Assessment Documentation

Documentation for Project Assessments and Self Service Organisation Assessments

Documentation by Provider

AWS

AWS Cloud9

Cloud9 Environments Found

CloudFront

Cloudfront Distribution Accepting Insecure Requests

CloudFront Distribution not Compressing Responses

Cloudfront Distribution Not Using Geoblocking

Cloudfront Distribution Not Using Web Application Firewall

Cloudfront Distribution Set to Global Edges

S3 Origin Not Using Access Identity

Cloudtrail

Enable Cloudtrail

AWS Cognito

Cognito User Pools Should Have Delete Protection

Elastic Compute Cloud (EC2)

Default VPC Available

Disparate Subnet Masks

DNS Resolution Unshared Across VPCs

EC2 Instances with Monitoring Disabled

EC2 Instances without an IAM Profile

Instance Not Exclusively Using IMDSv2

Instance With Public IP Address

Instances in Public Subnets

Instances Running Outside VPC

Instances using SSH Keys

No VPC Flow Logs

Open Security Groups

Public AMIs Found

Public EBS Snapshots

SSH Keys found in Account

Subnets attached to Route Tables with Multiple External Routes

Subnets have Implicit Routing

Unencrypted EBS Snapshots

Unused Elastic IP Addresses

VPC Peering Connections Found

VPC Using Conflicting AWS CIDR Range

VPCs Using Default AWS Range

VPCs Using Non-Private Address Space

VPCs with Multiple NATs

VPCs without Private Zones

Elastic File System

EFS Allows Insecure Connections

EFS Mounted Without Encryption at Rest

Elastic Kubernetes Service

EKS Cluster out of Date

EKS Clusters Using Small Subnets

EKS Control Plane Publicly Accessible

Elastic Load Balancing

Load Balancer Ignores MTLS Client Certificate Expiry

Load Balancers Accepting Unencrypted HTTP

Identity & Access Management

Account Root User Has Access Keys Issued

Account Root User Has Signing Certificates

AWS Account Approaching Access Key Limit

AWS Root User Does Not Have MFA

IAM User Access Keys Unused

IAM User Approaching User Access Key Limit

IAM User Has Inactive Access Keys

IAM User has Multiple Access Keys

IAM User Inactive

IAM User Without MFA

IAM Users Password Policy Allows 8-15 Characters with Limited Characters

IAM Users Password Policy Does Not Allow Users to Change Passwords

IAM Users Password Policy Expires Passwords

IAM Users Password Policy Forces a Hard Password Expiry

IAM Users Password Policy Not Set

IAM Users Password Policy Remembers Less Than 3 Previous Passwords

IAM Users Password Policy Requires at Least 8 Characters

IAM Users Password Policy Requires Special Characters

AWS Lambda Service

Lambda Functions in Problem State

Lambda Functions Running Depreciated Runtimes

Lambda Functions with Update Problems

Lambda Functions Without Logs

Route53

DKIM Records with Small Key Size

Domains Due to Expire Within 90 Days

Domains Missing Transfer Lock

Domains with Lax DMARC Policies

Domains Without DMARC Declaration

Found MX records without corresponding SPF Record

Hosted Zones with Default Registrar Comment

ICANN Domain Status has Domain Deletion Prohibited

ICANN Domain Status has Domain on Hold

ICANN Domain Status has Server Renew Prohibited

ICANN Domain Status is Inactive

ICANN Domain Status is Indicating a Transfer

ICANN Domain Status is Pending Deletion

MX Records with Multiple Corresponding SPF Records

MX Records Without Corresponding DKIM Record

Private Zones using local TLD

SPF Record Does Not Start with SPF Statement

Relational Database Service

Found Public RDS Snapshots

Found Unencrypted RDS Snapshots

Simple Storage Service (S3)

S3 Bucket Allows Insecure Uploads

S3 Bucket Does Not Enforce Ownership Controls

S3 Bucket Does Not Include the Account ID

S3 Bucket Does Not Totally Block Public Access

S3 Bucket Has an Invalid Policy

S3 Bucket Has No Policy

S3 Bucket Has No Public Access Protections

S3 Bucket Has Website Endpoint Enabled

S3 Bucket Policy Allows Public Access