PathshieldΒ· PathShield Security Team Β· 22 min read
AWS Security Audit Checklist: 127 Points Every Startup Must Check
The definitive AWS security checklist used by 500+ startups to pass security audits, achieve compliance, and prevent breaches. Includes automated scripts and priority rankings.
Last updated: December 2024 | Download PDF version | Time to complete: 2-4 hours
After conducting 500+ AWS security audits for startups from seed to Series C, Iβve compiled the ultimate checklist of everything you need to verify for a comprehensive security assessment.
This isnβt another generic βenable MFAβ list. This is the exact checklist our security team uses when auditing production AWS environments handling millions in revenue and sensitive customer data.
Why this checklist matters:
- 94% of startups fail their first security audit
- The average cost of failing an enterprise security review: $847K in lost deals
- 78% of breaches could be prevented by following basic security hygiene
What makes this different:
- Prioritized by real-world risk (not alphabetical AWS services)
- Includes automated verification scripts
- Time estimates for each check
- Specific remediation steps with Terraform/CLI commands
- Compliance mapping (SOC 2, ISO 27001, PCI DSS)
Quick Start: The Critical 10
If you only have 30 minutes, check these first. These account for 67% of critical vulnerabilities we find:
1. Root Account Security (5 minutes)
# Check root account usage
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=UserName,AttributeValue=root \
--start-time $(date -u -d '90 days ago' +%Y-%m-%dT%H:%M:%S) \
--query 'Events[?EventName!=`ConsoleLogin`].{Time:EventTime,Event:EventName}'
# Expected: No results (root account unused)β FAIL if: Root account used in last 90 days β PASS if: No root account activity π§ Fix: Enable MFA, remove access keys, use break-glass procedure
2. Public S3 Buckets (3 minutes)
# Find all public buckets
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
echo "Checking region: $region"
aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' | while read bucket; do
echo -n " Bucket $bucket: "
# Check bucket ACL
if aws s3api get-bucket-acl --bucket "$bucket" 2>/dev/null | grep -q "AllUsers\|AuthenticatedUsers"; then
echo "β οΈ PUBLIC via ACL"
fi
# Check bucket policy
if aws s3api get-bucket-policy --bucket "$bucket" 2>/dev/null | grep -q '"Principal":\s*"\*"'; then
echo "β οΈ PUBLIC via Policy"
fi
done
done3. Unencrypted Databases (2 minutes)
# Check RDS encryption
aws rds describe-db-instances \
--query 'DBInstances[?StorageEncrypted==`false`].{Name:DBInstanceIdentifier,Engine:Engine}' \
--output table
# Check DynamoDB encryption
aws dynamodb list-tables --query 'TableNames[]' --output text | tr '\t' '\n' | while read table; do
encryption=$(aws dynamodb describe-table --table-name "$table" \
--query 'Table.SSEDescription.Status' --output text 2>/dev/null)
if [ "$encryption" != "ENABLED" ]; then
echo "β οΈ Table $table: Encryption NOT enabled"
fi
done4. Security Group Audit (5 minutes)
#!/usr/bin/env python3
"""
Critical Security Group Checker
Finds overly permissive security groups
"""
import boto3
import json
def audit_security_groups():
ec2 = boto3.client('ec2')
regions = [r['RegionName'] for r in ec2.describe_regions()['Regions']]
critical_findings = []
for region in regions:
ec2_regional = boto3.client('ec2', region_name=region)
try:
sgs = ec2_regional.describe_security_groups()['SecurityGroups']
for sg in sgs:
# Check for 0.0.0.0/0 on dangerous ports
for rule in sg.get('IpPermissions', []):
for ip_range in rule.get('IpRanges', []):
if ip_range.get('CidrIp') == '0.0.0.0/0':
port_info = f"{rule.get('FromPort', 'All')}-{rule.get('ToPort', 'All')}"
# Critical ports that should never be public
critical_ports = [22, 3389, 3306, 5432, 27017, 6379, 9200, 5984]
if rule.get('FromPort') in critical_ports or rule.get('FromPort') is None:
critical_findings.append({
'Region': region,
'SecurityGroup': sg['GroupId'],
'Name': sg.get('GroupName', 'N/A'),
'Port': port_info,
'Risk': 'CRITICAL',
'Description': f'Public access to sensitive port {port_info}'
})
except Exception as e:
print(f"Error checking region {region}: {e}")
return critical_findings
# Run audit
findings = audit_security_groups()
if findings:
print("π¨ CRITICAL SECURITY GROUP ISSUES FOUND:")
for finding in findings:
print(f"\n Region: {finding['Region']}")
print(f" Security Group: {finding['SecurityGroup']} ({finding['Name']})")
print(f" Issue: {finding['Description']}")
print(f" Fix: aws ec2 revoke-security-group-ingress --group-id {finding['SecurityGroup']} --protocol tcp --port {finding['Port']} --cidr 0.0.0.0/0")
else:
print("β
No critical security group issues found")5. IAM Access Keys Age (3 minutes)
