_ _ __ _ __ _____ _| | ___ _ __ | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__| | |_) | | | (_) \ V V /| | __/ | | .__/|_| \___/ \_/\_/ |_|\___|_|v2.1.0 |_| the handy cloud security tool Date: Wed Nov 27 11:40:14 EST 2019 Colors code for results: INFO (Information), PASS (Recommended value), FAIL (Fix required), Not Scored This report is being generated using credentials below: AWS-CLI Profile: [basc] AWS API Region: [us-east-1] AWS Filter Region: [all] Caller Identity: ---------------------------------------------------- | GetCallerIdentity | +---------+----------------------------------------+ | Account| XXXXXXXXXXXX | | Arn | arn:aws:iam::XXXXXXXXXXXX:user/rami | | UserId | AIDAVYKGZEV6VVEJD6YPD | +---------+----------------------------------------+ 1.0 Identity and Access Management - [group1] ********************** 0.1 Generating AWS IAM Credential Report... 1.1 [check11] Avoid the use of the root account (Scored) INFO! Root account last accessed (password key_1 key_2): 2019-11-26T18:27:54+00:00 N/A N/A 1.2 [check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored) FAIL! User jdow has Password enabled but MFA disabled FAIL! User student-10 has Password enabled but MFA disabled FAIL! User student-11 has Password enabled but MFA disabled FAIL! User student-12 has Password enabled but MFA disabled FAIL! User student-13 has Password enabled but MFA disabled FAIL! User student-14 has Password enabled but MFA disabled FAIL! User student-15 has Password enabled but MFA disabled FAIL! User student-16 has Password enabled but MFA disabled FAIL! User student-17 has Password enabled but MFA disabled FAIL! User student-18 has Password enabled but MFA disabled FAIL! User student-19 has Password enabled but MFA disabled FAIL! User student-2 has Password enabled but MFA disabled FAIL! User student-20 has Password enabled but MFA disabled FAIL! User student-21 has Password enabled but MFA disabled FAIL! User student-3 has Password enabled but MFA disabled FAIL! User student-4 has Password enabled but MFA disabled FAIL! User student-5 has Password enabled but MFA disabled FAIL! User student-6 has Password enabled but MFA disabled FAIL! User student-7 has Password enabled but MFA disabled FAIL! User student-8 has Password enabled but MFA disabled FAIL! User student-9 has Password enabled but MFA disabled 1.3 [check13] Ensure credentials unused for 90 days or greater are disabled (Scored) PASS! User "jdow" found with credentials used in the last 90 days PASS! User "student-10" found with credentials used in the last 90 days FAIL! User "student-11" has not logged in during the last 90 days FAIL! User "student-12" has not logged in during the last 90 days FAIL! User "student-13" has not logged in during the last 90 days FAIL! User "student-14" has not logged in during the last 90 days FAIL! User "student-15" has not logged in during the last 90 days PASS! User "student-16" found with credentials used in the last 90 days PASS! User "student-17" found with credentials used in the last 90 days PASS! User "student-18" found with credentials used in the last 90 days FAIL! User "student-19" has not logged in during the last 90 days FAIL! User "student-2" has not logged in during the last 90 days PASS! User "student-20" found with credentials used in the last 90 days FAIL! User "student-21" has not logged in during the last 90 days FAIL! User "student-3" has not logged in during the last 90 days FAIL! User "student-4" has not logged in during the last 90 days PASS! User "student-5" found with credentials used in the last 90 days PASS! User "student-6" found with credentials used in the last 90 days FAIL! User "student-7" has not logged in during the last 90 days PASS! User "student-8" found with credentials used in the last 90 days PASS! User "student-9" found with credentials used in the last 90 days 1.4 [check14] Ensure access keys are rotated every 90 days or less (Scored) PASS! No users with access key 1 older than 90 days. PASS! No users with access key 2 older than 90 days. 1.5 [check15] Ensure IAM password policy requires at least one uppercase letter (Scored) FAIL! Password Policy missing upper-case requirement 1.6 [check16] Ensure IAM password policy require at least one lowercase letter (Scored) FAIL! Password Policy missing lower-case requirement 1.7 [check17] Ensure IAM password policy require at least one symbol (Scored) FAIL! Password Policy missing symbol requirement 1.8 [check18] Ensure IAM password policy require at least one number (Scored) FAIL! Password Policy missing number requirement 1.9 [check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored) FAIL! Password Policy missing or weak length requirement 1.10 [check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored) FAIL! Password Policy has weak reuse requirement (lower than 24) 1.11 [check111] Ensure IAM password policy expires passwords within 90 days or less (Scored) FAIL! Password expiration is not set 1.12 [check112] Ensure no root account access key exists (Scored) PASS! No access key 1 found for root PASS! No access key 2 found for root 1.13 [check113] Ensure MFA is enabled for the root account (Scored) PASS! Virtual MFA is enabled for root 1.14 [check114] Ensure hardware MFA is enabled for the root account (Scored) FAIL! Only Virtual MFA is enabled for root 1.15 [check115] Ensure security questions are registered in the AWS account (Not Scored) INFO! No command available for check 1.15 INFO! Login to the AWS Console as root & click on the Account INFO! Name -> My Account -> Configure Security Challenge Questions 1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored) FAIL! jdow has managed policy directly attached FAIL! rami has managed policy directly attached FAIL! sadcloudInlineUser has inline policy directly attached 1.17 [check117] Maintain current contact details (Not Scored) INFO! No command available for check 1.17 INFO! See section 1.17 on the CIS Benchmark guide for details 1.18 [check118] Ensure security contact information is registered (Not Scored) INFO! No command available for check 1.18 INFO! See section 1.18 on the CIS Benchmark guide for details 1.19 [check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) INFO! No command available for check 1.19 INFO! See section 1.19 on the CIS Benchmark guide for details 1.20 [check120] Ensure a support role has been created to manage incidents with AWS Support (Scored) FAIL! Support Policy not applied to any Role 1.21 [check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored) PASS! No users found with Access Key 1 never used PASS! No users found with Access Key 2 never used 1.22 [check122] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored) INFO! Looking for custom policies: (skipping default policies - it may take few seconds...) INFO! List of custom policies: FAIL! Policy arn:aws:iam::XXXXXXXXXXXX:policy/sadcloud_superuser_policy allows "*:*" FAIL! Policy arn:aws:iam::XXXXXXXXXXXX:policy/wildcard_IAM_policy20191127153143207000000004 allows "*:*" 2.0 Logging - [group2] ********************************************* 2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored) PASS! Basc2019-PreBuiltDemo trail in us-east-1 is enabled for all regions 2.2 [check22] Ensure CloudTrail log file validation is enabled (Scored) PASS! Basc2019-PreBuiltDemo trail in us-east-1 has log file validation enabled 2.3 [check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored) PASS! Bucket basc2019-prebuiltdemo is set correctly 2.4 [check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored) FAIL! Basc2019-PreBuiltDemo trail is not logging in the last 24h or not configured (it is in us-east-1) 2.5 [check25] Ensure AWS Config is enabled in all regions (Scored) FAIL! Region eu-north-1 has AWS Config disabled or not configured FAIL! Region ap-south-1 has AWS Config disabled or not configured FAIL! Region eu-west-3 has AWS Config disabled or not configured FAIL! Region eu-west-2 has AWS Config disabled or not configured FAIL! Region eu-west-1 has AWS Config disabled or not configured FAIL! Region ap-northeast-2 has AWS Config disabled or not configured FAIL! Region ap-northeast-1 has AWS Config disabled or not configured FAIL! Region sa-east-1 has AWS Config disabled or not configured FAIL! Region ca-central-1 has AWS Config disabled or not configured FAIL! Region ap-southeast-1 has AWS Config disabled or not configured FAIL! Region ap-southeast-2 has AWS Config disabled or not configured FAIL! Region eu-central-1 has AWS Config disabled or not configured PASS! Region us-east-1 has AWS Config recorder: ON FAIL! Region us-east-2 has AWS Config disabled or not configured FAIL! Region us-west-1 has AWS Config disabled or not configured FAIL! Region us-west-2 has AWS Config disabled or not configured 2.6 [check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored) INFO! CloudTrail S3 bucket basc2019-prebuiltdemo for trail Basc2019-PreBuiltDemo is not in current account 2.7 [check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored) FAIL! Encryption is not enabled in your CloudTrail trail Basc2019-PreBuiltDemo (KMS key not found)! 