Security
You can use the following checks for the security category.
Note
If you enabled Security Hub for your Amazon Web Services account, you can view your findings in the Trusted Advisor console. For information, see Viewing Amazon Security Hub controls in Amazon Trusted Advisor.
You can view all controls in the Amazon Foundational Security Best Practices security standard except for controls that have the Category: Recover > Resilience. For a list of supported controls, see Amazon Foundational Security Best Practices controls in the Amazon Security Hub User Guide.
Check names
- Amazon EC2 instances with Ubuntu LTS end of standard support
- Amazon EFS clients not using data-in-transit encryption
- Amazon Route 53 mismatching CNAME records pointing directly to S3 buckets
- Amazon S3 Bucket Permissions
- Application Load Balancer Target Groups Encrypted Protocol
- ELB Listener Security
- Classic Load Balancer Security Groups
- IAM Password Policy
- IAM SAML 2.0 Identity Provider
- Root User Access Key
- Security Groups – Specific Ports Unrestricted
- Security Groups – Unrestricted Access
Amazon EC2 instances with Ubuntu LTS end of standard support
- Description
-
This check alerts you if the versions are near or have reached the end of standard support. It is important to take action – either by migrating to the next LTS or upgrading to Ubuntu Pro. After the end of support, your 18.04 LTS machines will not receive any security updates. With an Ubuntu Pro subscription, your Ubuntu 18.04 LTS deployment can receive Expanded Security Maintenance (ESM) until 2028. Security vulnerabilities that remain unpatched open your systems to hackers and the potential of a major breach.
Note
Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.
For Business, Enterprise On-Ramp, or Enterprise Support customers, you can use the BatchUpdateRecommendationResourceExclusion API to include or exclude one or more resources from your Trusted Advisor results.
- Check ID
-
c1dfprch15
- Alert Criteria
-
Red: An Amazon EC2 instance has an Ubuntu version that reached the end of standard support (Ubuntu 18.04 LTS, 18.04.1 LTS, 18.04.2 LTS, 18.04.3 LTS, 18.04.4 LTS, 18.04.5 LTS, and 18.04.6 LTS).
Yellow: An Amazon EC2 instance has an Ubuntu version that will reach the end of standard support in less than 6 months (Ubuntu 20.04 LTS, 20.04.1 LTS, 20.04.2 LTS, 20.04.3 LTS, 20.04.4 LTS, 20.04.5 LTS, and 20.04.6 LTS).
Green: All Amazon EC2 instances are compliant.
- Recommended Action
-
To upgrade the Ubuntu 18.04 LTS instances to a supported LTS version, please follow the steps mentioned in this article
. To upgrade the Ubuntu 18.04 LTS instances to Ubuntu Pro , visit Amazon License Manager console and follow the steps mentioned in the Amazon License Manager user guide. You can also refer to the Ubuntu blog showing a step by step demo of upgrading Ubuntu instances to Ubuntu Pro. - Additional Resources
-
For information about pricing, reach out to Amazon Web Services Support
. - Report columns
-
-
Status
-
Region
-
Ubuntu Lts Version
-
Expected End Of Support Date
-
Instance ID
-
Support Cycle
-
Last Updated Time
-
Amazon EFS clients not using data-in-transit encryption
- Description
-
Checks if Amazon EFS file system is mounted using data-in-transit encryption. Amazon recommends that customers use data-in-transit encryption for all data flows to protect data from accidental exposure or unauthorized access. Amazon EFS recommends clients use the ‘-o tls’ mount setting using the Amazon EFS mount helper to encrypt data in transit using TLS v1.2.
- Check ID
-
c1dfpnchv1
- Alert Criteria
-
Yellow: One or more NFS clients for your Amazon EFS file system are not using the recommended mount settings that provide data-in-transit encryption.
Green: All NFS clients for your Amazon EFS file system are using the recommended mount settings that provide data-in-transit encryption.
- Recommended Action
-
To take advantage of data-in-transit encryption feature on Amazon EFS, we recommend that you remount your file system using the Amazon EFS mount helper and the recommended mount settings.
Note
Some Linux distributions don't include a version of stunnel that supports TLS features by default. If you're using an unsupported Linux distribution (see Supported distributions in the Amazon Elastic File System User Guide), then it's a best practice that you upgrade it before remounting with the recommended mount setting.
