docs.aws.amazon.com
Open in
urlscan Pro
18.66.147.89
Public Scan
Submitted URL: http://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-19
Effective URL: https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html
Submission: On September 28 via api from DE — Scanned from DE
Effective URL: https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html
Submission: On September 28 via api from DE — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
SELECT YOUR COOKIE PREFERENCES
We use essential cookies and similar tools that are necessary to provide our
site and services. We use performance cookies to collect anonymous statistics so
we can understand how customers use our site and make improvements. Essential
cookies cannot be deactivated, but you can click “Customize cookies” to decline
performance cookies.
If you agree, AWS and approved third parties will also use cookies to provide
useful site features, remember your preferences, and display relevant content,
including relevant advertising. To continue without accepting these cookies,
click “Continue without accepting.” To make more detailed choices or learn more,
click “Customize cookies.”
Accept all cookiesContinue without acceptingCustomize cookies
CUSTOMIZE COOKIE PREFERENCES
We use cookies and similar tools (collectively, "cookies") for the following
purposes.
ESSENTIAL
Essential cookies are necessary to provide our site and services and cannot be
deactivated. They are usually set in response to your actions on the site, such
as setting your privacy preferences, signing in, or filling in forms.
PERFORMANCE
Performance cookies provide anonymous statistics about how customers navigate
our site so we can improve site experience and performance. Approved third
parties may perform analytics on our behalf, but they cannot use the data for
their own purposes.
Allow performance category
Allowed
FUNCTIONAL
Functional cookies help us provide useful site features, remember your
preferences, and display relevant content. Approved third parties may set these
cookies to provide certain site features. If you do not allow these cookies,
then some or all of these services may not function properly.
Allow functional category
Allowed
ADVERTISING
Advertising cookies may be set through our site by us or our advertising
partners and help us deliver relevant marketing content. If you do not allow
these cookies, you will experience less relevant advertising.
Allow advertising category
Allowed
Blocking some types of cookies may impact your experience of our sites. You may
review and change your choices at any time by clicking Cookie preferences in the
footer of this site. We and selected third-parties use cookies or similar
technologies as specified in the AWS Cookie Notice.
CancelSave preferences
UNABLE TO SAVE COOKIE PREFERENCES
We will only store essential cookies at this time, because we were unable to
save your cookie preferences.
If you want to change your cookie preferences, try again later using the link in
the AWS console footer, or contact support if the problem persists.
Dismiss
Contact Us
English
Create an AWS Account
1. AWS
2. ...
3. Documentation
4. AWS Security Hub
5. User Guide
Feedback
Preferences
AWS SECURITY HUB
USER GUIDE
* What is AWS Security Hub?
* Terminology and concepts
* Prerequisites and recommendations
* Using Organizations
* Enabling AWS Config
* Setting up Security Hub
* Enabling Security Hub manually
* Managing accounts
* Effects of an administrator-member relationship
* Restrictions and recommendations
* Making the transition to Organizations
* Allowed actions for accounts
* Designating a Security Hub administrator account
* Managing organization member accounts
* Enabling new accounts automatically
* Enabling member accounts
* Disassociating member accounts
* Managing member accounts by invitation
* Adding and inviting member accounts
* Responding to an invitation
* Disassociating member accounts
* Deleting member accounts
* Disassociating from your administrator account
* Effect of account actions on Security Hub data
* Cross-Region aggregation
* How cross-Region aggregation works
* Viewing the current configuration
* Enabling cross-Region aggregation
* Updating the configuration
* Stopping cross-Region aggregation
* Findings
* Creating and updating findings
* Using BatchImportFindings
* Using BatchUpdateFindings
* Viewing a cross-Region finding summary
* Viewing finding lists and details
* Filtering and grouping findings (console)
* Viewing finding details
* Taking action on findings
* Setting the workflow status of findings
* Sending findings to a custom action
* Finding format
* ASFF syntax
* Consolidation and ASFF
* ASFF examples
* Required attributes
* Optional top-level attributes
* Resources
* Resource attributes
* AwsAmazonMQ
* AwsApiGateway
* AwsAppSync
* AwsAthena
* AwsAutoScaling
* AwsBackup
* AwsCertificateManager
* AwsCloudFormation
* AwsCloudFront
* AwsCloudTrail
* AwsCloudWatch
* AwsCodeBuild
* AwsDynamoDB
* AwsEc2
* AwsEcr
* AwsEcs
* AwsEfs
* AwsEks
* AwsElasticBeanstalk
* AwsElasticSearch
* AwsElb
* AwsEventBridge
* AwsGuardDuty
* AwsIam
* AwsKinesis
* AwsKms
* AwsLambda
* AwsNetworkFirewall
* AwsOpenSearchService
* AwsRds
* AwsRedshift
* AwsS3
* AwsSageMaker
* AwsSecretsManager
* AwsSns
* AwsSqs
* AwsSsm
* AwsStepFunctions
* AwsWaf
* AwsXray
* Container
* Other
* Insights
* Viewing and filtering the list of insights
* Viewing insight results and findings
* Managed insights
* Custom insights
* Automations
* Automation rules
* Automated response and remediation
* Types of EventBridge integration
* EventBridge event formats
* Configuring a rule for automatically sent findings
* Configuring and using custom actions
* Product integrations
* Managing product integrations
* AWS service integrations
* Third-party product integrations
* Using custom product integrations
* Standards and controls
* IAM permissions for standards and controls
