AWS EC2 Audit

Your EC2 could become your weakest link. Cloudanix can help!

What we do?

Public Snapshots

Ensure that none of the EBS snapshots behind your EC2 instances are shared publicly. A public snapshot can be copied and mounted by any AWS account, exposing whatever was on the volume, including credentials, keys and configuration left on disk.

Addresses: Security

Older Instances Running

EC2 instances that have been running for a long time in your AWS account are more likely to carry missed patches, configuration drift and stale credentials. Cycle long-running instances on a schedule, rebuilding them from a current image rather than patching in place indefinitely.

Addresses: Reliability, Security

Non-public EC2 AMI

Your AMIs should not be made public. A public AMI can be launched by any AWS account, exposing anything baked into the image (credentials, keys, internal configuration, proprietary code). Share images only with the specific accounts that need them.

Addresses: Security
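
As an added example (not Cloudanix's code or output), the public-snapshot check above and the public-AMI check here can both be implemented against the permission lists the EC2 API returns: `describe_snapshot_attribute(Attribute="createVolumePermission")` and `describe_image_attribute(Attribute="launchPermission")`. The sample responses, snapshot/AMI IDs and the account ID `111122223333` are constructed; the boto3 calls named in the comments are how you would fetch real input.

```python
"""Check EBS snapshots and AMIs for public or cross-account sharing, using
the permission lists returned by ec2.describe_snapshot_attribute(
Attribute="createVolumePermission") and ec2.describe_image_attribute(
Attribute="launchPermission"). The responses below are constructed samples,
shaped like the boto3 responses; swap them for real calls in production."""

PUBLIC = "all"  # the only Group value these permission lists accept: shared with everyone


def classify_permissions(perms):
    """Return (status, accounts): status is "public", "shared" or "private",
    accounts is the sorted list of account IDs the resource is shared with."""
    accounts = sorted({p["UserId"] for p in perms if "UserId" in p})
    if any(p.get("Group") == PUBLIC for p in perms):
        return "public", accounts
    return ("shared" if accounts else "private"), accounts


def _audit(responses, id_key, perm_key, kind, trusted_accounts):
    """One finding per resource that is public or shared outside trusted_accounts."""
    findings = []
    for resp in responses:
        status, accounts = classify_permissions(resp.get(perm_key, []))
        untrusted = [a for a in accounts if a not in trusted_accounts]
        if status == "public" or untrusted:
            findings.append({"resource": resp[id_key], "kind": kind,
                             "status": status, "accounts": untrusted})
    return findings


def audit_snapshots(snapshot_attrs, trusted_accounts=frozenset()):
    # snapshot_attrs: one describe_snapshot_attribute response per snapshot
    # (enumerate snapshots with ec2.describe_snapshots(OwnerIds=["self"])).
    return _audit(snapshot_attrs, "SnapshotId", "CreateVolumePermissions",
                  "snapshot", trusted_accounts)


def audit_images(image_attrs, trusted_accounts=frozenset()):
    # image_attrs: one describe_image_attribute response per AMI
    # (enumerate images with ec2.describe_images(Owners=["self"])).
    return _audit(image_attrs, "ImageId", "LaunchPermissions", "image", trusted_accounts)


def remediation(finding):
    """AWS CLI command that removes the public grant. Account-level shares need a
    deliberate decision, so no command is generated for the "shared" case."""
    if finding["status"] != "public":
        return None
    if finding["kind"] == "snapshot":
        return (f"aws ec2 modify-snapshot-attribute --snapshot-id {finding['resource']} "
                "--attribute createVolumePermission --operation-type remove --group-names all")
    return (f"aws ec2 modify-image-attribute --image-id {finding['resource']} "
            "--launch-permission \"Remove=[{Group=all}]\"")


# Constructed sample responses (IDs and account number are made up).
SAMPLE_SNAPSHOT_ATTRS = [
    {"SnapshotId": "snap-0a1b2c3d4e5f60001", "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0a1b2c3d4e5f60002", "CreateVolumePermissions": [{"UserId": "111122223333"}]},
    {"SnapshotId": "snap-0a1b2c3d4e5f60003", "CreateVolumePermissions": []},
]
SAMPLE_IMAGE_ATTRS = [
    {"ImageId": "ami-0a1b2c3d4e5f60001",
     "LaunchPermissions": [{"Group": "all"}, {"UserId": "111122223333"}]},
    {"ImageId": "ami-0a1b2c3d4e5f60002", "LaunchPermissions": []},
]

if __name__ == "__main__":
    for f in audit_snapshots(SAMPLE_SNAPSHOT_ATTRS) + audit_images(SAMPLE_IMAGE_ATTRS):
        print(f, remediation(f))
```

Pass the set of accounts you legitimately share with as `trusted_accounts` so the audit only reports unexpected shares; everything public is reported regardless. AWS also offers account-level "block public access" settings for both EBS snapshots and AMIs, which prevent the public grant from being created in the first place and are worth enabling alongside this detective check.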

Encrypted AMI

Amazon Machine Images (AMIs) should be encrypted to fulfill compliance requirements for data-at-rest encryption.

Addresses: Security

EC2 Instances vCPU Limit

Monitoring vCPU-based limits for on-demand EC2 instances avoids resource starvation. Service Quotas is an AWS service that enables you to view and manage your quotas from a central location. Quotas, also referred to as limits, are the maximum value for your resources, actions, and items in your AWS account.

Addresses: Operational Maturity, Reliability

No Blacklisted AMI

No EC2 instance should be launched from an AMI on your blacklist. Maintain a list of disallowed images (for example ones that are outdated, unapproved, or from untrusted publishers) and flag any instance that is running from one of them.

Addresses: Security, Operational Maturity

Default VPC Not In Use

It is recommended not to use the default VPC for workloads. The default VPC comes with a public subnet in every Availability Zone, a route to an internet gateway, and public IP auto-assignment turned on, so instances launched there are internet-reachable unless you explicitly prevent it. Create purpose-built VPCs with private subnets instead.

Addresses: Security

Description for Security Groups

Your security groups should have descriptions that state what the group is for, so that anyone reviewing or changing rules later understands the intent. A description serves as documentation and as guidance for future changes.

Addresses: Security, Operational Maturity

AMI Age

AMIs in use should not be older than a configured number of days. Old images carry unpatched packages and stale configuration, so every instance launched from them starts out behind; rebuild and rotate images on a schedule so that your EC2 instances are deployed from current, patched images.

Addresses: Operational Maturity, Security, Reliability

Desired Instance Type

EC2 instance launched should be from an approved list of instance types.

Addresses: Operational Maturity, Reliability

Detailed Monitoring

Detailed monitoring should be enabled on EC2 instances, so that CloudWatch receives instance metrics at a 1-minute interval instead of the default 5 minutes and alarms and scaling policies react sooner.

Addresses: Operational Efficiency

No EC2 Classic

Ensure every EC2 instance runs inside a VPC rather than in EC2-Classic. EC2-Classic placed instances on a single flat network shared with other customers, with security groups as the only isolation; a VPC gives you private address space, subnets, route tables and network ACLs. AWS retired EC2-Classic in August 2022, so any remaining EC2-Classic resources also need to be migrated.

Addresses: Security, Reliability, Operational Maturity

Scheduled Events

Lists EC2 instances with a scheduled event (retirement or maintenance). Take the necessary action before the scheduled time (reboot, stop and start, or re-launch) so that the event does not take the instance down at a moment AWS chooses.

Addresses: Security

Multiple Security Groups

Checks whether EC2 instances have several security groups attached. Ideally a single security group is attached to each instance: the effective rule set is the union of all attached groups, so every additional group makes it harder to see what is actually allowed in.

Addresses: Security

Termination Protection

Ensure termination protection is enabled for EC2 instances that are not part of an Auto Scaling Group, so that a stray API call or console click cannot terminate them. Instances in an ASG must stay terminable so the group can scale in and replace unhealthy instances.

Addresses: Reliability

Unrestricted Netbios Access

No AWS EC2 security group should allow unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS).

Addresses: Security

EC2 IAM Roles

Applications running on EC2 instances that make AWS API requests should get their permissions from an IAM role attached to the instance (an instance profile) rather than from IAM access keys stored on the instance. Role credentials are short-lived, delivered through the instance metadata service and rotated automatically; static keys in config files or environment variables are easily leaked and rarely rotated. Require IMDSv2 on the instance so those role credentials cannot be harvested through a simple SSRF.

Addresses: Security

Restrict data-tier subnet connectivity to VPC NAT Gateway

Ensure that the VPC route table associated with your data-tier subnets has no default route (0.0.0.0/0) to a NAT gateway. Data-tier instances should not need outbound internet access; removing the route limits what a compromised database host can reach and stops data leaving through the NAT gateway. Use VPC endpoints for the AWS services those instances legitimately need.

Addresses: Security

Unrestricted CIFS Access

No AWS EC2 security group should allow unrestricted inbound access to TCP port 445 (CIFS/SMB).

Addresses: Security

Unrestricted ICMP Access

No security group should allow unrestricted inbound access using Internet Control Message Protocol (ICMP).

Addresses: Security

Unrestricted Inbound Access on All Uncommon Ports

No EC2 security group should allow unrestricted inbound access to any uncommon ports.

Addresses: Security

Unrestricted MongoDB Access

No security group should allow unrestricted ingress access to MongoDB port 27017.

Addresses: Security

Unrestricted MsSQL Access

No security group should allow unrestricted inbound access to TCP port 1433 (MSSQL).

Addresses: Security

Unrestricted MySQL Access

No security group should allow unrestricted inbound access to TCP port 3306 (MySQL).

Addresses: Security

Unrestricted Oracle Access

No security group should allow unrestricted inbound access to TCP port 1521 (Oracle Database).

Addresses: Security

Security Group Port Range

Security groups should not open a range of ports for inbound traffic. Open only the specific ports each workload needs: a wide range exposes every service listening in it to denial-of-service (DoS) and brute-force attacks.

Addresses: Security

Unrestricted PostgreSQL Access

No security group should allow unrestricted inbound access to TCP port 5432 (PostgreSQL Database).

Addresses: Security

Unrestricted RDP Access

No AWS EC2 security group should allow unrestricted inbound access to TCP port 3389 (RDP).

Addresses: Security

Unrestricted RPC Access

No security group should allow unrestricted inbound access to TCP port 135 (RPC).

Addresses: Security

Unrestricted SMTP Access

No security group should allow unrestricted inbound access to TCP port 25 (SMTP).

Addresses: Security

Default Security Group Unrestricted

Default security groups should restrict all public traffic to follow AWS security best practices.

Addresses: Security

Unrestricted Telnet Access

No security group should allow unrestricted inbound access to TCP port 23 (Telnet).

Addresses: Security

Unrestricted SSH Access

No security group should allow unrestricted inbound access to TCP port 22 (SSH).

Addresses: Security

Unrestricted Elasticsearch Access

No security group should allow unrestricted inbound access to TCP port 9200 (Elasticsearch).

Addresses: Security

Unrestricted FTP Access

No security group should allow unrestricted inbound access to TCP ports 20 and 21 (FTP).

Addresses: Security

EC2 Reserved Instance Payment Failed

Ensure that none of your AWS EC2 Reserved Instance purchases have failed.

Addresses: Cost Optimisation

EC2 Reserved Instance Payment Pending

Ensure that none of your AWS EC2 Reserved Instance purchases are pending.

Addresses: Cost Optimisation

EC2 Reserved Instance Recent Purchases

Regularly review your EC2 Reserved Instance purchases for cost optimization (informational).

Addresses: Cost Optimisation

EC2-Classic Elastic IP Address Limit

Your account should not reach the limit set by AWS for the number of allocated Elastic IPs.

Addresses: Operational Maturity

EC2-VPC Elastic IP Address Limit

Your account should not reach the limit set by AWS for the number of Elastic IPs.

Addresses: Operational Maturity

Enable AWS EC2 Hibernation

The hibernation feature should be enabled for EBS-backed EC2 instances that need to retain their in-memory state across stop/start cycles. Hibernation writes the contents of RAM to the root EBS volume, so AWS requires that volume to be encrypted; check this before turning it on.

Addresses: Reliability

Instance In Auto Scaling Group

Every EC2 instance should be launched inside an Auto Scaling Group (ASG) in order to follow the best AWS reliability and security practices.

Addresses: Reliability, Security

Reserved Instance Lease Expiration In The Next 30 Days

Lists all EC2 reserved instances expiring in the next 30 days.

Addresses: Cost Optimisation

Reserved Instance Lease Expiration In The Next 7 Days

Lists all EC2 reserved instances expiring in the next 7 days.

Addresses: Cost Optimisation

Security Group Excessive Counts

Your AWS account should not have an excessive number of security groups per region.

Addresses: Security

Security Group Name Prefixed With launch-wizard

EC2 security groups whose names start with launch-wizard should not be in use. The console's launch wizard creates them with auto-generated names and whatever rules were clicked through at launch time, so they tend to be undocumented and broader than intended; replace them with purpose-built, described groups.

Addresses: Security

EC2 Instance Counts

Your AWS account should not reach the limit set for the number of EC2 instances.

Addresses: Security

EC2 Instance Generation

Your AWS servers should be using the latest generation of EC2 instances for price-performance improvements.

Addresses: Cost Optimisation

Security Group Rules Counts

EC2 security groups should not have an excessive number of rules defined.

Addresses: Security

Security Group RFC 1918

No EC2 security group should allow inbound traffic from RFC-1918 CIDRs in order to follow AWS security best practices.

Addresses: Security

Unassociated Elastic IP Addresses

Identify and remove any unassociated Elastic IP (EIP) addresses for cost optimization.

Addresses: Cost Optimisation

EC2 Instance Not In Public Subnet

No backend EC2 instances should be running in public subnets.

Addresses: Security
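
The two routing checks on this page (data-tier subnets with a default route to a NAT gateway, above, and instances in public subnets, here) both come down to the same question: which route table does a subnet actually use, and where does its default route go? As an added example (not Cloudanix's code), the block below answers that from `describe_route_tables` and `describe_instances` data. All IDs are constructed, and how you decide which subnets form the data tier (here a set passed in by the caller) is an assumption.

```python
"""Derive each subnet's effective routing and flag EC2 instances placed in a
public subnet or in a data-tier subnet that has a default route to a NAT
gateway. Input shapes follow ec2.describe_route_tables() and the Instances
entries of ec2.describe_instances(); all IDs below are constructed samples."""

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def effective_route_table(subnet_id, vpc_id, route_tables):
    """A subnet uses the table explicitly associated with it; a subnet with no
    explicit association silently uses the VPC's main table, which in a
    default VPC carries a route to the internet gateway."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_route_table(rt):
    """'public' if an active default route targets an internet gateway,
    'nat' if it targets a NAT gateway, otherwise 'isolated'."""
    if rt is None:
        return "isolated"
    kinds = set()
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in DEFAULT_ROUTES or route.get("State", "active") != "active":
            continue  # non-default routes and blackholed routes carry no egress
        if str(route.get("GatewayId", "")).startswith("igw-"):
            kinds.add("public")
        elif route.get("NatGatewayId"):
            kinds.add("nat")
    return "public" if "public" in kinds else "nat" if "nat" in kinds else "isolated"


def audit_instance_placement(instances, route_tables, data_tier_subnets):
    """data_tier_subnets is the set of subnet IDs you treat as the data tier;
    how you identify them (tags, naming) is an assumption left to the caller."""
    findings = []
    for inst in instances:
        rt = effective_route_table(inst["SubnetId"], inst["VpcId"], route_tables)
        kind = classify_route_table(rt)
        base = {"instance": inst["InstanceId"], "subnet": inst["SubnetId"],
                "route_table": rt["RouteTableId"] if rt else None}
        if kind == "public":
            findings.append({**base, "check": "EC2 Instance Not In Public Subnet"})
        if inst["SubnetId"] in data_tier_subnets and kind == "nat":
            findings.append({**base, "check":
                             "Restrict data-tier subnet connectivity to VPC NAT Gateway"})
    return findings


# Constructed sample topology: the main table is public (as in a default VPC),
# one data subnet routes to a NAT gateway, one is isolated (its old NAT route
# is blackholed because the gateway was deleted).
VPC_ID = "vpc-0a1b2c3d4e5f60000"
SUBNET_APP = "subnet-0a1b2c3d4e5f60011"      # no explicit association -> main table
SUBNET_DATA_A = "subnet-0a1b2c3d4e5f60021"   # associated with the NAT table
SUBNET_DATA_B = "subnet-0a1b2c3d4e5f60022"   # associated with the isolated table
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0a1b2c3d4e5f60001", "VpcId": VPC_ID, "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d4e5f60000", "State": "active"}]},
    {"RouteTableId": "rtb-0a1b2c3d4e5f60002", "VpcId": VPC_ID,
     "Associations": [{"Main": False, "SubnetId": SUBNET_DATA_A}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d4e5f60000", "State": "active"}]},
    {"RouteTableId": "rtb-0a1b2c3d4e5f60003", "VpcId": VPC_ID,
     "Associations": [{"Main": False, "SubnetId": SUBNET_DATA_B}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d4e5f60001", "State": "blackhole"}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "VpcId": VPC_ID, "SubnetId": SUBNET_APP},
    {"InstanceId": "i-0a1b2c3d4e5f60002", "VpcId": VPC_ID, "SubnetId": SUBNET_DATA_A},
    {"InstanceId": "i-0a1b2c3d4e5f60003", "VpcId": VPC_ID, "SubnetId": SUBNET_DATA_B},
]
DATA_TIER_SUBNETS = {SUBNET_DATA_A, SUBNET_DATA_B}

if __name__ == "__main__":
    for f in audit_instance_placement(SAMPLE_INSTANCES, SAMPLE_ROUTE_TABLES, DATA_TIER_SUBNETS):
        print(f)
```

The main-table fallback is the case worth remembering: a subnet created without an explicit route-table association inherits the VPC's main table, and if that table has an internet-gateway route (the default VPC does), the "backend" subnet is public without anyone having written a route for it. Whether an instance in a public subnet is actually reachable also depends on it having a public or Elastic IP, so treat the finding as a placement error to fix, not as proof of exposure on its own.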

Unrestricted DNS Access

No security group should allow unrestricted inbound access to TCP and UDP port 53 (DNS).

Addresses: Security

Unrestricted HTTP Access

No security group should allow unrestricted inbound access to TCP port 80 (HTTP).

Addresses: Security

Unrestricted HTTPS Access

No security group should allow unrestricted inbound access to TCP port 443 (HTTPS).

Addresses: Security
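
All of the security-group checks on this page (the "Unrestricted ... Access" items from NetBIOS through FTP, the port-range, default-group and RFC 1918 checks, and DNS/HTTP/HTTPS here) are one rule-evaluation routine run over the `IpPermissions` structure that `describe_security_groups` returns. The block below is an added example, not Cloudanix's implementation; the three security groups are constructed samples, and the port-to-name table simply mirrors the checks listed above. HTTP and HTTPS are included because the page flags them, although for an internet-facing load balancer they are normally intended.

```python
import ipaddress

# Ports that the checks on this page treat as sensitive, keyed by (protocol, port).
SENSITIVE_PORTS = {
    ("tcp", 20): "FTP", ("tcp", 21): "FTP", ("tcp", 22): "SSH", ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP", ("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 80): "HTTP",
    ("tcp", 135): "RPC", ("udp", 137): "NetBIOS", ("udp", 138): "NetBIOS",
    ("tcp", 139): "NetBIOS", ("tcp", 443): "HTTPS", ("tcp", 445): "CIFS",
    ("tcp", 1433): "MsSQL", ("tcp", 1521): "Oracle", ("tcp", 3306): "MySQL",
    ("tcp", 3389): "RDP", ("tcp", 5432): "PostgreSQL", ("tcp", 9200): "Elasticsearch",
    ("tcp", 27017): "MongoDB",
}
ANYWHERE = {"0.0.0.0/0", "::/0"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cidr_sources(rule):
    """IPv4 and IPv6 CIDR sources of one rule. Sources that are other security
    groups (UserIdGroupPairs) are not internet exposures and are ignored here."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def protocols_covered(rule):
    """Map protocol -> (from_port, to_port). IpProtocol "-1" means all traffic
    and comes back without port fields, so expand it explicitly."""
    proto = rule["IpProtocol"]
    if proto == "-1":
        return {"tcp": (0, 65535), "udp": (0, 65535), "icmp": (-1, -1)}
    return {proto: (rule.get("FromPort", -1), rule.get("ToPort", -1))}


def is_rfc1918(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.overlaps(p) for p in RFC1918)


def audit_security_group(sg):
    """One finding per (rule, source, check) for a describe_security_groups entry."""
    findings = []

    def add(check, rule_desc, source):
        findings.append({"check": check, "sg": sg["GroupId"], "rule": rule_desc, "source": source})

    for rule in sg.get("IpPermissions", []):
        for proto, (lo, hi) in protocols_covered(rule).items():
            desc = f"{proto}/all" if lo == -1 else f"{proto}/{lo}-{hi}"
            for src in cidr_sources(rule):
                if src in ANYWHERE:
                    if sg["GroupName"] == "default":
                        add("Default Security Group Unrestricted", desc, src)
                    if proto in ("icmp", "icmpv6"):
                        add("Unrestricted ICMP Access", desc, src)
                        continue
                    hits = {name for (p, port), name in SENSITIVE_PORTS.items()
                            if p == proto and lo <= port <= hi}
                    for name in sorted(hits):
                        add(f"Unrestricted {name} Access", desc, src)
                    if not hits:
                        add("Unrestricted Inbound Access on All Uncommon Ports", desc, src)
                elif is_rfc1918(src):
                    add("Security Group RFC 1918", desc, src)
                if proto in ("tcp", "udp") and hi > lo:
                    add("Security Group Port Range", desc, src)
    return findings


def checks_by_group(security_groups):
    """GroupId -> set of check names that fired, for a quick summary."""
    return {sg["GroupId"]: {f["check"] for f in audit_security_group(sg)}
            for sg in security_groups}


# Constructed sample groups (IDs are made up), shaped like describe_security_groups output.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0123456789abcdef1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},  # SSH from one bastion only
    {"GroupId": "sg-0123456789abcdef2", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef3"}]}]},
]

if __name__ == "__main__":
    for sg in SAMPLE_SECURITY_GROUPS:
        for f in audit_security_group(sg):
            print(f)
```

Two details matter in practice. An "all traffic" rule (`IpProtocol` of `-1`) has no port fields at all, so a checker that only looks at `FromPort`/`ToPort` misses the worst rule a group can have; the expansion in `protocols_covered` is what makes the default-group sample trip every port check. And the 5432 rule whose source is another security group produces no finding, which is the shape you want database access to take: the fix for a flagged rule is `aws ec2 revoke-security-group-ingress` followed by re-adding it with a security-group or narrow CIDR source.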

Check for EC2 Instances with Blacklisted Instance Types

Your AWS account should not have any EC2 instance running with a blacklisted instance type.

Addresses: Security

Unused Elastic Network Interfaces

Unused AWS Elastic Network Interfaces (ENIs) should be removed to follow best practices.

Addresses: Cost Optimisation, Operational Maturity

Unused AMI

Unused AMIs should be removed to follow best practices.

Addresses: Cost Optimisation

Unused AWS EC2 Key Pairs

Unused AWS EC2 key pairs should be decommissioned to follow best practices.

Addresses: Security

EC2 Reserved Instance Utilization

AWS EC2 Reserved Instances should be fully utilized.

Addresses: Cost Optimisation

Overutilized AWS EC2 Instances

Overutilized EC2 instances should be upgraded to optimize application response time.

Addresses: Operational Maturity, Reliability

Idle EC2 Instance

Idle AWS EC2 instances should be stopped or terminated in order to optimize AWS costs.

Addresses: Cost Optimisation

Underutilized EC2 Instance

Underutilized EC2 instances should be downsized in order to optimize your AWS costs.

Addresses: Cost Optimisation

EC2 Instance Tenancy

EC2 instances should have the required tenancy for security and regulatory compliance requirements.

Addresses: Security


Not ready for a free signup yet? No worries!

We suggest you use the checklist!

If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.