- Additional Resources
- Report columns
-
-
Status
-
Region
-
EFS File System ID
-
AZs with Unencrypted Connections
-
Last Updated Time
-
Amazon Route 53 mismatching CNAME records pointing directly to S3 buckets
- Description
-
Checks the Amazon Route 53 Hosted Zones with CNAME records pointing directly to Amazon S3 bucket hostnames and alerts if your CNAME does not match with your S3 bucket name.
- Check ID
-
c1ng44jvbm
- Alert Criteria
-
Red: Amazon Route 53 Hosted Zone has CNAME records pointing to mismatching S3 bucket hostnames.
Green: No mismatching CNAME records found in your Amazon Route 53 Hosted Zone.
- Recommended Action
-
When pointing CNAME records to S3 bucket hostnames, you must make sure that a matching bucket exists for any CNAME or alias record you configure. By doing this, you avoid the risk of your CNAME records being spoofed. You also prevent any unauthorized Amazon user from hosting faulty or malicious web content with your domain.
To avoid pointing CNAME records directly to S3 bucket hostnames, consider using origin access control (OAC) to access your S3 bucket web assets through Amazon CloudFront.
For more information about associating CNAME with an Amazon S3 bucket hostname, see Customizing Amazon S3 URLs with CNAME records.
- Additional Resources
- Report columns
-
-
Status
-
Hosted Zone ID
-
Hosted Zone ARN
-
Matching CNAME Records
-
Mismatching CNAME Records
-
Last Updated Time
-
Amazon S3 Bucket Permissions
- Description
-
Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions, or that allow access to any authenticated Amazon user.
This check examines explicit bucket permissions, as well as bucket policies that might override those permissions. Granting list access permissions to all users for an Amazon S3 bucket is not recommended. These permissions can lead to unintended users listing objects in the bucket at high frequency, which can result in higher than expected charges. Permissions that grant upload and delete access to everyone can lead to security vulnerabilities in your bucket.
- Check ID
-
Pfx0RwqBli
- Alert Criteria
-
-
Yellow: The bucket ACL allows List access for Everyone or Any Authenticated Amazon User.
-
Yellow: A bucket policy allows any kind of open access.
-
Yellow: Bucket policy has statements that grant public access. The Block public and cross-account access to buckets that have public policies setting is turned on and has restricted access to only authorized users of that account until public statements are removed.
-
Yellow: Trusted Advisor does not have permission to check the policy, or the policy could not be evaluated for other reasons.
-
Red: The bucket ACL allows upload and delete access for Everyone or Any Authenticated Amazon User.
-
Green: All Amazon S3 are compliant based on the ACL and/or bucket policy.
-
- Recommended Action
-
If a bucket allows open access, determine if open access is truly needed. For example to host a static website, you can use Amazon CloudFront to serve the content hosted on Amazon S3. See Restricting access to anAmazon S3 origin in the Amazon CloudFront Developer Guide. When possible,, update the bucket permissions to restrict access to the owner or specific users. Use Amazon S3 Block Public Access to control the settings that allow public access to your data. See Setting Bucket and Object Access Permissions.
- Additional Resources
-
Managing Access Permissions to Your Amazon S3 Resources
Configuring block public access settings for your Amazon S3 buckets
- Report columns
-
-
Status
-
Region Name
-
Region API Parameter
-
Bucket Name
-
ACL Allows List
-
ACL Allows Upload/Delete
-
Policy Allows Access
-
Application Load Balancer Target Groups Encrypted Protocol
- Description
-
Checks Application Load Balancer (ALB) target groups are using HTTPS protocol to encrypt communication in transit for back-end target types of instance or IP. HTTPS requests between ALB and back-end targets help to maintain data confidentiality for data in transit.
- Check ID
-
c2vlfg0p1w
- Alert Criteria
-
-
Yellow: Application Load Balancer target group using HTTP.
-
Green: Application Load Balancer target group using HTTPS.
-
- Recommended Action
-
Configure back-end target types of instance or IP to support HTTPS access, and change target group to use HTTPS protocol to encrypt communication between ALB and back-end target types of instance or IP.
- Additional Resources
-
Application Load Balancer Target Types
- Report columns
-
-
Status
-
Region
-
ALB Arn
-
ALB Name
-
ALB VPC Id
-
Target Group Arn
-
Target Group Name
-
Target Group Protocol
-
Last Updated Time
-
ELB Listener Security
- Description
-
Checks for classic load balancers with listeners that don't use the recommended security configurations for encrypted communication. Amazon recommends that you use a secure protocol (HTTPS or SSL), up-to-date security policies, and ciphers and protocols that are secure. When you use a secure protocol for a front-end connection (client to load balancer), the requests are encrypted between your clients and the load balancer. This creates a more secure environment. Elastic Load Balancing provides predefined security policies with ciphers and protocols that adhere to Amazon security best practices. New versions of predefined policies are released as new configurations become available.
