turbot / steampipe-mod-aws-well-architected
AWS Well-Architected Framework
Operational Excellence
OPS04 How do you design your workload so that you can understand its state?
BP01 Implement application telemetry
API Gateway stage logging should be enabled
Auto Scaling groups with a load balancer should use health checks
CloudFront distributions access logs should be enabled
CodeBuild projects should have logging enabled
ECS task definitions should have logging enabled
Elastic Beanstalk enhanced health reporting should be enabled
ELB application and classic load balancer logging should be enabled
RDS DB instances should be integrated with CloudWatch logs
BP02 Implement and configure workload telemetry
At least one enabled trail should be present in a region
CloudTrail trails should be integrated with CloudWatch logs
CloudWatch alarm should have an action configured
EC2 instance detailed monitoring should be enabled
VPC flow logs should be enabled
OPS05 How do you reduce defects, ease remediation, and improve flow into production?
BP03 Use configuration management systems
AWS Config should be enabled
BP05 Perform patch management
SSM managed instance patching should be compliant
Reliability
REL01 How do you manage service quotas and constraints?
BP03 Accommodate fixed service quotas and constraints through architecture
Lambda functions concurrent execution limit configured
REL02 How do you plan your network topology?
BP01 Use highly available network connectivity for your workload public endpoints
CloudFront distributions should have origin failover configured
CloudFront distributions should have AWS WAF enabled
ELB application, network, and gateway load balancers should span multiple availability zones
ELB classic load balancers should have cross-zone load balancing enabled
ELB classic load balancers should span multiple availability zones
Lambda functions should operate in more than one availability zone
RDS DB clusters should be configured for multiple Availability Zones
RDS DB instance multiple AZ should be enabled
S3 bucket cross-region replication should be enabled
BP02 Provision redundant connectivity between private networks in the cloud and on-premises environments
EC2 instances should be in a VPC
ECS cluster instances should be in a VPC
ES domains should be in a VPC
Lambda functions should be in a VPC
AWS Redshift enhanced VPC routing should be enabled
Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
REL06 How do you monitor workload resources?
BP01 Monitor all components for the workload
EC2 instance detailed monitoring should be enabled
API Gateway stage logging should be enabled
ACM certificates should have transparency logging enabled
CodeBuild projects should have logging enabled
ECS task definitions should have logging enabled
ELB application and classic load balancer logging should be enabled
Lambda functions CloudTrail logging should be enabled
OpenSearch domains should have audit logging enabled
Database logging should be enabled
Route 53 zones should have query logging enabled
S3 bucket logging should be enabled
S3 buckets object logging should be enabled
WAF web ACL logging should be enabled
BP02 Define and calculate metrics (Aggregation)
ECS clusters should have container insights enabled
Elastic Beanstalk enhanced health reporting should be enabled
REL07 How do you design your workload to adapt to changes in demand?
BP01 Use automation when obtaining or scaling resources
EC2 auto scaling groups should cover multiple availability zones
DynamoDB table auto scaling should be enabled
REL08 How do you implement change?
BP05 Deploy changes with automation
RDS DB instance automatic minor version upgrade should be enabled
REL09 How do you back up data?
BP02 Secure and encrypt backups
Backup recovery points should be encrypted
DynamoDB table should have encryption enabled
EBS default encryption should be enabled
EBS volume encryption at rest should be enabled
RDS DB instance encryption at rest should be enabled
RDS DB snapshots should be encrypted at rest
S3 bucket default encryption should be enabled
BP03 Perform data backup automatically
Backup recovery points manual deletion should be disabled
Backup recovery points should not expire before retention period
DynamoDB tables should be in a backup plan
DynamoDB table point-in-time recovery should be enabled
DynamoDB table should be protected by backup plan
EC2 instances should be protected by backup plan
ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
FSx file system should be protected by backup plan
RDS Aurora clusters should have backtracking enabled
RDS Aurora clusters should be protected by backup plan
RDS DB instance backup should be enabled
Security
SEC01 How do you securely operate your workload?
