AWS Security Checks

cloud-audit runs 47 security checks across 15 AWS services. Each check includes copy-paste remediation in AWS CLI and Terraform. Browse by service below.

IAM (7 checks)

CRITICAL aws-iam-001

Root account MFA

Checks if the AWS root account has MFA enabled.

HIGH aws-iam-002

IAM users MFA

Checks if all IAM users with console access have MFA enabled..

MEDIUM aws-iam-003

Access key rotation

Checks if active access keys are older than 90 days..

MEDIUM aws-iam-004

Unused access keys

Checks for active access keys that haven't been used in 30+ days or have never been used..

CRITICAL aws-iam-005

Overly permissive IAM policies

Checks for customer-managed IAM policies with Action: * and Resource: *, granting full admin access to all AWS services..

MEDIUM aws-iam-006

Password policy strength

Checks if the account password policy meets CIS requirements (min 14 chars, uppercase, lowercase, numbers, symbols)..

CRITICAL aws-iam-007

OIDC trust policy without sub condition

Checks IAM roles with OIDC federation (GitHub Actions, GitLab CI, etc.) for missing 'sub' condition.

S3 (5 checks)

HIGH aws-s3-001

Public S3 buckets

Checks for S3 buckets that do not have all four public access block settings enabled..

LOW aws-s3-002

S3 bucket encryption

Checks if S3 buckets use SSE-KMS encryption instead of default SSE-S3.

LOW aws-s3-003

S3 bucket versioning

Checks if S3 buckets have versioning enabled to protect against accidental deletion or overwrites..

LOW aws-s3-004

S3 bucket lifecycle policy

Checks if S3 buckets have lifecycle rules configured to automatically transition or expire objects..

MEDIUM aws-s3-005

S3 access logging

Checks if S3 buckets have server access logging enabled to track requests..

EC2 (6 checks)

HIGH aws-ec2-001

Public AMIs

Checks for AMIs owned by your account that are publicly shared to all AWS accounts..

MEDIUM aws-ec2-002

Unencrypted EBS volumes

Checks for EBS volumes that are not encrypted at rest..

LOW aws-ec2-003

Stopped EC2 instances (cost)

Checks for EC2 instances in stopped state.

HIGH aws-ec2-004

EC2 IMDSv1 enabled

Checks for running EC2 instances that allow IMDSv1 (HttpTokens not set to 'required').

LOW aws-ec2-005

EC2 termination protection

Checks for running EC2 instances without API termination protection enabled..

MEDIUM aws-ec2-006

EBS default encryption

Checks if EBS default encryption is enabled in each scanned region.

VPC (4 checks)

MEDIUM aws-vpc-001

Default VPC usage

Checks if the default VPC has active resources (network interfaces).

CRITICAL aws-vpc-002

Open security groups

Checks for security groups with unrestricted inbound access (0.0.0.0/0 or ::/0) on sensitive ports like SSH, RDP, databases, or all traffic..

MEDIUM aws-vpc-003

VPC flow logs

Checks if non-default VPCs have flow logs enabled.

MEDIUM aws-vpc-004

Unrestricted NACL

Checks for non-default Network ACLs that allow all inbound traffic from 0.0.0.0/0 or ::/0..

RDS (4 checks)

CRITICAL aws-rds-001

Public RDS instances

Checks for RDS instances with PubliclyAccessible set to true..

HIGH aws-rds-002

RDS encryption at rest

Checks for RDS instances without storage encryption enabled..

MEDIUM aws-rds-003

RDS Multi-AZ

Checks for non-micro/small RDS instances (likely production) without Multi-AZ failover enabled..

LOW aws-rds-004

RDS auto minor upgrade

Checks for RDS instances with automatic minor version upgrade disabled..

CloudTrail (3 checks)

CRITICAL aws-ct-001

CloudTrail enabled

Checks if CloudTrail is enabled with multi-region logging.

HIGH aws-ct-002

CloudTrail log validation

Checks if CloudTrail trails have log file integrity validation enabled..

CRITICAL aws-ct-003

CloudTrail S3 bucket public access

Checks if S3 buckets used by CloudTrail have all public access block settings enabled..

CloudWatch (1 check)

HIGH aws-cw-001

Root account usage alarm

Checks if a CloudWatch metric filter and alarm exist to detect root account usage..

Config (2 checks)

MEDIUM aws-cfg-001

AWS Config enabled

Checks if AWS Config is enabled in each scanned region.

HIGH aws-cfg-002

Config recorder active

Checks if AWS Config recorders are actively recording.

ECS (3 checks)

CRITICAL aws-ecs-001

ECS privileged containers

Checks for ECS task definitions with containers running in privileged mode, which gives root-level access to the host..

HIGH aws-ecs-002

ECS task logging

Checks for ECS task definitions with containers that have no log configuration.

MEDIUM aws-ecs-003

ECS Exec enabled

Checks for ECS services with executeCommand enabled, which allows interactive shell access to running containers..

EIP (1 check)

LOW aws-eip-001

Unattached Elastic IPs

Checks for Elastic IPs that are allocated but not associated with any resource..

GuardDuty (2 checks)

HIGH aws-gd-001

GuardDuty enabled

Checks if Amazon GuardDuty is enabled in each scanned region for threat detection..

MEDIUM aws-gd-002

GuardDuty unresolved findings

Checks for unresolved GuardDuty findings older than 30 days that have not been investigated..

KMS (2 checks)

MEDIUM aws-kms-001

KMS key rotation

Checks if customer-managed symmetric KMS keys have automatic key rotation enabled..

HIGH aws-kms-002

KMS key policy

Checks for customer-managed KMS keys with wildcard Principal (*) in the key policy without conditions..

Lambda (3 checks)

HIGH aws-lambda-001

Lambda public function URL

Checks for Lambda functions with public function URLs (AuthType=NONE), allowing anyone on the internet to invoke them..

MEDIUM aws-lambda-002

Lambda deprecated runtime

Checks for Lambda functions using deprecated/end-of-life runtimes that no longer receive security patches..

HIGH aws-lambda-003

Lambda env var secrets

Checks for Lambda functions with environment variable names matching secret patterns (SECRET, PASSWORD, API_KEY, TOKEN, etc.)..

Secrets Manager (2 checks)

MEDIUM aws-sm-001

Secrets Manager rotation

Checks for secrets without automatic rotation configured or secrets that haven't been rotated in over 90 days..

LOW aws-sm-002

Unused secrets

Checks for secrets not accessed in over 90 days, which may indicate forgotten or abandoned credentials..

SSM (2 checks)

MEDIUM aws-ssm-001

EC2 not managed by SSM

Checks for running EC2 instances that are not registered with AWS Systems Manager for patching and remote management..

HIGH aws-ssm-002

SSM insecure parameters

Checks for SSM parameters with secret-like names (password, api_key, token, etc.) that are stored as plain String instead of SecureString..

These checks are part of cloud-audit - install with pip install cloud-audit