Cloud9 has sadly been decommissioned and AWS customers are advised to decommission and replace Cloud9 environments
Advisory cloud9 aws
CloudFront Distributions which accept unencrypted traffic respond to requests in plain text, compromising all information sent and received.
Critical cloudfront aws
Cloudfront Distributions that do not use AWS WAF lack a number of security protections and tracking
High cloudfront aws
CloudFront Distributions that do not use an S3 Origin Access Identity require the S3 bucket to use website hosting, splitting access controls across S3 and CloudFront and leaving all traffic between S3 and CloudFront unencrypted.
Moderate cloudfront aws
CloudFront Distributions are accepting traffic from all locations on the internet. This includes traffic from geographical regions from which legitimate business traffic is unlikely.
CloudFront Distributions are set to distribute content to all available edge locations, including locations that may not serve commercially viable users or may pose data sovereignty concerns.
Low cloudfront aws
CloudFront Distributions that do not compress responses lead to slower applications and forfeit a positive ranking signal to search providers
Advisory cloudfront aws
AWS CloudTrail tracks all API calls for the relevant AWS Account, providing a complete repository of all activity within the account. Not enabling CloudTrail means that all data older than 90 days is lost, and that the remaining data is harder to traverse with third-party tools.
High cloudtrail aws
AWS Cognito User Pools should utilise Deletion Protection to avoid accidental deletion.
Moderate cognito-idp aws
Outside of entirely open-source resources, AMIs should never be shared publicly.
Critical ec2 aws
Public EBS Snapshots mean that any AWS customer can create a volume in the same AWS Region from the EBS snapshot, effectively making the data public.
Instances not running inside a VPC are unsupported
High ec2 aws
An EC2 instance that uses a public IP address is connected directly to the internet, leading to a vastly diminished security posture compared to available architectures that use Application Firewalls and Load Balancers.
Unencrypted EBS Snapshots contain all data on the original EBS volume in an unencrypted format, failing to protect this data from unauthorised decryption.
VPC Flow Logs provide forensic logs utilised for tracking breach origins and lateral movement. Missing or unconfigured flow logs deny access to vital forensic data.
Instances in public subnets without routes to a NAT require an Elastic IP to communicate externally, exposing them directly to internet traffic. This is a diminished security posture compared to available cloud tools and services.
EC2 Instances without an IAM Role attached either do not have permissions to securely interact with AWS Services or they host long-term credentials that are prone to compromise.
Instances without monitoring enabled lose a large amount of data that can indicate compromise and breaches.
Fully open security groups are wholly open to all of the internet, including from geographic locations with no business benefit.
Subnets should be explicitly associated with a route table to ensure route updates are explicit and controlled.
Moderate ec2 aws
Virtual Private Clouds (VPCs) should be designed with standardized subnet spaces to facilitate maintenance and optimise address space utilization.
Virtual Private Clouds (VPCs) should utilise private network ranges for their address space to avoid conflicts with external connections.
EC2 instances that do not exclusively utilise the IMDSv2 endpoints rely on a weaker version of IMDS whose issued credentials lack a number of protections against theft and misuse.
Instances using SSH Keys are configured to run OpenSSH server, leaving them exposed to OpenSSH attacks, lacking the features of other access methods and reinforcing the use of pet-style infrastructure.
DNS resolution should be shared across peered VPCs to ensure that each VPC routes privately to endpoints in the peered VPC network.
Low ec2 aws
Subnets should utilise a single exit route for outbound traffic, such as an Internet Gateway or a NAT, and not multiple external routes.
VPCs should utilise a private hosted zone for each VPC to allow for contextual DNS for ease of use and standardized addressing across environments.
Elastic IP addresses are allocated to the account but not currently in use.
Default VPCs are often insecure cloud environments providing ease of access rather than a secure posture, enabling implicit configurations with insecure defaults.
VPC Peering is a complex solution for inter-network connectivity that may be better replaced with AWS PrivateLink or other alternatives.
Advisory ec2 aws
AWS VPCs do not require multiple NATs unless the marginal gains from cross-AZ resiliency are worth the increased cost and maintenance burden. In such cases, it may be better to consider multi-region solutions for more effective failover.
Organisations should avoid using the default address space provided by AWS Virtual Private Clouds (VPCs), as this limits connectivity options such as VPC Peering in the future.
VPCs should not use the range `172.17.0.0/16`, as it is used by some AWS services when configured in your network.
SSH Keys that are available in an AWS account allow for provisioning of OpenSSH server and provide metadata information that can be utilised for research
EFS file systems should be configured to encrypt data at rest to create a permissions barrier to accessing and copying the data, thereby reducing the impact of leaked raw data.
Critical efs aws
EFS allows for insecure mounts, leaving communications between host machines and remote file systems unencrypted.
Allowing public access to the EKS hosted Kubernetes API endpoint is a substantially worse security posture than utilising private API endpoints
High eks aws
AWS EKS utilises a Container Network Interface designed for EC2, which consumes a significant number of IP addresses that the network must accommodate.
Moderate eks aws
EKS Clusters should remain updated to prevent compromise of publicly exposed APIs and to avoid forced updates which can break service.
HTTP listeners force clients to communicate in plain text, exposing all communications to any machines with connectivity to the traffic route.
