AWS Network Audit

Audit your network to safeguard your data

What we do

Unused Virtual Private Gateways

Remove unused Amazon Virtual Private Gateways to follow best practice and to avoid reaching the service limit.

Addresses: Operational Maturity

Enable Flow Logs on VPC

VPC flow logs record all traffic flowing into and out of a VPC. These logs are critical for auditing and for review after security incidents.

Addresses: Security

Flow Logs Enabled on Subnet

Subnet flow logs record all traffic flowing into and out of a subnet. These logs are critical for auditing and for review after security incidents.

Addresses: Security
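The two flow-log checks above can be driven from the output of the EC2 DescribeVpcs, DescribeSubnets and DescribeFlowLogs calls. The following is an added example and not Cloudanix code; the sample responses are constructed to match the shape of those boto3 responses, and the choice to count only ACTIVE logs with TrafficType ALL as coverage is this example's own, stricter reading of "record all traffic".

```python
"""Flag VPCs and subnets with no active flow log (added example, not Cloudanix code).

The input dicts mimic boto3 EC2 describe_vpcs / describe_subnets /
describe_flow_logs responses, so the same functions can be pointed at real
API output. The sample data below is constructed.
"""

SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}]}

SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0001", "VpcId": "vpc-0aaa"},
    {"SubnetId": "subnet-0002", "VpcId": "vpc-0bbb"},
    {"SubnetId": "subnet-0003", "VpcId": "vpc-0bbb"},
]}

SAMPLE_FLOW_LOGS = {"FlowLogs": [
    # VPC-level log, active, captures accepted and rejected traffic
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0aaa",
     "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
    # subnet log that records only ACCEPTed flows: blocked probes are invisible
    {"FlowLogId": "fl-2", "ResourceId": "subnet-0002",
     "FlowLogStatus": "ACTIVE", "TrafficType": "ACCEPT"},
    # subnet log that exists but is no longer delivering
    {"FlowLogId": "fl-3", "ResourceId": "subnet-0003",
     "FlowLogStatus": "INACTIVE", "TrafficType": "ALL"},
]}


def active_flow_log_targets(flow_logs):
    """Resource IDs with at least one ACTIVE flow log that captures ALL traffic.

    Inactive logs and ACCEPT-only or REJECT-only logs are not counted: during
    an incident review a log that omits rejected traffic cannot show a probe
    that the security group dropped.
    """
    return {
        fl["ResourceId"]
        for fl in flow_logs.get("FlowLogs", [])
        if fl.get("FlowLogStatus") == "ACTIVE" and fl.get("TrafficType") == "ALL"
    }


def vpcs_without_flow_logs(vpcs, flow_logs):
    """VPC IDs that have no qualifying flow log of their own."""
    covered = active_flow_log_targets(flow_logs)
    return sorted(v["VpcId"] for v in vpcs["Vpcs"] if v["VpcId"] not in covered)


def subnets_without_flow_logs(subnets, flow_logs):
    """Subnet IDs not covered by a subnet-level log or by a log on their VPC.

    A VPC-level flow log captures every network interface in the VPC, so a
    subnet inside a logged VPC is already covered.
    """
    covered = active_flow_log_targets(flow_logs)
    return sorted(
        s["SubnetId"]
        for s in subnets["Subnets"]
        if s["SubnetId"] not in covered and s["VpcId"] not in covered
    )


if __name__ == "__main__":
    print("VPCs without flow logs:", vpcs_without_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS))
    print("Subnets without flow logs:", subnets_without_flow_logs(SAMPLE_SUBNETS, SAMPLE_FLOW_LOGS))
```

On the sample data this reports vpc-0bbb, and subnet-0002 (ACCEPT-only) and subnet-0003 (inactive); subnet-0001 is not reported because its parent VPC has an active ALL-traffic log. To run it against an account, replace the three constants with the paginated results of the corresponding boto3 calls.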

Unused network ACLs

Retaining unused network ACLs increases the risk of misconfiguration and makes audits harder.

Addresses: Security

Unused Security Groups

Non-default security groups exist that are not attached to anything and may no longer be required. Their presence in the configuration increases the risk that they are assigned inappropriately. Unused security groups should be reviewed and removed if no longer required.

Addresses: Security

Default Security Group Unrestricted

Ensure that your AWS EC2 default security groups restrict all inbound public traffic. This forces AWS users (EC2 administrators, resource managers, etc.) to create custom security groups that follow the principle of least privilege instead of relying on the default security groups.

Addresses: Security

Default Security Group

Ensure the default security groups block all traffic by default. EC2 instances should not be associated with default security groups.

Addresses: Security

Default Security Group in use and it allows public access

Ensure the default security groups block all traffic by default. EC2 instances should not be associated with default security groups with public access.

Addresses: Security

EC2 with Multiple Security Groups

Determine whether instances in the account have an excessive number of security groups attached. AWS evaluates the union of the rules in all security groups attached to an EC2 instance, so the most permissive rule among them wins.

Addresses: Security

Publicly accessible EC2 instances

Ensure that unknown EC2 instances are not publicly accessible. It is good practice to maintain a list of known, publicly accessible instances and to flag every other instance that meets this criterion.

Addresses: Security

All EC2 instance ports open for external traffic

Determine whether any security group has all ports or protocols open to the public. Security groups should be created on a per-service basis and should avoid allowing all ports or protocols.

Addresses: Security

All EC2 instance ports open for internal traffic

Determine whether any security group has all ports or protocols open to internal traffic. Security groups should be created on a per-service basis and should avoid allowing all ports or protocols, even for internal access.

Addresses: Security

EC2 instance with open ICMP ports

Ensure that security groups attached to EC2 instances do not allow inbound ICMP.

Addresses: Security
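The security-group checks above (unused groups, unrestricted default group, all ports open to public or internal sources, ICMP allowed, instances with many groups) all read the same two API responses: DescribeSecurityGroups and DescribeInstances. The following is an added example and not Cloudanix code; the sample data is constructed to match the shape of the boto3 responses, and treating a referenced security group or any non-public CIDR as an "internal" source is this example's own definition.

```python
"""Security-group audit over describe_security_groups / describe_instances
style data (added example, not Cloudanix code). Sample data is constructed.

Security groups are evaluated as a union: the most permissive rule across
every group attached to an instance applies, so each finding is reported
per group and then related back to the instances that carry it.
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}  # CIDRs that mean "the whole internet"

SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-default", "GroupName": "default", "VpcId": "vpc-0aaa",
     "IpPermissions": [{"IpProtocol": "-1",  # all protocols, all ports
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "GroupName": "web", "VpcId": "vpc-0aaa",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-internal", "GroupName": "internal-all", "VpcId": "vpc-0aaa",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-ping", "GroupName": "ping", "VpcId": "vpc-0aaa",
     "IpPermissions": [{"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-orphan", "GroupName": "old-app", "VpcId": "vpc-0aaa",
     "IpPermissions": []},
]}

SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-1", "SecurityGroups": [
        {"GroupId": "sg-default"}, {"GroupId": "sg-web"}, {"GroupId": "sg-ping"}]},
    {"InstanceId": "i-2", "SecurityGroups": [{"GroupId": "sg-internal"}]},
]}]}


def _cidrs(perm):
    """All IPv4 and IPv6 CIDR sources of one ingress permission."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _has_source(perm, public):
    """True if the permission has a public source (public=True) or an internal
    one (public=False). Internal means a non-public CIDR or a referenced group."""
    cidrs = _cidrs(perm)
    if public:
        return any(c in ANYWHERE for c in cidrs)
    return any(c not in ANYWHERE for c in cidrs) or bool(perm.get("UserIdGroupPairs"))


def _all_ports(perm):
    """'-1' is every protocol and port; tcp/udp 0-65535 has the same effect."""
    return (perm.get("IpProtocol") == "-1"
            or (perm.get("FromPort") == 0 and perm.get("ToPort") == 65535))


def _groups(sgs):
    return sgs["SecurityGroups"]


def default_groups_with_public_ingress(sgs):
    """'default' groups that accept any inbound traffic from the internet."""
    return sorted(g["GroupId"] for g in _groups(sgs)
                  if g["GroupName"] == "default"
                  and any(_has_source(p, public=True) for p in g["IpPermissions"]))


def groups_with_all_ports_open(sgs, public=True):
    """Groups with an all-ports rule from public (or, if public=False, internal) sources."""
    return sorted(g["GroupId"] for g in _groups(sgs)
                  if any(_all_ports(p) and _has_source(p, public) for p in g["IpPermissions"]))


def groups_allowing_icmp(sgs):
    """Groups with an inbound ICMP/ICMPv6 rule; '-1' covers ICMP as well."""
    return sorted(g["GroupId"] for g in _groups(sgs)
                  if any(p.get("IpProtocol") in ("icmp", "icmpv6", "-1")
                         for p in g["IpPermissions"]))


def _attached_groups(instances):
    return {sg["GroupId"] for r in instances["Reservations"]
            for i in r["Instances"] for sg in i["SecurityGroups"]}


def unused_security_groups(sgs, instances):
    """Non-default groups attached to no instance. A full audit would also
    consult ENIs, RDS, load balancers and Lambda, which can hold groups too."""
    attached = _attached_groups(instances)
    return sorted(g["GroupId"] for g in _groups(sgs)
                  if g["GroupName"] != "default" and g["GroupId"] not in attached)


def instances_with_multiple_groups(instances, threshold=2):
    """Instances carrying more than `threshold` groups (threshold is this example's choice)."""
    return sorted(i["InstanceId"] for r in instances["Reservations"]
                  for i in r["Instances"] if len(i["SecurityGroups"]) > threshold)
```

On the sample data the default group is flagged for public ingress and for all ports open to the public, sg-internal for all ports open internally, sg-default and sg-ping for ICMP, sg-orphan as unused, and i-1 for carrying three groups. Each list is sorted so that runs can be diffed between audits.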

RDS is Publicly Accessible

Ensure RDS instances are not publicly accessible. Unless there is a specific business requirement, RDS instances should not have a public endpoint and should be reached from within a VPC only.

Addresses: Security

Redshift is Publicly Accessible

Ensure Redshift clusters are not publicly accessible. Unless there is a specific business requirement, Redshift clusters should not have a public endpoint and should be reached from within a VPC only.

Addresses: Security

MQ Broker is Publicly Accessible

Ensure MQ brokers are not publicly accessible. Unless there is a specific business requirement, MQ brokers should not have a public endpoint and should be reached from within a VPC only.

Addresses: Security

Not ready for a free signup yet? No worries!

We suggest you use the checklist!

If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend a comprehensive checklist that your team can use to perform a manual assessment of your workload.