Security
You can use the following checks for the security category.
If you enabled Security Hub for your Amazon Web Services account, you can view your findings in the Trusted Advisor console. For information, see Viewing Amazon Security Hub controls in Amazon Trusted Advisor.
You can view all controls in the Amazon Foundational Security Best Practices security standard except for controls that have the Category: Recover > Resilience. For a list of supported controls, see Amazon Foundational Security Best Practices controls in the Amazon Security Hub User Guide.
Check names
Amazon S3 Bucket Permissions
- Description
-
Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions, or that allow access to any authenticated Amazon user.
This check examines explicit bucket permissions (the bucket ACL), as well as bucket policies that might override those permissions. Note that the Any Authenticated Amazon User grantee is not limited to users in your own account: it matches any request signed with the credentials of any Amazon account, so a grant to it is effectively public. Granting list access permissions to all users for an Amazon S3 bucket is not recommended. These permissions can lead to unintended users listing objects in the bucket at high frequency, which can result in higher than expected charges. Permissions that grant upload and delete access to everyone can lead to security vulnerabilities in your bucket, because anyone can overwrite or destroy your data.
- Check ID
-
Pfx0RwqBli
- Alert Criteria
-
Yellow: The bucket ACL allows List access for Everyone or Any Authenticated Amazon User.
Yellow: A bucket policy allows any kind of open access.
Yellow: Bucket policy has statements that grant public access. The Block public and cross-account access to buckets that have public policies setting is turned on and has restricted access to only authorized users of that account until public statements are removed.
Yellow: Trusted Advisor does not have permission to check the policy, or the policy could not be evaluated for other reasons.
Red: The bucket ACL allows upload and delete access for Everyone or Any Authenticated Amazon User.
- Recommended Action
-
If a bucket allows open access, determine if open access is truly needed. If not, update the bucket permissions to restrict access to the owner or specific users. Use Amazon S3 Block Public Access to control the settings that allow public access to your data. See Setting Bucket and Object Access Permissions.
- Additional Resources
- Report columns
-
Status
Region Name
Region API Parameter
Bucket Name
ACL Allows List
ACL Allows Upload/Delete
Policy Allows Access
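The following is an added example, not Trusted Advisor's or Amazon's own code: it applies the alert criteria above to a bucket ACL and a bucket policy and produces one report row in the shape of the columns listed. The inputs mimic what boto3 returns from get_bucket_acl() and get_bucket_policy()["Policy"], so the same functions can be pointed at live data; the group URIs are the real ones S3 uses in ACL grants, and the sample ACLs, policy and bucket names are constructed for the example. The policy check flags any Allow statement with a wildcard principal; a Condition element may narrow such a statement, but it is still reported for review.

```python
import json

# Canonical group URIs S3 uses in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # "Everyone"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # "Any Authenticated Amazon User"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
LIST_PERMS = {"READ", "FULL_CONTROL"}    # bucket-level READ lets a grantee list objects
WRITE_PERMS = {"WRITE", "FULL_CONTROL"}  # bucket-level WRITE lets a grantee upload and delete


def acl_flags(acl):
    """Return (allows_list, allows_upload_delete) for grants to the two public groups."""
    allows_list = allows_write = False
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        perm = grant.get("Permission")
        allows_list = allows_list or perm in LIST_PERMS
        allows_write = allows_write or perm in WRITE_PERMS
    return allows_list, allows_write


def _principal_is_public(principal):
    """A wildcard principal in either form a bucket policy accepts: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_allows_public(policy_json):
    """True if any Allow statement grants to a wildcard principal; False if there is
    no policy or it is closed; None if the document cannot be parsed (the "could not
    be evaluated" case, which the check also reports as Yellow)."""
    if policy_json is None:
        return False
    try:
        doc = json.loads(policy_json)
    except ValueError:
        return None
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be given without a list
        statements = [statements]
    return any(s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
               for s in statements)


def classify_bucket(name, acl, policy_json):
    """Build one report row with the status the check's alert criteria would assign."""
    allows_list, allows_write = acl_flags(acl)
    policy_public = policy_allows_public(policy_json)
    if allows_write:
        status = "Red"
    elif allows_list or policy_public or policy_public is None:
        status = "Yellow"
    else:
        status = "Green"
    return {"Status": status, "Bucket Name": name, "ACL Allows List": allows_list,
            "ACL Allows Upload/Delete": allows_write, "Policy Allows Access": policy_public}


# Constructed sample inputs (not real buckets or accounts).
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                              "Permission": "FULL_CONTROL"}]}
AUTH_LIST_ACL = {"Grants": OWNER_ONLY_ACL["Grants"] +
                 [{"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]}
PUBLIC_WRITE_ACL = {"Grants": OWNER_ONLY_ACL["Grants"] +
                    [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, acl, policy in [("private", OWNER_ONLY_ACL, None),
                              ("auth-list", AUTH_LIST_ACL, None),
                              ("public-write", PUBLIC_WRITE_ACL, None),
                              ("policy-open", OWNER_ONLY_ACL, PUBLIC_READ_POLICY),
                              ("unparseable", OWNER_ONLY_ACL, "{not json")]:
        print(classify_bucket(name, acl, policy))
```

The ACL grantee check deliberately treats AuthenticatedUsers the same as AllUsers, matching the check's "Everyone or Any Authenticated Amazon User" wording.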
-
ELB Listener Security
- Description
-
Checks for load balancers with listeners that do not use recommended security configurations for encrypted communication. Amazon recommends using a secure protocol (HTTPS or SSL) for the front-end listener, the latest predefined security policy, and only ciphers and protocols that are considered secure.
When you use a secure protocol for a front-end connection (client to load balancer), requests are encrypted between your clients and the load balancer, which creates a more secure environment. This protects only the client-to-load-balancer hop; the back-end connection (load balancer to instance) is configured separately. Elastic Load Balancing provides predefined security policies with ciphers and protocols that adhere to Amazon security best practices. New versions of predefined policies are released as new configurations become available, but a listener keeps the policy version it was configured with until you update it.
- Check ID
-
a2sEc6ILx
- Alert Criteria
-
Yellow: A load balancer has no listener that uses a secure protocol (HTTPS or SSL).
Yellow: A load balancer listener uses an outdated predefined SSL security policy.
Yellow: A load balancer listener uses a cipher or protocol that is not recommended.
Red: A load balancer listener uses an insecure cipher or protocol.
- Recommended Action
-
If the traffic to your load balancer must be secure, use either the HTTPS or the SSL protocol for the front-end connection.
Upgrade your load balancer to the latest version of the predefined SSL security policy.
Use only the recommended ciphers and protocols.
For more information, see Listener Configurations for Elastic Load Balancing.
- Additional Resources
- Report columns
-
Status
Region
Load Balancer Name
Load Balancer Port
Reason
-
ELB Security Groups
- Description
-
Checks for load balancers configured with a missing security group, or a security group that allows access to ports that are not configured for the load balancer.
If a security group associated with a load balancer is deleted, the load balancer will not work as expected. If a security group allows access to ports that are not configured for the load balancer, the risk of loss of data or malicious attacks increases.
- Check ID
-
xSqX82fQu
- Alert Criteria
-
Yellow: The inbound rules of an Amazon VPC security group associated with a load balancer allow access to ports that are not defined in the load balancer's listener configuration.
Red: A security group associated with a load balancer does not exist.
- Recommended Action
-
Configure the security group rules to restrict access to only those ports and protocols that are defined in the load balancer listener configuration, plus the ICMP protocol to support Path MTU Discovery. See Listeners for Your Classic Load Balancer and Security Groups for Load Balancers in a VPC.
If a security group is missing, apply a new security group to the load balancer. Create security group rules that restrict access to only those ports and protocols that are defined in the load balancer listener configuration. See Security Groups for Load Balancers in a VPC.
- Additional Resources
- Report columns
-
Status
Region
Load Balancer Name
Security Group IDs
Reason
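The following is an added example, not Trusted Advisor's or Amazon's own code, covering both the ELB Listener Security check and the ELB Security Groups check above. It audits a load balancer's listeners for the four listener criteria and then compares the attached security groups' inbound rules with the listener ports, treating a group that cannot be found as deleted and leaving ICMP alone for Path MTU Discovery. The listener and rule dictionaries are loosely modelled on what boto3 returns from elb.describe_load_balancers() and ec2.describe_security_groups(); the policy name treated as "latest", the protocol-version tiers and all sample data are assumptions made for the example.

```python
SECURE_PROTOCOLS = {"HTTPS", "SSL"}
# Assumption: the predefined Classic Load Balancer policy treated as "latest" here.
LATEST_PREDEFINED = "ELBSecurityPolicy-2016-08"
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}   # Red: broken protocol versions
NOT_RECOMMENDED = {"TLSv1.1"}                       # Yellow: deprecated, not yet broken


def audit_listeners(listeners):
    """listeners: [{"Protocol", "Port", "PolicyName", "EnabledProtocols"}].
    Returns (Status, Load Balancer Port, Reason) tuples, like the report columns."""
    findings = []
    if not any(l["Protocol"].upper() in SECURE_PROTOCOLS for l in listeners):
        findings.append(("Yellow", None, "no listener uses HTTPS or SSL"))
    for l in listeners:
        if l["Protocol"].upper() not in SECURE_PROTOCOLS:
            continue
        enabled = set(l.get("EnabledProtocols") or [])
        policy = l.get("PolicyName") or ""
        if enabled & INSECURE_PROTOCOLS:
            findings.append(("Red", l["Port"], "insecure protocol enabled: "
                             + ", ".join(sorted(enabled & INSECURE_PROTOCOLS))))
        elif enabled & NOT_RECOMMENDED:
            findings.append(("Yellow", l["Port"], "protocol not recommended: "
                             + ", ".join(sorted(enabled & NOT_RECOMMENDED))))
        elif policy.startswith("ELBSecurityPolicy-") and policy != LATEST_PREDEFINED:
            findings.append(("Yellow", l["Port"], "outdated predefined policy " + policy))
    return findings


def audit_security_groups(listeners, attached_sg_ids, sg_table):
    """sg_table maps a group id to its inbound rules ({"IpProtocol", "FromPort", "ToPort"});
    an attached id missing from the table stands for a deleted group."""
    listener_ports = {l["Port"] for l in listeners}
    findings = []
    for sg_id in attached_sg_ids:
        rules = sg_table.get(sg_id)
        if rules is None:
            findings.append(("Red", sg_id, "security group does not exist"))
            continue
        for r in rules:
            proto = r["IpProtocol"]
            if proto == "icmp":
                continue          # ICMP is expected, for Path MTU Discovery
            if proto == "-1":
                findings.append(("Yellow", sg_id, "all protocols and ports allowed"))
                continue
            lo, hi = r["FromPort"], r["ToPort"]
            if any(p not in listener_ports for p in range(lo, hi + 1)):
                findings.append(("Yellow", sg_id, f"{proto} {lo}-{hi} reaches ports "
                                 f"outside listeners {sorted(listener_ports)}"))
    return findings


# Constructed sample load balancers and security groups (not real resources).
HTTP_ONLY = [{"Protocol": "HTTP", "Port": 80}]
LEGACY_TLS = [{"Protocol": "HTTPS", "Port": 443, "PolicyName": "custom-legacy",
               "EnabledProtocols": ["TLSv1.2", "TLSv1"]}]
OLD_POLICY = [{"Protocol": "HTTPS", "Port": 443, "PolicyName": "ELBSecurityPolicy-2015-05",
               "EnabledProtocols": ["TLSv1.2"]}]
CURRENT = [{"Protocol": "HTTPS", "Port": 443, "PolicyName": LATEST_PREDEFINED,
            "EnabledProtocols": ["TLSv1.2"]}]
SAMPLE_SGS = {"sg-web": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443},
                         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22},
                         {"IpProtocol": "icmp", "FromPort": 3, "ToPort": 4}]}

if __name__ == "__main__":
    for name, lb in [("http-only", HTTP_ONLY), ("legacy-tls", LEGACY_TLS),
                     ("old-policy", OLD_POLICY), ("current", CURRENT)]:
        print(name, audit_listeners(lb))
    print(audit_security_groups(CURRENT, ["sg-web", "sg-deleted"], SAMPLE_SGS))
```

The protocol tiers are evaluated before the policy-name comparison so that a custom policy with SSLv3 or TLSv1 enabled is reported Red even though it is not a predefined policy at all.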
-
IAM Password Policy
- Description
-
Checks the password policy for your account and warns when a password policy is not enabled, or if one or more password content requirements (uppercase, lowercase, number, non-alphanumeric characters) have not been enabled.
Password content requirements increase the overall security of your Amazon environment by enforcing the creation of strong user passwords. When you create or change a password policy, the change is enforced immediately for new passwords but does not require existing users to change their passwords, so passwords set before the change remain valid until they are next changed (configure a maximum password age if you need to force rotation).
- Check ID
-
Yw2K9puPzl
- Alert Criteria
-
Yellow: A password policy is enabled, but at least one content requirement is not enabled.
Red: No password policy is enabled.
- Recommended Action
-
If some content requirements are not enabled, consider enabling them. If no password policy is enabled, create and configure one. See Setting an Account Password Policy for IAM Users.
- Additional Resources
- Report columns
-
Password Policy
Uppercase
Lowercase
Number
Non-alphanumeric
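The following is an added example, not Trusted Advisor's or Amazon's own code. It maps the check's report columns onto the fields of the PasswordPolicy dictionary that boto3 returns from iam.get_account_password_policy(), assigns the Yellow/Red status, and builds the keyword arguments for the corrective iam.update_account_password_policy() call. The point worth showing is that UpdateAccountPasswordPolicy does not do partial updates (parameters you omit revert to their defaults), so the existing settings must be carried over rather than sending only the four content flags; the minimum length floor and the sample policy are assumptions made for the example, and the function only builds the arguments, it makes no API call.

```python
# Maps the check's report columns to the fields of
# iam.get_account_password_policy()["PasswordPolicy"].
CONTENT_REQUIREMENTS = {
    "Uppercase": "RequireUppercaseCharacters",
    "Lowercase": "RequireLowercaseCharacters",
    "Number": "RequireNumbers",
    "Non-alphanumeric": "RequireSymbols",
}
MIN_LENGTH = 14  # assumption: floor applied only when the existing policy sets no length


def evaluate_password_policy(policy):
    """policy is the PasswordPolicy dict, or None when GetAccountPasswordPolicy raised
    NoSuchEntity (no policy configured). Returns one report row plus a Status."""
    row = {"Password Policy": policy is not None}
    for column, field in CONTENT_REQUIREMENTS.items():
        row[column] = bool(policy.get(field, False)) if policy is not None else False
    if policy is None:
        row["Status"] = "Red"
    elif all(row[column] for column in CONTENT_REQUIREMENTS):
        row["Status"] = "Green"
    else:
        row["Status"] = "Yellow"
    return row


def remediation_kwargs(policy):
    """Keyword arguments for iam.update_account_password_policy(**kwargs) that turn on
    every content requirement. The update is a full replacement, so every existing
    setting is copied across; ExpirePasswords is dropped because the Get response
    reports it but the Update call does not accept it."""
    kwargs = {k: v for k, v in (policy or {}).items() if k != "ExpirePasswords"}
    for field in CONTENT_REQUIREMENTS.values():
        kwargs[field] = True
    kwargs.setdefault("MinimumPasswordLength", MIN_LENGTH)
    return kwargs


# Constructed sample policy: symbols not required, everything else set.
PARTIAL_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
                  "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
                  "AllowUsersToChangePassword": True, "ExpirePasswords": True,
                  "MaxPasswordAge": 90}

if __name__ == "__main__":
    print(evaluate_password_policy(None))            # Red: no policy
    print(evaluate_password_policy(PARTIAL_POLICY))  # Yellow: Non-alphanumeric missing
    print(remediation_kwargs(PARTIAL_POLICY))        # arguments for the fix, MaxPasswordAge kept
```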
-
Security Groups – Specific Ports Unrestricted
- Description
-
Checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports.
Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The ports with highest risk are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP.
If you have intentionally configured your security groups in this manner, we recommend using additional security measures to secure your infrastructure, such as a host-based firewall (for example, iptables) on the instances, so that the security group is not the only control between the Internet and the service.
Note: This check only evaluates security groups that you create and their inbound rules for IPv4 addresses. Inbound rules with IPv6 sources (for example, ::/0) are therefore not evaluated by this check and must be reviewed separately. Security groups created by Amazon Directory Service are flagged as red or yellow, but they don't pose a security risk and can be safely ignored or excluded. For more information, see the Trusted Advisor FAQ.
- Check ID
-
HCP4007jGY
- Alert Criteria
-
Green: Access to port 80, 25, 443, or 465 is unrestricted.
Red: Access to port 20, 21, 1433, 1434, 3306, 3389, 4333, 5432, or 5500 is unrestricted.
Yellow: Access to any other port is unrestricted.
- Recommended Action
-
Restrict access to only those IP addresses that require it. To restrict access to a specific IP address, set the suffix to /32 (for example, 192.0.2.10/32). Be sure to delete overly permissive rules after creating rules that are more restrictive.
- Additional Resources
- Report columns
-
Status
Region
Security Group Name
Security Group ID
Protocol
From Port
To Port
-
Security Groups – Unrestricted Access
- Description
-
Checks security groups for rules that allow unrestricted access to a resource.
Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data).
Note: This check only evaluates security groups that you create and their inbound rules for IPv4 addresses. Security groups created by Amazon Directory Service are flagged as red or yellow, but they don't pose a security risk and can be safely ignored or excluded. For more information, see the Trusted Advisor FAQ.
- Check ID
-
1iG5NDGVre
- Alert Criteria
-
Red: A security group rule has a source IP address with a /0 suffix for ports other than 25, 80, or 443.
- Recommended Action
-
Restrict access to only those IP addresses that require it. To restrict access to a specific IP address, set the suffix to /32 (for example, 192.0.2.10/32). Be sure to delete overly permissive rules after creating rules that are more restrictive.
- Additional Resources
- Report columns
-
Status
Region
Security Group Name
Security Group ID
Protocol
From Port
To Port
IP Range
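The following is an added example, not Trusted Advisor's or Amazon's own code, and it serves both the Security Groups – Specific Ports Unrestricted check and the Security Groups – Unrestricted Access check above. It walks the IpPermissions entries of one security group in the shape boto3 returns from ec2.describe_security_groups(), keeps only IPv4 sources with a /0 suffix (so 10.0.0.0/0 counts, and ::/0 in Ipv6Ranges is skipped, as the checks' note says), expands port ranges and the all-traffic "-1" protocol, and emits report rows for each check. The port lists are the ones stated in the alert criteria; skipping ICMP and the sample security group are assumptions made for the example.

```python
import ipaddress

GREEN_PORTS = {80, 25, 443, 465}
RED_PORTS = {20, 21, 1433, 1434, 3306, 3389, 4333, 5432, 5500}
UNRESTRICTED_ALLOWED = {25, 80, 443}   # the exceptions of the Unrestricted Access check
PORT_PROTOCOLS = {"tcp", "udp", "-1"}  # "-1" is the all-traffic encoding


def is_unrestricted_ipv4(cidr):
    """True for any IPv4 source with a /0 suffix (0.0.0.0/0, but also e.g. 10.0.0.0/0)."""
    try:
        return ipaddress.IPv4Network(cidr, strict=False).prefixlen == 0
    except ValueError:          # IPv6 or malformed: not an IPv4 range
        return False


def port_span(rule):
    """Inclusive (from, to) port range of an IpPermissions entry; all-traffic or a
    missing port pair means every port."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return 0, 65535
    return lo, hi


def specific_ports_status(rule):
    """Specific Ports Unrestricted, for a rule already known to be open to /0: Red if the
    range covers a red port, Green if it is exactly one green port, Yellow otherwise."""
    lo, hi = port_span(rule)
    if any(lo <= p <= hi for p in RED_PORTS):
        return "Red"
    if lo == hi and lo in GREEN_PORTS:
        return "Green"
    return "Yellow"


def unrestricted_access_status(rule):
    """Unrestricted Access: Red when a /0 source can reach any port other than 25, 80, 443."""
    lo, hi = port_span(rule)
    return "Red" if any(p not in UNRESTRICTED_ALLOWED for p in range(lo, hi + 1)) else None


def audit_security_group(sg):
    """Run both checks over one describe_security_groups() entry and return report rows."""
    rows = []
    for rule in sg.get("IpPermissions", []):
        if rule["IpProtocol"] not in PORT_PROTOCOLS:
            continue                       # assumption: icmp and other non-port protocols skipped
        sources = [r["CidrIp"] for r in rule.get("IpRanges", []) if is_unrestricted_ipv4(r["CidrIp"])]
        if not sources:
            continue                       # restricted IPv4 sources, or IPv6 only
        lo, hi = port_span(rule)
        base = {"Security Group Name": sg["GroupName"], "Security Group ID": sg["GroupId"],
                "Protocol": rule["IpProtocol"], "From Port": lo, "To Port": hi}
        rows.append(dict(base, Check="Specific Ports Unrestricted", Status=specific_ports_status(rule)))
        status = unrestricted_access_status(rule)
        if status:
            for cidr in sources:
                rows.append(dict(base, Check="Unrestricted Access", Status=status, **{"IP Range": cidr}))
    return rows


# Constructed sample security group (not a real resource).
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0", "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},          # Green
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},     # restricted, no row
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},          # Red on both checks
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
         "IpRanges": [{"CidrIp": "10.0.0.0/0"}], "Ipv6Ranges": []},         # Yellow / Red
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},             # IPv6: not evaluated
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},          # skipped
    ]}

if __name__ == "__main__":
    for row in audit_security_group(SAMPLE_SG):
        print(row)
```

The IPv6-only rule in the sample produces no row at all, which is exactly the gap the note above describes: a ::/0 rule on port 22 is just as exposed as 0.0.0.0/0 but will not appear in either check.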
-