Components Threats
IAM
  • IAM policy allows sts:AssumeRole / iam:PassRole on every resource (Resource: *)
  • Overly permissive IAM roles (wildcard actions or resources)
  • Overly permissive read access gives visibility into customer data stores
  • Elasticsearch domain access policy allows access from the internet (any principal / any source IP)
  • Deprecated AWS managed IAM policies still attached to users
  • Access to modify security groups, NACLs, ENIs and route tables is not restricted in Prod
  • Access to KMS is not restricted
  • Users do not have MFA enabled on their accounts
Root Account
  • MFA is not enabled on Root account
  • Root account email is not on a distribution list
Secrets / Keys
  • Access keys are not rotated in line with industry best practice (every 90 days)
  • KMS - AWS managed default keys are used instead of customer managed keys
  • KMS - keys are shared across services and functions where separate keys (and per-object envelope data keys) should be used
  • KMS - key policies are too permissive; too many principals/services can call kms:Decrypt
S3
  • S3 bucket has global DELETE permissions enabled via bucket policy (Principal "*" with s3:DeleteObject)
  • S3 bucket has global GET permissions enabled via bucket policy (Principal "*" with s3:GetObject)
  • S3 buckets are accessible to any authenticated AWS user (AuthenticatedUsers ACL grant, i.e. any AWS account, not just yours)
  • S3 buckets are accessible to the public
  • Log buckets are not sufficiently protected from PUT/DELETE (log files can be overwritten or deleted)
  • Versioning is not enabled
  • No bucket replication for high value workloads (minimal backups)
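Added example (not part of the original checklist): a small linter for the IAM findings (wildcards, AssumeRole/PassRole on every resource), the KMS key-policy finding (too many principals able to call kms:Decrypt) and the S3 bucket-policy findings (global GET/DELETE) above. IAM identity policies, KMS key policies and S3 bucket policies share one JSON grammar, so one walker covers all three. The sample policies, their Sids, the bucket names and the account id 123456789012 are constructed, and the threshold of three decrypt principals is an arbitrary assumption to tune per environment.

```python
"""Linter for the IAM, KMS and S3 bucket-policy findings in the checklist.

Added example, not from the original checklist. IAM identity policies,
KMS key policies and S3 bucket policies share one JSON grammar, so one
walker covers all three. Sample documents are constructed; the account
id 123456789012 is a placeholder.
"""
import fnmatch
import json


def _as_list(value):
    """Policy fields may be a scalar or a list; always return a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten Principal into a list of strings; "*" means anyone."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def _grants(actions, wanted):
    """True if any (lower-cased, wildcard) action pattern covers `wanted`."""
    return any(fnmatch.fnmatchcase(wanted, a) for a in actions)


def find_issues(policy_doc, max_decrypt_principals=3):
    """Return [(Sid, ISSUE_CODE)] for Allow statements that match the checklist."""
    issues = []
    for n, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement{n}")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        principals = _principals(stmt)
        # Anonymous access only counts when no Condition narrows it down.
        anyone = "*" in principals and not stmt.get("Condition")

        # Overly permissive roles: "*" or "service:*" actions.
        if any(a == "*" or a.endswith(":*") for a in actions):
            issues.append((sid, "WILDCARD_ACTION"))
        # Role hopping: AssumeRole / PassRole allowed on every resource.
        if "*" in resources and (_grants(actions, "sts:assumerole")
                                 or _grants(actions, "iam:passrole")):
            issues.append((sid, "ASSUME_PASS_ANY_RESOURCE"))
        # Bucket policy: global GET / DELETE.
        if anyone and _grants(actions, "s3:getobject"):
            issues.append((sid, "PUBLIC_GET"))
        if anyone and _grants(actions, "s3:deleteobject"):
            issues.append((sid, "PUBLIC_DELETE"))
        # Key policy: kms:Decrypt open to anyone or to too many principals.
        if _grants(actions, "kms:decrypt") and (
                "*" in principals or len(principals) > max_decrypt_principals):
            issues.append((sid, "DECRYPT_TOO_OPEN"))
    return issues


# --- constructed sample documents (not real policies) -----------------------
SAMPLE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Hop", "Effect": "Allow",
         "Action": ["sts:AssumeRole", "iam:PassRole"], "Resource": "*"},
        {"Sid": "Ok", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-assets/*"},
    ],
}

SAMPLE_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::customer-exports/*"
  }]
}""")

SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WideDecrypt", "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::123456789012:role/svc-{i}" for i in range(6)]},
        "Action": "kms:Decrypt", "Resource": "*",
    }],
}

if __name__ == "__main__":
    for name, doc in [("iam", SAMPLE_IAM_POLICY), ("bucket", SAMPLE_BUCKET_POLICY),
                      ("kms", SAMPLE_KEY_POLICY)]:
        for sid, code in find_issues(doc):
            print(f"{name}: {sid}: {code}")
```

Feed it the JSON from `aws iam get-policy-version`, `aws kms get-key-policy` or `aws s3api get-bucket-policy`. A `Condition` on an anonymous statement (for example restricting to a VPC endpoint) suppresses the PUBLIC_* codes, which is deliberate: such statements need a manual read rather than an automatic fail.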
EBS
  • EBS snapshots are shared publicly
  • No snapshot/backup policy
  • Large number of orphaned (unattached) volumes containing confidential data
WAF / CloudFront
  • CloudFront distributions lack a WAF
  • WAF has inadequate rule sets
  • WAF is not consistently in front of all incoming traffic
  • WAF is not in blocking mode (count/monitor only)
  • No logging or alerting on WAF
  • Lack of consistent DDoS protection
  • CloudFront origin protocol policy does not enforce HTTPS-only
Encryption
  • EBS volumes lack encryption
  • S3 buckets lack encryption at rest
  • TLS is not enforced between ELB and EC2 back ends
  • RDS instances lack encryption
  • Redshift clusters lack encryption
Compliance
  • Lack of visibility of current compliance status
  • No file integrity monitoring for PCI workloads
  • No domain boundary program - lack of documentation on how PCI workloads are isolated (logically or otherwise)
Logging
  • CloudTrail is not enabled on the account
  • VPC Flow Logs are not enabled
  • No system logs shipped from EC2 instances
  • No centralised logging
  • Lack of S3 access logs
  • Confidential data, secrets and customer data are often written to CloudWatch Logs during debugging
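Added example (not part of the original checklist) for the last logging finding: a scanner that spots credentials and card numbers in log lines so they can be redacted before shipping to CloudWatch, or flagged in an export afterwards. The regex set is a starting point, not a complete one; the sample lines are constructed, and the AWS key pair in them is the well-known documentation placeholder, not a live credential.

```python
"""Detect credentials and card data in log lines before they land in CloudWatch.

Added example, not from the original checklist. The regexes are a starting
set, not a complete one; the sample lines are constructed and the AWS keys in
them are the documentation placeholders, not live credentials.
"""
import re

# kind -> pattern; when a pattern has a group, the group is the secret to redact
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\W{0,3}([A-Za-z0-9/+=]{40})", re.IGNORECASE),
    "authorization_header": re.compile(
        r"authorization:\s*(?:bearer|basic)\s+(\S+)", re.IGNORECASE),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}


def _luhn_ok(candidate):
    """Luhn check so that order numbers and ids are not mistaken for PANs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_secrets(line):
    """Return [(kind, token)] for every credential-like token in one line."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            token = m.group(m.lastindex or 0)
            if kind == "card_number" and not _luhn_ok(token):
                continue
            hits.append((kind, token))
    return hits


def redact(line):
    """Replace each detected token with a tagged placeholder; keep the rest intact."""
    for kind, token in find_secrets(line):
        line = line.replace(token, f"[REDACTED:{kind}]")
    return line


def scan(lines):
    """Return [(line_number, kind)] over a batch, e.g. a CloudWatch Logs export."""
    return [(n, kind) for n, line in enumerate(lines, 1)
            for kind, _ in find_secrets(line)]


# Constructed sample log lines; the key pair is the AWS documentation example.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO request_id=abc user=42 path=/checkout status=200",
    "2024-05-01T10:00:02Z DEBUG s3 client config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "2024-05-01T10:00:03Z DEBUG upstream headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
    '2024-05-01T10:00:04Z DEBUG payment payload: {"pan": "4111 1111 1111 1111", "exp": "12/29"}',
    "2024-05-01T10:00:05Z INFO order 1234567890123456 shipped",
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        print(n, redact(line))
```

The Luhn check is what keeps the 16-digit order id on the last line out of the results while the test PAN on the line before it is caught; without it, every long numeric id in the logs becomes a false positive.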
Security Groups
  • Security groups allow internet traffic to undesired ports
  • Default security group does not restrict all traffic
  • Security groups do not follow least privilege with regards to ports/CIDR ranges
  • Many groups allow RDP/SSH from any IP (0.0.0.0/0 or ::/0)
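Added example (not part of the original checklist): checks for the four security-group findings above, run over the JSON shape returned by `aws ec2 describe-security-groups`. The sample groups are constructed, and the thresholds (80/443 as the only ports the internet may reach, /16 as the widest acceptable internal CIDR, 100 ports as the widest acceptable range) are assumptions to tune per environment.

```python
"""Security-group rule checker for the findings in the checklist.

Added example, not from the original checklist. Input follows the shape
of `aws ec2 describe-security-groups` output; the sample groups below are
constructed. The thresholds are assumptions, not AWS or CIS values.
"""
import ipaddress

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
PUBLIC_OK_PORTS = {80, 443}   # assumption: the only ports the internet should reach
MAX_PORT_SPAN = 100           # assumption: wider ranges are not least privilege
MIN_PREFIX_V4 = 16            # assumption: internal IPv4 CIDRs wider than /16 are flagged


def _cidrs(perm):
    """All IPv4 and IPv6 ranges referenced by one rule (security-group refs are ignored)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _port_span(perm):
    """Inclusive port range of one rule; protocol -1 (all) covers every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def check_group(group):
    """Return a sorted list of (GroupName, ISSUE_CODE) for one security group."""
    name = group["GroupName"]
    found = set()
    # CIS: the default group should have no inbound and no outbound rules at all.
    if name == "default" and (group.get("IpPermissions") or group.get("IpPermissionsEgress")):
        found.add((name, "DEFAULT_SG_NOT_RESTRICTED"))
    for perm in group.get("IpPermissions", []):
        lo, hi = _port_span(perm)
        if hi - lo + 1 > MAX_PORT_SPAN:
            found.add((name, "WIDE_PORT_RANGE"))
        for cidr in _cidrs(perm):
            if cidr in WORLD:
                for port, label in ADMIN_PORTS.items():
                    if lo <= port <= hi:
                        found.add((name, f"{label}_FROM_ANY_IP"))
                if not all(p in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
                    found.add((name, "INTERNET_TO_UNDESIRED_PORT"))
            else:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
                    found.add((name, "WIDE_CIDR"))
    return sorted(found)


def audit(groups):
    """Run check_group over every group in a describe-security-groups result."""
    return [finding for g in groups for finding in check_group(g)]


# Constructed sample groups in describe-security-groups shape.
SAMPLE_GROUPS = [
    {"GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                       {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupName": "app",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupName": "db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-0app"}]}]},
]

if __name__ == "__main__":
    for group_name, code in audit(SAMPLE_GROUPS):
        print(f"{group_name}: {code}")
```

Rules that reference another security group rather than a CIDR (the `db` group above) pass untouched, which is the pattern the least-privilege finding is asking for; the `::/0` check matters because an IPv4-only review misses RDP exposed over IPv6, as on the `web` group.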
Incident Response
  • Insufficient playbooks for AWS incident response
  • Insufficient access to comms channels (e.g. Slack/JIRA/Trello/Email) for incidents
  • Lack of alerting for high risk events
Vulnerability Management
  • AMIs are not hardened
  • No patching process for instances
  • No vulnerability scanning on instances
Cost
  • Lack of alerting and reporting for cost control
  • Incorrectly sized instances