Documentation

Cloudfront Distributions which accept unencrypted traffic respond to requests in plain text compromising all information sent and recieved.

Critical cloudfront aws

Cloudfront Distributions that do not use AWS Waf lack a number of security protections and tracking

High cloudfront aws

Cloudfront Distributions that do not use an S3 Origin Identity require the S3 bucket to use website hosting, splitting access controls across S3 and Cloudfront as well as implementing unencrypted communication for all traffic between S3 and Cloudfront.

Moderate cloudfront aws

Cloudfront Distributions are accepting traffic from all locations on the internet. This includes traffic from geographical regions which are unlikely to be business accessible.

Moderate cloudfront aws

Cloudfront Distributions are set to distribute content to all available edge locations, including locations that may not include commercially viable users or may pose data sovereignty concerns

Low cloudfront aws

AWS CloudTrail tracks all API calls for the relevant AWS Account, providing a total repository of all activity within the account. Not enabling CloudTrail means that all data older than 90 days is lost as well as making the data harder to traverse with third party tools

High cloudtrail aws

An EC2 instance that utilising a public IP address directly connects the instance to the internet leading to a vastly diminished security posture compared to available architectures utilising Application Firewalls and Load Balancers.

High ec2 aws

Unecrypted EBS Snapshots contain all data on the original EBS volume in an unencrypted format, failing to protect this data from unauthorised decryption

High ec2 aws

VPC Flow Logs provide forensic logs utilised for tracking breach origins and lateral movement. Missing or unconfigured flow logs deny access to vital forensic data

High ec2 aws

Instances in public subnets without routes to a NAT require an Elastic IP to communicate externally exposing them directly to internet traffic. This is a diminished security posture compared to available cloud tools and services.

High ec2 aws

EC2 Instances without an IAM Role attached either do not have permissions to securely interact with AWS Services or they host long term credentials that are prone to compromise

High ec2 aws

Instances do not have monitoring enabled, causing a large amount of data loss that can indicate compromiseand breaches

High ec2 aws

Fully open security groups are wholly open to all of the internet including from geographic locations with no business benefits

High ec2 aws

EC2 instances that do not exclusively utilise the IMDSv2 endpoints utilise a weaker version of IMDS issued credentials that lack a number of protections against theft and misuse.

Moderate ec2 aws

Instances using SSH Keys are configured to run OpenSSH server leaving them exposed to OpenSSH attacks, lacking the features of other access methods and reinforcing the use of pet style infrastructure.

Moderate ec2 aws

Elastic IP addresses are requisitioned by the account but not in current use

Low ec2 aws

Default VPCs are often insecure cloud environments providing ease of access rather than a secure posture, enabling implicit configurations with insecure defaults

Low ec2 aws

SSH Keys that are available in an AWS account allow for provisioning of OpenSSH server and provide metadata information that can be utilised for research

Advisory ec2 aws

Allowing public access to the EKS hosted Kubernetes API endpoint is a substantially worse security posture than utilising private API endpoints

High eks aws

The core feature of AWS EKS is the provision of managed hosting for the Kubernetes control plane.

Moderate eks aws