| Account name | Account ID | Collection date |
|---|---|---|
| demo | 123456789012 | 2019-05-07 |
S3 buckets |
EC2 instances |
ELBs |
ELBv2s |
RDS instances |
Redshift clusters |
ElasticSearch domains |
Elasticache clusters |
SNS topics |
SQS queues |
CloudFronts |
Autoscaling groups |
ElasticBeanstalks |
Firehose streams |
Glacier vaults |
KMS keys |
Lambda functions |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| demo | 1 | 3 | 1 | 1 | 1 | 1 | 1 | 0 | 2 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
This table shows whether a region contains the resources being counted. Currently all S3 buckets, no matter their location, and CloudFronts, are identified as being in us-east-1.
us-east-1 |
|
|---|---|
| demo | YS3 buckets:1 EC2 instances:3 ELBs:1 ELBv2s:1 RDS instances:1 Redshift clusters:1 ElasticSearch domains:1 SNS topics:2 SQS queues:1 Lambda functions:1 |
ec2 |
elb |
elbv2 |
rds |
redshift |
ecs |
autoscaling |
cloudfront |
apigateway |
|
|---|---|---|---|---|---|---|---|---|---|
| demo | 0 | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 |
Severity: Info
Issue ID: S3_PUBLIC_POLICY_GETOBJECT_ONLY
This is the right way to make an S3 bucket public when you don't want to put CloudFront in front of it. This may be done when a third-party caching service is being used and you don't care about direct access to the S3 bucket.
Severity: Low
Issue ID: S3_ACCESS_BLOCK_OFF
This control prevents S3 buckets from being made public. If there are no public S3 buckets in the account this should be turned on.
Severity: Low
Issue ID: CLOUDTRAIL_NOT_MULTIREGION
When CloudTrail was first released, you had to specify which regions to enable it in. It now defaults to recording audit logs for all regions. It should be configured for multiregion.
Severity: High
Issue ID: IAM_BAD_MFA_POLICY
AWS had advised incorrect policies for enforcing MFA which allowed an attacker, if they compromised keys that were protected by this policy, to remove the MFA policy from themselves, or remove the existing MFA device and add their own.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:GetAccountSummary"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAllUsersToListAccounts"
},
{
"Action": [
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetLoginProfile",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:UpdateLoginProfile",
"iam:ListSigningCertificates",
"iam:DeleteSigningCertificate",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:DeleteSSHPublicKey",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::123456789012:user/${aws:username}",
"Effect": "Allow",
"Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation"
},
{
"Action": [
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
],
"Resource": [
"arn:aws:iam::123456789012:mfa/*",
"arn:aws:iam::123456789012:user/${aws:username}"
],
"Effect": "Allow",
"Sid": "AllowIndividualUserToListTheirOwnMFA"
},
{
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:RequestSmsMfaRegistration",
"iam:FinalizeSmsMfaRegistration",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource": [
"arn:aws:iam::123456789012:mfa/${aws:username}",
"arn:aws:iam::123456789012:user/${aws:username}"
],
"Effect": "Allow",
"Sid": "AllowIndividualUserToManageTheirOwnMFA"
},
{
"NotAction": "iam:*",
"Resource": "*",
"Effect": "Deny",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
},
"Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA"
}
]
}
Severity: High
Issue ID: IAM_KNOWN_BAD_POLICY
AWS has provided flawed policies to customers. These are either deprecated or no longer advised.
{
"comment": "Use AmazonSSMManagedInstanceCore instead and add privs as needed",
"policy": "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}
Severity: Low
Issue ID: IAM_CUSTOM_POLICY_ALLOWS_ADMIN
Instead of using the AdministratorAccess policy, a custom policy was created that does the same thing, or allows escalation to the same thing.
{
"comment": "Role has custom policy allowing admin",
"policy": {
"Statement": [
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
Severity: High
Issue ID: IAM_ROLE_ALLOWS_ASSUMPTION_FROM_ANYWHERE
The IAM role's trust policy allows any other account to assume it.
{
"statement": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": "*"
}
}
],
"Version": "2012-10-17"
}
}
Severity: High
Issue ID: IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL
The ability to list s3 buckets, and get objects from them, should be restricted largely to people as compromising an EC2 with this privilege could lead to exfiltration of data.
{
"comment": "Unexpected Principal in AssumeRolePolicyDocument for an admin",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
Severity: Low
Issue ID: PASSWORD_POLICY_NOT_SET
A password policy helps ensure strong passwords are used by IAM Users. Setting a password policy does not impact existing users, so after setting this, you should ensure users reset their passwords so that they are in compliance.
