Benchmark: EC2
Description
This section contains recommendations for configuring EC2 resources.
Usage
Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select EC2.

Run this benchmark in your terminal:

powerpipe benchmark run aws_compliance.benchmark.all_controls_ec2

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run aws_compliance.benchmark.all_controls_ec2 --share

Controls
- Ensure images (AMIs) are encrypted
- Ensure images (AMIs) are not older than 90 days
- EC2 AMIs should restrict public access
- EC2 Client VPN endpoints should have client connection logging enabled
- EBS default encryption should be enabled
- Ensure EBS volumes attached to an EC2 instance are marked for deletion upon instance termination
- EC2 instance detailed monitoring should be enabled
- EC2 instances should have EBS optimization enabled
- EC2 instances should have an IAM profile attached
- EC2 instances should be in a VPC
- EC2 instances should not use key pairs in running state
- EC2 instances should not have high-level findings in Inspector scans
- EC2 instance IAM role should not allow PassRole and Lambda InvokeFunction access
- EC2 instance IAM role should not allow credentials exposure access
- EC2 instance IAM role should not allow altering critical S3 permissions configuration
- EC2 instance IAM role should not allow cloud log tampering access
- EC2 instance IAM role should not allow data destruction access
- EC2 instance IAM role should not allow database management write access
- EC2 instance IAM role should not allow defense evasion access that impacts AWS security services
- EC2 instance IAM role should not allow KMS destruction access
- EC2 instance IAM role should not allow RDS destruction access
- EC2 instance IAM role should not allow elastic IP hijacking access
- EC2 instance IAM role should not allow management level access
- EC2 instance IAM role should not allow new group creation with attached policy access
- EC2 instance IAM role should not allow new role creation with attached policy access
- EC2 instance IAM role should not allow new user creation with attached policy access
- EC2 instance IAM role should not allow organization write access
- EC2 instance IAM role should not allow privilege escalation risk access
- EC2 instance IAM role should not allow security group write access
- EC2 instance IAM role should not allow write access to resource-based policies
- EC2 instance IAM role should not allow write permission on critical S3 configuration
- EC2 instance IAM role should not allow write level access
- EC2 instances should not be attached to 'launch wizard' security groups
- Ensure no EC2 instances are older than 180 days
- EC2 instances should not have a public IP address
- EC2 instances should not use multiple ENIs
- EC2 instances should be protected by a backup plan
- Public EC2 instances should have an IAM profile attached
- EC2 instances should have termination protection enabled
- EC2 instance user data should not contain secrets
- EC2 instances should use IMDSv2
- Ensure IAM instance roles are used for AWS resource access from instances
- Paravirtual EC2 instance types should not be used
- EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)
- EC2 launch templates should not assign public IPs to network interfaces
- EC2 network interfaces should have source/destination checking enabled
- Ensure unused ENIs are removed
- EC2 Spot Fleet requests with launch parameters should be configured to encrypt attached EBS volumes
- EC2 stopped instances should be removed after 30 days
- Ensure instances stopped for over 90 days are removed
- EC2 transit gateways should have auto accept shared attachments disabled
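Each control above is backed by a SQL query run through Steampipe that returns one row per resource with the columns Powerpipe expects from a control: resource, status (ok, alarm, info, skip or error), reason, plus any dimension columns such as region and account_id. The query below is an added example written for this page, not the mod's own control code, showing what the "EC2 instances should use IMDSv2" check has to decide. It assumes the Steampipe AWS plugin's aws_ec2_instance table with the columns arn, title, metadata_options (jsonb mirroring the EC2 MetadataOptions structure), region and account_id; treat those names as assumptions if your plugin version differs. It goes one step beyond a plain HttpTokens test: an instance whose metadata endpoint is disabled outright is reported ok rather than alarm, and the response hop limit is surfaced in the reason because a hop limit above 1 is what lets containers on the host reach the token endpoint.

```sql
-- Added example (not from steampipe-mod-aws-compliance): control-style query
-- for "EC2 instances should use IMDSv2". Column names are assumed from the
-- Steampipe AWS plugin's aws_ec2_instance table.
select
  arn as resource,
  case
    -- Metadata endpoint switched off: there is no IMDS to downgrade.
    when metadata_options ->> 'HttpEndpoint' = 'disabled' then 'ok'
    -- Session tokens required: IMDSv1 GET requests are rejected.
    when metadata_options ->> 'HttpTokens' = 'required' then 'ok'
    -- 'optional' or unset: IMDSv1 is still served, so SSRF to 169.254.169.254
    -- can read role credentials without a PUT-obtained token.
    else 'alarm'
  end as status,
  case
    when metadata_options ->> 'HttpEndpoint' = 'disabled'
      then title || ' has the instance metadata endpoint disabled.'
    when metadata_options ->> 'HttpTokens' = 'required'
      then title || ' requires IMDSv2 tokens (response hop limit '
           || coalesce(metadata_options ->> 'HttpPutResponseHopLimit', 'unset') || ').'
    else title || ' still accepts IMDSv1 (HttpTokens = '
         || coalesce(metadata_options ->> 'HttpTokens', 'unset') || ').'
  end as reason,
  region,
  account_id
from
  aws_ec2_instance;
```

Run it ad hoc with steampipe query while the Steampipe service from the Usage section is up; the same select can be dropped into a Powerpipe control block in your own mod if you want it graded alongside the benchmark. If you want hop limit enforced rather than merely reported, add a branch that returns 'alarm' when HttpTokens is required but HttpPutResponseHopLimit is greater than 1, which is the usual hardening for container hosts.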