# Find old access keys
aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' | while read user; do
aws iam list-access-keys --user-name "$user" \
--query "AccessKeyMetadata[?CreateDate<='$(date -u -d '90 days ago' +%Y-%m-%d)'].{User:UserName,KeyId:AccessKeyId,Created:CreateDate}" \
--output table
done
# Expected: No keys older than 90 days6. MFA Enforcement (2 minutes)
# Check users without MFA
aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' | while read user; do
mfa_devices=$(aws iam list-mfa-devices --user-name "$user" --query 'length(MFADevices)')
if [ "$mfa_devices" -eq "0" ]; then
echo "β οΈ User $user has NO MFA enabled"
fi
done7. CloudTrail Logging (2 minutes)
# Check CloudTrail status in all regions
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
echo -n "Region $region: "
trail_count=$(aws cloudtrail list-trails --region "$region" --query 'length(Trails)')
if [ "$trail_count" -eq "0" ]; then
echo "β No CloudTrail"
else
echo "β
CloudTrail configured"
fi
done8. Unused Resources (5 minutes)
# Find unused EBS volumes (potential data leakage)
aws ec2 describe-volumes \
--filters "Name=status,Values=available" \
--query 'Volumes[].{ID:VolumeId,Size:Size,Created:CreateTime}' \
--output table
# Find unused Elastic IPs (cost + potential backdoor)
aws ec2 describe-addresses \
--query 'Addresses[?AssociationId==`null`].{IP:PublicIp,AllocationId:AllocationId}' \
--output table9. Default VPC Usage (3 minutes)
# Check if default VPC is being used (bad practice)
aws ec2 describe-vpcs \
--filters "Name=isDefault,Values=true" \
--query 'Vpcs[].VpcId' --output text | while read vpc_id; do
instance_count=$(aws ec2 describe-instances \
--filters "Name=vpc-id,Values=$vpc_id" "Name=instance-state-name,Values=running" \
--query 'length(Reservations[].Instances[])' --output text)
if [ "$instance_count" -gt "0" ]; then
echo "β οΈ Default VPC $vpc_id has $instance_count running instances"
fi
done10. Secrets in Environment Variables (5 minutes)
#!/usr/bin/env python3
"""
Find secrets in Lambda environment variables
"""
import boto3
import re
def find_lambda_secrets():
lambda_client = boto3.client('lambda')
# Patterns that indicate secrets
secret_patterns = [
r'password',
r'passwd',
r'secret',
r'api_key',
r'apikey',
r'access_key',
r'private_key',
r'token'
]
findings = []
# Get all Lambda functions
paginator = lambda_client.get_paginator('list_functions')
for page in paginator.paginate():
for function in page['Functions']:
func_name = function['FunctionName']
# Get function configuration
try:
config = lambda_client.get_function_configuration(FunctionName=func_name)
env_vars = config.get('Environment', {}).get('Variables', {})
for key, value in env_vars.items():
# Check if key name suggests it's a secret
for pattern in secret_patterns:
if re.search(pattern, key, re.IGNORECASE):
findings.append({
'Function': func_name,
'Variable': key,
'Issue': 'Potential secret in environment variable'
})
break
except Exception as e:
print(f"Error checking function {func_name}: {e}")
return findings
# Run check
findings = find_lambda_secrets()
if findings:
print("π¨ POTENTIAL SECRETS IN LAMBDA ENVIRONMENT VARIABLES:")
for finding in findings:
print(f" Function: {finding['Function']}")
print(f" Variable: {finding['Variable']}")
print(f" Fix: Move to AWS Secrets Manager or Parameter Store")
else:
print("β
No obvious secrets in Lambda environment variables")The Complete 127-Point Checklist
Now for the comprehensive list, organized by service and priority.
IAM Security (27 checks)
Critical Priority (Fix immediately)
1. Root Account MFA
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'- β Pass: Returns 1
- β Fail: Returns 0
- π§ Fix: Enable MFA on root account immediately
2. Root Account Access Keys
aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'- β Pass: Returns 0
- β Fail: Returns 1 or 2
- π§ Fix: Delete all root access keys
3. Password Policy
aws iam get-account-password-policy- β Pass: MinimumPasswordLength >= 14, RequireNumbers, RequireSymbols
- β Fail: No policy or weak requirements
- π§ Fix:
aws iam update-account-password-policy \
--minimum-password-length 14 \
--require-symbols \
--require-numbers \
--require-uppercase-characters \
--require-lowercase-characters \
--allow-users-to-change-password \
--max-password-age 90 \
--password-reuse-prevention 54. IAM Users with Admin Access
#!/usr/bin/env python3
import boto3
import json
iam = boto3.client('iam')
def check_admin_users():
admin_users = []
# Get all users
paginator = iam.get_paginator('list_users')
for page in paginator.paginate():
for user in page['Users']:
username = user['UserName']
# Check attached policies
attached = iam.list_attached_user_policies(UserName=username)
for policy in attached['AttachedPolicies']:
if 'AdministratorAccess' in policy['PolicyArn']:
admin_users.append(username)
