Security Scanner Policies

Root account

• Eliminate root user usage
• Ensure no root account access key exists
• Root account without MFA
• Root account without hardware MFA

EC2 instances

• EC2 Instance with Public IP
• SSM agent must be enabled
• EC2 instances must use instance profiles

VPC

• Subnets should not issue public IPs
• Security groups with exposed admin ports

Lambda

• Lambda functions with depreciated runtimes

IAM

• Ensure IAM password policy is set to a strong password
• Ensure IAM password policy prevents password reuse
• IAM users centrally managed
• Dormant user accounts
• IAM users with two active access keys
• Access keys must be rotated every 90 days
• IAM users without MFA
• IAM console users with access keys
• IAM users without group permissions
• IAM entities with admin rights
• IAM Roles with external access
• IAM entities with access to update Lambda functions
• IAM entities with access to DynamoDB tables
• Minimum password length
• Privilege Escalation

RDS

• RDS must be encrypted

CloudTrail

• CloudTrail logs must be encrypted
• CloudTrail log file validation
• CloudTrail must be enabled on all regions

GuardDuty

• GuardDuty must be enabled

CloudWatch

• Log Groups without retention