Scan for Infrastructure Runtime Misconfigurations

Description

Cloud misconfigurations occur when resources have not been configured properly, leaving your systems vulnerable to attack. Misconfigured cloud environments can cause system outages, unwanted downtime, or security risks. Common causes include overly complex environments, insufficient knowledge of security practices, and human error in manual processes.

| Stack layer | Security domain | Security tool initiated by this item |
| --- | --- | --- |
| Infrastructure | Runtime scanning | Prowler |

Checklist

This Security Requirement runs the following 70 checks:

| Cloud Service | Checks |
| --- | --- |
| IAM | Ensure no root account access key exists |
| IAM | Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) |
| IAM | Avoid the use of the root account |
| IAM | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password |
| IAM | Ensure users of groups with the AdministratorAccess policy have MFA tokens enabled |
| IAM | Ensure MFA is enabled for the root account |
| IAM | Ensure hardware MFA is enabled for the root account |
| S3 | Check if S3 buckets have policies which allow WRITE access |
| S3 | Ensure there are no S3 buckets open to Everyone or Any AWS user |
| CloudTrail | Ensure the S3 bucket CloudTrail logs to is not publicly accessible |
| CloudTrail | Ensure CloudTrail is enabled in all regions |
| SQS | Check if SQS queues have a policy set as Public |
| EC2 | Ensure there are no EC2 AMIs set as Public |
| EC2 | Ensure there are no EBS Snapshots set as Public |
| EC2 | Find secrets in EC2 User Data |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092 |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432 |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379 |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21 |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306 |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434 |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199, 9160 or 8888 |
| EC2 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to SSH port 22 |
| EC2 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to Microsoft RDP port 3389 |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 |
| EC2 | Ensure there are no Security Groups without ingress filtering in use |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483 |
| EC2 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to RDP port 3389 |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to SSH port 22 |
| EC2 | Ensure the default security group of every VPC restricts all traffic |
| EC2 | Check if any of the Elastic or Public IPs are in Shodan (requires Shodan API KEY) |
| EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports |
| RDS | Ensure there are no publicly accessible RDS instances |
| RDS | Check if RDS Snapshots and Cluster Snapshots are public |
| Lambda | Check if Lambda functions have a resource-based policy set as Public |
| Lambda | Find secrets in Lambda function environment variables |
| Lambda | Check if Lambda functions have policies which allow access to any AWS account |
| Lambda | Check for public Lambda Function URLs |
| Glacier | Check if S3 Glacier vaults have policies which allow access to everyone |
| EFS | Check if EFS file systems have policies which allow access to everyone |
| SNS | Check if SNS topics have a policy set as Public |
| KMS | Check for exposed KMS keys |
| Elasticsearch | Check connection and authentication for Internet-exposed Elasticsearch/Kibana ports |
| Elasticsearch | Check if Amazon Elasticsearch Service (ES) domains are set as Public or have open policy access |
| Elasticsearch | Check connection and authentication for Internet-exposed Amazon Elasticsearch Service (ES) domains |
| Elasticsearch | Check if Amazon Elasticsearch Service (ES) domains have Amazon Cognito authentication for Kibana enabled |
| SSM | Find secrets in SSM Documents |
| SSM | Check if there are SSM Documents set as public |
| SSM | Check if EC2 instances managed by Systems Manager are compliant with patching requirements |
| AutoScaling | Find secrets in EC2 Auto Scaling Launch Configurations |
| GuardDuty | Check if there are High severity GuardDuty findings |
| GuardDuty | Check if GuardDuty is enabled |
| Redshift | Check for publicly accessible Redshift Clusters |
| CloudFormation | Find secrets in CloudFormation outputs |
| ECS | Find secrets in ECS task definition environment variables |
| ECR | Ensure there are no ECR repositories set as Public |
| ECR | Check if the ECR image scan found vulnerabilities in the newest image version |
| ECR | Check if ECR image scan on push is enabled |
| EKS | Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled |
| EKS | Restrict access to the EKS Control Plane Endpoint |
| EMR | Check if the EMR Account Public Access Block is enabled |
| EMR | Check for publicly accessible EMR Clusters |
| ACM | Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less |
| SecurityHub | Check if Security Hub is enabled and its standards subscriptions |
| CodeBuild | Check for CodeBuild Projects with a user-controlled buildspec |
| CodeBuild | Check for CodeBuild Projects last invoked more than 90 days ago |
| AccessAnalyzer | Check if IAM Access Analyzer is enabled and its findings |