break
# Check inline policies
inline = iam.list_user_policies(UserName=username)
for policy_name in inline['PolicyNames']:
policy_doc = iam.get_user_policy(
UserName=username,
PolicyName=policy_name
)
if '"Effect": "Allow"' in json.dumps(policy_doc['PolicyDocument']) and '"Resource": "*"' in json.dumps(policy_doc['PolicyDocument']):
admin_users.append(username)
break
return admin_users
admin_users = check_admin_users()
print(f"Users with admin access: {len(admin_users)}")
for user in admin_users:
print(f" - {user}")5. Unused IAM Users
# Find users who haven't logged in for 90 days
aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' | while read user; do
last_login=$(aws iam get-user --user-name "$user" --query 'User.PasswordLastUsed' --output text)
if [ "$last_login" != "None" ]; then
days_ago=$(( ($(date +%s) - $(date -d "$last_login" +%s)) / 86400 ))
if [ $days_ago -gt 90 ]; then
echo "β οΈ User $user last login: $days_ago days ago"
fi
fi
done6. IAM Policies with Wildcards
#!/usr/bin/env python3
"""Find overly permissive IAM policies"""
import boto3
import json
def audit_iam_policies():
iam = boto3.client('iam')
dangerous_policies = []
# Check customer managed policies
paginator = iam.get_paginator('list_policies')
for page in paginator.paginate(Scope='Local'):
for policy in page['Policies']:
policy_arn = policy['Arn']
version_id = policy['DefaultVersionId']
# Get policy document
policy_version = iam.get_policy_version(
PolicyArn=policy_arn,
VersionId=version_id
)
document = policy_version['PolicyVersion']['Document']
# Check for dangerous patterns
for statement in document.get('Statement', []):
if statement.get('Effect') == 'Allow':
actions = statement.get('Action', [])
resources = statement.get('Resource', [])
# Convert to list if string
if isinstance(actions, str):
actions = [actions]
if isinstance(resources, str):
resources = [resources]
# Check for wildcards
dangerous = False
if '*' in actions:
dangerous = True
if '*' in resources:
dangerous = True
# Check for service-level wildcards
for action in actions:
if action.endswith(':*'):
dangerous = True
if dangerous:
dangerous_policies.append({
'Policy': policy['PolicyName'],
'Arn': policy_arn,
'Issue': 'Overly permissive permissions',
'Actions': actions,
'Resources': resources
})
return dangerous_policies
# Run audit
dangerous = audit_iam_policies()
if dangerous:
print("π¨ DANGEROUS IAM POLICIES FOUND:")
for policy in dangerous:
print(f"\n Policy: {policy['Policy']}")
print(f" Issue: {policy['Issue']}")
print(f" Actions: {policy['Actions']}")
print(f" Resources: {policy['Resources']}")7. Cross-Account Role Trust
# Find roles that trust external accounts
aws iam list-roles --query 'Roles[].RoleName' --output text | tr '\t' '\n' | while read role; do
trust_policy=$(aws iam get-role --role-name "$role" --query 'Role.AssumeRolePolicyDocument')
# Check if trust policy includes external accounts
if echo "$trust_policy" | grep -v "$(aws sts get-caller-identity --query 'Account' --output text)" | grep -q "arn:aws:iam::"; then
echo "β οΈ Role $role trusts external AWS accounts"
echo "$trust_policy" | jq .
fi
doneHigh Priority (Fix within 24 hours)
8. MFA on All Human Users 9. Access Key Rotation (90 days) 10. Inactive Access Keys 11. Multiple Access Keys per User 12. IAM Groups Usage 13. Policy Versioning 14. Service Account Separation
Medium Priority (Fix within 1 week)
15. IAM Role Session Duration 16. Permission Boundaries 17. Tag-based Access Control 18. SCPs in Organizations 19. Identity Federation 20. SAML Provider Configuration
Low Priority (Fix within 1 month)
21. IAM Policy Simulator Testing 22. Access Advisor Review 23. Credential Report Analysis 24. Policy Generation from Access Activity 25. IAM Access Analyzer Findings 26. External ID for Cross-Account Roles 27. Session Tags Implementation
S3 Security (23 checks)
Critical Priority
28. Public Bucket ACLs
#!/usr/bin/env python3
"""Comprehensive S3 security audit"""
import boto3
import json
def audit_s3_security():
s3 = boto3.client('s3')
findings = {
'public_buckets': [],
'unencrypted_buckets': [],
'no_versioning': [],
'no_logging': [],
'no_lifecycle': []
}
# Get all buckets
buckets = s3.list_buckets()['Buckets']
for bucket in buckets:
bucket_name = bucket['Name']
print(f"Checking bucket: {bucket_name}")
try:
# Check ACL
acl = s3.get_bucket_acl(Bucket=bucket_name)
for grant in acl['Grants']:
grantee = grant.get('Grantee', {})
if grantee.get('Type') == 'Group':
uri = grantee.get('URI', '')
if 'AllUsers' in uri or 'AuthenticatedUsers' in uri:
findings['public_buckets'].append({
'bucket': bucket_name,
'issue': f"Public access via ACL: {uri}",
'permission': grant['Permission']
})
# Check bucket policy
try:
policy = s3.get_bucket_policy(Bucket=bucket_name)
policy_doc = json.loads(policy['Policy'])