- Check ID
-
a2sEc6ILx
- Alert Criteria
-
-
Red: A load balancer has no listeners configured with a secure protocol (HTTPS).
-
Yellow: A load balancer HTTPS listener is configured with a Security Policy that contains a weak cipher.
-
Yellow: A load balancer HTTPS listener is not configured with the recommended Security Policy.
-
Green: A load balancer has at least one HTTPS listener AND all HTTPS listeners are configured with the recommended policy.
-
- Recommended Action
-
If the traffic to your load balancer must be secure, use either the HTTPS or the SSL protocol for the front-end connection.
Upgrade your load balancer to the latest version of the predefined SSL security policy.
Use only the recommended ciphers and protocols.
For more information, see Listener Configurations for Elastic Load Balancing.
- Additional Resources
- Report columns
-
-
Status
-
Region
-
Load Balancer Name
-
Load Balancer Port
-
Reason
-
Classic Load Balancer Security Groups
- Description
-
Checks for load balancers configured with a security group that allows access to ports that are not configured for the load balancer.
If a security group allows access to ports that are not configured for the load balancer, the risk of loss of data or malicious attacks increases.
- Check ID
-
xSqX82fQu
- Alert Criteria
-
-
Yellow: The inbound rules of an Amazon VPC security group associated with a load balancer allow access to ports that are not defined in the load balancer's listener configuration.
-
Green: The inbound rules of an Amazon VPC security group associated with a load balancer do not allow access to ports that are not defined in the load balancers listener configuration.
-
- Recommended Action
-
Configure the security group rules to restrict access to only those ports and protocols that are defined in the load balancer listener configuration, plus the ICMP protocol to support Path MTU Discovery. See Listeners for Your Classic Load Balancer and Security Groups for Load Balancers in a VPC.
If a security group is missing, apply a new security group to the load balancer. Create security group rules that restrict access to only those ports and protocols that are defined in the load balancer listener configuration. See Security Groups for Load Balancers in a VPC.
- Additional Resources
- Report columns
-
-
Status
-
Region
-
Load Balancer Name
-
Security Group IDs
-
Reason
-
IAM Password Policy
- Description
-
Checks the password policy for your account and warns when a password policy is not enabled, or if password content requirements have not been enabled.
Password content requirements increase the overall security of your Amazon environment by enforcing the creation of strong user passwords. When you create or change a password policy, the change is enforced immediately for new users but does not require existing users to change their passwords.
- Check ID
-
Yw2K9puPzl
- Alert Criteria
-
-
Green: A password policy is enabled with recommended content requirement enabled.
-
Yellow: A password policy is enabled, but at least one content requirement is not enabled.
-
- Recommended Action
-
If some content requirements are not enabled, consider enabling them. If no password policy is enabled, create and configure one. See Setting an Account Password Policy for IAM Users.
To access the Amazon Web Services Management Console, IAM users need passwords. As a best practice, Amazon highly recommends that instead of creating IAM users, you use federation. Federation allows users to use their existing corporate credentials to log into the Amazon Web Services Management Console. Use IAM Identity Center to create or federate the user, and then assume an IAM role into an account.
To learn more about identity providers and federation, see Identity providers and federation in the IAM User Guide. To learn more about IAM Identity Center, see the IAM Identity Center User Guide.
- Additional Resources
- Report columns
-
-
Password Policy
-
Uppercase
-
Lowercase
-
Number
-
Non-alphanumeric
-
IAM SAML 2.0 Identity Provider
- Description
-
Checks if the Amazon Web Services account is configured for access via an identity provider (IdP) that supports SAML 2.0. Be sure to follow best practices when you centralize identities and configure users in an external identity provider or Amazon IAM Identity Center
. - Check ID
-
c2vlfg0p86
- Alert Criteria
-
-
Yellow: This account isn’t configured for access via an identity provider (IdP) that supports SAML 2.0.
-
Green: This account is configured for access via an identity provider (IdP) that supports SAML 2.0.
-
- Recommended Action
-
Activate IAM Identity Center for the Amazon Web Services account. For more information, see EnablingIAM Identity Center. After you turn on IAM Identity Center, you can then perform common tasks like creating a permission set and assigning access for Identity Center groups. For more information, see Common tasks.
