Security & Compliance Monitoring Rules
Hundreds of Rules, Based on Best Practices & Frameworks
Continually monitor your cloud for security and compliance issues. The rules are designed to help you comply with key frameworks, including CIS, NIST, NIST 800-53, NIST 800-171, AWS Well-Architected, HIPAA, PCI DSS, & FedRAMP:
- Hyperglance is shipped with hundreds of customizable rules, tailored to AWS & Azure
- New rules are added regularly in Hyperglance updates
- Automatically fix problems as they arise
- Trigger SNS, EventGrid, Slack, Teams, Jira & SMTP notifications
AWS Rules
API Gateway
API Gateway is not protected by an AWS Web Application Firewall (WAF)
AWS WAF is a web application firewall that inspects web traffic to applications and APIs hosted in AWS, allowing or blocking requests based on pre-defined rules. AWS WAF helps protect API Gateways from web-application attacks that could compromise performance and security or significantly increase AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
API Gateways with X-Ray Tracing disabled
X-Ray traces and analyzes API calls traveling from the AWS API Gateway to the backend to help identify latency issues.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
API Gateways with content encoding disabled
Enabling content encoding in AWS API Gateway compresses the data sent in API responses, reducing the volume of data sent from the API while optimizing transfer times.
• AWS Well-Architected (Reliability)
• ACSC ISM
API Gateways with invalid Endpoint types
Customize this rule to control Amazon API Gateway types allowed in your environment and to ensure network integrity.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
API Gateways without a Client Certificate
Using client certificates to authenticate API calls from AWS API Gateway allows the backend to verify, control, and accept HTTP requests that originate from the API Gateway only, reducing the risk of unauthorized API calls.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Public API Gateways
Public API endpoints allow direct Internet access to backend services, potentially exposing sensitive data to unauthorized modification, destruction, or disclosure. Using Amazon API Gateways with private API endpoints can restrict access to backend services from selected VPCs and VPC endpoints, isolating critical backend services from the Internet.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
API Gateway Stage
API Gateway stage-level cache encryption disabled
API caching reduces the number of API calls made to the backend by caching API responses, decreasing latency. Encrypting cached API responses at the API Gateway preserves the confidentiality of sensitive data at rest, reducing the risk of unauthorized or accidental disclosure.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
API Gateway stage-level logging disabled
API Gateway logging records which users accessed the API and how they accessed it, giving visibility into user activity.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Application Load Balancer
Application Load Balancers listening on Insecure Protocol
Configuring Amazon Application Load Balancers to redirect unencrypted HTTP requests to HTTPS automatically helps preserve the confidentiality of sensitive data in transit.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Application Load Balancers with Access Logs Disabled
AWS Application Load Balancer access logs record detailed information about client requests sent to the load balancer, including the requests' time, source IP addresses, request paths, and server responses. Access logs help troubleshoot performance issues and support forensics investigation during or after a security incident.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Application Load Balancers with Deletion Protection Disabled
AWS Application Load Balancers forward client requests to a backend target group. Deletion protection prevents a load balancer from being accidentally or deliberately deleted, which would cause a denial of service.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Application Load Balancers with no Registered Targets
AWS Application Load Balancers forward client requests to a backend target group. A target group consists of multiple registered targets in different availability zones, such as EC2 instances. AWS Load Balancers with no registered targets can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Idle Application Load Balancers
AWS Application Load Balancers distribute and forward network traffic across multiple instances in different Availability Zones. Idle or unused AWS Application Load Balancers can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Internet-facing Application Load Balancers
Internet-facing Application Load Balancers route requests from clients on the Internet to registered target groups. It is recommended to review all Internet-facing Load Balancers to confirm that each one is intended to be publicly reachable.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Application Load Balancer + Classic Load Balancer + Network Load Balancer
Load Balancer with Cross-Zone Load Balancing Disabled
Cross-zone load balancing helps maintain adequate capacity and availability. It reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Aurora DB Cluster
Amazon Aurora Clusters with Logging Not Enabled
Amazon Aurora Cluster Logging records detailed information about database events, connections, disconnections, and queries and helps detect abnormal events, troubleshoot issues, and support forensics investigations during or after a security incident.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Amazon Aurora Clusters with fewer than 2 AZs configured
Creating Amazon Aurora Clusters across multiple AWS Availability Zones ensures fault tolerance and reliability and supports business continuity and disaster recovery operations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Amazon Aurora DB Clusters with Backtrack feature disabled
Backtracking enables AWS Customers to return a DB cluster to a specified point in time. Backtracking helps undo destructive actions and mistakes on DB clusters with minimal service disruption.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Amazon Aurora DB Clusters with Deletion Protection Disabled
Amazon Aurora DB Clusters are groups of one or more DB instances managed by a cluster volume. Deletion protection prevents a cluster from being accidentally or deliberately deleted, which would cause data loss and a denial of service.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Idle Amazon Aurora DB Clusters
Amazon Aurora DB Clusters are groups of one or more DB instances managed by a cluster volume. Idle or unused AWS Aurora DB clusters can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Classic Load Balancer
Classic Load Balancers in Use
While both AWS Classic Load Balancers and Application Load Balancers support distributing incoming network traffic across multiple EC2 instances, Application Load Balancers offer better performance and traffic distribution by making decisions based on Layer-7 or application attributes.
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Classic Load Balancers Listening on Insecure Protocol
AWS Classic Load Balancer listeners check for connection requests on a specified port and protocol. A TLS or HTTPS listener attached to a Classic Load Balancer allows backend applications to offload the encryption and decryption process to the load balancer, increasing application performance while preserving the confidentiality of sensitive data in transit.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Classic Load Balancers with no Registered Instances
AWS Classic Load Balancers forward client requests to a backend instance group consisting of multiple registered instances in different availability zones. AWS Load Balancers with no registered instances can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Classic Load Balancers without SSL Certificate
To help protect data in transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Idle Classic Load Balancers
AWS Classic Load Balancers distribute and forward network traffic across multiple instances in different Availability Zones. Idle or unused AWS Classic Load Balancers can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Internet-facing Classic Load Balancers
Internet-facing Classic Load Balancers route traffic from clients on the Internet to registered EC2 instances. It is recommended to review all Internet-facing Load Balancers to confirm that each one is intended to be publicly reachable.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
DynamoDB Accelerator
DynamoDB Accelerator Cluster encryption disabled
Amazon DynamoDB Accelerator (DAX) is a managed in-memory cache for Amazon DynamoDB. Encrypting DAX helps preserve the confidentiality and integrity of sensitive data at rest and limits the impacts of accidental or deliberate data disclosure.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
DynamoDB Table
DynamoDB Point-in-Time recovery disabled
Point-in-Time Recovery enables continuous backups of DynamoDB tables, protecting against accidental or intentional write or delete operations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
DynamoDB Tables Not Encrypted Using A Customer-Managed KMS Key
Amazon DynamoDB is a managed NoSQL database service. Encrypting DynamoDB Tables using customer-managed encryption keys stored in AWS KMS provides more granular confidentiality controls over sensitive data and can help meet compliance requirements.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
DynamoDB Tables with invalid Encryption Status
Amazon DynamoDB is a managed NoSQL database service. Encrypting DynamoDB Tables preserves the confidentiality and integrity of sensitive data at rest and limits the impacts of accidental or deliberate data disclosure.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
DynamoDB Tables with Zero Items
Empty or unused AWS DynamoDB Tables may violate the principle of least functionality and increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EBS Snapshot
Unencrypted EBS snapshot
Amazon Elastic Block Storage (EBS) snapshots are incremental backups of EBS volumes stored in Amazon S3 and help restore data to new EBS volumes. Encrypting EBS snapshots preserves the confidentiality and integrity of sensitive data at rest while limiting the impacts of unauthorized or accidental data disclosure.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Orphaned EBS Snapshots older than 30 days
Amazon Elastic Block Storage (EBS) snapshots are incremental backups of EBS volumes stored in Amazon S3 and help restore data to new EBS volumes. Keeping EBS snapshots older than 30 days can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EBS Volume
EBS Volumes Attached to a Stopped EC2 Instance
Amazon Elastic Block Storage (EBS) volumes are storage devices attached to an instance, similar to physical hard drives. AWS EBS volumes attached to stopped EC2 instances may violate the principle of least functionality and increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EBS Volumes Not Marked For "Delete On Terminate"
Amazon Elastic Block Storage (EBS) volumes are storage devices attached to an instance, similar to physical hard drives. Retaining AWS EBS volumes attached to terminated EC2 instances may violate the principle of least functionality and increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Unencrypted EBS Volume
Amazon Elastic Block Storage (EBS) offers volume encryption using AES-256-XTS and a customer-managed key stored in KMS. Encrypting EBS volumes preserves the confidentiality and integrity of sensitive data stored in them while reducing the risk of unauthorized or accidental data disclosure.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
EBS Volumes without a backup plan
AWS Backup is a fully managed service that allows customers to automate AWS EBS and EC2 backup operations. Using AWS Backup to manage and automate AWS EBS volume backups supports business continuity, disaster recovery, and system restoration efforts.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Idle EBS volumes
Amazon Elastic Block Storage (EBS) volumes are storage devices attached to an instance, similar to physical hard drives. Idle or unused AWS EBS volumes can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Unattached EBS Volume
Amazon Elastic Block Storage (EBS) volumes are storage devices attached to an instance, similar to physical hard drives. AWS EBS volumes unattached from EC2 instances may violate the principle of least functionality and increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance
EC2 Instance not configured to use only Instance Metadata Service Version 2
Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled to help protect access to and control of Amazon Elastic Compute Cloud (Amazon EC2) instance metadata. IMDSv2 uses session-based controls, which can be used to restrict access to and changes of instance metadata.
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port 53 (DNS) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 135 (RPC) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 1433 (MSSQL) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 1521 (Oracle) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 22 (SSH) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 23 (Telnet) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 25 (SMTP) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 27017 (MongoDB) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 3306 (MySQL) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 3389 (RDP) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 443 (HTTPS) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 445 (SMB) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 5432 (PostgreSQL) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 80 (HTTP) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Port 9200 (Elasticsearch) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to TCP Ports 20 or 21 (FTP) via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to well-known ports or ports assigned to critical services on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound ICMP Access via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, public ICMP access to VPC resources enables system discovery and amplification (DoS) attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance not deployed in an EC2-VPC network
EC2-Classic is Amazon's original EC2 network, designed as a flat network with public IP addresses assigned to EC2 instances at launch time. Amazon is retiring the EC2-Classic network on August 15, 2022, requiring customers to migrate to EC2-VPC or VPC-Only network.
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance running for more than six months
AWS EC2 instances running for extended periods can impact system reliability. It is recommended to re-launch any EC2 instances older than six months to avoid performance or reliability issues.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instances stopped for more than 30 days
Enable this rule to help with the baseline configuration of Amazon Elastic Compute Cloud (Amazon EC2) instances by checking whether Amazon EC2 instances have been stopped for more than the allowed number of days, according to your organization's standards.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instances that are Open to the Entire Internet (on any port) via a Transit Gateway and a NAT Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instances that are partially open to the Internet (on any port) via a Transit Gateway and a NAT Gateway
Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups. Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance with Security Group created by 'Launch Wizard'
AWS Launch Wizard helps AWS customers create and launch Amazon EC2 instances into Amazon VPCs and creates security groups that are generally too permissive. Restricting inbound and outbound traffic to and from EC2 instances can reduce the risk of unauthorized access, denial of service, and system modifications.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instances with detailed monitoring disabled
Amazon Elastic Compute Cloud (EC2) Instances are launched with basic monitoring turned on by default, with optional detailed monitoring available. Enabling detailed monitoring for an EC2 Instance allows the AWS Console to display EC2 Instance graphs in one-minute intervals.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 135 (RPC) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 1433 (MSSQL) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 1521 (Oracle) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Ports TCP 20 and 21 (FTP) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 22 (SSH) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 23 (Telnet) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 25 (SMTP) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 27017 (MongoDB) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 3306 (MySQL) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 3389 (RDP) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 443 (HTTPS) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 445 (SMB) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 5432 (PostgreSQL) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 80 (HTTP) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port TCP 9200 (Elasticsearch) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to all Ports and Protocols via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to Port 53 (DNS) via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Unrestricted Inbound Access to all Ports and Protocols via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, inbound access to all ports and protocols on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Partial Unrestricted Inbound Access to all Ports and Protocols via a Transit Gateway and an Internet Gateway
Amazon Transit Gateways connect multiple AWS VPCs and on-premises networks via a central network transit hub, enabling bi-directional communication between cloud and on-premises resources. Unrestricted, inbound access to all ports and protocols on VPC resources via a Transit Gateway can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance Allows Partial Unrestricted Inbound Access to all Ports and Protocols via an Internet Gateway
Amazon Internet Gateways allow VPC resources in public subnets, such as EC2 instances, to communicate with the Internet. Similarly, Internet gateways allow resources on the Internet to initiate connections to VPC resources in a public subnet if they have assigned public IP addresses. Unrestricted, partial inbound access to all ports and protocols on VPC resources can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Idle EC2 Instances
Amazon Elastic Compute Cloud (EC2) instances are virtual servers deployed in an AWS account. Idle or unused AWS EC2 Instances can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Overutilized AWS EC2 Instances
Overutilized Amazon EC2 Instances can cause performance issues and should be right-sized for improved processing and response times.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Previous generation EC2 Instance types
Amazon recommends upgrading EC2 instances to the latest generations for best performance.
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Stopped EC2 Instances
Amazon Elastic Compute Cloud (EC2) instances are virtual servers deployed in an AWS account. While stopped AWS EC2 Instances do not incur charges, the Elastic IP addresses and EBS volumes attached to stopped instances can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EC2 Instance With Public IP Address
Amazon Elastic Compute Cloud (EC2) instances are virtual servers deployed in an AWS account. EC2 Instances that do not require direct Internet access should be deployed in private subnets behind NAT gateways to limit exposure to Internet-borne threats, reduce unauthorized access, and preserve their integrity.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
EKS Cluster
EKS Cluster Endpoints Publicly Accessible
Amazon Elastic Kubernetes Service (EKS) is a managed service allowing customers to run Kubernetes on AWS without managing the control plane or underlying infrastructure. New AWS EKS Clusters are launched with a public endpoint for the managed Kubernetes API server, enabling customers to manage the cluster. Enabling private access to the Kubernetes API server prevents resources on the Internet from accessing the cluster, reducing the risk of unauthorized access, modification, and denial of service through vulnerability exploitation or brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Unrestricted EKS Access on Ports Other than TCP 443
Amazon Elastic Kubernetes Service (EKS) is a managed service allowing customers to run Kubernetes on AWS without managing the control plane or underlying infrastructure. EKS Clusters are launched with a default security group allowing unrestricted inbound and outbound access. Restricting public inbound access to EKS Clusters to port TCP 443 (HTTPS) reduces the risk of unauthorized access, modification, and denial of service through vulnerability exploitation and brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Elastic IP Address
Elastic IP Address not associated with an AWS Resource
AWS Elastic IP addresses are public IPv4 addresses associated with an AWS resource, such as an instance, Internet gateway, NAT gateway, or load balancer. Disassociated Elastic IP addresses can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
IAM Policy
IAM policies allowing full administrative privileges are attached
AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing "Effect": "Allow" with "Action": "*" over "Resource": "*". Allowing users to have more privileges than needed to complete a task may violate the principle of least privilege and separation of duties.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
IAM support policy is not attached to a support role
AWS Support Center helps customers with incident notification and response, technical support, and customer services. Creating an IAM Role with a suitable IAM policy for AWS Support Center Access helps adhere to the principle of least privilege while ensuring prompt access to your AWS account during security incidents.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
IAM User
Accounts with no IAM Password Policy set
Checks for any accounts with no IAM Password Policy set.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Active IAM Access Keys older than 30 days
The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy. Changing the access keys on a regular schedule is a security best practice. It shortens the period an access key is active and reduces the business impact if the keys are compromised.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Active IAM Access Keys older than 45 days
Rotating IAM access keys on the schedule set by organizational policy is a security best practice that keeps credentials auditable for authorized devices, users, and processes. It shortens the period an access key is valid and reduces the business impact if a key is compromised. This rule flags active keys created or last rotated more than 45 days ago.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Active IAM Access Keys older than 90 days
Rotating IAM access keys on the schedule set by organizational policy is a security best practice that keeps credentials auditable for authorized devices, users, and processes. It shortens the period an access key is valid and reduces the business impact if a key is compromised. This rule flags active keys created or last rotated more than 90 days ago, the threshold used by the CIS benchmark.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS BENCHMARK LEVEL 1
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Expired SSL/TLS IAM certificates
Server certificates stored in IAM (used by services such as Elastic Load Balancing and CloudFront) should be valid and unexpired. Deploying only valid SSL/TLS certificates preserves the credibility of HTTPS-enabled applications and websites and avoids browser warnings that train users to click through certificate errors.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
IAM Root User Access Keys Exist
Control access to systems and assets by ensuring that the root user has no access keys. The root user is not an IAM role or user; it is the account owner identity, and IAM policies cannot restrict it, so root access keys provide unrestricted programmatic access to the whole account. Delete any root access keys and use IAM roles with scoped permissions instead, in line with the principle of least functionality.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
IAM User with Console Password set and MFA disabled
Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password. MFA adds an extra layer of protection on top of a user name and password. By requiring MFA for IAM users, you can reduce incidents of compromised accounts and keep sensitive data from being accessed by unauthorized users.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
IAM User with Password and Access Keys configured
An IAM user that has both a console password and access keys holds two credentials that can each be stolen independently. Give each identity only the credential type it needs: a console password (with MFA) for people, and, for programmatic access, short-lived role credentials in preference to long-lived access keys. Minimising the credentials and privileges on each identity reduces the impact if any one of them is compromised.
IAM access keys unused for 90 days or more
Disabling or deleting access keys unused for 90 days or more is a security best practice that reduces the window of opportunity for using abandoned credentials.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
IAM root user login in the past 30 days
When an AWS account is created, a root user is created with it that cannot be disabled or deleted and that has unrestricted access to and control over every resource in the account. Avoid using this user for everyday tasks. This rule flags accounts in which the root user has signed in during the past 30 days so that each use can be reviewed.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
IAM User password unused for 90 days or more
Disabling or deleting IAM Users unused for 90 days or more is a security best practice that reduces the window of opportunity for using compromised credentials.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
IAM Password Policy permits password reuse
Preventing users from reusing old passwords is a security best practice: it stops a previously leaked or compromised password from being brought back into service and limits the effectiveness of password-guessing attacks that draw on earlier breaches.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
IAM user with direct inline policy
This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets. Assigning privileges at the group or the role level helps to reduce opportunity for an identity to receive or retain excessive privileges.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
IAM users with a password age over 90 days
Requiring users to refresh their passwords regularly is a security best practice that limits the effectiveness of password brute-force attacks and shortens the period during which a stolen or compromised password remains usable.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Weak IAM password policy
Requiring users to create strong passwords is a security best practice that limits the effectiveness of password brute-force attacks against an AWS account.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
IAM root users that are not MFA protected
Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user. The root user is the most privileged identity in an AWS account. MFA adds an extra layer of protection on top of a user name and password; by requiring MFA for the root user, you reduce the likelihood of a compromised AWS account.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS BENCHMARK LEVEL 2
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
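The IAM User rules above (root access keys, root sign-in in the past 30 days, root without MFA, console password without MFA, password plus access keys, password unused or older than 90 days, and access keys older than 30/45/90 days or unused for 90 days) can all be answered from one data source: the IAM credential report. The script below is an added example, not Hyperglance code, that evaluates such a report. It assumes the CSV layout that `aws iam get-credential-report` returns after base64 decoding; the report embedded here is constructed for illustration, and the evaluation date is fixed so the results are reproducible.

```python
"""Evaluate an IAM credential report against the IAM User rules above.

Added example, not Hyperglance code. The input is the CSV that
`aws iam get-credential-report` returns (after base64 decoding); the
report below is constructed for illustration and NOW is fixed so the
results are reproducible.
"""
import csv
import io
from datetime import datetime, timezone

HEADER = ("user,arn,user_creation_time,password_enabled,password_last_used,"
          "password_last_changed,password_next_rotation,mfa_active,"
          "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
          "access_key_1_last_used_region,access_key_1_last_used_service,"
          "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
          "access_key_2_last_used_region,access_key_2_last_used_service,"
          "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated")

ROWS = [  # constructed rows; account ID 111122223333 is a documentation placeholder
    # root: no MFA, an active access key, signed in 12 days before NOW
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,"
    "2024-05-20T09:00:00+00:00,not_supported,not_supported,false,"
    "true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    # alice: console + MFA, plus an access key rotated 42 days ago
    "alice,arn:aws:iam::111122223333:user/alice,2023-01-10T00:00:00+00:00,true,"
    "2024-05-25T08:00:00+00:00,2024-05-01T00:00:00+00:00,2024-07-30T00:00:00+00:00,true,"
    "true,2024-04-20T00:00:00+00:00,2024-05-29T00:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    # bob: console without MFA, stale password, stale and unused key
    "bob,arn:aws:iam::111122223333:user/bob,2022-06-01T00:00:00+00:00,true,"
    "2024-01-05T00:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,false,"
    "true,2023-09-01T00:00:00+00:00,2023-12-01T00:00:00+00:00,us-east-1,ec2,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    # ci-deploy: programmatic only, key in use but 92 days old
    "ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-03-01T00:00:00+00:00,false,"
    "no_information,N/A,N/A,false,"
    "true,2024-03-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,eu-west-1,lambda,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
]
SAMPLE_REPORT = "\n".join([HEADER, *ROWS]) + "\n"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _age_days(value, now):
    """Days since an ISO-8601 timestamp; None for N/A, no_information, not_supported."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None


def evaluate(report_csv, now=NOW, key_age_limit=90):
    """Return (user, rule) pairs; key_age_limit selects the 30/45/90-day key-age rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"] == "true"   # root reports not_supported
        if is_root:
            if row["mfa_active"] == "false":
                findings.append((user, "root-mfa-disabled"))
            login_age = _age_days(row["password_last_used"], now)
            if login_age is not None and login_age <= 30:
                findings.append((user, "root-login-last-30-days"))
        if has_password:
            if row["mfa_active"] == "false":
                findings.append((user, "console-password-without-mfa"))
            used = _age_days(row["password_last_used"], now)
            if used is None:                        # never used: count from user creation
                used = _age_days(row["user_creation_time"], now)
            if used >= 90:
                findings.append((user, "password-unused-90-days"))
            changed = _age_days(row["password_last_changed"], now)
            if changed is not None and changed > 90:
                findings.append((user, "password-age-over-90-days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "root-access-key-exists"))
            if has_password:
                findings.append((user, f"password-and-access-key-{n}"))
            rotated = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if rotated is not None and rotated > key_age_limit:
                findings.append((user, f"access-key-{n}-older-than-{key_age_limit}-days"))
            last_used = _age_days(row[f"access_key_{n}_last_used_date"], now)
            if last_used is None:                   # never used: count from creation/rotation
                last_used = rotated
            if last_used is not None and last_used >= 90:
                findings.append((user, f"access-key-{n}-unused-90-days"))
    return findings


if __name__ == "__main__":
    for user, rule in evaluate(SAMPLE_REPORT):
        print(f"{user:16} {rule}")
```

Two details matter in practice: a password or key that has never been used carries no last-used date, so its age has to be counted from creation or last rotation, otherwise never-used credentials (the most likely to be forgotten) escape the 90-day rules; and the report is generated on demand and cached for a few hours, so call generate-credential-report before fetching it if you need current data.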
Internet Gateway
Internet Gateway not attached to a VPC
Manage access to resources in the AWS Cloud by ensuring that internet gateways are attached only to authorized Amazon Virtual Private Clouds (Amazon VPCs). Internet gateways allow bi-directional internet access to and from an Amazon VPC, which can lead to unauthorized access to VPC resources. A detached internet gateway is an unused resource that can later be attached to any VPC in the account; review it and delete it if it is not needed.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Lambda Function
Lambda Function without VPC Access
Deploy AWS Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for secure communication between a function and other services within the Amazon VPC. With this configuration there is no requirement for an internet gateway, NAT device, or VPN connection; all the traffic remains within the AWS Cloud. Note that a VPC-attached function has no internet access unless its subnet routes through a NAT gateway, so reach AWS services such as S3 or DynamoDB through VPC endpoints rather than over the internet.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Lambda Functions with no Dead Letter Queue Configured
AWS Lambda Dead Letter Queue (DLQ) enables message handling for all asynchronous function invocations. Enabling DLQ on Lambda Functions helps notify the appropriate personnel through Amazon Simple Queue Service (Amazon SQS) or Amazon Simple Notification Service (Amazon SNS) when a function has failed.
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• DISA IL2
• DISA IL4
• DISA IL5
Lambda Functions with Outdated Runtime Environment
Lambda Runtime provides a language-specific environment for the execution of Lambda Functions. Using the latest version of runtime environments ensures resolution for known security issues, bug fixes, and support for new features.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Lambda Functions with Tracing Disabled
X-Ray traces and analyzes Lambda Function invocations to help identify performance issues and troubleshoot errors.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
NAT Gateway
Idle NAT Gateways
AWS NAT Gateways enable instances in a private subnet to connect to systems and services outside the VPC in which they reside but prevent external systems and services from initiating connections to those instances. Idle or underutilized NAT Gateways can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Network ACL
Network ACLs that includes remote admin ports
AWS Network Access Control Lists (NACLs) filter ingress and egress traffic at the subnet boundary using stateless rules that are evaluated in ascending rule-number order, with the first match deciding. An allow rule that opens TCP port 22 (SSH) or TCP port 3389 (RDP) to 0.0.0.0/0 or ::/0 increases the risk of unauthorized administrative access to instances through vulnerability exploitation and brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
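Because NACL rules are stateless and ordered, a naive check that greps for "0.0.0.0/0 on port 22" produces both false positives (a lower-numbered deny already blocks the port) and false negatives (a "-1" all-traffic allow carries no port range at all). The Python below is an added example, not Hyperglance rule logic, that honours the evaluation order. It assumes the entry shape that boto3's ec2.describe_network_acls() returns; the ACL embedded here is constructed.

```python
"""Decide whether a network ACL exposes SSH or RDP to the whole Internet.

Added example, not Hyperglance code. Entries use the shape that boto3's
ec2.describe_network_acls() returns; the ACL below is constructed.
NACLs are stateless and evaluated in ascending RuleNumber order with the
first match deciding, so a deny with a lower number neutralises a later
wide-open allow, and a protocol "-1" allow with no PortRange opens
every port.
"""
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

SAMPLE_ACL = {
    "NetworkAclId": "acl-0123456789abcdef0",   # constructed ID
    "Entries": [
        {"RuleNumber": 90, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},                 # all traffic: no PortRange key
        {"RuleNumber": 200, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},                 # the implicit default deny
    ],
}


def _covers_port(entry, port):
    """True if the entry applies to TCP traffic on `port` ("-1" means all traffic)."""
    if entry["Protocol"] not in ("-1", "6"):
        return False
    rng = entry.get("PortRange")
    return rng is None or rng["From"] <= port <= rng["To"]


def exposed_admin_ports(acl):
    """Return {port: name} for admin ports that an arbitrary Internet source can reach."""
    exposed = {}
    ingress = sorted((e for e in acl["Entries"] if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    for port, name in ADMIN_PORTS.items():
        for entry in ingress:
            source = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
            # Only any-source entries decide for "the whole Internet": a narrower
            # CIDR affects some sources and leaves the rest to later rules. (A pair
            # of /1 allows that together cover everything is not detected here.)
            if source not in ANY_SOURCE or not _covers_port(entry, port):
                continue
            if entry["RuleAction"] == "allow":
                exposed[port] = name
            break                                  # first matching rule wins
    return exposed


if __name__ == "__main__":
    print(exposed_admin_ports(SAMPLE_ACL))   # RDP is denied by rule 90, SSH is open via 100
```

Remember that the NACL is only one layer: an instance is reachable on port 22 only if the subnet route table, the NACL, and the security group all permit it, so treat a NACL finding as a prompt to check the security groups in that subnet as well.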
Network Interface
Detached Elastic Network Interface
An AWS Elastic Network Interface (ENI) represents a virtual network card inside a VPC and directs network traffic to the AWS instance to which it is attached. Deleting detached ENIs reduces unnecessary configuration items, increases the accuracy of cloud inventories, and streamlines network management.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Network Load Balancer
Idle Network Load Balancers
AWS Network Load Balancers distribute and forward network traffic across multiple targets in an attached target group without modifying the headers. Idle or unused AWS Network Load Balancers can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Internet-facing Network Load Balancers
Internet-facing Network Load Balancers route network traffic from clients on the Internet to registered target groups. It is recommended to review all Internet-facing Load Balancers to ensure validity.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Network Load Balancer with no TLS/HTTPS listener
AWS Network Load Balancer listeners check for connection requests on a specified port and protocol. A TLS listener on a Network Load Balancer lets backend applications offload TLS termination to the load balancer, improving application performance while preserving the confidentiality of sensitive data in transit from the client. If the backend traffic itself must stay encrypted, forward to a TLS target group rather than TCP.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Network Load Balancer with Logging Disabled
AWS Network Load Balancer logs record detailed information about TLS connections sent to a network load balancer and help troubleshoot issues, identify abnormal traffic patterns, and perform forensics analysis during or after a security incident.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Network Load Balancers with no Registered Targets
AWS Network Load Balancers forward network traffic from clients to a backend target group. A target group consists of multiple registered targets in different availability zones, such as EC2 instances. AWS Load Balancers with no registered targets can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
RDS DB Instance
AWS RDS instances with Auto Minor Version Upgrade not enabled
Enabling automated minor version upgrades for Amazon RDS ensures that instances automatically receive security updates and bug fixes during established maintenance windows.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Idle RDS Instances
Amazon Relational Database Service (RDS) instances are database servers deployed in an AWS account. RDS instances contain one or more user-created databases. Idle or unused AWS RDS instances can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Previous Generation RDS Instances
Amazon recommends upgrading RDS instances to the latest generations for best performance.
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Public RDS Instances
Amazon RDS Database Instances should be deployed in private subnets to limit exposure to Internet-borne threats, reduce unauthorized access, and preserve their integrity.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
RDS Instances with "Copy Tags" Disabled
Amazon RDS tags add metadata and apply access policies to RDS resources and should be copied to database snapshots so that they match the parent instance.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
RDS Instances With Enhanced Monitoring Disabled
Enhanced Monitoring provides detailed OS-level visibility into the health of your Amazon RDS database instances. When RDS storage spans more than one underlying physical device, Enhanced Monitoring collects data for each device; in a Multi-AZ deployment it also collects per-device data and host metrics for the secondary host.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• CMMC
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Overutilized RDS Instance
Overutilized Amazon RDS Database Instances can cause performance issues and should be upgraded for improved processing and response times.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
RDS Instances that have Backup Retention Period = 0
Retaining backups of AWS RDS Instances for a specified period helps support business continuity and disaster recovery operations and meets regulatory and legal requirements.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
RDS Instances with Logging Not Enabled
Amazon RDS Database Instance Logging records detailed information about database events, connections, disconnections, and queries and helps detect abnormal events, troubleshoot issues, and support forensics investigations during or after a security incident.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
RDS Instances with a backup retention period less than 7 days
Taking backups of AWS RDS Instances on a specified frequency helps support business continuity and disaster recovery operations and meets regulatory and legal requirements.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
RDS Instance with default admin username
Amazon RDS instances are created with an engine-specific default master username (for example admin for MySQL and MariaDB, postgres for PostgreSQL) unless one is specified. Choosing a non-default master username removes a known value from an attacker's password-guessing attempts; it complements, rather than replaces, a strong password and network restrictions on the instance.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• DISA IL2
• DISA IL4
• DISA IL5
Unencrypted RDS Instance
Encrypting RDS Database Instances helps preserve the confidentiality and integrity of sensitive data at rest and limits the impacts of accidental or deliberate data disclosure.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
RDS Instances without Performance Insights
Amazon RDS Performance Insights is a monitoring service that helps detect and isolate performance and load issues on RDS instances.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• CMMC
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
RDS Instance without a Backup Plan
AWS Backup is a fully managed service that lets customers automate AWS RDS backup operations. Using AWS Backup to manage and automate RDS instance backups supports business continuity, disaster recovery, and system restoration efforts.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
RDS instances that are not Multi-AZ
Creating Amazon RDS Instances across multiple AWS Availability Zones ensures fault tolerance and reliability and supports business continuity and disaster recovery operations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
RDS Snapshot
Unencrypted RDS Snapshot
Encrypting RDS database instance snapshots helps preserve the confidentiality and integrity of sensitive data at rest and limits the impact of accidental or deliberate data disclosure. A snapshot of an unencrypted instance is itself unencrypted, and a shared or copied unencrypted snapshot carries the full database contents with it.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Redshift Cluster
Older generation Redshift Clusters
Redshift node types DC1 and DS2 are previous generation; DC2 and RA3 are the current generations. Running a current-generation node type gives you better performance and, in most cases, lower cost.
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Redshift Cluster running on default port
Amazon Redshift clusters listen on TCP port 5439 by default. Changing the default port provides some protection against untargeted scans. This is defence in depth only: the cluster's security group and its public-accessibility setting remain the real access controls.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• DISA IL2
• DISA IL4
• DISA IL5
Redshift Cluster is publicly accessible
Amazon Redshift is a data warehouse service consisting of clusters with one or more databases that can store sensitive information. Disabling public access to Amazon Redshift clusters when such access is not required helps preserve the confidentiality, integrity, and availability of sensitive data by preventing unauthorized access.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Redshift Cluster with database encryption disabled
Encrypting Amazon Redshift cluster databases helps preserve the confidentiality of sensitive data in storage, reducing the impact of unauthorized or unintended information disclosure.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Redshift Cluster not deployed in an EC2-VPC Network
EC2-Classic is Amazon's original EC2 network, designed as a flat network with public IP addresses assigned to EC2 instances at launch time. Amazon is retiring the EC2-Classic network on August 15, 2022, so Redshift clusters still running in EC2-Classic must be migrated into a VPC.
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Redshift Clusters that don't allow version upgrades
Enabling version upgrade for Amazon Redshift clusters ensures that clusters automatically receive security updates and bug fixes during established maintenance windows.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Redshift Cluster without a specified maintenance window
A specified weekly maintenance window ensures that Amazon Redshift clusters receive operating-system and database-engine updates at a predictable time of your choosing rather than one assigned by AWS.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Redshift Cluster with default admin username
Amazon Redshift clusters are created with a default admin username of "awsuser". Changing the default admin username provides additional protection against brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• DISA IL2
• DISA IL4
• DISA IL5
Redshift Cluster with insufficient retention period
Snapshots are backup copies of Amazon Redshift clusters with a default retention period of one day. Modifying the retention period according to an organization's recovery requirements helps meet recovery point objectives and restore clusters upon destruction, failure, or corruption.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Redshift Cluster Node
Redshift Node with High Disk Space Usage
High disk usage in Redshift Nodes can cause performance issues and data loss.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Reliability)
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Idle Redshift Cluster Nodes
Amazon Redshift is a data warehouse service consisting of clusters with one or more databases that can store sensitive information. Idle or unused AWS Redshift Cluster Nodes can increase your monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Underutilized Redshift Cluster Nodes
Down-sizing underutilized Redshift Clusters can help reduce your monthly AWS costs.
• ISO27001
Region
IAM Access analyzer status is disabled
IAM Access Analyzer examines resource policies (for example on S3 buckets, IAM roles, and KMS keys) to detect access granted to principals outside your zone of trust, such as another AWS account or the public. It is enabled per Region, so this rule reports each Region without an active analyzer.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
AWS Region with EBS Encryption By Default Disabled
AWS Elastic Block Storage (EBS) Encryption By Default enforces encryption of new EBS volumes and snapshots created per Region in an AWS account. Enabling EBS encryption by default for all Regions ensures that EBS Volumes and Snapshots are encrypted when created, preserving the confidentiality of sensitive data stored in Volumes and snapshots.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 2
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
S3 Bucket
Public S3 Buckets
Disabling public access to Amazon S3 buckets when such access is not required helps preserve the confidentiality, integrity, and availability of sensitive data by preventing unauthorized access.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
S3 Bucket Logging Disabled
Amazon S3 server access logging captures a detailed record of every request made to a bucket and gives you a way to detect and investigate potential security events. Each access log record describes a single request: the requester, bucket name, request time, request action, response status, and any error code.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
S3 Bucket Name is not DNS compliant
AWS recommends following best practices for naming S3 buckets. Except for S3 buckets used for hosting static websites, you should avoid using dots (.) in bucket names to ensure support for virtual-host-style addressing over HTTPS, S3 Transfer Acceleration, and future AWS features.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• DISA IL2
• DISA IL4
• DISA IL5
S3 Bucket Replication Disabled
Amazon S3 Cross-Region Replication (CRR) supports maintaining adequate capacity and availability. CRR automatically and asynchronously copies objects between Amazon S3 buckets in different Regions to help ensure that data availability is maintained.
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
S3 Bucket Versioning Off
Amazon S3 bucket versioning helps preserve, retrieve, and restore previous versions of objects stored in S3 buckets, facilitating data recovery and reconstitution following intentional or unintentional destructive events or failures.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
S3 Buckets Not Encrypted
Encrypting S3 buckets helps preserve the confidentiality of sensitive data at rest, reducing the impact of unauthorized or unintended information disclosure. Since January 2023 Amazon S3 applies SSE-S3 (AES-256) to every new object by default, so this rule chiefly catches buckets whose default encryption configuration has been removed or changed. A bucket-level setting applies to new writes only; it says nothing about objects stored before that configuration existed.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 2
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
S3 Buckets Not Encrypted With KMS Key
AWS Key Management Service (KMS) allows you to create and manage the encryption keys that protect data stored in your AWS account. Encrypting S3 buckets with a customer managed KMS key (SSE-KMS) rather than the S3-managed key adds a second authorization layer, because a principal must be allowed by both the bucket policy and the key policy to read objects, gives you control over key rotation, and records every use of the key in AWS CloudTrail, which can help meet compliance requirements.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
S3 Buckets with MFA Delete Disabled
MFA Delete requires a valid MFA code, in addition to normal credentials, before an object version can be permanently deleted or the bucket's versioning state changed, preventing accidental or unauthorized data deletion. It can only be enabled on a versioned bucket, and only by the root user of the bucket-owning account through the AWS CLI, SDKs or API; the console cannot enable it.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
S3 Buckets without Lifecycle Configuration
Amazon S3 Lifecycle rules define when objects are transitioned to another storage class or expired and deleted, including expiring noncurrent object versions and aborting incomplete multipart uploads, helping you keep storage costs down while meeting data retention requirements.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
S3 Buckets without Transfer Acceleration enabled
Amazon S3 Transfer Acceleration routes uploads and downloads through CloudFront edge locations, improving transfer speeds for large objects moved over long distances. It is not available on buckets whose names contain dots.
• GDPR
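The S3 rules above all reduce to a handful of bucket-level settings. The following added example (not Hyperglance's code) evaluates them offline. Each bucket dict gathers the inner payloads of the boto3 calls get_bucket_versioning, get_bucket_encryption (the ServerSideEncryptionConfiguration value), get_bucket_lifecycle_configuration, get_bucket_replication (the ReplicationConfiguration value) and get_bucket_logging (the LoggingEnabled value) under the keys Versioning, Encryption, Lifecycle, Replication and Logging; those key names and the SAMPLE_BUCKETS data are this example's own construction, not output from a real account.

```python
"""Evaluate S3 bucket configuration against the S3 rules above (naming, access
logging, replication, versioning, MFA Delete, encryption, KMS, lifecycle).

Added example, not Hyperglance code. Key names and SAMPLE_BUCKETS are constructed.
"""
import ipaddress
import re

# 3-63 chars of lowercase letters, digits, dots and hyphens, starting and ending with a letter or digit.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}   # SSE-KMS and DSSE-KMS default-encryption values


def bucket_name_issues(name):
    """Naming problems for `name`; an empty list means DNS compliant and dot-free."""
    issues = []
    if not _NAME_RE.match(name):
        issues.append("invalid_characters_or_length")
    if ".." in name:
        issues.append("adjacent_periods")
    if "." in name:
        issues.append("contains_dot")   # breaks virtual-hosted-style HTTPS and Transfer Acceleration
    try:
        ipaddress.ip_address(name)
        issues.append("looks_like_ip_address")
    except ValueError:
        pass
    return issues


def check_bucket(bucket):
    """Sorted rule identifiers the bucket violates (empty = compliant with all rules)."""
    findings = [f"name_{issue}" for issue in bucket_name_issues(bucket["Name"])]

    versioning = bucket.get("Versioning") or {}        # keys are absent until first configured
    if versioning.get("Status") != "Enabled":
        findings.append("versioning_off")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("mfa_delete_disabled")

    rules = (bucket.get("Encryption") or {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algorithms:
        findings.append("not_encrypted")           # no default-encryption configuration at all
    if not algorithms & KMS_ALGORITHMS:
        findings.append("not_encrypted_with_kms")  # SSE-S3 only, or nothing

    if not (bucket.get("Lifecycle") or {}).get("Rules"):
        findings.append("no_lifecycle_configuration")
    if not (bucket.get("Replication") or {}).get("Rules"):
        findings.append("replication_disabled")
    if not (bucket.get("Logging") or {}).get("TargetBucket"):
        findings.append("access_logging_disabled")
    return sorted(findings)


# Constructed sample buckets (the ARNs and account number are placeholders, not real resources).
SAMPLE_BUCKETS = [
    {"Name": "finance-archive",
     "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
     "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
         "SSEAlgorithm": "aws:kms",
         "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/example"},
         "BucketKeyEnabled": True}]},
     "Lifecycle": {"Rules": [{"ID": "expire-noncurrent", "Status": "Enabled",
                              "NoncurrentVersionExpiration": {"NoncurrentDays": 90}}]},
     "Replication": {"Role": "arn:aws:iam::123456789012:role/s3-replication",
                     "Rules": [{"ID": "to-dr-region", "Status": "Enabled"}]},
     "Logging": {"TargetBucket": "finance-logs", "TargetPrefix": "archive/"}},
    {"Name": "my.legacy.bucket",
     "Versioning": {},
     "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
     "Lifecycle": None, "Replication": None, "Logging": None},
]

if __name__ == "__main__":
    for bucket in SAMPLE_BUCKETS:
        print(bucket["Name"], check_bucket(bucket) or "compliant")
```

Note that the second bucket is "encrypted" in the sense of the first encryption rule (SSE-S3 is present, as it is on every bucket today) but still fails the KMS rule, which is the distinction a reviewer actually cares about.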
Security Group
AWS Security Group allows unrestricted access to TCP port 22 (SSH)
AWS Security Groups control ingress and egress traffic through stateful filtering. An inbound rule that allows TCP port 22 (SSH) from 0.0.0.0/0 or ::/0 exposes the SSH service to the whole Internet, increasing the risk of unauthorized administrative access via vulnerability exploitation and credential brute-forcing. Restrict the source to known administrative ranges, or remove the rule and reach instances through AWS Systems Manager Session Manager or EC2 Instance Connect instead.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
AWS Security Group allows unrestricted access to TCP port 3389 (RDP)
AWS Security Groups control ingress and egress traffic through stateful filtering. An inbound rule that allows TCP port 3389 (RDP) from 0.0.0.0/0 or ::/0 exposes the RDP service to the whole Internet, increasing the risk of unauthorized administrative access via vulnerability exploitation and credential brute-forcing. Restrict the source to known administrative ranges, or remove the rule in favour of a bastion host or Systems Manager Session Manager port forwarding.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
AWS Security Group allows unrestricted access to all ports and protocols
AWS Security Groups control ingress and egress traffic to AWS through stateful filtering. Unrestricted, public access to all ports and protocols increases the risk of unauthorized access and denial of service via vulnerability exploitation and brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
AWS Security Group allows unrestricted access to remote administration ports.
AWS Security Groups control ingress and egress traffic to AWS through stateful filtering. Unrestricted, public access to remote administration ports, such as SSH (TCP 22) and RDP (TCP 3389), increases the risk of unauthorized access and denial of service via vulnerability exploitation and brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Default Security Group allows unrestricted inbound access
Every VPC is created with a default security group that allows inbound traffic only from resources assigned to that same security group and allows all outbound traffic. New instances launched without an explicit security group are placed in it. If inbound rules with a 0.0.0.0/0 or ::/0 source are added to the default group, every instance that lands in it by omission becomes reachable from the Internet. Removing all inbound and outbound rules from the default security group promotes the principle of deny-all, permit-by-exception, and reduces unnecessary exposure of AWS resources.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Default Security Group in use
Every VPC is created with a default security group that allows inbound traffic only from resources assigned to that same security group and allows all outbound traffic; it cannot be deleted. New instances launched without an explicit security group are placed in it. Because the default group is shared by everything that lands in it by omission, its rules accumulate and it offers no per-workload separation, increasing the risk of unauthorized access, resource misuse, denial of service, and data exfiltration. Assign purpose-built security groups instead and strip the default group of all rules.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Security Group allows unrestricted outbound access to all ports and protocols
AWS Security Groups control ingress and egress traffic to AWS through stateful filtering. Unrestricted, outbound access to all ports and protocols increases the risk of data exfiltration, command & control, botnet traffic, and unauthorized network communications.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Security Group allows unrestricted inbound access to a range of ports.
AWS Security Groups control ingress and egress traffic through stateful filtering. Unrestricted public access to a range of ports, such as 1024-65535 (often added for passive FTP data connections or ephemeral ports), increases the risk of unauthorized access and denial of service via vulnerability exploitation and brute-force attacks. A wide range usually sweeps in remote administration ports such as TCP 3389; open only the specific ports the service needs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Unused AWS Security Group
AWS Security Groups control ingress and egress traffic to AWS through stateful filtering. Deleting security groups not attached to an EC2 instance or Elastic Network Interface (ENI) reduces unnecessary configuration items, increases the accuracy of cloud inventories, and streamlines network management.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Default Security Group allows outbound access
Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Security Group allows ingress access to the entire RFC1918 IP space
AWS Security Groups control ingress and egress traffic through stateful filtering. Allowing ingress from 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 in their entirety admits every peered VPC, VPN and Direct Connect network, not just the subnets that need access, creating overly permissive rules that could result in unauthorized access and denial of service via vulnerability exploitation and brute-force attacks. Reference the source security group or the specific subnet CIDRs instead.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
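The security-group rules above (unrestricted SSH, RDP, all ports and protocols, port ranges, RFC1918 ingress, unrestricted egress, and the default-group rules) are all decisions over the same describe-security-groups data. The following added example (not Hyperglance's code) implements them as one offline check. It consumes dicts shaped like the output of `aws ec2 describe-security-groups`; SAMPLE_GROUPS is constructed for illustration and does not come from a real account, and the rule identifiers it returns are this example's own names.

```python
"""Evaluate AWS security groups against the rules above (SSH/RDP, all ports, port
ranges, RFC1918 ingress, unrestricted egress, default-group rules).

Added example, not Hyperglance code. Input dicts are shaped like the output of
`aws ec2 describe-security-groups`; SAMPLE_GROUPS is constructed.
"""
import ipaddress

PUBLIC = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}   # remote administration ports covered by the rules
TCP_UDP = {"tcp", "udp", "6", "17"}      # IpProtocol may be a name or an IANA number


def _sources(perm):
    """Yield each CIDR source (IPv4 and IPv6) of one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def _port_span(perm):
    """(low, high) port span of an entry; IpProtocol -1 carries no ports and means all of them."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _covers_tcp_port(perm, port):
    """True when the entry admits TCP `port`, either explicitly or via protocol -1."""
    if perm.get("IpProtocol") not in ("-1", "tcp", "6"):
        return False
    low, high = _port_span(perm)
    return low <= port <= high


def check_security_group(sg):
    """Return the sorted rule identifiers that the group violates (empty = compliant)."""
    findings = set()
    is_default = sg.get("GroupName") == "default"

    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        low, high = _port_span(perm)
        for src in _sources(perm):
            if src in PUBLIC:
                if is_default:
                    findings.add("default_sg_unrestricted_inbound")
                if proto == "-1":
                    findings.add("unrestricted_all_ports_and_protocols")
                elif proto in TCP_UDP and high > low:
                    findings.add("unrestricted_port_range")
                for port, name in ADMIN_PORTS.items():
                    if _covers_tcp_port(perm, port):
                        findings.add(f"unrestricted_{name}")
                        findings.add("unrestricted_remote_admin")
            # A source equal to (or wider than) a whole RFC1918 block admits every peered
            # VPC, VPN and Direct Connect network, not just the subnets that need access.
            elif src.version == 4 and any(src.supernet_of(block) for block in RFC1918):
                findings.add("rfc1918_ingress")

    egress = sg.get("IpPermissionsEgress", [])
    if is_default and egress:
        findings.add("default_sg_allows_outbound")
    for perm in egress:
        if perm.get("IpProtocol") == "-1" and any(d in PUBLIC for d in _sources(perm)):
            findings.add("unrestricted_egress")
    return sorted(findings)


def audit(groups):
    """Map GroupId -> findings for every group, so compliant groups show up as []."""
    return {sg["GroupId"]: check_security_group(sg) for sg in groups}


# Constructed sample data in describe-security-groups shape (not from a real account).
ANY4 = [{"CidrIp": "0.0.0.0/0"}]
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ANY4}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": ANY4}]},
    {"GroupId": "sg-0b2", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": ANY4}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": ANY4}]},
    {"GroupId": "sg-0c3", "GroupName": "app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "IpRanges": ANY4},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ANY4}]},
    {"GroupId": "sg-0d4", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ANY4}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ANY4}]},
]

if __name__ == "__main__":
    for group_id, problems in audit(SAMPLE_GROUPS).items():
        print(group_id, problems or "compliant")
```

Two details matter in practice: a protocol of -1 carries no FromPort/ToPort keys, so a check that reads those fields unconditionally silently skips the worst rule; and a public 1024-65535 range counts as an RDP exposure because 3389 falls inside it, which is the reason the port-range rule exists alongside the single-port ones.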
Virtual Private Gateway
Unused Virtual Private Gateway
An AWS Virtual Private Gateway is the VPN concentrator on the AWS side of a Site-to-Site VPN connection; attached to a VPC, it lets on-premises networks reach resources within that VPC. Deleting virtual private gateways not attached to a VPC reduces unnecessary configuration items, increases the accuracy of cloud inventories, and streamlines network management.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Workspace
Unhealthy Workspaces
A WorkSpace in the UNHEALTHY state is not responding to health checks from the WorkSpaces service, and its user cannot connect until it is rebooted or rebuilt, so unhealthy WorkSpaces translate directly into reliability and performance problems for the people who depend on them.
• AWS Well-Architected (Reliability)
Workspaces with no user activity in the last 14 days
Deleting unused AWS Workspaces reduces unnecessary configuration items, increases the accuracy of cloud inventories, and reduces the monthly AWS costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Workspaces without Root Volume encryption
Encrypting AWS Workspaces' root volumes helps preserve the confidentiality of sensitive configuration and system data in storage, reducing the impact of unauthorized or unintended information disclosure.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Workspaces without User Volume encryption
Encrypting AWS Workspaces' user volumes helps preserve the confidentiality of sensitive user data in storage, reducing the impact of unauthorized or unintended information disclosure.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Azure Rules
Application Gateway
Application Gateways listening on Insecure Protocol
Azure Application Gateway listeners accept client connections on a specified port, protocol, hostname and IP address. An HTTP listener carries requests and responses in cleartext, exposing credentials and session tokens to interception on the path to the gateway. An HTTPS listener terminates TLS at the gateway, preserving the confidentiality of data in transit while letting backend applications offload the encryption and decryption work; use it for every listener and redirect any remaining HTTP listener to HTTPS.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
Idle Application Gateways
Azure Application Gateways distribute and route traffic to web applications based on HTTP attributes. Idle or underutilized Application Gateways may violate the principle of least functionality and increase your monthly Azure costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Cosmos DB Account
Cosmos DB Accounts Accessible to Azure Services and Resources
Azure Cosmos DB is a fully managed NoSQL database service in which network access is governed by an IP-based firewall. Connecting from Azure services that use dynamic IP addresses requires enabling access from Azure datacenters, which adds 0.0.0.0 to the list of authorized IP addresses. Once enabled, resources in any Azure subscription can reach the account's endpoint, not only your own, increasing the risk of unauthorized access via vulnerability exploitation and brute-force attacks. Prefer private endpoints or virtual network service endpoints for Azure-hosted clients.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Cosmos DB Accounts Accessible to the Entire Internet
Azure Cosmos DB is a fully managed NoSQL database service in which network access is governed by an IP-based firewall. An account with no firewall rules, or with a rule covering the whole IPv4 range, accepts connections from any address on the Internet and relies entirely on its keys or identity-based authentication. Restricting access to authorized IP addresses or ranges, or to private endpoints, reduces the risk of unauthorized access via vulnerability exploitation and brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Unused Cosmos DB Accounts
Azure Cosmos DB is a fully managed NoSQL database service. Unused or underutilized Cosmos DB accounts may violate the principle of least functionality and increase your monthly Azure costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Underutilized Cosmos DB Accounts
Down-sizing underutilized Azure Cosmos DB accounts can reduce your monthly Azure costs.
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
Disk
Detached Managed Disks
Azure Managed Disks are block-level storage volumes attached to Azure Virtual Machines. When Virtual Machines are deleted, any attached disks remain in the Azure subscription to prevent data loss and continue to incur charges. Deleting unattached Azure Disks is consistent with the principle of least functionality and can help lower your monthly Azure costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Load Balancer
Idle Load Balancers
Azure Load Balancers distribute and forward network traffic across multiple backend resources or servers. Idle or underutilized Load Balancers may violate the principle of least functionality and increase your monthly Azure costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
MySQL Flexible Server + MySQL Server
MySQL Servers Accessible to Azure Services and Resources
Azure Database for MySQL server is a fully-managed relational database service in the Microsoft cloud to which access is controlled through firewall rules. Allowing applications within Azure to connect to Azure Database for MySQL servers requires enabling Azure connections or a firewall rule with a starting and ending IP address of 0.0.0.0. When Azure connections are allowed, any Azure service and resource can connect to the Azure MySQL server, increasing the risk of unauthorized access via vulnerability exploitation and brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
MySQL Servers Accessible to the Entire Internet
Azure Database for MySQL server is a fully-managed relational database service in the Microsoft cloud to which access is controlled through firewall rules. Allowing any Internet resource to connect to Azure MySQL servers requires configuring a firewall rule with a starting IP address equivalent to 0.0.0.0 and an ending IP address equal to 255.255.255.255. Unrestricted ingress access to Azure MySQL servers can increase the risk of unauthorized access via vulnerability exploitation and brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
MySQL Servers with SSL Connections not Enforced
Enforcing TLS encryption between Azure MySQL servers and client applications (the setting is still labelled "Enforce SSL connection"; on Flexible Server it is the require_secure_transport server parameter) helps preserve the confidentiality of sensitive data in transit and limits the risk of man-in-the-middle attacks. Set the minimum TLS version to 1.2 as well, since enforcing encryption alone still permits deprecated protocol versions.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
MySQL Servers with over 80% Storage Used
Azure MySQL Servers reaching the provisioned storage capacity are placed in read-only mode to prevent data loss, blocking new write operations and transactions while continuing to execute active transactions and read queries. Increasing the provisioned storage on Azure MySQL Servers is required to enable new write transactions.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Underutilized MySQL Servers
Down-sizing underutilized Azure MySQL Servers can help reduce your monthly Azure costs.
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
Network Interface
Detached Network Interfaces
Azure Network Interfaces allow Virtual Machines to connect to virtual networks. Detached or unused Network Interfaces do not release their IP address leases and could prevent new Network Interfaces from obtaining new IP addresses if address pools are depleted. Deleting Network Interfaces not attached to a Virtual Machine reduces unnecessary configuration items, increases the accuracy of cloud inventories, and streamlines network management.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Network Security Group
Unused Network Security Groups
Azure Network Security Groups control ingress and egress network traffic to and from resources in an Azure virtual network. Deleting Network Security Groups not associated with an Azure subnet or network interface reduces unnecessary configuration items, increases the accuracy of cloud inventories, and streamlines network management.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
PostgreSQL Flexible Server
PostgreSQL Flexible Servers with Low IOPs
PostgreSQL Flexible Servers whose consumed IOPS stay well below the provisioned amount are candidates for a smaller storage tier; down-sizing them can help reduce your monthly Azure costs.
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
PostgreSQL Flexible Server + PostgreSQL Server
PostgreSQL Servers Accessible to Azure Services and Resources
Azure Database for PostgreSQL is a fully-managed relational database service in the Microsoft cloud to which access is controlled through firewall rules. Allowing applications within Azure to connect to Azure Database for PostgreSQL requires enabling Azure connections or a firewall rule with a starting and ending IP address of 0.0.0.0. When Azure connections are allowed, any Azure service and resource can connect to the Azure PostgreSQL server, increasing the risk of unauthorized access via vulnerability exploitation and brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
PostgreSQL Servers Accessible to the Entire Internet
Azure Database for PostgreSQL is a fully-managed relational database service in the Microsoft cloud to which access is controlled through firewall rules. Allowing any Internet resource to connect to Azure PostgreSQL servers requires configuring a firewall rule with a starting IP address equivalent to 0.0.0.0 and an ending IP address equal to 255.255.255.255. Unrestricted ingress access to Azure PostgreSQL servers can increase the risk of unauthorized access via vulnerability exploitation and brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
PostgreSQL Servers With Over 80% Storage Used
Azure PostgreSQL Servers reaching the provisioned storage capacity are placed in read-only mode to prevent data loss, blocking new write operations and transactions while continuing to execute active transactions and read queries. Increasing the provisioned storage on Azure PostgreSQL Servers is one way to enable new write transactions.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
PostgreSQL Servers With SSL Connection Not Enforced
Enforcing TLS encryption between Azure PostgreSQL servers and client applications (the setting is still labelled "Enforce SSL connection"; on Flexible Server it is the require_secure_transport server parameter) helps preserve the confidentiality of sensitive data in transit and limits the risk of man-in-the-middle attacks. Set the minimum TLS version to 1.2 as well, since enforcing encryption alone still permits deprecated protocol versions.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
PostgreSQL Server
Underutilized PostgreSQL Servers
Down-sizing underutilized Azure PostgreSQL servers can help reduce your monthly Azure costs.
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
Public IP Address
Disassociated Public IP Addresses
Azure Public IP addresses enable Azure resources to communicate with and be reachable from external sources. Deleting Public IP addresses not associated with an Azure network resource reduces unnecessary configuration items, increases the accuracy of cloud inventories, streamlines network management, and may lower monthly Azure costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Route Table
Disassociated Route Tables
Azure Route Tables allow Azure resources in virtual networks to communicate with internal and external sources. Deleting Route Tables not associated with a subnet reduces unnecessary configuration items, increases the accuracy of cloud inventories, and streamlines network management.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
SQL Data Warehouse
Azure Synapse Dedicated SQL pool With Transparent Data Encryption Turned Off
Dedicated SQL Pool, previously known as Azure SQL Data Warehouse, is an enterprise data warehousing solution and part of Azure Synapse Analytics. Transparent data encryption (TDE) encrypts and decrypts Dedicated SQL Pools and their associated backups and transaction log files in real-time. Enabling TDE on Dedicated SQL Pools helps preserve the confidentiality and integrity of sensitive data at rest and limits the impacts of accidental or deliberate data disclosure.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
SQL Database
SQL Servers With Transparent Data Encryption Turned Off
Transparent data encryption (TDE) encrypts Azure SQL databases, their backups and transaction log files at rest, encrypting and decrypting data pages in real time as they move between storage and memory. TDE has been enabled by default on newly created Azure SQL databases since 2017, so a database with it turned off has had it deliberately disabled or inherited an older configuration. Enabling TDE helps preserve the confidentiality and integrity of sensitive data at rest and limits the impact of accidental or deliberate data disclosure.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• GDPR
• DISA IL2
• DISA IL4
• DISA IL5
SQL Server
SQL Servers Allow Access to Azure Services
Azure SQL Database is a fully-managed database service in the Microsoft cloud to which access is controlled through IP firewall rules. Allowing applications within Azure to connect to Azure SQL Servers requires enabling Azure connections or a firewall rule with a starting and ending IP address of 0.0.0.0. When Azure connections are allowed, any Azure service and resource can connect to the Azure SQL Server, increasing the risk of unauthorized access via vulnerability exploitation and brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
SQL Servers Accessible To The Entire Internet
Azure SQL Database is a fully-managed database service in the Microsoft cloud to which access is controlled through IP firewall rules. Allowing any Internet resource to connect to Azure SQL servers requires configuring a firewall rule with starting and ending IP addresses of 0.0.0.0 and 255.255.255.255, respectively. Unrestricted ingress access to Azure SQL servers can increase the risk of unauthorized access via vulnerability exploitation and brute-force attacks.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
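The "accessible to Azure services" and "accessible to the entire Internet" rules for MySQL, PostgreSQL and Azure SQL servers above all hinge on how a firewall rule's start and end addresses are read: 0.0.0.0 to 0.0.0.0 is the sentinel for the Azure-services toggle, and 0.0.0.0 to 255.255.255.255 is the whole Internet. The following added example (not Hyperglance's code) classifies rules that way, and also flags ranges that miss the exact Internet-wide pattern but are nearly as wide. Each rule carries the name, startIpAddress and endIpAddress fields that `az sql server firewall-rule list` and the MySQL and PostgreSQL equivalents return; SAMPLE_RULES is constructed, and the BROAD_RANGE threshold is this example's assumption rather than an Azure or Hyperglance setting.

```python
"""Classify firewall rules on Azure SQL, Azure Database for MySQL and Azure Database
for PostgreSQL servers, for the "accessible to Azure services" and "accessible to the
entire Internet" rules above.

Added example, not Hyperglance code. SAMPLE_RULES and BROAD_RANGE are constructed.
"""
import ipaddress

ZERO = ipaddress.ip_address("0.0.0.0")
LAST = ipaddress.ip_address("255.255.255.255")
BROAD_RANGE = 65536   # assumed threshold: wider than a /16 is treated as effectively public


def classify_rule(rule):
    """One of: azure_services, entire_internet, broad_range, scoped."""
    start = ipaddress.ip_address(rule["startIpAddress"])
    end = ipaddress.ip_address(rule["endIpAddress"])
    if start > end:
        raise ValueError(f"{rule['name']}: start address is after end address")
    if start == end == ZERO:
        # The sentinel written by the "Allow Azure services and resources" toggle:
        # resources in any Azure subscription may connect, not only yours.
        return "azure_services"
    if start == ZERO and end == LAST:
        return "entire_internet"
    if int(end) - int(start) + 1 > BROAD_RANGE:
        # e.g. 1.0.0.0-223.255.255.255 never matches the exact Internet-wide pattern
        # but admits almost every public address.
        return "broad_range"
    return "scoped"


def audit_server(rules):
    """{classification: [rule names]} for one server's firewall rules."""
    report = {}
    for rule in rules:
        report.setdefault(classify_rule(rule), []).append(rule["name"])
    return report


def violations(rules):
    """Rule identifiers this server violates, in the order the catalogue lists them."""
    report = audit_server(rules)
    found = []
    if "azure_services" in report:
        found.append("accessible_to_azure_services")
    if "entire_internet" in report:
        found.append("accessible_to_entire_internet")
    if "broad_range" in report:
        found.append("broad_ip_range")
    return found


# Constructed sample rules; the first name is the one Azure SQL assigns when the
# "Allow Azure services and resources to access this server" toggle is enabled.
SAMPLE_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
    {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "almost-everything", "startIpAddress": "1.0.0.0", "endIpAddress": "223.255.255.255"},
]

if __name__ == "__main__":
    for kind, names in audit_server(SAMPLE_RULES).items():
        print(f"{kind:16} {', '.join(names)}")
    print("violations:", violations(SAMPLE_RULES))
```

The broad_range class is the caveat a practitioner wants: a check that only matches the literal 0.0.0.0 to 255.255.255.255 pair is trivially bypassed by a rule ending at 255.255.255.254, so compare address counts rather than strings.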
Underutilized SQL Servers
Down-sizing underutilized Azure SQL servers can help reduce your monthly Azure costs.
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• ACSC ISM
• ISO27001
Traffic Manager Profile
Idle Traffic Manager Profiles
Azure Traffic Manager distributes and routes client requests to Internet-facing applications across Azure regions using DNS. Idle or underutilized Traffic Manager profiles may violate the principle of least functionality and increase your monthly Azure costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine
Idle Virtual Machines
Azure Virtual Machines (VM) are virtual servers deployed in a Microsoft Azure subscription. Idle or underutilized Virtual Machines may violate the principle of least functionality and increase your monthly Azure costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 135 (RPC)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Port 135 is the Windows RPC endpoint mapper used by DCOM, WMI and remote service management; exposing it to the Internet invites enumeration and remote code execution attempts against unpatched hosts. Unrestricted inbound access to well-known ports or ports assigned to critical services can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 1433 (MSSQL)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Port 1433 is the default Microsoft SQL Server listener and a constant target for credential brute-forcing; database access should be limited to application subnets or private endpoints. Unrestricted inbound access to well-known ports or ports assigned to critical services can lead to attacks against system confidentiality, integrity, and availability through vulnerability or misconfiguration exploitation.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 1521 (Oracle)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Ports 20 or 21 (FTP)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 22 (SSH)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 23 (Telnet)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 25 (SMTP)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 27017 (MongoDB)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 3306 (MySQL)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 3389 (RDP)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 443 (HTTPS)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 445 (CIFS)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 53 (DNS)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 5432 (PostgreSQL)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 80 (HTTP)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to Port 9200 (Elasticsearch)
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to well-known ports or ports assigned to critical services on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Virtual Machine Allows Unrestricted Inbound Access to all Ports and Protocols
Azure Network Security Groups allow or deny network traffic to and from Azure Virtual Machines. Unrestricted inbound access to all ports and protocols on Azure resources can lead to attacks against system confidentiality, integrity, and availability through exploitation of vulnerabilities or misconfigurations.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS BENCHMARK LEVEL 1
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• HIPAA
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Stopped Virtual Machines
Azure Virtual Machines (VM) are virtual servers deployed in a Microsoft Azure subscription. Stopped Virtual Machines do not release the leases on underlying resources and incur charges as if they were running, potentially violating the principle of least functionality and increasing your monthly Azure costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5
Web App
Idle Web App Services
Azure App Service is a fully-managed service that allows customers to build and host web apps, REST APIs, and mobile backends. Idle or underutilized Web Apps may violate the principle of least functionality and increase your monthly Azure costs.
• NIST 800-53 LOW
• NIST 800-53 MODERATE
• NIST 800-53 HIGH
• NIST 800-171
• CIS CRITICAL CONTROLS
• FedRAMP LOW
• FedRAMP MODERATE
• FedRAMP HIGH
• PCI DSS
• AWS Well-Architected (Security)
• AWS Well-Architected (Reliability)
• CMMC
• ACSC ISM
• ISO27001
• DISA IL2
• DISA IL4
• DISA IL5