Security Scanner Policies
Root account
- Eliminate root user usage
- Ensure no root account access key exists
- Root account without MFA
- Root account without hardware MFA
EC2 instances
VPC
Lambda
IAM
- Ensure IAM password policy is set to a strong password
- Ensure IAM password policy prevents password reuse
- IAM users not centrally managed (local IAM users instead of federated identities)
- Dormant user accounts
- IAM users with two active access keys
- Access keys must be rotated every 90 days
- IAM users without MFA
- IAM console users with access keys
- IAM users with policies attached directly instead of through groups
- IAM entities with admin rights
- IAM roles assumable by external accounts or principals (trust policy)
- IAM entities with access to update Lambda functions
- IAM entities with access to DynamoDB tables
- IAM password policy minimum length too short
- IAM entities with permissions that allow privilege escalation
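The root-account and IAM policies above that concern credentials (root access keys, root MFA, root usage, users without MFA, console users with access keys, two active keys, 90-day key rotation, dormant accounts) can all be evaluated offline from one artifact: the IAM credential report (`aws iam get-credential-report` returns it base64-encoded as CSV). The following is an added example, not the scanner's own code. The report below is constructed; its columns are the credential-report fields the checks need (the certificate columns are omitted), and the 90-day windows for rotation and dormancy are assumptions, as is treating any root sign-in or root key use within that window as "root usage".

```python
"""Evaluate root-account and IAM credential policies against an IAM credential report.
Added example; the report is constructed and the 90-day windows are assumptions."""
import csv
import io
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE_DAYS = 90   # assumed rotation policy
DORMANT_DAYS = 90       # assumed inactivity window (also used for "root usage")
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed credential report (cert_* columns omitted). The root row uses the
# user name "<root_account>" and "not_supported" for password fields, as the real report does.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-02T10:00:00+00:00,2024-04-01T00:00:00+00:00,2024-07-01T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-01-10T00:00:00+00:00,true,2024-05-02T10:00:00+00:00,2023-11-01T00:00:00+00:00,2024-02-01T00:00:00+00:00,false,true,2023-11-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,us-east-1,s3,true,2024-04-20T00:00:00+00:00,N/A,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-03-01T00:00:00+00:00,2023-12-01T00:00:00+00:00,us-east-1,lambda,false,N/A,N/A,N/A,N/A
"""


def _ts(value):
    """Parse a report timestamp; the report's non-date markers become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _flag(value):
    return value == "true"


def _recent(timestamps, now, days):
    """True if any of the (possibly None) timestamps falls within the last `days` days."""
    return any(t is not None and now - t <= timedelta(days=days) for t in timestamps)


def evaluate(report_csv, now):
    """Return {user: set(policy ids)} for every policy a row violates."""
    findings = {}

    def add(user, policy):
        findings.setdefault(user, set()).add(policy)

    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # (last_rotated, last_used) for each *active* key; inactive keys are ignored
        keys = [
            (_ts(row[f"access_key_{n}_last_rotated"]), _ts(row[f"access_key_{n}_last_used_date"]))
            for n in ("1", "2")
            if _flag(row[f"access_key_{n}_active"])
        ]
        last_activity = [_ts(row["password_last_used"])] + [used for _, used in keys]

        if user == "<root_account>":
            if keys:
                add(user, "root-access-key-exists")
            if not _flag(row["mfa_active"]):
                add(user, "root-without-mfa")  # hardware vs. virtual MFA is not visible here
            if _recent(last_activity, now, DORMANT_DAYS):
                add(user, "root-account-used")
            continue

        console = _flag(row["password_enabled"])
        if console and not _flag(row["mfa_active"]):
            add(user, "user-without-mfa")
        if console and keys:
            add(user, "console-user-with-access-keys")
        if len(keys) == 2:
            add(user, "two-active-access-keys")
        if any(rot is not None and now - rot > timedelta(days=KEY_MAX_AGE_DAYS) for rot, _ in keys):
            add(user, "access-key-older-than-90-days")
        if not _recent(last_activity, now, DORMANT_DAYS):
            add(user, "dormant-user")
    return findings


if __name__ == "__main__":
    for user, policies in sorted(evaluate(SAMPLE_REPORT, NOW).items()):
        print(f"{user}: {', '.join(sorted(policies))}")
```

The credential report cannot distinguish hardware from virtual MFA, so the "root account without hardware MFA" policy needs a separate query (`aws iam list-virtual-mfa-devices` shows whether the root user's MFA is virtual). Likewise, rotation age is measured from `access_key_N_last_rotated`, which the report sets to the key's creation time if it has never been rotated.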
RDS
CloudTrail
- CloudTrail logs must be encrypted with a KMS key (SSE-KMS)
- CloudTrail log file validation must be enabled
- CloudTrail must be enabled in all regions (an active multi-region trail)
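The three CloudTrail policies above map onto fields of the trail description (`DescribeTrails`) and trail status (`GetTrailStatus`). Below is an added example, not the scanner's code, that evaluates them over constructed trail records; the field names `KmsKeyId`, `LogFileValidationEnabled`, `IsMultiRegionTrail` and `IsLogging` are the ones those APIs return, merged here into one record per trail. Encryption is interpreted as "a KMS key is configured", since CloudTrail objects in S3 are SSE-S3 encrypted even without one, and the all-regions check is account-level: it passes only if at least one multi-region trail is actively logging.

```python
"""Check CloudTrail encryption, log file validation and multi-region coverage.
Added example over constructed trail records (DescribeTrails + GetTrailStatus fields merged)."""

# Constructed sample: one compliant trail, one legacy single-region trail, one stopped trail.
TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "IsLogging": True},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "IsLogging": True},  # no KmsKeyId: SSE-S3 only
    {"Name": "paused-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456",
     "IsLogging": False},
]


def check_trails(trails):
    """Return {trail name or 'account': set(policy ids)} for violated policies."""
    findings = {}
    for trail in trails:
        problems = set()
        if not trail.get("KmsKeyId"):
            problems.add("logs-not-encrypted-with-kms")
        if not trail.get("LogFileValidationEnabled"):
            problems.add("log-file-validation-disabled")
        if problems:
            findings[trail["Name"]] = problems
    # A multi-region trail that exists but has logging stopped does not cover the account.
    if not any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails):
        findings["account"] = {"no-active-multi-region-trail"}
    return findings


if __name__ == "__main__":
    for name, policies in sorted(check_trails(TRAILS).items()):
        print(f"{name}: {', '.join(sorted(policies))}")
```

Running `check_trails` on the full sample flags only `legacy-trail`; dropping `org-trail` from the list (leaving the single-region and the stopped trail) adds the account-level finding, which is the case a per-trail check alone would miss.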