It’s a best practice to manage human users in IAM Identity Center. But you can activate federated user access with IAM for human users in the short-term for small scale deployments. For more information see SAML 2.0 federation.
- Additional Resources
- Report columns
-
-
Status
-
Amazon Web Services account Id
-
Last Updated Time
-
Root User Access Key
- Description
-
Checks if the root user access key is present. It's strongly recommended that you don't create access key pairs for your root user. Because only a few tasks require the root user and you typically perform those tasks infrequently, it’s a best practice to log in to the Amazon Web Services Management Console to perform the root user tasks. Before you create access keys, review the alternatives to long-term access keys.
- Check ID
-
c2vlfg0f4h
- Alert Criteria
-
Red: The root user access key is present
Green: The root user access key isn’t present
- Recommended Action
-
Delete the access key(s) for the root user. See Deleting access keys for the root user. This task must be performed by the root user. You can't perform these steps as an IAM user or role.
- Additional Resources
- Report columns
-
-
Status
-
Account ID
-
Last Updated Time
-
Security Groups – Specific Ports Unrestricted
- Description
-
Checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports.
Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The ports with highest risk are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP.
If you have intentionally configured your security groups in this manner, we recommend using additional security measures to secure your infrastructure (such as IP tables).
Note
This check only evaluates security groups that you create and their inbound rules for IPv4 addresses. Security groups created by Amazon Directory Service are flagged as red or yellow, but they don’t pose a security risk and can be excluded. For more information, see the Trusted Advisor FAQ
. - Check ID
-
HCP4007jGY
- Alert Criteria
-
-
Green: Security Group provides unrestricted access on ports 80, 25, 443, or 465.
-
Red: Security Group is attached to a resource and provides unrestricted access to port 20, 21, 22 , 1433, 1434, 3306, 3389, 4333, 5432, or 5500.
-
Yellow: Security Group provides unrestricted access to any other port.
-
Yellow: Security Group is not attached to any resource and provides unrestricted access.
-
- Recommended Action
-
Restrict access to only those IP addresses that require it. To restrict access to a specific IP address, set the suffix to /32 (for example, 192.0.2.10/32). Be sure to delete overly permissive rules after creating rules that are more restrictive.
Review and delete unused security groups. You can use Amazon Firewall Manager to centrally configure and manage security groups at scale across Amazon Web Services accounts, For more information, see the Amazon Firewall Manager documentation.
Consider using Systems Manager Sessions Manager for SSH (Port 22) and RDP (Port 3389) access to EC2 instances. With sessions manager, you can access your EC2 instances without enabling port 22 and 3389 in the security group.
- Additional Resources
- Report columns
-
-
Status
-
Region
-
Security Group Name
-
Security Group ID
-
Protocol
-
From Port
-
To Port
-
Association
-
Security Groups – Unrestricted Access
- Description
-
Checks security groups for rules that allow unrestricted access to a resource.
Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data).
Note
This check evaluates only security groups that you create and their inbound rules for IPv4 addresses. Security groups created by Amazon Directory Service are flagged as red or yellow, but they don’t pose a security risk and can be excluded. For more information, see the Trusted Advisor FAQ
. - Check ID
-
1iG5NDGVre
- Alert Criteria
-
-
Green: A security group rule has a source IP address with a /0 suffix for ports 25, 80, or 443.
-
Yellow: A security group rule has a source IP address with a /0 suffix for ports other than 25, 80, or 443 and security group is attached to a resource.
-
Red: A security group rule has a source IP address with a /0 suffix for ports other than 25, 80, or 443 and security group is not attached to a resource.
-
- Recommended Action
-
Restrict access to only those IP addresses that require it. To restrict access to a specific IP address, set the suffix to /32 (for example, 192.0.2.10/32). Be sure to delete overly permissive rules after creating rules that are more restrictive.
Review and delete unused security groups. You can use Amazon Firewall Manager to centrally configure and manage security groups at scale across Amazon Web Services accounts, For more information, see the Amazon Firewall Manager documentation.
Consider using Systems Manager Sessions Manager for SSH (Port 22) and RDP (Port 3389) access to EC2 instances. With sessions manager, you can access your EC2 instances without enabling port 22 and 3389 in the security group.
- Additional Resources
- Report columns
-
-
Status
-
Region
-
Security Group Name
-
Security Group ID
-
Protocol
-
From Port
-
To Port
-
IP Range
-
Association
-