AWS EC2 Audit

Your EC2 could become your weakest link. Cloudanix can help!

What we do?

Public Snapshots

Ensure that your EC2 instance snapshots are not publicly accessible. This is to avoid exposing your private data.

Older Instances Running

EC2 instance running indefinitely in your AWS your account could increase the risk of potential issues.

Non-public EC2 AMI

AWS AMIs should not be shared publicly with the other AWS accounts to prevent exposing sensitive data.

Encrypted AMI

Amazon Machine Images (AMIs) should be encrypted to fulfill compliance requirements for data-at-rest encryption.

EC2 Instances vCPU Limit

Monitoring vCPU-based limits for on-demand EC2 instances avoids resource starvation. Service Quotas is an AWS service that enables you to view and manage your quotas from a central location. Quotas, also referred to as limits, are the maximum value for your resources, actions, and items in your AWS account.

No Blacklisted AMI

Blacklist all those AMI to prevent certain security issues to attack your application.

Default VPC Not In Use

It is recommended not to using the default VPC.

Description for Security Groups

Your security groups should have descriptions associated with them to help you run your operations smoothly. It serves as a documentation and guidance in future.

AMI Age

Your AMI age should be more than configured number of days. This ensures that your EC2 instances deployed are secure and reliable.

Desired Instance Type

EC2 instance launched should be from an approved list of instance types.

Detailed Monitoring

Detailed monitoring should be enabled on EC2 instances.

No EC2 Classic

Ensure VPC is used for EC2 instances instead of using EC2 Classic. VPCs are the latest and more secure method of launching AWS resources.

Scheduled Events

There are EC2 instances scheduled for retirement and/or maintenance. Kindly take the necessary steps (reboot, restart or re-launch).

Multiple Security Groups

Checks if EC2 instances have several Security Groups attached. Ideally there should be just 1 security group attach to an EC2 instance.

Termination Protection

Ensuring Termination Protection feature is enabled for EC2 instances that are not part of ASGs.

Unrestricted Netbios Access

No AWS EC2 security group should allow unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS).

Unrestricted Outbound Access

EC2 security groups should not allow unrestricted outbound/egress access.

EC2 IAM Roles

IAM Roles/Instance profiles should be used instead of IAM Access Keys to appropriately grant access permissions to any application that perform AWS API requests running on your EC2 instances.

Restrict data-tier subnet connectivity to VPC NAT Gateway

Ensuring that the Amazon VPC route table associated with the data-tier subnets has no default route configured to allow access to an AWS NAT Gateway in order to restrict Internet connectivity for the EC2 instances available within the data tier.

Unrestricted CIFS Access

No AWS EC2 security group should allow unrestricted inbound access to TCP port 445 and (CIFS).

Unrestricted ICMP Access

No security group should allow unrestricted inbound access using Internet Control Message Protocol (ICMP).

Unrestricted Inbound Access on All Uncommon Ports

No EC2 security group should allow unrestricted inbound access to any uncommon ports.

Unrestricted MongoDB Access

No security group should allow unrestricted ingress access to MongoDB port 27017.

Unrestricted MsSQL Access

No security group should allow unrestricted inbound access to TCP port 1433 (MSSQL)

Unrestricted MySQL Access

No security group should allow unrestricted inbound access to TCP port 3306 (MySQL).

Unrestricted Oracle Access

No security group should allow unrestricted inbound access to TCP port 1521 (Oracle Database).

Security Group Port Range

Security groups should not have range of ports opened for inbound traffic in order to protect your EC2 instances against denial-of-service (DoS) attacks or brute-force attacks.

Unrestricted PostgreSQL Access

No security group should allow unrestricted inbound access to TCP port 5432 (PostgreSQL Database).

Unrestricted RDP Access

No AWS EC2 security group should allow unrestricted inbound access to TCP port 3389 (RDP).

Unrestricted RPC Access

No security group should allow unrestricted inbound access to TCP port 135 (RPC).

Unrestricted SMTP Access

No security group should allow unrestricted inbound access to TCP port 25 (SMTP).

