| Account name | Account ID | Collection date |
|---|---|---|
| NCCGroup-BascWorkshop | XXXXXXXXXXXX | 2019-11-27 |
S3 buckets |
EC2 instances |
ELBs |
ELBv2s |
RDS instances |
Redshift clusters |
ElasticSearch domains |
Elasticache clusters |
SNS topics |
SQS queues |
CloudFronts |
Autoscaling groups |
ElasticBeanstalks |
Firehose streams |
Glacier vaults |
KMS keys |
Lambda functions |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NCCGroup-BascWorkshop | 8 | 2 | 1 | 1 | 1 | 1 | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 0 | 1 | 11 | 0 |
This table shows whether a region contains the resources being counted. Currently all S3 buckets, no matter their location, and CloudFronts, are identified as being in us-east-1.
eu-north-1 |
ap-south-1 |
eu-west-3 |
eu-west-2 |
eu-west-1 |
ap-northeast-2 |
ap-northeast-1 |
sa-east-1 |
ca-central-1 |
ap-southeast-1 |
ap-southeast-2 |
eu-central-1 |
us-east-1 |
us-east-2 |
us-west-1 |
us-west-2 |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NCCGroup-BascWorkshop | YS3 buckets:8 EC2 instances:2 ELBs:1 ELBv2s:1 RDS instances:1 Redshift clusters:1 ElasticSearch domains:1 SNS topics:1 SQS queues:1 Glacier vaults:1 KMS keys:11 |
ec2 |
elb |
elbv2 |
rds |
redshift |
ecs |
autoscaling |
cloudfront |
apigateway |
|
|---|---|---|---|---|---|---|---|---|---|
| NCCGroup-BascWorkshop | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Severity: Medium
Issue ID: GUARDDUTY_OFF
GuardDuty is an AWS threat detection service that detects compromised access keys, EC2 instances, and more. It should be enabled in all regions.
Severity: High
Issue ID: S3_PUBLIC_ACL
Access to S3 buckets should be controlled by policies, not ACL. ACLs result in overly permissive privileges to list the contents of the bucket.
{
"Grantee": {
"Type": "Group",
"URI": "http://acs.amazonaws.com/groups/global/AllUsers"
},
"Permission": "READ"
}
Severity: Info
Issue ID: S3_PUBLIC_POLICY_GETOBJECT_ONLY
This is the right way to make an S3 bucket public when you don't want to put CloudFront in front of it. This may be done when a third-party caching service is being used and you don't care about direct access to the S3 bucket.
Severity: High
Issue ID: S3_PUBLIC_POLICY
This S3 bucket allows more public access than simply GetObject. These public privileges should be reduced.
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::sadcloudhetonlys320191127153143116700000003/*\",\"arn:aws:s3:::sadcloudhetonlys320191127153143116700000003\"]}]}"
Severity: Low
Issue ID: S3_ACCESS_BLOCK_OFF
This control prevents S3 buckets from being made public. If there are no public S3 buckets in the account this should be turned on.
Severity: Low
Issue ID: IAM_CUSTOM_POLICY_ALLOWS_ADMIN
Instead of using the AdministratorAccess policy, a custom policy was created that does the same thing, or allows escalation to the same thing.
{
"policy": {
"Statement": [
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
{
"policy": {
"Statement": [
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
{
"comment": "Role has custom policy allowing admin",
"policy": {
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"ec2:Describe*"
],
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
{
"comment": "Group has custom policy allowing admin",
"policy": {
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"ec2:*"
],
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
{
"comment": "User has custom policy allowing admin",
"policy": {
"Statement": [
{
"Effect": "Allow",
"NotAction": "s3:DeleteBucket",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
Severity: Medium
Issue ID: IAM_NOTACTION_ALLOW
Using NotAction in an Allow policy almost always results in unwanted actions being allowed and should be avoided.