BP01 Separate workloads using accounts
AWS account should be part of AWS Organizations
BP02 Secure account root user and properties
IAM root user hardware MFA should be enabled
IAM root user MFA should be enabled
IAM root user should not have access keys
BP06 Automate testing and validation of security controls in pipelines
EC2 instances should be managed by AWS Systems Manager
ECR repositories should have image scan on push enabled
BP08 Evaluate and implement new security services and features regularly
CodeBuild project plaintext environment variables should not contain sensitive AWS values
SEC02 How do you manage identities for people and machines?
BP01 Use strong sign-in mechanisms
IAM password policies for users should have strong configurations
IAM users should have hardware MFA enabled
IAM user MFA should be enabled
IAM users with console access should have MFA enabled
IAM root user should not have access keys
IAM administrator users should have MFA enabled
SageMaker notebook instances root access should be disabled
BP02 Use temporary credentials
IAM user access keys should be rotated at least every 90 days
IAM user credentials that have not been used in 90 days should be disabled
Secrets Manager secrets should have automatic rotation enabled
Secrets Manager secrets should be rotated within specific number of days
Secrets Manager secrets should be rotated as per the rotation schedule
Secrets Manager secrets that have not been used in 90 days should be removed
BP03 Store and use secrets securely
CloudFormation stacks outputs should not have any secrets
EC2 instances user data should not have secrets
ECS task definition containers should not have secrets passed as environment variables
BP05 Audit and rotate credentials periodically
IAM user access keys should be rotated at least every 90 days
KMS CMK rotation should be enabled
Secrets Manager secrets should have automatic rotation enabled
SEC03 How do you manage permissions for people and machines?
BP01 Define access requirements
EC2 instances should use IMDSv2
EC2 instances should have IAM profile attached
ECS task definition container definitions should be checked for host mode
CloudWatch should not allow cross-account sharing
BP02 Grant least privilege access
ECS containers should be limited to read-only access to root filesystems
EMR cluster Kerberos should be enabled
EC2 instances should have IAM profile attached
BP03 Establish emergency access process
IAM groups should have at least one user
Ensure managed IAM policies should not allow blocked actions on KMS keys
BP04 Reduce permissions continuously
IAM policy should not have statements with admin access
BP05 Define permission guardrails for your organization
AWS account should be part of AWS Organizations
IAM user credentials that have not been used in 90 days should be disabled
BP06 Manage access based on lifecycle
IAM user credentials that have not been used in 90 days should be disabled
DMS replication instances should not be publicly accessible
Log group retention period should be at least 365 days
CodeBuild projects should not be unused for 90 days or greater
VPC EIPs should be associated with an EC2 instance or ENI
ECR repositories should have lifecycle policies configured
Ensure IAM password policy expires passwords within 90 days or less
BP07 Analyze public and cross-account access
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should not have a public IP address
ES domains should be in a VPC
OpenSearch domains should be in a VPC
EMR cluster master nodes should not have public IP addresses
EMR account public access should be blocked
EC2 instances should be in a VPC
Lambda functions should restrict public access
Lambda functions should be in a VPC
RDS DB instances should prohibit public access
RDS snapshots should prohibit public access
KMS CMK policies should prohibit public access
Redshift clusters should prohibit public access
S3 bucket policy should prohibit public access
S3 buckets should prohibit public write access
SageMaker notebook instances should not have direct internet access
Secrets Manager secrets that have not been used in 90 days should be removed
Auto Scaling launch config public IP should be disabled
Ensure the S3 bucket CloudTrail logs to is not publicly accessible
ECR repositories should prohibit public access
EKS clusters endpoint should restrict public access
ELB load balancers should prohibit public access
S3 public access should be blocked at account level
SNS topic policies should prohibit public access
SQS queue policies should prohibit public access
SSM documents should not be public
BP08 Share resources securely within your organization
DMS replication instances should not be publicly accessible
ES domains should be in a VPC
OpenSearch domains should be in a VPC
EC2 instances should be in a VPC
Lambda functions should be in a VPC
SageMaker notebook instances should not have direct internet access
Secrets Manager secrets that have not been used in 90 days should be removed
CodeBuild projects should not use a user-controlled buildspec
SEC04 How do you detect and investigate security events?
