AWS Foundational Security Best Practices Controls

The AWS Foundational Security Best Practices standard is a set controls that help you identify deviation within your cloud resources from security best practices. It helps and provides guidance on how to improve and maintain your resources security to stand up with industry best practices.

Compliance checks for Amazon Web Services

High

Ensure Database Migration Service (DMS) are not publicly accessible

Critical

Ensure DMS instances are not accessible via Internet (Network and API)

AWS Well-Architected Framework

Medium

Ensure CloudTrail Log File Integrity Validation is enabled

Medium

Ensure CloudWatch Logs service is configured to monitor CloudTrail trail logs

Critical

Ensure access keys are rotated every 90 days or less

Medium

Ensure RDS instances have Multi-AZ disabled in dev environments

Medium

Ensure SageMaker Notebook Direct Internet Access is disabled

Critical

Ensure EBS snapshots are not publicly accessible

AWS Well-Architected Framework

Medium

Ensure security groups do not have ingress open to any (0.0.0.0/0)

Medium

Ensure security groups do not have all ports open

AWS Foundational Security Best Practices Controls

AWS Well-Architected Framework

Medium

Ensure that S3 Buckets are configured with "Block public access"

Critical

Ensure Lambda functions prohibit public access

AWS Foundational Security Best Practices Controls

Medium

Ensure Application Load Balancers (ALB) are configured to drop HTTP headers

AWS Foundational Security Best Practices Controls

Medium

Ensure CloudFront has WAF attached

AWS Foundational Security Best Practices Controls

Medium

Ensure RDS database instances are not publicly accessible

Medium

Ensure OpenSearch has at least 3 dedicated master nodes

AWS Foundational Security Best Practices Controls

Medium

Ensure VPC flow logging is enabled in all VPCs

Medium

Ensure OpenSearch domains are configured to enforce HTTPS connections

AWS Foundational Security Best Practices Controls

Medium

Ensure node-to-node encryption is enabled for OpenSearch clusters

AWS Foundational Security Best Practices Controls

Medium

Ensure OpenSearch data at rest encryption is enabled

AWS Foundational Security Best Practices Controls

Medium

Ensure CloudFront distribution enforce HTTPS protocol for data in-transit

AWS Well-Architected Framework

Medium

Ensure EC2 instances use Instance Metadata Service Version 2 (IMDSv2)

AWS Foundational Security Best Practices Controls

Medium

Ensure IAM User has no inline policy

AWS Well-Architected Framework

Critical

Ensure all IAM users with console access have MFA enabled

Medium

Ensure OpenSearch domains are in a VPC

AWS Foundational Security Best Practices Controls

AWS Well-Architected Framework

Medium

Ensure EBS volumes are encrypted

Medium

Ensure stopped EC2 instances are removed

AWS Foundational Security Best Practices Controls

Medium

Ensure that Origin Failover feature is enabled for CloudFront web distributions

AWS Foundational Security Best Practices Controls

Medium

Ensure SQS encryption is enabled

AWS Well-Architected Framework

Medium

Ensure SNS encryption is enabled

AWS Well-Architected Framework

Medium

Ensure data stored in the S3 bucket is securely encrypted at rest

Medium

Ensure RDS Instances have IAM Database Authentication enabled

AWS Foundational Security Best Practices Controls

AWS Well-Architected Framework

Medium

Ensure DynamoDB tables have point in time recovery enabled

Medium

Ensure RDS instances are configured with Auto Minor Version Upgrade

AWS Foundational Security Best Practices Controls

Medium

Ensure RDS instances have Multi-AZ enabled in Production

Medium

Ensure RDS instances have backup policy

AWS Foundational Security Best Practices Controls

AWS Well-Architected Framework

Low

Ensure RDS database instances have Copy Tags to Snapshots enabled

AWS Well-Architected Framework

Medium

Ensure RDS database instances have Deletion Protection enabled

AWS Foundational Security Best Practices Controls