* Security checks and scores
* AWS Config rules and security checks
* Required AWS Config resources for control findings
* Schedule for running security checks
* Generating and updating control findings
* Determining the control status
* Determining security scores
* Standards reference
* AWS FSBP
* CIS AWS Foundations Benchmark v1.2.0 and v1.4.0
* NIST SP 800-53 Rev. 5
* PCI DSS
* Service-managed standards
* Service-Managed Standard: AWS Control Tower
* Viewing and managing security standards
* Enabling and disabling standards
* Viewing details for a standard
* Enabling and disabling controls in specific standards
* Controls reference
* AWS account controls
* AWS Certificate Manager controls
* API Gateway controls
* AWS AppSync controls
* Athena controls
* CloudFormation controls
* CloudFront controls
* CloudTrail controls
* CloudWatch controls
* CodeBuild controls
* AWS Config controls
* AWS DMS controls
* Amazon DocumentDB controls
* DynamoDB controls
* Amazon ECR controls
* Amazon ECS controls
* Amazon EC2 controls
* Amazon EC2 Auto Scaling controls
* Amazon EC2 Systems Manager controls
* Amazon EFS controls
* Amazon EKS controls
* ElastiCache controls
* Elastic Beanstalk controls
* Elastic Load Balancing controls
* Amazon EMR controls
* Elasticsearch controls
* GuardDuty controls
* IAM controls
* Kinesis controls
* AWS KMS controls
* Lambda controls
* Neptune controls
* Network Firewall controls
* OpenSearch Service controls
* Amazon RDS controls
* Amazon Redshift controls
* Amazon S3 controls
* SageMaker controls
* Secrets Manager controls
* Amazon SNS controls
* Amazon SQS controls
* Step Functions controls
* AWS WAF controls
* Viewing and managing security controls
* Control categories
* Enabling and disabling controls in all standards
* Enabling new controls in enabled standards automatically
* Controls that you might want to disable
* Viewing details for a control
* Filtering and sorting controls
* Viewing and taking action on control findings
* Viewing finding and resource details
* Sample control findings
* Filtering and sorting findings
* Taking action on control findings
* Creating resources with CloudFormation
* Subscribing to Security Hub announcements
* Security
* Data protection
* AWS Identity and Access Management
* How AWS Security Hub works with IAM
* Using service-linked roles
* AWS managed policies
* Compliance validation
* Infrastructure security
* VPC endpoints (AWS PrivateLink)
* Logging API calls
* Quotas
* Regional limits
* Disabling Security Hub
* Controls change log
* Beta features
* Document history
Amazon Elastic Compute Cloud controls - AWS Security Hub
AWSDocumentationAWS Security HubUser Guide
[EC2.1] Amazon EBS snapshots should not be publicly restorable[EC2.2] VPC
default security groups should not allow inbound or outbound traffic[EC2.3]
Attached Amazon EBS volumes should be encrypted at-rest[EC2.4] Stopped Amazon
EC2 instances should be removed after a specified time period[EC2.6] VPC flow
logging should be enabled in all VPCs[EC2.7] EBS default encryption should be
enabled[EC2.8] EC2 instances should use Instance Metadata Service Version 2
(IMDSv2)[EC2.9] Amazon EC2 instances should not have a public IPv4
address[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are
created for the Amazon EC2 service[EC2.12] Unused Amazon EC2 EIPs should be
removed[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port
22[EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port
3389[EC2.15] Amazon EC2 subnets should not automatically assign public IP
addresses[EC2.16] Unused Network Access Control Lists should be removed[EC2.17]
Amazon EC2 instances should not use multiple ENIs[EC2.18] Security groups should
only allow unrestricted incoming traffic for authorized ports[EC2.19] Security
groups should not allow unrestricted access to ports with high risk[EC2.20] Both
VPN tunnels for an AWS Site-to-Site VPN connection should be up[EC2.21] Network
ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389[EC2.22]
Unused Amazon EC2 security groups should be removed[EC2.23] Amazon EC2 Transit
Gateways should not automatically accept VPC attachment requests[EC2.24] Amazon
EC2 paravirtual instance types should not be used[EC2.25] Amazon EC2 launch
templates should not assign public IPs to network interfaces[EC2.28] EBS volumes
should be covered by a backup plan[EC2.29] EC2 instances should be launched in a
VPC
AMAZON ELASTIC COMPUTE CLOUD CONTROLS
PDFRSS
These controls are related to Amazon EC2 resources.
These controls may not be available in all AWS Regions. For more information,
see Availability of controls by Region.
[EC2.1] AMAZON EBS SNAPSHOTS SHOULD NOT BE PUBLICLY RESTORABLE
Related requirements: PCI DSS v3.2.1/1.2.1,PCI DSS v3.2.1/1.3.1,PCI DSS
v3.2.1/1.3.4,PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3,
NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21),
NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11),
NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21),
NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration
Severity: Critical
Resource type: AWS::::Account
AWS Config rule: ebs-snapshot-public-restorable-check
Schedule type: Periodic
Parameters: None
This control checks whether Amazon Elastic Block Store snapshots are not public.
The control fails if Amazon EBS snapshots are restorable by anyone.
EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a
specific point in time. You can use the snapshots to restore previous states of
EBS volumes. It is rarely acceptable to share a snapshot with the public.
Typically the decision to share a snapshot publicly was made in error or without
a complete understanding of the implications. This check helps ensure that all
such sharing was fully planned and intentional.
To make a public EBS snapshot private, see Share a snapshot in the Amazon EC2
User Guide for Linux Instances. For Actions, Modify permissions, choose Private.