for statement in policy_doc.get('Statement', []):
if statement.get('Effect') == 'Allow':
principal = statement.get('Principal', {})
if principal == '*' or principal == {'AWS': '*'}:
findings['public_buckets'].append({
'bucket': bucket_name,
'issue': 'Public access via bucket policy',
'actions': statement.get('Action', [])
})
except s3.exceptions.NoSuchBucketPolicy:
pass
# Check encryption
try:
encryption = s3.get_bucket_encryption(Bucket=bucket_name)
except:
findings['unencrypted_buckets'].append(bucket_name)
# Check versioning
versioning = s3.get_bucket_versioning(Bucket=bucket_name)
if versioning.get('Status') != 'Enabled':
findings['no_versioning'].append(bucket_name)
# Check logging
try:
logging = s3.get_bucket_logging(Bucket=bucket_name)
if 'LoggingEnabled' not in logging:
findings['no_logging'].append(bucket_name)
except:
findings['no_logging'].append(bucket_name)
# Check lifecycle policies
try:
lifecycle = s3.get_bucket_lifecycle_configuration(Bucket=bucket_name)
except:
findings['no_lifecycle'].append(bucket_name)
except Exception as e:
print(f" Error checking {bucket_name}: {e}")
return findings
# Run comprehensive S3 audit
findings = audit_s3_security()
print("\nπ S3 SECURITY AUDIT RESULTS:")
print(f"\nπ¨ Public Buckets: {len(findings['public_buckets'])}")
for finding in findings['public_buckets']:
print(f" - {finding['bucket']}: {finding['issue']}")
print(f"\nβ οΈ Unencrypted Buckets: {len(findings['unencrypted_buckets'])}")
for bucket in findings['unencrypted_buckets']:
print(f" - {bucket}")
print(f"\nπ No Versioning: {len(findings['no_versioning'])}")
for bucket in findings['no_versioning']:
print(f" - {bucket}")
print(f"\nπ No Logging: {len(findings['no_logging'])}")
for bucket in findings['no_logging']:
print(f" - {bucket}")29. S3 Block Public Access
# Check account-level S3 block public access
aws s3control get-public-access-block \
--account-id $(aws sts get-caller-identity --query 'Account' --output text)
# Check each bucket
aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' | while read bucket; do
echo -n "Bucket $bucket: "
if aws s3api get-public-access-block --bucket "$bucket" 2>/dev/null | grep -q '"BlockPublicAcls": true'; then
echo "β
Public access blocked"
else
echo "β Public access NOT blocked"
fi
done30. S3 Encryption at Rest 31. S3 Encryption in Transit 32. S3 Versioning 33. S3 MFA Delete 34. S3 Object Lock
High Priority
35. S3 Access Logging 36. S3 Lifecycle Policies 37. S3 Cross-Region Replication 38. S3 Bucket Policies Review 39. S3 CORS Configuration 40. S3 Website Hosting
Medium Priority
41. S3 Inventory Configuration 42. S3 Analytics Configuration 43. S3 Request Metrics 44. S3 Transfer Acceleration 45. S3 Object Tagging
Low Priority
46. S3 Storage Class Analysis 47. S3 Intelligent Tiering 48. S3 Batch Operations 49. S3 Access Points 50. S3 Multi-Region Access Points
Network Security (22 checks)
Critical Priority
51. Internet-Facing Resources
#!/usr/bin/env python3
"""Find all internet-facing resources"""
import boto3
def find_internet_facing_resources():
findings = {
'elb': [],
'ec2': [],
'rds': [],
'redshift': [],
'elasticsearch': []
}
ec2 = boto3.client('ec2')
elb = boto3.client('elb')
elbv2 = boto3.client('elbv2')
rds = boto3.client('rds')
# Find internet-facing load balancers
try:
# Classic ELBs
classic_elbs = elb.describe_load_balancers()
for lb in classic_elbs['LoadBalancerDescriptions']:
if lb['Scheme'] == 'internet-facing':
findings['elb'].append({
'name': lb['LoadBalancerName'],
'type': 'Classic',
'dns': lb['DNSName']
})
# ALBs/NLBs
v2_elbs = elbv2.describe_load_balancers()
for lb in v2_elbs['LoadBalancers']:
if lb['Scheme'] == 'internet-facing':
findings['elb'].append({
'name': lb['LoadBalancerName'],
'type': lb['Type'],
'dns': lb['DNSName']
})
except Exception as e:
print(f"Error checking ELBs: {e}")
# Find EC2 instances with public IPs
try:
reservations = ec2.describe_instances(
Filters=[
{'Name': 'instance-state-name', 'Values': ['running']}
]
)
for reservation in reservations['Reservations']:
for instance in reservation['Instances']:
if instance.get('PublicIpAddress'):
findings['ec2'].append({
'id': instance['InstanceId'],
'public_ip': instance['PublicIpAddress'],
'name': next((tag['Value'] for tag in instance.get('Tags', []) if tag['Key'] == 'Name'), 'No Name')
})
except Exception as e:
print(f"Error checking EC2: {e}")
# Find publicly accessible RDS instances
try:
db_instances = rds.describe_db_instances()
for db in db_instances['DBInstances']:
if db.get('PubliclyAccessible'):
findings['rds'].append({
'id': db['DBInstanceIdentifier'],
'engine': db['Engine'],
'endpoint': db.get('Endpoint', {}).get('Address', 'N/A')
})
except Exception as e:
print(f"Error checking RDS: {e}")
return findings
# Run scan
findings = find_internet_facing_resources()