Critical elb aws
Disabling mTLS Expiry Checks effectively gives all issued client certificates an eternal validity. This infinitely expands the impact risk for client certificates and undermines client certificate management processes.
High elb aws
The AWS Root User should have an MFA device enabled and active.
Critical iam aws
The AWS Root Account User should not utilise Access Keys.
AWS IAM user passwords should require at least 8 characters and include a variety of character types.
High iam aws
AWS IAM Users should have MFA enabled and active.
AWS root account users should not have attached Signing Certificates.
AWS Account Password Policies should prevent users from utilizing previous passwords.
AWS Account Password Policy should not require hard password resets, where passwords are reset only by an administrator.
AWS IAM Users should not have unused Access Keys.
Moderate iam aws
AWS IAM Users should not have long-term inactive Access Keys
AWS IAM user passwords should include all variations of characters if the password is less than 15 characters.
IAM user passwords should not expire.
AWS accounts should have a custom password policy rather than relying on the default password policy.
AWS account password policies should allow users to change their own passwords.
AWS IAM Users should have a single Access Key and not multiple Access Keys.
Low iam aws
AWS IAM Users have a per-user limit for Access Keys. Hitting this limit interferes with the ability to cycle Access Keys and contributes to the overall account Access Key limit.
AWS Accounts have a limit on the number of Access Keys they can issue. This should be monitored and managed to prevent reaching the limit, which can block regular key rotation processes.
AWS IAM users that are inactive should be deleted
The use of special characters in passwords is not recommended.
Advisory iam aws
AWS Lambda can encounter failure states when attempting execution of code. When invocations of the function fail, the reason will be provided by the AWS Lambda service for remediation.
High lambda aws
AWS Lambda can encounter failure states when attempting an update. When an update fails, the service falls back to the previous iteration of the code, potentially leaving outdated application functionality in place.
Running deprecated AWS Lambda runtimes incurs both security and operational risks, as well as upgrade risk should the service owner force an update to the runtime.
Moderate lambda aws
AWS Lambda Functions without Logs
Domains with the ICANN EPP status serverRenewProhibited cannot be renewed and require action to rescue the domain or otherwise migrate away from it.
Critical route53 aws
DKIM signing keys under 1024 bits are trivial to brute force. As DKIM DNS records are public, weak email signing keys are discoverable.
High route53 aws
Domains marked as 'inactive' may be missing vital configuration and are effectively useless
Domains marked by ICANN as pending deletion will be available for re-registration by third parties within 30 days
Domains marked as 'pendingTransfer' should have their transfer request confirmed as legitimate or cancelled and the domain locked if not intended
Expiring domains without auto-renew lead to service downtime and signal operational risk. Expired domains can also be captured by malicious parties.
Domains without a transfer lock are missing a key gating tool preventing the theft or sale of domains
Moderate route53 aws
RFC 7208 requires a single SPF record for SPF validation. Multiple records cause the SPF check to fail, so the domain's policy is disregarded.
The Sender Policy Framework (SPF) offers a straightforward method for specifying the origins of valid emails, helping to protect your domain from fraud. Domains without SPF records available face verification and deliverability challenges.
Domains used for sending emails should have a corresponding DKIM record that validates the signatures in each official email. This provides clear validation of legitimate emails and helps identify spoofed messages.
Private VPC Hosted Zone is using .local TLD
Low route53 aws
An SPF record must start with the format `v=spf1`; otherwise, it will be disregarded.
DMARC policies allow the opportunity to advise external email services how to handle spoofed email for your domain.
A domain with the status of "serverDeleteProhibited" is prevented from becoming unregistered. This is potentially an intentional lock but may also stem from legal contests, and the cause should be determined.
Advisory route53 aws
A 'serverHold' ICANN EPP Status Code can indicate an issue with your domain requiring action
Hosted Zones for domains purchased through the Route53 Registrar come with a default comment. This default comment forfeits the opportunity for labelling and control.
Lax DMARC policies do not explicitly advertise to mail servers that fraudulent emails should be either quarantined or rejected, which would guard your domain's reputation and provide spoofing reports.
RDS Snapshots that are available publicly mean that any AWS customer can clone the data on those snapshots to their own RDS instance.
Critical rds aws
Unencrypted Snapshots contain data at rest in plain text and forfeit additional data controls available from AWS KMS
High rds aws
Invalid AWS S3 Bucket Policies require replacement to a functioning policy to ensure that they provide provable security protection
Critical s3 aws
AWS S3 Buckets without a Bucket Policy are prone to insecure behaviour that does not meet modern security standards
AWS S3 Buckets with neither the full set of Public Access Blocks nor a Bucket Policy that prevents public access should consider their hosted data publicly accessible
AWS S3 Buckets should enforce the transfer of ownership for objects upon upload.
High s3 aws
AWS S3 Bucket Website Endpoints have been superseded by better architectural patterns bringing greater control and data protection
AWS S3 Buckets allow for unencrypted uploads which need to be blocked via Bucket Policy
AWS S3 offers Public Access Blocks to override bucket changes that leak data. Implementing all Public Access Blocks should be a standard policy for all buckets.
AWS S3 Bucket Policies should deny public access to S3 data. This should be part of a standard bucket policy applied to all buckets within your organisation
AWS S3 Bucket names can include the account ID for easier cross-account management and introducing name entropy via a manageable naming convention
Advisory s3 aws