Platform Specific Controls

AWS

AWS provides on-demand cloud computing services to organizations around the globe, including compute, storage, networking, database, analytics, application services, and many others. The most widely used are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). Organizations such as the Cloud Security Alliance (CSA) and the National Institute of Standards and Technology (NIST) have published controls and best practices for obtaining security assurance in cloud computing.

The following AWS-related controls are organized by category.

Cloud Controls

Showing 140 controls:
Control Title | Control Type | Risk Rating
AWS Amazon Machine Images (AMIs) shared with unknown AWS accounts without restrictions | Cloud Controls | High
AWS Amazon Machine Images (AMIs) using unencrypted Amazon Elastic Block Store (EBS) | Cloud Controls | High
Amazon Redshift clusters with Database Auditing disabled | Cloud Controls | High
AWS Account with CloudTrail and encryption not enabled for log files | Cloud Controls, Data Controls | Medium
AWS Account with CloudTrail not Enabled/Created | Cloud Controls | High
AWS Accounts with AWS Config disabled | Cloud Controls, Configuration Controls | Medium
AWS security credentials stored in public repositories | Cloud Controls | High
AWS Default Security Groups allowing all traffic | Cloud Controls | High
AWS Identity and Access Management (IAM) inline policy usage | Cloud Controls | Medium
AWS Identity and Access Management (IAM) with privileged access on AWS Customer Master Keys | Cloud Controls, Least Privilege | High
AWS Security Groups for EC2 instances allowing traffic through DNS Port | Cloud Controls | High
AWS Security Groups for workload allowing traffic through RDP Port | Cloud Controls | High
AWS Security Groups for EC2 instances allowing traffic through CIFS Port | Cloud Controls | Low
AWS Security Groups for EC2 instances allowing traffic through FTP Command Port | Cloud Controls | Low
AWS Security Groups for EC2 instances allowing traffic through FTP Data Port | Cloud Controls | Low
AWS Security Groups for EC2 instances allowing traffic through NetBIOS Port | Cloud Controls | Low
AWS Security Groups for EC2 instances allowing traffic through PostgreSQL Port | Cloud Controls | Low
AWS Security Groups for EC2 instances allowing traffic through RPC Port | Cloud Controls | Low
AWS Security Groups for EC2 instances allowing traffic through Telnet Port | Cloud Controls | High
AWS Security Groups for EC2 instances allowing traffic through VNC Listener Port | Cloud Controls | Low
AWS Security Groups for EC2 instances allowing traffic through VNC Server Port | Cloud Controls | Low
AWS Security Groups for EC2 instances allowing traffic through MySQL Port | Cloud Controls | High
AWS Security Groups for EC2 instances allowing traffic through RDP Port | Cloud Controls | High
AWS Security Groups for EC2 instances allowing traffic through SSH Port | Cloud Controls | High
AWS Security Groups – Orphaned and Unused | Cloud Controls | Medium
AWS Amazon Machine Images (AMIs) that are shared publicly | Cloud Controls | High
CloudFormation Templates created without Deletion Policy Attribute | Cloud Controls | High
CloudFormation Templates created without “Output” section | Cloud Controls | Medium
CloudFormation Templates not integrated with Simple Notification Service (SNS) | Cloud Controls | Medium
CloudFormation templates with Open RDP Port Security Groups | Cloud Controls | High
CloudFormation Templates used to create Security Groups that allow traffic through an SSH Port | Cloud Controls | High
CloudFormation templates created with password violations | Cloud Controls, Password Controls | High
AWS Accounts with CloudTrail S3 Buckets publicly available | Cloud Controls | High
Ensure the Customer Gateways Limit is not reached | Cloud Controls | Medium
AWS Account with CloudTrail and Log Validation not enabled | Cloud Controls | Medium
Amazon Elastic Compute Cloud (EC2) with Termination Protection Disabled | Cloud Controls | Medium
Events based on DROP (Don’t Route Or Peer) IP List | Cloud Controls | High
Amazon Elastic Block Store (EBS) volumes that are not encrypted and attached to an EC2 instance | Cloud Controls, Data Controls | High
Ensure the EBS Snapshot Limit is not reached | Cloud Controls | Low
Ensure the EBS Volume Limit is not reached | Cloud Controls | Low
Amazon Elastic Block Store (EBS) volumes that are not Encrypted | Cloud Controls, Data Controls | High
Amazon Elastic Compute Cloud (EC2) instances affected by Saviynt Preventative Controls | Cloud Controls | Low
Amazon Elastic Compute Cloud (Amazon EC2) instances associated with default Security Groups | Cloud Controls | High
Amazon Elastic Compute Cloud (EC2) instances set up outside of the Virtual Private Network | Cloud Controls | High
