Unencrypted EBS Snapshots
Unencrypted EBS Snapshots contain all data on the original EBS volume in an unencrypted format, failing to protect this data from unauthorised decryption
Security risks represent direct exposure to compromise. These issues highlight where access controls, authentication, or system boundaries are insufficient, allowing attackers or unintended users to gain entry. Addressing security risks ensures that systems remain protected against unauthorized access and malicious activity.
An SPF record must start with the format v=spf1; otherwise, it will be disregarded.
Cloudfront Distributions that do not use an S3 Origin Identity require the S3 bucket to use website hosting, splitting access controls across S3 and Cloudfront as well as implementing unencrypted …
AWS S3 Bucket Policies should deny public access to S3 data. This should be part of a standard bucket policy applied to all buckets within your organisation
AWS S3 Bucket Website Endpoints have been superseded by better architectural patterns bringing greater control and data protection
AWS S3 Buckets with neither the full set of Public Access Blocks nor a Bucket Policy that prevents public access should consider their hosted data publicly accessible
AWS S3 Buckets without a Bucket Policy are prone to insecure behaviour that does not meet modern security standards
Invalid AWS S3 Bucket Policies require replacement with a functioning policy to ensure that they provide provable security protection
AWS S3 offers Public Access Blocks to override bucket changes that leak data. Implementing all Public Access Blocks should be a standard policy for all buckets
AWS S3 Bucket names can include the account ID for easier cross-account management and to introduce name entropy via a manageable naming convention
AWS S3 Buckets should enforce the transfer of ownership for objects upon upload.
AWS S3 Buckets allow for unencrypted uploads which need to be blocked via Bucket Policy
Public EBS Snapshots mean that any AWS customer can create a volume in the same AWS Region from the EBS snapshot, effectively making the data public
Outside of entirely open-source resources, AMIs should never be shared publicly.
Fully open security groups are wholly open to all of the internet, including geographic locations with no business benefit
Domains used for sending emails should have a corresponding DKIM record that validates the signatures in each official email. This provides clear validation of legitimate emails and helps identify …
RFC 7208 requires a single SPF record for SPF validation. Multiple records will lead to the disregard of domain checks.
HTTP listeners force clients to communicate in plain text, exposing all communications to any machine with connectivity to the traffic route
Disabling MTLS Expiry Checks effectively gives all issued client certificates an eternal validity. This infinitely expands the impact risk for client certificates and undermines client certificate …
AWS Lambda Functions without Logs
Instances using SSH Keys are configured to run an OpenSSH server, leaving them exposed to OpenSSH attacks, lacking the features of other access methods and reinforcing the use of pet-style infrastructure.
Instances in public subnets without routes to a NAT require an Elastic IP to communicate externally, exposing them directly to internet traffic. This is a diminished security posture compared to …
An EC2 instance utilising a public IP address is directly connected to the internet, leading to a vastly diminished security posture compared to available architectures utilising …
EC2 instances that do not exclusively utilise the IMDSv2 endpoints utilise a weaker version of IMDS-issued credentials that lacks a number of protections against theft and misuse.
Domains marked as ‘pendingTransfer’ should have their transfer request confirmed as legitimate, or cancelled and the domain locked if the transfer is not intended
The use of special characters in passwords is not recommended.
AWS IAM user passwords should require at least 8 characters and include a variety of character types.
AWS Account Password Policies should prevent users from utilizing previous passwords.
AWS accounts should have a custom password policy rather than relying on the default password policy.
AWS Account Password Policy should not require hard password resets, where passwords are reset only by an administrator.
IAM user passwords should not expire.
AWS account password policies should allow users to change their own passwords.
AWS IAM user passwords should include all variations of characters if the password is less than 15 characters.
AWS IAM Users should have MFA enabled and active.
AWS IAM users that are inactive should be deleted
AWS IAM Users should have a single Access Key and not multiple Access Keys.
AWS IAM Users should not have long-term inactive Access Keys
AWS IAM Users should not have unused Access Keys.
Unencrypted Snapshots contain data at rest in plain text and forfeit the additional data controls available from AWS KMS
RDS Snapshots that are available publicly mean that any AWS customer can clone the data on those snapshots to their own RDS instance.
The Sender Policy Framework (SPF) offers a straightforward method for specifying the origins of valid emails, helping to protect your domain from fraud. Domains without SPF records available face …
Allowing public access to the EKS hosted Kubernetes API endpoint is a substantially worse security posture than utilising private API endpoints
EKS Clusters should remain updated to prevent publicly exposed APIs from compromise and avoid forced updates which can break service
EFS file systems should be configured to encrypt data at rest to create a permissions barrier to accessing and copying the data, thereby reducing the impact of leaked raw data.
EFS allows for insecure mounts, leaving communications between host machines and remote file systems unencrypted.
Instances do not have monitoring enabled, causing a large amount of data loss that can indicate compromise and breaches
DMARC policies allow you to advise external email services how to handle spoofed email for your domain
Lax DMARC policies do not explicitly tell mail servers that fraudulent emails should be either quarantined or rejected, which would guard your domain’s reputation, and so allow for spoofing …
Domains without a transfer lock are missing a key gating tool that prevents the theft or sale of domains
Expiring Domains without Autorenew lead to service downtime and signal operational risk. Expired domains can also be captured by malicious parties.
DKIM signing keys smaller than 1024 bits are trivial to brute force. As DKIM DNS records are public, weak email signatures are discoverable
Cloudfront Distributions that do not use AWS WAF lack a number of security protections and tracking
Cloudfront Distributions which accept unencrypted traffic respond to requests in plain text, compromising all information sent and received.
The AWS Root User should have an MFA device enabled and active.
AWS root account users should not have attached Signing Certificates.
The AWS Root Account User should not utilise Access Keys.