
The included AWS checks are listed below. For more information about each check, see the link provided.

| Code | Summary | Details |
|---|---|---|
| AWS001 | S3 bucket has an ACL defined which allows public access. | AWS001 |
| AWS002 | S3 bucket does not have logging enabled. | AWS002 |
| AWS003 | AWS Classic resource usage. | AWS003 |
| AWS004 | Use of plain HTTP. | AWS004 |
| AWS005 | Load balancer is exposed to the internet. | AWS005 |
| AWS006 | An ingress security group rule allows traffic from /0 (any source address). | AWS006 |
| AWS007 | An egress security group rule allows traffic to /0 (any destination address). | AWS007 |
| AWS008 | An inline ingress security group rule allows traffic from /0. | AWS008 |
| AWS009 | An inline egress security group rule allows traffic to /0. | AWS009 |
| AWS010 | An outdated SSL policy is in use by a load balancer. | AWS010 |
| AWS011 | A resource is marked as publicly accessible. | AWS011 |
| AWS012 | A resource has a public IP address. | AWS012 |
| AWS013 | Task definition defines sensitive environment variable(s). | AWS013 |
| AWS014 | Launch configuration with unencrypted block device. | AWS014 |
| AWS015 | Unencrypted SQS queue. | AWS015 |
| AWS016 | Unencrypted SNS topic. | AWS016 |
| AWS017 | Unencrypted S3 bucket. | AWS017 |
| AWS018 | Missing description for security group/security group rule. | AWS018 |
| AWS019 | A KMS key is not configured to auto-rotate. | AWS019 |
| AWS020 | CloudFront distribution allows unencrypted (HTTP) communications. | AWS020 |
| AWS021 | CloudFront distribution uses outdated SSL/TLS protocols. | AWS021 |
| AWS022 | An MSK cluster allows unencrypted data in transit. | AWS022 |
| AWS023 | ECR repository has image scans disabled. | AWS023 |
| AWS024 | Kinesis stream is unencrypted. | AWS024 |
| AWS025 | API Gateway domain name uses outdated SSL/TLS protocols. | AWS025 |
| AWS031 | Elasticsearch domain isn't encrypted at rest. | AWS031 |
| AWS032 | Elasticsearch domain uses plaintext traffic for node-to-node communication. | AWS032 |
| AWS033 | Elasticsearch domain doesn't enforce HTTPS traffic. | AWS033 |
| AWS034 | Elasticsearch domain endpoint is using an outdated TLS policy. | AWS034 |
| AWS035 | Unencrypted ElastiCache replication group. | AWS035 |
| AWS036 | ElastiCache replication group uses unencrypted traffic. | AWS036 |
| AWS037 | IAM password policy should prevent password reuse. | AWS037 |
| AWS038 | IAM password policy should have an expiry of 90 days or less. | AWS038 |
| AWS039 | IAM password policy should require a minimum password length of 14 or more characters. | AWS039 |
| AWS040 | IAM password policy should require at least one symbol in the password. | AWS040 |
| AWS041 | IAM password policy should require at least one number in the password. | AWS041 |
| AWS042 | IAM password policy should require at least one lowercase character. | AWS042 |
| AWS043 | IAM password policy should require at least one uppercase character. | AWS043 |
| AWS044 | AWS provider has access credentials specified. | AWS044 |
| AWS045 | CloudFront distribution does not have a WAF in front. | AWS045 |
| AWS046 | AWS IAM policy document has a wildcard action statement. | AWS046 |
| AWS047 | AWS SQS policy document has a wildcard action statement. | AWS047 |
| AWS048 | EFS encryption has not been enabled. | AWS048 |
| AWS049 | An ingress Network ACL rule allows specific ports from /0. | AWS049 |
| AWS050 | An ingress Network ACL rule allows ALL ports from /0. | AWS050 |
| AWS051 | There is no encryption specified, or encryption is disabled, on the RDS cluster. | AWS051 |
| AWS052 | RDS encryption has not been enabled at the DB instance level. | AWS052 |
| AWS053 | Encryption for RDS Performance Insights should be enabled. | AWS053 |
| AWS054 | Elasticsearch domains should enforce HTTPS. | AWS054 |
| AWS055 | Elasticsearch nodes should communicate with node-to-node encryption enabled. | AWS055 |
| AWS057 | Domain logging should be enabled for Elasticsearch domains. | AWS057 |
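The check IDs above are tfsec's legacy AWS identifiers. As an added example that is not part of the original page or of the tfsec project, the Terraform below writes a security group rule pair and an IAM policy document first in the form the checks flag (AWS006, AWS007, AWS018 and AWS046) and then in a form that passes. The resource names, the VPC reference, the CIDR ranges and the bucket ARN are placeholders chosen for the example.

```hcl
# Added example, not from the tfsec docs: the same resources written so that
# the listed checks fire, then rewritten so they pass. All names, CIDRs and
# the VPC/bucket references are placeholders.

resource "aws_security_group" "web" {
  name        = "web"
  description = "Example web tier group (placeholder)"
  vpc_id      = aws_vpc.main.id # placeholder reference
}

# --- Flagged -------------------------------------------------------------

# AWS006: ingress from /0, i.e. every IPv4 address, on an admin port.
# AWS018: the rule carries no description.
resource "aws_security_group_rule" "web_in_bad" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.web.id
}

# AWS007: egress to /0 on every port and protocol.
# AWS018: no description here either.
resource "aws_security_group_rule" "web_out_bad" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.web.id
}

# AWS046: a wildcard action ("*") in an IAM policy document grants every API
# call on every resource.
data "aws_iam_policy_document" "bad" {
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }
}

# --- Corrected -----------------------------------------------------------

# Same SSH rule scoped to one private range and documented (placeholder CIDR).
resource "aws_security_group_rule" "web_in_ok" {
  description       = "SSH from the corporate VPN range only"
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["10.20.0.0/16"]
  security_group_id = aws_security_group.web.id
}

# Egress restricted to HTTPS towards one internal subnet (placeholder CIDR).
resource "aws_security_group_rule" "web_out_ok" {
  description       = "HTTPS to the internal API subnet only"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["10.30.0.0/24"]
  security_group_id = aws_security_group.web.id
}

# One explicit action on one explicit resource (placeholder bucket ARN).
data "aws_iam_policy_document" "ok" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-bucket/*"]
  }
}
```

Running `tfsec` in a directory containing only the "Flagged" section reports the four checks named above; with only the "Corrected" section it reports none of them. Note that AWS006 and AWS007 apply to standalone `aws_security_group_rule` resources, while AWS008 and AWS009 cover the same /0 condition in `ingress` and `egress` blocks written inline inside an `aws_security_group`, so moving a rule between the two forms changes which check fires, not whether it fires.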