Amazon Elastic Compute Cloud (EC2) instances missing tags | Cloud Controls | Low
AWS Security Groups for EC2 instances allowing traffic through SMTP Port | Cloud Controls | High
Amazon Elastic Compute Cloud (EC2) instances set up on dedicated tenancy | Cloud Controls | High
Amazon Elastic Compute Cloud (EC2) instances set up on default tenancy | Cloud Controls | Low
Amazon Elastic Compute Cloud (EC2) without IAM Roles | Cloud Controls | Low
Events based on EDROP (Extended Don’t Route Or Peer) IP List | Cloud Controls | High
Ensure Elastic IP address Limit is not reached | Cloud Controls | Medium
Ensure Elastic IP address Limit is not reached | Cloud Controls | High
Elastic Load Balancing (ELB) Certificates which are expired | Cloud Controls | High
Elastic Load Balancing (ELB) Certificates that will expire within 21 days | Cloud Controls | Low
Events based on Emerging Threats blocked IP list | Cloud Controls | High
Amazon Virtual Private Cloud (VPC) without any resources | Cloud Controls | Medium
Ensure the Expiry time for an unaccepted Virtual Private Cloud (VPC) peering connection request limit is not reached | Cloud Controls | Medium
Ensure VPC Flow Logs limit is not reached | Cloud Controls | Medium
GitHub – AWS CloudFormation Templates created without DeletionPolicy attribute | Cloud Controls | High
GitHub – AWS CloudFormation Templates created without “Output” section | Cloud Controls | Medium
AWS CloudFormation Templates not integrated with AWS Simple Notification Service (SNS) | Cloud Controls | Medium
GitHub – AWS CloudFormation Templates used to create Security Groups allowing traffic through an RDP Port | Cloud Controls | High
GitHub – AWS CloudFormation Templates used to create Security Groups allowing traffic through an SSH Port | Cloud Controls | High
GitHub – AWS CloudFormation templates created with password violations | Cloud Controls, Password Controls | High
Terminated users with an AWS high privileged user account | Cloud Controls, IT General Controls | High
AWS Identity and Access Management (IAM) groups with high privileged access | Cloud Controls, Least Privilege | High
AWS Identity and Access Management (IAM) users with high privileged access | Cloud Controls, Least Privilege | High
AWS Identity and Access Management (IAM) policies with High Privileges | Cloud Controls, Least Privilege | High
AWS IAM user without Multi-Factor Authentication (MFA) enabled | Cloud Controls | High
AWS Identity and Access Management (IAM) user not following organization’s naming standard | Cloud Controls | Medium
AWS Identity and Access Management (IAM) user with access to delete CloudFormation Templates | Cloud Controls, Least Privilege | High
AWS Identity and Access Management (IAM) user with non-rotated Access Keys | Cloud Controls | High
AWS Identity and Access Management (IAM) user with non-rotated credentials | Cloud Controls | High
AWS Identity and Access Management (IAM) High Privileged inactive users | Cloud Controls | High
Amazon instances/hosts set up on dedicated tenancy | Cloud Controls | High
Amazon instances/hosts set up on default tenancy | Cloud Controls | Low
Amazon Elastic Compute Cloud (EC2) instances set up with non-approved DNS names | Cloud Controls | Medium
Ensure the Internet Gateways Limit is not reached | Cloud Controls | Medium
AWS Key Management Service (KMS) keys scheduled for deletion | Cloud Controls | High
AWS Key Management Service (KMS) keys with rotation disabled | Cloud Controls | High
AWS Network Access Control List (NACL) allowing traffic through CIFS Port | Cloud Controls | Low
AWS Network Access Control List (NACL) allowing traffic through FTP Command Port | Cloud Controls | Low
AWS Network Access Control List (NACL) allowing traffic through FTP Data Port | Cloud Controls | Low
AWS Network Access Control List (NACL) allowing traffic through NetBIOS Port | Cloud Controls | Low
AWS Network Access Control List (NACL) allowing traffic through PostgreSQL Port | Cloud Controls | Low
AWS Network Access Control List (NACL) allowing traffic through RPC Port | Cloud Controls | Low
AWS Network Access Control List (NACL) allowing traffic through Telnet Port | Cloud Controls | Low
AWS Network Access Control List (NACL) allowing traffic through VNC Listener Port | Cloud Controls | Low
AWS Network Access Control List (NACL) allowing traffic through VNC Server Port | Cloud Controls | Low
AWS Network Access Control List (NACL) restricting incoming traffic | Cloud Controls | High
AWS Network Access Control List (NACL) allowing traffic through RDP Port | Cloud Controls | High
AWS Network Access Control List (NACL) allowing traffic through DNS Port | Cloud Controls | High
AWS Network Access Control List (NACL) allowing traffic through MySQL Port | Cloud Controls | Low