[EC2.2] VPC DEFAULT SECURITY GROUPS SHOULD NOT ALLOW INBOUND OR OUTBOUND TRAFFIC
Related requirements: PCI DSS v3.2.1/1.2.1,PCI DSS v3.2.1/1.3.4,PCI DSS
v3.2.1/2.1, CIS AWS Foundations Benchmark v1.2.0/4.3, CIS AWS Foundations
Benchmark v1.4.0/5.3, NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21),
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)
Category: Protect > Secure network configuration
Severity: High
Resource type: AWS::EC2::SecurityGroup
AWS Config rule: vpc-default-security-group-closed
Schedule type: Change triggered
Parameters: None
This control checks whether the default security group of a VPC allows inbound
or outbound traffic. The control fails if the security group allows inbound or
outbound traffic.
The rules for the default security group allow all outbound and inbound traffic
from network interfaces (and their associated instances) that are assigned to
the same security group. We recommend that you don't use the default security
group. Because the default security group cannot be deleted, you should change
the default security group rules setting to restrict inbound and outbound
traffic. This prevents unintended traffic if the default security group is
accidentally configured for resources such as EC2 instances.
REMEDIATION
To remediate this issue, start by creating new least-privilege security groups.
For instructions, see Create a security group in the Amazon VPC User Guide.
Then, assign the new security groups to your EC2 instances. For instructions,
see Change an instance's security group in the Amazon EC2 User Guide for Linux
Instances.
After you assign the new security groups to your resources, remove all inbound
and outbound rules from the default security groups. For instructions, see
Delete security group rules in the Amazon VPC User Guide.
[EC2.3] ATTACHED AMAZON EBS VOLUMES SHOULD BE ENCRYPTED AT-REST
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6),
NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1),
NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)
Category: Protect > Data protection > Encryption of data at rest
Severity: Medium
Resource type: AWS::EC2::Volume
AWS Config rule: encrypted-volumes
Schedule type: Change triggered
Parameters: None
This control checks whether the EBS volumes that are in an attached state are
encrypted. To pass this check, EBS volumes must be in use and encrypted. If the
EBS volume is not attached, then it is not subject to this check.
For an added layer of security of your sensitive data in EBS volumes, you should
enable EBS encryption at rest. Amazon EBS encryption offers a straightforward
encryption solution for your EBS resources that doesn't require you to build,
maintain, and secure your own key management infrastructure. It uses KMS keys
when creating encrypted volumes and snapshots.
To learn more about Amazon EBS encryption, see Amazon EBS encryption in the
Amazon EC2 User Guide for Linux Instances.
REMEDIATION
There's no direct way to encrypt an existing unencrypted volume or snapshot. You
can only encrypt a new volume or snapshot when you create it.
If you enabled encryption by default, Amazon EBS encrypts the resulting new
volume or snapshot using your default key for Amazon EBS encryption. Even if you
have not enabled encryption by default, you can enable encryption when you
create an individual volume or snapshot. In both cases, you can override the
default key for Amazon EBS encryption and choose a symmetric customer managed
key.
For more information, see Creating an Amazon EBS volume and Copying an Amazon
EBS snapshot in the Amazon EC2 User Guide for Linux Instances.
[EC2.4] STOPPED AMAZON EC2 INSTANCES SHOULD BE REMOVED AFTER A SPECIFIED TIME
PERIOD
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2,
NIST.800-53.r5 CM-2(2)
Category: Identify > Inventory
Severity: Medium
Resource type: AWS::EC2::Instance
AWS Config rule: ec2-stopped-instance
Schedule type: Periodic
Parameters:
* allowedDays: 30
This control checks whether any EC2 instances have been stopped for more than
the allowed number of days. An EC2 instance fails this check if it is stopped
for longer than the maximum allowed time period, which by default is 30 days.
A failed finding indicates that an EC2 instance has not run for a significant
period of time. This creates a security risk because the EC2 instance is not
being actively maintained (analyzed, patched, updated). If it is later launched,
the lack of proper maintenance could result in unexpected issues in your AWS
environment. To safely maintain an EC2 instance over time in a nonrunning state,
start it periodically for maintenance and then stop it after maintenance.
Ideally this is an automated process.
REMEDIATION
After 30 days of inactivity, we recommend terminating an EC2 instance. For
instructions, see Terminating an instance in the Amazon EC2 User Guide for Linux
Instances.
[EC2.6] VPC FLOW LOGGING SHOULD BE ENABLED IN ALL VPCS
Related requirements: CIS AWS Foundations Benchmark v1.2.0/2.9, PCI DSS
v3.2.1/10.3.3,PCI DSS v3.2.1/10.3.4,PCI DSS v3.2.1/10.3.5,PCI DSS v3.2.1/10.3.6,
CIS AWS Foundations Benchmark v1.4.0/3.9, NIST.800-53.r5 AC-4(26),
NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5
AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-7(8)
Category: Identify > Logging
Severity: Medium
Resource type: AWS::EC2::VPC
AWS Config rule: vpc-flow-logs-enabled
Schedule type: Periodic
Parameters:
* trafficType: REJECT
This control checks whether Amazon VPC Flow Logs are found and enabled for VPCs.
The traffic type is set to Reject.
With the VPC Flow Logs feature, you can capture information about the IP address
traffic going to and from network interfaces in your VPC. After you create a
flow log, you can view and retrieve its data in CloudWatch Logs. To reduce cost,
you can also send your flow logs to Amazon S3.