Default Security Group Unrestricted

Default security groups should restrict all public traffic to follow AWS security best practices.

Unrestricted Telnet Access

No security group should allow unrestricted inbound access to TCP port 23 (Telnet).

Unrestricted SSH Access

No security group should allow unrestricted inbound access to TCP port 22 (SSH).

Unrestricted Elasticsearch Access

No security group should allow unrestricted inbound access to TCP port 9200 (Elasticsearch).

Unrestricted FTP Access

No security group should allow unrestricted inbound access to TCP ports 20 and 21 (FTP).

EC2 Reserved Instance Payment Failed

To ensure that none of your AWS EC2 Reserved Instance purchases have failed.

EC2 Reserved Instance Payment Pending

To ensure that none of your AWS EC2 Reserved Instance purchases are pending.

EC2 Reserved Instance Recent Purchases

For regularly reviewing your EC2 Reserved Instance purchases for cost optimization (informational).

EC2-Classic Elastic IP Address Limit

Your account should not reach the limit set by AWS for the number of allocated Elastic IPs.

EC2-VPC Elastic IP Address Limit

Your account should not reach the limit set by AWS for the number of Elastic IPs.

Enable AWS EC2 Hibernation

The Hibernation feature should be enabled for EBS-backed EC2 instances to retain memory state across instance stop/start cycles.

Instance In Auto Scaling Group

Every EC2 instance should be launched inside an Auto Scaling Group (ASG) in order to follow the best AWS reliability and security practices.

Reserved Instance Lease Expiration In The Next 30 Days

Lists all EC2 reserved instances expiring in the next 30 days.

Reserved Instance Lease Expiration In The Next 7 Days

Lists all EC2 reserved instances expiring in the next 7 days.

Security Group Excessive Counts

Your AWS account should not have excessive number of security groups per region.

Security Group Name Prefixed With launch-wizard

EC2 security groups prefixed with launch-wizard should not be in use in order to follow AWS security best practices.

EC2 Instance Counts

Your AWS account should not reached the limit set for the number of EC2 instances.

EC2 Instance Generation

Your AWS servers should be using the latest generation of EC2 instances for price-performance improvements.

Security Group Rules Counts

EC2 security groups should not have an excessive number of rules defined.

Security Group RFC 1918

No EC2 security group should allow inbound traffic from RFC-1918 CIDRs in order to follow AWS security best practices.

Unassociated Elastic IP Addresses

Identify and remove any unassociated Elastic IP (EIP) addresses for cost optimization.

EC2 Instance Not In Public Subnet

No backend EC2 instances should be running in public subnets.

Unrestricted DNS Access

No security group should allow unrestricted inbound access to TCP and UDP port 53 (DNS).

Unrestricted HTTP Access

No security group should allow unrestricted inbound access to TCP port 80 (HTTP).

Unrestricted HTTPS Access

No security group should allow unrestricted inbound access to TCP port 443 (HTTPS).

Check for EC2 Instances with Blacklisted Instance Types

Your AWS account should not have any EC2 instance with the instance type blacklisted.

Unused Elastic Network Interfaces

Unused AWS Elastic Network Interfaces (ENIs) should be removed to follow best practices.

Unused AMI

Unused AMIs should be removed to follow best practices.

Unused AWS EC2 Key Pairs

Unused AWS EC2 key pairs should be decommissioned to follow best practices.

Unused AWS EC2 Key Pairs

AWS EC2 Reserved Instances should be fully utilized.

Overutilized AWS EC2 Instances

Overutilized EC2 instances should be upgraded to optimize application response time.

Idle EC2 Instance

Idle AWS EC2 instances should be stopped or terminated in order to optimize AWS costs.

Underutilized EC2 Instance

Underutilized EC2 instances should be downsized in order to optimize your AWS costs.

EC2 Instance Tenancy

EC2 instances should have the required tenancy for security and regulatory compliance requirements.


Not ready for a free signup yet? No worries!

We suggest you use the checklist!

If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.