Scan for Infrastructure Runtime Misconfigurations
Description
Cloud misconfigurations occur when resources have not been constructed properly, leaving your systems vulnerable to attack. Cloud environment misconfigurations can cause system outages, unwanted downtime, or security risks. Causes can include overly complex environments, insufficient security practice knowledge, and human error due to manual processes.
| Stack layer | Security domain | Security tool initiated by this item |
|---|---|---|
| Infrastructure | Runtime scanning | Prowler |
Checklist
This Security Requirement runs the following 70 checks:
| Cloud Service | Checks |
|---|---|
| IAM | Ensure no root account access key exists |
| Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) | |
| Avoid the use of the root account | |
| Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | |
| Ensure users of groups with AdministratorAccess policy have MFA tokens enabled | |
| Ensure MFA is enabled for the root account | |
| Ensure hardware MFA is enabled for the root account | |
| S3 | Check if S3 buckets have policies which allow WRITE access |
| Ensure there are no S3 buckets open to Everyone or Any AWS user | |
| CloudTrail | Ensure the S3 bucket CloudTrail logs to is not publicly accessible |
| Ensure CloudTrail is enabled in all regions | |
| SQS | Check if SQS queues have a policy set as Public |
| EC2 | Ensure there are no EC2 AMIs set as Publicextra72, Ensure there are no EBS Snapshots set as Public |
| Find secrets in EC2 User Data | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 | |
| Ensure no Network ACLs allow ingress from 0.0.0.0/0 to SSH port 22 | |
| Ensure no Network ACLs allow ingress from 0.0.0.0/0 to Microsoft RDP port 3389 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 | |
| Ensure there are no Security Groups without ingress filtering being used | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483 | |
| Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 | |
| Ensure the default security group of every VPC restricts all traffic | |
| Check if any of the Elastic or Public IP are in Shodan (requires Shodan API KEY) | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports | |
| RDS | Ensure there are no Public Accessible RDS instances |
| Check if RDS Snapshots and Cluster Snapshots are public | |
| Lambda | Check if Lambda functions have resource-based policy set as Public |
| Find secrets in Lambda functions variables | |
| Check if Lambda functions have policies which allow access to any AWS account | |
| Check Public Lambda Function URL | |
| Glacier | Check if S3 Glacier vaults have policies which allow access to everyone |
| EFS | Check if EFS have policies which allow access to everyone |
| SNS | Check if SNS topics have policy set as Public |
| KMS | Check exposed KMS keys |
| ElasticSearch | Check connection and authentication for Internet exposed Elasticsearch/Kibana ports |
| Check if Amazon Elasticsearch Service (ES) domains are set as Public or if it has open policy access | |
| Check connection and authentication for Internet exposed Amazon Elasticsearch Service (ES) domains | |
| Check if Amazon Elasticsearch Service (ES) domains has Amazon Cognito authentication for Kibana enabled | |
| SSM | Find secrets in SSM Documents |
| Check if there are SSM Documents set as public | |
| Check if EC2 instances managed by Systems Manager are compliant with patching requirements | |
| AutoScaling | Find secrets in EC2 Auto Scaling Launch Configuration |
| GuardDuty | There are High severity GuardDuty findings |
| Check if GuardDuty is enabled | |
| Redshift | Check for Publicly Accessible Redshift Clusters |
| CloudFormation | Find secrets in CloudFormation outputs |
| ECS | Find secrets in ECS task definitions environment variables |
| ECR | Ensure there are no ECR repositories set as Public |
| Check if ECR image scan found vulnerabilities in the newest image version | |
| Check if ECR image scan on push is enabled | |
| EKS | Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled |
| Restrict Access to the EKS Control Plane Endpoint | |
| EMR | EMR Account Public Access Block enabled |
| Publicly accessible EMR Cluster | |
| ACM | Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less |
| SecurityHub | Check if Security Hub is enabled and its standard subscription |
| CodeBuild | CodeBuild Project with an user controlled buildspec |
| CodeBuild Project last invoked greater than 90 days | |
| AccessAnalyzer | Check if IAM Access Analyzer is enabled and its findings |
Updated 3 months ago