Security Hub recommends that you enable flow logging for packet rejects for
VPCs. Flow logs provide visibility into network traffic that traverses the VPC
and can detect anomalous traffic or provide insight during security workflows.
By default, the record includes values for the different components of the IP
address flow, including the source, destination, and protocol. For more
information and descriptions of the log fields, see VPC Flow Logs in the Amazon
VPC User Guide.
REMEDIATION
To create a VPC Flow Log, see Create a Flow Log in the Amazon VPC User Guide.
After you open the Amazon VPC console, choose Your VPCs. For Filter, choose
Reject or All.
[EC2.7] EBS DEFAULT ENCRYPTION SHOULD BE ENABLED
Related requirements: CIS AWS Foundations Benchmark v1.4.0/2.2.1, NIST.800-53.r5
CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28,
NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)
Category: Protect > Data protection > Encryption of data at rest
Severity: Medium
Resource type: AWS::::Account
AWS Config rule: ec2-ebs-encryption-by-default
Schedule type: Periodic
Parameters: None
This control checks whether account-level encryption is enabled by default for
Amazon Elastic Block Store(Amazon EBS). The control fails if the account level
encryption is not enabled.
When encryption is enabled for your account, Amazon EBS volumes and snapshot
copies are encrypted at rest. This adds an additional layer of protection for
your data. For more information, see Encryption by default in the Amazon EC2
User Guide for Linux Instances.
Note that following instance types do not support encryption: R1, C1, and M1.
REMEDIATION
To configure default encryption for Amazon EBS volumes, see Encryption by
default in the Amazon EC2 User Guide for Linux Instances.
[EC2.8] EC2 INSTANCES SHOULD USE INSTANCE METADATA SERVICE VERSION 2 (IMDSV2)
Related requirements: NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15),
NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6
Category: Protect > Network security
Severity: High
Resource type: AWS::EC2::Instance
AWS Config rule: ec2-imdsv2-check
Schedule type: Change triggered
Parameters: None
This control checks whether your EC2 instance metadata version is configured
with Instance Metadata Service Version 2 (IMDSv2). The control passes if
HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set
to optional.
You use instance metadata to configure or manage the running instance. The IMDS
provides access to temporary, frequently rotated credentials. These credentials
remove the need to hard code or distribute sensitive credentials to instances
manually or programmatically. The IMDS is attached locally to every EC2
instance. It runs on a special "link local" IP address of 169.254.169.254. This
IP address is only accessible by software that runs on the instance.
Version 2 of the IMDS adds new protections for the following types of
vulnerabilities. These vulnerabilities could be used to try to access the IMDS.
* Open website application firewalls
* Open reverse proxies
* Server-side request forgery (SSRF) vulnerabilities
* Open Layer 3 firewalls and network address translation (NAT)
Security Hub recommends that you configure your EC2 instances with IMDSv2.
REMEDIATION
To configure EC2 instances with IMDSv2, see Recommended path to requiring IMDSv2
in the Amazon EC2 User Guide for Linux Instances.
[EC2.9] AMAZON EC2 INSTANCES SHOULD NOT HAVE A PUBLIC IPV4 ADDRESS
Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration > Public IP addresses
Severity: High
Resource type: AWS::EC2::Instance
AWS Config rule: ec2-instance-no-public-ip
Schedule type: Change triggered
Parameters: None
This control checks whether EC2 instances have a public IP address. The control
fails if the publicIp field is present in the EC2 instance configuration item.
This control applies to IPv4 addresses only.
A public IPv4 address is an IP address that is reachable from the internet. If
you launch your instance with a public IP address, then your EC2 instance is
reachable from the internet. A private IPv4 address is an IP address that is not
reachable from the internet. You can use private IPv4 addresses for
communication between EC2 instances in the same VPC or in your connected private
network.
IPv6 addresses are globally unique, and therefore are reachable from the
internet. However, by default all subnets have the IPv6 addressing attribute set
to false. For more information about IPv6, see IP addressing in your VPC in the
Amazon VPC User Guide.
If you have a legitimate use case to maintain EC2 instances with public IP
addresses, then you can suppress the findings from this control. For more
information about front-end architecture options, see the AWS Architecture Blog
or the This Is My Architecture series.
REMEDIATION
Use a non-default VPC so that your instance is not assigned a public IP address
by default.
When you launch an EC2 instance into a default VPC, it is assigned a public IP
address. When you launch an EC2 instance into a non-default VPC, the subnet
configuration determines whether it receives a public IP address. The subnet has
an attribute to determine if new EC2 instances in the subnet receive a public IP
address from the public IPv4 address pool.
You cannot manually associate or disassociate an automatically-assigned public
IP address from your EC2 instance. To control whether your EC2 instance receives
a public IP address, do one of the following:
* Modify the public IP addressing attribute of your subnet. For more
information, see Modifying the public IPv4 addressing attribute for your
subnet in the Amazon VPC User Guide.
* Enable or disable the public IP addressing feature during launch. This
overrides the subnet's public IP addressing attribute. For more information,
see Assign a public IPv4 address during instance launch in the Amazon EC2
User Guide for Linux Instances.
For more information, see Public IPv4 addresses and external DNS hostnames in
the Amazon EC2 User Guide for Linux Instances.
If your EC2 instance is associated with an Elastic IP address, then your EC2
instance is reachable from the internet. You can disassociate an Elastic IP
address from an instance or network interface at any time. To disassociate an
Elastic IP address, see Disassociate an Elastic IP address in the Amazon EC2
User Guide for Linux Instances.