2.8 [check28] Ensure rotation for customer created CMKs is enabled (Scored) INFO! eu-north-1: This region doesn't have ANY encryption keys INFO! ap-south-1: This region doesn't have ANY encryption keys INFO! eu-west-3: This region doesn't have ANY encryption keys INFO! eu-west-2: This region doesn't have ANY encryption keys INFO! eu-west-1: This region doesn't have ANY encryption keys INFO! ap-northeast-2: This region doesn't have ANY encryption keys INFO! ap-northeast-1: This region doesn't have ANY encryption keys INFO! sa-east-1: This region doesn't have ANY encryption keys INFO! ca-central-1: This region doesn't have ANY encryption keys INFO! ap-southeast-1: This region doesn't have ANY encryption keys INFO! ap-southeast-2: This region doesn't have ANY encryption keys INFO! eu-central-1: This region doesn't have ANY encryption keys PASS! us-east-1: Key 8ac6e207-e518-4523-9c2c-a9ee0e26145b is set correctly FAIL! us-east-1: Key d0d9a7b9-2951-48b7-bbea-eaa93a79c0a4 is not set to rotate! INFO! us-east-2: This region doesn't have ANY encryption keys INFO! us-west-1: This region doesn't have ANY encryption keys INFO! us-west-2: This region doesn't have ANY encryption keys 2.9 [check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored) FAIL! No VPCFlowLog has been found in Region eu-north-1 FAIL! No VPCFlowLog has been found in Region ap-south-1 FAIL! No VPCFlowLog has been found in Region eu-west-3 FAIL! No VPCFlowLog has been found in Region eu-west-2 FAIL! No VPCFlowLog has been found in Region eu-west-1 FAIL! No VPCFlowLog has been found in Region ap-northeast-2 FAIL! No VPCFlowLog has been found in Region ap-northeast-1 FAIL! No VPCFlowLog has been found in Region sa-east-1 FAIL! No VPCFlowLog has been found in Region ca-central-1 FAIL! No VPCFlowLog has been found in Region ap-southeast-1 FAIL! No VPCFlowLog has been found in Region ap-southeast-2 FAIL! No VPCFlowLog has been found in Region eu-central-1 FAIL! No VPCFlowLog has been found in Region us-east-1 FAIL! No VPCFlowLog has been found in Region us-east-1 FAIL! No VPCFlowLog has been found in Region us-east-2 FAIL! No VPCFlowLog has been found in Region us-west-1 FAIL! No VPCFlowLog has been found in Region us-west-2 3.0 Monitoring - [group3] ****************************************** 3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.2 [check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.3 [check33] Ensure a log metric filter and alarm exist for usage of root account (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.4 [check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.5 [check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.6 [check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.7 [check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.8 [check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.9 [check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.10 [check310] Ensure a log metric filter and alarm exist for security group changes (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.11 [check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.12 [check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.13 [check313] Ensure a log metric filter and alarm exist for route table changes (Scored) FAIL! No CloudWatch group found for CloudTrail events 3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored) FAIL! No CloudWatch group found for CloudTrail events 4.0 Networking - [group4] ****************************************** 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored) PASS! No Security Groups found in eu-north-1 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ap-south-1 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in eu-west-3 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in eu-west-2 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in eu-west-1 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ap-northeast-2 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ap-northeast-1 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in sa-east-1 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ca-central-1 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ap-southeast-1 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ap-southeast-2 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in eu-central-1 with port 22 TCP open to 0.0.0.0/0 FAIL! Found Security Group: sg-022fe349f5a8729ce open to 0.0.0.0/0 in Region us-east-1 FAIL! Found Security Group: sg-05e9aef5d224991be open to 0.0.0.0/0 in Region us-east-1 FAIL! Found Security Group: sg-0aacd7521218eb993 open to 0.0.0.0/0 in Region us-east-1 FAIL! Found Security Group: sg-0c45e7fed2e85b95b open to 0.0.0.0/0 in Region us-east-1 FAIL! Found Security Group: sg-0d32d0c4a5a6a0ccc open to 0.0.0.0/0 in Region us-east-1 PASS! No Security Groups found in us-east-2 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in us-west-1 with port 22 TCP open to 0.0.0.0/0 PASS! No Security Groups found in us-west-2 with port 22 TCP open to 0.0.0.0/0 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored) PASS! No Security Groups found in eu-north-1 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ap-south-1 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in eu-west-3 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in eu-west-2 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in eu-west-1 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ap-northeast-2 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ap-northeast-1 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in sa-east-1 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ca-central-1 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ap-southeast-1 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in ap-southeast-2 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in eu-central-1 with port 3389 TCP open to 0.0.0.0/0 FAIL! Found Security Group: sg-022fe349f5a8729ce open to 0.0.0.0/0 in Region us-east-1 FAIL! Found Security Group: sg-0aacd7521218eb993 open to 0.0.0.0/0 in Region us-east-1 FAIL! Found Security Group: sg-0d32d0c4a5a6a0ccc open to 0.0.0.0/0 in Region us-east-1 PASS! No Security Groups found in us-east-2 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in us-west-1 with port 3389 TCP open to 0.0.0.0/0 PASS! No Security Groups found in us-west-2 with port 3389 TCP open to 0.0.0.0/0 4.3 [check43] Ensure the default security group of every VPC restricts all traffic (Scored) FAIL! Default Security Groups (sg-d9e049b2) found that allow 0.0.0.0 IN or OUT traffic in Region eu-north-1 FAIL! Default Security Groups (sg-e34a0e8d) found that allow 0.0.0.0 IN or OUT traffic in Region ap-south-1 FAIL! Default Security Groups (sg-97039dfa) found that allow 0.0.0.0 IN or OUT traffic in Region eu-west-3 FAIL! Default Security Groups (sg-8b6607e5) found that allow 0.0.0.0 IN or OUT traffic in Region eu-west-2 FAIL! Default Security Groups (sg-951c16e3) found that allow 0.0.0.0 IN or OUT traffic in Region eu-west-1 FAIL! Default Security Groups (sg-5463d935) found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-2 FAIL! Default Security Groups (sg-480eca38) found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-1 FAIL! Default Security Groups (sg-75bb840f) found that allow 0.0.0.0 IN or OUT traffic in Region sa-east-1 FAIL! Default Security Groups (sg-0f096f60) found that allow 0.0.0.0 IN or OUT traffic in Region ca-central-1 FAIL! Default Security Groups (sg-ab2b43d4) found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-1 FAIL! Default Security Groups (sg-9176c5ef) found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-2 FAIL! Default Security Groups (sg-eab6d388) found that allow 0.0.0.0 IN or OUT traffic in Region eu-central-1 FAIL! Default Security Groups (sg-0cb9e75c) found that allow 0.0.0.0 IN or OUT traffic in Region us-east-1 FAIL! Default Security Groups (sg-0fc9567eb8aee2c90) found that allow 0.0.0.0 IN or OUT traffic in Region us-east-1 FAIL! Default Security Groups (sg-3b5bcb59) found that allow 0.0.0.0 IN or OUT traffic in Region us-east-2 FAIL! Default Security Groups (sg-71045d0e) found that allow 0.0.0.0 IN or