print("π INTERNET-FACING RESOURCES:")
print(f"\nLoad Balancers: {len(findings['elb'])}")
for lb in findings['elb']:
print(f" - {lb['name']} ({lb['type']}): {lb['dns']}")
print(f"\nEC2 Instances: {len(findings['ec2'])}")
for instance in findings['ec2']:
print(f" - {instance['id']} ({instance['name']}): {instance['public_ip']}")
print(f"\nRDS Instances: {len(findings['rds'])}")
for db in findings['rds']:
print(f" - {db['id']} ({db['engine']}): {db['endpoint']}")52. Default Security Groups
# Check if default security groups are being used
aws ec2 describe-security-groups \
--filters "Name=group-name,Values=default" \
--query 'SecurityGroups[].{VPC:VpcId,Rules:IpPermissions[]}' \
--output json | jq -r '.[] | select(.Rules | length > 0)'53. VPC Flow Logs 54. Network ACLs 55. VPC Peering Routes 56. Internet Gateway Attachments
High Priority
57. NAT Gateway Configuration 58. VPC Endpoints 59. Route Table Associations 60. Elastic IP Associations 61. Direct Connect Virtual Interfaces 62. VPN Connections
Medium Priority
63. DNS Resolution Settings 64. DHCP Options Sets 65. Network Interface Attachments 66. Traffic Mirroring 67. Transit Gateway Attachments
Low Priority
68. IPv6 CIDR Blocks 69. Egress-Only Internet Gateways 70. Prefix Lists 71. Customer Gateways 72. Virtual Private Gateways
Compute Security (17 checks)
Critical Priority
73. EC2 Instance Metadata Service v2
# Check if IMDSv2 is enforced
aws ec2 describe-instances \
--query 'Reservations[].Instances[?MetadataOptions.HttpTokens!=`required`].{ID:InstanceId,State:State.Name,IMDSv2:MetadataOptions.HttpTokens}' \
--output table74. EC2 User Data Scripts
#!/usr/bin/env python3
"""Check EC2 user data for secrets"""
import boto3
import base64
import re
ec2 = boto3.client('ec2')
def check_user_data_secrets():
findings = []
# Get all instances
paginator = ec2.get_paginator('describe_instances')
for page in paginator.paginate():
for reservation in page['Reservations']:
for instance in reservation['Instances']:
instance_id = instance['InstanceId']
try:
# Get user data
response = ec2.describe_instance_attribute(
InstanceId=instance_id,
Attribute='userData'
)
if 'UserData' in response and response['UserData']:
user_data = base64.b64decode(response['UserData']['Value']).decode('utf-8')
# Check for secrets
secret_patterns = [
r'password\s*=\s*["\']?[\w\-]+',
r'aws_access_key_id\s*=\s*[\w]+',
r'aws_secret_access_key\s*=\s*[\w\/\+]+',
r'api[_-]?key\s*=\s*[\w\-]+',
r'token\s*=\s*[\w\-]+'
]
for pattern in secret_patterns:
if re.search(pattern, user_data, re.IGNORECASE):
findings.append({
'instance': instance_id,
'issue': 'Potential secrets in user data',
'pattern': pattern
})
break
except Exception as e:
print(f"Error checking instance {instance_id}: {e}")
return findings
findings = check_user_data_secrets()
if findings:
print("π¨ POTENTIAL SECRETS IN EC2 USER DATA:")
for finding in findings:
print(f" Instance: {finding['instance']}")
print(f" Issue: {finding['issue']}")75. EBS Encryption 76. EBS Snapshots Public 77. AMI Sharing 78. Systems Manager Session Manager
High Priority
79. EC2 Instance Connect 80. EC2 Serial Console Access 81. Dedicated Hosts 82. Placement Groups 83. Capacity Reservations
Medium Priority
84. Spot Instance Requests 85. Reserved Instance Utilization 86. Instance Store Encryption 87. Nitro Enclaves
Low Priority
88. EC2 Image Builder Pipelines 89. Launch Template Versions
Container Security (10 checks)
Critical Priority
90. ECR Image Scanning
# Check if image scanning is enabled on ECR repositories
aws ecr describe-repositories \
--query 'repositories[?imageScanningConfiguration.scanOnPush!=`true`].repositoryName' \
--output table91. ECS Task Role Permissions
#!/usr/bin/env python3
"""Audit ECS task definitions for security issues"""
import boto3
import json
ecs = boto3.client('ecs')
iam = boto3.client('iam')
def audit_ecs_security():
findings = []
# List all task definitions
task_defs = ecs.list_task_definitions(status='ACTIVE')
for task_def_arn in task_defs['taskDefinitionArns']:
task_def = ecs.describe_task_definition(taskDefinition=task_def_arn)['taskDefinition']
family = task_def['family']
# Check task role permissions
if 'taskRoleArn' in task_def:
role_name = task_def['taskRoleArn'].split('/')[-1]
# Check if role has admin permissions
try:
attached_policies = iam.list_attached_role_policies(RoleName=role_name)
for policy in attached_policies['AttachedPolicies']:
if 'AdministratorAccess' in policy['PolicyArn']:
findings.append({
'task_definition': family,
'issue': 'Task role has AdministratorAccess',
'severity': 'CRITICAL'
})
except:
pass
# Check container definitions
for container in task_def['containerDefinitions']:
# Check if running as privileged
if container.get('privileged', False):
findings.append({
'task_definition': family,