[EC2.10] AMAZON EC2 SHOULD BE CONFIGURED TO USE VPC ENDPOINTS THAT ARE CREATED
FOR THE AMAZON EC2 SERVICE
Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4)
Category: Protect > Secure network configuration > API private access
Severity: Medium
Resource type: AWS::EC2::VPC
AWS Config rule: service-vpc-endpoint-enabled
Schedule type: Periodic
Parameters:
* serviceName: ec2
This control checks whether a service endpoint for Amazon EC2 is created for
each VPC. The control fails if a VPC does not have a VPC endpoint created for
the Amazon EC2 service.
This control evaluates resources in single account. It cannot describe resources
that are outside of the account. Because AWS Config and Security Hub do not
conduct cross-account checks, you will see FAILED findings for VPCs that are
shared across accounts. Security Hub recommends that you suppress these FAILED
findings.
To improve the security posture of your VPC, you can configure Amazon EC2 to use
an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a
technology that enables you to access Amazon EC2 API operations privately. It
restricts all network traffic between your VPC and Amazon EC2 to the Amazon
network. Because endpoints are supported within the same Region only, you cannot
create an endpoint between a VPC and a service in a different Region. This
prevents unintended Amazon EC2 API calls to other Regions.
To learn more about creating VPC endpoints for Amazon EC2, see Amazon EC2 and
interface VPC endpoints in the Amazon EC2 User Guide for Linux Instances.
REMEDIATION
To create an interface endpoint to Amazon EC2 from the Amazon VPC console, see
Create a VPC endpoint in the AWS PrivateLink Guide. For Service name, choose
com.amazonaws.region.ec2.
You can also create and attach an endpoint policy to your VPC endpoint to
control access to the Amazon EC2 API. For instructions on creating a VPC
endpoint policy, see Create an endpoint policy in the Amazon EC2 User Guide for
Linux Instances.
[EC2.12] UNUSED AMAZON EC2 EIPS SHOULD BE REMOVED
Related requirements: PCI DSS v3.2.1/2.4, NIST.800-53.r5 CM-8(1)
Category: Protect > Secure network configuration
Severity: Low
Resource type: AWS::EC2::EIP
AWS Config rule: eip-attached
Schedule type: Change triggered
Parameters: None
This control checks whether Elastic IP (EIP) addresses that are allocated to a
VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).
A failed finding indicates you may have unused EC2 EIPs.
This will help you maintain an accurate asset inventory of EIPs in your
cardholder data environment (CDE).
To release an unused EIP, see Release an Elastic IP address in the Amazon EC2
User Guide for Linux Instances.
[EC2.13] SECURITY GROUPS SHOULD NOT ALLOW INGRESS FROM 0.0.0.0/0 TO PORT 22
Related requirements: CIS AWS Foundations Benchmark v1.2.0/4.1, PCI DSS
v3.2.1/1.2.1,PCI DSS v3.2.1/1.3.1,PCI DSS v3.2.1/2.2.2, NIST.800-53.r5 AC-4,
NIST.800-53.r5 AC-4(21), NIST.800-53.r5 CM-7, NIST.800-53.r5 SC-7,
NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)
Category: Protect > Secure network configuration
Severity: High
Resource type: AWS::EC2::SecurityGroup
AWS Config rule: restricted-ssh
Schedule type: Change triggered
Security groups provide stateful filtering of ingress and egress network traffic
to AWS resources.
CIS recommends that no security group allow unrestricted ingress access to port
22. Removing unfettered connectivity to remote console services, such as SSH,
reduces a server's exposure to risk.
REMEDIATION
To prohibit ingress to port 22, remove the rule that allows such access for each
security group associated with a VPC. For instructions, see Update security
group rules in the Amazon VPC User Guide. After selecting a security group in
the Amazon VPC Console, choose Actions, Edit inbound rules. Remove the rule that
allows access to port 22.
[EC2.14] ENSURE NO SECURITY GROUPS ALLOW INGRESS FROM 0.0.0.0/0 TO PORT 3389
Related requirements: CIS AWS Foundations Benchmark v1.2.0/4.2
Category: Protect > Secure network configuration
Severity: High
Resource type: AWS::EC2::SecurityGroup
AWS Config rule: restricted-common-ports
Schedule type: Change triggered
The name of the associated AWS Config managed rule is restricted-common-ports.
However, the rule that is created uses the name restricted-rdp.
Security groups provide stateful filtering of ingress and egress network traffic
to AWS resources.
CIS recommends that no security group allow unrestricted ingress access to port
3389. Removing unfettered connectivity to remote console services, such as RDP,
reduces a server's exposure to risk.
REMEDIATION
To prohibit ingress to port 3389, remove the rule that allows such access for
each security group associated with a VPC. For instructions, see Update security
group rules in the Amazon VPC User Guide. After selecting a security group in
the Amazon VPC Console, choose Actions, Edit inbound rules. Remove the rule that
allows access to port 3389.
[EC2.15] AMAZON EC2 SUBNETS SHOULD NOT AUTOMATICALLY ASSIGN PUBLIC IP ADDRESSES
Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Network security
Severity: Medium
Resource type: AWS::EC2::Subnet
AWS Config rule: subnet-auto-assign-public-ip-disabled
Schedule type: Change triggered
Parameters: None
This control checks whether the assignment of public IPs in Amazon Virtual
Private Cloud (Amazon VPC) subnets have MapPublicIpOnLaunch set to FALSE. The
control passes if the flag is set to FALSE.
