
The included AWS checks are listed below. For more information about each check, see the link provided.

| Code | Summary |
|---|---|
| AWS001 | S3 bucket has an ACL defined which allows public access. |
| AWS002 | S3 bucket does not have logging enabled. |
| AWS003 | AWS Classic resource usage. |
| AWS004 | Use of plain HTTP. |
| AWS005 | Load balancer is exposed to the internet. |
| AWS006 | An ingress security group rule allows traffic from /0. |
| AWS007 | An egress security group rule allows traffic to /0. |
| AWS008 | An inline ingress security group rule allows traffic from /0. |
| AWS009 | An inline egress security group rule allows traffic to /0. |
| AWS010 | An outdated SSL policy is in use by a load balancer. |
| AWS011 | A resource is marked as publicly accessible. |
| AWS012 | A resource has a public IP address. |
| AWS013 | Task definition defines sensitive environment variable(s). |
| AWS014 | Launch configuration with unencrypted block device. |
| AWS015 | Unencrypted SQS queue. |
| AWS016 | Unencrypted SNS topic. |
| AWS017 | Unencrypted S3 bucket. |
| AWS018 | Missing description for security group/security group rule. |
| AWS019 | A KMS key is not configured to auto-rotate. |
| AWS020 | CloudFront distribution allows unencrypted (HTTP) communications. |
| AWS021 | CloudFront distribution uses outdated SSL/TLS protocols. |
| AWS022 | An MSK cluster allows unencrypted data in transit. |
| AWS023 | ECR repository has image scans disabled. |
| AWS024 | Kinesis stream is unencrypted. |
| AWS025 | API Gateway domain name uses outdated SSL/TLS protocols. |
| AWS031 | Elasticsearch domain isn't encrypted at rest. |
| AWS032 | Elasticsearch domain uses plaintext traffic for node-to-node communication. |
| AWS033 | Elasticsearch domain doesn't enforce HTTPS traffic. |
| AWS034 | Elasticsearch domain endpoint is using an outdated TLS policy. |
| AWS035 | Unencrypted ElastiCache replication group. |
| AWS036 | ElastiCache replication group uses unencrypted traffic. |
| AWS037 | IAM password policy should prevent password reuse. |
| AWS038 | IAM password policy should have an expiry of 90 days or less. |
| AWS039 | IAM password policy should have a minimum password length of 14 or more characters. |
| AWS040 | IAM password policy should require at least one symbol in the password. |
| AWS041 | IAM password policy should require at least one number in the password. |
| AWS042 | IAM password policy should require at least one lowercase character. |
| AWS043 | IAM password policy should require at least one uppercase character. |
| AWS044 | AWS provider has access credentials specified. |
| AWS045 | CloudFront distribution does not have a WAF in front. |
| AWS046 | AWS IAM policy document has a wildcard action statement. |
| AWS047 | AWS SQS policy document has a wildcard action statement. |
| AWS048 | EFS encryption has not been enabled. |
| AWS049 | An ingress Network ACL rule allows specific ports from /0. |
| AWS050 | An ingress Network ACL rule allows ALL ports from /0. |
| AWS051 | There is no encryption specified, or encryption is disabled, on the RDS cluster. |
| AWS052 | RDS encryption has not been enabled at the DB instance level. |
| AWS053 | Encryption for RDS Performance Insights should be enabled. |
| AWS054 | Elasticsearch domains should enforce HTTPS. |
| AWS055 | Elasticsearch nodes should communicate with node-to-node encryption enabled. |
| AWS057 | Domain logging should be enabled for Elasticsearch domains. |
| AWS058 | Lambda function permission should have a source ARN specified. |
| AWS059 | Athena databases and workgroup configurations are created unencrypted at rest by default; they should be encrypted. |
| AWS060 | Athena workgroups should enforce their configuration to prevent clients disabling encryption. |
| AWS061 | API Gateway stages for V1 and V2 should have access logging enabled. |
| AWS062 | User data for EC2 instances must not contain sensitive AWS keys. |
| AWS063 | CloudTrail should be enabled in all regions, regardless of where your AWS resources are generally homed. |
| AWS064 | CloudTrail log validation should be enabled to prevent tampering with log data. |
| AWS065 | CloudTrail should be encrypted at rest to secure access to sensitive trail data. |
| AWS066 | EKS should have encryption of secrets enabled. |
| AWS067 | EKS clusters should have control plane logging turned on. |
| AWS068 | EKS cluster should not have an open CIDR range for public access. |
| AWS069 | EKS clusters should have public access disabled. |
| AWS070 | AWS ES domain should have logging enabled. |
| AWS071 | CloudFront distribution should have access logging configured. |
| AWS072 | Viewer protocol policy in a CloudFront distribution cache behaviour should always be set to HTTPS. |
| AWS073 | S3 access block should ignore public ACLs. |
| AWS074 | S3 access block should block public ACLs. |
| AWS075 | S3 access block should restrict public buckets to limit access. |
| AWS076 | S3 access block should block public policies. |
| AWS077 | S3 data should be versioned. |
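To show how checks of this kind evaluate a configuration, here is an added example (written for this page, not tfsec's own implementation) that reimplements a few of the checks above, AWS006 to AWS009, AWS015, AWS019 and AWS062, against the JSON form of a Terraform plan as produced by `terraform show -json`. The plan fragment, the resource addresses and the simplified matching rules are all constructed for the example; the real checks inspect HCL source and handle more attribute shapes than shown here. The "/0" wording in the table is taken to mean either `0.0.0.0/0` or `::/0`.

```python
# Simplified reimplementation of a few of the checks listed above, run over
# `terraform show -json` output. Example code for this page, not tfsec's own.
import json
import re
from dataclasses import dataclass

# Long-lived AWS access key IDs start with "AKIA" (temporary ones with "ASIA")
# and are 20 characters long; used by the AWS062-style user_data check.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# "/0" in the check summaries covers both the IPv4 and IPv6 any-address prefixes.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

@dataclass(frozen=True)
class Finding:
    code: str
    address: str
    message: str

def _cidrs(block):
    """All CIDR prefixes on an inline rule or an aws_security_group_rule resource."""
    return set(block.get("cidr_blocks") or []) | set(block.get("ipv6_cidr_blocks") or [])

def check_security_group(res):
    """AWS008 / AWS009: inline ingress or egress rule on aws_security_group open to /0."""
    findings = []
    for direction, code in (("ingress", "AWS008"), ("egress", "AWS009")):
        for rule in res["values"].get(direction) or []:
            if _cidrs(rule) & OPEN_CIDRS:
                findings.append(Finding(code, res["address"],
                                        f"inline {direction} rule allows traffic to/from /0"))
    return findings

def check_security_group_rule(res):
    """AWS006 / AWS007: standalone aws_security_group_rule open to /0."""
    v = res["values"]
    if not _cidrs(v) & OPEN_CIDRS:
        return []
    code = "AWS006" if v.get("type") == "ingress" else "AWS007"
    return [Finding(code, res["address"], f"{v.get('type')} rule allows traffic to/from /0")]

def check_sqs_queue(res):
    """AWS015: no KMS key on the queue, so it is not encrypted with a customer-managed key."""
    if res["values"].get("kms_master_key_id"):
        return []
    return [Finding("AWS015", res["address"], "unencrypted SQS queue")]

def check_kms_key(res):
    """AWS019: automatic key rotation is not enabled."""
    if res["values"].get("enable_key_rotation"):
        return []
    return [Finding("AWS019", res["address"], "KMS key is not configured to auto-rotate")]

def check_instance(res):
    """AWS062: EC2 user_data carries something shaped like an AWS access key ID."""
    if not ACCESS_KEY_RE.search(res["values"].get("user_data") or ""):
        return []
    return [Finding("AWS062", res["address"], "user_data contains an AWS access key ID")]

CHECKS = {
    "aws_security_group": check_security_group,
    "aws_security_group_rule": check_security_group_rule,
    "aws_sqs_queue": check_sqs_queue,
    "aws_kms_key": check_kms_key,
    "aws_instance": check_instance,
}

def scan_plan(plan):
    """Walk planned_values, child modules included, running the check for each resource type."""
    findings = []
    pending = [plan["planned_values"]["root_module"]]
    while pending:
        module = pending.pop()
        for res in module.get("resources", []):
            check = CHECKS.get(res.get("type"))
            if check and res.get("values") is not None:
                findings.extend(check(res))
        pending.extend(module.get("child_modules", []))
    return sorted(findings, key=lambda f: (f.code, f.address))

# Constructed plan fragment in the `terraform show -json` layout; not from a real deployment.
SAMPLE_PLAN = json.loads(r'''{"format_version": "1.0", "planned_values": {"root_module": {
  "resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group", "values": {
      "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                   "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}],
      "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                  "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}},
    {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule", "values": {
      "type": "ingress", "from_port": 22, "to_port": 22, "protocol": "tcp",
      "cidr_blocks": ["203.0.113.0/24"]}},
    {"address": "aws_security_group_rule.all_out", "type": "aws_security_group_rule", "values": {
      "type": "egress", "from_port": 0, "to_port": 0, "protocol": "-1",
      "ipv6_cidr_blocks": ["::/0"]}},
    {"address": "aws_sqs_queue.events", "type": "aws_sqs_queue", "values": {
      "name": "events", "kms_master_key_id": null}},
    {"address": "aws_kms_key.data", "type": "aws_kms_key", "values": {"enable_key_rotation": false}},
    {"address": "aws_instance.bastion", "type": "aws_instance", "values": {
      "user_data": "#!/bin/bash\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"}}
  ],
  "child_modules": [{"address": "module.db", "resources": [
    {"address": "module.db.aws_kms_key.rds", "type": "aws_kms_key", "values": {"enable_key_rotation": true}}
  ]}]
}}}''')

if __name__ == "__main__":
    for f in scan_plan(SAMPLE_PLAN):
        print(f"{f.code}  {f.address}: {f.message}")
```

Running the block reports AWS007 for the `::/0` egress rule, AWS008 for the inline `0.0.0.0/0` ingress on the security group, AWS015 for the queue without a KMS key, AWS019 for the key without rotation and AWS062 for the key ID in user data; the `203.0.113.0/24` rule, the `10.0.0.0/8` egress and the rotating key in `module.db` produce nothing. Scanning the plan rather than the HCL means interpolated values are already resolved, but it also means a check like AWS044 (credentials in the provider block) cannot be expressed this way, because provider configuration is not part of `planned_values`.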