EKS cluster endpoints that are publicly accessible.

• HIPAA
• PCI DSS
• GDPR

Elastic IP Address

Unattached Elastic IP Addresses

Checks whether all EIP addresses allocated to a VPC are attached to EC2 instances or are in-use.

• CIS
• NIST 800-171
• PCI DSS

IAM User

Accounts with no IAM Password Policy set

Checks for any accounts with no IAM Password Policy set.

• CIS
• NIST 800-53
• PCI DSS

Active IAM Access Keys older than 30 days

The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy. Changing the access keys on a regular schedule is a security best practice. It shortens the period an access key is active and reduces the business impact if the keys are compromised.

• CIS
• NIST 800-53
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Active IAM Access Keys older than 45 days

The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy. Changing the access keys on a regular schedule is a security best practice. It shortens the period an access key is active and reduces the business impact if the keys are compromised.

• CIS
• NIST 800-53
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Active IAM Access Keys older than 90 days

The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy. Changing the access keys on a regular schedule is a security best practice. It shortens the period an access key is active and reduces the business impact if the keys are compromised.

• CIS
• NIST 800-53
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Expired SSL/TLS IAM certificates

Checks for any expired SSL/TLS IAM certificates.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• PCI DSS
• AWS Well-Architected (Security)

IAM access keys not used in the last 90 days

AWS Identity and Access Management (IAM) can help you with access permissions and authorizations by checking for IAM passwords and access keys that are not used for a specified time period. If these unused credentials are identified, you should disable and/or remove the credentials, as this may violate the principle of least privilege.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

IAM Root Access Keys Exist

Access to systems and assets can be controlled by checking that the root user does not have access keys attached to their AWS Identity and Access Management (IAM) role. Ensure that the root access keys are deleted. Instead, create and use role-based AWS accounts to help to incorporate the principle of least functionality.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

IAM root users that are not MFA protected

Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged user in an AWS account. The MFA adds an extra layer of protection for a user name and password. By requiring MFA for the root user, you can reduce the incidents of compromised AWS accounts.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)

IAM root user login in the past 30 days

With the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.

• CIS
• NIST 800-53

IAM users with a password age over 90 days

Checks for any IAM users with a password age over 90 days.

• CIS
• NIST 800-53
• PCI DSS

IAM user password last used more than 90 days ago

Consider removing this user if they do not need the access as this may violate the principle of least privilege.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

IAM user password reuse enabled

Ensure IAM password policy prevents password reuse.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

IAM User with Console Password and MFA disabled

Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for IAM users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

IAM user with direct inline policy

This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets. Assigning privileges at the group or the role level helps to reduce opportunity for an identity to receive or retain excessive privileges.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

IAM User with Password and Access Keys configured

Try to minimise privileges to reduce the impact if any one of these credentials is compromised.

• NIST 800-53

Weak IAM password policy

Checks whether a weak account password policy is in use for IAM users.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Internet Gateway

Detached Internet Gateways

Manage access to resources in the AWS Cloud by ensuring that internet gateways are only attached to authorized Amazon Virtual Private Cloud (Amazon VPC). Internet gateways allow bi-directional internet access to and from the Amazon VPC that can potentially lead to unauthorized access to Amazon VPC resources.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Lambda Function

Lambda Functions not In a VPC

Deploy AWS Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for a secure communication between a function and other services within the Amazon VPC. With this configuration, there is no requirement for an internet gateway, NAT device, or VPN connection. All the traffic remains securely within the AWS Cloud.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Lambda Functions with no Dead Letter Queue

You should use a dead-letter queue to notify the appropriate personnel through Amazon Simple Queue Service (Amazon SQS) or Amazon Simple Notification Service (Amazon SNS) when a function has failed.

• NIST 800-171
• HIPAA

Lambda Functions with old Runtime Environment

Lambda Functions using outdated runtime environments.

• NIST 800-53
• PCI DSS

Network ACL

Network ACLs that include remote admin ports

Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to admin ports on your resources helps you restrict remote access.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Network Interface

Unattached Elastic Network Interfaces

Checks for any unattached Elastic Network Interfaces.

• NIST 800-53

Network Load Balancer

Internet Facing Network Load Balancers

It is recommended that you review all Internet facing Load Balancers to ensure validity.

• NIST 800-53
• PCI DSS

Network Load Balancers not listening on TLS

Checks for any Network Load Balancers not listening on TLS.

• PCI DSS

Network Load Balancers with Logs Disabled

Checks for any Network Load Balancers with Logs Disabled.

Policy

IAM full admin policies that are attached

AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing "Effect": "Allow" with "Action": "*" over "Resource": "*". Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

IAM support policy is attached to a support role

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.

• CIS

RDS DB Instance

AWS RDS instances with Auto Minor Version Upgrade not enabled

Checks for any AWS RDS instances with Auto Minor Version Upgrade not enabled.