OUT traffic in Region us-west-1 FAIL! Default Security Groups (sg-e2dbc7a1) found that allow 0.0.0.0 IN or OUT traffic in Region us-west-2 4.4 [check44] Ensure routing tables for VPC peering are "least access" (Not Scored) INFO! Looking for VPC peering in all regions... PASS! eu-north-1: No VPC peering found PASS! ap-south-1: No VPC peering found PASS! eu-west-3: No VPC peering found PASS! eu-west-2: No VPC peering found PASS! eu-west-1: No VPC peering found PASS! ap-northeast-2: No VPC peering found PASS! ap-northeast-1: No VPC peering found PASS! sa-east-1: No VPC peering found PASS! ca-central-1: No VPC peering found PASS! ap-southeast-1: No VPC peering found PASS! ap-southeast-2: No VPC peering found PASS! eu-central-1: No VPC peering found PASS! us-east-1: No VPC peering found PASS! us-east-2: No VPC peering found PASS! us-west-1: No VPC peering found PASS! us-west-2: No VPC peering found 7.0 Extras - [extras] ********************************************** 7.1 [extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark) INFO! sadcloudInlineGroup group provides non-administrative access INFO! sadcloud_superuser group provides non-administrative access INFO! Students group provides non-administrative access 7.2 [extra72] Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark) INFO! Looking for EBS Snapshots in all regions... PASS! us-east-1: snap-0fc4f7ab9f60bda78 is not Public 7.3 [extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark) INFO! Looking for open S3 Buckets (ACLs and Policies) in all regions... PASS! us-east-1: basc2019-prebuiltdemo bucket is not open PASS! us-east-1: config-bucket-XXXXXXXXXXXX bucket is not open FAIL! us-east-1: (bucket: sadcloud-s3-stack-s3bucket-1o9nhbfprv2wb) ALLUSERS_ACL: bucket ACL is open to the Internet (Everyone) with permissions: READ | AUTHUSERS_ACL: Ok | BUCKET_POLICY: Ok PASS! us-east-1: sadcloud-secret-stack-s3bucket-bhe21sijjdya bucket is not open PASS! us-east-1: sadcloud20191127153146245900000009 bucket is not open PASS! us-east-1: sadcloudhetonlys320191127153142068600000001 bucket is not open PASS! us-east-1: sadcloudhetonlys320191127153143116700000003 bucket is not open PASS! us-east-1: sadelb20191127153142073000000002 bucket is not open 7.4 [extra74] Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark) INFO! Looking for Security Groups in all regions... INFO! us-east-1: sg-022fe349f5a8729ce has no ingress filtering but it is not being used FAIL! us-east-1: sg-03766005a1346f503 has no ingress filtering and it is being used! INFO! us-east-1: sg-05e91ae8856eb74dd has no ingress filtering but it is not being used INFO! us-east-1: sg-05e9aef5d224991be has no ingress filtering but it is not being used INFO! us-east-1: sg-0aacd7521218eb993 has no ingress filtering but it is not being used FAIL! us-east-1: sg-0c45e7fed2e85b95b has no ingress filtering and it is being used! INFO! us-east-1: sg-0c96d68ff91bee750 has no ingress filtering but it is not being used INFO! us-east-1: sg-0d0ca203e03d6df90 has no ingress filtering but it is not being used INFO! us-east-1: sg-0d32d0c4a5a6a0ccc has no ingress filtering but it is not being used 7.5 [extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark) INFO! Looking for Security Groups in all regions... FAIL! eu-north-1: sg-d9e049b2 is not being used! FAIL! ap-south-1: sg-e34a0e8d is not being used! FAIL! eu-west-3: sg-97039dfa is not being used! FAIL! eu-west-2: sg-8b6607e5 is not being used! FAIL! eu-west-1: sg-951c16e3 is not being used! FAIL! ap-northeast-2: sg-5463d935 is not being used! FAIL! ap-northeast-1: sg-480eca38 is not being used! FAIL! sa-east-1: sg-75bb840f is not being used! FAIL! ca-central-1: sg-0f096f60 is not being used! FAIL! ap-southeast-1: sg-ab2b43d4 is not being used! FAIL! ap-southeast-2: sg-9176c5ef is not being used! FAIL! eu-central-1: sg-eab6d388 is not being used! FAIL! us-east-1: sg-01dd978939ff79a94 is not being used! FAIL! us-east-1: sg-022bd2c733a900531 is not being used! FAIL! us-east-1: sg-022fe349f5a8729ce is not being used! PASS! us-east-1: sg-03766005a1346f503 is being used FAIL! us-east-1: sg-05e91ae8856eb74dd is not being used! FAIL! us-east-1: sg-05e9aef5d224991be is not being used! FAIL! us-east-1: sg-05f97c10c069b9be0 is not being used! FAIL! us-east-1: sg-09be13d229d0655c1 is not being used! FAIL! us-east-1: sg-0a74dde934a3634f9 is not being used! FAIL! us-east-1: sg-0aacd7521218eb993 is not being used! FAIL! us-east-1: sg-0af580f5256245d47 is not being used! PASS! us-east-1: sg-0c45e7fed2e85b95b is being used FAIL! us-east-1: sg-0c96d68ff91bee750 is not being used! FAIL! us-east-1: sg-0cb9e75c is not being used! FAIL! us-east-1: sg-0d0ca203e03d6df90 is not being used! FAIL! us-east-1: sg-0d32d0c4a5a6a0ccc is not being used! FAIL! us-east-1: sg-0e8eb6c1dd1623af7 is not being used! PASS! us-east-1: sg-0fc9567eb8aee2c90 is being used FAIL! us-east-2: sg-3b5bcb59 is not being used! FAIL! us-west-1: sg-71045d0e is not being used! FAIL! us-west-2: sg-e2dbc7a1 is not being used! 7.6 [extra76] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark) INFO! Looking for AMIs in all regions... PASS! eu-north-1: No Public AMIs found PASS! ap-south-1: No Public AMIs found PASS! eu-west-3: No Public AMIs found PASS! eu-west-2: No Public AMIs found PASS! eu-west-1: No Public AMIs found PASS! ap-northeast-2: No Public AMIs found PASS! ap-northeast-1: No Public AMIs found PASS! sa-east-1: No Public AMIs found PASS! ca-central-1: No Public AMIs found PASS! ap-southeast-1: No Public AMIs found PASS! ap-southeast-2: No Public AMIs found PASS! eu-central-1: No Public AMIs found PASS! us-east-1: No Public AMIs found PASS! us-east-2: No Public AMIs found PASS! us-west-1: No Public AMIs found PASS! us-west-2: No Public AMIs found 7.7 [extra77] Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark) INFO! Looking for ECR repos in all regions... FAIL! us-east-1: sadcloud policy "may" allow Anonymous users to perform actions (Principal: "*") 7.8 [extra78] Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark) INFO! Looking for RDS instances in all regions... PASS! eu-north-1: no Publicly Accessible RDS instances found PASS! ap-south-1: no Publicly Accessible RDS instances found PASS! eu-west-3: no Publicly Accessible RDS instances found PASS! eu-west-2: no Publicly Accessible RDS instances found PASS! eu-west-1: no Publicly Accessible RDS instances found PASS! ap-northeast-2: no Publicly Accessible RDS instances found PASS! ap-northeast-1: no Publicly Accessible RDS instances found PASS! sa-east-1: no Publicly Accessible RDS instances found PASS! ca-central-1: no Publicly Accessible RDS instances found PASS! ap-southeast-1: no Publicly Accessible RDS instances found PASS! ap-southeast-2: no Publicly Accessible RDS instances found PASS! eu-central-1: no Publicly Accessible RDS instances found FAIL! us-east-1: RDS instance: terraform-2019112715315400040000000f at terraform-2019112715315400040000000f.c8ajxmmdw6bx.us-east-1.rds.amazonaws.com is set as Publicly Accessible! PASS! us-east-2: no Publicly Accessible RDS instances found PASS! us-west-1: no Publicly Accessible RDS instances found PASS! us-west-2: no Publicly Accessible RDS instances found 7.9 [extra79] Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark) INFO! Looking for Elastic Load Balancers in all regions... PASS! eu-north-1: no Internet Facing ELBs found PASS! ap-south-1: no Internet Facing ELBs found PASS! eu-west-3: no Internet Facing ELBs found PASS! eu-west-2: no Internet Facing ELBs found PASS! eu-west-1: no Internet Facing ELBs found PASS! ap-northeast-2: no Internet Facing ELBs found PASS! ap-northeast-1: no Internet Facing ELBs found PASS! sa-east-1: no Internet Facing ELBs found PASS! ca-central-1: no Internet Facing ELBs found PASS! ap-southeast-1: no Internet Facing ELBs found PASS! ap-southeast-2: no Internet Facing ELBs found PASS! eu-central-1: no Internet Facing ELBs found FAIL! us-east-1: ELB: sadcloud-elb at DNS: sadcloud-elb-492701746.us-east-1.elb.amazonaws.com is internet-facing! FAIL! us-east-1: ELB: tf-lb-2019112715315326460000000e at DNS: tf-lb-2019112715315326460000000e-1350975234.us-east-1.elb.amazonaws.com is internet-facing! PASS! us-east-2: no Internet Facing ELBs found PASS! us-west-1: no Internet Facing ELBs found PASS! us-west-2: no Internet Facing ELBs found 7.10 [extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark) INFO! Looking for instances in all regions... PASS! eu-north-1: no Internet Facing EC2 Instances found PASS! ap-south-1: no Internet Facing EC2 Instances found PASS! eu-west-3: no Internet Facing EC2 Instances found PASS! eu-west-2: no Internet Facing EC2 Instances