Effective URL: https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html
Amazon Elastic Compute Cloud controls - AWS Security Hub
 * [EC2.1] Amazon EBS snapshots should not be publicly restorable
 * [EC2.2] The VPC default security group should not allow inbound and outbound traffic
 * [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
 * [EC2.4] Stopped Amazon EC2 instances should be removed after a specified time period
 * [EC2.6] VPC flow logging should be enabled in all VPCs
 * [EC2.7] Amazon EBS default encryption should be enabled
 * [EC2.8] Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
 * [EC2.9] Amazon EC2 instances should not have a public IPv4 address
 * [EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service
 * [EC2.12] Unused Amazon EC2 EIPs should be removed
 * [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22
 * [EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
 * [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses
 * [EC2.16] Unused Network Access Control Lists should be removed
 * [EC2.17] Amazon EC2 instances should not use multiple ENIs
 * [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
 * [EC2.19] Security groups should not allow unrestricted access to ports with high risk
 * [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
 * [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
 * [EC2.22] Unused Amazon EC2 security groups should be removed
 * [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
 * [EC2.24] Amazon EC2 paravirtual instance types should not be used
 * [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
 * [EC2.28] EBS volumes should be covered by a backup plan
 * [EC2.29] EC2 instances should be launched in a VPC


AMAZON ELASTIC COMPUTE CLOUD CONTROLS


These controls are related to Amazon EC2 resources.


[EC2.1] AMAZON EBS SNAPSHOTS SHOULD NOT BE PUBLICLY RESTORABLE

Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS
v3.2.1/1.3.4, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3,
NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21),
NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11),
NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21),
NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

Category: Protect > Secure network configuration

Severity: Critical

Resource type: AWS::::Account

AWS Config rule: ebs-snapshot-public-restorable-check

Schedule type: Periodic

Parameters: None

This control checks whether Amazon Elastic Block Store (Amazon EBS) snapshots
are public. The control fails if any snapshot's create-volume permission is
granted to the group named "all", which lets any AWS account restore a volume
from that snapshot and read its contents.

EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a
specific point in time. You can use the snapshots to restore previous states of
EBS volumes. It is rarely acceptable to share a snapshot with the public.
Typically the decision to share a snapshot publicly was made in error or without
a complete understanding of the implications. This check helps ensure that all
such sharing was fully planned and intentional.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Osaka)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (UAE)

To make a public EBS snapshot private, see Share a snapshot in the Amazon EC2
User Guide for Linux Instances. For Actions, Modify permissions, choose Private.
From the AWS CLI, the equivalent is to remove the "all" group from the
snapshot's createVolumePermission attribute with modify-snapshot-attribute.


[EC2.2] THE VPC DEFAULT SECURITY GROUP SHOULD NOT ALLOW INBOUND AND OUTBOUND
TRAFFIC

Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.4, PCI DSS
v3.2.1/2.1, CIS AWS Foundations Benchmark v1.2.0/4.3, CIS AWS Foundations
Benchmark v1.4.0/5.3, NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21),
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)

Category: Protect > Secure network configuration

Severity: High

Resource type: AWS::EC2::SecurityGroup

AWS Config rule: vpc-default-security-group-closed

Schedule type: Change triggered

Parameters: None

This control checks that the default security group of a VPC does not allow
inbound or outbound traffic.

The rules for the default security group allow all outbound and inbound traffic
from network interfaces (and their associated instances) that are assigned to
the same security group.

We do not recommend using the default security group. Because the default
security group cannot be deleted, you should change the default security group
rules setting to restrict inbound and outbound traffic. This prevents unintended
traffic if the default security group is accidentally configured for resources
such as EC2 instances.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Europe (Spain)

 * Europe (Zurich)


REMEDIATION

To remediate this issue, start by creating new least-privilege security groups.
For instructions, see Create a security group in the Amazon VPC User Guide.
Then, assign the new security groups to your EC2 instances. For instructions,
see Change an instance's security group in the Amazon EC2 User Guide for Linux
Instances.

After you assign the new security groups to your resources, remove all inbound
and outbound rules from the default security groups. For instructions, see
Delete security group rules in the Amazon VPC User Guide.


[EC2.3] ATTACHED AMAZON EBS VOLUMES SHOULD BE ENCRYPTED AT-REST

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6),
NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1),
NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

Category: Protect > Data protection > Encryption of data at rest

Severity: Medium

Resource type: AWS::EC2::Volume

AWS Config rule: encrypted-volumes

Schedule type: Change triggered

Parameters: None

This control checks whether the EBS volumes that are in an attached state are
encrypted. To pass this check, EBS volumes must be in use and encrypted. If the
EBS volume is not attached, then it is not subject to this check.

For an added layer of security of your sensitive data in EBS volumes, you should
enable EBS encryption at rest. Amazon EBS encryption offers a straightforward
encryption solution for your EBS resources that doesn't require you to build,
maintain, and secure your own key management infrastructure. It uses KMS keys
when creating encrypted volumes and snapshots.

To learn more about Amazon EBS encryption, see Amazon EBS encryption in the
Amazon EC2 User Guide for Linux Instances.

NOTE

This control isn't supported in the following Regions:

 * Africa (Cape Town)

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Osaka)

 * Europe (Milan)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (UAE)


REMEDIATION

There's no direct way to encrypt an existing unencrypted volume or snapshot. You
can only encrypt a new volume or snapshot when you create it. To move the data
on an unencrypted volume onto an encrypted one, create a snapshot of the
volume, copy the snapshot with encryption enabled, create a new volume from the
encrypted copy, and then detach the unencrypted volume from the instance and
attach the new volume in its place (stop the instance first if it is the root
volume). Once the new volume is in service, delete the unencrypted volume and
its snapshot so that a plaintext copy of the data does not linger.

If you enabled encryption by default, Amazon EBS encrypts the resulting new
volume or snapshot using your default key for Amazon EBS encryption. Even if you
have not enabled encryption by default, you can enable encryption when you
create an individual volume or snapshot. In both cases, you can override the
default key for Amazon EBS encryption and choose a symmetric customer managed
key.

For more information, see Creating an Amazon EBS volume and Copying an Amazon
EBS snapshot in the Amazon EC2 User Guide for Linux Instances.


[EC2.4] STOPPED AMAZON EC2 INSTANCES SHOULD BE REMOVED AFTER A SPECIFIED TIME
PERIOD

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2,
NIST.800-53.r5 CM-2(2)

Category: Identify > Inventory

Severity: Medium

Resource type: AWS::EC2::Instance

AWS Config rule: ec2-stopped-instance

Schedule type: Periodic

Parameters:

 * allowedDays: 30

This control checks whether any EC2 instances have been stopped for more than
the allowed number of days. An EC2 instance fails this check if it is stopped
for longer than the maximum allowed time period, which by default is 30 days.

A failed finding indicates that an EC2 instance has not run for a significant
period of time. This creates a security risk because the EC2 instance is not
being actively maintained (analyzed, patched, updated). If it is later launched,
the lack of proper maintenance could result in unexpected issues in your AWS
environment. To safely maintain an EC2 instance over time in a nonrunning state,
start it periodically for maintenance and then stop it after maintenance.
Ideally this is an automated process.

NOTE

This control isn't supported in the following Regions:

 * Africa (Cape Town)

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Osaka)

 * Europe (Milan)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (UAE)


REMEDIATION

After 30 days of inactivity, we recommend terminating an EC2 instance. For
instructions, see Terminating an instance in the Amazon EC2 User Guide for Linux
Instances.


[EC2.6] VPC FLOW LOGGING SHOULD BE ENABLED IN ALL VPCS

Related requirements: CIS AWS Foundations Benchmark v1.2.0/2.9, PCI DSS
v3.2.1/10.3.3, PCI DSS v3.2.1/10.3.4, PCI DSS v3.2.1/10.3.5, PCI DSS
v3.2.1/10.3.6, CIS AWS Foundations Benchmark v1.4.0/3.9, NIST.800-53.r5
AC-4(26), NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3,
NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7,
NIST.800-53.r5 SI-7(8)

Category: Identify > Logging

Severity: Medium

Resource type: AWS::EC2::VPC

AWS Config rule: vpc-flow-logs-enabled

Schedule type: Periodic

Parameters:

 * trafficType: REJECT

This control checks whether a flow log exists for each VPC. The control passes
when the VPC has a flow log whose traffic type is Reject (or All, which includes
rejected traffic). A VPC with no flow log, or whose only flow log captures
accepted traffic alone, fails.

With the VPC Flow Logs feature, you can capture information about the IP address
traffic going to and from network interfaces in your VPC. After you create a
flow log, you can view and retrieve its data in CloudWatch Logs. To reduce cost,
you can also send your flow logs to Amazon S3.

Security Hub recommends that you enable flow logging for packet rejects for
VPCs. Flow logs provide visibility into network traffic that traverses the VPC
and can detect anomalous traffic or provide insight during security workflows.

By default, the record includes values for the different components of the IP
address flow, including the source, destination, and protocol. For more
information and descriptions of the log fields, see VPC Flow Logs in the Amazon
VPC User Guide.
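The following script is an added example, not part of the AWS documentation: it parses a few constructed default-format flow log records (the 14-field version 2 layout whose fields are listed in the VPC Flow Logs reference) and summarizes the REJECT records per source address, flagging any source that was refused on several distinct destination ports, which is what a port scan looks like in this data. The sample lines, the interface ID and the addresses are made up for the example; with the Reject traffic type this control asks for, the ACCEPT line simply would not appear.

```python
"""Summarize REJECT records from VPC Flow Logs (default format, version 2).

Added example; not AWS code. Default-format field order:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (not real traffic): one internet host probing four
# ports on the same ENI, one accepted internal flow, one lone reject, and a
# NODATA record, which carries no flow fields and must be skipped.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 51324 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 51325 3389 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 51326 445 6 1 44 1700000001 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 51327 8080 6 1 44 1700000002 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.40 10.0.1.15 40122 443 6 12 3104 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.15 33001 443 6 2 88 1700000011 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000012 1700000072 - NODATA
"""


def parse_flow_log(text: str) -> list[dict]:
    """Turn default-format lines into dicts keyed by FIELDS.

    Records whose log-status is not OK (NODATA, SKIPDATA) carry '-' in the
    flow fields and are dropped before any numeric conversion.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_ports_by_source(records: list[dict]) -> dict[str, set[int]]:
    """Map each source address to the set of destination ports it was refused on."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return dict(ports)


def find_port_scanners(records: list[dict], min_ports: int = 3) -> list[str]:
    """Sources refused on at least `min_ports` distinct ports, busiest first."""
    by_src = rejected_ports_by_source(records)
    hits = [(src, len(p)) for src, p in by_src.items() if len(p) >= min_ports]
    return [src for src, _ in sorted(hits, key=lambda h: (-h[1], h[0]))]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for src, ports in rejected_ports_by_source(recs).items():
        print(f"{src}: rejected on ports {sorted(ports)}")
    print("likely scanners:", find_port_scanners(recs))
```

The same parser works on records delivered to CloudWatch Logs or to Amazon S3, as long as the flow log was created with the default format; a custom format changes the field order and FIELDS must be adjusted to match.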

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (UAE)


REMEDIATION

To create a VPC Flow Log, see Create a Flow Log in the Amazon VPC User Guide.
After you open the Amazon VPC console, choose Your VPCs. For Filter, choose
Reject or All.


[EC2.7] AMAZON EBS DEFAULT ENCRYPTION SHOULD BE ENABLED

Related requirements: CIS AWS Foundations Benchmark v1.4.0/2.2.1, NIST.800-53.r5
CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28,
NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

Category: Protect > Data protection > Encryption of data at rest

Severity: Medium

Resource type: AWS::::Account

AWS Config rule: ec2-ebs-encryption-by-default

Schedule type: Periodic

Parameters: None

This control checks whether account-level encryption is enabled by default for
Amazon Elastic Block Store (Amazon EBS). The control fails if the account-level
encryption is not enabled.

When encryption is enabled for your account, Amazon EBS volumes and snapshot
copies are encrypted at rest. This adds an additional layer of protection for
your data. For more information, see Encryption by default in the Amazon EC2
User Guide for Linux Instances.

Note that the following instance types do not support encryption: R1, C1, and M1.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Osaka)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (UAE)


REMEDIATION

To configure default encryption for Amazon EBS volumes, see Encryption by
default in the Amazon EC2 User Guide for Linux Instances.


[EC2.8] AMAZON EC2 INSTANCES SHOULD USE INSTANCE METADATA SERVICE VERSION 2
(IMDSV2)

Related requirements: NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15),
NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6

Category: Protect > Network security

Severity: High

Resource type: AWS::EC2::Instance

AWS Config rule: ec2-imdsv2-check

Schedule type: Change triggered

Parameters: None

This control checks whether your EC2 instance metadata version is configured
with Instance Metadata Service Version 2 (IMDSv2). The control passes if
HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set
to optional.

You use instance metadata to configure or manage the running instance. The IMDS
provides access to temporary, frequently rotated credentials. These credentials
remove the need to hard code or distribute sensitive credentials to instances
manually or programmatically. The IMDS is attached locally to every EC2
instance. It runs on a special "link local" IP address of 169.254.169.254. This
IP address is only accessible by software that runs on the instance.

Version 2 of the IMDS adds protections against the following classes of
vulnerability, each of which an attacker could otherwise use to reach the IMDS
from outside the instance:

 * Open web application firewalls

 * Open reverse proxies

 * Server-side request forgery (SSRF) vulnerabilities

 * Open Layer 3 firewalls and network address translation (NAT)

Security Hub recommends that you configure your EC2 instances with IMDSv2.
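The following is an added example, not AWS code and not a client for the real service: a simplified model of the IMDS decision rules (token issuance, the HttpTokens setting, the PUT-response hop limit and the refusal of token requests carrying X-Forwarded-For) together with a well-behaved client and the two attacker positions that matter here, an SSRF that can only issue a GET with no headers, and an open reverse proxy that relays a token request. The MetadataOptions field names match the describe-instances output; the class and function names are this example's own, the credential text it returns is a placeholder, and 169.254.169.254 is never contacted.

```python
"""Model of the IMDSv1/IMDSv2 request rules behind control EC2.8.

Added example; a simplified model, not AWS code and not a real IMDS client.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600                       # IMDSv2 maximum token lifetime (6 hours)
CRED_PATH = "/latest/meta-data/iam/security-credentials/"


@dataclass
class MetadataOptions:
    """Mirrors the MetadataOptions block of describe-instances."""
    http_tokens: str = "optional"      # "optional" allows IMDSv1; "required" is IMDSv2-only
    http_put_response_hop_limit: int = 1
    http_endpoint: str = "enabled"


@dataclass
class Response:
    status: int
    body: str = ""


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    hops: int = 1                      # IP hops from the requester to the instance


class SimulatedImds:
    """Simplified model (not AWS code) of how IMDS decides to answer a request."""

    def __init__(self, options: MetadataOptions):
        self.options = options
        self._tokens: dict[str, float] = {}        # token -> expiry (monotonic clock)

    def handle(self, req: Request) -> Optional[Response]:
        if self.options.http_endpoint != "enabled":
            return Response(403, "metadata endpoint disabled")
        if req.method == "PUT" and req.path == "/latest/api/token":
            return self._issue_token(req)
        if req.method != "GET":
            return Response(405)
        token = req.headers.get(TOKEN_HEADER)
        if token and self._tokens.get(token, 0) > time.monotonic():
            return Response(200, self._lookup(req.path))      # IMDSv2 request
        if self.options.http_tokens == "optional":
            return Response(200, self._lookup(req.path))      # IMDSv1 still allowed
        return Response(401, "IMDSv2 token required")

    def _issue_token(self, req: Request) -> Optional[Response]:
        # Token requests that arrive through a proxy are refused outright.
        if "X-Forwarded-For" in req.headers:
            return Response(403, "X-Forwarded-For not permitted on token requests")
        ttl = req.headers.get(TTL_HEADER)
        if not (ttl and ttl.isdigit() and 1 <= int(ttl) <= MAX_TTL):
            return Response(400, "invalid or missing TTL header")
        # The PUT response is sent with an IP TTL equal to the hop limit, so it
        # never reaches a requester more than that many hops away (e.g. a
        # container behind bridged networking when the limit is 1).
        if req.hops > self.options.http_put_response_hop_limit:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = time.monotonic() + int(ttl)
        return Response(200, token)

    @staticmethod
    def _lookup(path: str) -> str:
        # Constructed placeholder; a real IMDS returns the role's temporary keys here.
        return "role-name-and-temporary-credentials" if path.startswith(CRED_PATH) else "other-metadata"


def fetch_imdsv2(imds: SimulatedImds, path: str, hops: int = 1) -> Optional[Response]:
    """What an IMDSv2-aware SDK does: PUT for a token, then GET with the token header."""
    tok = imds.handle(Request("PUT", "/latest/api/token", {TTL_HEADER: "21600"}, hops))
    if tok is None or tok.status != 200:
        return tok
    return imds.handle(Request("GET", path, {TOKEN_HEADER: tok.body}, hops))


def ssrf_get(imds: SimulatedImds, path: str) -> Response:
    """An attacker who controls only a URL fetched server-side: GET, no headers."""
    return imds.handle(Request("GET", path))


def proxied_token_request(imds: SimulatedImds) -> Response:
    """A token request relayed by an open reverse proxy, which adds X-Forwarded-For."""
    return imds.handle(Request("PUT", "/latest/api/token",
                               {TTL_HEADER: "60", "X-Forwarded-For": "203.0.113.5"}))


def evaluate_ec2_8(options: MetadataOptions) -> str:
    """The control's decision: PASSED only when HttpTokens is 'required'."""
    return "PASSED" if options.http_tokens == "required" else "FAILED"
```

With HttpTokens set to optional, the SSRF-style GET reads the credential path; with required, the same GET is answered 401 while the token handshake still succeeds, and a requester two hops away never receives a token because the PUT response leaves with a hop limit of 1. Switching an existing instance is a single call: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled.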

NOTE

This control isn't supported in the following Regions:

 * Africa (Cape Town)

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Osaka)

 * Europe (Milan)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (UAE)


REMEDIATION

To configure EC2 instances with IMDSv2, see Recommended path to requiring IMDSv2
in the Amazon EC2 User Guide for Linux Instances.


[EC2.9] AMAZON EC2 INSTANCES SHOULD NOT HAVE A PUBLIC IPV4 ADDRESS

Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

Category: Protect > Secure network configuration > Public IP addresses

Severity: High

Resource type: AWS::EC2::Instance

AWS Config rule: ec2-instance-no-public-ip

Schedule type: Change triggered

Parameters: None

This control checks whether EC2 instances have a public IP address. The control
fails if the publicIp field is present in the EC2 instance configuration item.
This control applies to IPv4 addresses only.

A public IPv4 address is an IP address that is reachable from the internet. If
you launch your instance with a public IP address, then your EC2 instance is
reachable from the internet. A private IPv4 address is an IP address that is not
reachable from the internet. You can use private IPv4 addresses for
communication between EC2 instances in the same VPC or in your connected private
network.

IPv6 addresses are globally unique, and therefore are reachable from the
internet. However, by default all subnets have the IPv6 addressing attribute set
to false. For more information about IPv6, see IP addressing in your VPC in the
Amazon VPC User Guide.

If you have a legitimate use case to maintain EC2 instances with public IP
addresses, then you can suppress the findings from this control. For more
information about front-end architecture options, see the AWS Architecture Blog
or the This Is My Architecture series.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Osaka)

 * Europe (Spain)

 * Europe (Zurich)


REMEDIATION

Use a non-default VPC so that your instance is not assigned a public IP address
by default.

When you launch an EC2 instance into a default VPC, it is assigned a public IP
address. When you launch an EC2 instance into a non-default VPC, the subnet
configuration determines whether it receives a public IP address. The subnet has
an attribute to determine if new EC2 instances in the subnet receive a public IP
address from the public IPv4 address pool.

You cannot manually associate or disassociate an automatically-assigned public
IP address from your EC2 instance. To control whether your EC2 instance receives
a public IP address, do one of the following:

 * Modify the public IP addressing attribute of your subnet. For more
   information, see Modifying the public IPv4 addressing attribute for your
   subnet in the Amazon VPC User Guide.

 * Enable or disable the public IP addressing feature during launch. This
   overrides the subnet's public IP addressing attribute. For more information,
   see Assign a public IPv4 address during instance launch in the Amazon EC2
   User Guide for Linux Instances.

For more information, see Public IPv4 addresses and external DNS hostnames in
the Amazon EC2 User Guide for Linux Instances.

If your EC2 instance is associated with an Elastic IP address, then your EC2
instance is reachable from the internet. You can disassociate an Elastic IP
address from an instance or network interface at any time. To disassociate an
Elastic IP address, see Disassociate an Elastic IP address in the Amazon EC2
User Guide for Linux Instances.


[EC2.10] AMAZON EC2 SHOULD BE CONFIGURED TO USE VPC ENDPOINTS THAT ARE CREATED
FOR THE AMAZON EC2 SERVICE

Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4)

Category: Protect > Secure network configuration > API private access

Severity: Medium

Resource type: AWS::EC2::VPC

AWS Config rule: service-vpc-endpoint-enabled

Schedule type: Periodic

Parameters:

 * serviceName: ec2

This control checks whether a service endpoint for Amazon EC2 is created for
each VPC. The control fails if a VPC does not have a VPC endpoint created for
the Amazon EC2 service.

This control evaluates resources in a single account. It cannot describe
resources that are outside of the account. Because AWS Config and Security Hub
do not conduct cross-account checks, you will see FAILED findings for VPCs that
are shared across accounts. Security Hub recommends that you suppress these
FAILED findings.

To improve the security posture of your VPC, you can configure Amazon EC2 to use
an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a
technology that enables you to access Amazon EC2 API operations privately. It
restricts all network traffic between your VPC and Amazon EC2 to the Amazon
network. Because endpoints are supported within the same Region only, you cannot
create an endpoint between a VPC and a service in a different Region. This
prevents unintended Amazon EC2 API calls to other Regions.

To learn more about creating VPC endpoints for Amazon EC2, see Amazon EC2 and
interface VPC endpoints in the Amazon EC2 User Guide for Linux Instances.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Osaka)

 * Europe (Spain)

 * Europe (Zurich)


REMEDIATION

To create an interface endpoint to Amazon EC2 from the Amazon VPC console, see
Create a VPC endpoint in the AWS PrivateLink Guide. For Service name, choose
com.amazonaws.region.ec2.

You can also create and attach an endpoint policy to your VPC endpoint to
control access to the Amazon EC2 API. For instructions on creating a VPC
endpoint policy, see Create an endpoint policy in the Amazon EC2 User Guide for
Linux Instances.


[EC2.12] UNUSED AMAZON EC2 EIPS SHOULD BE REMOVED

Related requirements: PCI DSS v3.2.1/2.4, NIST.800-53.r5 CM-8(1)

Category: Protect > Secure network configuration

Severity: Low

Resource type: AWS::EC2::EIP

AWS Config rule: eip-attached

Schedule type: Change triggered

Parameters: None

This control checks whether Elastic IP (EIP) addresses that are allocated to a
VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).

A failed finding indicates you may have unused EC2 EIPs.

This will help you maintain an accurate asset inventory of EIPs in your
cardholder data environment (CDE).

NOTE

This control isn't supported in the following Regions:

 * Africa (Cape Town)

 * Europe (Milan)

 * Middle East (UAE)

To release an unused EIP, see Release an Elastic IP address in the Amazon EC2
User Guide for Linux Instances.


[EC2.13] SECURITY GROUPS SHOULD NOT ALLOW INGRESS FROM 0.0.0.0/0 TO PORT 22

Related requirements: CIS AWS Foundations Benchmark v1.2.0/4.1, PCI DSS
v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/2.2.2, NIST.800-53.r5 AC-4,
NIST.800-53.r5 AC-4(21), NIST.800-53.r5 CM-7, NIST.800-53.r5 SC-7,
NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)

Category: Protect > Secure network configuration

Severity: High

Resource type: AWS::EC2::SecurityGroup

AWS Config rule: restricted-ssh

Schedule type: Change triggered

Security groups provide stateful filtering of ingress and egress network traffic
to AWS resources.

CIS recommends that no security group allow unrestricted ingress access to port
22. Removing unfettered connectivity to remote console services, such as SSH,
reduces a server's exposure to risk.

NOTE

This control isn't supported in the following Regions:

 * Africa (Cape Town)

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Osaka)

 * Europe (Milan)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (UAE)


REMEDIATION

To prohibit ingress to port 22, remove the rule that allows such access for each
security group associated with a VPC. For instructions, see Update security
group rules in the Amazon VPC User Guide. After selecting a security group in
the Amazon VPC Console, choose Actions, Edit inbound rules. Remove the rule that
allows access to port 22.


[EC2.14] ENSURE NO SECURITY GROUPS ALLOW INGRESS FROM 0.0.0.0/0 TO PORT 3389

Related requirements: CIS AWS Foundations Benchmark v1.2.0/4.2

Category: Protect > Secure network configuration

Severity: High

Resource type: AWS::EC2::SecurityGroup

AWS Config rule: restricted-common-ports

Schedule type: Change triggered

The name of the associated AWS Config managed rule is restricted-common-ports.
However, the rule that is created uses the name restricted-rdp.

Security groups provide stateful filtering of ingress and egress network traffic
to AWS resources.

CIS recommends that no security group allow unrestricted ingress access to port
3389. Removing unfettered connectivity to remote console services, such as RDP,
reduces a server's exposure to risk.

NOTE

This control isn't supported in the following Regions:

 * Africa (Cape Town)

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Osaka)

 * Europe (Milan)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (UAE)


REMEDIATION

To prohibit ingress to port 3389, remove the rule that allows such access for
each security group associated with a VPC. For instructions, see Update security
group rules in the Amazon VPC User Guide. After selecting a security group in
the Amazon VPC Console, choose Actions, Edit inbound rules. Remove the rule that
allows access to port 3389.


[EC2.15] AMAZON EC2 SUBNETS SHOULD NOT AUTOMATICALLY ASSIGN PUBLIC IP ADDRESSES

Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

Category: Protect > Network security

Severity: Medium

Resource type: AWS::EC2::Subnet

AWS Config rule: subnet-auto-assign-public-ip-disabled

Schedule type: Change triggered

Parameters: None

This control checks whether Amazon Virtual Private Cloud (Amazon VPC) subnets
have the MapPublicIpOnLaunch attribute set to FALSE. The control passes if the
flag is set to FALSE.

All subnets have an attribute that determines whether a network interface
created in the subnet automatically receives a public IPv4 address. Instances
that are launched into subnets that have this attribute enabled have a public IP
address assigned to their primary network interface.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Osaka)

 * China (Beijing)

 * China (Ningxia)

 * Europe (Spain)

 * Europe (Zurich)

 * AWS GovCloud (US-East)

 * AWS GovCloud (US-West)


REMEDIATION

To configure a subnet to not assign public IP addresses, see Modify the public
IPv4 addressing attribute for your subnet in the Amazon VPC User Guide. Clear
the check box for Enable auto-assign public IPv4 address.


[EC2.16] UNUSED NETWORK ACCESS CONTROL LISTS SHOULD BE REMOVED

Related requirements: NIST.800-53.r5 CM-8(1)

Category: Prevent > Network security

Severity: Low

Resource type: AWS::EC2::NetworkAcl

AWS Config rule: vpc-network-acl-unused-check

Schedule type: Change triggered

Parameters: None

This control checks whether there are any unused network access control lists
(ACLs).

The control checks the item configuration of the resource AWS::EC2::NetworkAcl
and determines the relationships of the network ACL.

If the only relationship is the VPC of the network ACL, then the control fails.

If other relationships are listed, then the control passes.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Osaka)

 * China (Beijing)

 * China (Ningxia)

 * Europe (Spain)

 * Europe (Zurich)

 * AWS GovCloud (US-East)

 * AWS GovCloud (US-West)


REMEDIATION

For instructions on deleting an unused network ACL, see Deleting a network ACL
in the Amazon VPC User Guide. You can't delete the default network ACL or an ACL
that is associated with subnets.


[EC2.17] AMAZON EC2 INSTANCES SHOULD NOT USE MULTIPLE ENIS

Related requirements: NIST.800-53.r5 AC-4(21)

Category: Network security

Severity: Low

Resource type: AWS::EC2::Instance

AWS Config rule: ec2-instance-multiple-eni-check

Schedule type: Change triggered

Parameters:

 * Adapterids (Optional) – A list of network interface IDs that are attached to
   EC2 instances

This control checks whether an EC2 instance uses multiple Elastic Network
Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This control passes if a
single network adapter is used. The control includes an optional parameter list
to identify the allowed ENIs. This control also fails if an EC2 instance that
belongs to an Amazon EKS cluster uses more than one ENI. If your EC2 instances
need to have multiple ENIs as part of an Amazon EKS cluster, you can suppress
those control findings.

Multiple ENIs can cause dual-homed instances, meaning instances that have
multiple subnets. This can add network security complexity and introduce
unintended network paths and access.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Osaka)

 * Europe (Spain)

 * Europe (Zurich)

 * AWS GovCloud (US-East)

 * AWS GovCloud (US-West)


REMEDIATION

To detach a network interface from an EC2 instance, see Detach a network
interface from an instance in the Amazon EC2 User Guide for Linux Instances.


[EC2.18] SECURITY GROUPS SHOULD ONLY ALLOW UNRESTRICTED INCOMING TRAFFIC FOR
AUTHORIZED PORTS

Related requirements: NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21),
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)

Category: Protect > Secure network configuration > Security group configuration

Severity: High

Resource type: AWS::EC2::SecurityGroup

AWS Config rule: vpc-sg-open-only-to-authorized-ports

Schedule type: Change triggered

Parameters:

 * authorizedTcpPorts (Optional) – Comma-separated list of ports to which to
   allow unrestricted access. For example: '80, 443'. For this rule, the default
   values for authorizedTcpPorts are 80 and 443.

This control checks whether the security groups that are in use allow
unrestricted incoming traffic. Optionally the rule checks whether the port
numbers are listed in the authorizedTcpPorts parameter.

 * If the security group rule port number allows unrestricted incoming traffic,
   but the port number is specified in authorizedTcpPorts, then the control
   passes. The default value for authorizedTcpPorts is 80, 443.

 * If the security group rule port number allows unrestricted incoming traffic,
   but the port number is not specified in authorizedTcpPorts input parameter,
   then the control fails.

 * If the parameter is not used, then the control fails for any security group
   that has an unrestricted inbound rule.

Security groups provide stateful filtering of ingress and egress network traffic
to AWS resources. Security group rules should follow the principle of least
privilege. Unrestricted access (an IP address range with a /0 suffix) increases
the opportunity for malicious activity such as hacking, denial-of-service
attacks, and loss of data.

Unless a port is specifically allowed, the port should deny unrestricted access.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Osaka)

 * Europe (Spain)

 * Europe (Zurich)


REMEDIATION

To modify a security group, see Add, remove, or update rules in the Amazon VPC
User Guide.


[EC2.19] SECURITY GROUPS SHOULD NOT ALLOW UNRESTRICTED ACCESS TO PORTS WITH HIGH
RISK

Related requirements: NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21),
NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2),
NIST.800-53.r5 CM-7, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11),
NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4),
NIST.800-53.r5 SC-7(5)

Category: Protect > Restricted network access

Severity: Critical

Resource type: AWS::EC2::SecurityGroup

AWS Config rule: vpc-sg-restricted-common-ports (custom Security Hub rule)

Schedule type: Change triggered

Parameters: None

This control checks whether unrestricted incoming traffic for the security
groups is accessible to the specified ports that have the highest risk. This
control fails if any of the rules in a security group allow ingress traffic from
'0.0.0.0/0' or '::/0' for those ports.

Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity,
such as hacking, denial-of-service attacks, and loss of data.

Security groups provide stateful filtering of ingress and egress network traffic
to AWS resources. No security group should allow unrestricted ingress access to
the following ports:

 * 20, 21 (FTP)

 * 22 (SSH)

 * 23 (Telnet)

 * 25 (SMTP)

 * 110 (POP3)

 * 135 (RPC)

 * 143 (IMAP)

 * 445 (CIFS)

 * 1433, 1434 (MSSQL)

 * 3000 (Go, Node.js, and Ruby web development frameworks)

 * 3306 (MySQL)

 * 3389 (RDP)

 * 4333 (ahsp)

 * 5000 (Python web development frameworks)

 * 5432 (PostgreSQL)

 * 5500 (fcp-addr-srvr1)

 * 5601 (OpenSearch Dashboards)

 * 8080 (proxy)

 * 8088 (legacy HTTP port)

 * 8888 (alternative HTTP port)

 * 9200 or 9300 (OpenSearch)

NOTE

This control isn't supported in Asia Pacific (Melbourne).


REMEDIATION

To delete rules from a security group, see Delete rules from a security group in
the Amazon EC2 User Guide for Linux Instances.
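The four security group controls above (EC2.13, EC2.14, EC2.18 and EC2.19) all reduce to the same question: does an inbound rule whose source is 0.0.0.0/0 or ::/0 reach a given TCP port, where a rule can be a single port, a port range, or all traffic (IpProtocol "-1", which carries no FromPort/ToPort)? The following is an added example, not AWS or Security Hub code, that re-implements those checks offline over a constructed sample shaped like the IpPermissions returned by describe_security_groups. The GroupIds are placeholders. Assumptions: ::/0 is treated like 0.0.0.0/0 for all four controls (the page states this for EC2.19; EC2.13 and EC2.14 describe only 0.0.0.0/0), an unrestricted all-traffic or non-TCP rule counts as unauthorized for EC2.18, and the "in use" filter of EC2.18 is not modelled.

```python
"""Offline re-implementation of the security group checks behind Security Hub
controls EC2.13, EC2.14, EC2.18 and EC2.19. Added example, not AWS code; the
sample groups below are constructed in the shape of describe_security_groups().
"""

# High-risk ports listed by control EC2.19.
HIGH_RISK_PORTS = frozenset({20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434,
                             3000, 3306, 3389, 4333, 5000, 5432, 5500, 5601,
                             8080, 8088, 8888, 9200, 9300})
UNRESTRICTED = frozenset({"0.0.0.0/0", "::/0"})


def is_unrestricted(perm):
    """True if an IpPermission has any IPv4 or IPv6 source open to the world."""
    v4 = any(r.get("CidrIp") in UNRESTRICTED for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") in UNRESTRICTED for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def tcp_span(perm):
    """Inclusive TCP port span a permission covers, or None if it carries no TCP.
    IpProtocol "-1" (all traffic) has no FromPort/ToPort and covers every port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return (0, 65535)
    if proto != "tcp" or perm.get("FromPort") is None:
        return None
    return (perm["FromPort"], perm["ToPort"])


def open_ports(sg, candidates):
    """Subset of `candidates` reachable over TCP from 0.0.0.0/0 or ::/0."""
    found = set()
    for perm in sg.get("IpPermissions", []):
        span = tcp_span(perm)
        if span and is_unrestricted(perm):
            found |= {p for p in candidates if span[0] <= p <= span[1]}
    return found


def ec2_13_fails(sg):
    return 22 in open_ports(sg, {22})


def ec2_14_fails(sg):
    return 3389 in open_ports(sg, {3389})


def ec2_19_fails(sg):
    return bool(open_ports(sg, HIGH_RISK_PORTS))


def ec2_18_fails(sg, authorized=frozenset({80, 443})):
    """Fails on any unrestricted inbound rule whose ports are not all listed in
    authorizedTcpPorts. Assumption: an all-traffic (-1) or non-TCP unrestricted
    rule is treated as unauthorized."""
    for perm in sg.get("IpPermissions", []):
        if not is_unrestricted(perm):
            continue
        span = tcp_span(perm)
        if span is None or perm.get("IpProtocol") == "-1":
            return True
        if any(p not in authorized for p in range(span[0], span[1] + 1)):
            return True
    return False


def evaluate(sgs):
    """Map each GroupId to True (control fails) / False (passes) per control."""
    return {
        sg["GroupId"]: {
            "EC2.13": ec2_13_fails(sg),
            "EC2.14": ec2_14_fails(sg),
            "EC2.18": ec2_18_fails(sg),
            "EC2.19": ec2_19_fails(sg),
        }
        for sg in sgs
    }


# Constructed sample; the GroupIds are placeholders, not real resources.
SAMPLE_SGS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for gid, result in evaluate(SAMPLE_SGS).items():
        failed = [c for c, f in result.items() if f]
        print(gid, "FAILED " + ", ".join(failed) if failed else "PASSED")
```

Two details worth noting when reproducing a control this way: a port range such as 3000-3400 fails EC2.14 and EC2.19 even though no rule names 3389 explicitly, and an all-traffic rule has no port fields at all, so code that reads FromPort without checking IpProtocol first will silently miss the most permissive rule in the account.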


[EC2.20] BOTH VPN TUNNELS FOR AN AWS SITE-TO-SITE VPN CONNECTION SHOULD BE UP

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2),
NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

Category: Resilience > Recover > High availability

Severity: Medium

Resource type: AWS::EC2::VPNConnection

AWS Config rule: vpc-vpn-2-tunnels-up

Schedule type: Change triggered

Parameters: None

A VPN tunnel is an encrypted link where data can pass from the customer network
to or from AWS within an AWS Site-to-Site VPN connection. Each VPN connection
includes two VPN tunnels which you can simultaneously use for high availability.
Ensuring that both VPN tunnels are up for a VPN connection is important for
confirming a secure and highly available connection between an AWS VPC and your
remote network.

This control checks that both VPN tunnels provided by AWS Site-to-Site VPN are
in UP status. The control fails if one or both tunnels are in DOWN status.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Osaka)

 * China (Beijing)

 * China (Ningxia)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (Bahrain)


REMEDIATION

To modify VPN tunnel options, see Modifying Site-to-Site VPN tunnel options in
the AWS Site-to-Site VPN User Guide.


[EC2.21] NETWORK ACLS SHOULD NOT ALLOW INGRESS FROM 0.0.0.0/0 TO PORT 22 OR PORT
3389

Related requirements: CIS AWS Foundations Benchmark v1.4.0/5.1, NIST.800-53.r5
AC-4(21), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2),
NIST.800-53.r5 CM-7, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(21),
NIST.800-53.r5 SC-7(5)

Category: Protect > Secure Network Configuration

Severity: Medium

Resource type: AWS::EC2::NetworkAcl

AWS Config rule: nacl-no-unrestricted-ssh-rdp

Schedule type: Change triggered

Parameters: None

This control checks whether a network access control list (NACL) allows
unrestricted access to the default TCP ports for SSH/RDP ingress traffic. The
rule fails if a NACL inbound entry allows a source CIDR block of '0.0.0.0/0' or
'::/0' for TCP ports 22 or 3389.

Access to remote server administration ports, such as port 22 (SSH) and port
3389 (RDP), should not be publicly accessible, as this may allow unintended
access to resources within your VPC.

NOTE

This control isn't supported in the following Regions:

 * China (Beijing)

 * China (Ningxia)

 * AWS GovCloud (US-East)

 * AWS GovCloud (US-West)


REMEDIATION

For more information about NACLs, see Network ACLs in the VPC User Guide.
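Unlike security groups, network ACL entries are ordered: inbound entries are evaluated from the lowest rule number upward and the first match decides, with the default "*" entry (rule number 32767) denying anything unmatched. The control described above, as the page states it, looks for any inbound allow entry with source 0.0.0.0/0 or ::/0 that covers TCP port 22 or 3389; it does not ask whether a lower-numbered deny shadows that entry. The following is an added example, not AWS or Security Hub code, that implements the control's entry scan over a constructed NACL (the ACL ID is a placeholder) and, alongside it, a first-match simulation so the two can be compared. The sample deliberately contains an allow for port 22 that is shadowed by an earlier deny: the control still flags it, and that is the right outcome, because deleting the deny later would expose SSH without any new allow being written.

```python
"""Offline check for Security Hub control EC2.21 over a constructed sample of
describe_network_acls() entries, plus a first-match simulation of how the
NACL would actually treat a packet. Added example, not AWS code."""
import ipaddress

WORLD = frozenset({"0.0.0.0/0", "::/0"})
ADMIN_PORTS = frozenset({22, 3389})


def _entry_cidr(entry):
    return entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")


def _tcp_span(entry):
    """Inclusive port span an entry applies to for TCP, or None if the entry
    never matches TCP. Protocol "-1" means all protocols and all ports."""
    if entry["Protocol"] == "-1":
        return (0, 65535)
    if entry["Protocol"] not in ("6", "tcp"):
        return None
    pr = entry.get("PortRange", {"From": 0, "To": 65535})
    return (pr["From"], pr["To"])


def ec2_21_flagged_rules(acl):
    """Rule numbers of inbound allow entries open to the world on TCP 22/3389.
    This is the control's check as the page describes it: entry order and
    shadowing by earlier deny entries are not considered."""
    hits = []
    for e in acl["Entries"]:
        if e["Egress"] or e["RuleAction"] != "allow":
            continue
        if _entry_cidr(e) not in WORLD:
            continue
        span = _tcp_span(e)
        if span and any(span[0] <= p <= span[1] for p in ADMIN_PORTS):
            hits.append(e["RuleNumber"])
    return hits


def inbound_decision(acl, src_ip, port):
    """Simulate NACL evaluation for one inbound TCP packet: lowest RuleNumber
    first, first matching entry wins, implicit deny if nothing matches."""
    src = ipaddress.ip_address(src_ip)
    inbound = sorted((e for e in acl["Entries"] if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    for e in inbound:
        net = ipaddress.ip_network(_entry_cidr(e), strict=False)
        if net.version != src.version or src not in net:
            continue
        span = _tcp_span(e)
        if span is None or not (span[0] <= port <= span[1]):
            continue
        return e["RuleAction"]
    return "deny"


# Constructed sample; "acl-sample" is a placeholder, not a real resource.
SAMPLE_ACL = {"NetworkAclId": "acl-sample", "Entries": [
    {"RuleNumber": 50, "Egress": False, "Protocol": "6", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 110, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
    {"RuleNumber": 120, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]}

if __name__ == "__main__":
    print("EC2.21 flags rules:", ec2_21_flagged_rules(SAMPLE_ACL))
    for port in (22, 3389, 443):
        print(f"TCP/{port} from 203.0.113.5:",
              inbound_decision(SAMPLE_ACL, "203.0.113.5", port))
```

Because NACLs are stateless, remediation is not just deleting the flagged allow entries: the matching ephemeral-port allow entries that were added for return traffic should be reviewed at the same time, and a deny entry that happens to shadow an allow is not a substitute for removing the allow.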


[EC2.22] UNUSED AMAZON EC2 SECURITY GROUPS SHOULD BE REMOVED

Related requirements: NIST.800-53.r5 CM-8(1)

Category: Identify > Inventory

Severity: Medium

Resource type: AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup

AWS Config rule: ec2-security-group-attached-to-eni-periodic

Schedule type: Periodic

Parameters: None

This AWS control checks that security groups are attached to Amazon Elastic
Compute Cloud (Amazon EC2) instances or to an elastic network interface. The
control will fail if the security group is not associated with an Amazon EC2
instance or an elastic network interface.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Osaka)

 * China (Beijing)

 * China (Ningxia)

 * Europe (Spain)

 * Europe (Zurich)

 * AWS GovCloud (US-East)

 * AWS GovCloud (US-West)

 * Middle East (UAE)


REMEDIATION

To create, assign, and delete security groups, see Security groups in the
Amazon EC2 User Guide.


[EC2.23] AMAZON EC2 TRANSIT GATEWAYS SHOULD NOT AUTOMATICALLY ACCEPT VPC
ATTACHMENT REQUESTS

Related requirements: NIST.800-53.r5 AC-4(21), NIST.800-53.r5 CA-9(1),
NIST.800-53.r5 CM-2

Category: Protect > Secure network configuration

Severity: High

Resource type: AWS::EC2::TransitGateway

AWS Config rule: ec2-transit-gateway-auto-vpc-attach-disabled

Schedule type: Change triggered

Parameters: None

This control checks if EC2 transit gateways are automatically accepting shared
VPC attachments. This control fails for a transit gateway that automatically
accepts shared VPC attachment requests.

Turning on AutoAcceptSharedAttachments configures a transit gateway to
automatically accept any cross-account VPC attachment request without verifying
the request or the account the attachment originates from. To follow the best
practices of authorization and authentication, we recommend turning off this
feature so that only authorized VPC attachment requests are accepted.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hong Kong)

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Mumbai)

 * Asia Pacific (Osaka)

 * China (Beijing)

 * China (Ningxia)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (Bahrain)

 * Middle East (UAE)

 * AWS GovCloud (US-East)

 * AWS GovCloud (US-West)


REMEDIATION

To modify a transit gateway, see Modify a transit gateway in the Amazon VPC
Developer Guide.


[EC2.24] AMAZON EC2 PARAVIRTUAL INSTANCE TYPES SHOULD NOT BE USED

Related requirements: NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

Category: Identify > Vulnerability, patch, and version management

Severity: Medium

Resource type: AWS::EC2::Instance

AWS Config rule: ec2-paravirtual-instance-check

Schedule type: Change triggered

Parameters: None

This control checks whether the virtualization type of an EC2 instance is
paravirtual. The control fails if the virtualizationType of the EC2 instance is
set to paravirtual.

Linux Amazon Machine Images (AMIs) use one of two types of virtualization:
paravirtual (PV) or hardware virtual machine (HVM). The main differences between
PV and HVM AMIs are the way in which they boot and whether they can take
advantage of special hardware extensions (CPU, network, and storage) for better
performance.

Historically, PV guests had better performance than HVM guests in many cases,
but because of enhancements in HVM virtualization and the availability of PV
drivers for HVM AMIs, this is no longer true. For more information, see Linux
AMI virtualization types in the Amazon EC2 User Guide for Linux Instances.

NOTE

This control isn't supported in the following Regions:

 * US East (Ohio)

 * Africa (Cape Town)

 * Asia Pacific (Hong Kong)

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Mumbai)

 * Asia Pacific (Osaka)

 * Asia Pacific (Seoul)

 * Canada (Central)

 * China (Beijing)

 * China (Ningxia)

 * Europe (London)

 * Europe (Milan)

 * Europe (Paris)

 * Europe (Spain)

 * Europe (Stockholm)

 * Europe (Zurich)

 * Middle East (Bahrain)

 * Middle East (UAE)

 * AWS GovCloud (US-East)

 * AWS GovCloud (US-West)


REMEDIATION

To update an EC2 instance to a new instance type, see Change the instance type
in the Amazon EC2 User Guide for Linux Instances.


[EC2.25] AMAZON EC2 LAUNCH TEMPLATES SHOULD NOT ASSIGN PUBLIC IPS TO NETWORK
INTERFACES

Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

Category: Protect > Secure network configuration > Resources not publicly
accessible

Severity: High

Resource type: AWS::EC2::LaunchTemplate

AWS Config rule: ec2-launch-template-public-ip-disabled

Schedule type: Change triggered

Parameters: None

This control checks if Amazon EC2 launch templates are configured to assign
public IP addresses to network interfaces upon launch. The control fails if an
EC2 launch template is configured to assign a public IP address to network
interfaces or if there is at least one network interface that has a public IP
address.

A public IP address is one that is reachable from the internet. If you configure
your network interfaces with a public IP address, then the resources associated
with those network interfaces may be reachable from the internet. EC2 resources
shouldn't be publicly accessible because this may permit unintended access to
your workloads.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Melbourne)

 * China (Beijing)

 * China (Ningxia)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (UAE)

 * AWS GovCloud (US-East)

 * AWS GovCloud (US-West)


REMEDIATION

To update an EC2 launch template, see Change the default network interface
settings in the Amazon EC2 Auto Scaling User Guide.


[EC2.28] EBS VOLUMES SHOULD BE COVERED BY A BACKUP PLAN

Category: Recover > Resilience > Backups enabled

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5
CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2),
NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)

Severity: Low

Resource type: AWS::EC2::Volume

AWS Config rule: ebs-resources-protected-by-backup-plan

Schedule type: Periodic

Parameters: None

This control evaluates if Amazon EBS volumes are covered by backup plans. The
control fails if an Amazon EBS volume isn't covered by a backup plan. This
control only evaluates Amazon EBS volumes that are in the in-use state.

Backups help you recover more quickly from a security incident. They also
strengthen the resilience of your systems. Including Amazon EBS volumes in a
backup plan helps you protect your data from unintended loss or deletion.

NOTE

This control isn't supported in the following Regions:

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Osaka)

 * China (Beijing)

 * China (Ningxia)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (UAE)

 * AWS GovCloud (US-East)

 * AWS GovCloud (US-West)


REMEDIATION

To add an Amazon EBS volume to an AWS Backup backup plan, see Assigning
resources to a backup plan in the AWS Backup Developer Guide.


[EC2.29] EC2 INSTANCES SHOULD BE LAUNCHED IN A VPC

Category: Protect > Secure network configuration > Resources within VPC

Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

Severity: High

Resource type: AWS::EC2::Instance

AWS Config rule: ec2-instances-in-vpc

Schedule type: Change triggered

Parameters: None

This control checks if Amazon EC2 instances are launched in a virtual private
cloud (VPC). This control fails if an EC2 instance is launched in the
EC2-Classic network.

The EC2-Classic network retired on August 15, 2022. The EC2-Classic network
model was flat, with public IP addresses assigned at launch time. The EC2-VPC
network offers more scalability and security features and should be the default
for launching EC2 instances.

NOTE

This control isn't supported in the following Regions:

 * Africa (Cape Town)

 * Asia Pacific (Hyderabad)

 * Asia Pacific (Jakarta)

 * Asia Pacific (Melbourne)

 * Asia Pacific (Osaka)

 * China (Beijing)

 * China (Ningxia)

 * Europe (Milan)

 * Europe (Spain)

 * Europe (Zurich)

 * Middle East (UAE)

 * AWS GovCloud (US-East)

 * AWS GovCloud (US-West)


REMEDIATION

To migrate instances to the EC2-VPC network, see Migrate from EC2-Classic to a
VPC in the Amazon EC2 User Guide for Linux Instances.

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.