• NIST 800-53

Publicly Accessible RDS Instances

Manage access to resources in the AWS Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) instances are not public. Amazon RDS database instances can contain sensitive information, and access control principles are required for such accounts.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

RDS instances that are not Multi-AZ

Multi-AZ support in Amazon Relational Database Service (Amazon RDS) provides enhanced availability and durability for database instances. When you provision a Multi-AZ database instance, Amazon RDS automatically creates a primary database instance, and synchronously replicates the data to a standby instance in a different Availability Zone. Each Availability Zone runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby so that you can resume database operations as soon as the failover is complete.

• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Reliability)

RDS Instances without backups enabled

To help with data backup processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Reliability)

RDS Instances with a backup retention period less than 7 days

Checks for any RDS Instances with a backup retention period less than 7 days.

• NIST 800-53

RDS Instances with default master username

Checks for any RDS Instances with default master username.

• PCI DSS

RDS Instances With Enhanced Monitoring Disabled

Enhanced monitoring provides detailed visibility into the health of your Amazon RDS database instances. When the Amazon RDS storage is using more than one underlying physical device, Enhanced Monitoring collects the data for each device. Also, when the Amazon RDS database instance is running in a Multi-AZ deployment, the data for each device on the secondary host is collected, along with the secondary host metrics.

• NIST 800-53
• FedRAMP

RDS Instances with Logging Not Enabled

To help with logging and monitoring within your environment, ensure that Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.

• NIST 800-53
• NIST 800-171
• FedRAMP
• AWS Well-Architected (Security)

RDS Instances with no Encryption Enabled

To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances. Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)

RDS Snapshot

RDS Snapshot with Encryption Disabled

Ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) snapshots. Because sensitive data can exist at rest, enable encryption at rest to help protect that data.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Security)

Redshift Cluster

Redshift Clusters running on the default port

The default port is vulnerable to brute-force and dictionary attacks. A non-default port is recommended.

• NIST 800-53
• PCI DSS

Redshift Clusters set to Publicly Accessible

Manage access to resources in the AWS Cloud by ensuring that Amazon Redshift clusters are not public. Amazon Redshift clusters can contain sensitive information, and access control principles are required for such accounts.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)

Redshift Clusters that are not encrypted

To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)

Redshift Clusters that are not in VPC

VPC deployments bring many advantages including more comprehensive security, more features, better performance and better isolation.

• NIST 800-53
• HIPAA
• PCI DSS

Redshift Clusters that don't allow version upgrades

Checks whether your Amazon Redshift clusters don't allow version upgrades.

• CIS
• NIST 800-53
• PCI DSS
• AWS Well-Architected (Reliability)

Redshift Clusters that don't have maintenance window

Checks whether your Amazon Redshift clusters don't have preferred maintenance windows.

• CIS
• NIST 800-53
• PCI DSS
• AWS Well-Architected (Reliability)

Redshift Clusters using the master username

The master username should be changed to help stop attacks.

• PCI DSS

Redshift Clusters with insufficient retention period

Checks whether your Amazon Redshift clusters don't have sufficient automated snapshot retention periods.

• CIS
• NIST 800-53
• AWS Well-Architected (Reliability)

Region

IAM Access analyzer status is disabled

AWS Security Hub helps to monitor unauthorized personnel, connections, devices, and software. AWS Security Hub aggregates, organizes, and prioritizes the security alerts, or findings, from multiple AWS services. Some such services are Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, AWS Firewall Manager, and AWS Partner solutions.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Regions with volume encryption disabled

To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes. Because sensitive data can exist at rest in these volumes, enable encryption at rest to help protect that data.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Security)

S3 Bucket

Public S3 Buckets

Manage access to resources in the AWS Cloud by ensuring that Amazon S3 buckets cannot be publicly accessed. This rule helps keep sensitive data safe from unauthorized remote users by preventing public access.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

S3 Buckets Not Encrypted

To protect data at rest, ensure that encryption is enabled for your Amazon S3 Buckets.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)

S3 Buckets Not Encrypted With KMS Key

To protect data at rest, ensure that encryption is enabled for your Amazon S3 Buckets.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)

S3 Buckets without Lifecycle Configuration

Checks for any S3 Buckets without Lifecycle Configuration.

• NIST 800-53

S3 Buckets with MFA Delete Disabled

Checks for any S3 Buckets with MFA Delete Disabled.

• NIST 800-53
• HIPAA
• PCI DSS
• GDPR

S3 Bucket Logging Disabled

Amazon S3 server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request, including the requester, bucket name, request time, request action, response status, and an error code.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)

S3 Bucket Replication Disabled

Amazon S3 Cross-Region Replication (CRR) supports maintaining adequate capacity and availability. CRR enables automatic, asynchronous copying of objects across Amazon S3 buckets to help ensure that data availability is maintained.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• AWS Well-Architected (Reliability)

S3 Bucket Versioning Off

Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning helps you to easily recover from unintended user actions and application failures.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Security Group

AWS Security Groups not attached to a VPC

Checks for any AWS Security Groups not attached to a VPC.

