High

Showing all detectors for the CloudFormation language with high severity.

Cloudfront Custom SSL Certificate

CloudFront Distribution resources do not have the Viewer Certificate configuration present.

DynamoDB Autoscaling Enabled

Provisioned throughput capacity of DynamoDB tables is not configured.

Cloudtrail Cloudwatch Logs

AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets.

Cloudfront Origin Failover

Amazon CloudFront Distribution is not configured with two Origin Group Members.

Sagemaker Notebook Direct Access

The DirectInternetAccess property is set to Enabled and the SubnetId property is not set.

Cloudwatch Alarm Action Check

CloudWatch alarms have at least one alarm action.

ELB Cross Zone Load Balancing

Cross-zone load balancing is not enabled for the Classic Load Balancer.

Elasticsearch Primary Node

Elasticsearch domains are not configured with at least three dedicated primary nodes.

S3 Bucket SSL Request Only

S3 bucket has policies allowing HTTP requests.

Redshift Backup Enabled

Amazon Redshift automated snapshot is not enabled for clusters.

RDS instance logging enabled

Amazon Relational Database Service (Amazon RDS) logs are not enabled.

S3 Bucket replication enabled

S3 buckets do not have cross-region replication enabled.

IAM Profile Not Attached

IAM profile is not attached to the EC2 instance.

S3 Bucket Default Encryption With AWS KMS

Amazon S3 bucket is not encrypted with AWS KMS key.

Unsecured encryption of DAX at rest

Unsecured encryption of DAX is detected at rest.

Disabled encryption on Aurora at rest

Disabled Encryption is detected for all data in Aurora at rest.

Restrict wildcard in KMS key

The KMS key policy includes wildcard (asterisk) principal.

Cloudfront Default Root Object Configured

Amazon CloudFront distribution is configured to return a specific object that is the default root object.

RDS Auto Version Upgrade

The AutoMinorVersionUpgrade property of RDS instances is not present or is set to false.

Subnet Auto Assign Public IP

Amazon Virtual Private Cloud (Amazon VPC) subnets are not assigned a public IP address.

Unencrypted AWS Redshift using CMK

Unencrypted AWS Redshift cluster using CMK is detected.

CW Loggroup Retention Period

The Amazon CloudWatch LogGroup retention period is not set.

EMR Kerberos Enabled

The KerberosAttributes property of EMR cluster resources does not exist.

RedShift Enhanced VPC Routing

The EnhancedVpcRouting property of Redshift Cluster resources is not present or is set to false.

Disabled AWS S3 object versioning

Disabled versioning is detected for AWS S3 objects.

Configure HTTPS for CloudFront distribution ViewerProtocolPolicy

HTTPS is not configured in the ViewerProtocolPolicy of CloudFront distribution.

Monitoring Disabled EC2 instances

Monitoring is not enabled for EC2 instances.

Disabled AWS RDS Encryption

Disabled Encryption is detected for AWS RDS DB cluster.

Cloudtrail S3 Dataevents enabled

AWS CloudTrail trail is not logging Amazon S3 data events for all S3 buckets.

Restrict IAM permissive role assumption

AWS IAM policy permits role assumption by all services.

Restrict public access on DMS replication instance

DMS replication instance with public accessibility is detected.

Redshift Cluster Maintenance Settings

Amazon Redshift clusters don't have the specified maintenance settings.

DB instance backup enabled

The BackupRetentionPeriod property of RDS instances is not present or is set to 0.

EKS Endpoint No Public Access

Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is publicly accessible.

More Restrictive CIDR

The CidrIp property is set to 0.0.0.0/0.

Aurora MySQL Backtracking

Amazon Aurora MySQL cluster has backtracking disabled.

ELB ACM Certificate

Classic Load Balancer configured with HTTPS/SSL listener does not use a certificate provided by ACM.

S3 default lock enabled

The S3 ObjectLockEnabled parameter is not set to true.

Sagemaker Notebook Instance KMS

The KmsKeyId property of Sagemaker Notebook Instance resources does not exist.

Exposed secrets in EC2 user data

Secrets are being revealed by EC2 user data.

Cloudfront SNI Enabled

Amazon CloudFront distributions are not configured to use SNI to serve HTTPS requests.

DynamoDB Table Encryption

DynamoDB tables do not have SSE enabled.

Exposed secrets in Lambda function environment variables

The exposure of secrets through Lambda function's environment variables is detected.

Disabled Neptune logging

Disabled Neptune logging is detected.

API GW Resources Type Check

API GW does not have endpoint configuration set to REGIONAL, PRIVATE, and/or EDGE.

Restricted Common Ports

The security groups in use allow unrestricted incoming TCP traffic to the specified ports.

Disabled DynamoDB Point-In-Time Recovery

Disabled DynamoDB Point-In-Time Recovery is detected.

EBS Optimization Disabled EC2 instances

EBS Optimization is not enabled for EC2 instances.

Restrict assumed IAM role access

The IAM role doesn't permit only specific services or principals for assumption.

Autoscaling Launch Config

EC2 Auto Scaling launch configurations are configured to not associate public IP addresses.

Autoscaling Group ELB Health Checks

Auto Scaling groups that are associated with a load balancer are not using Elastic Load Balancing health checks.

Implicit SSH for AWS EKS node group

Implicit SSH access from 0.0.0.0/0 for AWS EKS node group is detected.

Elasticsearch in VPC

Elasticsearch domain does not have the VPCOptions or Endpoint property.

Disabled Glue Data Catalog encryption

Disabled Encryption is detected for the Glue Data Catalog.

Unsecured Encryption in transit for EFS volumes

Unsecured Encryption in transit is detected for EFS volumes in ECS task definitions.

EFS Resources Protected By Backup Plan

EFS File System is not covered by a backup plan.

Unencrypted EBS Volumes

Instances and launch configurations with unencrypted EBS volumes are detected.

Restrict public IP association on EC2 instance

EC2 instance with public IP is detected.

RDS Instance Deletion Protection

The DeletionProtection property of RDS instances is not present or is set to false.

Disabled AWS Glue security encryption

Encryption is disabled in the AWS Glue security configuration.

EC2 Instance In VPC

EC2 instance does not belong to a virtual private cloud (VPC).