AWS Security Checks

cloud-audit runs 94 security checks across 23 AWS services. Each check includes copy-paste remediation in AWS CLI and Terraform. Browse by service below.

IAM (16 checks)

CRITICAL aws-iam-001

Root account MFA

Checks if the AWS root account has MFA enabled.

HIGH aws-iam-002

IAM users MFA

Checks if all IAM users with console access have MFA enabled..

MEDIUM aws-iam-003

Access key rotation

Checks if active access keys are older than 90 days..

MEDIUM aws-iam-004

Unused access keys

Checks for active access keys that haven't been used in 30+ days or have never been used..

CRITICAL aws-iam-005

Overly permissive IAM policies

Checks for customer-managed IAM policies with Action: * and Resource: *, granting full admin access to all AWS services..

MEDIUM aws-iam-006

Password policy strength

Checks if the account password policy meets CIS requirements (min 14 chars, uppercase, lowercase, numbers, symbols)..

CRITICAL aws-iam-007

OIDC trust policy without sub condition

Checks IAM roles with OIDC federation (GitHub Actions, GitLab CI, etc.) for missing 'sub' condition.

CRITICAL aws-iam-008

Root account access keys

Checks if the root account has active access keys.

MEDIUM aws-iam-009

Multiple active access keys

Checks if any IAM user has more than one active access key.

MEDIUM aws-iam-010

Direct user policies

Checks if IAM users have policies attached directly instead of through groups.

MEDIUM aws-iam-011

Support role exists

Checks if an IAM role, user, or group has the AWSSupportAccess managed policy attached.

MEDIUM aws-iam-012

IAM Access Analyzer enabled

Checks if IAM Access Analyzer is enabled in all active regions.

MEDIUM aws-iam-013

Expired SSL/TLS certificates

Checks for expired SSL/TLS certificates stored in IAM.

MEDIUM aws-iam-014

CloudShell full access restricted

Checks if AWSCloudShellFullAccess managed policy is attached to any IAM entity.

MEDIUM aws-iam-015

Root hardware MFA

Checks if the root account uses a hardware MFA device instead of virtual MFA.

MEDIUM aws-iam-016

EC2 instance IAM roles

Checks if running EC2 instances have IAM instance profiles attached.

S3 (7 checks)

HIGH aws-s3-001

Public S3 buckets

Checks for S3 buckets that do not have all four public access block settings enabled..

LOW aws-s3-002

S3 bucket encryption

Checks if S3 buckets use SSE-KMS encryption instead of default SSE-S3.

LOW aws-s3-003

S3 bucket versioning

Checks if S3 buckets have versioning enabled to protect against accidental deletion or overwrites..

LOW aws-s3-004

S3 bucket lifecycle policy

Checks if S3 buckets have lifecycle rules configured to automatically transition or expire objects..

MEDIUM aws-s3-005

S3 access logging

Checks if S3 buckets have server access logging enabled to track requests..

MEDIUM aws-s3-006

S3 bucket denies HTTP

Checks if S3 buckets have a bucket policy that denies non-HTTPS (HTTP) requests using the aws:SecureTransport condition..

MEDIUM aws-s3-007

S3 MFA Delete

Checks if S3 buckets have MFA Delete enabled to prevent accidental or malicious deletion of versioned objects..

EC2 (6 checks)

HIGH aws-ec2-001

Public AMIs

Checks for AMIs owned by your account that are publicly shared to all AWS accounts..

MEDIUM aws-ec2-002

Unencrypted EBS volumes

Checks for EBS volumes that are not encrypted at rest..

LOW aws-ec2-003

Stopped EC2 instances (cost)

Checks for EC2 instances in stopped state.

HIGH aws-ec2-004

EC2 IMDSv1 enabled

Checks for running EC2 instances that allow IMDSv1 (HttpTokens not set to 'required').

LOW aws-ec2-005

EC2 termination protection

Checks for running EC2 instances without API termination protection enabled..

MEDIUM aws-ec2-006

EBS default encryption

Checks if EBS default encryption is enabled in each scanned region.

VPC (5 checks)

MEDIUM aws-vpc-001

Default VPC usage

Checks if the default VPC has active resources (network interfaces).

CRITICAL aws-vpc-002

Open security groups

Checks for security groups with unrestricted inbound access (0.0.0.0/0 or ::/0) on sensitive ports like SSH, RDP, databases, or all traffic..

