AWS Well-Architected Framework

The AWS Well-Architected Framework helps you understand how the decisions you make while building on AWS will affect your systems, by teaching architectural best practices for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud.

Compliance checks for Amazon Web Services

Warning: Ensure Kinesis Data Stream encryption is enabled
Critical: IAM Role with Admin access (*:*)
Warning: Ensure IAM policies that allow over-privileged access to data are not created
Info: EC2 large instance create alarm
Info: Ensure there are no EBS snapshots older than a month
Info: Internet Gateway (IGW) changes alarm
Warning: Ensure OpenSearch nodes are using General Purpose SSD storage
Critical: Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
Critical: Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
Critical: Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
Critical: Ensure there is no unrestricted inbound access to TCP port 80 (HTTP)
Critical: Ensure there is no unrestricted inbound access to UDP port 11211 (Memcached)
Critical: Ensure there is no unrestricted inbound access to UDP port 53 (DNS)
Critical: Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
Critical: Ensure there is no unrestricted inbound access to TCP port 27018 (MongoDB)
Critical: Ensure there is no unrestricted inbound access to TCP port 27019 (MongoDB)
Critical: Ensure there is no unrestricted inbound access to TCP port 135 (RPC)
Critical: Ensure there is no unrestricted inbound access to TCP port 8080 (HTTP proxy)
Critical: Ensure there is no unrestricted inbound access to TCP port 8000 (HTTP)
Critical: Ensure there is no unrestricted inbound access to TCP port 5432 (PostgreSQL)
Critical: Ensure there is no unrestricted inbound access to TCP port 137 (NetBIOS)
Critical: Ensure there is no unrestricted inbound access to TCP port 139 (NetBIOS)
Critical: Ensure there is no unrestricted inbound access to TCP port 1433 (MSSQL)
Critical: Ensure there is no unrestricted inbound access to TCP port 53 (DNS)
Critical: Ensure there is no unrestricted inbound access to TCP port 20 (FTP)
Critical: Ensure there is no unrestricted inbound access to TCP port 21 (FTP)
Critical: Ensure there is no unrestricted inbound access to TCP port 9200 (Elasticsearch)
Critical: Ensure there is no unrestricted inbound access to TCP port 6379 (Redis)
Critical: Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
Critical: Ensure there is no unrestricted inbound access to TCP port 3020 (SMB / CIFS)
Critical: Ensure there is no unrestricted inbound access to TCP port 11211 (Memcached)
Critical: Ensure there is no unrestricted inbound access to TCP port 25 (SMTP)
Critical: Ensure there is no unrestricted inbound access to TCP port 3306 (MySQL)
Info: Route Table changes alarm
Info: IAM Policy changes alarm
Info: S3 Bucket changes alarm
Info: Security Group (SG) changes alarm
Critical: Ensure SageMaker Notebook data is encrypted
Info: VPC Peering changes alarm
Info: Transit Gateway (TGW) changes alarm
Info: NAT Gateway changes alarm
Info: VPC changes alarm
Warning: Ensure Amazon SageMaker Notebook Instance is in a VPC
Critical: IAM Role with inline Admin access (*:*)
Warning: IAM user inline policy is over-permissive
Info: Ensure Internet Gateway is attached to a VPC
Warning: Unused NAT resources
Warning: AMI (Amazon Machine Images) not in use (12 months)
Critical: Ensure EBS snapshots are not publicly accessible
Warning: EBS snapshots not in use
Warning: AMI (Amazon Machine Images) not in use
Warning: Ensure Lambda environment variables are encrypted using customer-managed Customer Master Keys (CMKs)
Warning: Ensure EMR clusters are encrypted in transit and at rest
Info: Ensure EMR clusters archive log files to S3
Info: Ensure DynamoDB tables are encrypted with a customer-managed key
Critical: Ensure IAM password policy expires passwords within 90 days or less
Warning: Ensure IAM password policy requires at least one symbol
Warning: Ensure IAM password policy requires at least one uppercase letter
Warning: Ensure IAM password policy requires at least one number
Warning: Ensure IAM password policy requires at least one lowercase letter
Warning: Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of gp2
Warning: IAM Role with highly privileged policies
Warning: Ensure IAM Role has no inline policy
Critical: Ensure IAM policies that allow full "*:*" administrative privileges are not created
Info: Ensure RDS is not using the default port 1433
Warning: Ensure security groups do not have ingress open to any source (0.0.0.0/0)
Warning: EBS volume not in use
Warning: Ensure IAM users receive permissions only through groups
Warning: Ensure S3 object versioning is enabled
Warning: Ensure VPC flow logging is enabled in all VPCs
Warning: Ensure IAM users are members of at least one IAM group
Warning: Ensure CloudFront distributions enforce HTTPS for data in transit
Warning: Ensure communication between CloudFront distributions and their origins is encrypted using HTTPS
Info: Ensure Lambda function is configured to use a Dead Letter Queue (DLQ)
Critical: Ensure ElastiCache Redis clusters are encrypted in transit
Warning: DynamoDB tables not in use
Warning: VPC endpoint is publicly accessible
Info: Ensure RDS MySQL and PostgreSQL database instances have Performance Insights enabled
Warning: Ensure IAM User has no inline policy
Warning: Ensure Zone Awareness is enabled for OpenSearch clusters
Warning: Gateway VPC endpoint is not in use
Warning: ELB not in use
Warning: Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of io1
Warning: Ensure both VPN tunnels are up
Warning: Ensure SQS encryption is enabled
Warning: Ensure SNS encryption is enabled
Warning: Ensure S3 buckets have server access logging enabled to track access requests
Warning: Ensure data stored in the S3 bucket is securely encrypted at rest
Warning: Ensure CloudFront web distributions enforce field-level encryption
Warning: Ensure RDS instances have IAM Database Authentication enabled
Warning: Ensure RDS instances are using General Purpose SSD storage and not Provisioned IOPS SSD storage
Info: Ensure RDS is not using the default port 3306
Info: Ensure RDS is not using the default port 1521
Info: Ensure RDS is not using the default port 5432
Info: Ensure RDS database instances have Copy Tags to Snapshots enabled