Cloudanix
AWS Network Audit
Unused Virtual Private Gateways Should Be Removed
Unused Amazon Virtual Private Gateways should be removed in order to adhere to best practices and to avoid reaching the service limit.
Flow Logs on VPC Should Be Enabled
VPC flow logs record all traffic flowing into and out of a VPC. These logs are critical for auditing and review after security incidents.
Flow Logs Should Be Enabled on Subnet
Subnet flow logs record all traffic flowing into and out of a subnet. These logs are critical for auditing and review after security incidents.
Unused Network ACLs Should Be Removed
Maintaining unused resources increases the risk of misconfiguration and makes audits more difficult. Unused Network ACLs should therefore be discarded.
Unused Security Groups Should Be Removed
Non-default security groups that are defined but unused may not be required. Their presence in the configuration increases the risk that they will be inappropriately assigned. Unused security groups should be reviewed and removed if no longer required.
Default Security Groups Should Block All Traffic
Default security groups should block all traffic by default. EC2 instances should not be associated with default security groups.
Default Security Group Should Not Be Publicly Accessible
Default security groups should block all traffic by default. EC2 instances should not be associated with default security groups with public access.
Excessive Number of Security Groups Should Not Be Present
There should not be an excessive number of security groups in the account. AWS applies the most permissive rule amongst all the Security Groups assigned to any EC2 instance.
EC2 Instances Should Not Be Publicly Accessible
Unknown EC2 instances should not be publicly accessible. It is good practice to maintain a list of known, publicly accessible instances and flag all other instances that meet this criterion.
Ports Should Not Be Open for External Traffic
Security groups should not have all ports or protocols open to the public. Security groups should be created on a per-service basis and avoid allowing all ports or protocols.
Ports Should Not Be Open for Internal Traffic
Security groups should not have all ports or protocols open to internal traffic. Security groups should be created on a per-service basis and avoid allowing all ports or protocols even for internal access.
EC2 Instance Should Not Have Open ICMP Ports
ICMP ports should not be open for EC2 instances.
RDS Instances Should Not Be Publicly Accessible
RDS instances should not be launched into the public cloud. Unless there is a specific business requirement, RDS instances should not have a public endpoint and should be accessed from within a VPC only.
Redshift Should Not Be Publicly Accessible
Redshift clusters should not be launched into the public cloud. Unless there is a specific business requirement, Redshift clusters should not have a public endpoint and should be accessed from within a VPC only.
MQ Broker Should Not Be Publicly Accessible
MQ brokers should not be launched into the public cloud. Unless there is a specific business requirement, MQ brokers should not have a public endpoint and should be accessed from within a VPC only.