BP01 Configure service and application logging
API Gateway stage logging should be enabled
OpenSearch domains should have audit logging enabled
CloudTrail trails should be integrated with CloudWatch logs
All S3 buckets should log S3 data events in CloudTrail
ACM certificates should have transparency logging enabled
Lambda functions CloudTrail logging should be enabled
CloudFront distributions access logs should be enabled
3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
EKS clusters should have control plane audit logging enabled
ELB application and classic load balancer logging should be enabled
RDS DB instances should be integrated with CloudWatch logs
AWS Redshift audit logging should be enabled
Route 53 zones should have query logging enabled
S3 buckets object logging should be enabled
VPC flow logs should be enabled
BP02 Analyze logs, findings, and metrics centrally
Elasticsearch domain should send logs to CloudWatch
At least one multi-region AWS CloudTrail should be present in an account
Database logging should be enabled
VPC flow logs should be enabled
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
At least one trail should be enabled with security best practices
AWS Redshift audit logging should be enabled
AWS Config should be enabled
BP03 Automate response to events
Elasticsearch domain should send logs to CloudWatch
ELB application and classic load balancer logging should be enabled
At least one multi-region AWS CloudTrail should be present in an account
Database logging should be enabled
VPC flow logs should be enabled
Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
At least one trail should be enabled with security best practices
AWS Redshift audit logging should be enabled
SEC05 How do you protect your network resources?
BP01 Create network layers
ES domains should be in a VPC
OpenSearch domains should be in a VPC
EC2 instances should be in a VPC
Lambda functions should be in a VPC
AWS Redshift enhanced VPC routing should be enabled
ELB application load balancers should have Web Application Firewall (WAF) enabled
API Gateway stage should be associated with WAF
CloudFront distributions should have AWS WAF enabled
EKS clusters endpoint should restrict public access
SageMaker models should have network isolation enabled
SageMaker models should be in a VPC
SageMaker notebook instances should be in a VPC
SageMaker training jobs should have network isolation enabled
SageMaker training jobs should be in a VPC
BP02 Control traffic at all layers
DMS replication instances should not be publicly accessible
EBS snapshots should not be publicly restorable
EC2 instances should not use multiple ENIs
SageMaker notebook instances should not have direct internet access
VPC subnet auto assign public IP should be disabled
VPC default security group should not allow inbound and outbound traffic
API Gateway stages should have authorizers configured
S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
2.1.3 Ensure MFA Delete is enabled on S3 buckets
BP03 Automate network protection
DMS replication instances should not be publicly accessible
Auto Scaling launch config public IP should be disabled
Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
VPC Security groups should only allow unrestricted incoming traffic for authorized ports
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
VPC security groups should restrict ingress Kafka port access from 0.0.0.0/0
Security groups should not allow unrestricted access to ports with high risk
VPC security groups should restrict ingress redis access from 0.0.0.0/0
WAF global web ACL should have at least one rule or rule group
WAF global rule group should have at least one rule
VPC network access control lists (network ACLs) should be associated with a subnet
VPC default security group should not allow inbound and outbound traffic
EC2 instances should not be attached to 'launch wizard' security groups
Route53 domains privacy protection should be enabled
Route 53 domains should have transfer lock enabled
BP04 Implement inspection and protection
GuardDuty should be enabled
VPC flow logs should be enabled
API Gateway stages should have authorizers configured
SEC06 How do you protect your compute resources?