Severity: Low
Issue ID: ROOT_USER_HAS_ACCESS_KEYS
The root user should be used only in exceptional cases, and should therefore not use access keys. IAM Users or Roles should be used instead.
{
"Number of access keys": 1
}
Severity: Low
Issue ID: USER_HAS_NOT_USED_ACCESS_KEY_FOR_MAX_DAYS
Access keys that have not been used for a while should be removed as they may have been lost, but still grant access to the account.
{
"Days since key 1 used:": 161,
"Number of days since key was rotated": 164
}
{
"Days since key 2 used:": 365,
"Number of days since key was rotated": 365
}
Severity: Low
Issue ID: USER_HAS_UNUSED_ACCESS_KEY
These users have access keys that have never been used. These access keys may have been communicated to the user insecurely, or otherwise may not be as well protected as they should.
{
"Unused key": 1,
"Number of days since key was rotated": 0
}
{
"Unused key": 1,
"Number of days since key was rotated": 0
}
Severity: Medium
Issue ID: USER_WITH_PASSWORD_LOGIN_BUT_NO_MFA
MFA (multi-factor authentication) helps mitigate user account take-over.
{
"Number of days since user was created": 365
}
Severity: Medium
Issue ID: USER_HAS_NOT_LOGGED_IN_FOR_OVER_MAX_DAYS
The user has not used their password login for over 90 days. The password login should be removed from this user, or the user entirely.
{
"Number of days since user was created": 365,
"Number of days since last login": 365
}
Severity: Low
Issue ID: USER_HAS_TWO_ACCESS_KEYS
A user should only have one access key. The ability to have multiple access keys is only for when an access key is being rolled, and the old one should be removed. The user should identify one access key to use and the other should be removed.
{
"Number of days since key1 was rotated": 0,
"Number of days since key2 was rotated": 365
}
Severity: Medium
Issue ID: GUARDDUTY_OFF
GuardDuty is an AWS threat detection service that detects compromised access keys, EC2 instances, and more. It should be enabled in all regions.
Severity: Medium
Issue ID: ECR_PUBLIC
The Amazon Elastic Container Registry (ECR) stores docker images. These may contain sensitive information. These are somewhat hard for an attacker to find, but should not be made public.
"{\n \"Version\" : \"2008-10-17\",\n \"Statement\" : [ {\n \"Sid\" : \"AccessControl\",\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : [ \"ecr:GetDownloadUrlForLayer\", \"ecr:BatchGetImage\", \"ecr:BatchCheckLayerAvailability\", \"ecr:ListImages\", \"ecr:DescribeImages\" ]\n } ]\n}"
Severity: Medium
Issue ID: REDSHIFT_PUBLIC_IP
Redshift databases should be in private subnets. Databases should not have public IPs. You should additionally check if the Security Groups associated with this are allowing it to be publicly accessible.
Severity: Info
Issue ID: EC2_OLD
EC2 runnning that was launched more than 365 days ago.
{
"Age in days": 523,
"Name": "Bastion",
"Tags": [
{
"Value": "Bastion",
"Key": "Name"
}
]
}
{
"Age in days": 523,
"Name": "Web1",
"Tags": [
{
"Value": "Web1",
"Key": "Name"
}
]
}
{
"Age in days": 523,
"Name": "Web2",
"Tags": [
{
"Value": "Web2",
"Key": "Name"
}
]
}
Severity: Medium
Issue ID: SQS_PUBLIC
This may allow an attacker to read or write messages to this queue.
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"sqs:SendMessage\",\"Resource\":\"arn:aws:sqs:us-east-1:123456789012:demo\"}]}"
Severity: Medium
Issue ID: SNS_PUBLIC
This may allow an attacker to read or write messages to this queue.
"{\"Version\":\"2008-10-17\",\"Id\":\"__default_policy_ID\",\"Statement\":[{\"Sid\":\"__default_statement_ID\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:GetTopicAttributes\",\"SNS:SetTopicAttributes\",\"SNS:AddPermission\",\"SNS:RemovePermission\",\"SNS:DeleteTopic\",\"SNS:Subscribe\",\"SNS:ListSubscriptionsByTopic\",\"SNS:Publish\",\"SNS:Receive\"],\"Resource\":\"arn:aws:sns:us-east-1:123456789012:demo_public\"}]}"