MEDIUM aws-vpc-003

VPC flow logs

Checks if non-default VPCs have flow logs enabled.

MEDIUM aws-vpc-004

Unrestricted NACL

Checks for non-default Network ACLs that allow all inbound traffic from 0.0.0.0/0 or ::/0..

MEDIUM aws-vpc-005

Default security group restricts all traffic

Checks if the default security group of every VPC restricts all inbound and outbound traffic.

RDS (4 checks)

CRITICAL aws-rds-001

Public RDS instances

Checks for RDS instances with PubliclyAccessible set to true..

HIGH aws-rds-002

RDS encryption at rest

Checks for RDS instances without storage encryption enabled..

MEDIUM aws-rds-003

RDS Multi-AZ

Checks for non-micro/small RDS instances (likely production) without Multi-AZ failover enabled..

LOW aws-rds-004

RDS auto minor upgrade

Checks for RDS instances with automatic minor version upgrade disabled..

CloudTrail (7 checks)

CRITICAL aws-ct-001

CloudTrail enabled

Checks if CloudTrail is enabled with multi-region logging.

HIGH aws-ct-002

CloudTrail log validation

Checks if CloudTrail trails have log file integrity validation enabled..

CRITICAL aws-ct-003

CloudTrail S3 bucket public access

Checks if S3 buckets used by CloudTrail have all public access block settings enabled..

HIGH aws-ct-004

CloudTrail S3 bucket access logging

Checks if the S3 bucket used by CloudTrail has server access logging enabled.

MEDIUM aws-ct-005

CloudTrail KMS encryption

Checks if CloudTrail logs are encrypted with a KMS Customer Managed Key (CMK).

MEDIUM aws-ct-006

S3 object-level write logging

Checks if CloudTrail is configured to log S3 object-level write events (PutObject, DeleteObject, etc.).

MEDIUM aws-ct-007

S3 object-level read logging

Checks if CloudTrail is configured to log S3 object-level read events (GetObject).

CloudWatch (15 checks)

HIGH aws-cw-001

Root account usage alarm

Checks if a CloudWatch metric filter and alarm exist to detect root account usage..

MEDIUM aws-cw-002

Unauthorized API calls alarm

Checks if a CloudWatch metric filter and alarm exist to detect unauthorized API calls (AccessDenied, UnauthorizedAccess).

MEDIUM aws-cw-003

Console sign-in without MFA alarm

Checks if a CloudWatch metric filter and alarm exist to detect console sign-ins without MFA.

MEDIUM aws-cw-004

IAM policy changes alarm

Checks if a CloudWatch metric filter and alarm exist to detect IAM policy changes (CreatePolicy, DeletePolicy, AttachRolePolicy, etc.).

MEDIUM aws-cw-005

CloudTrail config changes alarm

Checks if a CloudWatch metric filter and alarm exist to detect CloudTrail configuration changes (CreateTrail, DeleteTrail, UpdateTrail, StopLogging).

MEDIUM aws-cw-006

Console auth failures alarm

Checks if a CloudWatch metric filter and alarm exist to detect console authentication failures.

MEDIUM aws-cw-007

CMK disable/deletion alarm

Checks if a CloudWatch metric filter and alarm exist to detect KMS Customer Master Key disabling or scheduled deletion.

MEDIUM aws-cw-008

S3 bucket policy changes alarm

Checks if a CloudWatch metric filter and alarm exist to detect S3 bucket policy changes (PutBucketPolicy, PutBucketAcl, DeleteBucketPolicy).

MEDIUM aws-cw-009

Config changes alarm

Checks if a CloudWatch metric filter and alarm exist to detect AWS Config configuration changes (StopConfigurationRecorder, DeleteDeliveryChannel).

MEDIUM aws-cw-010

Security group changes alarm

Checks if a CloudWatch metric filter and alarm exist to detect security group changes (AuthorizeSecurityGroupIngress, CreateSecurityGroup, etc.).

MEDIUM aws-cw-011

NACL changes alarm

Checks if a CloudWatch metric filter and alarm exist to detect Network ACL changes (CreateNetworkAcl, DeleteNetworkAcl, ReplaceNetworkAclEntry).

