VPCs Using Non-Private Address Space
Virtual Private Clouds (VPCs) should utilise private network ranges for their address space to avoid conflicts with external connections.
Operational risks focus on the ability of systems to function consistently over time. These issues may not cause immediate failure but can lead to instability, degraded performance, or maintenance challenges. Addressing operational risks ensures systems remain reliable, scalable, and sustainable.
Organisations should avoid using the default address space provided by AWS Virtual Private Clouds (VPCs), as this limits connectivity options such as VPC Peering in the future.
VPCs should not use the range 172.17.0.0/16, as some AWS services use that range when they are configured in your network, which would create an address conflict.
SSH Keys that are available in an AWS account allow for provisioning of OpenSSH servers and provide metadata that can be utilised for research
Invalid AWS S3 Bucket Policies require replacement with a functioning policy to ensure that they provide provable security protection
Private VPC Hosted Zone is using .local TLD
AWS Lambda can encounter failure states when attempting an update. When an update fails the service falls back to the previous iteration of the code, potentially leading to outdated application …
Running deprecated AWS Lambda runtimes incurs both security and operational risks, as well as upgrade risk should the service owner force an update to the runtime
AWS Lambda can encounter failure states when attempting execution of code. When invocations of the function fail, the reason will be provided by the AWS Lambda Service for remediation
Instances not running inside a VPC are unsupported
Instances in public subnets without routes to a NAT require an Elastic IP to communicate externally exposing them directly to internet traffic. This is a diminished security posture compared to …
Domains marked by ICANN as pending deletion will be available for re-registration by third parties within 30 days
Domains marked as ‘pendingTransfer’ should have their transfer request confirmed as legitimate or cancelled and the domain locked if not intended
Domains marked as ‘inactive’ may be missing vital configuration and are effectively useless
Domains with the ICANN EPP status serverRenewProhibited cannot be renewed and require action to rescue the domain or otherwise migrate away from it
A ‘serverHold’ ICANN EPP Status Code can indicate an issue with your domain requiring action
AWS IAM Users have a per-user limit for Access Keys; hitting this limit interferes with the ability to cycle Access Keys and contributes to the overall account Access Key Limit
AWS EKS utilises a Container Network Interface designed for EC2, which consumes a significant number of IP addresses that the network must accommodate.
EC2 Instances without an IAM Role attached either do not have permissions to securely interact with AWS Services or they host long term credentials that are prone to compromise
Default VPCs are often insecure cloud environments providing ease of access rather than a secure posture, enabling implicit configurations with insecure defaults
Cloud9 has sadly been decommissioned and AWS customers are advised to decommission and replace Cloud9 environments
AWS Accounts have a limit on the number of Access Keys they can issue. This should be monitored and managed to prevent reaching the limit, which can block regular key rotation processes.