Benchmark: EC2
Description
This section contains recommendations for configuring EC2 resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select EC2.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.all_controls_ec2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.all_controls_ec2 --share
Controls
- EC2 AMIs should restrict public access
- EC2 Client VPN endpoints should have client connection logging enabled
- EBS default encryption should be enabled
- EC2 instance detailed monitoring should be enabled
- EC2 instance should have EBS optimization enabled
- EC2 instances should have IAM profile attached
- EC2 instances should be in a VPC
- EC2 instances should not use key pairs in running state
- EC2 instances should not have high-level findings in Inspector scans
- EC2 instance IAM role should not allow pass role and Lambda invoke function access
- EC2 instance IAM role should not be attached with credentials exposure access
- EC2 instance IAM role should not allow altering critical S3 permissions configuration
- EC2 instance IAM role should not allow cloud log tampering access
- EC2 instance IAM role should not allow data destruction access
- EC2 instance IAM role should not allow database management write access
- EC2 instance IAM role should not allow defense evasion impact of AWS security services access
- EC2 instance IAM role should not allow destruction KMS access
- EC2 instance IAM role should not allow destruction RDS access
- EC2 instance IAM role should not allow elastic IP hijacking access
- EC2 instance IAM role should not allow management level access
- EC2 instance IAM role should not allow new group creation with attached policy access
- EC2 instance IAM role should not allow new role creation with attached policy access
- EC2 instance IAM role should not allow new user creation with attached policy access
- EC2 instance IAM role should not allow organization write access
- EC2 instance IAM role should not allow privilege escalation risk access
- EC2 instance IAM role should not allow security group write access
- EC2 instance IAM role should not allow write access to resource based policies
- EC2 instance IAM role should not allow write permission on critical S3 configuration
- EC2 instance IAM role should not allow write level access
- EC2 instances should not be attached to 'launch wizard' security groups
- EC2 instances should not have a public IP address
- EC2 instances should not use multiple ENIs
- EC2 instances should be protected by backup plan
- Public EC2 instances should have IAM profile attached
- AWS EC2 instances should have termination protection enabled
- EC2 instances user data should not have secrets
- EC2 instances should use IMDSv2
- Paravirtual EC2 instance types should not be used
- AWS EC2 launch templates should not assign public IPs to network interfaces
- EC2 stopped instances should be removed in 30 days
- EC2 transit gateways should have auto accept shared attachments disabled