All subnets have an attribute that determines whether a network interface
created in the subnet automatically receives a public IPv4 address. Instances
that are launched into subnets that have this attribute enabled have a public IP
address assigned to their primary network interface.
REMEDIATION
To configure a subnet to not assign public IP addresses, see Modify the public
IPv4 addressing attribute for your subnet in the Amazon VPC User Guide. Clear
the check box for Enable auto-assign public IPv4 address.
[EC2.16] UNUSED NETWORK ACCESS CONTROL LISTS SHOULD BE REMOVED
Related requirements: NIST.800-53.r5 CM-8(1)
Category: Prevent > Network security
Severity: Low
Resource type: AWS::EC2::NetworkAcl
AWS Config rule: vpc-network-acl-unused-check
Schedule type: Change triggered
Parameters: None
This control checks whether there are any unused network access control lists
(ACLs).
The control checks the item configuration of the resource AWS::EC2::NetworkAcl
and determines the relationships of the network ACL.
If the only relationship is the VPC of the network ACL, then the control fails.
If other relationships are listed, then the control passes.
REMEDIATION
For instructions on deleting an unused network ACL, see Deleting a network ACL
in the Amazon VPC User Guide. You can't delete the default network ACL or an ACL
that is associated with subnets.
[EC2.17] AMAZON EC2 INSTANCES SHOULD NOT USE MULTIPLE ENIS
Related requirements: NIST.800-53.r5 AC-4(21)
Category: Network security
Severity: Low
Resource type: AWS::EC2::Instance
AWS Config rule: ec2-instance-multiple-eni-check
Schedule type: Change triggered
Parameters:
* Adapterids (Optional) – A list of network interface IDs that are attached to
EC2 instances
This control checks whether an EC2 instance uses multiple Elastic Network
Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This control passes if a
single network adapter is used. The control includes an optional parameter list
to identify the allowed ENIs. This control also fails if an EC2 instance that
belongs to an Amazon EKS cluster uses more than one ENI. If your EC2 instances
need to have multiple ENIs as part of an Amazon EKS cluster, you can suppress
those control findings.
Multiple ENIs can cause dual-homed instances, meaning instances that have
multiple subnets. This can add network security complexity and introduce
unintended network paths and access.
REMEDIATION
To detach a network interface from an EC2 instance, see Detach a network
interface from an instance in the Amazon EC2 User Guide for Linux Instances.
[EC2.18] SECURITY GROUPS SHOULD ONLY ALLOW UNRESTRICTED INCOMING TRAFFIC FOR
AUTHORIZED PORTS
Related requirements: NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21),
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)
Category: Protect > Secure network configuration > Security group configuration
Severity: High
Resource type: AWS::EC2::SecurityGroup
AWS Config rule: vpc-sg-open-only-to-authorized-ports
Schedule type: Change triggered
Parameters:
* authorizedTcpPorts (Optional) – Comma-separated list of ports to which to
allow unrestricted access. For example: '80, 443'. For this rule, the default
values for authorizedTcpPorts are 80 and 443.
This control checks whether the security groups that are in use allow
unrestricted incoming traffic. Optionally the rule checks whether the port
numbers are listed in the authorizedTcpPorts parameter.
* If the security group rule port number allows unrestricted incoming traffic,
but the port number is specified in authorizedTcpPorts, then the control
passes. The default value for authorizedTcpPorts is 80, 443.
* If the security group rule port number allows unrestricted incoming traffic,
but the port number is not specified in authorizedTcpPorts input parameter,
then the control fails.
* If the parameter is not used, then the control fails for any security group
that has an unrestricted inbound rule.
Security groups provide stateful filtering of ingress and egress network traffic
to AWS. Security group rules should follow the principal of least privileged
access. Unrestricted access (IP address with a /0 suffix) increases the
opportunity for malicious activity such as hacking, denial-of-service attacks,
and loss of data.
Unless a port is specifically allowed, the port should deny unrestricted access.
REMEDIATION
To modify a security group, see Add, remove, or update rules in the Amazon VPC
User Guide.
[EC2.19] SECURITY GROUPS SHOULD NOT ALLOW UNRESTRICTED ACCESS TO PORTS WITH HIGH
RISK
Related requirements: NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21),
NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2),
NIST.800-53.r5 CM-7, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11),
NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4),
NIST.800-53.r5 SC-7(5)
Category: Protect > Restricted network access
Severity: Critical
Resource type: AWS::EC2::SecurityGroup
AWS Config rule: vpc-sg-restricted-common-ports (custom Security Hub rule)
Schedule type: Change triggered
Parameters: None
This control checks whether unrestricted incoming traffic for the security
groups is accessible to the specified ports that have the highest risk. This
control fails if any of the rules in a security group allow ingress traffic from
'0.0.0.0/0' or '::/0' for those ports.
Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity,
such as hacking, denial-of-service attacks, and loss of data.
Security groups provide stateful filtering of ingress and egress network traffic
to AWS resources. No security group should allow unrestricted ingress access to
the following ports:
* 20, 21 (FTP)
* 22 (SSH)
* 23 (Telnet)
* 25 (SMTP)
* 110 (POP3)
* 135 (RPC)
* 143 (IMAP)
* 445 (CIFS)
* 1433, 1434 (MSSQL)
* 3000 (Go, Node.js, and Ruby web development frameworks)
* 3306 (mySQL)
* 3389 (RDP)
* 4333 (ahsp)
* 5000 (Python web development frameworks)
* 5432 (postgresql)
* 5500 (fcp-addr-srvr1)
* 5601 (OpenSearch Dashboards)
* 8080 (proxy)
* 8088 (legacy HTTP port)
* 8888 (alternative HTTP port)
* 9200 or 9300 (OpenSearch)
REMEDIATION
To delete rules from a security group, see Delete rules from a security group in
the Amazon EC2 User Guide for Linux Instances.
