Unencrypted EBS Snapshots
Unencrypted EBS snapshots contain every block of the original EBS volume in plain text, so anyone who can create a volume from the snapshot, or copy it, reads the data without needing any key; the KMS key permissions that gate access to an encrypted snapshot do not apply.
This control is about giving users only the access they need, separating administrator access from normal user accounts, and removing access when it is no longer required. It supports least privilege, stronger account management, and better control over sensitive systems.
AWS S3 bucket policies should deny public access to S3 data. This should be part of a standard bucket policy applied to all buckets within your organisation.
AWS S3 buckets with neither the full set of Public Access Blocks nor a bucket policy that prevents public access should be treated as if their hosted data is publicly accessible.
AWS S3 offers Public Access Blocks that override bucket-level ACL and policy changes that would leak data. Enabling all four Public Access Block settings should be standard policy for all buckets.
AWS S3 buckets should enforce bucket-owner ownership of objects upon upload (Object Ownership set to BucketOwnerEnforced), so that objects written by other accounts are owned and controlled by the bucket owner.
AWS S3 buckets allow unencrypted uploads unless a bucket policy denies PutObject requests that do not specify server-side encryption.
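Added example for the S3 entries above (written for this page, not code from the page or any scanner): a standard bucket policy of the kind described, plus offline checks that apply the "treat as public" rule and the ownership and upload-encryption requirements to the dict shapes the S3 APIs return. The organisation ID, bucket name and response dicts are assumed placeholders and constructed samples.

```python
# Added example, not from the page: a standard bucket policy for every bucket in the
# organisation plus offline checks for the S3 findings above. ORG_ID, the bucket name
# and the response dicts are assumed placeholders / constructed samples.
import json

ORG_ID = "o-a1b2c3d4e5"  # assumed placeholder AWS Organizations ID
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def standard_bucket_policy(bucket, org_id):
    """Deny access from outside the organisation, deny plain-HTTP requests and deny
    PutObject calls that do not name a server-side encryption method."""
    arn = f"arn:aws:s3:::{bucket}"
    both = [arn, f"{arn}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAccessOutsideOrg",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": both,
                # StringNotEquals evaluates true when the key is absent, so anonymous
                # callers are denied; BoolIfExists keeps AWS service principals working.
                "Condition": {
                    "StringNotEquals": {"aws:PrincipalOrgID": org_id},
                    "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
                },
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": both,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                # Null/true matches requests that omit the encryption header entirely.
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _actions(statement):
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else actions


def all_public_access_blocks_on(pab):
    """pab: the PublicAccessBlockConfiguration dict; all four flags must be True."""
    return all(pab.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS)


def policy_denies_outside_org(policy, org_id):
    """Structural check for a deny-unless-in-org statement (not a full IAM evaluator)."""
    return any(
        st.get("Effect") == "Deny" and st.get("Principal") == "*"
        and "s3:*" in _actions(st)
        and st.get("Condition", {}).get("StringNotEquals", {}).get("aws:PrincipalOrgID") == org_id
        for st in _statements(policy)
    )


def policy_denies_unencrypted_uploads(policy):
    return any(
        st.get("Effect") == "Deny" and "s3:PutObject" in _actions(st)
        and st.get("Condition", {}).get("Null", {}).get("s3:x-amz-server-side-encryption") == "true"
        for st in _statements(policy)
    )


def treat_as_public(pab, policy, org_id):
    """The rule above: no full set of Public Access Blocks and no policy that prevents
    public access means the hosted data is assumed to be publicly accessible."""
    return not (all_public_access_blocks_on(pab) or policy_denies_outside_org(policy, org_id))


def ownership_enforced(ownership_controls):
    """ownership_controls: get_bucket_ownership_controls() response. BucketOwnerEnforced
    disables ACLs, so every uploaded object belongs to the bucket owner."""
    rules = ownership_controls.get("OwnershipControls", {}).get("Rules", [])
    return any(rule.get("ObjectOwnership") == "BucketOwnerEnforced" for rule in rules)


if __name__ == "__main__":
    policy = standard_bucket_policy("example-bucket", ORG_ID)
    print(json.dumps(policy, indent=2))
    weak_pab = {"BlockPublicAcls": True}  # constructed: only one of the four blocks on
    print("no policy   -> treat as public:", treat_as_public(weak_pab, {}, ORG_ID))
    print("with policy -> treat as public:", treat_as_public(weak_pab, policy, ORG_ID))
```

Two caveats on the policy: the Null condition denies any PutObject that omits the x-amz-server-side-encryption header, which includes clients relying on the bucket's default encryption (S3 has applied SSE-S3 to new objects by default since January 2023), so clients must send the header explicitly; and the structural checks only recognise the exact statement shapes generated here, they are not a substitute for IAM policy evaluation.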
Public EBS snapshots mean that any AWS customer can create a volume in the same AWS Region from the snapshot, effectively making the data public. The account-level "Block public access for EBS snapshots" setting prevents this sharing for a whole Region.
Other than AMIs built entirely from open-source content, AMIs should never be shared publicly.
HTTP listeners force clients to communicate in plain text, exposing all traffic to any machine on the network path; use HTTPS listeners and redirect HTTP to HTTPS.
Disabling mTLS expiry checks effectively gives all issued client certificates unlimited validity. This removes the time bound on the impact of a compromised or stale certificate and undermines client certificate …
AWS IAM user passwords should require at least 8 characters and include a variety of character types.
AWS accounts should have a custom password policy rather than relying on the default password policy.
AWS account password policies should allow users to change their own passwords.
AWS IAM user passwords shorter than 15 characters should be required to include all character types (uppercase, lowercase, numbers and symbols).
AWS IAM Users should have MFA enabled and active.
AWS IAM users that are inactive should be deleted.
AWS IAM users should not have long-term inactive access keys.
AWS IAM Users should not have unused Access Keys.
Unencrypted snapshots hold data at rest in plain text and forfeit the additional controls (key policies, grants and key-usage logging) that AWS KMS provides for encrypted snapshots.
RDS snapshots that are shared publicly mean that any AWS customer can restore the data on those snapshots to their own RDS instance.
EFS file systems should be configured to encrypt data at rest, so that reading the stored data also requires permission to use the KMS key, reducing the impact of leaked raw storage.
EFS allows insecure mounts, leaving NFS traffic between hosts and the file system unencrypted; mount with the EFS mount helper's TLS option (-o tls) so traffic is encrypted in transit.
CloudFront distributions that accept unencrypted viewer traffic respond to HTTP requests in plain text, compromising all information sent and received; set the viewer protocol policy to redirect HTTP to HTTPS or HTTPS only.
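Added example for the public EBS snapshot, public AMI, unencrypted snapshot and public RDS snapshot entries above (written for this page, not code from the page or any scanner): classifying these resources from the dict shapes the describe-* APIs return. The snapshot IDs, AMI IDs, account IDs and responses below are constructed samples, not real account data.

```python
# Added example, not from the page: classifying EBS snapshots, AMIs and RDS snapshots as
# unencrypted or public from the shapes the describe-* APIs return. All IDs and responses
# below are constructed samples.


def ebs_snapshot_is_public(create_volume_permissions):
    """describe_snapshot_attribute(Attribute='createVolumePermission')['CreateVolumePermissions'].
    An entry {'Group': 'all'} means any AWS account in the Region can create a volume from it."""
    return any(perm.get("Group") == "all" for perm in create_volume_permissions)


def shared_accounts(permissions):
    """Accounts named explicitly; shared with one account is not public, but worth listing."""
    return [perm["UserId"] for perm in permissions if "UserId" in perm]


def ami_is_public(launch_permissions):
    """describe_image_attribute(Attribute='launchPermission')['LaunchPermissions']."""
    return any(perm.get("Group") == "all" for perm in launch_permissions)


def rds_snapshot_is_public(attributes_result):
    """describe_db_snapshot_attributes()['DBSnapshotAttributesResult']: the 'restore'
    attribute lists account IDs allowed to copy or restore, or 'all' for every account."""
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


def snapshot_findings(ebs, amis, rds):
    """ebs:  (Snapshot dict from describe_snapshots, CreateVolumePermissions list) pairs
    amis: (ImageId, LaunchPermissions list) pairs
    rds:  (DBSnapshot dict from describe_db_snapshots, DBSnapshotAttributesResult dict) pairs
    Returns (resource id, issue) pairs in input order."""
    out = []
    for snap, perms in ebs:
        sid = snap["SnapshotId"]
        if not snap.get("Encrypted", False):
            out.append((sid, "unencrypted EBS snapshot"))
        if ebs_snapshot_is_public(perms):
            out.append((sid, "public EBS snapshot"))
        for account in shared_accounts(perms):
            out.append((sid, f"EBS snapshot shared with account {account}"))
    for image_id, perms in amis:
        if ami_is_public(perms):
            out.append((image_id, "public AMI"))
    for snap, attrs in rds:
        sid = snap["DBSnapshotIdentifier"]
        if not snap.get("Encrypted", False):
            out.append((sid, "unencrypted RDS snapshot"))
        if rds_snapshot_is_public(attrs):
            out.append((sid, "public RDS snapshot"))
    return out


# Constructed samples shaped like the API responses (not real resources).
SAMPLE_EBS = [
    ({"SnapshotId": "snap-0a1b2c3d", "Encrypted": False}, [{"Group": "all"}]),
    ({"SnapshotId": "snap-0e5f6a7b", "Encrypted": True}, [{"UserId": "210987654321"}]),
]
SAMPLE_AMIS = [("ami-0c9d8e7f", [{"Group": "all"}]), ("ami-0fedcba9", [])]
SAMPLE_RDS = [
    ({"DBSnapshotIdentifier": "prod-db-2024-05-31", "Encrypted": False},
     {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}),
    ({"DBSnapshotIdentifier": "prod-db-2024-06-01", "Encrypted": True},
     {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]}),
]

if __name__ == "__main__":
    for resource, issue in snapshot_findings(SAMPLE_EBS, SAMPLE_AMIS, SAMPLE_RDS):
        print(f"{resource}: {issue}")
```

The checks deliberately separate "public" (the all group) from "shared with a named account": both leak data outside the owning account, but only the first makes it available to every AWS customer in the Region.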
The AWS Root User should have an MFA device enabled and active.
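Added example for the IAM password policy entries, the IAM user entries (MFA, inactive users, inactive and unused access keys) and the root user MFA entry above (written for this page, not code from the page or any scanner): the checks run over an IAM credential report and an account password policy. The report below is constructed sample data laid out in the credential report's column format and trimmed to the columns used; the 90-day threshold and the fixed clock are assumptions.

```python
# Added example, not from the page: evaluating the IAM user and password policy findings
# above against an IAM credential report (iam get-credential-report) and the dict returned
# by get_account_password_policy(). SAMPLE_REPORT is constructed data, not a real account.
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the checks are reproducible
INACTIVE_DAYS = 90                                # assumed threshold; take it from your policy
ROOT = "<root_account>"

# Constructed sample report, trimmed to the columns used here (the real report also
# carries cert_* columns). Timestamps are ISO 8601; N/A / no_information / not_supported
# mean there is no value.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-20T09:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-30T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-01-10T00:00:00+00:00,2024-05-31T12:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-01T00:00:00+00:00,true,2024-05-28T08:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,false,true,2023-11-01T00:00:00+00:00,2023-11-15T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,2022-06-01T00:00:00+00:00,true,2023-12-01T08:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
dave,arn:aws:iam::123456789012:user/dave,2024-04-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-01T00:00:00+00:00,N/A,N/A,N/A,true,2024-04-02T00:00:00+00:00,2024-05-30T00:00:00+00:00,eu-west-1,sts
"""


def parse_report(text):
    """Rows of the credential report as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _ts(cell):
    """Parse a timestamp cell; any non-date marker (N/A etc.) becomes None."""
    try:
        return datetime.fromisoformat(cell)
    except ValueError:
        return None


def _active_keys(row):
    """Yield (slot, last-used datetime or None) for each active access key of the row."""
    for slot in ("1", "2"):
        if row[f"access_key_{slot}_active"] == "true":
            yield int(slot), _ts(row[f"access_key_{slot}_last_used_date"])


def users_without_mfa(rows):
    """Console users (password enabled) with no active MFA device."""
    return [r["user"] for r in rows
            if r["user"] != ROOT and r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def root_mfa_missing(rows):
    return any(r["user"] == ROOT and r["mfa_active"] != "true" for r in rows)


def inactive_users(rows, now=NOW, days=INACTIVE_DAYS):
    """Users with no password or key use in the window; never-used users count from creation."""
    cutoff = now - timedelta(days=days)
    out = []
    for r in rows:
        if r["user"] == ROOT:
            continue
        stamps = [s for s in [_ts(r["password_last_used"])] + [u for _, u in _active_keys(r)] if s]
        last = max(stamps) if stamps else _ts(r["user_creation_time"])
        if last is not None and last < cutoff:
            out.append(r["user"])
    return out


def unused_access_keys(rows):
    """Active keys that have never been used at all."""
    return [(r["user"], slot) for r in rows for slot, used in _active_keys(r) if used is None]


def long_term_inactive_keys(rows, now=NOW, days=INACTIVE_DAYS):
    """Active keys whose last use is older than the window."""
    cutoff = now - timedelta(days=days)
    return [(r["user"], slot) for r in rows for slot, used in _active_keys(r)
            if used is not None and used < cutoff]


def password_policy_findings(policy):
    """policy: get_account_password_policy()['PasswordPolicy'], or None when the account
    has no custom policy (boto3 raises NoSuchEntity in that case)."""
    if policy is None:
        return ["no custom password policy (account is on the default policy)"]
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < 8:
        findings.append("minimum length below 8")
    if length < 15:
        for key in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                    "RequireNumbers", "RequireSymbols"):
            if not policy.get(key, False):
                findings.append(f"{key} not set although minimum length is under 15")
    if not policy.get("AllowUsersToChangePassword", False):
        findings.append("users cannot change their own password")
    return findings


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("no MFA:", users_without_mfa(rows), "root MFA missing:", root_mfa_missing(rows))
    print("inactive users:", inactive_users(rows))
    print("unused keys:", unused_access_keys(rows), "stale keys:", long_term_inactive_keys(rows))
    print("password policy:", password_policy_findings({"MinimumPasswordLength": 6}))
```

The inactive-user check takes the latest of password use and use of any active key, and a user who has never signed in is measured from creation time so that a freshly created user is not flagged on day one; "unused" keys (never used) and "long-term inactive" keys (used, but not recently) are reported separately because they match the two separate entries above.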