• CIS
• NIST 800-53
• PCI DSS

AWS Security Groups with admin ports wide open

Checks for any AWS Security Groups with admin ports wide open.

AWS Security Group allows all protocols and all ports from 0.0.0.0/0

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

AWS Security Group allows TCP port 22 (SSH) from 0.0.0.0/0

Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Not allowing ingress (or remote) traffic from 0.0.0.0/0 to port 22 on your resources helps you restrict remote access.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

AWS Security Group allows TCP port 3389 (RDP) from 0.0.0.0/0

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)

Default Security Group allows 0.0.0.0/0 inbound

Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• PCI DSS
• AWS Well-Architected (Security)

Default Security Group in use

Checks for any default Security Group in use.

• NIST 800-53

Security Groups with a Range of ports enabled

Checks for any Security Groups with a Range of ports enabled.

• NIST 800-53
• HIPAA
• PCI DSS

Security Group has unrestricted outbound for all ports and all protocols for 0.0.0.0/0

Checks for any Security Group that has unrestricted outbound access for all ports and all protocols to 0.0.0.0/0.

• NIST 800-53
• HIPAA
• PCI DSS

Unused AWS Security Groups

This rule ensures the security groups are attached to an Amazon Elastic Compute Cloud (Amazon EC2) instance or to an ENI. This rule helps monitor unused security groups in the inventory and the management of your environment.

• CIS
• NIST 800-171
• PCI DSS
• AWS Well-Architected (Security)

VPC default security group allows outbound

Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• PCI DSS
• AWS Well-Architected (Security)

Whole RFC1918 subnet allowed

A rule is allowing either 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 in its entirety. This is usually too permissive.

• NIST 800-53

Virtual Private Gateway

Unused Virtual Private Gateways

Checks for any unused Virtual Private Gateways.

• NIST 800-53

Workspace

Workspaces without Root Volume encryption

To protect data at rest, ensure that encryption is enabled for your Workspace volumes.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)

Workspaces without User Volume encryption

To protect data at rest, ensure that encryption is enabled for your Workspace volumes.

• CIS
• NIST 800-53
• NIST 800-171
• FedRAMP
• HIPAA
• PCI DSS
• GDPR
• AWS Well-Architected (Security)

Azure Rules

Application Gateway

Application Gateways listening on insecure Protocol

Avoid using HTTP and use HTTPS instead.

Cosmos DB Account

CosmosDB account accessible to all Azure subscriptions

The server's firewall is configured to accept connections from all Azure resources, including resources not in your subscription.

CosmosDB is accessible from the entire Internet

MySQL Server

MySQL Servers accessible to all Azure subscriptions

The server's firewall is configured to accept connections from all Azure resources, including resources not in your subscription.

MySQL Servers accessible to the entire Internet

MySQL Servers with SSL connections not enforced

PostgreSQL Server

PostgreSQL Servers Accessible To All Azure Subscriptions

The server's firewall is configured to accept connections from all Azure resources, including resources not in your subscription.

PostgreSQL Servers Accessible To the Entire Internet

PostgreSQL Servers With SSL Connections Not Enforced

SQL Data Warehouse

SQL Data Warehouses with Transparent Data Encryption turned off

SQL Database

SQL Databases With Transparent Data Encryption Turned Off

SQL Server

SQL Servers Accessible To All Azure Subscriptions

The server's firewall is configured to accept connections from all Azure resources, including resources not in your subscription.

SQL Servers Accessible To The Entire Internet

Virtual Machine

Virtual Machines Open To The Entire Internet On Port 135 (RPC)

Virtual Machines Open To The Entire Internet On Port 1433 (MsSQL)

Virtual Machines Open To The Entire Internet On Port 1521 (Oracle)

Virtual Machines Open To The Entire Internet On Port 20 or 21 (FTP)

Virtual Machines Open To The Entire Internet On Port 22 (SSH)

Virtual Machines Open To The Entire Internet On Port 23 (Telnet)

Virtual Machines Open To The Entire Internet On Port 25 (SMTP)

Virtual Machines Open To The Entire Internet On Port 27017 (MongoDB)

Virtual Machines Open To The Entire Internet On Port 3306 (MySQL)

Virtual Machines Open To The Entire Internet On Port 3389 (RDP)

Virtual Machines Open To The Entire Internet On Port 443 (HTTPS)

Virtual Machines Open To The Entire Internet On Port 445 (CIFS)

Virtual Machines Open To The Entire Internet On Port 53 (DNS)

Virtual Machines Open To The Entire Internet On Port 5432 (PostgreSQL)

Virtual Machines Open To The Entire Internet On Port 80 (HTTP)

Virtual Machines Open To The Entire Internet On Port 9200 (Elasticsearch)

Virtual Machines that are open to the entire Internet