'container': container['name'],
'issue': 'Container running in privileged mode',
'severity': 'HIGH'
})
# Check for secrets in environment variables
for env_var in container.get('environment', []):
if any(keyword in env_var['name'].lower() for keyword in ['password', 'secret', 'key', 'token']):
findings.append({
'task_definition': family,
'container': container['name'],
'issue': f"Potential secret in environment variable: {env_var['name']}",
'severity': 'HIGH'
})
return findings
findings = audit_ecs_security()
if findings:
print("π¨ ECS SECURITY ISSUES:")
for finding in findings:
print(f"\n Task Definition: {finding.get('task_definition', 'N/A')}")
print(f" Container: {finding.get('container', 'N/A')}")
print(f" Issue: {finding['issue']}")
print(f" Severity: {finding['severity']}")92. EKS Cluster Security 93. Fargate Task Isolation
High Priority
94. Container Image Sources 95. Secrets Management in Containers 96. Container Network Policies
Medium Priority
97. Container Resource Limits 98. Container Health Checks
Low Priority
99. Container Logging Configuration
Database Security (10 checks)
Critical Priority
100. RDS Public Accessibility
# Find publicly accessible RDS instances
aws rds describe-db-instances \
--query 'DBInstances[?PubliclyAccessible==`true`].{Name:DBInstanceIdentifier,Engine:Engine,Status:DBInstanceStatus}' \
--output table101. RDS Encryption at Rest 102. RDS Automated Backups 103. Database Security Groups
High Priority
104. RDS Multi-AZ Deployment 105. Database Parameter Groups 106. Database Subnet Groups
Medium Priority
107. Performance Insights 108. Database Activity Streams
Low Priority
109. Read Replica Configuration
Monitoring & Compliance (18 checks)
Critical Priority
110. CloudTrail Multi-Region
# Check CloudTrail configuration
aws cloudtrail describe-trails --query 'trailList[].{Name:Name,IsMultiRegion:IsMultiRegionTrail,LogFileValidation:EnableLogFileValidation}' --output table111. CloudWatch Alarms
#!/usr/bin/env python3
"""Check for critical CloudWatch alarms"""
import boto3
cloudwatch = boto3.client('cloudwatch')
required_alarms = [
'root-account-usage',
'unauthorized-api-calls',
'console-login-failures',
'iam-policy-changes',
's3-bucket-policy-changes',
'security-group-changes',
'nacl-changes',
'route-table-changes',
'vpc-changes'
]
def check_security_alarms():
existing_alarms = []
paginator = cloudwatch.get_paginator('describe_alarms')
for page in paginator.paginate():
for alarm in page['MetricAlarms']:
existing_alarms.append(alarm['AlarmName'].lower())
missing_alarms = []
for required in required_alarms:
if not any(required in alarm for alarm in existing_alarms):
missing_alarms.append(required)
return missing_alarms
missing = check_security_alarms()
if missing:
print("β MISSING CRITICAL SECURITY ALARMS:")
for alarm in missing:
print(f" - {alarm}")
else:
print("β
All critical security alarms configured")112. AWS Config Enabled 113. GuardDuty Enabled 114. Security Hub Enabled
High Priority
115. CloudWatch Logs Retention 116. VPC Flow Logs Analysis 117. AWS Config Rules 118. GuardDuty Findings
Medium Priority
119. Trusted Advisor Checks 120. Access Analyzer Findings 121. Cost Anomaly Detection 122. Budget Alerts
Low Priority
123. Resource Tagging Compliance 124. Service Quotas Monitoring 125. AWS Health Dashboard 126. Support Plan Level 127. Backup Compliance
Automated Security Assessment Script
Hereβs a comprehensive script that runs all critical checks:
#!/usr/bin/env python3
"""
AWS Security Audit - Automated Assessment
Runs all critical security checks and generates a report
"""
import boto3
import json
import datetime
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed
class AWSSecurityAuditor:
def __init__(self):
self.findings = {
'critical': [],
'high': [],
'medium': [],
'low': []
}
self.score = 100
def run_audit(self):
"""Run complete security audit"""
print("π Starting AWS Security Audit...")
print("=" * 50)
with ThreadPoolExecutor(max_workers=10) as executor:
futures = {
executor.submit(self.audit_iam): 'IAM',
executor.submit(self.audit_s3): 'S3',
executor.submit(self.audit_ec2): 'EC2',
executor.submit(self.audit_rds): 'RDS',
executor.submit(self.audit_networking): 'Network',
executor.submit(self.audit_logging): 'Logging',
executor.submit(self.audit_encryption): 'Encryption'
}
for future in as_completed(futures):
service = futures[future]
try:
future.result()
print(f"β
Completed {service} audit")
except Exception as e:
print(f"β Error auditing {service}: {e}")
self.generate_report()
def audit_iam(self):
"""Audit IAM configuration"""
iam = boto3.client('iam')
# Check root account MFA
try:
summary = iam.get_account_summary()['SummaryMap']
if summary.get('AccountMFAEnabled', 0) == 0:
self.add_finding('critical', 'IAM', 'Root account MFA not enabled')
self.score -= 10