found PASS! eu-west-1: no Internet Facing EC2 Instances found PASS! ap-northeast-2: no Internet Facing EC2 Instances found PASS! ap-northeast-1: no Internet Facing EC2 Instances found PASS! sa-east-1: no Internet Facing EC2 Instances found PASS! ca-central-1: no Internet Facing EC2 Instances found PASS! ap-southeast-1: no Internet Facing EC2 Instances found PASS! ap-southeast-2: no Internet Facing EC2 Instances found PASS! eu-central-1: no Internet Facing EC2 Instances found FAIL! us-east-1: Instance: i-0b2e55b69aaa55875 at IP: 54.146.176.4 is internet-facing! FAIL! us-east-1: Instance: i-0c65b7690e4051cc9 at IP: 3.91.181.144 is internet-facing! PASS! us-east-2: no Internet Facing EC2 Instances found PASS! us-west-1: no Internet Facing EC2 Instances found PASS! us-west-2: no Internet Facing EC2 Instances found 7.11 [extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark) INFO! Looking for Redshift clusters in all regions... PASS! eu-north-1: no Publicly Accessible Redshift Clusters found PASS! ap-south-1: no Publicly Accessible Redshift Clusters found PASS! eu-west-3: no Publicly Accessible Redshift Clusters found PASS! eu-west-2: no Publicly Accessible Redshift Clusters found PASS! eu-west-1: no Publicly Accessible Redshift Clusters found PASS! ap-northeast-2: no Publicly Accessible Redshift Clusters found PASS! ap-northeast-1: no Publicly Accessible Redshift Clusters found PASS! sa-east-1: no Publicly Accessible Redshift Clusters found PASS! ca-central-1: no Publicly Accessible Redshift Clusters found PASS! ap-southeast-1: no Publicly Accessible Redshift Clusters found PASS! ap-southeast-2: no Publicly Accessible Redshift Clusters found PASS! eu-central-1: no Publicly Accessible Redshift Clusters found FAIL! us-east-1: Cluster: sadcloud at Endpoint: sadcloud.cse5u4hh9aby.us-east-1.redshift.amazonaws.com is publicly accessible! PASS! us-east-2: no Publicly Accessible Redshift Clusters found PASS! us-west-1: no Publicly Accessible Redshift Clusters found PASS! us-west-2: no Publicly Accessible Redshift Clusters found 7.12 [extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) INFO! No API commands available to check if Macie is enabled, INFO! just looking if IAM Macie related permissions exist. FAIL! No Macie related IAM roles found. It is most likely not to be enabled 7.13 [extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) FAIL! eu-north-1: GuardDuty detector not configured! FAIL! ap-south-1: GuardDuty detector not configured! FAIL! eu-west-3: GuardDuty detector not configured! FAIL! eu-west-2: GuardDuty detector not configured! FAIL! eu-west-1: GuardDuty detector not configured! FAIL! ap-northeast-2: GuardDuty detector not configured! FAIL! ap-northeast-1: GuardDuty detector not configured! FAIL! sa-east-1: GuardDuty detector not configured! FAIL! ca-central-1: GuardDuty detector not configured! FAIL! ap-southeast-1: GuardDuty detector not configured! FAIL! ap-southeast-2: GuardDuty detector not configured! FAIL! eu-central-1: GuardDuty detector not configured! PASS! us-east-1: GuardDuty detector 6cb6f09478077c376508358d046a6d90 enabled FAIL! us-east-2: GuardDuty detector not configured! FAIL! us-west-1: GuardDuty detector not configured! FAIL! us-west-2: GuardDuty detector not configured! 7.14 [extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) INFO! No CloudFront distributions found 7.15 [extra715] Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No Elasticsearch Service domain found INFO! ap-south-1: No Elasticsearch Service domain found INFO! eu-west-3: No Elasticsearch Service domain found INFO! eu-west-2: No Elasticsearch Service domain found INFO! eu-west-1: No Elasticsearch Service domain found INFO! ap-northeast-2: No Elasticsearch Service domain found INFO! ap-northeast-1: No Elasticsearch Service domain found INFO! sa-east-1: No Elasticsearch Service domain found INFO! ca-central-1: No Elasticsearch Service domain found INFO! ap-southeast-1: No Elasticsearch Service domain found INFO! ap-southeast-2: No Elasticsearch Service domain found INFO! eu-central-1: No Elasticsearch Service domain found FAIL! us-east-1: ElasticSearch Service domain sadcloud SEARCH_SLOW_LOGS disabled! FAIL! us-east-1: ElasticSearch Service domain sadcloud INDEX_SLOW_LOGS disabled! INFO! us-east-2: No Elasticsearch Service domain found INFO! us-west-1: No Elasticsearch Service domain found INFO! us-west-2: No Elasticsearch Service domain found 7.16 [extra716] Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No Elasticsearch Service domain found INFO! ap-south-1: No Elasticsearch Service domain found INFO! eu-west-3: No Elasticsearch Service domain found INFO! eu-west-2: No Elasticsearch Service domain found INFO! eu-west-1: No Elasticsearch Service domain found INFO! ap-northeast-2: No Elasticsearch Service domain found INFO! ap-northeast-1: No Elasticsearch Service domain found INFO! sa-east-1: No Elasticsearch Service domain found INFO! ca-central-1: No Elasticsearch Service domain found INFO! ap-southeast-1: No Elasticsearch Service domain found INFO! ap-southeast-2: No Elasticsearch Service domain found INFO! eu-central-1: No Elasticsearch Service domain found FAIL! us-east-1: sadcloud policy "may" allow Anonymous users to perform actions (Principal: "*") INFO! us-east-1: No Elasticsearch Service domain found INFO! us-east-2: No Elasticsearch Service domain found INFO! us-west-1: No Elasticsearch Service domain found INFO! us-west-2: No Elasticsearch Service domain found 7.17 [extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No ELBs found INFO! ap-south-1: No ELBs found INFO! eu-west-3: No ELBs found INFO! eu-west-2: No ELBs found INFO! eu-west-1: No ELBs found INFO! ap-northeast-2: No ELBs found INFO! ap-northeast-1: No ELBs found INFO! sa-east-1: No ELBs found INFO! ca-central-1: No ELBs found INFO! ap-southeast-1: No ELBs found INFO! ap-southeast-2: No ELBs found INFO! eu-central-1: No ELBs found FAIL! us-east-1: sadcloud-elb has not configured access logs FAIL! us-east-1: tf-lb-2019112715315326460000000e has not configured access logs INFO! us-east-2: No ELBs found INFO! us-west-1: No ELBs found INFO! us-west-2: No ELBs found 7.18 [extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark) FAIL! Bucket basc2019-prebuiltdemo has server access logging disabled! FAIL! Bucket config-bucket-XXXXXXXXXXXX has server access logging disabled! FAIL! Bucket sadcloud-s3-stack-s3bucket-1o9nhbfprv2wb has server access logging disabled! FAIL! Bucket sadcloud-secret-stack-s3bucket-bhe21sijjdya has server access logging disabled! FAIL! Bucket sadcloud20191127153146245900000009 has server access logging disabled! FAIL! Bucket sadcloudhetonlys320191127153142068600000001 has server access logging disabled! FAIL! Bucket sadcloudhetonlys320191127153143116700000003 has server access logging disabled! FAIL! Bucket sadelb20191127153142073000000002 has server access logging disabled! 7.19 [extra719] Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark) INFO! No Route53 hosted zones found 7.20 [extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No Lambda functions found INFO! ap-south-1: No Lambda functions found INFO! eu-west-3: No Lambda functions found INFO! eu-west-2: No Lambda functions found INFO! eu-west-1: No Lambda functions found INFO! ap-northeast-2: No Lambda functions found INFO! ap-northeast-1: No Lambda functions found INFO! sa-east-1: No Lambda functions found INFO! ca-central-1: No Lambda functions found INFO! ap-southeast-1: No Lambda functions found INFO! ap-southeast-2: No Lambda functions found INFO! eu-central-1: No Lambda functions found INFO! us-east-1: No Lambda functions found INFO! us-east-2: No Lambda functions found INFO! us-west-1: No Lambda functions found INFO! us-west-2: No Lambda functions found 7.21 [extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No Redshift cluster configured INFO! ap-south-1: No Redshift cluster configured INFO! eu-west-3: No Redshift cluster configured INFO! eu-west-2: No Redshift cluster configured INFO! eu-west-1: No Redshift cluster configured INFO! ap-northeast-2: No Redshift cluster configured INFO! ap-northeast-1: No Redshift cluster configured INFO! sa-east-1: No Redshift cluster configured INFO! ca-central-1: No Redshift cluster configured INFO! ap-southeast-1: No Redshift cluster configured INFO! ap-southeast-2: No Redshift cluster configured INFO! eu-central-1: No Redshift cluster configured FAIL! us-east-1: Redshift cluster sadcloud logging disabled! INFO! us-east-2: No Redshift cluster configured INFO! us-west-1: No Redshift cluster configured INFO! us-west-2: No Redshift cluster configured 7.22 [extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No API Gateway found INFO! ap-south-1: No API Gateway found INFO! eu-west-3: No API Gateway found INFO! eu-west-2: No API Gateway found INFO! eu-west-1: No API Gateway found INFO! ap-northeast-2: No API Gateway found INFO! ap-northeast-1: No API Gateway found INFO! sa-east-1: No API Gateway found INFO! ca-central-1: No API Gateway found INFO! ap-southeast-1: No API Gateway found INFO! ap-southeast-2: No API Gateway found INFO! eu-central-1: No API Gateway found INFO! us-east-1: No API Gateway found INFO! us-east-2: No API Gateway found INFO! us-west-1: No API Gateway found INFO! us-west-2: No API Gateway found 7.23 [extra723] Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No RDS Snapshots found INFO! eu-north-1: No RDS Cluster Snapshots found INFO! ap-south-1: No RDS Snapshots found INFO! ap-south-1: No RDS Cluster Snapshots found INFO! eu-west-3: No RDS Snapshots found INFO! eu-west-3: No RDS Cluster Snapshots found INFO! eu-west-2: No RDS Snapshots found INFO! eu-west-2: No RDS Cluster Snapshots found INFO! eu-west-1: No RDS Snapshots found INFO! eu-west-1: No RDS Cluster Snapshots found INFO! ap-northeast-2: No RDS Snapshots found INFO! ap-northeast-2: No RDS Cluster Snapshots found INFO! ap-northeast-1: No RDS Snapshots found INFO! ap-northeast-1: No RDS Cluster Snapshots found INFO! sa-east-1: No RDS Snapshots found INFO! sa-east-1: No RDS Cluster Snapshots found INFO! ca-central-1: No RDS Snapshots found INFO! ca-central-1: No RDS Cluster Snapshots found INFO! ap-southeast-1: No RDS Snapshots found INFO! ap-southeast-1: No RDS Cluster Snapshots found INFO! ap-southeast-2: No RDS Snapshots found INFO! ap-southeast-2: No RDS Cluster Snapshots found INFO! eu-central-1: No RDS Snapshots found INFO! eu-central-1: No RDS Cluster Snapshots found INFO! us-east-1: No RDS Snapshots found INFO! us-east-1: No RDS Cluster Snapshots found INFO! us-east-2: No RDS Snapshots found INFO! us-east-2: No RDS Cluster Snapshots found INFO! us-west-1: No RDS Snapshots found INFO! us-west-1: No RDS Cluster Snapshots found INFO! us-west-2: No RDS Snapshots found INFO! us-west-2: No RDS Cluster Snapshots found 7.24 [extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No ACM Certificates found INFO! ap-south-1: No ACM Certificates found INFO! eu-west-3: No ACM Certificates found INFO! eu-west-2: No ACM Certificates found INFO! eu-west-1: No ACM Certificates found INFO! ap-northeast-2: No ACM Certificates found INFO! ap-northeast-1: No ACM Certificates found INFO! sa-east-1: No ACM Certificates found INFO! ca-central-1: No ACM Certificates found INFO! ap-southeast-1: No ACM Certificates found INFO! ap-southeast-2: No ACM Certificates found INFO! eu-central-1: No ACM Certificates found FAIL! us-east-1: ACM Certificate example.com has Certificate Transparency logging disabled! INFO! us-east-2: No ACM Certificates found INFO! us-west-1: No ACM Certificates found INFO! us-west-2: No ACM Certificates found INFO! *Read more about this here: https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/ 7.25 [extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark) INFO! Looking for S3 Buckets Object-level logging information in all trails... FAIL! us-west-2: S3 bucket basc2019-prebuiltdemo has Object-level logging disabled FAIL! us-west-2: S3 bucket config-bucket-XXXXXXXXXXXX has Object-level logging disabled FAIL! us-west-2: S3 bucket sadcloud-s3-stack-s3bucket-1o9nhbfprv2wb has Object-level logging disabled FAIL! us-west-2: S3 bucket sadcloud-secret-stack-s3bucket-bhe21sijjdya has Object-level logging disabled FAIL! us-west-2: S3 bucket sadcloud20191127153146245900000009 has Object-level logging disabled FAIL! us-west-2: S3 bucket sadcloudhetonlys320191127153142068600000001 has Object-level logging disabled FAIL! us-west-2: S3 bucket sadcloudhetonlys320191127153143116700000003 has Object-level logging disabled FAIL! us-west-2: S3 bucket sadelb20191127153142073000000002 has Object-level logging disabled 7.26 [extra726] Check Trusted Advisor for errors and warnings (Not Scored) (Not part of CIS benchmark) 7.27 [extra727] Check if SQS queues have policy set as Public (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No SQS queues found INFO! ap-south-1: No SQS queues found INFO! eu-west-3: No SQS queues found INFO! eu-west-2: No SQS queues found INFO! eu-west-1: No SQS queues found INFO! ap-northeast-2: No SQS queues found INFO! ap-northeast-1: No SQS queues found INFO! sa-east-1: No SQS queues found INFO! ca-central-1: No SQS queues found INFO! ap-southeast-1: No SQS queues found INFO! ap-southeast-2: No SQS queues found INFO! eu-central-1: No SQS queues found FAIL! us-east-1: SQS https://queue.amazonaws.com/XXXXXXXXXXXX/sadcloud queue policy with public access: "[Principal: * Action: sqs:*]" INFO! us-east-2: No SQS queues found INFO! us-west-1: No SQS queues found INFO! us-west-2: No SQS queues found 7.28 [extra728] Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No SQS queues found INFO! ap-south-1: No SQS queues found INFO! eu-west-3: No SQS queues found INFO! eu-west-2: No SQS queues found INFO! eu-west-1: No SQS queues found INFO! ap-northeast-2: No SQS queues found INFO! ap-northeast-1: No SQS queues found INFO! sa-east-1: No SQS queues found INFO! ca-central-1: No SQS queues found INFO! ap-southeast-1: No SQS queues found INFO! ap-southeast-2: No SQS queues found INFO! eu-central-1: No SQS queues found FAIL! us-east-1: SQS queue https://queue.amazonaws.com/XXXXXXXXXXXX/sadcloud is not using Server Side Encryption INFO! us-east-2: No SQS queues found INFO! us-west-1: No SQS queues found INFO! us-west-2: No SQS queues found 7.29 [extra729] Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark) INFO! Looking for EBS Volumes in all regions... FAIL! us-east-1: vol-0c0ca028c06cb8ff0 is not encrypted! FAIL! us-east-1: vol-031b027c1bc6b45ff is not encrypted! FAIL! us-east-1: vol-0cc11a83163f6bff8 is not encrypted! 7.30 [extra730] Check if ACM Certificates are about to expire in 7 days or less (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No certificates found INFO! ap-south-1: No certificates found INFO! eu-west-3: No certificates found INFO! eu-west-2: No certificates found INFO! eu-west-1: No certificates found INFO! ap-northeast-2: No certificates found INFO! ap-northeast-1: No certificates found INFO! sa-east-1: No certificates found INFO! ca-central-1: No certificates found INFO! ap-southeast-1: No certificates found INFO! ap-southeast-2: No certificates found INFO! eu-central-1: No certificates found FAIL! us-east-1: Certificate for example.com is about to expire in -18227 days! INFO! us-east-2: No certificates found INFO! us-west-1: No certificates found INFO! us-west-2: No certificates found 7.31 [extra731] Check if SNS topics have policy set as Public (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No SNS topic found INFO! ap-south-1: No SNS topic found INFO! eu-west-3: No SNS topic found INFO! eu-west-2: No SNS topic found INFO! eu-west-1: No SNS topic found INFO! ap-northeast-2: No SNS topic found INFO! ap-northeast-1: No SNS topic found INFO! sa-east-1: No SNS topic found INFO! ca-central-1: No SNS topic found INFO! ap-southeast-1: No SNS topic found INFO! ap-southeast-2: No SNS topic found INFO! eu-central-1: No SNS topic found FAIL! us-east-1: SNS topic policy with public access: "[Principal: {\"AWS\":\"*\"} Action: [\"SNS:Subscribe\",\"SNS:SetTopicAttributes\",\"SNS:RemovePermission\",\"SNS:Receive\",\"SNS:Publish\",\"SNS:ListSubscriptionsByTopic\",\"SNS:GetTopicAttributes\",\"SNS:DeleteTopic\",\"SNS:AddPermission\"]]" INFO! us-east-2: No SNS topic found INFO! us-west-1: No SNS topic found INFO! us-west-2: No SNS topic found 7.32 [extra732] Check if Geo restrictions are enabled in CloudFront distributions (Not Scored) (Not part of CIS benchmark) INFO! No CloudFront distributions found 7.33 [extra733] Check if there are SAML Providers then STS can be used (Not Scored) (Not part of CIS benchmark) INFO! No SAML Provider found, add one and use STS 7.34 [extra734] Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it (Not Scored) (Not part of CIS benchmark) FAIL! Bucket basc2019-prebuiltdemo does not enforce encryption! FAIL! Bucket config-bucket-XXXXXXXXXXXX does not enforce encryption! FAIL! Bucket sadcloud-s3-stack-s3bucket-1o9nhbfprv2wb does not enforce encryption! FAIL! Bucket sadcloud-secret-stack-s3bucket-bhe21sijjdya does not enforce encryption! FAIL! Bucket sadcloud20191127153146245900000009 does not enforce encryption! FAIL! Bucket sadcloudhetonlys320191127153142068600000001 does not enforce encryption! FAIL! Bucket sadcloudhetonlys320191127153143116700000003 does not enforce encryption! FAIL! Bucket sadelb20191127153142073000000002 does not enforce encryption! 