MEDIUM aws-cw-012

Network gateway changes alarm

Checks if a CloudWatch metric filter and alarm exist to detect network gateway changes (CreateCustomerGateway, AttachInternetGateway, DeleteInternetGateway).

MEDIUM aws-cw-013

Route table changes alarm

Checks if a CloudWatch metric filter and alarm exist to detect route table changes (CreateRoute, DeleteRoute, ReplaceRoute, CreateRouteTable).

MEDIUM aws-cw-014

VPC changes alarm

Checks if a CloudWatch metric filter and alarm exist to detect VPC changes (CreateVpc, DeleteVpc, ModifyVpcAttribute, AcceptVpcPeeringConnection).

MEDIUM aws-cw-015

Organizations changes alarm

Checks if a CloudWatch metric filter and alarm exist to detect AWS Organizations changes (InviteAccountToOrganization, CreateOrganization, etc.).

Config (2 checks)

MEDIUM aws-cfg-001

AWS Config enabled

Checks if AWS Config is enabled in each scanned region.

HIGH aws-cfg-002

Config recorder active

Checks if AWS Config recorders are actively recording.

ECS (3 checks)

CRITICAL aws-ecs-001

ECS privileged containers

Checks for ECS task definitions with containers running in privileged mode, which gives root-level access to the host..

HIGH aws-ecs-002

ECS task logging

Checks for ECS task definitions with containers that have no log configuration.

MEDIUM aws-ecs-003

ECS Exec enabled

Checks for ECS services with executeCommand enabled, which allows interactive shell access to running containers..

EFS (1 check)

MEDIUM aws-efs-001

EFS encryption at rest

Checks if EFS file systems are encrypted at rest.

EIP (1 check)

LOW aws-eip-001

Unattached Elastic IPs

Checks for Elastic IPs that are allocated but not associated with any resource..

GuardDuty (2 checks)

HIGH aws-gd-001

GuardDuty enabled

Checks if Amazon GuardDuty is enabled in each scanned region for threat detection..

MEDIUM aws-gd-002

GuardDuty unresolved findings

Checks for unresolved GuardDuty findings older than 30 days that have not been investigated..

KMS (2 checks)

MEDIUM aws-kms-001

KMS key rotation

Checks if customer-managed symmetric KMS keys have automatic key rotation enabled..

HIGH aws-kms-002

KMS key policy

Checks for customer-managed KMS keys with wildcard Principal (*) in the key policy without conditions..

Lambda (3 checks)

HIGH aws-lambda-001

Lambda public function URL

Checks for Lambda functions with public function URLs (AuthType=NONE), allowing anyone on the internet to invoke them..

MEDIUM aws-lambda-002

Lambda deprecated runtime

Checks for Lambda functions using deprecated/end-of-life runtimes that no longer receive security patches..

HIGH aws-lambda-003

Lambda env var secrets

Checks for Lambda functions with environment variable names matching secret patterns (SECRET, PASSWORD, API_KEY, TOKEN, etc.)..

Secrets Manager (2 checks)

MEDIUM aws-sm-001

Secrets Manager rotation

Checks for secrets without automatic rotation configured or secrets that haven't been rotated in over 90 days..

LOW aws-sm-002

Unused secrets

Checks for secrets not accessed in over 90 days, which may indicate forgotten or abandoned credentials..

Security Hub (1 check)

MEDIUM aws-sh-001

Security Hub enabled

Checks if AWS Security Hub is enabled.

SSM (2 checks)

MEDIUM aws-ssm-001

EC2 not managed by SSM

Checks for running EC2 instances that are not registered with AWS Systems Manager for patching and remote management..

HIGH aws-ssm-002

SSM insecure parameters

Checks for SSM parameters with secret-like names (password, api_key, token, etc.) that are stored as plain String instead of SecureString..

Account (1 check)

MEDIUM aws-account-001

Security contact registered

Checks if a security alternate contact is registered for the AWS account.

Bedrock (2 checks)

HIGH aws-bedrock-001

Bedrock model invocation logging

Checks if Amazon Bedrock model invocation logging is enabled.

MEDIUM aws-bedrock-002

Bedrock guardrails

Checks if Amazon Bedrock guardrails are configured to filter harmful content, enforce topic restrictions, and prevent sensitive information disclosure..

SageMaker (3 checks)

HIGH aws-sagemaker-001