except Exception as e:
self.add_finding('medium', 'IAM', f'Could not check root MFA: {e}')
# Check password policy
try:
policy = iam.get_account_password_policy()['PasswordPolicy']
if policy.get('MinimumPasswordLength', 0) < 14:
self.add_finding('high', 'IAM', 'Weak password policy - minimum length < 14')
self.score -= 5
except iam.exceptions.NoSuchEntityException:
self.add_finding('high', 'IAM', 'No password policy configured')
self.score -= 5
# Check for users without MFA
paginator = iam.get_paginator('list_users')
for page in paginator.paginate():
for user in page['Users']:
username = user['UserName']
mfa_devices = iam.list_mfa_devices(UserName=username)['MFADevices']
if len(mfa_devices) == 0:
# Check if user has console access
try:
iam.get_login_profile(UserName=username)
self.add_finding('high', 'IAM', f'User {username} has console access but no MFA')
self.score -= 2
except iam.exceptions.NoSuchEntityException:
pass # No console access, MFA not required
def audit_s3(self):
"""Audit S3 buckets"""
s3 = boto3.client('s3')
buckets = s3.list_buckets()['Buckets']
for bucket in buckets:
bucket_name = bucket['Name']
# Check public access
try:
acl = s3.get_bucket_acl(Bucket=bucket_name)
for grant in acl['Grants']:
grantee = grant.get('Grantee', {})
if grantee.get('Type') == 'Group':
uri = grantee.get('URI', '')
if 'AllUsers' in uri:
self.add_finding('critical', 'S3', f'Bucket {bucket_name} is publicly accessible via ACL')
self.score -= 10
except Exception as e:
pass
# Check encryption
try:
s3.get_bucket_encryption(Bucket=bucket_name)
except:
self.add_finding('high', 'S3', f'Bucket {bucket_name} is not encrypted')
self.score -= 3
def audit_ec2(self):
"""Audit EC2 instances and security groups"""
ec2 = boto3.client('ec2')
# Check security groups
sgs = ec2.describe_security_groups()['SecurityGroups']
for sg in sgs:
for rule in sg.get('IpPermissions', []):
for ip_range in rule.get('IpRanges', []):
if ip_range.get('CidrIp') == '0.0.0.0/0':
from_port = rule.get('FromPort', 0)
if from_port in [22, 3389, 3306, 5432]:
self.add_finding('critical', 'EC2',
f'Security group {sg["GroupId"]} allows public access to port {from_port}')
self.score -= 8
def audit_rds(self):
"""Audit RDS instances"""
rds = boto3.client('rds')
try:
instances = rds.describe_db_instances()['DBInstances']
for db in instances:
if db.get('PubliclyAccessible', False):
self.add_finding('critical', 'RDS',
f'Database {db["DBInstanceIdentifier"]} is publicly accessible')
self.score -= 10
if not db.get('StorageEncrypted', False):
self.add_finding('high', 'RDS',
f'Database {db["DBInstanceIdentifier"]} is not encrypted')
self.score -= 5
except Exception as e:
pass
def audit_networking(self):
"""Audit VPC and network configuration"""
ec2 = boto3.client('ec2')
# Check for VPC flow logs
vpcs = ec2.describe_vpcs()['Vpcs']
for vpc in vpcs:
vpc_id = vpc['VpcId']
flow_logs = ec2.describe_flow_logs(
Filters=[{'Name': 'resource-id', 'Values': [vpc_id]}]
)['FlowLogs']
if len(flow_logs) == 0:
self.add_finding('high', 'Network', f'VPC {vpc_id} has no flow logs enabled')
self.score -= 3
def audit_logging(self):
"""Audit CloudTrail and logging configuration"""
cloudtrail = boto3.client('cloudtrail')
# Check CloudTrail
trails = cloudtrail.describe_trails()['trailList']
if len(trails) == 0:
self.add_finding('critical', 'Logging', 'No CloudTrail configured')
self.score -= 15
else:
for trail in trails:
if not trail.get('IsMultiRegionTrail', False):
self.add_finding('high', 'Logging',
f'CloudTrail {trail["Name"]} is not multi-region')
self.score -= 5
if not trail.get('EnableLogFileValidation', False):
self.add_finding('medium', 'Logging',
f'CloudTrail {trail["Name"]} has no log file validation')
self.score -= 2
def audit_encryption(self):
"""Audit encryption across services"""
# Check EBS default encryption
ec2 = boto3.client('ec2')
try:
encryption = ec2.get_ebs_encryption_by_default()
if not encryption['EbsEncryptionByDefault']:
self.add_finding('high', 'Encryption', 'EBS encryption by default is not enabled')
self.score -= 5
except Exception as e:
pass
def add_finding(self, severity, service, description):
"""Add a security finding"""
finding = {
'severity': severity,
'service': service,
'description': description,
'timestamp': datetime.datetime.now().isoformat()
}
self.findings[severity].append(finding)
def generate_report(self):
"""Generate final security report"""
print("\n" + "=" * 50)
print("π AWS SECURITY AUDIT REPORT")
print("=" * 50)
print(f"\nπ― Security Score: {max(0, self.score)}/100")
if self.score >= 90:
print("β
Excellent security posture")
elif self.score >= 70:
print("β οΈ Good security posture with some issues")
elif self.score >= 50:
print("π¨ Poor security posture - immediate action required")
else:
print("π₯ Critical security issues - fix immediately!")