AWS Network Access Control List (NACL) allowing traffic through SMTP Port | Cloud Controls | Low
AWS Network Access Control List (NACL) allowing traffic through SSH Port | Cloud Controls | High
AWS Network Access Control List (NACL) restricting outgoing traffic | Cloud Controls | High
Ensure the NACL rule Limit is not reached | Cloud Controls | Medium
Ensure the NACLs Limit is not reached | Cloud Controls | Medium
Ensure the Network Address Translation (NAT) Gateways Limit is not reached | Cloud Controls | Medium
Amazon Redshift clusters that are unencrypted | Cloud Controls, Data Controls | High
AWS IAM High Privileged user without Multi-Factor Authentication (MFA) enabled | Cloud Controls | Medium
Ensure the Outstanding Virtual Private Cloud (VPC) peering connection requests limit is not reached | Cloud Controls | Medium
Amazon Relational Database Service (RDS) granting access to AWS accounts outside the organization | Cloud Controls, Data Controls, Least Privilege | Medium
Amazon Relational Database Service (RDS) should not be accessible publicly | Cloud Controls, Least Privilege | High
Amazon Relational Database Service (RDS) instances which are not Encrypted | Cloud Controls, Data Controls | High
Amazon Relational Database Service (RDS) with last restorable time greater than 5 minutes | Cloud Controls, Data Controls | Low
Amazon Relational Database Service (RDS) with retention policy greater than 2 weeks | Cloud Controls, Data Controls | Low
AWS Security Groups for Redshift clustered DB allowing traffic through RDP Port | Cloud Controls | High
AWS Security Groups for AWS Redshift VPC allowing traffic through SSH Port | Cloud Controls | High
AWS Security Groups for AWS Redshift VPC allowing traffic through RDP Port | Cloud Controls | High
AWS Security Groups for Redshift clustered DB allowing traffic through SSH Port | Cloud Controls | High
AWS Root Accounts with API Keys Enabled | Cloud Controls | High
AWS Root accounts with Multi-Factor Authentication disabled | Cloud Controls | High
Ensure the Route Tables Limit is not reached | Cloud Controls | Medium
Amazon S3 Buckets without MFA Delete enabled | Cloud Controls | Medium
Amazon S3 Buckets with logging disabled | Cloud Controls | Medium
Amazon S3 Buckets with versioning disabled | Cloud Controls | Low
Amazon S3 Buckets allowing Full access to everyone via ACL | Cloud Controls | Medium
Amazon S3 Buckets having explicit Global List access via ACL | Cloud Controls | Medium
Amazon S3 Buckets allowing explicit Read/Write access via ACL | Cloud Controls | Medium
Amazon S3 Buckets allowing access to Everyone via ACL | Cloud Controls | High
Amazon S3 Buckets with server-side encryption disabled | Cloud Controls | High
AWS Security Groups allowing all incoming traffic | Cloud Controls | High
Ensure the Security Groups limit per VPC is not reached | Cloud Controls | Medium
AWS Security Groups allowing all outgoing traffic | Cloud Controls | High
Ensure the Security Groups per network interface limit is not reached | Cloud Controls | Medium
Events Based on TOR (“The Onion Router”) IP List | Cloud Controls | High
Elastic Load Balancing (ELB) with zero associated EC2 instances or zero EC2 instances in service | Cloud Controls | Medium
Track the unused Elastic IP addresses in the account | Cloud Controls | Medium
Track the unused Elastic IP addresses in your account | Cloud Controls | High
Ensure the Virtual Private Gateways Limit is not reached | Cloud Controls | Medium
Ensure the Virtual Private Cloud (VPC) Endpoints limit is not reached | Cloud Controls | Medium
Ensure the VPC Limit is not reached | Cloud Controls | Medium
Ensure the Virtual Private Cloud (VPC) Peering Active Connections limit is not reached | Cloud Controls | Medium
Ensure the VPC Subnet Limit is not reached | Cloud Controls | Medium
Amazon Virtual Private Cloud (VPC) set up on dedicated tenancy | Cloud Controls | High
Amazon Virtual Private Cloud (VPC) set up on default tenancy | Cloud Controls | High
Ensure the Virtual Private Network (VPN) connections per region limit is not reached | Cloud Controls | Medium
Ensure the Virtual Private Network (VPN) Connections per Virtual Private Cloud (VPC) limit is not reached | Cloud Controls | Medium
AWS Workloads without Amazon Elastic Block Store (EBS) optimized instance | Cloud Controls | Low

Identity Governance

Showing 5 controls:
Control Title | Control Type | Risk Rating
AWS IAM users deprovisioning | Identity Governance | High
High privileged Users with non-rotated creds | Identity Governance | Medium
IAM users with delete rights on CF templates | Identity Governance | High
Inactive AWS IAM Users | Identity Governance | Medium
Terminated users with an AWS Identity and Access Management (IAM) user account | Identity Governance, IT General Controls | High