CloudWiki

AWS Foundational Security Best Practices Controls


The AWS Foundational Security Best Practices standard is a set of controls that help you identify where your cloud resources deviate from security best practices. It provides guidance on how to improve and maintain the security of your resources so that they meet industry best practices.

Compliance checks for Amazon Web Services

Warning: Ensure RDS instances have Multi-AZ disabled in dev environments
Warning: Ensure SageMaker Notebook Direct Internet Access is disabled
Critical: Ensure EBS snapshots are not publicly accessible
Warning: Ensure security groups do not have ingress open to any (0.0.0.0/0)
Warning: Ensure that S3 Buckets are configured with "Block public access"
Critical: Ensure Lambda functions prohibit public access
Warning: Ensure Application Load Balancers (ALB) are configured to drop invalid HTTP headers
Warning: Ensure CloudFront has WAF attached
Warning: Ensure RDS database instances are not publicly accessible
Warning: Ensure OpenSearch has at least 3 dedicated master nodes
Warning: Ensure VPC flow logging is enabled in all VPCs
Warning: Ensure OpenSearch domains are configured to enforce HTTPS connections
Warning: Ensure node-to-node encryption is enabled for OpenSearch clusters
Warning: Ensure OpenSearch data-at-rest encryption is enabled
Warning: Ensure CloudFront distributions enforce HTTPS for data in transit
Warning: Ensure EC2 instances use Instance Metadata Service Version 2 (IMDSv2)
Warning: Ensure IAM users have no inline policies
Critical: Ensure all IAM users with console access have MFA enabled
Warning: Ensure EBS volumes are encrypted
Warning: Ensure stopped EC2 instances are removed
Warning: Ensure that the Origin Failover feature is enabled for CloudFront web distributions
Warning: Ensure SQS encryption is enabled
Warning: Ensure SNS encryption is enabled
Warning: Ensure data stored in S3 buckets is encrypted at rest
Warning: Ensure RDS instances have IAM Database Authentication enabled
Warning: Ensure DynamoDB tables have point-in-time recovery enabled
Warning: Ensure RDS instances are configured with Auto Minor Version Upgrade
Warning: Ensure RDS instances have Multi-AZ enabled in production
Warning: Ensure RDS database instances have Deletion Protection enabled
Info: Ensure RDS database instances have Copy Tags to Snapshots enabled