[EC2.20] BOTH VPN TUNNELS FOR AN AWS SITE-TO-SITE VPN CONNECTION SHOULD BE UP
Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2),
NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)
Category: Resilience > Recover > High availability
Severity: Medium
Resource type:AWS::EC2::VPNConnection
AWS Config rule: vpc-vpn-2-tunnels-up
Schedule type: Change triggered
Parameters: None
A VPN tunnel is an encrypted link where data can pass from the customer network
to or from AWS within an AWS Site-to-Site VPN connection. Each VPN connection
includes two VPN tunnels which you can simultaneously use for high availability.
Ensuring that both VPN tunnels are up for a VPN connection is important for
confirming a secure and highly available connection between an AWS VPC and your
remote network.
This control checks that both VPN tunnels provided by AWS Site-to-Site VPN are
in UP status. The control fails if one or both tunnels are in DOWN status.
REMEDIATION
To modify VPN tunnel options, see Modifying Site-to-Site VPN tunnel options in
the AWS Site-to-Site VPN User Guide.
[EC2.21] NETWORK ACLS SHOULD NOT ALLOW INGRESS FROM 0.0.0.0/0 TO PORT 22 OR PORT
3389
Related requirements: CIS AWS Foundations Benchmark v1.4.0/5.1, NIST.800-53.r5
AC-4(21), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2),
NIST.800-53.r5 CM-7, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(21),
NIST.800-53.r5 SC-7(5)
Category: Protect > Secure Network Configuration
Severity: Medium
Resource type:AWS::EC2::NetworkAcl
AWS Config rule: nacl-no-unrestricted-ssh-rdp
Schedule type: Change triggered
Parameters: None
This control checks whether a network access control list (NACL) allows
unrestricted access to the default TCP ports for SSH/RDP ingress traffic. The
rule fails if a NACL inbound entry allows a source CIDR block of '0.0.0.0/0' or
'::/0' for TCP ports 22 or 3389.
Access to remote server administration ports, such as port 22 (SSH) and port
3389 (RDP), should not be publicly accessible, as this may allow unintended
access to resources within your VPC.
REMEDIATION
For more information about NACLs, see Network ACLs in the VPC User Guide.
[EC2.22] UNUSED AMAZON EC2 SECURITY GROUPS SHOULD BE REMOVED
IMPORTANT
DEPRECATED – Security Hub removed this control on September 20, 2023 from the
AWS Foundational Security Best Practices standard and the NIST SP 800-53 Rev. 5.
This AWS control produces a passed finding if security groups are attached to
EC2 instances or to an elastic network interface. However, for certain use
cases, unattached security groups don't pose a security risk. You can use other
EC2 controls—such as EC2.2, EC2.13, EC2.14, EC2.18, and EC2.19—to monitor your
security groups.
Category: Identify > Inventory
Severity: Medium
Resource type:AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup
AWS Config rule: ec2-security-group-attached-to-eni-periodic
Schedule type: Periodic
Parameters: None
This AWS control checks that security groups are attached to Amazon Elastic
Compute Cloud (Amazon EC2) instances or to an elastic network interface. The
control will fail if the security group is not associated with an Amazon EC2
instance or an elastic network interface.
REMEDIATION
To create, assign and delete security groups, see Security groups in Amazon EC2
user guide.
[EC2.23] AMAZON EC2 TRANSIT GATEWAYS SHOULD NOT AUTOMATICALLY ACCEPT VPC
ATTACHMENT REQUESTS
Related requirements: NIST.800-53.r5 AC-4(21), NIST.800-53.r5 CA-9(1),
NIST.800-53.r5 CM-2
Category: Protect > Secure network configuration
Severity: High
Resource type:AWS::EC2::TransitGateway
AWS Config rule: ec2-transit-gateway-auto-vpc-attach-disabled
Schedule type: Change triggered
Parameters: None
This control checks if EC2 transit gateways are automatically accepting shared
VPC attachments. This control fails for a transit gateway that automatically
accepts shared VPC attachment requests.
Turning on AutoAcceptSharedAttachments configures a transit gateway to
automatically accept any cross-account VPC attachment requests without verifying
the request or the account the attachment is originating from. To follow the
best practices of authorization and authentication, we recommended turning off
this feature to ensure that only authorized VPC attachment requests are
accepted.
REMEDIATION
To modify a transit gateway, see Modify a transit gateway in the Amazon VPC
Developer Guide.
[EC2.24] AMAZON EC2 PARAVIRTUAL INSTANCE TYPES SHOULD NOT BE USED
Related requirements: NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)
Category: Identify > Vulnerability, patch, and version management
Severity: Medium
Resource type:AWS::EC2::Instance
AWS Config rule: ec2-paravirtual-instance-check
Schedule type: Change triggered
Parameters: None
This control checks whether the virtualization type of an EC2 instance is
paravirtual. The control fails if the virtualizationType of the EC2 instance is
set to paravirtual.
Linux Amazon Machine Images (AMIs) use one of two types of virtualization:
paravirtual (PV) or hardware virtual machine (HVM). The main differences between
PV and HVM AMIs are the way in which they boot and whether they can take
advantage of special hardware extensions (CPU, network, and storage) for better
performance.