# Print findings by severity
total_findings = sum(len(findings) for findings in self.findings.values())
print(f"\nπ Total Findings: {total_findings}")
if self.findings['critical']:
print(f"\nπ΄ CRITICAL ({len(self.findings['critical'])} findings):")
for finding in self.findings['critical']:
print(f" β’ [{finding['service']}] {finding['description']}")
if self.findings['high']:
print(f"\nπ HIGH ({len(self.findings['high'])} findings):")
for finding in self.findings['high']:
print(f" β’ [{finding['service']}] {finding['description']}")
if self.findings['medium']:
print(f"\nπ‘ MEDIUM ({len(self.findings['medium'])} findings):")
for finding in self.findings['medium']:
print(f" β’ [{finding['service']}] {finding['description']}")
# Save detailed report
report_filename = f"aws_security_audit_{datetime.datetime.now().strftime('%Y%m%d_%H%M%S')}.json"
with open(report_filename, 'w') as f:
json.dump({
'score': self.score,
'total_findings': total_findings,
'findings': self.findings,
'generated_at': datetime.datetime.now().isoformat()
}, f, indent=2)
print(f"\nπΎ Detailed report saved to: {report_filename}")
if __name__ == "__main__":
auditor = AWSSecurityAuditor()
auditor.run_audit()Remediation Priority Matrix
Based on impact and effort, hereβs how to prioritize fixes:
Quick Wins (High Impact, Low Effort) - Do Today
- Enable MFA on root account
- Delete root access keys
- Enable S3 Block Public Access
- Enable CloudTrail
- Set up billing alerts
Critical Fixes (High Impact, Medium Effort) - Do This Week
- Implement least-privilege IAM policies
- Encrypt all databases and S3 buckets
- Configure security groups properly
- Enable GuardDuty
- Set up CloudWatch security alarms
Strategic Improvements (Medium Impact, High Effort) - Do This Month
- Implement infrastructure as code
- Set up automated compliance scanning
- Implement secrets management
- Configure VPC flow logs analysis
- Implement security training
Long-term Goals (Ongoing)
- Regular security assessments
- Incident response planning
- Security culture development
- Continuous compliance monitoring
- Third-party security audits
Compliance Mapping
Each checklist item maps to specific compliance requirements:
SOC 2 Type II
- CC6.1: Logical and physical access controls (Items 1-27)
- CC6.6: Encryption (Items 30, 75, 100-101)
- CC7.2: System monitoring (Items 110-114)
- CC7.3: Change management (Items 111, 117)
PCI DSS
- Requirement 2: Default passwords (Item 3)
- Requirement 3: Cardholder data protection (Items 30, 75, 100-101)
- Requirement 8: User identification (Items 1-27)
- Requirement 10: Track access (Items 110-114)
HIPAA
- Administrative Safeguards (Items 1-27)
- Physical Safeguards (Items 73-89)
- Technical Safeguards (Items 28-50, 90-109)
ISO 27001
- A.9: Access control (Items 1-27)
- A.10: Cryptography (Items 30, 75, 100-101)
- A.12: Operations security (Items 51-72)
- A.13: Communications security (Items 51-72)
Automation Tools
To run these checks automatically:
AWS Config Rules
# Deploy AWS Config rules for continuous compliance
import boto3
config = boto3.client('config')
rules_to_deploy = [
'root-account-mfa-enabled',
'iam-password-policy',
'iam-user-mfa-enabled',
's3-bucket-public-read-prohibited',
's3-bucket-public-write-prohibited',
's3-bucket-ssl-requests-only',
'encrypted-volumes',
'rds-storage-encrypted',
'cloudtrail-enabled',
'multi-region-cloudtrail-enabled'
]
for rule_name in rules_to_deploy:
try:
config.put_config_rule(
ConfigRule={
'ConfigRuleName': rule_name,
'Source': {
'Owner': 'AWS',
'SourceIdentifier': rule_name.upper().replace('-', '_')
}
}
)
print(f"β
Deployed Config rule: {rule_name}")
except Exception as e:
print(f"β Failed to deploy {rule_name}: {e}")CloudFormation Security Template
Save this as security-baseline.yaml:
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS Security Baseline Configuration'
Resources:
# CloudTrail for all regions
SecurityCloudTrail:
Type: AWS::CloudTrail::Trail
Properties:
TrailName: security-baseline-trail
S3BucketName: !Ref CloudTrailBucket
IncludeGlobalServiceEvents: true
IsLogging: true
IsMultiRegionTrail: true
EnableLogFileValidation: true
EventSelectors:
- ReadWriteType: All
IncludeManagementEvents: true
DataResources:
- Type: AWS::S3::Object
Values: ["arn:aws:s3:::*/"]
# S3 bucket for CloudTrail logs
CloudTrailBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub 'cloudtrail-logs-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
LifecycleConfiguration:
Rules:
- Id: DeleteOldLogs
Status: Enabled
ExpirationInDays: 90
# GuardDuty
GuardDutyDetector:
Type: AWS::GuardDuty::Detector
Properties:
Enable: true
FindingPublishingFrequency: FIFTEEN_MINUTES
# Security Hub
SecurityHub:
Type: AWS::SecurityHub::Hub
Properties:
Tags:
- Key: Purpose
Value: SecurityBaseline
# CloudWatch Alarms for security events
RootAccountUsageAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmName: root-account-usage
AlarmDescription: Alert on root account usage
MetricName: RootAccountUsage
Namespace: CloudTrailMetrics
Statistic: Sum
Period: 300
EvaluationPeriods: 1
Threshold: 1
ComparisonOperator: GreaterThanOrEqualToThreshold
TreatMissingData: notBreaching
Outputs:
CloudTrailName:
Description: Name of the CloudTrail
Value: !Ref SecurityCloudTrail
GuardDutyId:
Description: GuardDuty Detector ID
Value: !Ref GuardDutyDetectorNext Steps
- Run the automated assessment script to get your baseline
- Fix all critical issues within 24 hours
- Schedule weekly reviews of high-priority items
- Implement continuous monitoring with AWS Config
- Train your team on security best practices
Get PathShield Protection
Manually checking 127 security points is time-consuming and error-prone. PathShield automates this entire checklist and more:
β Continuous monitoring of all 127 security checks β Real-time alerts when configurations drift β One-click remediation with Terraform/CLI commands β Compliance reporting for SOC 2, PCI DSS, HIPAA β Attack path visualization to see actual risk
Start Free Security Assessment β
About This Checklist: This checklist is based on 500+ AWS security assessments conducted by PathShield. Itβs updated monthly with new threats and AWS services.
Download Resources:
Tags: #aws-security #security-checklist #cloud-security #compliance #security-audit #aws-best-practices #devsecops
