EC2 Instance Snapshots Should Not Be Public
Your EC2 instance snapshots should not be publicly accessible. This is to avoid exposing your private data.
Your EC2 instance snapshots should not be publicly accessible. This is to avoid exposing your private data.
EC2 instance running indefinitely in your AWS your account could increase the risk of potential issues.
AWS AMIs should not be shared publicly with the other AWS accounts to prevent exposing sensitive data.
Amazon Machine Images (AMIs) should be encrypted to fulfill compliance requirements for data-at-rest encryption.
Monitoring vCPU-based limits for on-demand EC2 instances avoids resource starvation. Service Quotas is an AWS service that enables you to view and manage your quotas from a central location. Quotas, also referred to as limits, are the maximum value for your resources, actions, and items in your AWS account.
Blacklist all those AMI to prevent certain security issues to attack your application. Your EC2 Instances should not use any of the blacklisted AMIs.
It is recommended not to using the default VPC.
Your security groups should have descriptions associated with them to help you run your operations smoothly. It serves as a documentation and guidance in future.
Your AMI age should be more than configured number of days. This ensures that your EC2 instances deployed are secure and reliable.
EC2 instance launched should be from an approved list of instance types.
Detailed monitoring should be enabled on EC2 instances.
VPC should be used for EC2 instances instead of using EC2 Classic. VPCs are the latest and more secure method of launching AWS resources.
There are EC2 instances scheduled for retirement and/or maintenance. Kindly take the necessary steps (reboot, restart or re-launch).
Checks if EC2 instances have several Security Groups attached. Ideally there should be just 1 security group attach to an EC2 instance.
Ensuring Termination Protection feature is enabled for EC2 instances that are not part of ASGs.
No AWS EC2 security group should allow unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS).
EC2 security groups should not allow unrestricted outbound/egress access.
IAM Roles/Instance profiles should be used instead of IAM Access Keys to appropriately grant access permissions to any application that perform AWS API requests running on your EC2 instances.
Ensuring that the Amazon VPC route table associated with the data-tier subnets has no default route configured to allow access to an AWS NAT Gateway in order to restrict Internet connectivity for the EC2 instances available within the data tier.
No AWS EC2 security group should allow unrestricted inbound access to TCP port 445 and (CIFS).
No security group should allow unrestricted inbound access using Internet Control Message Protocol (ICMP).
No EC2 security group should allow unrestricted inbound access to any uncommon ports.
No security group should allow unrestricted ingress access to MongoDB port 27017.
No security group should allow unrestricted inbound access to TCP port 1433 (MSSQL)
No security group should allow unrestricted inbound access to TCP port 3306 (MySQL).
No security group should allow unrestricted inbound access to TCP port 1521 (Oracle Database).
Security groups should not have range of ports opened for inbound traffic in order to protect your EC2 instances against denial-of-service (DoS) attacks or brute-force attacks.
No security group should allow unrestricted inbound access to TCP port 5432 (PostgreSQL Database).
No AWS EC2 security group should allow unrestricted inbound access to TCP port 3389 (RDP).
No security group should allow unrestricted inbound access to TCP port 135 (RPC).
No security group should allow unrestricted inbound access to TCP port 25 (SMTP).
Default security groups should restrict all public traffic to follow AWS security best practices.
No security group should allow unrestricted inbound access to TCP port 23 (Telnet).
No security group should allow unrestricted inbound access to TCP port 22 (SSH).
No security group should allow unrestricted inbound access to TCP port 9200 (Elasticsearch).
No security group should allow unrestricted inbound access to TCP ports 20 and 21 (FTP).
To ensure that none of your AWS EC2 Reserved Instance purchases have failed.
To ensure that none of your AWS EC2 Reserved Instance purchases are pending.
For regularly reviewing your EC2 Reserved Instance purchases for cost optimization (informational).
Your account should not reach the limit set by AWS for the number of allocated Elastic IPs.
Your account should not reach the limit set by AWS for the number of Elastic IPs.
The Hibernation feature should be enabled for EBS-backed EC2 instances to retain memory state across instance stop/start cycles.
Every EC2 instance should be launched inside an Auto Scaling Group (ASG) in order to follow the best AWS reliability and security practices.
Lists all EC2 reserved instances expiring in the next 30 days.
Lists all EC2 reserved instances expiring in the next 7 days.
Your AWS account should not have excessive number of security groups per region.
EC2 security groups prefixed with launch-wizard should not be in use in order to follow AWS security best practices.
Your AWS account should not reached the limit set for the number of EC2 instances.
Your AWS servers should be using the latest generation of EC2 instances for price-performance improvements.
EC2 security groups should not have an excessive number of rules defined.
No EC2 security group should allow inbound traffic from RFC-1918 CIDRs in order to follow AWS security best practices.
Identify and remove any unassociated Elastic IP (EIP) addresses for cost optimization.
No backend EC2 instances should be running in public subnets.
No security group should allow unrestricted inbound access to TCP and UDP port 53 (DNS).
No security group should allow unrestricted inbound access to TCP port 80 (HTTP).
No security group should allow unrestricted inbound access to TCP port 443 (HTTPS).
Your AWS account should not have any EC2 instance with the instance type blacklisted.
Unused AWS Elastic Network Interfaces (ENIs) should be removed to follow best practices.
Unused AMIs should be removed to follow best practices.
Unused AWS EC2 key pairs should be decommissioned to follow best practices.
AWS EC2 Reserved Instances should be fully utilized.
Overutilized EC2 instances should be upgraded to optimize application response time.
Idle AWS EC2 instances should be stopped or terminated in order to optimize AWS costs.
Underutilized EC2 instances should be downsized in order to optimize your AWS costs.
EC2 instances should have the required tenancy for security and regulatory compliance requirements.
If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.