7.35 [extra735] Check if RDS instances storage is encrypted (Not Scored) (Not part of CIS benchmark) INFO! Looking for RDS Volumes in all regions... INFO! eu-north-1: No RDS instances found INFO! ap-south-1: No RDS instances found INFO! eu-west-3: No RDS instances found INFO! eu-west-2: No RDS instances found INFO! eu-west-1: No RDS instances found INFO! ap-northeast-2: No RDS instances found INFO! ap-northeast-1: No RDS instances found INFO! sa-east-1: No RDS instances found INFO! ca-central-1: No RDS instances found INFO! ap-southeast-1: No RDS instances found INFO! ap-southeast-2: No RDS instances found INFO! eu-central-1: No RDS instances found FAIL! us-east-1: RDS instance terraform-2019112715315400040000000f is not encrypted! INFO! us-east-2: No RDS instances found INFO! us-west-1: No RDS instances found INFO! us-west-2: No RDS instances found 7.36 [extra736] Check exposed KMS keys (Not Scored) (Not part of CIS benchmark) INFO! Looking for KMS keys in all regions... INFO! eu-north-1: No KMS keys found INFO! ap-south-1: No KMS keys found INFO! eu-west-3: No KMS keys found INFO! eu-west-2: No KMS keys found INFO! eu-west-1: No KMS keys found INFO! ap-northeast-2: No KMS keys found INFO! ap-northeast-1: No KMS keys found INFO! sa-east-1: No KMS keys found INFO! ca-central-1: No KMS keys found INFO! ap-southeast-1: No KMS keys found INFO! ap-southeast-2: No KMS keys found INFO! eu-central-1: No KMS keys found FAIL! us-east-1: KMS key 8ac6e207-e518-4523-9c2c-a9ee0e26145b may be publicly accessible! PASS! us-east-1: KMS key d0d9a7b9-2951-48b7-bbea-eaa93a79c0a4 is not exposed to Public INFO! us-east-2: No KMS keys found INFO! us-west-1: No KMS keys found INFO! us-west-2: No KMS keys found 7.37 [extra737] Check KMS keys with key rotation disabled (Not Scored) (Not part of CIS benchmark) INFO! Looking for KMS keys in all regions... INFO! eu-north-1: No KMS keys found INFO! ap-south-1: No KMS keys found INFO! eu-west-3: No KMS keys found INFO! eu-west-2: No KMS keys found INFO! eu-west-1: No KMS keys found INFO! ap-northeast-2: No KMS keys found INFO! ap-northeast-1: No KMS keys found INFO! sa-east-1: No KMS keys found INFO! ca-central-1: No KMS keys found INFO! ap-southeast-1: No KMS keys found INFO! ap-southeast-2: No KMS keys found INFO! eu-central-1: No KMS keys found PASS! us-east-1: KMS key 8ac6e207-e518-4523-9c2c-a9ee0e26145b has rotation enabled FAIL! us-east-1: KMS key d0d9a7b9-2951-48b7-bbea-eaa93a79c0a4 has rotation disabled! INFO! us-east-2: No KMS keys found INFO! us-west-1: No KMS keys found INFO! us-west-2: No KMS keys found 7.38 [extra738] Check if CloudFront distributions are set to HTTPS (Not Scored) (Not part of CIS benchmark) INFO! No CloudFront distributions found 7.39 [extra739] Check if RDS instances have backup enabled (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No RDS instances found INFO! ap-south-1: No RDS instances found INFO! eu-west-3: No RDS instances found INFO! eu-west-2: No RDS instances found INFO! eu-west-1: No RDS instances found INFO! ap-northeast-2: No RDS instances found INFO! ap-northeast-1: No RDS instances found INFO! sa-east-1: No RDS instances found INFO! ca-central-1: No RDS instances found INFO! ap-southeast-1: No RDS instances found INFO! ap-southeast-2: No RDS instances found INFO! eu-central-1: No RDS instances found FAIL! us-east-1: RDS instance terraform-2019112715315400040000000f has not backup enabled! INFO! us-east-2: No RDS instances found INFO! us-west-1: No RDS instances found INFO! us-west-2: No RDS instances found 7.40 [extra740] Check if EBS snapshots are encrypted (Not Scored) (Not part of CIS benchmark) INFO! Looking for EBS Snapshots in all regions... INFO! eu-north-1: No EBS Snapshots found INFO! ap-south-1: No EBS Snapshots found INFO! eu-west-3: No EBS Snapshots found INFO! eu-west-2: No EBS Snapshots found INFO! eu-west-1: No EBS Snapshots found INFO! ap-northeast-2: No EBS Snapshots found INFO! ap-northeast-1: No EBS Snapshots found INFO! sa-east-1: No EBS Snapshots found INFO! ca-central-1: No EBS Snapshots found INFO! ap-southeast-1: No EBS Snapshots found INFO! ap-southeast-2: No EBS Snapshots found INFO! eu-central-1: No EBS Snapshots found FAIL! us-east-1: snap-0fc4f7ab9f60bda78 is currently not encrypted! INFO! us-east-2: No EBS Snapshots found INFO! us-west-1: No EBS Snapshots found INFO! us-west-2: No EBS Snapshots found 7.41 [extra741] Find secrets in EC2 User Data (Not Scored) (Not part of CIS benchmark) INFO! Looking for secrets in EC2 User Data in instances across all regions... (max 100 instances per region use -m to increase it) INFO! eu-north-1: No EC2 instances found INFO! ap-south-1: No EC2 instances found INFO! eu-west-3: No EC2 instances found INFO! eu-west-2: No EC2 instances found INFO! eu-west-1: No EC2 instances found INFO! ap-northeast-2: No EC2 instances found INFO! ap-northeast-1: No EC2 instances found INFO! sa-east-1: No EC2 instances found INFO! ca-central-1: No EC2 instances found INFO! ap-southeast-1: No EC2 instances found INFO! ap-southeast-2: No EC2 instances found INFO! eu-central-1: No EC2 instances found PASS! us-east-1: No secrets found in i-0b2e55b69aaa55875 User Data or it is empty FAIL! us-east-1: Potential secret found in i-0c65b7690e4051cc9 INFO! us-east-2: No EC2 instances found INFO! us-west-1: No EC2 instances found INFO! us-west-2: No EC2 instances found 7.42 [extra742] Find secrets in CloudFormation outputs (Not Scored) (Not part of CIS benchmark) INFO! Looking for secrets in CloudFormation output across all regions... INFO! eu-north-1: No CloudFormation stacks found INFO! ap-south-1: No CloudFormation stacks found INFO! eu-west-3: No CloudFormation stacks found INFO! eu-west-2: No CloudFormation stacks found INFO! eu-west-1: No CloudFormation stacks found INFO! ap-northeast-2: No CloudFormation stacks found INFO! ap-northeast-1: No CloudFormation stacks found INFO! sa-east-1: No CloudFormation stacks found INFO! ca-central-1: No CloudFormation stacks found INFO! ap-southeast-1: No CloudFormation stacks found INFO! ap-southeast-2: No CloudFormation stacks found INFO! eu-central-1: No CloudFormation stacks found INFO! us-east-1: CloudFormation stack sadcloud-s3-stack has not Outputs FAIL! us-east-1: Potential secret found in stack sadcloud-secret-stack Outputs INFO! us-east-2: No CloudFormation stacks found INFO! us-west-1: No CloudFormation stacks found INFO! us-west-2: No CloudFormation stacks found 7.43 [extra743] Check if API Gateway has client certificate enabled to access your backend endpoint (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No API Gateways found INFO! ap-south-1: No API Gateways found INFO! eu-west-3: No API Gateways found INFO! eu-west-2: No API Gateways found INFO! eu-west-1: No API Gateways found INFO! ap-northeast-2: No API Gateways found INFO! ap-northeast-1: No API Gateways found INFO! sa-east-1: No API Gateways found INFO! ca-central-1: No API Gateways found INFO! ap-southeast-1: No API Gateways found INFO! ap-southeast-2: No API Gateways found INFO! eu-central-1: No API Gateways found INFO! us-east-1: No API Gateways found INFO! us-east-2: No API Gateways found INFO! us-west-1: No API Gateways found INFO! us-west-2: No API Gateways found 7.44 [extra744] Check if API Gateway has a WAF ACL attached (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No API Gateways found INFO! ap-south-1: No API Gateways found INFO! eu-west-3: No API Gateways found INFO! eu-west-2: No API Gateways found INFO! eu-west-1: No API Gateways found INFO! ap-northeast-2: No API Gateways found INFO! ap-northeast-1: No API Gateways found INFO! sa-east-1: No API Gateways found INFO! ca-central-1: No API Gateways found INFO! ap-southeast-1: No API Gateways found INFO! ap-southeast-2: No API Gateways found INFO! eu-central-1: No API Gateways found INFO! us-east-1: No API Gateways found INFO! us-east-2: No API Gateways found INFO! us-west-1: No API Gateways found INFO! us-west-2: No API Gateways found 7.45 [extra745] Check if API Gateway endpoint is public or private (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No API Gateways found INFO! ap-south-1: No API Gateways found INFO! eu-west-3: No API Gateways found INFO! eu-west-2: No API Gateways found INFO! eu-west-1: No API Gateways found INFO! ap-northeast-2: No API Gateways found INFO! ap-northeast-1: No API Gateways found INFO! sa-east-1: No API Gateways found INFO! ca-central-1: No API Gateways found INFO! ap-southeast-1: No API Gateways found INFO! ap-southeast-2: No API Gateways found INFO! eu-central-1: No API Gateways found INFO! us-east-1: No API Gateways found INFO! us-east-2: No API Gateways found INFO! us-west-1: No API Gateways found INFO! us-west-2: No API Gateways found 7.46 [extra746] Check if API Gateway has configured authorizers (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No API Gateways found INFO! ap-south-1: No API Gateways found INFO! eu-west-3: No API Gateways found INFO! eu-west-2: No API Gateways found INFO! eu-west-1: No API Gateways found INFO! ap-northeast-2: No API Gateways found INFO! ap-northeast-1: No API Gateways found INFO! sa-east-1: No API Gateways found INFO! ca-central-1: No API Gateways found INFO! ap-southeast-1: No API Gateways found INFO! ap-southeast-2: No API Gateways found INFO! eu-central-1: No API Gateways found INFO! us-east-1: No API Gateways found INFO! us-east-2: No API Gateways found INFO! us-west-1: No API Gateways found INFO! us-west-2: No API Gateways found 7.47 [extra747] Check if RDS instances is integrated with CloudWatch Logs (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No RDS instances found INFO! ap-south-1: No RDS instances found INFO! eu-west-3: No RDS instances found INFO! eu-west-2: No RDS instances found INFO! eu-west-1: No RDS instances found INFO! ap-northeast-2: No RDS instances found INFO! ap-northeast-1: No RDS instances found INFO! sa-east-1: No RDS instances found INFO! ca-central-1: No RDS instances found INFO! ap-southeast-1: No RDS instances found INFO! ap-southeast-2: No RDS instances found INFO! eu-central-1: No RDS instances found FAIL! us-east-1: RDS instance terraform-2019112715315400040000000f has not CloudWatch Logs enabled! INFO! us-east-2: No RDS instances found INFO! us-west-1: No RDS instances found INFO! us-west-2: No RDS instances found 7.48 [extra748] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port (Not Scored) (Not part of CIS benchmark) PASS! eu-north-1: No Security Groups found with any port open to 0.0.0.0/0 PASS! ap-south-1: No Security Groups found with any port open to 0.0.0.0/0 PASS! eu-west-3: No Security Groups found with any port open to 0.0.0.0/0 PASS! eu-west-2: No Security Groups found with any port open to 0.0.0.0/0 PASS! eu-west-1: No Security Groups found with any port open to 0.0.0.0/0 PASS! ap-northeast-2: No Security Groups found with any port open to 0.0.0.0/0 PASS! ap-northeast-1: No Security Groups found with any port open to 0.0.0.0/0 PASS! sa-east-1: No Security Groups found with any port open to 0.0.0.0/0 PASS! ca-central-1: No Security Groups found with any port open to 0.0.0.0/0 PASS! ap-southeast-1: No Security Groups found with any port open to 0.0.0.0/0 PASS! ap-southeast-2: No Security Groups found with any port open to 0.0.0.0/0 PASS! eu-central-1: No Security Groups found with any port open to 0.0.0.0/0 FAIL! us-east-1: Found Security Group: sg-022fe349f5a8729ce open to 0.0.0.0/0 FAIL! us-east-1: Found Security Group: sg-0d32d0c4a5a6a0ccc open to 0.0.0.0/0 PASS! us-east-2: No Security Groups found with any port open to 0.0.0.0/0 PASS! us-west-1: No Security Groups found with any port open to 0.0.0.0/0 PASS! us-west-2: No Security Groups found with any port open to 0.0.0.0/0 7.49 [extra749] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483 (Not Scored) (Not part of CIS benchmark) PASS! eu-north-1: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! ap-south-1: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! eu-west-3: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! eu-west-2: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! eu-west-1: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! ap-northeast-2: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! ap-northeast-1: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! sa-east-1: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! ca-central-1: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! ap-southeast-1: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! ap-southeast-2: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! eu-central-1: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports FAIL! us-east-1: Found Security Group: sg-022fe349f5a8729ce open to 0.0.0.0/0 for Oracle ports FAIL! us-east-1: Found Security Group: sg-0aacd7521218eb993 open to 0.0.0.0/0 for Oracle ports FAIL! us-east-1: Found Security Group: sg-0d32d0c4a5a6a0ccc open to 0.0.0.0/0 for Oracle ports PASS! us-east-2: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! us-west-1: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports PASS! us-west-2: No Security Groups found with any port open to 0.0.0.0/0 for Oracle ports 7.50 [extra750] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306 (Not Scored) (Not part of CIS benchmark) PASS! eu-north-1: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! ap-south-1: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! eu-west-3: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! eu-west-2: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! eu-west-1: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! ap-northeast-2: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! ap-northeast-1: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! sa-east-1: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! ca-central-1: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! ap-southeast-1: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! ap-southeast-2: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! eu-central-1: No Security Groups found open to 0.0.0.0/0 for MySQL port FAIL! us-east-1: Found Security Group: sg-022fe349f5a8729ce open to 0.0.0.0/0 for MySQL port FAIL! us-east-1: Found Security Group: sg-0aacd7521218eb993 open to 0.0.0.0/0 for MySQL port FAIL! us-east-1: Found Security Group: sg-0d32d0c4a5a6a0ccc open to 0.0.0.0/0 for MySQL port PASS! us-east-2: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! us-west-1: No Security Groups found open to 0.0.0.0/0 for MySQL port PASS! us-west-2: No Security Groups found open to 0.0.0.0/0 for MySQL port 7.51 [extra751] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432 (Not Scored) (Not part of CIS benchmark) PASS! eu-north-1: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! ap-south-1: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! eu-west-3: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! eu-west-2: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! eu-west-1: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! ap-northeast-2: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! ap-northeast-1: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! sa-east-1: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! ca-central-1: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! ap-southeast-1: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! ap-southeast-2: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! eu-central-1: No Security Groups found open to 0.0.0.0/0 for Postgres port FAIL! us-east-1: Found Security Group: sg-022fe349f5a8729ce open to 0.0.0.0/0 for Postgres port FAIL! us-east-1: Found Security Group: sg-0aacd7521218eb993 open to 0.0.0.0/0 for Postgres port FAIL! us-east-1: Found Security Group: sg-0d32d0c4a5a6a0ccc open to 0.0.0.0/0 for Postgres port PASS! us-east-2: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! us-west-1: No Security Groups found open to 0.0.0.0/0 for Postgres port PASS! us-west-2: No Security Groups found open to 0.0.0.0/0 for Postgres port 7.52 [extra752] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379 (Not Scored) (Not part of CIS benchmark) PASS! eu-north-1: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! ap-south-1: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! eu-west-3: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! eu-west-2: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! eu-west-1: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! ap-northeast-2: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! ap-northeast-1: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! sa-east-1: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! ca-central-1: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! ap-southeast-1: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! ap-southeast-2: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! eu-central-1: No Security Groups found open to 0.0.0.0/0 for Redis port FAIL! us-east-1: Found Security Group: sg-022fe349f5a8729ce open to 0.0.0.0/0 for Redis port FAIL! us-east-1: Found Security Group: sg-0d32d0c4a5a6a0ccc open to 0.0.0.0/0 for Redis port PASS! us-east-2: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! us-west-1: No Security Groups found open to 0.0.0.0/0 for Redis port PASS! us-west-2: No Security Groups found open to 0.0.0.0/0 for Redis port 7.53 [extra753] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 (Not Scored) (Not part of CIS benchmark) PASS! eu-north-1: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! ap-south-1: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! eu-west-3: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! eu-west-2: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! eu-west-1: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! ap-northeast-2: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! ap-northeast-1: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! sa-east-1: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! ca-central-1: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! ap-southeast-1: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! ap-southeast-2: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! eu-central-1: No Security Groups found open to 0.0.0.0/0 for MongoDB ports FAIL! us-east-1: Found Security Group: sg-022fe349f5a8729ce open to 0.0.0.0/0 for MongoDB ports FAIL! us-east-1: Found Security Group: sg-0aacd7521218eb993 open to 0.0.0.0/0 for MongoDB ports FAIL! us-east-1: Found Security Group: sg-0d32d0c4a5a6a0ccc open to 0.0.0.0/0 for MongoDB ports PASS! us-east-2: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! us-west-1: No Security Groups found open to 0.0.0.0/0 for MongoDB ports PASS! us-west-2: No Security Groups found open to 0.0.0.0/0 for MongoDB ports 7.54 [extra754] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 (Not Scored) (Not part of CIS benchmark) PASS! eu-north-1: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! ap-south-1: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! eu-west-3: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! eu-west-2: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! eu-west-1: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! ap-northeast-2: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! ap-northeast-1: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! sa-east-1: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! ca-central-1: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! ap-southeast-1: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! ap-southeast-2: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! eu-central-1: No Security Groups found open to 0.0.0.0/0 for Cassandra ports FAIL! us-east-1: Found Security Group: sg-022fe349f5a8729ce open to 0.0.0.0/0 for Cassandra ports FAIL! us-east-1: Found Security Group: sg-0d32d0c4a5a6a0ccc open to 0.0.0.0/0 for Cassandra ports PASS! us-east-2: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! us-west-1: No Security Groups found open to 0.0.0.0/0 for Cassandra ports PASS! us-west-2: No Security Groups found open to 0.0.0.0/0 for Cassandra ports 7.55 [extra755] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 (Not Scored) (Not part of CIS benchmark) PASS! eu-north-1: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! ap-south-1: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! eu-west-3: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! eu-west-2: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! eu-west-1: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! ap-northeast-2: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! ap-northeast-1: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! sa-east-1: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! ca-central-1: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! ap-southeast-1: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! ap-southeast-2: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! eu-central-1: No Security Groups found open to 0.0.0.0/0 for Memcached port FAIL! us-east-1: Found Security Group: sg-022fe349f5a8729ce open to 0.0.0.0/0 for Memcached port FAIL! us-east-1: Found Security Group: sg-0d32d0c4a5a6a0ccc open to 0.0.0.0/0 for Memcached port PASS! us-east-2: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! us-west-1: No Security Groups found open to 0.0.0.0/0 for Memcached port PASS! us-west-2: No Security Groups found open to 0.0.0.0/0 for Memcached port 7.56 [extra756] Check if Redshift cluster is Public Accessible (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: Redshift clusters found INFO! ap-south-1: Redshift clusters found INFO! eu-west-3: Redshift clusters found INFO! eu-west-2: Redshift clusters found INFO! eu-west-1: Redshift clusters found INFO! ap-northeast-2: Redshift clusters found INFO! ap-northeast-1: Redshift clusters found INFO! sa-east-1: Redshift clusters found INFO! ca-central-1: Redshift clusters found INFO! ap-southeast-1: Redshift clusters found INFO! ap-southeast-2: Redshift clusters found INFO! eu-central-1: Redshift clusters found FAIL! us-east-1: Redshift cluster sadcloud is publicly accessible INFO! us-east-2: Redshift clusters found INFO! us-west-1: Redshift clusters found INFO! us-west-2: Redshift clusters found 7.57 [extra757] Check EC2 Instances older than 6 months (Not Scored) (Not part of CIS benchmark) INFO! Looking for EC2 instances in all regions... INFO! eu-north-1: No EC2 Instances Found INFO! ap-south-1: No EC2 Instances Found INFO! eu-west-3: No EC2 Instances Found INFO! eu-west-2: No EC2 Instances Found INFO! eu-west-1: No EC2 Instances Found INFO! ap-northeast-2: No EC2 Instances Found INFO! ap-northeast-1: No EC2 Instances Found INFO! sa-east-1: No EC2 Instances Found INFO! ca-central-1: No EC2 Instances Found INFO! ap-southeast-1: No EC2 Instances Found INFO! ap-southeast-2: No EC2 Instances Found INFO! eu-central-1: No EC2 Instances Found PASS! us-east-1: All Instances newer than 6 months INFO! us-east-2: No EC2 Instances Found INFO! us-west-1: No EC2 Instances Found INFO! us-west-2: No EC2 Instances Found 7.58 [extra758] Check EC2 Instances older than 12 months (Not Scored) (Not part of CIS benchmark) INFO! Looking for EC2 instances in all regions... INFO! eu-north-1: No EC2 Instances Found INFO! ap-south-1: No EC2 Instances Found INFO! eu-west-3: No EC2 Instances Found INFO! eu-west-2: No EC2 Instances Found INFO! eu-west-1: No EC2 Instances Found INFO! ap-northeast-2: No EC2 Instances Found INFO! ap-northeast-1: No EC2 Instances Found INFO! sa-east-1: No EC2 Instances Found INFO! ca-central-1: No EC2 Instances Found INFO! ap-southeast-1: No EC2 Instances Found INFO! ap-southeast-2: No EC2 Instances Found INFO! eu-central-1: No EC2 Instances Found PASS! us-east-1: All Instances newer than 12 months INFO! us-east-2: No EC2 Instances Found INFO! us-west-1: No EC2 Instances Found INFO! us-west-2: No EC2 Instances Found 7.61 [extra761] Check if EBS Default Encryption is activated (Not Scored) (Not part of CIS benchmark) INFO! Looking for EBS Default Encryption activation in all regions... FAIL! eu-north-1: EBS Default Encryption is not activated FAIL! ap-south-1: EBS Default Encryption is not activated FAIL! eu-west-3: EBS Default Encryption is not activated FAIL! eu-west-2: EBS Default Encryption is not activated FAIL! eu-west-1: EBS Default Encryption is not activated FAIL! ap-northeast-2: EBS Default Encryption is not activated FAIL! ap-northeast-1: EBS Default Encryption is not activated FAIL! sa-east-1: EBS Default Encryption is not activated FAIL! ca-central-1: EBS Default Encryption is not activated FAIL! ap-southeast-1: EBS Default Encryption is not activated FAIL! ap-southeast-2: EBS Default Encryption is not activated FAIL! eu-central-1: EBS Default Encryption is not activated FAIL! us-east-1: EBS Default Encryption is not activated FAIL! us-east-2: EBS Default Encryption is not activated FAIL! us-west-1: EBS Default Encryption is not activated FAIL! us-west-2: EBS Default Encryption is not activated 7.62 [extra762] Find obsolete Lambda runtimes (Not Scored) (Not part of CIS benchmark) INFO! eu-north-1: No Lambda functions found INFO! ap-south-1: No Lambda functions found INFO! eu-west-3: No Lambda functions found INFO! eu-west-2: No Lambda functions found INFO! eu-west-1: No Lambda functions found INFO! ap-northeast-2: No Lambda functions found INFO! ap-northeast-1: No Lambda functions found INFO! sa-east-1: No Lambda functions found INFO! ca-central-1: No Lambda functions found INFO! ap-southeast-1: No Lambda functions found INFO! ap-southeast-2: No Lambda functions found INFO! eu-central-1: No Lambda functions found INFO! us-east-1: No Lambda functions found INFO! us-east-2: No Lambda functions found INFO! us-west-1: No Lambda functions found INFO! us-west-2: No Lambda functions found