Historically, PV guests had better performance than HVM guests in many cases,
but because of enhancements in HVM virtualization and the availability of PV
drivers for HVM AMIs, this is no longer true. For more information, see Linux
AMI virtualization types in the Amazon EC2 User Guide for Linux Instances.
REMEDIATION
To update an EC2 instance to a new instance type, see Change the instance type
in the Amazon EC2 User Guide for Linux Instances.
[EC2.25] AMAZON EC2 LAUNCH TEMPLATES SHOULD NOT ASSIGN PUBLIC IPS TO NETWORK
INTERFACES
Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration > Resources not publicly
accessible
Severity: High
Resource type:AWS::EC2::LaunchTemplate
AWS Config rule: ec2-launch-template-public-ip-disabled
Schedule type: Change triggered
Parameters: None
This control checks if Amazon EC2 launch templates are configured to assign
public IP addresses to network interfaces upon launch. The control fails if an
EC2 launch template is configured to assign a public IP address to network
interfaces or if there is at least one network interface that has a public IP
address.
A public IP address is one that is reachable from the internet. If you configure
your network interfaces with a public IP address, then the resources associated
with those network interfaces may be reachable from the internet. EC2 resources
shouldn't be publicly accessible because this may permit unintended access to
your workloads.
REMEDIATION
To update an EC2 launch template, see Change the default network interface
settings in the Amazon EC2 Auto Scaling User Guide.
[EC2.28] EBS VOLUMES SHOULD BE COVERED BY A BACKUP PLAN
Category: Recover > Resilience > Backups enabled
Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5
CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2),
NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)
Severity: Low
Resource type: AWS::EC2::Volume
AWS Config rule: ebs-resources-protected-by-backup-plan
Schedule type: Periodic
Parameters: None
This control evaluates if Amazon EBS volumes are covered by backup plans. The
control fails if an Amazon EBS volume isn't covered by a backup plan. This
control only evaluates Amazon EBS volumes that are in the in-use state.
Backups help you recover more quickly from a security incident. They also
strengthen the resilience of your systems. Including Amazon EBS volumes in a
backup plan helps you protect your data from unintended loss or deletion.
REMEDIATION
To add an Amazon EBS volume to an AWS Backup backup plan, see Assigning
resources to a backup plan in the AWS Backup Developer Guide.
[EC2.29] EC2 INSTANCES SHOULD BE LAUNCHED IN A VPC
IMPORTANT
DEPRECATED – Security Hub deprecated this control and removed it from all
standards on September 20, 2023. Amazon EC2 has migrated EC2-Classic instances
to a VPC.
Category: Protect > Secure network configuration > Resources within VPC
Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Severity: High
Resource type: AWS::EC2::Instance
AWS Config rule: ec2-instances-in-vpc
Schedule type: Change triggered
Parameters: None
This control checks if Amazon EC2 instances are launched in a virtual private
cloud (VPC). This control fails if an EC2 instance is launched in the
EC2-Classic network.
The EC2-Classic network retired on August 15, 2022. The EC2-Classic network
model was flat, with public IP addresses assigned at launch time. The EC2-VPC
network offers more scalability and security features and should be the default
for launching EC2 instances.
REMEDIATION
To migrate instances to the EC2-VPC network, see Migrate from EC2-Classic to a
VPC in the Amazon EC2 User Guide for Linux Instances.
Javascript is disabled or is unavailable in your browser.
To use the Amazon Web Services Documentation, Javascript must be enabled. Please
refer to your browser's Help pages for instructions.
Document Conventions
Amazon ECS controls
Amazon EC2 Auto Scaling controls
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of
it.
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
DID THIS PAGE HELP YOU?
Yes
No
Provide feedback
NEXT TOPIC:
Amazon EC2 Auto Scaling controls
PREVIOUS TOPIC:
Amazon ECS controls
NEED HELP?
* Connect with an AWS IQ expert
PrivacySite termsCookie preferences
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ON THIS PAGE
* [EC2.1] Amazon EBS snapshots should not be publicly restorable
* [EC2.2] VPC default security groups should not allow inbound or outbound
traffic
* [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
* [EC2.4] Stopped Amazon EC2 instances should be removed after a specified time
period
* [EC2.6] VPC flow logging should be enabled in all VPCs
* [EC2.7] EBS default encryption should be enabled
* [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
* [EC2.9] Amazon EC2 instances should not have a public IPv4 address
* [EC2.10] Amazon EC2 should be configured to use VPC endpoints that are
created for the Amazon EC2 service
* [EC2.12] Unused Amazon EC2 EIPs should be removed
* [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22
* [EC2.14] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
* [EC2.15] Amazon EC2 subnets should not automatically assign public IP
addresses
* [EC2.16] Unused Network Access Control Lists should be removed
* [EC2.17] Amazon EC2 instances should not use multiple ENIs
* [EC2.18] Security groups should only allow unrestricted incoming traffic for
authorized ports
* [EC2.19] Security groups should not allow unrestricted access to ports with
high risk
* [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
* [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or
port 3389
* [EC2.22] Unused Amazon EC2 security groups should be removed
* [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC
attachment requests
* [EC2.24] Amazon EC2 paravirtual instance types should not be used
* [EC2.25] Amazon EC2 launch templates should not assign public IPs to network
interfaces
* [EC2.28] EBS volumes should be covered by a backup plan
* [EC2.29] EC2 instances should be launched in a VPC
DID THIS PAGE HELP YOU? - NO
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
Feedback