VPCs without Private Zones
VPCs should utilise a private hosted zone for each VPC to allow for contextual DNS for ease of use and standardized addressing across environments.
Efficiency risks focus on how effectively systems are designed and configured. These issues highlight unnecessary complexity, suboptimal architecture, or inefficient use of services that reduce performance or value. Addressing efficiency risks ensures systems operate in the most effective and streamlined way possible.
Virtual Private Clouds (VPCs) should utilise private network ranges for their address space to avoid conflicts with external connections.
Organisations should avoid using the default address space provided by AWS Virtual Private Clouds (VPCs), as this limits connectivity options such as VPC Peering in the future.
VPCs should not use the range 172.17.0.0/16, as it is used by some AWS services when configured in your network.
VPC Peering is a complex solution for inter-network connectivity that may be better replaced with VPC Private Links or other alternatives.
Subnets should be explicitly associated with a route table to ensure route updates are explicit and controlled.
Subnets should utilise a single exit route for outbound traffic, such as an Internet Gateway or a NAT, and not multiple external routes.
An SPF record must start with the format v=spf1; otherwise, it will be disregarded.
CloudFront Distributions that do not use an S3 Origin Access Identity require the S3 bucket to use website hosting, splitting access controls across S3 and CloudFront as well as implementing unencrypted …
AWS S3 Bucket Policies should deny public access to S3 data. This should be part of a standard bucket policy applied to all buckets within your organisation.
AWS S3 Bucket Website Endpoints have been superseded by better architectural patterns bringing greater control and data protection
AWS S3 Buckets with neither the full set of Public Access Blocks nor a Bucket Policy that prevents public access should consider their hosted data publicly accessible
AWS S3 offers Public Access Blocks to over-ride bucket changes that leak data. Implementing all Public Access Blocks should be a standard policy for all buckets
AWS S3 Bucket names can include the account ID for easier cross-account management and introducing name entropy via a manageable naming convention
AWS S3 Buckets should enforce the transfer of ownership for objects upon upload.
Public EBS Snapshots mean that any AWS customer can create a volume in the same AWS Region from the EBS snapshot, effectively making the data public.
Outside of entirely open-source resources, AMIs should never be shared publicly.
Domains used for sending emails should have a corresponding DKIM record that validates the signatures in each official email. This provides clear validation of legitimate emails and helps identify …
RFC 7208 requires a single SPF record for SPF validation. Multiple records cause the domain's SPF check to be disregarded.
Disabling MTLS Expiry Checks effectively gives all issued client certificates an eternal validity. This infinitely expands the impact risk for client certificates and undermines client certificate …
AWS Lambda Functions without Logs
AWS Lambda can encounter failure states when attempting an update. When an update fails, the service falls back to the previous iteration of the code, potentially leading to outdated application …
AWS Lambda can encounter failure states when attempting execution of code. When invocations of the function fail, the reason will be provided by the AWS Lambda service for remediation.
Instances not running inside a VPC are unsupported
A domain with the status of “serverDeleteProhibited” prevents a domain from becoming unregistered. This is potentially a lock but may also stem from legal contests and should be determined
AWS Account Password Policy should not require hard password resets, where passwords are reset only by an administrator.
IAM user passwords should not expire.
AWS account password policies should allow users to change their own passwords.
AWS IAM users that are inactive should be deleted.
AWS IAM Users should have a single Access Key and not multiple Access Keys.
AWS IAM Users should not have long-term inactive Access Keys
AWS IAM Users should not have unused Access Keys.
Hosted Zones for domains purchased through the Route53 Registrar come with a default comment. This default comment forfeits the opportunity for labelling and control.
Unencrypted Snapshots contain data at rest in plain text and forfeit additional data controls available from AWS KMS
RDS Snapshots that are available publicly mean that any AWS customer can clone the data on those snapshots to their own RDS instance.
The Sender Policy Framework (SPF) offers a straightforward method for specifying the origins of valid emails, helping to protect your domain from fraud. Domains without SPF records available face …
Allowing public access to the EKS hosted Kubernetes API endpoint is a substantially worse security posture than utilising private API endpoints
EC2 Instances without an IAM Role attached either do not have permissions to securely interact with AWS Services or they host long term credentials that are prone to compromise
Instances without monitoring enabled lose a large amount of data that can indicate compromise and breaches.
DMARC policies allow the opportunity to advise external email services how to handle spoofed email for your domain.
Lax DMARC policies do not explicitly tell mail servers that fraudulent emails should be either quarantined or rejected, forfeiting protection of your domain's reputation and allowing for spoofing …
Domains without a transfer lock are missing a key gating tool preventing the theft or sale of domains.
Expiring Domains without Autorenew lead to service downtime and signal operational risk. Expired domains can also be captured by malicious parties.
DNS resolution should be shared across peered VPCs to ensure that each VPC routes privately to endpoints in the peered VPC network.
DKIM signing keys under 1024 bits are trivial to brute force. As DKIM DNS records are public, weak email signing keys are discoverable.
Virtual Private Clouds (VPCs) should be designed with standardized subnet spaces to facilitate maintenance and optimise address space utilization.
CloudFront Distributions are accepting traffic from all locations on the internet. This includes traffic from geographical regions from which business access is unlikely.
CloudFront Distributions that do not compress responses lead to slower applications and forfeit a positive ranking signal to search providers.