Contents

Account Summary

Accounts reviewed

Account name  Account ID    Collection date
demo          123456789012  2019-05-07

Resources

Resource counts

Resource type          demo
S3 buckets             1
EC2 instances          3
ELBs                   1
ELBv2s                 1
RDS instances          1
Redshift clusters      1
ElasticSearch domains  1
Elasticache clusters   0
SNS topics             2
SQS queues             1
CloudFronts            0
Autoscaling groups     0
ElasticBeanstalks      0
Firehose streams       0
Glacier vaults         0
KMS keys               0
Lambda functions       1

Region usage

This table shows whether a region contains any of the counted resources. S3 buckets, regardless of their actual location, and CloudFront distributions are currently attributed to us-east-1.

us-east-1: demo (Y)
  S3 buckets: 1
  EC2 instances: 3
  ELBs: 1
  ELBv2s: 1
  RDS instances: 1
  Redshift clusters: 1
  ElasticSearch domains: 1
  SNS topics: 2
  SQS queues: 1
  Lambda functions: 1

IAM

Public network resources

Counts of public resources by type

Account  ec2  elb  elbv2  rds  redshift  ecs  autoscaling  cloudfront  apigateway
demo     0    1    1      0    0         1    0            0           0

Counts of public resources by port ranges


Findings Summary

Counts of finding types by account

Counts of findings by account


Findings

S3

Internet accessible S3 bucket via policy (only GetObject)

Severity: Info
Issue ID: S3_PUBLIC_POLICY_GETOBJECT_ONLY

Granting anonymous s3:GetObject, and nothing else, through the bucket policy is the right way to make a bucket public when you do not want CloudFront in front of it, for example when a third-party caching service is used and direct access to the bucket is acceptable. Confirm that the policy grants nothing beyond s3:GetObject (no s3:ListBucket, which would expose the key names, and no write actions) and that the bucket holds only data meant to be public.


  • demo (123456789012)
      1. cloudmapper_demo

S3 Control Access Block is not on

Severity: Low
Issue ID: S3_ACCESS_BLOCK_OFF

This is S3 Block Public Access configured at the account level (through the S3 Control API). It overrides bucket policies and ACLs that would otherwise make buckets public, so a mistaken policy cannot expose data. If no bucket in the account needs to be public, turn all four settings on at the account level; if some buckets must stay public (such as the GetObject-only bucket above), apply the same block per bucket to every other bucket instead.


  • demo (123456789012)

CloudTrail

CloudTrail is not multiregion

Severity: Low
Issue ID: CLOUDTRAIL_NOT_MULTIREGION

When CloudTrail was first released, a trail had to be enabled region by region. Trails created today default to covering all regions, but this trail is single-region, so API activity in the other regions, including ones you never use, goes unrecorded. Enable the multi-region setting (IsMultiRegionTrail) so that one trail covers the whole account.


  • demo (123456789012)
    • us-east-1

IAM

Incorrect policy used to attempt to enforce MFA

Severity: High
Issue ID: IAM_BAD_MFA_POLICY

AWS used to publish an MFA-enforcement policy of this shape, and it does not actually enforce MFA. The Deny statement uses "NotAction": "iam:*", so every IAM call is exempt from the MFA condition, while the earlier statements let the user manage their own MFA device. An attacker who compromises only the user's access keys (which carry no aws:MultiFactorAuthPresent context) can therefore call iam:DeactivateMFADevice on the existing device and iam:EnableMFADevice to enrol their own, after which they satisfy the MFA condition for everything else; with any other IAM permissions the user holds, they can also remove the policy from themselves. The current AWS guidance limits the NotAction list in the Deny to the handful of calls needed to enrol a first device, keeping DeactivateMFADevice and DeleteVirtualMFADevice behind the MFA gate.


  • demo (123456789012)
      1. arn:aws:iam::123456789012:policy/BAD_MFA_POLICY
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "iam:ListAccountAliases",
                        "iam:ListUsers",
                        "iam:GetAccountSummary"
                    ],
                    "Resource": "*",
                    "Effect": "Allow",
                    "Sid": "AllowAllUsersToListAccounts"
                },
                {
                    "Action": [
                        "iam:ChangePassword",
                        "iam:CreateAccessKey",
                        "iam:CreateLoginProfile",
                        "iam:DeleteAccessKey",
                        "iam:DeleteLoginProfile",
                        "iam:GetAccountPasswordPolicy",
                        "iam:GetLoginProfile",
                        "iam:ListAccessKeys",
                        "iam:UpdateAccessKey",
                        "iam:UpdateLoginProfile",
                        "iam:ListSigningCertificates",
                        "iam:DeleteSigningCertificate",
                        "iam:UpdateSigningCertificate",
                        "iam:UploadSigningCertificate",
                        "iam:ListSSHPublicKeys",
                        "iam:GetSSHPublicKey",
                        "iam:DeleteSSHPublicKey",
                        "iam:UpdateSSHPublicKey",
                        "iam:UploadSSHPublicKey"
                    ],
                    "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
                    "Effect": "Allow",
                    "Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation"
                },
                {
                    "Action": [
                        "iam:ListVirtualMFADevices",
                        "iam:ListMFADevices"
                    ],
                    "Resource": [
                        "arn:aws:iam::123456789012:mfa/*",
                        "arn:aws:iam::123456789012:user/${aws:username}"
                    ],
                    "Effect": "Allow",
                    "Sid": "AllowIndividualUserToListTheirOwnMFA"
                },
                {
                    "Action": [
                        "iam:CreateVirtualMFADevice",
                        "iam:DeactivateMFADevice",
                        "iam:DeleteVirtualMFADevice",
                        "iam:RequestSmsMfaRegistration",
                        "iam:FinalizeSmsMfaRegistration",
                        "iam:EnableMFADevice",
                        "iam:ResyncMFADevice"
                    ],
                    "Resource": [
                        "arn:aws:iam::123456789012:mfa/${aws:username}",
                        "arn:aws:iam::123456789012:user/${aws:username}"
                    ],
                    "Effect": "Allow",
                    "Sid": "AllowIndividualUserToManageTheirOwnMFA"
                },
                {
                    "NotAction": "iam:*",
                    "Resource": "*",
                    "Effect": "Deny",
                    "Condition": {
                        "BoolIfExists": {
                            "aws:MultiFactorAuthPresent": "false"
                        }
                    },
                    "Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA"
                }
            ]
        }
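To make the bypass concrete, here is a small IAM policy evaluator, added for this report and not part of CloudMapper, run against the two statements of BAD_MFA_POLICY that matter and against a corrected Deny statement. It implements only what the example needs (Action/NotAction, Resource with ${aws:username}, the Bool and BoolIfExists operators, explicit deny wins); the username alice and the corrected NotAction list (the shape AWS now documents) are assumptions.

```python
"""Mini IAM evaluator: why BAD_MFA_POLICY lets a key-only attacker swap the MFA device.

Added example for this report, not CloudMapper code. Supports just enough of the
policy language for the statements involved: Action/NotAction, Resource with
${aws:username}, and the Bool / BoolIfExists condition operators.
"""
import copy
import fnmatch

ACCOUNT = "123456789012"

# The two statements of BAD_MFA_POLICY that combine into the bypass.
BAD_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowIndividualUserToManageTheirOwnMFA",
            "Effect": "Allow",
            "Action": ["iam:CreateVirtualMFADevice", "iam:DeactivateMFADevice",
                       "iam:DeleteVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:ResyncMFADevice"],
            "Resource": [f"arn:aws:iam::{ACCOUNT}:mfa/${{aws:username}}",
                         f"arn:aws:iam::{ACCOUNT}:user/${{aws:username}}"],
        },
        {
            "Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": "iam:*",  # exempts EVERY iam:* call from the MFA requirement
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

# Assumed fix: the Deny exempts only the calls needed to enrol a *first* device,
# so DeactivateMFADevice / DeleteVirtualMFADevice stay behind the MFA gate.
FIXED_MFA_POLICY = copy.deepcopy(BAD_MFA_POLICY)
FIXED_MFA_POLICY["Statement"][1]["NotAction"] = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]

# Request contexts for the assumed user "alice". Long-term access keys carry no
# aws:MultiFactorAuthPresent key at all, which is exactly what *IfExists tests.
NO_MFA_CTX = {"aws:username": "alice"}
MFA_CTX = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/alice"
MFA_ARN = f"arn:aws:iam::{ACCOUNT}:mfa/alice"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action names are case-insensitive; ARNs are folded too for this demo.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, ctx):
    for operator, pairs in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in ctx:
                if operator == "BoolIfExists":
                    continue  # a missing key satisfies the *IfExists form
                return False  # plain Bool on a missing key is false
            if str(ctx[key]).lower() != str(expected).lower():
                return False
    return True


def _applies(stmt, action, resource, ctx):
    if "Action" in stmt:
        action_ok = _matches(_as_list(stmt["Action"]), action)
    else:
        action_ok = not _matches(_as_list(stmt["NotAction"]), action)
    resources = [r.replace("${aws:username}", ctx.get("aws:username", ""))
                 for r in _as_list(stmt.get("Resource", "*"))]
    return (action_ok and _matches(resources, resource)
            and _condition_holds(stmt.get("Condition"), ctx))


def evaluate(policy, action, resource, ctx):
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' (an explicit deny always wins)."""
    decision = "IMPLICIT_DENY"
    for stmt in policy["Statement"]:
        if not _applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "EXPLICIT_DENY"
        decision = "ALLOW"
    return decision


if __name__ == "__main__":
    for label, policy in (("bad", BAD_MFA_POLICY), ("fixed", FIXED_MFA_POLICY)):
        for action, res in (("iam:DeactivateMFADevice", USER_ARN),
                            ("iam:EnableMFADevice", MFA_ARN),
                            ("s3:GetObject", "arn:aws:s3:::some-bucket/key")):
            print(f"{label:5} no-MFA {action:25} -> {evaluate(policy, action, res, NO_MFA_CTX)}")
```

Under BAD_MFA_POLICY a caller with no MFA context gets ALLOW for iam:DeactivateMFADevice (the Deny never fires for an iam:* action) while s3:GetObject is explicitly denied, which is why the policy looks like it works until someone tests the IAM calls. Under the corrected Deny the same caller can still enrol a device but is denied the deactivation.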

Known bad policy used

Severity: High
Issue ID: IAM_KNOWN_BAD_POLICY

AWS has handed customers policies that later proved flawed or too broad; these are now deprecated or no longer recommended. The role below uses AmazonEC2RoleforSSM, which grants S3 permissions well beyond what the SSM agent needs. Replace it with AmazonSSMManagedInstanceCore and add only the privileges the instance actually requires.


  • demo (123456789012)
      1. arn:aws:iam::123456789012:role/bad_role
        {
            "comment": "Use AmazonSSMManagedInstanceCore instead and add privs as needed",
            "policy": "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
        }

Custom policy allows admin

Severity: Low
Issue ID: IAM_CUSTOM_POLICY_ALLOWS_ADMIN

Instead of attaching the AWS-managed AdministratorAccess policy, a custom policy was created that grants the same access (here Action "*" on Resource "*") or allows escalation to it. Custom admin policies are easy to overlook in reviews; use the managed policy so that administrative grants are obvious.


  • demo (123456789012)
      1. arn:aws:iam::123456789012:role/bad_role
        {
            "comment": "Role has custom policy allowing admin",
            "policy": {
                "Statement": [
                    {
                        "Action": [
                            "*"
                        ],
                        "Effect": "Allow",
                        "Resource": "*"
                    }
                ],
                "Version": "2012-10-17"
            }
        }

IAM role allows assumption from anywhere

Severity: High
Issue ID: IAM_ROLE_ALLOWS_ASSUMPTION_FROM_ANYWHERE

The role's trust policy allows sts:AssumeRole from Principal "AWS": "*" with no Condition, so any IAM principal in any AWS account can assume it and receive whatever permissions the role carries.


  • demo (123456789012)
      1. arn:aws:iam::123456789012:role/bad_role
        {
            "statement": {
                "Statement": [
                    {
                        "Action": "sts:AssumeRole",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "*"
                        }
                    }
                ],
                "Version": "2012-10-17"
            }
        }

IAM role with s3 listing and get privileges can be assumed by unexpected principals

Severity: High
Issue ID: IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL

The ability to list S3 buckets and read objects from them should be granted mostly to human principals. When an EC2 instance role carries it, anyone who compromises that instance, or who reaches its instance metadata service through an SSRF bug, can use the role's credentials to exfiltrate the data. The role below is assumable by the ec2.amazonaws.com service principal.


  • demo (123456789012)
      1. arn:aws:iam::123456789012:role/exfiller
        {
            "comment": "Unexpected Principal in AssumeRolePolicyDocument for an admin",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            }
        }

Password policy is not set

Severity: Low
Issue ID: PASSWORD_POLICY_NOT_SET

A password policy helps ensure strong passwords are used by IAM Users. Setting a password policy does not impact existing users, so after setting this, you should ensure users reset their passwords so that they are in compliance.


  • demo (123456789012)

Root user has access keys

Severity: Low
Issue ID: ROOT_USER_HAS_ACCESS_KEYS

The root user should be used only in exceptional cases, and should therefore not use access keys. IAM Users or Roles should be used instead.


  • demo (123456789012)
        {
            "Number of access keys": 1
        }

User has not used access key for over 90 days

Severity: Low
Issue ID: USER_HAS_NOT_USED_ACCESS_KEY_FOR_MAX_DAYS

Access keys that have not been used for a while should be removed as they may have been lost, but still grant access to the account.


  • demo (123456789012)
      1. {
            "Days since key 1 used:": 161,
            "Number of days since key was rotated": 164
        }
      2. user
        {
            "Days since key 2 used:": 365,
            "Number of days since key was rotated": 365
        }

User has unused access key

Severity: Low
Issue ID: USER_HAS_UNUSED_ACCESS_KEY

These users have access keys that have never been used. These access keys may have been communicated to the user insecurely, or otherwise may not be as well protected as they should.


  • demo (123456789012)
      1. auditor_tmp
        {
            "Unused key": 1,
            "Number of days since key was rotated": 0
        }
      2. user
        {
            "Unused key": 1,
            "Number of days since key was rotated": 0
        }

User has password login, but not MFA

Severity: Medium
Issue ID: USER_WITH_PASSWORD_LOGIN_BUT_NO_MFA

MFA (multi-factor authentication) helps mitigate user account take-over.


  • demo (123456789012)
      1. user
        {
            "Number of days since user was created": 365
        }

User has not logged in for over 90 days

Severity: Medium
Issue ID: USER_HAS_NOT_LOGGED_IN_FOR_OVER_MAX_DAYS

The user has not used their password login for over 90 days. The password login should be removed from this user, or the user entirely.


  • demo (123456789012)
      1. user
        {
            "Number of days since user was created": 365,
            "Number of days since last login": 365
        }

User has two access keys

Severity: Low
Issue ID: USER_HAS_TWO_ACCESS_KEYS

A user should have only one access key. The second slot exists only for rotation: create the new key, switch to it, then delete the old one. The user should identify one access key to keep and the other should be removed.


  • demo (123456789012)
      1. user
        {
            "Number of days since key1 was rotated": 0,
            "Number of days since key2 was rotated": 365
        }
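The user-level findings above (root access keys, keys unused for over 90 days, never-used keys, password login without MFA, no login for over 90 days, two access keys) can all be derived from the IAM credential report. The following checker, added for this report and not CloudMapper's own code, runs them over a constructed report whose columns are a subset of the real header and whose placeholder values (N/A, no_information, not_supported) are the ones the real report emits; the rows are made up to reproduce the findings shown for user and auditor_tmp.

```python
"""The IAM user checks from this report, run over an IAM credential report.

Added example, not CloudMapper code. REPORT_CSV is constructed for the demo; its
columns are a subset of the real report header.
"""
import csv
import io
from datetime import datetime, timezone

MAX_DAYS = 90
NOW = datetime(2019, 5, 7, tzinfo=timezone.utc)  # the report's collection date

REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2018-05-07T00:00:00+00:00,not_supported,2019-04-01T00:00:00+00:00,true,true,2018-05-07T00:00:00+00:00,2019-04-01T00:00:00+00:00,false,N/A,N/A
user,arn:aws:iam::123456789012:user/user,2018-05-07T00:00:00+00:00,true,2018-05-07T00:00:00+00:00,false,true,2019-05-07T00:00:00+00:00,N/A,true,2018-05-07T00:00:00+00:00,2018-05-07T00:00:00+00:00
auditor_tmp,arn:aws:iam::123456789012:user/auditor_tmp,2019-05-07T00:00:00+00:00,false,N/A,false,true,2019-05-07T00:00:00+00:00,N/A,false,N/A,N/A
"""


def _when(value):
    """Parse a report timestamp; the report's placeholder strings become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _days_ago(value, now):
    stamp = _when(value)
    return None if stamp is None else (now - stamp).days


def audit_user(row, now=NOW, max_days=MAX_DAYS):
    """Return [(finding_id, details), ...] for one credential-report row."""
    findings = []
    active_keys = []
    for n in (1, 2):
        if row[f"access_key_{n}_active"] != "true":
            continue
        active_keys.append(n)
        rotated = _days_ago(row[f"access_key_{n}_last_rotated"], now)
        used = _days_ago(row[f"access_key_{n}_last_used_date"], now)
        if used is None:  # key exists but has never authenticated a request
            findings.append(("USER_HAS_UNUSED_ACCESS_KEY",
                             {"Unused key": n, "Number of days since key was rotated": rotated}))
        elif used > max_days:
            findings.append(("USER_HAS_NOT_USED_ACCESS_KEY_FOR_MAX_DAYS",
                             {f"Days since key {n} used": used,
                              "Number of days since key was rotated": rotated}))
    if row["user"] == "<root_account>" and active_keys:
        findings.append(("ROOT_USER_HAS_ACCESS_KEYS", {"Number of access keys": len(active_keys)}))
    if len(active_keys) == 2:
        findings.append(("USER_HAS_TWO_ACCESS_KEYS",
                         {f"Number of days since key{n} was rotated":
                          _days_ago(row[f"access_key_{n}_last_rotated"], now) for n in active_keys}))
    # The sample's root row carries not_supported here, so root is skipped by this branch.
    if row["password_enabled"] == "true":
        created = _days_ago(row["user_creation_time"], now)
        if row["mfa_active"] != "true":
            findings.append(("USER_WITH_PASSWORD_LOGIN_BUT_NO_MFA",
                             {"Number of days since user was created": created}))
        last_login = _days_ago(row["password_last_used"], now)
        if last_login is not None and last_login > max_days:
            findings.append(("USER_HAS_NOT_LOGGED_IN_FOR_OVER_MAX_DAYS",
                             {"Number of days since user was created": created,
                              "Number of days since last login": last_login}))
    return findings


def audit_report(csv_text, now=NOW):
    """Map each user in the report to its list of (finding_id, details)."""
    return {row["user"]: audit_user(row, now) for row in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for user, found in audit_report(REPORT_CSV).items():
        for finding_id, details in found:
            print(f"{user:15} {finding_id:45} {details}")
```

A real report is produced with `aws iam generate-credential-report` and then fetched with `aws iam get-credential-report --query Content --output text | base64 -d`; feed that text to audit_report. Note that the last-used timestamps are derived from CloudTrail-style activity and can lag by a few hours, so a key "never used" today may show a date tomorrow.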

GuardDuty

GuardDuty is not enabled

Severity: Medium
Issue ID: GUARDDUTY_OFF

GuardDuty is an AWS threat detection service that detects compromised access keys, EC2 instances, and more. It should be enabled in all regions.


  • demo (123456789012)
    • us-east-1

ECR

ECR is public

Severity: Medium
Issue ID: ECR_PUBLIC

Amazon Elastic Container Registry (ECR) stores Docker images, which often embed credentials, configuration, or proprietary code. A repository policy with Principal "*" lets anyone pull them. Registries are somewhat hard for an attacker to discover, but that is no reason to leave them public.


  • demo (123456789012)
    • us-east-1
      1. cloudmapper
        {
            "Version": "2008-10-17",
            "Statement": [
                {
                    "Sid": "AccessControl",
                    "Effect": "Allow",
                    "Principal": "*",
                    "Action": [
                        "ecr:GetDownloadUrlForLayer",
                        "ecr:BatchGetImage",
                        "ecr:BatchCheckLayerAvailability",
                        "ecr:ListImages",
                        "ecr:DescribeImages"
                    ]
                }
            ]
        }

Redshift

Redshift has public IP

Severity: Medium
Issue ID: REDSHIFT_PUBLIC_IP

Redshift databases should be in private subnets. Databases should not have public IPs. You should additionally check if the Security Groups associated with this are allowing it to be publicly accessible.


  • demo (123456789012)
    • us-east-1
      1. redshift-cluster-1

EC2

Old EC2

Severity: Info
Issue ID: EC2_OLD

An EC2 instance that is still running was launched more than 365 days ago. Long-lived instances tend to drift from their AMI and miss patches, so they deserve a review.


  • demo (123456789012)
    • us-east-1
      1. i-00000000000000000
        {
            "Age in days": 523,
            "Name": "Bastion",
            "Tags": [
                {
                    "Value": "Bastion",
                    "Key": "Name"
                }
            ]
        }
      2. i-00000000000000001
        {
            "Age in days": 523,
            "Name": "Web1",
            "Tags": [
                {
                    "Value": "Web1",
                    "Key": "Name"
                }
            ]
        }
      3. i-00000000000000002
        {
            "Age in days": 523,
            "Name": "Web2",
            "Tags": [
                {
                    "Value": "Web2",
                    "Key": "Name"
                }
            ]
        }

SQS

SQS is publicly accessible

Severity: Medium
Issue ID: SQS_PUBLIC

This may allow an attacker to read or write messages to this queue. The policy below grants sqs:SendMessage to Principal "AWS": "*" with no Condition, so anyone on the internet can inject messages that the queue's consumers will process.


  • demo (123456789012)
    • us-east-1
      1. demo
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "*"
                    },
                    "Action": "sqs:SendMessage",
                    "Resource": "arn:aws:sqs:us-east-1:123456789012:demo"
                }
            ]
        }

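The SQS finding above, the SNS finding that follows, the ECR repository policy and the bad_role trust policy earlier in this report all reduce to one question: does an Allow statement name a wildcard principal, and what does it hand out? The following analyzer, added here and not part of CloudMapper, answers it for all of them and also draws the GetObject-only distinction from the first S3 finding. The SQS, SNS, ECR and trust policies are the ones quoted in this report; the S3 bucket policy and the conditioned SQS policy are constructed for the demo.

```python
"""Who can act on a resource? Wildcard-principal check for resource and trust policies.

Added example, not CloudMapper code. SQS_POLICY, SNS_POLICY, ECR_POLICY and
TRUST_POLICY are the documents quoted in this report; S3_GETOBJECT_ONLY and
CONDITIONED_SQS are constructed.
"""
import json

SQS_POLICY = ('{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow",'
              '"Principal":{"AWS":"*"},"Action":"sqs:SendMessage",'
              '"Resource":"arn:aws:sqs:us-east-1:123456789012:demo"}]}')

SNS_POLICY = ('{"Version":"2008-10-17","Id":"__default_policy_ID","Statement":[{'
              '"Sid":"__default_statement_ID","Effect":"Allow","Principal":{"AWS":"*"},'
              '"Action":["SNS:GetTopicAttributes","SNS:SetTopicAttributes","SNS:AddPermission",'
              '"SNS:RemovePermission","SNS:DeleteTopic","SNS:Subscribe",'
              '"SNS:ListSubscriptionsByTopic","SNS:Publish","SNS:Receive"],'
              '"Resource":"arn:aws:sns:us-east-1:123456789012:demo_public"}]}')

ECR_POLICY = """{
  "Version" : "2008-10-17",
  "Statement" : [ {
    "Sid" : "AccessControl",
    "Effect" : "Allow",
    "Principal" : "*",
    "Action" : [ "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "ecr:ListImages", "ecr:DescribeImages" ]
  } ]
}"""

TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"AWS": "*"}}]}

# Constructed: the "right way" to expose a bucket without CloudFront.
S3_GETOBJECT_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::cloudmapper_demo/*"}]}

# Constructed: Principal "*" narrowed by a Condition (only one SNS topic may send).
CONDITIONED_SQS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:123456789012:demo",
     "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:demo_public"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants_to_everyone(stmt):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def analyze(policy):
    """Summarise what Allow statements with a wildcard principal hand out.

    Returns {"public": bool, "actions": [...], "conditioned": bool}. "conditioned"
    means at least one such statement carries a Condition block; keys such as
    aws:SourceArn or aws:PrincipalOrgID can narrow "*" to a real set of callers,
    so those statements need a human look rather than an automatic verdict.
    """
    if isinstance(policy, str):  # SQS, SNS and ECR return the document as a JSON string
        policy = json.loads(policy)
    actions, conditioned = set(), False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not grants_to_everyone(stmt):
            continue
        if stmt.get("Condition"):
            conditioned = True
        if "Action" in stmt:
            actions.update(a.lower() for a in _as_list(stmt["Action"]))
        else:
            actions.add("* (NotAction)")  # everything except the listed actions
    return {"public": bool(actions), "actions": sorted(actions), "conditioned": conditioned}


def classify_s3(policy):
    """Map a bucket policy onto the distinction this report's S3 finding draws."""
    result = analyze(policy)
    if not result["public"]:
        return "not public via policy"
    if result["actions"] == ["s3:getobject"]:
        return "public: GetObject only"
    return "public: more than GetObject"


if __name__ == "__main__":
    for name, policy in (("SQS demo", SQS_POLICY), ("SNS demo_public", SNS_POLICY),
                         ("ECR cloudmapper", ECR_POLICY), ("role bad_role", TRUST_POLICY),
                         ("SQS conditioned", CONDITIONED_SQS)):
        print(f"{name:16} {analyze(policy)}")
    print("S3 cloudmapper_demo:", classify_s3(S3_GETOBJECT_ONLY))
```

The action list is what turns a generic "public" flag into a severity: SendMessage alone means message injection, the SNS topic's nine actions include Subscribe, Publish and DeleteTopic, and sts:AssumeRole on a trust policy means the whole role is up for grabs. A wildcard principal with a Condition is reported separately because the condition may (or may not) make it safe.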
SNS

SNS is publicly accessible

Severity: Medium
Issue ID: SNS_PUBLIC

This may allow an attacker to read or write messages on this topic. The policy below grants every topic action, including SNS:Subscribe, SNS:Publish, SNS:SetTopicAttributes and SNS:DeleteTopic, to Principal "AWS": "*" with no Condition, so anyone can subscribe an endpoint they control to receive the notifications, publish forged messages to the existing subscribers, or delete the topic outright.


  • demo (123456789012)
    • us-east-1
      1. arn:aws:sns:us-east-1:123456789012:demo_public
        {
            "Version": "2008-10-17",
            "Id": "__default_policy_ID",
            "Statement": [
                {
                    "Sid": "__default_statement_ID",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "*"
                    },
                    "Action": [
                        "SNS:GetTopicAttributes",
                        "SNS:SetTopicAttributes",
                        "SNS:AddPermission",
                        "SNS:RemovePermission",
                        "SNS:DeleteTopic",
                        "SNS:Subscribe",
                        "SNS:ListSubscriptionsByTopic",
                        "SNS:Publish",
                        "SNS:Receive"
                    ],
                    "Resource": "arn:aws:sns:us-east-1:123456789012:demo_public"
                }
            ]
        }