{
"Statement": {
"Effect": "Allow",
"NotAction": [
"ec2:Describe*"
],
"Resource": "*"
}
}
{
"Statement": {
"Effect": "Allow",
"NotAction": [
"ec2:*"
],
"Resource": "*"
}
}
{
"Statement": {
"Effect": "Allow",
"NotAction": "s3:DeleteBucket",
"Resource": "*"
}
}
Severity: High
Issue ID: IAM_UNEXPECTED_ADMIN_PRINCIPAL
Admins in an account should be assumed by people. This rule detects IAM Roles that can be granted to EC2s and other services, that has admin privileges.
{
"comment": "Unexpected Principal in AssumeRolePolicyDocument for an admin",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
Severity: High
Issue ID: IAM_ROLE_ALLOWS_ASSUMPTION_FROM_ANYWHERE
The IAM role's trust policy allows any other account to assume it.
{
"statement": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
},
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Sid": ""
}
],
"Version": "2012-10-17"
}
}
Severity: Low
Issue ID: IAM_NAME_DOES_NOT_INDICATE_ADMIN
This IAM Group grants admin privileges, but the name does not indicate it is for admins.
Severity: High
Issue ID: IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL
The ability to list s3 buckets, and get objects from them, should be restricted largely to people as compromising an EC2 with this privilege could lead to exfiltration of data.
{
"comment": "Unexpected Principal in AssumeRolePolicyDocument for an admin",
"Principal": {
"Service": "cloudformation.amazonaws.com"
}
}
Severity: Low
Issue ID: PASSWORD_POLICY_CHARACTER_MINIMUM
A password length requirement helps ensure strong passwords are used by IAM Users. Setting a password policy does not impact existing users, so after setting this, you should ensure users reset their passwords so that they are in compliance.
{
"MinimumPasswordLength": 6
}
Severity: Low
Issue ID: PASSWORD_POLICY_CHARACTER_SET_REQUIREMENTS
A password character set requirement help ensure strong passwords are used by IAM Users. Setting a password policy does not impact existing users, so after setting this, you should ensure users reset their passwords so that they are in compliance.
{
"Policy lacks": [
"RequireNumbers",
"RequireSymbols",
"RequireLowercaseCharacters",
"RequireUppercaseCharacters"
]
}
Severity: Medium
Issue ID: USER_WITH_PASSWORD_LOGIN_BUT_NO_MFA
MFA (multi-factor authentication) helps mitigate user account take-over.
{
"Number of days since user was created": 47
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
Severity: Low
Issue ID: USER_HAS_TWO_ACCESS_KEYS
A user should only have one access key. The ability to have multiple access keys is only for when an access key is being rolled, and the old one should be removed. The user should identify one access key to use and the other should be removed.
{
"Number of days since key1 was rotated": 38,
"Number of days since key2 was rotated": 39
}
Severity: Medium
Issue ID: USER_HAS_NEVER_LOGGED_IN
The password for these users should be removed. If the user has no access keys, the user should be removed. The password may be a default password or may have been transmitted to the user insecurely, such that the user account may be compromised.
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
{
"Number of days since user was created": 53
}
Severity: Low
Issue ID: RDS_PUBLIC_IP
Check whether this RDS instance is publicly accessible. Best practice is to put RDS instances in private subnets and not give them public IPs.
Severity: Medium
Issue ID: ECR_PUBLIC
The Amazon Elastic Container Registry (ECR) stores docker images. These may contain sensitive information. These are somewhat hard for an attacker to find, but should not be made public.
"{\n \"Version\" : \"2008-10-17\",\n \"Statement\" : [ {\n \"Sid\" : \"AllowPull\",\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : [ \"ecr:GetDownloadUrlForLayer\", \"ecr:BatchGetImage\", \"ecr:BatchCheckLayerAvailability\", \"ecr:PutImage\", \"ecr:InitiateLayerUpload\", \"ecr:UploadLayerPart\", \"ecr:CompleteLayerUpload\", \"ecr:DescribeRepositories\", \"ecr:GetRepositoryPolicy\", \"ecr:ListImages\", \"ecr:DeleteRepository\", \"ecr:BatchDeleteImage\", \"ecr:SetRepositoryPolicy\", \"ecr:DeleteRepositoryPolicy\" ]\n } ]\n}"
Severity: Medium
Issue ID: REDSHIFT_PUBLIC_IP
Redshift databases should be in private subnets. Databases should not have public IPs. You should additionally check if the Security Groups associated with this are allowing it to be publicly accessible.