BP01 Perform vulnerability management
RDS DB instance automatic minor version upgrade should be enabled
CloudTrail trail log file validation should be enabled
At least one trail should be enabled with security best practices
EC2 instances should use IMDSv2
Public EC2 instances should have IAM profile attached
SSM managed instance patching should be compliant
BP02 Reduce attack surface
Lambda functions should be in a VPC
ECS clusters should have container insights enabled
ECS Fargate services should run on the latest Fargate platform version
BP03 Implement managed services
AWS Redshift should have required maintenance settings
EC2 instances should not use multiple ENIs
BP04 Automate compute protection
EC2 instances should have IAM profile attached
EC2 instances should be managed by AWS Systems Manager
EC2 instances should not use multiple ENIs
EC2 stopped instances should be removed in 30 days
BP05 Enable people to perform actions at a distance
EC2 instances should have IAM profile attached
EC2 instances should be managed by AWS Systems Manager
EC2 instances should not use multiple ENIs
EC2 stopped instances should be removed in 30 days
BP06 Validate software integrity
EBS volumes should be attached to EC2 instances
SSM managed instance associations should be compliant
SSM managed instance patching should be compliant
CloudTrail trail log file validation should be enabled
SEC08 How do you protect your data at rest?
BP01 Implement secure key management
API Gateway stage cache encryption at rest should be enabled
Backup recovery points should be encrypted
CodeBuild project artifact encryption should be enabled
CodeBuild project S3 logs should be encrypted
KMS keys should not be pending deletion
BP02 Enforce encryption at rest
EFS file system encryption at rest should be enabled
ES domain encryption at rest should be enabled
OpenSearch domains should have encryption at rest enabled
RDS DB instance encryption at rest should be enabled
RDS DB snapshots should be encrypted at rest
CloudTrail trail logs should be encrypted with KMS CMK
DynamoDB table should have encryption enabled
EBS default encryption should be enabled
EKS clusters should be configured to have kubernetes secrets encrypted using KMS
Glue dev endpoints CloudWatch logs encryption should be enabled
Glue dev endpoints job bookmark encryption should be enabled
Glue dev endpoints S3 encryption should be enabled
Glue jobs S3 encryption should be enabled
Glue jobs bookmarks encryption should be enabled
Glue jobs CloudWatch logs encryption should be enabled
SageMaker notebook instances should be encrypted using CMK
SageMaker training jobs should be enabled with inter-container traffic encryption
SageMaker training jobs volumes and outputs should have KMS encryption enabled
BP03 Automate data at rest protection
AWS Redshift audit logging should be enabled
AWS Redshift clusters should be encrypted with KMS
S3 bucket default encryption should be enabled
SageMaker endpoint configuration encryption should be enabled
SageMaker notebook instance encryption should be enabled
SageMaker notebook instances should be encrypted using CMK
BP04 Enforce access control
SNS topics should be encrypted at rest
S3 bucket versioning should be enabled
AWS account should be part of AWS Organizations
SEC09 How do you protect your data in transit?
BP01 Implement secure key and certificate management
ACM certificates should not expire within 30 days
ELB classic load balancers should use SSL certificates
ELB application and network load balancers should only use SSL or HTTPS listeners
BP02 Enforce encryption in transit
ELB application load balancers should drop HTTP headers
ELB application load balancers should redirect HTTP requests to HTTPS
Elasticsearch domain node-to-node encryption should be enabled
API Gateway stage should use SSL certificate
OpenSearch domains node-to-node encryption should be enabled
OpenSearch domains should use HTTPS
CloudFront distributions should encrypt traffic to custom origins
CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
ELB listeners should use secure SSL cipher
S3 buckets should enforce SSL
BP03 Automate detection of unintended data access
Redshift cluster encryption in transit should be enabled
BP04 Authenticate network communications
ELB classic load balancers should only use SSL or HTTPS listeners
VPC flow logs should be enabled
SEC10 How do you anticipate, respond to, and recover from incidents?
BP01 Identify key personnel and external resources
Ensure a support role has been created to manage incidents with AWS Support
SEC11 How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle?
BP01 Identify key personnel and external resources
ECR repositories should have image scan on push enabled
Control: EC2 stopped instances should be removed in 30 days
This control is from a mod dependency:
aws_compliance.control.ec2_stopped_instance_30_days