CloudCoreo offers a Cloud Audit for AWS accounts. We leverage the AWS API to scan your cloud infrastructure and report back on any best practice violations we find. Below you'll find a list of all the best practice rules our Cloud Audit checks for.
CIS
These rules check for adherence to the CIS Security Benchmarks recommendations.
- CloudTrail log file validation not enabled
- CloudTrail trails not integrated with CloudWatch Logs
- CloudTrail logs not configured to use SSE-KMS
- CloudTrail service is disabled
- AWS Config not enabled in all regions
- Default VPC security group does not restrict all traffic
- TCP port is open
- VPC flow logging not enabled in all VPCs
- Active user Access Key not rotated
- Root Account Usage
- Passwords not set to expire
- Access key created by default
- MFA not enabled for all IAM users with console password
- Hardware MFA not enabled for root account
- Password policy does not require lowercase
- Password policy does not have a minimum length of 14 or greater
- Password policy does not require a number
- Password policy does not require a symbol
- Password policy does not require uppercase
- Users can reuse old passwords
- Root account has access keys
- MFA not enabled for root account
- Support role has not been created
- Unused access credentials
- Account using inline policies
- KMS key rotation not enabled
- Not monitoring changes to CloudTrail's configurations
- Not monitoring AWS Config configuration changes
- Not monitoring for CMKs that have been disabled or scheduled for deletion
- Not monitoring failed AWS console authentication attempts
- Not monitoring management console sign-in without MFA
- Not monitoring changes made to IAM policies
- Not monitoring changes to network ACLs (NACLs)
- Not monitoring changes to network gateways
- Not monitoring root login attempts
- Not monitoring route table changes
- Not monitoring changes to S3 bucket policies
- Not monitoring security group changes
- Not monitoring for unauthorized API calls
- Not monitoring VPC changes
CloudTrail
These are all the best practice rules Cloud Audit checks for related to AWS CloudTrail.
EC2
These are all the best practice rules Cloud Audit checks for related to AWS Elastic Compute Cloud (EC2).
- EC2 instance - Alert to Kill
- EC2 instance not launched from latest Amazon Linux AMI
- Default VPC security group does not restrict all traffic
- EC2 Inventory results
- Security Group contains IP address
- Security group contains a port range
- TCP port is open
- Security group allows unrestricted traffic
- Unused EC2 Security Group
- VPC flow logging not enabled in all VPCs
ELB
These are all the best practice rules Cloud Audit checks for related to AWS Elastic Load Balancer (ELB).
IAM
These are all the best practice rules Cloud Audit checks for related to AWS Identity and Access Management (IAM).
- Active user Access Key not rotated
- Root Account Usage
- Password Not Changed since Cloudbleed
- Passwords not set to expire
- Inactive user Access Key not rotated
- Access key created by default
- MFA not enabled for all IAM users with console password
- Password policy doesn't exist
- Account has multiple active access keys
- Hardware MFA not enabled for root account
- Multi-Factor Authentication not enabled
- Password policy does not require lowercase
- Password policy does not have a minimum length of 14 or greater
- Password policy does not require a number
- Password policy does not require a symbol
- Password policy does not require uppercase
- Users can reuse old passwords
- Root user has active Access Key
- Root user has active password
- Root account has access keys
- MFA not enabled for root account
- Multi-Factor Authentication not enabled for root account
- Support role has not been created
- Unused access credentials
- Unused or empty IAM group
- Account using inline policies
- Active user passwords not changed recently
- IAM User Password Not Used Recently
RDS
These are all the best practice rules Cloud Audit checks for related to AWS Relational Database Service (RDS).
Redshift
These are all the best practice rules Cloud Audit checks for related to Amazon Redshift, AWS's Data Warehouse Service.
- Redshift cluster data is not encrypted at rest
- Redshift connections not SSL
- Redshift user activity logging disabled
- Redshift automatic major version upgrades not enabled
- Redshift cluster is publicly accessible
- Redshift default TCP port 5439 is open to the world
S3
These are all the best practice rules Cloud Audit checks for related to AWS Simple Storage Service (S3).
- All users can list the affected bucket
- All users can write the bucket ACP / ACL
- All users can write to the affected bucket
- All authenticated AWS users can read the affected bucket
- All authenticated AWS users can change bucket permissions
- All authenticated AWS users can write to the affected bucket
- S3 bucket logging not enabled
- Bucket policy uses IP addresses to grant permission
- Bucket policy gives world Get, Put, List, and Delete permission
- Bucket policy gives world delete permission
- Bucket policy gives world Get permission
- Bucket policy gives world List permission
- Bucket policy gives world Put permission
Note: Don't see a rule you need? Drop us a line and let us know what you're looking for.