Severity: High
Issue ID: ES_PUBLIC
ElasticSearch databases should be public. Change the resource policy to fix this.
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:XXXXXXXXXXXX:domain/sadcloud/*\"}]}"
Severity: Low
Issue ID: SG_CIDR_OVERLAPS
This often happens when one attempts to restrict access, then opens up the access further.
{
"cidr1": "162.168.2.0/24",
"cidr2": "162.168.2.0/25"
}
Severity: Info
Issue ID: SG_CIDR_UNNEEDED
The CIDR in the Security Group cannot be blocked, so including it is not necessary.
{
"cidr": "127.0.0.0/8"
}
Severity: Info
Issue ID: SG_CIDR_UNEXPECTED
The CIDR in the Security Group is formatted oddly.
{
"cidr": "0.0.0.0/8"
}
Severity: Info
Issue ID: SG_LARGE_CIDR
The CIDR in a Security Group in the account contains a large IP range, defeating the purpose of restricting access with a Security Group
{
"size": 65536,
"security_groups": [
"sg-05f97c10c069b9be0"
]
}
{
"size": 65536,
"security_groups": [
"sg-0e8eb6c1dd1623af7"
]
}
Severity: Medium
Issue ID: GLACIER_PUBLIC
Glacier is a storage service like S3. These vaults are harder to find, but may still contain sensitive information. The resource policy should be locked down to allow access only by certain accounts.
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"public\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"glacier:*\",\"Resource\":\"arn:aws:glacier:us-east-1:XXXXXXXXXXXX:vaults/sadcloud_public_vault\"}]}"
Severity: Medium
Issue ID: KMS_PUBLIC
This may allow an attacker to decrypt data using the KMS key.
"{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"key-insecure-1\",\n \"Statement\" : [ {\n \"Sid\" : \"Default IAM policy for KMS keys\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:*\",\n \"Resource\" : \"*\"\n } ]\n}"
"{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"key-insecure-1\",\n \"Statement\" : [ {\n \"Sid\" : \"Default IAM policy for KMS keys\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:*\",\n \"Resource\" : \"*\"\n } ]\n}"
"{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"key-insecure-1\",\n \"Statement\" : [ {\n \"Sid\" : \"Default IAM policy for KMS keys\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:*\",\n \"Resource\" : \"*\"\n } ]\n}"
"{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"key-insecure-1\",\n \"Statement\" : [ {\n \"Sid\" : \"Default IAM policy for KMS keys\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:*\",\n \"Resource\" : \"*\"\n } ]\n}"
Severity: Medium
Issue ID: SQS_PUBLIC
This may allow an attacker to read or write messages to this queue.
"{\"Version\":\"2012-10-17\",\"Id\":\"sqspolicy\",\"Statement\":[{\"Sid\":\"First\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:*\",\"Resource\":\"arn:aws:sqs:us-east-1:XXXXXXXXXXXX:sadcloud\"}]}"
Severity: Medium
Issue ID: SNS_PUBLIC
This may allow an attacker to read or write messages to this queue.
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:Subscribe\",\"SNS:SetTopicAttributes\",\"SNS:RemovePermission\",\"SNS:Receive\",\"SNS:Publish\",\"SNS:ListSubscriptionsByTopic\",\"SNS:GetTopicAttributes\",\"SNS:DeleteTopic\",\"SNS:AddPermission\"],\"Resource\":\"arn:aws:sns:us-east-1:XXXXXXXXXXXX:sadcloud\"}]}"
Severity: Info
Issue ID: LIGHTSAIL_IN_USE
There is nothing wrong with Lightsail, but it does not tend to be used in enterprises. The instances often were created while testing something and forgotten about.
{
"instance count": 1
}